
Complementary role of CAE and CRO in the provision of combined assurance

Complementary role of CAE and CRO in the provision of combined assurance. IMFO Audit & Risk Indaba, 28-29 June 2012. Nathi Mhlongo, eThekwini Municipality.


Presentation Transcript


  1. Complementary role of CAE and CRO in the provision of combined assurance
     IMFO Audit & Risk Indaba, 28-29 June 2012
     Nathi Mhlongo, eThekwini Municipality

  2. Discussion topics
     • King III on combined assurance
     • Where is it risky? Are we focusing where it matters? (Source: PwC statistical information)
     • Critical areas of convergence for CAE and CRO
     • Requirements for effective cooperation between CAE and CRO
     • Benefits of combined assurance

  3. King III: combined assurance
     3.5 The Audit Committee should ensure that a combined assurance model is applied to provide a coordinated approach to all assurance services.

  4. Combined assurance model
     [Diagram. Labels: Council and Key Committees; Oversight; Audit and Risk Committee; Municipal Manager and Key Committees; Risk Management Committee; Management; Governance; First Line of Defence; Second Line of Defence; Third Line of Defence; Internal and External Auditors; Chief Risk Office; Ethics and Compliance; Ombudsperson; Legal; Assurance; Management of Operations]

  5. Is there convergence between IA and ERM?

  6. Chief Risk Officer

  7. Chief Audit Executive

  8. King 3 on risk management and combined assurance
     • The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks
     King 3 on IA and combined assurance
     • The board should receive assurance regarding the effectiveness of the risk management process

  9. Can CAE and CRO collaborate?
     • What does ERM mean?
     • How do both functions fit into the equation?
     • How can internal audit assist and yet independently evaluate risk management activities?

  10. ERM Definitions
     RIMS: ERM is a strategic business discipline that supports achievement of an organization’s objectives by addressing the full spectrum of its risks and managing a combined impact of those risks as an interrelated risk portfolio.
     The IIA: ERM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of objectives.
     Source: The IIA and RIMS

  11. Common areas of convergence
     • ISO 31000:2009
     • IIA International Professional Practice Framework
     • COSO ERM framework
     • Open Compliance and Ethics Group’s Red Book
     • RIMS and IIA 2012 joint report
     eThekwini Municipality - EXCO ERM

  12. Managing risk makes sense……….

  13. Risks that are generally not perceived as well managed
     How well is risk being managed? [Chart; label: Well managed. Source: PwC 2012 State of the IA Profession Study]

  14. Stakeholders value internal audit’s contribution… and want more
     Which risks are receiving too little attention from internal audit? [Chart. Source: PwC State of the IA Profession Study]

  15. Let's reflect… Can IA provide assurance…

  16. The fact of the matter is…
     • Are risks adequately covered in the risk profile?
     • Is risk information simplified or excessively cluttered?
     • Is risk information credible? Expertise of the CRO
     • Stakeholder consensus on risks raised by management?
     • CAE robust dialogue with CRO around ERM?
     • AG participation in dialogue? Is ERM effective?
     • Is IA specific skill available?
     • Does IA have enough budget?

  17. Results of Ineffective Risk Management
     • Poor identification of risks
     • Breakdown in internal control that could prevent the organization from achieving its objective
     • Reactive responses to potential risks, rather than proactive
     • Changing/new risks are not adequately identified, controlled and managed
     • Inability to leverage on internal audit expertise, e.g. root cause analysis, impact assessment, etc.
     • Inability to leverage on ERM expertise

  18. Expectations from CAE
     • Timely recommendations
     • Risk impact insight
     • Quality of recommendations to improve business performance

  19. Critical area of convergence for CAE/CRO
     • Root cause and impact assessments - IA
     • Controls design and implementation consulting - ERM
     • Action planning and real time assurance on implementation according to plan - IA/ERM
     • Combined assurance
     • Effective and efficient communication

  20. An effective combined assurance framework
     To ensure success, the organisation requires:
     • A common risk language
     • Enabling technology
     • Clearly defined roles of all assurance providers
     • Approved combined assurance policy to ensure commitment to cooperate
     • A communication plan – encompassing ongoing communication
     • Involvement from senior leadership – “tone at the top”
     • Continued coordination, reporting and communication
     • Provision of necessary and appropriate training

  21. Risk Register

  22. Acknowledgements
     • King III
     • PwC 2012 State of Internal Audit Study
     • eThekwini Municipality ERM framework
     • RIMS and IIA 2012 Joint Report

  23. “Siyabonga kakhulu” (“Thank you very much”)
