The Accountant-May-June 2017

More documents

Recommendations

Info

MANAGEMENT UNDERSTANDING THE RISK MANAGEMENT PROCESS By CPA Abdhalla Mambo Dallu, abdhallamambo@yahoo.com Identifying risks, as well as their likelihood and overall impact, can help beginner internal auditors provide recommendations that enable companies to develop an effective risk management plan. Besides identifying the risks facing an organization, internal auditors help assess the impact risks can have on companywide performance and processes. Therefore, the role of auditors is not only to evaluate risks, but to determine whether adequate controls are in place to mitigate risks effectively. Becoming familiar with the different elements of an effective risk management process can help beginner internal auditors provide recommendations that address the organization’s risk management needs and identify risks before they become a threat to company-wide assets and data. What is Risk? According to The Institute of Internal Auditors, risk is defined as the possibility that an event will occur, which will impact an organization’s achievement of objectives. There are many forms of risk in an organization, including IT risk, financial risk, operational risk, network security 18 MAY - JUNE 2017
MANAGEMENT risk, and personnel risk. To address risks more effectively, organizations may use a risk management approach that identifies, assesses, manages, and controls potential events or situations. Among other things, the goal of effective risk management is to ensure that each risk is identified, documented, prioritized, and mitigated whenever possible. Because all organizations face risk, whether positive (i.e., opportunities) or negative (i.e., events that hinder company processes), the challenge for auditors is to know when risk will occur and the impact it will have on the organization. In addition, auditors need to consider the probability that the risk will occur. For example, it may not be necessary for the organization to worry about a particular IT risk when the likelihood that it will occur is significantly low and its impact is low as well. However, organizations should concentrate on lowprobability risks that will have a highnegative impact. As a result, looking at the impact and probability of each risk is important when establishing an effective risk management program that addresses company-wide risk. The Risk Management Process When establishing a risk management process or initiative, auditors should recommend that organizations examine best management practices in the area. Typically, risk management plans have the following objectives: 1. To eliminate negative risks. 2. To reduce risks to an “acceptable” level if risks cannot be eliminated. This means a risk level the organization can live with, making sure that proper controls are in place to keep risks within an acceptable range. 3. To transfer risks by means of insurance (i.e., insuring company assets for theft or destruction, such as hurricane or fire damage) or to transfer the risk to another organization (i.e., using a third-party vendor to install network equipment so that the vendor is made responsible for the installation’s success or failure). Risk management consists of risk assessments, risk mitigation, and ongoing risk evaluations and assessments. The risk assessment stage is where the auditor identifies and evaluates each risk, the impact these risks have on the organization, and any risk-reducing recommendations. The end result of the risk assessment is to determine the extent of the potential threat and its associated risk, which is defined as the likelihood that a given threat can exploit or take advantage of a particular vulnerability. For example, if an auditor is evaluating an IT system, the threats to the system should be analyzed in conjunction with potential vulnerabilities and any implemented controls. The risk mitigation stage involves prioritizing, implementing, and maintaining appropriate risk-reduction measures that are recommended in the risk assessment process, while the ongoing risk evaluation and assessment stage asks that the organization continuously evaluate their risk management activities in reducing risks. a) Identifying Risks The risk assessment process begins with the identification of risk categories. An organization most likely will have several risk categories to analyze and identify risks that are specific to the organization. Examples of risk categories include: • Technical or IT risks. • Project management risks. • Organizational risks. • Financial risks. • External risks. • Compliance risks. For instance, technical risks are associated with the operation of applications or programs including computers or perimeter security devices (e.g., a computer that connects directly to the Internet could be at risk if it does not have antivirus software). An example of a project management risk could be the Likelihood Level High Medium Low Likelihood Definition inadequacy of the project manager to complete and deliver a project, causing the company to delay the release of a product to the marketplace. Organizational risks deal with how the company’s infrastructure relates to business operations and the protection of its assets (e.g., the company does not have clear segregation of duties between its production and development environments), while financial risks encompass events that will have a financial impact on the organization (e.g., investing the company’s cash reserves in a highly speculative investment scheme). External risks are those events that impact the organization but occur outside of its control (e.g., natural disasters such as earthquakes and floods). Finally, a compliance risk occurs when a company does not comply with mandated federal regulations, which often results in fines or legal sanctions. b) Determining the Risk Likelihood Level Once risks are identified, the next step is to determine the likelihood that the potential vulnerability can be exploited. Several factors need to be considered when determining this likelihood. First, the auditor needs to consider the source of the threat, the motivation behind the threat, and the capability of the source. Next, auditors need to determine the nature of the vulnerability and, finally, the existence and effectiveness of current controls to deter or mitigate the vulnerability. The likelihood that a potential vulnerability could be exploited can be described as high, medium, or low. c) Identifying the Risk’s Impact The next step is to determine the impact The threat’s source is highly motivated and sufficiently capable, and controls that prevent the vulnerability from being exercised are ineffective. The threat’s source is motivated and capable, but controls are in place that may impede a successful exercise of the vulnerability. The threat’s source lacks motivation or capability, and controls are in place to prevent or significantly impede the vulnerability from being exercised. MAY - JUNE 2017 19
Page 1 and 2: JOURNAL OF THE INSTITUTE OF CERTIFI
Page 3 and 4: TABLE OF CONTENTS 26 COVER STORY Wi
Page 5 and 6: EDITORIAL Dear Reader, The matter o
Page 7 and 8: Financial reporting and assurance T
Page 9 and 10: Financial reporting and assurance T
Page 11 and 12: Business Practice and Development I
Page 14 and 15: Business practice and development O
Page 16 and 17: Economy THE IMPACT OF HYPERINFLATIO
Page 18 and 19: Management THE POWER OF PERSUASION
Page 22: MANAGEMENT Gor Mahia fans engaging
Page 25 and 26: Finance and Investment will also ne
Page 27 and 28: Information Technology DATA GOVERNA
Page 29 and 30: COVER STORY Daniel Susskind, a lect
Page 31 and 32: CPA Centre TO LET Structure • Ele
Page 33 and 34: governance the generation of a plan
Page 35 and 36: Public Policy Auditor General Edwar
Page 37 and 38: Public Policy and ensure government
Page 39 and 40: WORK PLACE If you are in the catego
Page 41 and 42: WORK PLACE Wherever, you find yours
Page 43 and 44: WORK PLACE Does this thought ever c
Page 45 and 46: WORKPLACE working remotely and bein
Page 47 and 48: WORK PLACE Being self-employed mean
Page 49 and 50: INSPIRATION don’t always come tru
Page 52 and 53: SOCIETY POSTPARTUM DEPRESSION IS A
Page 54 and 55: SOCIETY immediate family members an
Page 56 and 57: ENVIRONMENT Society in collaboratio
Page 58 and 59: HEALTH DEALING WITH CONSTIPATION Co
Page 60 and 61: HEALTH lower back, using your arms
Page 62 and 63: TID BITS Below are selected article
Page 64 and 65: BOOK REVIEW Reviewed by Angela Muti
Page 66 and 67: STAR OF THE MONTH STAY FOCUSED A gr
Page 68 and 69: TRAVEL By Clive Mutiso, clivemutiso
Page 70 and 71:
KAMPALA ««««« PICTORIAL PROGRE
Page 72 and 73:
ACCOUNTABLE RECIPES By Sharon Gaton
Page 74 and 75:
PEN OFF questions effectively open
show all

The Accountant-May-June 2017

Create successful ePaper yourself

Delete template?

Save as template?