07.08.2023 Views

TIAPS ALB_Module 2A. Governance and Managerial Accountability

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

<strong>Module</strong> 2: Good<br />

<strong>Governance</strong>,<br />

<strong>Managerial</strong><br />

<strong>Accountability</strong>,<br />

Developing Strategy,<br />

<strong>and</strong> Data Analysis<br />

<strong>TIAPS</strong> Albania 2023/24<br />

1


2


Table of Contents<br />

<strong>Module</strong> 2: Good <strong>Governance</strong>, <strong>Managerial</strong> <strong>Accountability</strong>, Developing Strategy, <strong>and</strong> Data<br />

Analysis ........................................................................................................................................... 5<br />

Introduction .................................................................................................................................. 5<br />

Relevant St<strong>and</strong>ards ..................................................................................................................... 7<br />

Relevant Competencies .............................................................................................................. 7<br />

References <strong>and</strong> Additional Reading............................................................................................ 7<br />

<strong>2A</strong>. <strong>Governance</strong> <strong>and</strong> <strong>Managerial</strong> <strong>Accountability</strong> ............................................................................ 8<br />

<strong>2A</strong> Learning Outcomes ................................................................................................................ 8<br />

<strong>2A</strong>.1 <strong>Governance</strong> Revisited ........................................................................................................ 8<br />

<strong>2A</strong>.2 Risk Management ............................................................................................................. 12<br />

<strong>2A</strong>.2.1 Risk Concepts ............................................................................................................ 14<br />

<strong>2A</strong>.2.2 Risk Identification ....................................................................................................... 15<br />

<strong>2A</strong>.2.3 Risk Analysis <strong>and</strong> Evaluation ..................................................................................... 16<br />

<strong>2A</strong>.2.4 Risk Responses ......................................................................................................... 19<br />

<strong>2A</strong>.2.5 Monitoring .................................................................................................................. 20<br />

<strong>2A</strong>.3 COSO Internal Control – Integrated Framework.............................................................. 21<br />

<strong>2A</strong>.4 Decision-Making, Risk Management, <strong>and</strong> <strong>Managerial</strong> <strong>Accountability</strong> ............................. 23<br />

<strong>2A</strong>.5 Entity-wide Risk Management .......................................................................................... 27<br />

2B. Managing People.................................................................................................................... 30<br />

2B Learning Outcomes.............................................................................................................. 30<br />

2B.1 Leadership ........................................................................................................................ 30<br />

2B.1.1 Styles of Leadership .................................................................................................. 30<br />

2B.1.2 Delegation .................................................................................................................. 31<br />

2B.1.3 Leadership as Service ............................................................................................... 32<br />

2B.2 Talent Management Strategies ......................................................................................... 35<br />

2B.3 Motivation .......................................................................................................................... 38<br />

2B.3.1 Maslow’s Pyramid ...................................................................................................... 38<br />

2B.3.2 McGregor’s Theory X, Theory Y ................................................................................ 39<br />

2B.3.3 Vroom’s Expectancy Theory ...................................................................................... 39<br />

2B.3.4 Hertzberg’s Two-Factor Model................................................................................... 39<br />

2B.4 Competency Frameworks…………………………………………………….…………..41<br />

3


2C. Quality Assurance .................................................................................................................. 44<br />

2C Learning Outcomes ............................................................................................................. 44<br />

2C.1 The Need for Quality Assurance ...................................................................................... 44<br />

2C.2 Elements of Internal Audit Quality Assurance .................................................................. 46<br />

2D. Managing the Internal Audit Activity ....................................................................................... 49<br />

2D Learning Outcomes ............................................................................................................. 49<br />

2D.1 Managing the Internal Audit Function............................................................................... 49<br />

2D.2 Internal Audit Strategic Planning ...................................................................................... 53<br />

2D.2.1 Engagement Work Program ...................................................................................... 53<br />

2D.2.2 Internal Audit Plan...................................................................................................... 53<br />

2D.2.3 Internal Audit Strategic Plan ...................................................................................... 54<br />

2D.3 Advanced Professional Practices ..................................................................................... 57<br />

2D.3.1 Using Digital Tools ..................................................................................................... 58<br />

2D.3.2 Agile Auditing ............................................................................................................. 60<br />

2D.3.3 Lean Auditing ............................................................................................................. 62<br />

2D.3.4 New <strong>and</strong> Evolving Risk Areas.................................................................................... 63<br />

2E. Data Analytics for Internal Auditing ........................................................................................ 70<br />

2E Learning Outcomes.............................................................................................................. 70<br />

2E.1 Data Analytics <strong>and</strong> Internal Auditing ................................................................................. 70<br />

2E.2 Data Analytics Methods .................................................................................................... 72<br />

2E.2.1 Variance Analysis ....................................................................................................... 72<br />

2E.2.2 Trend Analysis ............................................................................................................ 73<br />

2E.2.3 Reasonableness Testing ............................................................................................ 73<br />

2E.2.4 Ratio Estimation ......................................................................................................... 73<br />

2E.2.5 Benchmarking ............................................................................................................ 73<br />

2E.3 Data Analytics Tools .......................................................................................................... 74<br />

2E.4 Data Visualization ............................................................................................................. 77<br />

References <strong>and</strong> Additional Reading ............................................................................................. 80<br />

4


<strong>Module</strong> 2: Good <strong>Governance</strong>, <strong>Managerial</strong> <strong>Accountability</strong>,<br />

Developing Strategy, <strong>and</strong> Data Analysis<br />

Introduction<br />

The <strong>TIAPS</strong> program has been developed for public sector internal auditors typically with<br />

three to five years of relevant experience, including those who are or who aspire to be in<br />

supervisory <strong>and</strong> managerial positions. It is suitable for those who are familiar with how to<br />

plan <strong>and</strong> perform internal audit services <strong>and</strong> communicate findings <strong>and</strong> insights. It aims to<br />

develop a deeper practical underst<strong>and</strong>ing of the contribution internal audit makes to<br />

organizational effectiveness <strong>and</strong> improvement as well as exploring how to coordinate <strong>and</strong><br />

optimize internal audit resources <strong>and</strong> services. This includes building relationships with key<br />

stakeholders, developing a strategy for the internal audit function, managing people <strong>and</strong><br />

other resources, enhancing quality <strong>and</strong> effectiveness through adoption of advanced<br />

practices, providing audit opinions, <strong>and</strong> supervising audit engagements.<br />

The <strong>TIAPS</strong> program comprises four modules:<br />

<strong>Module</strong> 1: Audit <strong>and</strong> Assurance<br />

<strong>Module</strong> 2: Good <strong>Governance</strong>, <strong>Managerial</strong> <strong>Accountability</strong>, Developing Strategy, <strong>and</strong> Data<br />

Analysis<br />

<strong>Module</strong> 3: Accounting Fundamentals<br />

<strong>Module</strong> 4: Introduction to Performance Audit<br />

<strong>Module</strong> 2: Good <strong>Governance</strong>, <strong>Managerial</strong> <strong>Accountability</strong>, Developing Strategy, <strong>and</strong> Data<br />

Analysis builds on the concepts explored in <strong>Module</strong> 1: Audit <strong>and</strong> Assurance to ensure<br />

internal audit’s provision of relevant, high quality, <strong>and</strong> timely assurance <strong>and</strong> advice. The<br />

module examines the principles of decision-making <strong>and</strong> managerial accountability to support<br />

organizational risk management <strong>and</strong> internal control. It also identifies the roles <strong>and</strong><br />

responsibilities of internal audit management <strong>and</strong> leadership especially in respect of<br />

managing resources, people, <strong>and</strong> quality. The module is organized as follows:<br />

<strong>2A</strong>. <strong>Governance</strong> <strong>and</strong> <strong>Managerial</strong> <strong>Accountability</strong><br />

<strong>2A</strong>.1 <strong>Governance</strong> Revisited<br />

<strong>2A</strong>.2 Risk Management<br />

<strong>2A</strong>.3 COSO Internal Control – Integrated Framework<br />

<strong>2A</strong>.4 Decision-Making, Risk Management, <strong>and</strong> <strong>Managerial</strong> <strong>Accountability</strong><br />

<strong>2A</strong>.5 Entity-wide Risk Management<br />

2B. Managing People<br />

2B.1 Motivation<br />

5


2B.2 Talent Management Strategies<br />

2B.3 Motivation<br />

2B.4 Competency Frameworks<br />

2C. Quality Assurance<br />

2C.1 The Need for Quality Assurance<br />

2C.2 Elements of Internal Audit Quality Assurance<br />

2D. Managing the Internal Audit Activity<br />

2D.1 Managing the Internal Audit Function<br />

2D.2 Internal Audit Strategic Planning<br />

2D.3 Advance Professional Practices<br />

2E. Data Analytics for Internal Auditing<br />

2E.1 Data Analytics <strong>and</strong> Internal Auditing<br />

2E.2 Data Analytics Methods<br />

2E.3 Data Analytics Tools<br />

2E.4 Data Visualization<br />

References<br />

6


Relevant St<strong>and</strong>ards<br />

Reference is made throughout the <strong>TIAPS</strong> program to relevant international st<strong>and</strong>ards, principally<br />

those of The Institute of Internal Auditors (IIA) included in the International Professional Practices<br />

Framework (IPPF). Other st<strong>and</strong>ards <strong>and</strong> frameworks, most notably the COSO Internal Control –<br />

Integrated Framework, are also noted where appropriate.<br />

At the time of writing, The IIA is undertaking a major review of the IPPF with an expected period of<br />

public exposure in 2023. The content of this module reflects the 2017 edition (published in 2016 <strong>and</strong><br />

effective from the start of 2017). Participants should anticipate major revisions to the structure <strong>and</strong><br />

content of the IPPF, although fundamental principles about the practice of internal auditing are<br />

unlikely to change significantly. This program will be updated once the revisions to the IPPF are<br />

finalized <strong>and</strong> formally introduced.<br />

Relevant Competencies<br />

Reference is made throughout the material to relevant competencies taken from the IIA’s Internal<br />

Audit Competency Framework. The purpose of including these statements, which describe<br />

competencies at three levels (General Awareness, Applied Knowledge, <strong>and</strong> Expert), is to remind<br />

students of the practical nature of this program. To develop competencies, knowledge acquired by<br />

reading, reflection, <strong>and</strong> experience needs to be applied to practical situations <strong>and</strong> supported by<br />

appropriate attitudes <strong>and</strong> values. Personal <strong>and</strong> professional development is a continuous process.<br />

The IIA’s Internal Audit Competency Framework is designed for all internal auditors, is based on<br />

global research, <strong>and</strong> represents recognized best practices. The statements are necessarily brief <strong>and</strong><br />

much more detail <strong>and</strong> information is needed to substantiate <strong>and</strong> contextualize the content. The<br />

statements can be regarded as signposts to help internal auditors <strong>and</strong> their managers navigate their<br />

careers, identifying opportunities for ongoing advancement to remain competent <strong>and</strong> best able to<br />

meet or exceed the needs <strong>and</strong> expectations of their stakeholders.<br />

References <strong>and</strong> Additional Reading<br />

References are given at the end of this module. Participants are encouraged to read these to provide<br />

greater underst<strong>and</strong>ing of the topics. The items have been selected to complement the content<br />

included in this module <strong>and</strong> to offer internal auditors relevant, practical guidance.<br />

7


<strong>2A</strong>. <strong>Governance</strong> <strong>and</strong> <strong>Managerial</strong> <strong>Accountability</strong><br />

<strong>2A</strong> Learning Outcomes<br />

On completion of this section, students will be better able to:<br />

• Describe the principles of effective decision-making.<br />

• Assess the effectiveness of risk management.<br />

• Apply the COSO model of internal control to support underst<strong>and</strong>ing of organizational<br />

governance.<br />

• Explain the importance of managerial accountability to governance, risk<br />

management, <strong>and</strong> internal control.<br />

• Evaluate the effectiveness of managerial accountability.<br />

• Describe the principles supporting entity-wide risk management.<br />

<strong>2A</strong>.1 <strong>Governance</strong> Revisited<br />

IIA Internal Audit Competency Framework: Common Business Processes<br />

General Awareness: Describe the risk <strong>and</strong> control implications of common business<br />

processes (human resources, procurement, contracting, product development, project<br />

management, sales, marketing, logistics, management of outsourced processes, etc.).<br />

Applied Knowledge: Examine the risks <strong>and</strong> controls related to the organization’s business<br />

processes.<br />

Expert: Recommend actions to address risks related to the organization’s business<br />

processes. 1<br />

<strong>Module</strong> 1 Audit <strong>and</strong> Assurance described internal audit’s contribution to governance <strong>and</strong> in<br />

doing so identified the key components of governance in the public sector with reference to<br />

important models. The need for the structures <strong>and</strong> processes that constitute governance<br />

arises due to accountability <strong>and</strong> uncertainty. Public officials have a duty of care to citizens<br />

whose resources they are using to achieve a public benefit. Consequently, managers <strong>and</strong><br />

leaders must adopt appropriate measures to ensure their actions <strong>and</strong> behaviors are likely to<br />

fulfill organizational purpose economically, effectively, efficiently, ethically, <strong>and</strong> sustainably.<br />

To achieve this, they must lead, direct, <strong>and</strong> oversee activities <strong>and</strong> make timely interventions<br />

as required. Well-intentioned plans <strong>and</strong> actions, however, cannot guarantee desirable<br />

outcomes. Resources, systems, people, <strong>and</strong> events are unreliable <strong>and</strong> unpredictable. Risk<br />

management <strong>and</strong> internal control – key components of governance – are needed to provide<br />

reasonable assurance objectives will be achieved within an acceptable margin of error.<br />

Internal audit’s contribution is to provide greater transparency <strong>and</strong> insight. This helps<br />

governing bodies 2 extend their oversight across the entity <strong>and</strong> receive independent<br />

assurance on the adequacy <strong>and</strong> effectiveness of governance, risk management, <strong>and</strong> internal<br />

control to complement <strong>and</strong> supplement reports received from management – including risk<br />

<strong>and</strong> compliance functions – regarding performance, position, <strong>and</strong> prospects. Internal audit<br />

1<br />

Internal Audit Competency Framework, The IIA, 2022.<br />

2<br />

Refer to <strong>Module</strong> 1 section 1A.2 for a description of governing bodies <strong>and</strong> the many forms they may take in the public sector.<br />

8


also serves management through assurance <strong>and</strong> advice, acting as a well-informed strategic<br />

advisor <strong>and</strong> champion of innovation <strong>and</strong> change.<br />

External audit provides additional transparency by ensuring external stakeholders receive<br />

reliable reports on all aspects of public sector activity. Internal <strong>and</strong> external auditors have a<br />

broadly similar purpose (although they have important differences), operate according to<br />

compatible professional st<strong>and</strong>ards, <strong>and</strong> act independently from (i.e., without responsibility for<br />

or interference by) the areas they review.<br />

Guidance from the Chartered Institute of Internal Auditors provides a useful comparison<br />

between internal auditors <strong>and</strong> external auditors, summarized in the table below <strong>and</strong> adapted<br />

for relevance to the public sector. 3<br />

Primary clients<br />

Purpose of<br />

assurance<br />

Coverage or<br />

nature of work<br />

Internal Audit<br />

Management <strong>and</strong> the governing<br />

body.<br />

To provide transparency <strong>and</strong><br />

insight to senior management <strong>and</strong><br />

the governing body on all aspects<br />

of governance, risk management,<br />

<strong>and</strong> internal control, to enable<br />

better decision-making, <strong>and</strong> to<br />

facilitate innovation <strong>and</strong><br />

improvements.<br />

“Internal audit covers all categories<br />

of risks <strong>and</strong> their management,<br />

starting from their identification,<br />

taking in various responses to<br />

risks, including traditional internal<br />

financial <strong>and</strong> non-financial controls<br />

<strong>and</strong> including the flow of<br />

information around the<br />

[organization] about risk. Internal<br />

auditors also cover governance<br />

processes <strong>and</strong> the internal control<br />

environment that seeks to mitigate<br />

risk <strong>and</strong> governance issues.”<br />

External Audit<br />

Superior entity, where applicable<br />

(such as line ministry), parliament,<br />

<strong>and</strong> the public.<br />

“To add verification, credibility, <strong>and</strong><br />

reliability to reports” from public<br />

entities to government <strong>and</strong> from<br />

government to the public. “An<br />

external audit process ensures that<br />

[an organization]’s internal controls,<br />

processes, guidelines <strong>and</strong> policies<br />

are adequate, effective <strong>and</strong> in<br />

compliance with governmental<br />

requirements, industry st<strong>and</strong>ards <strong>and</strong><br />

[organizational] policies. This type of<br />

audit also ensures that reporting<br />

mechanisms prevent errors in<br />

financial statements.”<br />

External auditors typically conduct:<br />

• Financial audits<br />

• Compliance audits<br />

• Performance audits<br />

The purpose of the financial is to<br />

confirm:<br />

• The accuracy <strong>and</strong> completeness<br />

of the client's accounting records.<br />

• Whether the client's accounting<br />

records have been prepared in<br />

accordance with the applicable<br />

accounting framework.<br />

• Whether the client's financial<br />

statements present fairly its<br />

results <strong>and</strong> financial position.<br />

Performance audits evaluate the<br />

3<br />

Position paper: Internal audit's relationship with external audit, Chartered Institute of Internal Auditors, 2020.<br />

9


Timing <strong>and</strong><br />

frequency<br />

Focus of<br />

opinion<br />

Responsibility<br />

for<br />

improvement<br />

Internal auditing is a permanent<br />

presence in the organization <strong>and</strong><br />

conducts engagements according<br />

to organizational priorities <strong>and</strong> risks<br />

based on a planned schedule as<br />

well as ad hoc missions.<br />

Internal audit provides assurance<br />

on the adequacy <strong>and</strong> effectiveness<br />

of governance, risk management,<br />

<strong>and</strong> internal control, which may<br />

include an opinion.<br />

“Improvement is fundamental to the<br />

role of internal audit. Working<br />

within the organization on a<br />

constant basis allows internal<br />

auditors to identify current or<br />

emerging weaknesses <strong>and</strong> advise<br />

<strong>and</strong> facilitate managers’ efforts to<br />

improve processes. At the same<br />

time, internal auditors have a<br />

professional duty to avoid usurping<br />

the responsibility of managers to<br />

manage.”<br />

economy, effectiveness, <strong>and</strong><br />

efficiency of projects <strong>and</strong> initiatives in<br />

terms of their outcomes <strong>and</strong> impacts.<br />

Compliance audits identify the<br />

conformance with policies,<br />

regulations, <strong>and</strong> other requirements.<br />

External audits (especially financial<br />

audits) tend to follow a cyclical<br />

pattern tied to annual reporting<br />

requirements.<br />

“The external audit focus is<br />

predominantly on validating that the<br />

financial statements are a true <strong>and</strong><br />

fair representation of past<br />

performance.”<br />

“External auditors have no explicit<br />

responsibility to improve their clients’<br />

governance or risk management<br />

processes. They have a duty to<br />

report internal control problems that<br />

they come across as part of their<br />

work.”<br />

We may also add the primary accountability of the head of the internal audit unit is to the<br />

governing body of the organization while external auditors of the Supreme Audit Institution<br />

are accountable to parliament, often reporting to a representative committee, the cabinet<br />

office, the head of government or the head of state.<br />

<strong>Governance</strong>, risk management, <strong>and</strong> internal control can be understood as different facets of<br />

the same thing. Their purpose is to provide reasonable assurance of organizational success.<br />

They operate at every level throughout an organization. Every activity, decision, plan, <strong>and</strong><br />

behavior contributes in some way – positively or negatively – to the entity’s economy,<br />

effectiveness, efficiency, integrity, <strong>and</strong> sustainability.<br />

<strong>Governance</strong> is the broadest of the three concepts. Its focus concerns the highest-level<br />

objectives, strategies, structures, processes, <strong>and</strong> decisions, <strong>and</strong> is driven by ultimate<br />

10


accountability to stakeholders. “Those charged with governance” typically refers to the<br />

members of the governing body <strong>and</strong> may include those with executive <strong>and</strong> nonexecutive<br />

roles.<br />

• Risk management takes account of the inherent uncertainty in all goal-oriented<br />

activity with the aim of optimizing outcomes, not to eliminate risk (which is impossible<br />

without ab<strong>and</strong>oning all goals <strong>and</strong> actions to achieve them) but to take better<br />

decisions. Both taking an action <strong>and</strong> refraining from doing so constitute taking a risk.<br />

Managing risk is part of the responsibility of management, although the governing<br />

body should ensure there are appropriate structures <strong>and</strong> processes in place. This<br />

may include individuals or teams with a specific focus on risk <strong>and</strong> compliance (i.e.,<br />

second line roles) to provide additional expertise, oversight, <strong>and</strong> challenge.<br />

• Internal control (sometimes referred to as control or managerial internal control<br />

(MIC)) describes management’s responses to risk.<br />

As noted in <strong>Module</strong> 1, not all entities have separate “second line” functions. The<br />

responsibility for managing risk, however, remains within management regardless of<br />

structure. Where there are no distinction second line functions, the task of managing risks<br />

sits with those who also have first line roles.<br />

<strong>2A</strong>.1: Reflection<br />

The term “internal control” sometimes creates a negative image – especially among<br />

managers – <strong>and</strong> can be a barrier to establishing a good underst<strong>and</strong>ing of the role <strong>and</strong><br />

importance of governance, risk management, <strong>and</strong> internal audit – which are also terms that<br />

are not well understood.<br />

Have you experienced difficulties communicating the purpose of internal control as well as<br />

governance, risk management, <strong>and</strong> internal audit?<br />

How do you – or how could you – explain these terms to your audit clients <strong>and</strong><br />

stakeholders to avoid such difficulties?<br />

In what ways, if any, does your internal audit function engage with other internal <strong>and</strong><br />

external assurance providers (such as risk <strong>and</strong> compliance functions, legal counsel, financial<br />

controllers, financial officers, <strong>and</strong> external auditors)?<br />

Are there ways in which internal audit could work more closely with other internal <strong>and</strong><br />

external assurance providers while maintaining appropriate safeguards for independence?<br />

11


<strong>2A</strong>.2 Risk Management<br />

IIA Internal Audit Competency Framework: Risk Management<br />

General Awareness: Describe fundamental concepts of risk <strong>and</strong> risk management; describe<br />

risk management frameworks.<br />

Applied Knowledge: Use a risk management framework to identify potential threats; examine<br />

the effectiveness of risk management within processes <strong>and</strong> functions.<br />

Expert: Appraise the methods used to assess the effectiveness of risk identification <strong>and</strong><br />

management. 4<br />

Risk management is the attempt to apply awareness <strong>and</strong> underst<strong>and</strong>ing of risks to<br />

strategizing, goal setting, planning, decision-making, deployment of resources, operational<br />

activity, monitoring, reporting, <strong>and</strong> forecasting. It is most effective when it is holistic (entitywide),<br />

consistent (supported by a common framework <strong>and</strong> terminology), <strong>and</strong> integrated<br />

(built-in rather than bolted-on). A general principle is that whoever is responsible for an<br />

activity or goal is also responsible for managing the associated risks. An entity may assign<br />

individuals or teams with specialist second line roles (e.g., risk management, compliance,<br />

information security, legal counsel, <strong>and</strong> financial control) to provide support for managers<br />

focused on first line roles (i.e., “front of house” services to clients <strong>and</strong> “back office” services<br />

to enable the organization to operate, such as administration, HR, finance <strong>and</strong> accounting,<br />

<strong>and</strong> IT, noting that many back office functions also have a focus on control). However, the<br />

general principle of risk ownership remains.<br />

In their approach to risk management, some organizations consciously adopt a formal<br />

framework, such as COSO Enterprise Risk Management – Integrating with Strategy <strong>and</strong><br />

Performance or ISO 31000: Risk Management. There are benefits in doing so, including<br />

having a ready-made objective benchmark of recognized best practice <strong>and</strong> a valuable tool<br />

for assessment <strong>and</strong> training. There are also disadvantages, including the need to ensure the<br />

model is relevant <strong>and</strong> the risk of getting distracted by excessive detail. Any approach needs<br />

to be appropriate, <strong>and</strong> its adoption should be incremental to match the needs <strong>and</strong> maturity of<br />

the entity. In all cases, internal audit is expected to evaluate the effectiveness of risk<br />

management <strong>and</strong> contribute to its improvement, in accordance with St<strong>and</strong>ard 2120 – Risk<br />

Management of the IPPF.<br />

Risk is commonly defined in connection with the attainment of objectives <strong>and</strong> allows for both<br />

favorable <strong>and</strong> adverse variances from desired outcomes. Three useful <strong>and</strong> similar definitions<br />

of risk are given below.<br />

• IIA: The possibility of an event occurring that will have an impact on the achievement<br />

of objectives. Risk is measured in terms of impact <strong>and</strong> likelihood. 5<br />

• ISO: The effect of uncertainty on objectives. 6<br />

• COSO: The possibility that events will occur <strong>and</strong> affect the achievement of<br />

objectives. 7<br />

4<br />

Internal Audit Competency Framework, The IIA, 2022.<br />

5<br />

International Professional Practices Framework, The IIA, 2016.<br />

6<br />

ISO 31000:2018 Risk Management, ISO, 2018.<br />

7<br />

COSO Enterprise Risk Management – Integrating with Strategy <strong>and</strong> Performance, COSO, 2017.<br />

12


It is worth quoting IIA St<strong>and</strong>ard 2120 – Risk Management in full as it succinctly directs<br />

auditors to consider key factors when determining the effectiveness of risk management<br />

processes.<br />

2120—Risk Management<br />

The internal audit activity must evaluate the effectiveness <strong>and</strong> contribute to the<br />

improvement of risk management processes.<br />

Interpretation:<br />

Determining whether risk management processes are effective is a judgment resulting<br />

from the internal auditor’s assessment that:<br />

• Organizational objectives support <strong>and</strong> align with the organization’s mission.<br />

• Significant risks are identified <strong>and</strong> assessed.<br />

• Appropriate risk responses are selected that align risks with the organization’s<br />

risk appetite.<br />

• Relevant risk information is captured <strong>and</strong> communicated in a timely manner<br />

across the organization, enabling staff, management, <strong>and</strong> the board to carry out<br />

their responsibilities.<br />

The internal audit activity may gather the information to support this assessment during<br />

multiple engagements. The results of these engagements, when viewed together,<br />

provide an underst<strong>and</strong>ing of the organization’s risk management processes <strong>and</strong> their<br />

effectiveness.<br />

Risk management processes are monitored through ongoing management activities,<br />

separate evaluations, or both.<br />

2120.A1 The internal audit activity must evaluate risk exposures relating to the<br />

organization’s governance, operations, <strong>and</strong> information systems regarding the:<br />

• Achievement of the organization’s strategic objectives.<br />

• Reliability <strong>and</strong> integrity of financial <strong>and</strong> operational information.<br />

• Effectiveness <strong>and</strong> efficiency of operations <strong>and</strong> programs.<br />

• Safeguarding of assets.<br />

• Compliance with laws, regulations, policies, procedures, <strong>and</strong> contracts.<br />

2120.A2 The internal audit activity must evaluate the potential for the occurrence of fraud<br />

<strong>and</strong> how the organization manages fraud risk.<br />

2120.C1 During consulting engagements, internal auditors must address risk consistent<br />

with the engagement’s objectives <strong>and</strong> be alert to the existence of other significant risks.<br />

2120.C2 Internal auditors must incorporate knowledge of risks gained from consulting<br />

engagements into their evaluation of the organization’s risk management processes.<br />

13


2120.C3 When assisting management in establishing or improving risk management<br />

processes, internal auditors must refrain from assuming any management responsibility<br />

by actually managing risks. 8<br />

Risk management involves multiple steps, to identify, assess, <strong>and</strong> implement responses to<br />

risks that are relevant to the organization <strong>and</strong> its objectives. The overall approach of risk<br />

management should be:<br />

• Planned, focused, <strong>and</strong> systematic.<br />

• Relevant to organizational need <strong>and</strong> priorities.<br />

• Maintained continuously as objectives <strong>and</strong> conditions change.<br />

• Monitored <strong>and</strong> adjusted as required.<br />

The process should be cyclical <strong>and</strong> iterative allowing for continuous improvement.<br />

Figure: Iterative <strong>and</strong> Cyclical Risk Management<br />

<strong>2A</strong>.2.1 Risk Concepts<br />

There are many related terms used regarding risk management. Internal auditors should<br />

make sure their meaning is clear when discussing risk with members of management <strong>and</strong><br />

the governing body. It is useful to agree a common taxonomy <strong>and</strong> to keep it simple. Some<br />

common terms are defined in the table below. However, some alternative definitions are<br />

possible, <strong>and</strong> the most important things are clarity <strong>and</strong> agreement.<br />

8<br />

International Professional Practices Framework, The IIA, 2016<br />

14


Concept<br />

Risk capacity<br />

Risk attitude<br />

Risk appetite<br />

Risk<br />

tolerance<br />

Risk universe<br />

Risk profile<br />

Risk severity<br />

Risk<br />

response<br />

Inherent risk<br />

Residual risk<br />

Definition <strong>and</strong> Application<br />

The ability to tolerate risk without significant failure.<br />

A general disposition or mindset with respect to risk, such as being risk<br />

averse or risk hungry.<br />

The level of risk an organization is willing to take, often expressed for<br />

categories (or classes) of risks.<br />

Risk appetite for specific activities or objectives, including acceptable<br />

variations beyond broader risk appetite, at least on a temporary basis.<br />

The totality of risks that may impact an organization.<br />

The aggregate pattern of significant risks across key activities.<br />

A measure of the level of risk (usually based on likelihood <strong>and</strong> impact).<br />

An organization’s actions taken in recognition of a risk to manage its<br />

impacts <strong>and</strong>/or likelihood within the limits agreed according to appetite <strong>and</strong><br />

tolerance.<br />

The level (severity) of a risk to which an organization is (theoretically)<br />

exposed in the absence of any risk responses (controls).<br />

The level (severity) of a risk to which an organization is exposed with risk<br />

responses (controls) in place.<br />

Risk appetite is an important concept since it sets the tone for risk management. COSO<br />

Guidance, Risk Appetite: Critical to Success, provides useful discussion on this topic.<br />

The COSO Enterprise Risk Management—Integrating with Strategy <strong>and</strong><br />

Performance defines risk appetite as: The types <strong>and</strong> amount of risk, on a broad level,<br />

an organization is willing to accept in pursuit of value.<br />

Inherent in this definition are several key points. Risk appetite:<br />

• Is intentionally broad to apply across an organization, recognizing that it may<br />

differ within various parts of the organization while remaining relevant in<br />

changing business conditions.<br />

• Focuses on risk that needs to be taken to pursue strategies that enhance<br />

long-term success.<br />

• Recognizes that risk is more than individual decisions.<br />

• Links to value – it is tied to the choices the organization makes on how it<br />

creates <strong>and</strong> preserves value. 9<br />

<strong>2A</strong>.2.2 Risk Identification<br />

The process of risk management begins with risk identification. Risks do not exist in the<br />

abstract but relate to objectives. Where there are no objectives there are no risks. Two<br />

individuals or entities in the same circumstances may face different risks or different levels of<br />

risk exposure because they have different goals. To answer the question “what are the<br />

risks?” we must first answer the question “what are the objectives?” Therefore, risk<br />

identification starts with a review of an organization’s purpose, goals, strategies, <strong>and</strong> targets.<br />

This can also be applied to departments, projects, <strong>and</strong> systems.<br />

9<br />

Risk Appetite: Critical to Success, COSO, 2020.<br />

15


Risk identification needs to be maintained on a regular basis. As internal <strong>and</strong> external<br />

conditions <strong>and</strong> goals change, the risk profile also evolves. New risks arise from new<br />

conditions (such as a change of leader, introduction of a new policy, changes to legislation<br />

<strong>and</strong> regulations, implementation of new systems, <strong>and</strong> shifts in economic <strong>and</strong> social factors).<br />

The process of risk identification often includes a combination of:<br />

• Review of purpose, goals, strategies, <strong>and</strong> targets.<br />

• Review of performance, position, <strong>and</strong> prospects.<br />

• Brainstorming workshops with key individuals.<br />

• Consideration of each class of risk or each major department, systems, or process.<br />

• Review of the existing risk register.<br />

• Review of previous audits <strong>and</strong> inspections.<br />

• Consideration of relevant guidance, articles, journals, <strong>and</strong> other literature.<br />

• Consultation with subject matter experts.<br />

Internal auditors are likely to be involved in supporting this process. The extent to which<br />

internal audit is asked to help will depend on the level of risk maturity (see below). They may<br />

facilitate risk self-assessment workshops <strong>and</strong> provide training. The head of internal audit<br />

should also make an independent risk assessment as part of the process of planning the<br />

schedule of engagements but must include the input of senior management <strong>and</strong> the<br />

governing body, in accordance with St<strong>and</strong>ard 2010.<br />

2010.A1 The internal audit activity’s plan of engagements must be based on a<br />

documented risk assessment, undertaken at least annually. The input of senior<br />

management <strong>and</strong> the board must be considered in this process. 10<br />

<strong>2A</strong>.2.3 Risk Analysis <strong>and</strong> Evaluation<br />

Risk workshops <strong>and</strong> other processes can yield long lists of risks. Some will be more<br />

important than others <strong>and</strong> many risks in the risk universe require little or no attention. To<br />

make this determination requires analysis <strong>and</strong> evaluation. This allows managers to prioritize<br />

<strong>and</strong> decide on appropriate risk responses.<br />

Not all risks are relevant or significant. Purely theoretical or hypothetical risks with very<br />

limited likelihood can safely be ignored. However, so-called black swan events occur<br />

infrequently <strong>and</strong> are hard to predict but may have significant impacts. In some parts of the<br />

world tornadoes, earthquakes, or hurricanes may occur although it is difficult to know where<br />

<strong>and</strong> when. There may also be very rare scenarios where such events are combined with<br />

conditions like tsunamis, wildfires, or high tides making the impacts that much greater. They<br />

are highly unlikely but that does not mean organizations (<strong>and</strong> individuals) can dismiss the<br />

possibility because from time to time such things will occur. The global Covid-19 p<strong>and</strong>emic<br />

caused rapid <strong>and</strong> widespread disruption. Nevertheless, many individuals <strong>and</strong> organizations<br />

had warned governments that such a scenario was possible. As we encroach more into the<br />

natural environment <strong>and</strong> encounter species with which humans have had little previous<br />

contact, the chances of diseases jumping to humans increase. Coupled with rapid mass<br />

global transportation significantly multiplies the chance of viruses spreading quickly.<br />

10 International Professional Practices Framework, The IIA, 2016<br />

16


Impact<br />

Other than black swan events, organizations must also consider emerging risks which are<br />

those with a high degree of uncertainty, often accompanied with high volatility, <strong>and</strong> with the<br />

potential for far-reaching <strong>and</strong> widespread consequences. They arise from conditions not<br />

previously experienced <strong>and</strong> so the posible chains of events <strong>and</strong> impacts are difficult to<br />

estimate. Risks arising from climate change, artificial intelligence, <strong>and</strong> geo-politics fall into<br />

this category. It is hard to prepare for the unknown, but organizations need to keep these in<br />

view, learn what they can from available information, <strong>and</strong> maintain active preparedness in<br />

the form of contingency plans as far as possible. This may include avoiding undue reliance<br />

on single organizations or territories for critical supplies <strong>and</strong> having built-in flexibility in<br />

operations. This is similar to business continuity <strong>and</strong> disaster recovery planning. We may not<br />

know what the cause may be, but we can prepare for denial of access to buildings, power<br />

outages, disruption to supply lines, loss of key personnel, staff shortages, <strong>and</strong> other social,<br />

political, environmental, or economic turmoil.<br />

Aside from black swan events <strong>and</strong> emerging risks, it is possible to classify, evaluate, <strong>and</strong><br />

prioritize risks. Classifications are developed to match the characteristics of the organization.<br />

Classes or categories may include:<br />

• Strategic risk.<br />

• Operational risk.<br />

• Financial risk.<br />

• Reporting risk.<br />

• IT risk.<br />

• Compliance risk.<br />

• Cybersecurity risk.<br />

• Reputational risk.<br />

The categories help with the process of managing risks <strong>and</strong> the choice of categories used<br />

should be made to suit organizational needs. Risk appetite may vary according to class of<br />

risk. Some broad topics, such as ESG (environmental, social, <strong>and</strong> governance), can<br />

represent risks in multiple classes, in the case of ESG this could include reputational,<br />

financial, reporting, <strong>and</strong> compliance risks.<br />

Evaluation of risks can include attaching descriptive or numerical values. Likelihood <strong>and</strong><br />

impact are usually the two most important dimensions, although others may be considered.<br />

Sometimes a grid is used similar to the one shown below.<br />

Severe<br />

Major<br />

Moderate<br />

Minor<br />

Insignificant<br />

Rare Unlikely Moderate Likely Highly<br />

likely<br />

Likelihood<br />

Figure: Risk Severity Matrix<br />

17


Impact<br />

Risks can be placed on the matrix according to their relative severity. Red, yellow, <strong>and</strong> green<br />

shading can be used to create a heat map. Alternative numerical values may be attached, as<br />

shown below.<br />

5 5 10 15 20 25<br />

4 4 8 12 16 20<br />

3 3 6 9 12 15<br />

2 2 4 6 8 10<br />

1 1 2 3 4 5<br />

1 2 3 4 5<br />

Likelihood<br />

Figure: Risk Severity Matrix – Numerical<br />

In this case, severity has been calculated as a product of likelihood <strong>and</strong> impact. However, an<br />

organization may be more concerned about a risk with a likelihood of 3 <strong>and</strong> an impact of 5<br />

than a risk with a likelihood of 5 <strong>and</strong> an impact of 3. We can tolerate more likely but less<br />

impactful events than less likely but more impactful ones. This suggests impact could be<br />

weighted if desired to reflect this. Other factors may also be considered, such as:<br />

• Vulnerability: how susceptible is the organization to certain types <strong>and</strong> levels of<br />

impact?<br />

• Velocity: how quickly will the impact be felt once the initial event has occurred?<br />

• Volatility: how much changeability <strong>and</strong> uncertainty is there regarding the<br />

circumstances <strong>and</strong> our assessment of likelihood <strong>and</strong> impact?<br />

• Simultaneous occurrence: if two or more related or unrelated impacts are felt at the<br />

same time, how will the organization be able to cope? Risks with lower individual<br />

severity may combine to create more significant impacts.<br />

There are many ways in which risk can be quantified with varying levels of sophistication <strong>and</strong><br />

granularity. There is a trade-off to be had. If a model is too simple it can reduce the value of<br />

quantifying risks. Three-point scales (whether qualitative or quantitative) are unlikely to be<br />

sufficient to reflect the real differences in levels of risk exposure faced by an organization. In<br />

models with an odd number of gradations there is a natural tendency to fall into the middle,<br />

after discounting the upper <strong>and</strong> lower extremes. This also reduces the effectiveness of the<br />

exercise.<br />

On the other h<strong>and</strong>, if a model is too complex it may become unwieldy. The effort involved in<br />

determining very fine gradations may exceed the benefits it yields. The process of evaluation<br />

should not get in the way of what the aim is. The purpose is to identify areas of risk that<br />

require attention <strong>and</strong> help with prioritization <strong>and</strong> determination of a proportionate response.<br />

COSO Risk Assessment in Practice provides useful guidance on this <strong>and</strong> related topics. 11<br />

It is important to remember the exercise of risk evaluation is not a perfect science.<br />

Organizations should be careful not to get seduced or distracted by the numbers. Risk<br />

evaluation is a tool to support the analysis, prioritization, <strong>and</strong> subsequent responses. For<br />

senior management <strong>and</strong> the governing body, the key questions are: what do we need to be<br />

focused on, what are we doing about it, <strong>and</strong> are our current responses effective?<br />

11<br />

Risk Assessment In Practice, COSO, 2012.<br />

18


<strong>2A</strong>.2.4 Risk Responses<br />

Having identified, classified, evaluated, <strong>and</strong> prioritized risks, the next stage is to determine<br />

appropriate responses. “Control” can suggest the response to a risk is always to restrict or<br />

reduce its impact but since some of the impacts of uncertainty on objectives are favorable –<br />

we sometimes exceed targets <strong>and</strong> forecasts, <strong>and</strong> new opportunities arise – then some of the<br />

responses are to take advantage of rather than limit risks. Risk responses can serve to<br />

manage either likelihood or impact or both.<br />

The aim of responses is to ensure the residual risk severity falls within the expressed risk<br />

appetite. Responses need to be proportionate in terms of cost <strong>and</strong> effort in relation to the<br />

size of the risk. Basic responses are described below.<br />

Basis Risk<br />

May include<br />

Responses<br />

Treat<br />

Reduce, mitigate, enhance, exploit, leverage, or optimize<br />

Terminate<br />

Avoid or ab<strong>and</strong>on the activity or goal<br />

Transfer<br />

Share (e.g., through insurance), spread, or outsource<br />

Tolerate<br />

Accept or pursue<br />

The effectiveness of the response can be measured by the difference between the inherent<br />

<strong>and</strong> residual risk severity. Sometimes these risk responses are used in combination. There is<br />

always an element of “tolerate” with regard to the residual risk unless the response is to<br />

terminate. Often public sector entities operate in areas of high risk – such as military combat,<br />

major construction, infectious diseases, nuclear power, <strong>and</strong> emergency response services –<br />

that need to be managed but cannot be terminated.<br />

Regular components of the control environment (described in section <strong>2A</strong>.3) – such as<br />

training, awareness raising, <strong>and</strong> well-communicated codes of conduct <strong>and</strong> policies – serve<br />

as general controls. A very common control is segregation of incompatible duties (as<br />

discussed in <strong>Module</strong> 1 Audit <strong>and</strong> Assurance under measures to address fraud risk). Consider<br />

the following specific controls for risks associated with cash receipts <strong>and</strong> payments:<br />

• Set tight limits on the number of people who can perform sensitive roles, such as<br />

authorizing payments <strong>and</strong> signing checks.<br />

• Assign separate cash drawers for each employee responsible for collecting cash <strong>and</strong><br />

record a daily tally.<br />

• Endorse checks at the point of receiving them to restrict their usage.<br />

• Do not allow employees to draw cash for personal use.<br />

• Do not collect amounts in excess of what is due <strong>and</strong> offer “cash back.”<br />

• Issue numbered receipts <strong>and</strong> keep a copy.<br />

• Deposit cash as soon as possible with deposit slip, otherwise secure undeposited<br />

amounts.<br />

• Keep blank checks secure.<br />

• Make checks out to specific payee (not “cash” or similar or left blank).<br />

• Conduct regular reviews <strong>and</strong> reconciliations <strong>and</strong> investigate irregularities. 12<br />

12<br />

Local Management Guide: The Practice of Internal Controls, Office o the New York State Comptroller, 2010.<br />

19


These are all designed to treat (through mitigation) the risk of money going missing through<br />

error or fraud. Most reduce likelihood. Setting authorization limits <strong>and</strong> making regular<br />

reviews reduce impact by restricting how much could go missing before the problem is<br />

identified.<br />

Financial speculation, investments in new technology, promotion of innovation to stimulate<br />

economic growth <strong>and</strong> address climate change, issuing government bonds, <strong>and</strong> adjusting<br />

interest rates <strong>and</strong> levels of taxation are examples of how the public sector can seek to<br />

exploit uncertainty.<br />

<strong>2A</strong>.2.5 Monitoring<br />

Monitoring is a key part of the risk management process. This includes monitoring controls<br />

to ensure they are operating as expected <strong>and</strong> maintaining a close watch for changes in the<br />

risk l<strong>and</strong>scape. Routine monitoring should be conducted by those implementing the controls<br />

<strong>and</strong> their supervisors. Completing reconciliations <strong>and</strong> stock takes are a form of monitoring.<br />

Inspections <strong>and</strong> audits may also be undertaken. Monitoring should include a combination of<br />

periodic <strong>and</strong> ad hoc review. Automated systems make it easier to maintain close monitoring<br />

<strong>and</strong> reports may be generated to highlight irregularities.<br />

<strong>2A</strong>.2: Reflection<br />

Think about the structures, processes, <strong>and</strong> resources in your organization that collectively<br />

represent risk management.<br />

What formal provisions are made in your organization for risk management?<br />

Is there a coherent, entity-wide approach to managing organizational risks?<br />

Is risk management connected with strategic <strong>and</strong> operational planning, reporting,<br />

monitoring, <strong>and</strong> performance management?<br />

Is there a common framework <strong>and</strong> agreed terminology used to describe risk?<br />

Is responsibility for risks <strong>and</strong> controls delegated down the organization to teams <strong>and</strong><br />

individuals?<br />

20


<strong>2A</strong>.3 COSO Internal Control – Integrated Framework<br />

IIA Internal Audit Competency Framework: Internal Control<br />

General Awareness: Identify types of controls.<br />

Applied Knowledge: Use an internal control framework to examine the effectiveness <strong>and</strong><br />

efficiency of internal controls.<br />

Expert: Evaluate <strong>and</strong> recommend improvements to the organization’s internal control<br />

framework; assess the organization’s implementation of its internal control framework. 13<br />

The best known <strong>and</strong> most widely used model for internal control is COSO Internal Control –<br />

Integrated Framework (2017). It is commonly adopted in the public sector <strong>and</strong> sometimes<br />

written into legislation. For example, it is a part of the European Union accession<br />

requirements within the model of Public Internal Financial Control (PIFC) (see <strong>Module</strong> 3<br />

Accounting Fundamentals).<br />

The COSO model comprises five interrelated elements:<br />

• Control environment.<br />

• Risk assessment.<br />

• Control activities.<br />

• Monitoring.<br />

• Information <strong>and</strong> communication.<br />

There is a natural intersection between risk management <strong>and</strong> internal control, especially in<br />

the components of risk assessment <strong>and</strong> control activities.<br />

Figure: The Five Elements of Internal Control<br />

• The internal control environment is the overall framework for control. It is established<br />

through diligent leadership, consistent tone-at-the-top, a commitment to integrity <strong>and</strong><br />

transparency, regular awareness-raising <strong>and</strong> training, clarity of roles <strong>and</strong><br />

responsibilities, <strong>and</strong> appropriate <strong>and</strong> documented delegation of authority.<br />

• Risk assessment is needed to identify, evaluate, <strong>and</strong> prioritize uncertainties that may<br />

impact the achievement of objectives. Risk assessment should form part of<br />

strategizing, planning, decision-making, operations, monitoring, <strong>and</strong> evaluation.<br />

13<br />

Internal Audit Competency Framework, The IIA, 2022.<br />

21


• Control activities are the responses developed to manage risks within acceptable<br />

limits. Controls may be a combination of preventive, detective, <strong>and</strong> corrective<br />

measures implemented as part of normal operating procedures <strong>and</strong> should be<br />

proportionate in terms of cost <strong>and</strong> effort in relation to the level of risk. Training should<br />

be provided as necessary. Implementing <strong>and</strong> maintaining control activities must be<br />

documented <strong>and</strong> included within a description of roles <strong>and</strong> responsibilities.<br />

• Systematic monitoring is a necessary part of ensuring the adequacy <strong>and</strong><br />

effectiveness of control activities to determine they are operating as intended. As<br />

objectives <strong>and</strong> risks change, it is likely control activities will need to be adjusted <strong>and</strong>,<br />

in some cases, removed. Routine <strong>and</strong> ad hoc monitoring is undertaken by<br />

supervisors <strong>and</strong> line managers as well as periodically by inspectors <strong>and</strong> internal <strong>and</strong><br />

external auditors.<br />

• Finally, the effectiveness of internal control is dependent on systems of information<br />

<strong>and</strong> communication to maintain up-to-date descriptions of processes <strong>and</strong> escalate<br />

issues to the appropriate level of authority in the event of a control failure.<br />

Any system of control needs to be cost-effective, proportionate to risks <strong>and</strong> priorities,<br />

compatible with organizational culture, <strong>and</strong> integrated within decision-making <strong>and</strong><br />

operations.<br />

<strong>2A</strong>.3: Reflection<br />

COSO Internal Control – Integrated Framework is central to the model of PIFC (Public<br />

Internal Financial Control).<br />

How well is COSO Internal Control – Integrated Framework understood in your<br />

organization – by senior leaders, managers, <strong>and</strong> staff?<br />

What role can the internal audit function play to promote greater awareness <strong>and</strong><br />

underst<strong>and</strong>ing regarding internal control <strong>and</strong> the COSO Internal Control – Integrated<br />

Framework?<br />

Based on your insights on the adequacy <strong>and</strong> effectiveness of internal control in your<br />

organization, which area or areas have the greatest need or opportunity for improvement<br />

(control environment, risk assessment, control activities, monitoring, <strong>and</strong> information <strong>and</strong><br />

communication)?<br />

22


<strong>2A</strong>.4 Decision-Making, Risk Management, <strong>and</strong> <strong>Managerial</strong><br />

<strong>Accountability</strong><br />

The principles of decision-making, risk management, <strong>and</strong> managerial accountability are<br />

closely related.<br />

Every organization or system requires a set of explicit <strong>and</strong> implicit rules to operate,<br />

sometimes referred to as bureaucracy. When the rules are burdensome in comparison with<br />

the objectives <strong>and</strong> complexity of the task, they can have a negative impact on effectiveness<br />

<strong>and</strong> efficiency. Excessive bureaucracy is known as red tape. Otherwise, formal <strong>and</strong> informal<br />

rules ensure activity is organized <strong>and</strong> purposeful. Specialization <strong>and</strong> the division of<br />

responsibilities increase <strong>and</strong> improve performance. Entities establish structures <strong>and</strong><br />

hierarchies as ways of organizing resources <strong>and</strong> functions, taking care to ensure there is<br />

clarity to avoid unintended gaps <strong>and</strong> unnecessary duplication as well as appropriate<br />

interconnection to maintain organizational coherence.<br />

However, rules are insufficient to complete every task. If they were, organizations would not<br />

need managers. Organizations are not machines. They are human undertakings. The<br />

function of managing is effectively one of making decisions. Tasks that do not require<br />

decision-making we can describe as purely administrative where one is simply abiding by<br />

rules <strong>and</strong> following instructions. In many cases, such tasks can be automated. In reality,<br />

there are few roles that lack any degree of discretion.<br />

In highly centralized organizations, important decision-making is made at the highest levels<br />

of authority. This can be appropriate when there is a strong need for uniformity <strong>and</strong> limited<br />

need for decision-making at lower levels, such as in an army or when junior team members<br />

have very limited knowledge <strong>and</strong> experience. In other situations, centralization can lead to<br />

bottlenecks where lengthy decision-making processes are carried out by individuals who are<br />

remote from operations, <strong>and</strong> there is often a failure to utilize talent which can lead to<br />

demotivation <strong>and</strong> demoralization. In centralized bodies, internal control is equated with<br />

following rules <strong>and</strong> is enforced through inspection. Most employees are therefore carrying<br />

out administrative tasks requiring multi-tiered signoffs as a paper trail <strong>and</strong> ex-ante approval<br />

for appropriations, commitments, disbursements, etc. Such a system is heavily focused on<br />

the legality <strong>and</strong> regularity (i.e., on compliance) of transactions <strong>and</strong> rather less on<br />

effectiveness <strong>and</strong> performance.<br />

Organizations with decentralized decision-making <strong>and</strong> control are more agile <strong>and</strong><br />

responsive. Employees’ expertise is more appropriate to their tasks, thus creating greater<br />

job satisfaction <strong>and</strong> engagement. Internal control operates most effectively at the level at<br />

which decisions are taken. Those closest to the action are best placed to underst<strong>and</strong> <strong>and</strong><br />

intervene. Tasks should be delegated to the lowest level at which sufficient competency<br />

exists to complete them successfully. It is otherwise an ineffective use of talent (<strong>and</strong> the<br />

financial resources necessary to pay for it) to have someone over- or under-qualified for their<br />

role.<br />

Managers make decisions to help achieve goals that satisfy the purpose of the team,<br />

division, department, entity, <strong>and</strong> governing administration. We have said previously that<br />

taking goal-oriented actions <strong>and</strong> taking risks are the same thing. Knowledge of risks helps<br />

prepare for a range of possible outcomes. The purpose of risk management is to enable<br />

23


managers to make good decisions. Independent assurance <strong>and</strong> advice from internal audit<br />

has the same purpose.<br />

Effective internal control is dependent on delegation of authority <strong>and</strong> powers to an<br />

appropriate level of activity. <strong>Accountability</strong> flows up the chain of comm<strong>and</strong> <strong>and</strong> ultimately to<br />

the highest levels of government. However, within this structure individuals are empowered<br />

to take actions in a reasonable manner regulated by suitable preventive <strong>and</strong> detective<br />

controls. Delegation of powers <strong>and</strong> responsibilities should be achieved without relieving the<br />

person who is delegating from responsibility for exercising those powers <strong>and</strong> responsibilities.<br />

<strong>Managerial</strong> accountability is defined as:<br />

A process whereby managers at all levels are responsible for, <strong>and</strong> may be required to<br />

explain, the decisions <strong>and</strong> actions taken to meet the objectives of the organisation [or<br />

section thereof] they manage. <strong>Managerial</strong> accountability implies responsibility for<br />

sound financial management at all levels, i.e., the adequate organisation, procedures<br />

<strong>and</strong> reporting of the results of the organisation. 14<br />

This does not just apply to financial resources or managers at the senior level. Every<br />

employee making decisions is a manager in this sense. In other words, “managerial<br />

accountability is an approach to public management in which managers are held<br />

accountable for results by assigning them responsibility, accompanied by delegated authority<br />

for decision making, <strong>and</strong> the autonomy <strong>and</strong> resources necessary to achieve the expected<br />

results.” 15 Delegation of authority must be executed in a carefully considered way. It<br />

introduces risks at every point where decisions are made. Hence, delegation of authority<br />

must be accompanied by appropriate controls to provide “guard rails” within which managers<br />

are authorized to use their judgment. There should be a documented schedule of delegation<br />

starting with entity objectives <strong>and</strong> showing a cascade of decision-making authority down the<br />

organization to appropriate teams <strong>and</strong> individuals.<br />

Figure: Components of <strong>Managerial</strong> <strong>Accountability</strong><br />

14<br />

Compendium of the public internal control systems in the EU Member States 2012, Publications Office of the European<br />

Union, 2012.<br />

15<br />

<strong>Managerial</strong> <strong>Accountability</strong> in the Western Balkans, Sigma, 2018.<br />

24


<strong>Managerial</strong> accountability requires firstly that there is clear delegation of responsibility <strong>and</strong><br />

secondly that managers are held to account, meaning they accept the consequences for<br />

their behavior, decisions, <strong>and</strong> performance, <strong>and</strong> are treated appropriately. This may include:<br />

• Being required to improve upon any subst<strong>and</strong>ard work, submit to increased<br />

supervision, <strong>and</strong> undertake additional training.<br />

• Receiving recognition (positive feedback, praise, rewards, bonuses, pay increases,<br />

promotion, <strong>and</strong> other opportunities.)<br />

• Receiving approbation (constructive criticism, loss of privileges, demotion, reassignment,<br />

suspension, <strong>and</strong> potentially loss of position.)<br />

This also entails a need for systematic <strong>and</strong> reliable performance reporting. Delegation is only<br />

executable if it genuinely combines responsibility, decision-making authority, <strong>and</strong> autonomy.<br />

• Responsibility: Tasks need to be defined <strong>and</strong> assigned formally <strong>and</strong> included in the<br />

manager’s role description.<br />

• Authority: Managers need to have the commensurate level of authority to fulfil the<br />

responsibilities assigned to them.<br />

• Autonomy: Managers must be able to make decisions freely within their assigned<br />

area of responsibility <strong>and</strong> have the necessary resources to achieve this.<br />

Autonomy allows managers to make decisions about financial <strong>and</strong> other resources in pursuit<br />

of goals with the possibility of getting this wrong. This is not the same as merely following<br />

detailed regulations, st<strong>and</strong>ards, <strong>and</strong> procedures. It involves the application of reasoning <strong>and</strong><br />

judgment.<br />

The purpose of internal control is reasonable assurance of success in a manner that is<br />

economic, effective, efficient, ethical, <strong>and</strong> sustainable. Success includes operating in<br />

conformance with legislation, regulation, policies, <strong>and</strong> other requirements <strong>and</strong> excitations.<br />

Internal control can be achieved by delegating responsibility, authority, <strong>and</strong> autonomy to the<br />

level of decision-making <strong>and</strong> activity <strong>and</strong> applying suitable controls as limits on managerial<br />

powers. The purpose is not to establish autonomous self-governing entities. It is common for<br />

governments to exercise direct control over the most significant assets <strong>and</strong> liabilities in the<br />

interests of national fiscal discipline. However, an increase in delegated responsibility<br />

supports more dynamic <strong>and</strong> responsive internal control. Managers are accountable for the<br />

consequences of their actions <strong>and</strong> behaviors <strong>and</strong> are duly incentivized to make continuous<br />

improvements. In some environments, managers are asked to make an annual declaration<br />

for their accountability for performance <strong>and</strong> internal control.<br />

Taken together, internal audit <strong>and</strong> managerial accountability are sometimes referred to as<br />

the double-lock of financial management. Their purpose is to improve the ways in which<br />

public resources are managed. Performance management is only as good as the<br />

effectiveness of internal control which in turn is dependent on the reliability of risk<br />

identification <strong>and</strong> assessment. Therefore, it is imperative that risk management activities are<br />

integrated into every stage of planning <strong>and</strong> operations, maintaining focus on the most<br />

significant risks to objectives.<br />

The role of internal audit is to support this process through independent assurance, insights,<br />

<strong>and</strong> advice, helping managers identify risks <strong>and</strong> design efficient <strong>and</strong> effective responses to<br />

25


them. Where controls are not working as intended, are focused on lower priority risks, or are<br />

disproportionate to the likelihood or impact of risks, they should be redesigned accordingly in<br />

the interests of economy, effectiveness, <strong>and</strong> efficiency.<br />

Prerequisites for <strong>Managerial</strong> <strong>Accountability</strong><br />

• Clarity of roles of responsibilities with sufficient differentiation at all levels as well as<br />

between entities (including ministries <strong>and</strong> their subordinated entities). This includes<br />

responsibility for the implementation of internal control aligned with the objectives <strong>and</strong><br />

risks of each activity.<br />

• Alignment with policies <strong>and</strong> procedures.<br />

• Risk-based strategic <strong>and</strong> operational planning.<br />

• Commitment by managers to act in the best interests of the organization.<br />

• Quality control to ensure subst<strong>and</strong>ard work is not accepted.<br />

• Organizational goals integrated within the planning process that are cascaded down to<br />

departments, divisions, teams, <strong>and</strong> individuals. Goals should be SMART, prioritized, <strong>and</strong><br />

documented.<br />

• Formalized schedule of delegation of responsibility, authority, <strong>and</strong> autonomy appropriate<br />

to levels of competency, to include devolved budgetary responsibility. Requirements for<br />

the process of delegation may be defined by law with very specific procedures to confirm<br />

transfer of responsibilities. More generally, organizations <strong>and</strong> leaders may assign tasks<br />

<strong>and</strong> duties from within their own span of responsibilities to members of their department<br />

or team. In all cases, delegation should be planned <strong>and</strong> documented carefully.<br />

• Regular assessment of managers’ competencies.<br />

• Performance evaluation <strong>and</strong> appraisal policies that ensure expectations are clearly<br />

communicated, supported, monitored, evaluated, <strong>and</strong> recognized.<br />

• Adequate supervision.<br />

• Training <strong>and</strong> professional development.<br />

• Implementation of a suitable entity-wide risk management framework.<br />

• Implementation of a suitable system of internal control, coordinated, <strong>and</strong> managed<br />

across the entity. Procedures <strong>and</strong> controls must be documented.<br />

• Merit-based <strong>and</strong> transparent recruitment <strong>and</strong> promotion.<br />

• Systematic monitoring <strong>and</strong> reporting of performance.<br />

<strong>2A</strong>.4: Reflection<br />

How would you describe the decision-making process in your organization – as highly<br />

centralized, highly decentralized, or somewhere in between?<br />

Consider the prerequisites listed above for managerial accountability. Which of these may<br />

be a cause of limiting the effective managerial accountability in your organization?<br />

What can internal audit do to strengthen managerial accountability in your organization?<br />

Do the principles of managerial accountability apply to the internal audit function? Do audit<br />

team members have appropriate levels of responsibility, authority, <strong>and</strong> autonomy?<br />

26


<strong>2A</strong>.5 Entity-wide Risk Management<br />

Within each assurance engagement, internal auditors evaluate the adequacy <strong>and</strong><br />

effectiveness of risk management <strong>and</strong> provide insights to support improvements.<br />

Additionally, the head of internal audit is often expected to offer an opinion on risk<br />

management for the organization as a whole. Risk management should be planned<br />

holistically to ensure consistency, coherence, <strong>and</strong> comprehensiveness. It is only at an<br />

aggregate level that an entity can consider its full risk profile.<br />

COSO describes entity-wide risk management as:<br />

The culture, capabilities, <strong>and</strong> practices, integrated with strategy-setting <strong>and</strong><br />

performance that organizations rely on to manage risk in creating, preserving, <strong>and</strong><br />

realizing value. It…includes practices that management puts in place to actively<br />

manage risk…[<strong>and</strong>] addresses more than internal control [to include] strategy-setting,<br />

governance, communicating with stakeholders, <strong>and</strong> measuring performance. Its<br />

principles apply at all levels of the organization <strong>and</strong> across all functions. 16<br />

The following table illustrates some of the key differences between risk management at a<br />

departmental, team, or process level <strong>and</strong> entity-wide risk management. It also distinguishes<br />

less mature from more mature risk management practices.<br />

Increasing Risk<br />

Management Maturity<br />

Characteristic<br />

Risk management at a<br />

departmental, team, <strong>and</strong> process<br />

level<br />

Approach • Tactical.<br />

• Focus on individual<br />

departments or classes of risk.<br />

• May be reactive, short-term,<br />

<strong>and</strong> fragmented.<br />

• May be based on periodic or<br />

sporadic risk assessments.<br />

• Likely to focus on likelihood<br />

<strong>and</strong> impact only.<br />

Guiding principle • Attention to risk tolerances.<br />

• Focus on detective <strong>and</strong><br />

preventive controls.<br />

Primary goals • Minimize losses, improve<br />

efficiencies, increase gains.<br />

Responsibility • Primarily the departmental<br />

leader or process owner.<br />

Scope • Risks within department, team,<br />

or process.<br />

• Focus on operational risks<br />

relevant to departmental, team,<br />

or process goals.<br />

Entity-wide Risk Management<br />

• Strategic.<br />

• Holistic organizational view.<br />

• Pro-active, long-term, <strong>and</strong><br />

integrated.<br />

• Continuous risk assessment<br />

process.<br />

• May consider other risk<br />

dimensions (such as volatility<br />

<strong>and</strong> correlation) in addition to<br />

likelihood <strong>and</strong> impact.<br />

• Attention to risk appetite.<br />

• Focus on leveraging opportunity<br />

as well as implementing control.<br />

• Fulfilment of organizational<br />

mission.<br />

• Should be assigned to a senior<br />

official.<br />

• All aspects of organizational<br />

activity, strategy, <strong>and</strong> planning.<br />

• Focus on strategic risks <strong>and</strong><br />

aggregated operational risks<br />

relevant to organizational goals.<br />

16<br />

COSO Enterprisewide Risk Management: Integrating with Strategy <strong>and</strong> Performance, COSO, 2017.<br />

27


As organizations develop <strong>and</strong> mature, so too should their organizational risk management.<br />

There are numerous models for risk management maturity sharing many common elements.<br />

The purpose of a model is to provide an initial assessment of current status, identify<br />

opportunities for improvement, <strong>and</strong> help establish a planned approach for increasing<br />

maturity. This is a process internal audit is well-placed to support.<br />

The Risk Maturity Model (RMM) 17 is one such model with five levels of maturity:<br />

1. Ad hoc.<br />

2. Initial.<br />

3. Repeatable.<br />

4. Managed.<br />

5. Leadership.<br />

The assessment is based on consideration of seven elements related to entity-wide risk<br />

management (ERM):<br />

Element<br />

1. Adoption of<br />

ERM-based<br />

process<br />

2. ERM Process<br />

Management<br />

3. Risk Appetite<br />

Management<br />

4. Root Cause<br />

Discipline<br />

5. Uncovering<br />

Risks<br />

6. Performance<br />

Management<br />

7. Business<br />

Resiliency <strong>and</strong><br />

Sustainability<br />

Focus<br />

Risk culture <strong>and</strong> level of executive or board-level support for<br />

enterprise risk management.<br />

Adoption of ERM methodology throughout the culture <strong>and</strong> decisions,<br />

<strong>and</strong> how well the risk management program follows best practice<br />

steps to identify, assess, evaluate, mitigate, <strong>and</strong> monitor risks.<br />

Awareness around risk-reward trade-offs, accountability for risk,<br />

defining risk tolerances, <strong>and</strong> whether the organization is effective in<br />

closing the gap between potential <strong>and</strong> actual risk.<br />

Risk identification by source, or root cause, versus the symptoms <strong>and</strong><br />

outcomes they produce. Focusing on the root cause of a risk <strong>and</strong><br />

classifying them accordingly will strengthen response <strong>and</strong> mitigation<br />

efforts.<br />

Quality <strong>and</strong> coverage of risk assessments. It examines the method of<br />

collecting risk information, the risk assessment process, <strong>and</strong> whether<br />

enterprise-wide trends <strong>and</strong> correlations can be uncovered from the<br />

risk information.<br />

Execution of visions <strong>and</strong> strategy. It evaluates the strength in planning,<br />

communicating, <strong>and</strong> measuring core enterprise goals with a riskbased<br />

process, <strong>and</strong> the extent to which progress deviates from<br />

expectations.<br />

Integration of business continuity, operational planning, <strong>and</strong> other<br />

sustainability activities with a risk-based methodology.<br />

Internal audit may adopt such a model, apply it to their evaluation of risk management, <strong>and</strong><br />

use it to help management identify opportunities <strong>and</strong> set goals for continuing improvement.<br />

17<br />

www.riskmaturitymodel.org<br />

28


<strong>2A</strong>.5: Reflection<br />

Use the Risk Maturity Model (or something similar) to assess the maturity of risk<br />

management in your organization. You may need to make an educated guess for any<br />

elements you are not wholly sure of.<br />

On a scale of 1-5 (where 1 is ad hoc, 2 initial, 3 repeatable, 4 managed, <strong>and</strong> 5 leadership)<br />

or similar, what score would you attribute to risk management maturity in your organization?<br />

What factors are the most significant in contributing to the risk management maturity in<br />

your organization?<br />

What role can internal auditing play to help management continue to improve risk<br />

management maturity?<br />

29

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!