Control, Governance and Risk Management
• CGRM are interrelated concepts that are fundamental
to the field of internal auditing and the work of internal
auditors.
• Management plans, organizes and directs the
performance of sufficient actions to provide
reasonable assurance that objectives and goals will be
achieved.
• Internal auditors help an organization accomplish its
objectives by bringing a systematic disciplined
approach to evaluating and improving the effectiveness
of risk management, control and governance
processes.
Internal Control
• As defined by “The Institute of Internal
Auditors”
– “Control is the employment of all the means
devised in an enterprise to promote, direct,
restrain, govern and check upon its various
activities for the purpose of seeing that enterprise
objectives are met. These means of control
include, but are not limited to, standards,
committees, charts of accounts, forecasts,
budgets, schedules, reports, records, checklists,
methods, devices and internal auditing.”
Internal Control
• As defined by the IIA Practice Advisory 2100-1
– “Control is any action taken by management to
enhance the likelihood that established objectives and
goals will be achieved. Controls may be preventive (to
deter undesirable events from occurring), detective
(to detect and correct undesirable events that have
occurred), or directive (to cause or encourage a
desirable event to occur). The concept of a system of
control is the integrated collection of control
components and activities that are used by an
organization to achieve its objectives and goals.”
Internal Control
• As defined by the Committee of Sponsoring
Organizations of the Treadway Commission
(COSO)
– “Control is a process effected by an entity’s board of
directors, management and other personnel, designed
to provide reasonable assurance regarding the
achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with laws and regulations”
Committee of Sponsoring
Organizations of the Treadway
Commission (COSO)
• Is a voluntary organization dedicated to improving the quality of financial
reporting through business ethics, effective internal controls, and
corporate governance
• Organized in 1985 to sponsor the Commission on Fraudulent Financial
Reporting, an independent private sector initiative that studied the causal
factors that can lead to fraudulent financial reporting
• Sponsored jointly by five major professional associations headquartered in
the United States:
– American Accounting Association
– American Institute of Certified Public Accountants
– Financial Executives International
– The Institute of Internal Auditors
– Institute of Management Accountants
The COSO definition reflects certain
fundamental concepts:
• Internal control is a process
– It is a means to an end, not an end itself.
– The concept of internal control is the integrated
collection of control components and activities
that are used by an organization to achieve its
objectives and goals.
– It is not an event or circumstance but a dynamic
and iterative process.
– The control framework is tied to the business
objectives and flexible enough to be adaptable.
Control is a Process
a) Setting Standards
– Standards are specific goals or objectives with which performance is
compared.
– Standards are commonly classified in terms of QUANTITY, QUALITY,
TIME and COST.
b) Measuring Performance
– Measurement must be carefully chosen because it is a message to
the controlled activity’s personnel and directs their behaviour.
– Complete measurement is often not possible or not desirable.
– People doing the measurement need to be involved in the
performance.
– Behavioural considerations are important factors in selecting who
does the measuring, as well as what is measured and what standards
are used.
Control Points
• Selection of points at which performance will be measured
is critical. It is not possible to oversee or measure the
performance of every aspect of an organization’s activities
because of various factors such as:
– The cost would be prohibitive.
– The information system generating such data would overload
the manager’s capacity for review.
– Too much control is demoralizing.
– Measuring the wrong performance is unproductive.
– Developing surrogate quantitative measures for many
qualitative issues may focus attention on the wrong issues.
– The choices of control points and standards will affect
behaviour. Standards and control points must be selected so
they are congruent with organizational goals.
Control is a Process
c) Evaluation and Correction
– Any alteration in the production process may make
previously used or organization-wide standards
inapplicable to the case at hand.
– Detection of a variation from standards is followed
by the critical phases of evaluation and correction.
– A thorough understanding of applicable standards is
required if appropriate corrective action is to result.
– Some control situations require little evaluation and
lead to immediate corrective action.
Internal Control is Effected by People
• Control is not merely policy manuals and forms, but people at every
level of an organization.
• It is effected by the BOD, management and other personnel.
• It is accomplished by the people of an organization, by what they do and
say, for example:
– BOD and Senior Management
• BOD is tasked to establish and maintain the organization’s governance processes and
obtain assurances concerning the effectiveness of the risk management and control
processes.
• Senior management’s role is to oversee the establishment, administration and assessment of
that system of risk management and control processes.
– Organization’s Managers
• Organization’s managers are responsible for the assessment of the control processes
within their own areas.
– Internal and External Auditors
• IAs and EAs provide varying degrees of assurance about the state of effectiveness of the
risk management and control processes in select activities and functions of the
organization.