Companies are under increasing competitive, regulatory and shareholder pressure to assess and manage their integrity risks more effectively. In the past internal auditors have investigated financial frauds and illegal acts after they have happened. While this service continues to be important, senior executives are increasingly interested in preventing such problems and avoiding serious damage to the organization’s reputation and shareholder wealth.
- Integrity risk management will improve business performance by enhancing the processes to prevent, deter and detect fraud and illegal acts and reduce integrity risk to an acceptable level.
- Integrity risk management will improve the efficiency and effectiveness of internal auditing by assisting audit teams in identifying and addressing fraud and illegal acts risks early in their audits.
This methodology should not be viewed as a rigid “cookbook” of prescribed activities, which, if mechanically performed, will always produce the desired finished product. It is a flexible framework upon which internal audit teams can build, adapting their approach to their current needs and situation.
The Integrity Risk Management methodology focuses exclusively on the Integrity Risk section of the Process Risk category of the Protiviti Risk Model. The general integrity risk categories in that model are Employee Fraud, Management Fraud, Illegal Acts, Unauthorized Use and Reputation Risk. They are defined as follows:
- Employee Fraud — employees, customers or suppliers, individually or in collusion, perpetrate fraud against the company, resulting in financial loss.
- Management Fraud — management and/or employees issue misleading financial statements with intent to deceive the investing public and the external auditor or engage in bribes, kickbacks, influence payments and other schemes for the benefit of the organization.
- Illegal Acts — willful violations of laws or governmental regulations. Illegal acts should be broadly construed to include, for example, violations of environmental laws or securities regulations, but should be restricted to those that are integrity related. Illegal acts committed against the organization by third parties (i.e., organized criminals) are also included. Illegal acts committed by the organization’s personnel unrelated to the company’s business activities are not relevant for our purposes, unless they create a reputation risk for the organization. See Reputation Risk below.
- Unauthorized Use — the use of the organization’s physical, financial, information and other assets for unauthorized or unofficial purposes by employees or others (industrial espionage), resulting in loss of competitive advantage.
- Reputation Risk — the risk that an organization may lose customers, key employees or its ability to compete or perform its business purpose, due to public perceptions that it does not deal fairly with employees, customers, suppliers and stakeholders, or know how to manage its business. (For example, a company’s lawful use of child labor to manufacture designer clothing may be damaging to its reputation with customers in some countries).
Loss of customers means the loss of future revenue streams. Loss of employees means the loss of the talent, skills and expertise needed to run and grow the business. Loss of ability to profitably compete means, ultimately, going out of business.
Reputation risk can arise as a consequence of employee fraud, management fraud, illegal acts or unauthorized use, given enough media attention and coverage. It can also arise directly from other lawful activities of the organization. It can often be mitigated by the same measures taken to manage other integrity risks.
Internal Auditors need to ask the right questions about integrity risks and controls in addressing the vital concerns of management. These questions include:
- What are the integrity risks inherent in the business/process/product?
- Is the organization effectively assessing its integrity risks?
- What risk exposure limits should the organization have?
- How does the organization manage integrity risks? What information is needed to monitor integrity risk? Where does the information come from and how often is it obtained?
- How is integrity risk measured? Is the information currently used to measure and monitor integrity risk reliable?
- How is the organization doing in terms of balancing the cost/benefit relationship of integrity risk management? Is the organization making more money (in the short-term) by taking on abnormal or unusual levels of integrity risk exposure?
- How does the organization’s performance, regarding Integrity Risk management, compare to Best Practices and to the competition? How can the organization improve?
- Does the way the organization conducts its business expose the organization to unacceptable integrity risks?
The Integrity Risk Management process (see above graphic) can be applied broadly at the organization level (across many processes) or more narrowly within specific processes of an organization. There are three major components to the process, sandwiched between determining management’s expectations and communicating results.
Although the methodology is shown to be linear, the actual execution may require that certain steps be repeated or that the sequence of steps be modified.
The internal audit team should inquire about and document their client’s expectations. The expectations discussion is designed to:
- Help understand and respond to the expectations of management or of the group being assessed
- Help plan the work to meet/exceed the client’s expectations.
- Obtain feedback about achievement of those expectations.
- Learn how to improve upon the delivery of services.
The team inquires, during the course of its work, about the client’s expectations for the integrity risk management process, and whether expectations have been met and exceeded. Any significant changes from what was originally agreed to and the reasons underlying those changes are communicated on an ongoing basis.
Understanding expectations requires a full understanding of business operations and potential fraud concerns. The team should customize the expectations discussion to reflect that understanding. One common issue is that management may not have clearly defined the goals for the integrity risk management process, which makes it difficult to establish clear expectations for the audit team. Management may in some cases obtain input from the independent directors to ensure that their expectations in this area are known and are communicated to the audit team.
During the discussion, expectations are summarized and shared with the appropriate members of the audit team. Changes in senior management, the Audit Committee, the corporate structure or the company’s condition all can impact the process of understanding expectations from year to year. The Internal Audit team should customize its approach based on the specific situation. Regardless of the approach taken, the end result should be an understanding of client expectations and a plan to meet or exceed these expectations.
An organization that wants to manage its integrity risks needs first to assess the integrity risks to which it is exposed. In our experience, most organizations do not have an up-to-date evaluation of their integrity risks. If they exist at all, they may not reflect recent developments in crime trends (e.g., caused by new technology or organized criminal gangs) or their organization’s activities (e.g., new international ventures). They often do not draw on the most effective external information sources, particularly for international locations. Risk assessments also may not reflect the full measure of losses (direct and consequential) that could arise from each potential integrity risk incident.
This component of the process has four phases that together determine the integrity risks which the organization needs to mitigate through its system of controls. The four phases are: Identify Key Integrity Risks, Source Integrity Risks, Measure Integrity Risks, Reject, Transfer and Retain Integrity Risks.
Identify Key Integrity Risks. Objective: To focus integrity risk assessment on specific businesses or business units, risks, and processes.
1) Understand the industry, environment, countries of operation, business objectives, etc.
2) Identify the performance measures used in the business and review the financial performance.
3) Identify the universe of integrity risks using knowledge bases, external information sources and facilitated self-assessment.
4) Identify the processes wherein identified risks could occur, and the owners of those processes.
5) Filter the risks further using facilitated self-assessment by a steering committee and process owners to arrive at Preliminary Target Integrity Risks (PTIR) (to be sourced, measured and validated at a later step).
6) Obtain management agreement on Preliminary Target Integrity Risks (PTIR).
Source Integrity Risks. Objective: To determine where and how integrity risks, both external to the organization and within its business processes, manifest themselves.
1) Understand each identified business process.
2) Note any control information offered during discussions.
3) Map the process.
4) Source the PTIRs within the business process.
Measure Integrity Risks. Objective: To develop valuable information for management to use in making informed strategic decisions about integrity risk during the next phase.
1) Identify useful metrics.
2) Gather risk measurement information and determine whether the PTIR’s adverse consequences will be expressed qualitatively or quantitatively.
3) Measure the level of significance.
4) Assess the level of likelihood and determine integrity risk exposure.
Reject, Transfer and Retain Integrity Risks. Objective: To facilitate management in making strategic integrity risk decisions and selecting target integrity risks.
1) Determine management’s tolerance for the risk impact areas of a PTIR.
2) Assess the gaps between the potential consequences of a PTIR and management’s risk tolerance and determine the estimated cost of implementing the integrity risk management strategy.
3) Assist management in identifying the Target Integrity Risks (i.e., the PTIRs management chooses to retain and reduce to an acceptable level.)
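As an added illustration of the Measure and Reject, Transfer and Retain phases above (example code, not part of the methodology page), the following Python scores constructed sample PTIRs on assumed 1-4 significance and likelihood scales, compares the resulting exposure with an assumed per-impact-area tolerance, and lists the PTIRs whose gap management must decide to reject, transfer or retain. The scales, tolerance values, risk names and costs are all assumptions.

```python
# Added example: scoring Preliminary Target Integrity Risks (PTIRs) against
# management's tolerance per impact area. Scales, tolerances, risks and costs
# are constructed sample values, not figures from the methodology.
from dataclasses import dataclass

SIGNIFICANCE = {"low": 1, "moderate": 2, "high": 3, "severe": 4}  # qualitative scale (assumed)
LIKELIHOOD = {"remote": 1, "possible": 2, "likely": 3, "almost certain": 4}

@dataclass
class PTIR:
    name: str
    category: str                 # Employee Fraud, Management Fraud, Illegal Acts, ...
    impact_area: str              # e.g. "financial", "reputation", "competitive"
    significance: str             # qualitative rating of adverse consequences
    likelihood: str
    est_loss: float = 0.0         # quantitative direct + consequential loss, if known
    mitigation_cost: float = 0.0  # estimated cost of the risk management strategy

def exposure(r: PTIR) -> int:
    """Integrity risk exposure = significance x likelihood on the 1-4 scales."""
    return SIGNIFICANCE[r.significance] * LIKELIHOOD[r.likelihood]

def tolerance_gap(r: PTIR, tolerance: dict) -> int:
    """Gap between a PTIR's exposure and management's tolerance for its
    impact area; 0 when the risk is already within tolerance."""
    return max(0, exposure(r) - tolerance[r.impact_area])

def select_targets(risks: list, tolerance: dict) -> list:
    """Return (PTIR, gap) pairs exceeding tolerance, largest gap first and,
    for equal gaps, cheapest mitigation first; these are the candidates
    management must reject, transfer or retain and reduce."""
    over = [(r, tolerance_gap(r, tolerance)) for r in risks]
    over = [(r, g) for r, g in over if g > 0]
    return sorted(over, key=lambda rg: (-rg[1], rg[0].mitigation_cost))

# Constructed sample: tolerance per impact area and a few PTIRs
TOLERANCE = {"financial": 6, "reputation": 3, "competitive": 4}
SAMPLE = [
    PTIR("Vendor kickbacks in procurement", "Employee Fraud", "financial", "high", "likely", 250_000, 40_000),
    PTIR("Misstated revenue recognition", "Management Fraud", "reputation", "severe", "possible", 0, 120_000),
    PTIR("Theft of product designs", "Unauthorized Use", "competitive", "moderate", "possible", 0, 30_000),
    PTIR("Petty cash skimming", "Employee Fraud", "financial", "low", "likely", 5_000, 2_000),
]

if __name__ == "__main__":
    for r, gap in select_targets(SAMPLE, TOLERANCE):
        print(f"{r.name}: exposure={exposure(r)} tolerance={TOLERANCE[r.impact_area]} "
              f"gap={gap} est_mitigation_cost={r.mitigation_cost}")
```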
In the second component, “Evaluate and Improve Integrity Risk Controls,” the adequacy of the organization’s existing controls is evaluated. The idea is to mitigate the specific integrity risks which have been identified and which the organization has elected to retain. This can be done by comparing existing controls to best practices. The design and operating effectiveness of the relevant controls should also be tested. Identify any control gaps and propose appropriate new or improved controls, then assist the client in building the improved controls into their business processes.
The types of controls that can be considered in this component include both process-specific controls and environmental controls, such as ethics programs, compliance programs, anti-fraud programs and other nontraditional measures to reduce integrity risk. Environmental controls are particularly important in mitigating integrity risk because process controls may be overridden or circumvented by a determined fraudster or thief, especially if collusion is involved.
In the third component, “Provide Change Management Services,” the goal is to assist the organization in establishing a self-assessment process to identify and act on changes in integrity risks as they occur. The organization’s processes should allow for the identification of potentially significant integrity risks on a timely basis, along with the assessment of whether they are being adequately mitigated to an acceptable level. The result is continuous improvement of the organization’s control processes.
“Communicate Results” is shown as the last step in the linear process. However, experience has shown that frequent and ongoing communication with management is crucial and should occur throughout the process. This feedback can generate valuable additional input from management to enhance and focus remaining work.