Internal Audit Indonesia's

July 15, 2010

Fraud Schemes and Scenarios

Filed under: Articles on Internal Audit — internalauditindonesia @ 12:00 am

The purpose of this document is to provide a common understanding of the potential fraud schemes and scenarios that ABC Company has included in its entity-level fraud risk assessment. Each of these schemes/scenarios should be examined by the Internal Audit group and senior management from each of the functional areas within the company.

Fraud Schemes/Scenarios and Definitions

Benefits Fraud: Encompasses the receipt of benefits by employees that are not eligible, dependents of employees that are not eligible, or the receipt of benefits beyond their departure date from the company.

Bid Rigging: This scheme occurs when an employee fraudulently assists a vendor in winning a contract through the competitive bidding process. This may include related party transactions and vendor kickbacks, among other frauds.

Check Fraud: Check fraud includes the use of technology to design/reproduce bank checks and simple check forgery.

Check Theft: This scheme involves interception of a valid disbursement prior to delivery to the rightful recipient.

Collateral or Records Management: An employee with access to titles held as collateral could use them to secure personal debt or the debt of another party.

Concealment of Investing Activity: This scheme involves the failure of personnel to report investing activity for inclusion in the financial statement preparation process.

Disguised purchases: This scheme involves the utilization of company funds to make non-company related purchases. The purchase may benefit the employee or another party and is intended to have the appearance of a purchase made in the normal course of business.

Early Recognition of Revenue: Companies try to enhance revenue by manipulating the recognition of revenue. Improper revenue recognition entails recognizing revenue before a sale is complete, before the product is delivered to a customer, or at a time when the customer still has options to terminate, void, or delay the sale. Examples of improper revenue recognition include recording sales to nonexistent customers, recording fictitious sales to legitimate customers, recording purchase orders as sales, altering contract dates and shipping documents, entering into “bill and hold” transactions, holding the books open until after shipment so that the sale can be recorded in the desired period, entering into side agreements, and channel stuffing.

Earnings Management/Smoothing: The pressure to meet or beat analyst expectations may lead management to engage in dubious practices such as “big bath” restructuring charges, creative acquisition accounting, “cookie jar reserves,” “immaterial” misapplications of accounting principles, and the premature recognition of revenue. Insistence on aggressive application of accounting principles, on always being “on the edge,” and on applying “soft” methods that allow a lot of “running room” when making significant estimates in the financial reporting process all contribute to an environment that impairs or reduces the quality of earnings and breeds earnings management.

Electronic Transaction Fraud: This scheme is similar to embezzlement, but specifically relates to the diversion, theft, or misappropriation of funds that are received or disbursed electronically. This scheme may be perpetrated at the initiation point of the transaction, during transmission, or at the destination of the transaction.

Embezzlement: The property of another party is wrongfully taken or converted for the wrongdoer’s benefit. This may include theft of cash or property or the use of company assets for personal gain.

Employee Fraud: While every industry is at risk for employee fraud, the nature of the financial services industry makes it an attractive target for employees who can figure out how to work around existing or lax controls and, for example, create dummy loans, siphon money from customer accounts, or arrange to get kickbacks for providing services. This may also include fraud resulting from a “rogue employee,” e.g., the trader who manages to trade off-book and/or hide his trading losses in accounts that only he controls or from insider dealing, i.e., the use of non-public information for personal gain.

Fictitious Borrowing/Borrowing Fraud: Personnel may enter into borrowing arrangements for personal gain utilizing company credentials/collateral.

Fictitious Vendors: This scheme involves intent to divert funds to an employee or another party with no corresponding receipt of goods or services.

Fictitious/False Employees: This refers to someone on payroll who does not actually work for the company. Through the falsification of personnel or payroll records a fraudster causes paychecks to be generated to a “ghost.” The fraudster or an accomplice then converts these paychecks. The ghost employee may be a fictitious person or a real individual who simply does not work for the victim employer. When the ghost is a real person, it is often a friend or relative of the perpetrator.

Financial Statement Fraud: Misstatement(s) of an entity’s financial statements accomplished by (a) overstatement of revenue and revenue-related assets, (b) understatement of costs or expenses and their related liabilities, or (c) omission or manipulation of required disclosures, which involves violation(s) of Generally Accepted Accounting Principles (“GAAP”) and which defrauds investors or creditors of the entity by manipulation, deception, or contrivance using false and misleading financial information.

Fraudulent Account Activity: This scheme involves the manipulation of customer accounts to conceal delinquency or boost portfolio performance metrics. The scheme may involve changing receivables status to current or manipulating bankruptcy account status to boost the quality of receivables and lessen the need for a bad debt reserve.

Fraudulent Capitalization of Costs: This scheme involves the capitalization of costs that do not provide a benefit to future periods. Management may undertake this effort to delay the recognition of period expenses and lessen the current P&L impact.

Fraudulent Journal Entries: Some characteristics may include entries (1) made to unrelated, unusual or seldom-used accounts; (2) made by individuals who typically do not make journal entries; (3) made with little or no support; (4) made post-closing or at the end of a period such as quarter or year end and might be reversed in a subsequent period; (5) include round numbers; and/or (6) affect earnings. Financial statement fraud is frequently accomplished through the use of fraudulent journal entries and is a form of management override of the internal control structure. Of particular interest would be journal entries that mask fund diversion, the improper reversal of reserve accounts, the use of intercompany accounts to hide expenses, and/or the capitalization of costs that should be expensed.
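As an added illustration (not part of the original article), the six characteristics listed above can be turned into a screening routine that ranks entries for auditor review against a baseline of prior-period postings. The entry fields, the baseline thresholds, the list of earnings accounts and the sample entries are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entry:
    """One general-ledger journal line (assumed field set, for illustration)."""
    entry_id: str
    posted_on: date        # date the entry was keyed into the ledger
    period_end: date       # close date of the fiscal period it is booked into
    posted_by: str         # preparer's user id
    account: str
    amount: float
    has_support: bool      # invoice, approval or memo attached
    reversed_in_next: bool # reversed after the period closed


# Constructed: accounts whose balances flow straight into reported earnings.
EARNINGS_ACCOUNTS = {"4000-REVENUE", "5000-COGS", "6100-RESERVE"}


def baseline(history):
    """Posting frequency per preparer and per account from prior-period entries."""
    by_user = Counter(e.posted_by for e in history)
    by_account = Counter(e.account for e in history)
    return by_user, by_account


def flag_entry(entry, by_user, by_account, min_user_posts=5, min_account_posts=3):
    """Return the red flags an entry trips; the thresholds are assumptions."""
    hits = []
    if by_account[entry.account] < min_account_posts:   # (1) seldom-used account
        hits.append("seldom-used account")
    if by_user[entry.posted_by] < min_user_posts:       # (2) atypical preparer
        hits.append("atypical preparer")
    if not entry.has_support:                            # (3) little or no support
        hits.append("no support")
    if entry.posted_on > entry.period_end:               # (4) post-closing ...
        hits.append("post-closing")
    if entry.reversed_in_next:                           # ... and reversed later
        hits.append("reversed next period")
    if entry.amount != 0 and entry.amount % 1000 == 0:   # (5) round number
        hits.append("round amount")
    if entry.account in EARNINGS_ACCOUNTS:               # (6) affects earnings
        hits.append("affects earnings")
    return hits


def score_entries(entries, history):
    """Map entry id -> list of red flags, using prior entries as the baseline."""
    by_user, by_account = baseline(history)
    return {e.entry_id: flag_entry(e, by_user, by_account) for e in entries}


def review_queue(entries, history, threshold=3):
    """Entry ids with at least `threshold` flags, most flags first."""
    scored = score_entries(entries, history)
    queued = [(len(f), eid) for eid, f in scored.items() if len(f) >= threshold]
    return [eid for _, eid in sorted(queued, reverse=True)]


def _history(user, account, n):
    """Constructed prior-quarter postings: routine, supported, in-period."""
    return [Entry(f"H-{user}-{i}", date(2010, 5, 10), date(2010, 6, 30),
                  user, account, 100.0 * (i + 1) + 0.5, True, False)
            for i in range(n)]


# Constructed sample data: routine AP and revenue postings form the baseline ...
HISTORY = _history("ap_clerk", "2000-AP", 20) + _history("ctrl_smith", "4000-REVENUE", 6)

# ... and three quarter-end entries are screened against it.
CURRENT = [
    # top-side reserve release keyed by an executive after close, unsupported, later reversed
    Entry("JE-1001", date(2010, 7, 6), date(2010, 6, 30), "cfo_jones",
          "6100-RESERVE", 250000.00, False, True),
    # routine vendor invoice accrual by the usual clerk
    Entry("JE-1002", date(2010, 6, 28), date(2010, 6, 30), "ap_clerk",
          "2000-AP", 1234.56, True, False),
    # in-period revenue entry by the controller: round and earnings-related, but supported
    Entry("JE-1003", date(2010, 6, 29), date(2010, 6, 30), "ctrl_smith",
          "4000-REVENUE", 5000.00, True, False),
]

if __name__ == "__main__":
    for eid, hits in score_entries(CURRENT, HISTORY).items():
        print(eid, len(hits), hits)
    print("review queue:", review_queue(CURRENT, HISTORY))
```

Only the post-closing reserve entry reaches the default threshold; the controller's round revenue entry carries two flags and surfaces when the threshold is lowered, which is how the scoring separates routine quarter-end work from entries worth a second look.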

Fraudulent Disbursements: In fraudulent disbursement schemes, an employee makes a distribution of company funds for a dishonest purpose. Examples of fraudulent disbursements include forging company checks, the submission of false invoices, doctoring timecards and so forth.

Fraudulent Loan Setup/Funding Disbursement: This scheme involves booking loans that do not exist, or disbursing funds to fictitious customers. This scheme can inflate revenues, assets (loan receivables) and may also include embezzlement of funds.

Identity Theft: A crime in which an imposter obtains key pieces of personal information, such as Social Security or driver’s license numbers, in order to impersonate someone else.

Inflated Time Reporting: Employees may intentionally report hours that were not spent working. This may involve reporting hours for days the employee did not work, incrementing hours beyond those actually spent at work, and failing to report vacation or sick time.

Insider Trading: Insider trading is an illegal act that involves the use of non-public information to purchase/sell company stock. Insider trading most often involves executive management or financial reporting personnel who have access to company performance results in advance of public filings.

Intentional Misapplication of Payments: This scheme involves taking a customer payment and applying it to another customer, or another type of payable due from the customer.

Kiting: Check kiting is the act of writing checks against a bank account with insufficient funds to cover the check in hopes that funds will be available prior to the payee depositing the check.

Lapping: Lapping customer payments is one of the most common methods of concealing skimming. It is a technique that is particularly useful to employees who skim receivables. Lapping is the crediting of one account through the abstraction of money from another account. It is the fraudster’s version of “robbing Peter to pay Paul.”

Loss Allowance Manipulation: The scheme involves changing allowance calculation assumptions, changing input data, or simply changing the end result of the allowance calculation to delay the impact of impending losses. This scheme most often must be continued over time to conceal inevitable write-offs and may lead to other fraudulent journal entries (defined above).

Manipulation of Bonus/Commission Criteria/Results: This scheme is similar to embezzlement, but has distinct characteristics. Personnel responsible for submitting bonus/commission attainment (HR, department management) may modify compensation criteria or performance results to increase bonus/commission payouts to themselves or the employees that work for them. In many cases, this scheme is justified by management to reward employees that are perceived to be strong performers that are not rewarded by established performance metrics.

Manipulation of Derivative Position: This scheme involves the intentional misreporting of derivative position to conceal a poor business decision or simply increase earnings. This scheme can be accomplished in a variety of manners including the destruction or concealment of supporting documentation, falsifying documentation related to hedging activities, or modifying the actual position to one more favorable to the company.

Manipulation of Inventory: This scheme involves the modification of inventory records to overstate assets or failure to recognize the decline/impairment to its value. This scheme may involve the falsification or destruction of records in an attempt to substantiate activity in the period that did not occur.

Manipulation or Concealment of Trigger Reporting: This scheme involves the intentional cover up or falsification of performance reports that would otherwise result in the violation of debt covenants.

Misappropriation of Customer Payments/Funds: Often accompanies embezzlement, but is a separate and distinct offense. Misapplication is the wrongful taking or conversion of another’s property, in this case customer payments, for the benefit of someone else, whether the employee or another customer.

Misappropriation of Funds: Often accompanies embezzlement, but is a separate and distinct offense. Misapplication is the wrongful taking or conversion of another’s property, in this case company funds, for the benefit of someone else.

Misappropriation of Trustee Payments/Funds: Often accompanies embezzlement, but is a separate and distinct offense. Misapplication is the wrongful taking or conversion of another’s property, in this case trustee payments, for the benefit of someone else.

Misleading Analyst Forecasts: This scheme is perpetrated by management to conceal a pending downturn or flat revenues, or to predict a significant increase in revenue despite the lack of supporting analysis.

Overstatement of Assets: Areas where assets can easily be overstated include inventory valuation, accounts receivable, business combinations, and fixed assets:

  • Inventory valuation: the failure to write down obsolete inventory, manipulation of physical inventory counts, recording “bill and hold” items as sales and including these items in inventory
  • Accounts receivable: fictitious receivables and the failure to write-off bad debts
  • Business combinations: setting up excessive merger reserves and taking the reserves into income
  • Fixed assets: capitalizing costs that should be expensed or booking an asset although the related equipment might be leased

Proprietary Information Dissemination: This scheme involves the intentional dissemination of private company information to potential customers, vendors or suppliers that give them an unfair advantage in dealing with the company, whether applying for a loan or providing goods/services. This scheme may be coupled with other acts such as embezzlement or bid rigging (defined above).

Speculative Investing: This scheme involves company personnel, either on their own or at the direction of management, entering into derivative/hedging transactions that mitigate no specific risk. This may be an attempt to circumvent investing policies in an effort to boost earnings or to profit individually from the transaction.

Tax Evasion: The company intentionally evades payment of taxes that are otherwise owed to a taxing authority. This conduct can include, but is not limited to, the concealment of assets or income, keeping two sets of books, manipulation of quarterly payment estimates, and the destruction of books and records.

Title Fraud: This scheme involves the use of company assets, in this case vehicle titles, to secure personal/others debt. This scheme is most likely to occur with Collateral or Records Management employees due to their access to such documents.

Unrecorded, Deferred, or Understated Liabilities: The most common methods used to understate liabilities include failing to record liabilities and/or expenses, failing to record warranty costs and liabilities and failing to disclose contingent liabilities. In one high profile case, liabilities were hidden in off-balance sheet affiliates.

Other Fraud Schemes/Scenarios to Consider

Collusion with Dealers
Concealment or Manipulation of financial results and disclosures
Dealer buyback – Theft of Funds
Diversion of Funds/Misappropriation of Assets
Diversion/Misappropriation of Funds
Diversion/Theft of Disbursements
Electronic Payments Fraud
Failure to Record/Remit Payroll Taxes
Failure to Remit Ancillary Product Refund to Customer
False Repo Agent Invoices
Falsification of Expense Reports
Fraudulent Auction Invoices
Fraudulent Repo Agent Invoices/Auction Expenses
Fraudulent Settlement Negotiation
Improper Re-Aging Accounts to Current
Initiation of Fraudulent Check
Manipulation of Assumptions Utilized by Financial Reporting
Manipulation of Bank Account Status
Manipulation of Estimates to Alter Quarterly Tax Payments
Manipulation of Payroll Records
Manipulation of Performance Forecasting
Manipulation of Performance Results
Manipulation of Significant Accounting Estimates
Manipulation or Theft of Fees
Management Circumvention/Override of Loan Setup Controls
Principal Credit Adjustments to Increase Recoveries
Principal Credit Adjustments to Reduce/Pay-Off Loans
Related Party Purchases
Related Party Transactions
Terminated Employee Payments
Unauthorized Electronic Payments
Unsupported Top-Side Entries
Use of Resources for Personal Gain
Vendor Kickbacks

Protiviti’s Sarbanes-Oxley Section 404 Compliance Initiatives Methodology

Filed under: Articles on Internal Audit — internalauditindonesia @ 12:00 am

To comply with Section 404 of the Sarbanes-Oxley Act, management needs a comprehensive internal controls evaluation approach. Section 404 is an annual assessment with an external auditor attestation required.

As part of this process companies have the opportunity to:

  • Understand, document and evaluate their internal control over financial reporting to comply with Section 404
  • Improve the efficiency and effectiveness of their business processes and internal controls
  • Build a sustainable, cost-effective assessment process

Protiviti has developed a phased approach to the execution of Sarbanes-Oxley Section 404 compliance. The approach is facilitated by project management, knowledge sharing, communication and continuous improvement. It applies the COSO Internal Control – Integrated Framework by taking both an entity-level and a process-level view of the business. This document provides a high level overview of Protiviti’s approach, which is illustrated below.

Set Foundation

In the Set Foundation stage, we establish the basis of the work. This includes project organization, developing a project plan, agreeing on the project approach and identifying existing internal controls documentation.

  • Organize Project
  • Develop Project Plan
  • Agree on Project Approach and Reporting Requirements

PHASE I – Assess Current State and Identify Relevant Processes

In Phase I, we conduct a risk assessment to provide the basis for selecting priority financial reporting elements and the processes feeding those elements for review. This stage also includes inventorying and reviewing existing process documentation to determine its adequacy for purposes of identifying risk and evaluating controls.

  • Complete Entity-Level Risk Assessment
  • Select Priority Financial Reporting Elements
  • Select Priority Processes
  • Inventory Existing Documentation
  • Develop Phase II Action Plan

PHASE II – Document Design and Evaluate Critical Processes and Controls

The focus of Phase II is on documenting the identified processes and the related risks and controls, and identifying potential control gaps. Process documentation is typically in narrative or flowchart form. Risk and control documentation will include identification of process risks and related controls, assessment of controls design effectiveness and assessment of controls operating effectiveness, which is accomplished through testing of controls.

  • Document Processes
  • Source Risks (Note: Sourcing the risks, or “what can go wrong,” to the achievement of assertions is THE most important part of management’s evaluation of internal control over financial reporting.)
  • Document Controls
  • Assess Design
  • Validate Controls Operation
  • Develop Phase III Action Plan

PHASE III – Design Solutions for Control Gaps

Phase III considers all of the control design and operating gaps identified in Phase II and determines the required remediation for each respective gap.

During Phase III:

Factors to consider when assessing deficiencies:

PHASE IV – Implement Solutions for Control Gaps

Phase IV entails the execution of remediation plans created in Phase III and the establishment of policies and procedures to ensure timely and accurate updating of process documentation as changes occur. This phase includes training company personnel in control gap remediation.

During Phase IV:

Critical Supporting Activities

As each phase of the SOA methodology is executed, it is important to complete certain supporting activities. These supporting activities are important to revisit throughout the process as they assist in moving SOA compliance from project to process. These activities are organized in four categories.

  • Project Management
  • Knowledge Sharing
  • Continuous Improvement

Fraud/Integrity Risk Methodology

Filed under: Articles on Internal Audit — internalauditindonesia @ 12:00 am

What Is Integrity Risk?
Key Questions Answered by the Integrity Risk Management Process
Overview of the Integrity Risk Management Process

Companies are under increasing competitive, regulatory and shareholder pressure to assess and manage their integrity risks more effectively. In the past internal auditors have investigated financial frauds and illegal acts after they have happened. While this service continues to be important, senior executives are increasingly interested in preventing such problems and avoiding serious damage to the organization’s reputation and shareholder wealth.

This methodology should not be viewed as a rigid “cookbook” of prescribed activities, which, if mechanically performed, will always produce the desired finished product. It is a flexible framework upon which internal audit teams can build, adapting their approach to their current needs and situation.

What Is Integrity Risk?

The Integrity Risk Management methodology focuses exclusively on the Integrity Risk section of the Process Risk category of the Protiviti Risk Model. The general integrity risk categories in that model are Employee Fraud, Management Fraud, Illegal Acts, Unauthorized Use and Reputation Risk. They are defined as follows:

  • Employee Fraud — employees, customers or suppliers, individually or in collusion, perpetrate fraud against the company, resulting in financial loss.
  • Management Fraud — management and/or employees issue misleading financial statements with intent to deceive the investing public and the external auditor or engage in bribes, kickbacks, influence payments and other schemes for the benefit of the organization.
  • Illegal Acts — willful violations of laws or governmental regulations. Illegal acts should be broadly construed to include, for example, violations of environmental laws or securities regulations, but should be restricted to those that are integrity related. Illegal acts committed against the organization by third parties (i.e., organized criminals) are also included. Illegal acts committed by the organization’s personnel unrelated to the company’s business activities are not relevant for our purposes, unless they create a reputation risk for the organization. See Reputation Risk below.
  • Unauthorized Use — the use of the organization’s physical, financial, information and other assets for unauthorized or unofficial purposes by employees or others (industrial espionage), resulting in loss of competitive advantage.
  • Reputation Risk — the risk that an organization may lose customers, key employees or its ability to compete or perform its business purpose, due to public perceptions that it does not deal fairly with employees, customers, suppliers and stakeholders, or know how to manage its business. (For example, a company’s lawful use of child labor to manufacture designer clothing may be damaging to its reputation with customers in some countries).

Loss of customers means the loss of future revenue streams. Loss of employees means the loss of the talent, skills and expertise needed to run and grow the business. Loss of ability to profitably compete means, ultimately, going out of business.

Reputation risk can arise as a consequence of employee fraud, management fraud, illegal acts or unauthorized use, given enough media attention and coverage. It can also arise directly from other lawful activities of the organization. It can often be mitigated by the same measures taken to manage other integrity risks.

Key Questions Answered by the Integrity Risk Management Process

Internal Auditors need to ask the right questions about integrity risks and controls in addressing the vital concerns of management. These questions include:

Overview of the Integrity Risk Management Process

The Integrity Risk Management process (see above graphic) can be applied broadly at the organization level (across many processes) or more narrowly within specific processes of an organization. There are three major components to the process, sandwiched between determining management’s expectations and communicating results.

Although the methodology is shown to be linear, the actual execution may require that certain steps be repeated or that the sequence of steps be modified.

Determine Client Expectations

The internal audit team should inquire about and document their client’s expectations. The expectations discussion is designed to:

The team inquires, during the course of its work, about the client’s expectations for the integrity risk management process, and whether those expectations have been met or exceeded. Any significant changes from what was originally agreed to, and the reasons underlying those changes, are communicated on an ongoing basis.

Understanding expectations requires a full understanding of business operations and potential fraud concerns. The team should customize the expectations discussion to reflect that understanding. One common issue is that management may not have clearly defined the goals for the integrity risk management process, which makes it difficult to establish clear expectations for the audit team. Management may in some cases obtain input from the independent directors to ensure that their expectations in this area are known and are communicated to the audit team.

During the discussion, expectations are summarized and shared with the appropriate members of the audit team. Changes in senior management, the Audit Committee, the corporate structure or the company’s condition all can impact the process of understanding expectations from year to year. The Internal Audit team should customize its approach based on the specific situation. Regardless of the approach taken, the end result should be an understanding of client expectations and a plan to meet or exceed these expectations.

Assess Integrity Risks

An organization that wants to manage its integrity risks needs first to assess the integrity risks to which it is exposed. In our experience, most organizations do not have an up-to-date evaluation of their integrity risks. If they exist at all, they may not reflect recent developments in crime trends (e.g., caused by new technology or organized criminal gangs) or their organization’s activities (e.g., new international ventures). They often do not draw on the most effective external information sources, particularly for international locations. Risk assessments also may not reflect the full measure of losses (direct and consequential) that could arise from each potential integrity risk incident.

This component of the process has four phases that together determine the integrity risks which the organization needs to mitigate through its system of controls. The four phases are: Identify Key Integrity Risks, Source Integrity Risks, Measure Integrity Risks, Reject, Transfer and Retain Integrity Risks.

KnowledgeLeader has several tools and resources to help you identify fraud and integrity risks. See More on Fraud.

Identify Key Integrity Risks

Objective: To focus integrity risk assessment on specific businesses or business units, risks, and processes.

1) Understand the industry, environment, countries of operation, business objectives, etc.
2) Identify the performance measures used in the business and review the financial performance.
3) Identify the universe of integrity risks using knowledge bases, external information sources and facilitated self-assessment (see the Self-Assessment Survey Development Tool).
4) Identify the processes wherein identified risks could occur, and the owners of those processes.
5) Filter the risks further using facilitated self-assessment by a steering committee and process owners to arrive at Preliminary Target Integrity Risks (PTIR) (to be sourced, measured and validated at a later step).
6) Obtain management agreement on Preliminary Target Integrity Risks (PTIR).

Source Integrity Risks

Objective: To determine where and how integrity risks, both external to the organization and within its business processes, manifest themselves.

1) Understand each identified business process.
2) Note any control information offered during discussions.
3) Map the process.
4) Source the PTIRs within the business process.

Measure Integrity Risks

Objective: To develop valuable information for management to use in making informed strategic decisions about integrity risk during the next phase.

1) Identify useful metrics.
2) Gather risk measurement information and determine whether the PTIR’s adverse consequences will be expressed qualitatively or quantitatively.
3) Measure the level of significance.
4) Assess the level of likelihood and determine integrity risk exposure.

Reject, Transfer and Retain Integrity Risks

Objective: To facilitate management in making strategic integrity risk decisions and selecting target integrity risks.

1) Determine management’s tolerance for the risk impact areas of a PTIR.
2) Assess the gaps between the potential consequences of a PTIR and management’s risk tolerance and determine the estimated cost of implementing the integrity risk management strategy.
3) Assist management in identifying the Target Integrity Risks (i.e., the PTIRs management chooses to retain and reduce to an acceptable level.)

Evaluate and Improve Integrity Risk Controls

In the second component, “Evaluate and Improve Integrity Risk Controls,” the adequacy of the organization’s existing controls is evaluated. The idea is to mitigate the specific integrity risks which have been identified and which the organization has elected to retain. This can be done by comparing existing controls to best practices. The design and operating effectiveness of the relevant controls should also be tested. Identify any control gaps and propose appropriate new or improved controls, then assist the client in building the improved controls into their business processes.

The types of controls that can be considered in this component include both process-specific controls and environmental controls, such as ethics programs, compliance programs, anti-fraud programs and other nontraditional measures to reduce integrity risk. Environmental controls are particularly important in mitigating integrity risk because process controls may be overridden or circumvented by a determined fraudster or thief, especially if collusion is involved.

Provide Change Management Services

In the third component, “Provide Change Management Services,” the goal is to assist the organization in establishing a self-assessment process to identify and act on changes in integrity risks as they occur. The organization’s processes should allow for the identification of potentially significant integrity risks on a timely basis, along with the assessment of whether they are being adequately mitigated to an acceptable level. The result is continuous improvement of the organization’s control processes.

Communicate Results

“Communicate Results” is shown as the last step in the linear process. However, experience has shown that frequent and ongoing communication with management is crucial and should occur throughout the process. This feedback can generate valuable additional input from management to enhance and focus remaining work.

July 14, 2010

Entity Level Controls – Risk Assessment Questionnaire

Filed under: Articles on Internal Audit — internalauditindonesia @ 9:14 am

What is risk assessment?

Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks internally and externally. Risk assessment is relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements.

What is the objective of risk assessment?

The objective of the entity’s risk assessment process is to establish and maintain an effective process to identify, analyze, and manage risks relevant to achieving business objectives and/or the preparation of reliable financial statements. The questionnaire includes the following 31 points of focus/control objectives for risk assessment entity-level controls:

COSO Attribute: Entity-Wide Objectives
Points of Focus/Control Objectives:
  • Management has a business planning process in place that examines existing objectives and establishes new objectives when necessary.
  • Management establishes business plans and budgets with realistic goals, and incentives for achievement of plans are balanced.
  • The business planning process is a bottom-up process. Each functional leader, with the assistance of their direct reports, is responsible for identifying specific goals/priorities for their areas of responsibility that will satisfy the company’s overall priorities for the year.
  • Management has established and clearly communicated the company’s mission, strategy and business objectives.
  • Objectives are communicated at the appropriate levels and are understood and adopted by the responsible parties.
  • Management has established a process to periodically review and update entity-wide strategic plans and objectives.
  • Entity-wide objectives provide sufficiently broad statements and guidance on what the entity desires to achieve, yet are specific enough to relate directly to the entity.
  • The Board of Directors reviews all entity-wide objectives and business plans, providing feedback and/or formal approval when necessary.

COSO Attribute: Activity-Level Objectives
Points of Focus/Control Objectives:
  • Activity-level objectives are linked with entity-wide objectives and strategic plans.
  • Activity-level objectives are consistent with each other (e.g., objectives for the sales organization are consistent with those of the manufacturing organization).
  • Resources are generally sufficient to achieve objectives for processes in key business functions, and plans are in place to acquire additional resources as needed.
  • Management has identified what must go right, or where failure must be avoided, for entity-wide objectives to be achieved.
  • Capital spending and expense budgets are based on management’s analysis of the relative importance of objectives.
  • Objectives serving as critical success factors provide a basis for particular management focus.
  • All appropriate levels of management are involved in objective setting and demonstrate commitment to the objectives.

COSO Attribute: Risk Identification & Management
Points of Focus/Control Objectives:
  • Management identifies risks related to each of the established objectives.
  • Management has mechanisms in place to identify business risks resulting from entering new markets or lines of business, or from offering new products and services.
  • Management identifies financial reporting risks that result from operations or from compliance with laws and regulations.
  • There have not been financial reporting or disclosure-related issues identified by internal or external auditors.
  • Management identifies fraud risk factors, including management override of controls.
  • Identifying risks includes estimating the significance of the risks identified, assessing the likelihood of the risks occurring, and determining the need for action.
  • Risks are evaluated as part of the business planning process.
  • Senior management develops plans to mitigate significant identified risks.
  • The responsibilities and expectations for the entity’s business activities, and the entity’s philosophy about identification and acceptance of business risk, are clearly communicated to the executives in charge of separate functions.
  • Risks are reviewed periodically with the appropriate corporate governance functions (e.g., executive management, disclosure committee, audit committee, and legal).
  • There are effective processes in place for sourcing, measuring and monitoring internal business risks (for example, process risk and the risk that information used for decision-making is inadequate).

COSO Attribute: Manage Change
Points of Focus/Control Objectives:
  • The business planning process includes a broad spectrum of personnel with collective knowledge of all areas of the entity.
  • The business planning process includes consideration of changes in the business environment, including the industry, competitors, the regulatory environment and customers.
  • Mechanisms exist to anticipate, identify, and react to routine events or activities that affect achievement of entity- or activity-level objectives.
  • Changes in risks are identified in a timely manner.
  • Changes are appropriately communicated to the proper level of management (depending on their significance).
  • Management has identified the resources needed to achieve the objectives and has plans to acquire the necessary resources.
  • Budgets and forecasts are updated throughout the year to reflect changing conditions such as changing market conditions, competing priorities, resource allocation, etc. These changes are clearly documented so that the reason for each change can be referenced later.

Risk Assessment Audit Work Program

Filed under: Articles about Internal Audit — internalauditindonesia @ 9:08 am

Audit Objectives

The purpose of this audit work program is to assess, at a high level, and validate key controls in place for the risk assessment component of the COSO framework. Inadequate or ineffective controls in this area may give rise to financial and operational risks.

Risks addressed in this audit work program include:

  • Management does not have a business planning process in place that examines existing objectives and establishes new objectives when necessary.
  • Management has not established business plans and budgets with realistic goals, and incentives for achievement of plans are not balanced.
  • Objectives are not communicated at the appropriate levels and are not understood and adopted by the responsible parties.
  • Management has not established a process to periodically review and update entity-wide strategic plans and objectives.
  • Activity-level objectives are not linked with entity-wide objectives and strategic plans.
  • Activity-level objectives are not consistent with each other (e.g., objectives for the sales organization are not consistent with the manufacturing organization).
  • Management does not identify risks related to each of the established objectives.
  • Management does not have mechanisms in place to identify business risks resulting from entering new markets or lines of business or from offering new products and services.
  • Management does not identify financial reporting risks that result from operations or compliance with laws and regulations.
  • Management does not identify fraud risk factors, including management override of controls.
  • Management does not estimate the significance of the risks identified, assess the likelihood of the risks occurring, and determine the need for action.
  • Risks are not evaluated as part of the business planning process.
  • Senior management does not develop plans to mitigate significant identified risks.
  • The responsibilities and expectations for the entity’s business activities and the entity’s philosophy about identification and acceptance of business risk are not clearly communicated to the executives in charge of separate functions.
  • Risks are not reviewed periodically with the appropriate corporate governance functions (e.g., executive management, disclosure committee, audit committee and legal).
  • The business planning process does not include a broad spectrum of personnel with collective knowledge of all areas of the entity.
  • The business planning process does not include consideration of changes in the business environment, including the industry, competitors, the regulatory environment, and customers.
  • Changes in risks are not identified in a timely manner.
  • Changes are not appropriately communicated to the proper level of management (depending on the significance).
  • Management has not identified the resources needed to achieve the objectives and does not have plans to acquire the necessary resources.
  • Budgets and forecasts are not updated throughout the year to reflect changing conditions.
Project Work Step
I. Audit Procedures
A. Strategic Plan
1. Obtain a copy of the five-year rolling strategic plan for (insert year) and (insert year).
2. Through inspection, verify that the strategic plan was updated for (insert year).
B. Individual Bonuses
1. Inquire with the VP-HR as to the process for determining bonus payouts.
2. Obtain documentation (policies, guidelines) related to the Incentive Compensation Plan that is in place.
C. Employee Goals
1. Inquire with VP of HR concerning the process for employees to follow for determining Critical Success Factors.
2. Obtain documentation (i.e. policies, guidelines, or communications from HR) regarding the CSF process.
D. Strategy
1. Obtain agendas, meeting minutes, documentation and plans resulting from the (insert year) offsite strategy meeting.
2. Verify that the attendees of the meeting included the top X individuals of the company.
3. Through inspection, verify that the company’s performance in relation to the strategic plan as well as strategic developments and their related benefits and risks were discussed.
E. Budget and Forecast
1. Generate a random sample of two months from the period selected for testing, (insert date) to (insert date).
2. Obtain copies of the X Report verifying it was completed for the months selected for testing.
3. Inquire with Finance personnel to verify that senior and executive management review the monthly X Report.
F. Scope
1. Obtain documentation related to the financial statement risk analysis.
G. Fraud Risk Assessment
1. Through inquiry, determine how the fraud risk assessment is performed.
2. Obtain a copy of the fraud risk assessment meeting minutes and supporting documentation.
3. Verify potential fraud scenarios and mitigating controls were discussed.
H. Mitigation of Financial Reporting Risk
1. Obtain copies of the company’s SOX documentation.
2. Through inspection, verify that plans to mitigate risks in Financial Reporting are included in the SOX documentation.
I. Disclosure
1. Generate a random sample of two quarters from the period selected for testing.
2. Obtain a copy of the Disclosure Committee member’s certification of the Quarterly Report.
3. Through inspection, verify that the Disclosure Committee performed a review of controls and information to determine disclosure requirements as evidenced via signed certification.
J. Organizational Structure
1. Obtain the Company’s documentation concerning the X System.
2. Obtain evidence that the roles within the company have been assigned complexity levels in order to determine the appropriate organizational structure.
K. Five Year Plan
1. Obtain a copy of the five-year rolling strategic plan for (insert year) and (insert year).
2. Through inspection, verify that the strategic plan was updated for (insert year).
II. Reporting Procedures
A. Compile results from this process review into a report for management to review.
B. Schedule a meeting with management and appropriate process owners to discuss results.
C. Receive sign-off from management on the report results and document action steps to address process deficiencies.

Enterprise Risk Management: Practical Implementation Ideas

Filed under: Articles about Internal Audit — internalauditindonesia @ 12:00 am

One of the most critical challenges for management today is determining how much risk the business is prepared to accept as it strives to create value. Yet, research consistently indicates that six of ten senior executives “lack high confidence” that their company’s risk management practices identify and manage all potentially significant business risks.

With the heightened focus on risk management, it has become increasingly clear that traditional risk management approaches do not adequately identify, evaluate and manage risk. Traditional approaches tend to be fragmented, treating risks as disparate and compartmentalized. These risk management approaches often limit the focus to managing uncertainties around physical and financial assets. Because they focus largely on loss prevention, rather than adding value, traditional approaches do not provide the framework most organizations need to redefine the risk management value proposition in this rapidly changing world.

Under enterprise risk management (ERM), the focus is on integrating risk management with existing management processes, identifying future events that can have both positive and negative effects, and evaluating effective strategies for managing the organization’s exposure to those possible future events. ERM transforms risk management into a proactive, continuous, value-based, broadly focused and process-driven activity.

A new approach to risk management

ERM differs from traditional risk management approaches in terms of focus, objective, scope, emphasis and application. It aligns strategy, people, processes, technology and knowledge. The emphasis is on strategy, and the application is enterprise-wide.

Under an ERM approach, management’s attention is directed to the uncertainties around the enterprise’s entire asset portfolio, including its intangible assets such as its customer assets, its employee and supplier assets and such organizational assets as its differentiating strategies, distinctive products and brands and innovative processes and systems. This expanded focus is important in this era of market capitalizations significantly exceeding balance sheet values and the desire of many companies to focus on protecting their reputation from unacceptable risks relating to potential future events.

The COSO Enterprise Risk Management – Integrated Framework, issued in September 2004, defines ERM in broad terms that underscore some fundamental concepts and provides a common language as well as guidance on how to effectively manage risk across the enterprise. Like its internal control counterpart, the COSO ERM framework is presented as a three-dimensional matrix. It includes four categories of objectives across the top: strategic, operations, reporting and compliance. There are eight components of enterprise risk management across the face of the cube. Finally, the entity, its divisions and business units are depicted as the third dimension of the matrix along the side.

This ERM framework does not replace the internal control framework. Instead, it incorporates it. As a result, businesses may decide to implement ERM to address their internal control needs and to move toward a more robust risk management process.

Why implement ERM?

ERM provides a company with the process it needs to become more anticipatory and effective at evaluating, embracing and managing the uncertainties it faces as it creates sustainable value for stakeholders. It helps an organization manage its risks to protect and enhance enterprise value in three ways. First, it helps to establish sustainable competitive advantage. Second, it optimizes the cost of managing risk. Third, it helps management improve business performance.

These contributions redefine the value proposition of risk management to a business. One way to think about the contribution of ERM to the success of a business is taking a value dynamics approach. Just as potential future events can affect the value of tangible physical and financial assets, so also can they affect the value of key intangible assets. This is the essence of what ERM contributes to the organization: the elevation of risk management to a strategic level by broadening the application and focus of the risk management process to all sources of value, not just physical and financial ones.

ERM transitions risk management from “avoiding and hedging bets” to a differentiating skill for protecting and enhancing enterprise value as management seeks to make the best bets in the pursuit of new opportunities for growth and returns. ERM invigorates opportunity-seeking behavior by helping managers develop the confidence that they truly understand the risks and have the capabilities at hand within the organization to manage those risks.

Five steps to implementing ERM:

For organizations choosing to broaden their focus to ERM, there are five practical steps for implementation. While the following steps provide a simplified view of the task of implementing ERM, the implementation process does not occur overnight and, for certain, is not easy to accomplish. ERM is a journey and these steps are a starting point.

STEP 1: Conduct an enterprise risk assessment (ERA) to assess and prioritize the critical risks.

An ERA identifies and prioritizes the organization’s risks and provides quality inputs for purposes of formulating effective risk responses, including information about the current state of capabilities around managing the priority risks. If an organization has not identified and prioritized its risks, ERM becomes a tough sell because the value proposition can only be generic. Using the entity’s priority risks to identify gaps provides the basis for improving the specificity of the ERM value proposition. The message: Avoid endless dialogues about ERM. Get started by conducting an ERA to understand your risks.

STEP 2: Articulate the risk management vision and support it with a compelling value proposition.

This step provides the economic justification for going forward. The “risk management vision” is a shared view of the role of risk management in the organization and the capabilities desired to manage its key risks. To be useful, this vision must be grounded in specific capabilities that must be developed to improve risk management performance and achieve management’s selected goals and objectives.

“Risk management capabilities” include the policies, processes, competencies, reporting, methodologies and technology required to execute the organization’s response to managing its priority risks. They also consist of what we call “ERM infrastructure.” To illustrate:

Item A. Defining the specific capabilities around managing the priority risks begins with prioritizing the critical risks and determining the current state of capabilities around managing those risks (see Step 1 with respect to conducting an ERA). Once the current state of capabilities is determined for each of the key risks, the desired state is assessed with the objective of identifying gaps and advancing the maturity of risk management capabilities to close those gaps.

Item B. ERM infrastructure consists of the policies, processes, organization oversight and reporting in place to instill the appropriate discipline around continuously improving risk management capabilities. Examples of elements of ERM infrastructure include, among other things, an overall risk management policy, an enterprise-wide risk assessment process, presence of risk management on the Board and CEO agenda, a chartered risk committee, clarity of risk management roles and responsibilities, dashboard and other risk reporting, and proprietary tools that portray a portfolio view of risk.

Here is the message: The greater the gap between the current state and the desired state of the organization’s risk management capabilities (Item A), the greater the need for ERM infrastructure (Item B) to facilitate the advancement of those risk management capabilities over time. A working group of senior executives should be empowered to articulate the role of risk management in the organization and define relevant goals and objectives for the enterprise as a whole and its business units.

STEP 3: Advance the risk management capability of the organization for one or two priority risks.

This step focuses the organization on improving its risk management capability in an area where management knows improvements are needed. Like any other initiative, ERM must begin somewhere. There are many possible starting points. Examples include:

  • Compliance with the Sarbanes-Oxley Act (specifically Sections 404 and 302 of the Act)
  • Risks other than financial reporting risk (for example, one or two priority financial or operational risks, operational risk in a financial institution, other regulatory compliance risks and/or governance reform issues, etc.)
  • Evaluating enterprise-wide risk assessment results to identify priority areas (in other words, migration to ERM begins with first selecting the priority risks and assessing the current state of risk management capabilities addressing those risks, as discussed in Step 1)
  • Integration of ERM with the management and operating processes that matter (for example, strategic management, annual business planning, new product launch or channel expansion, quality initiatives, performance measurement and assessment, capital expenditure planning, etc.)

Many public companies in the U.S. may begin their evolution to ERM with Section 404 compliance because the first-year compliance investment is significant and a company cannot have sound governance without transparency in its financial reporting. A strong focus on reliable financial reporting is a good foundation on which to build ERM capabilities. Regardless of where an organization begins its journey, the focus of ERM is the same: to advance the maturity of risk management capabilities for the organization’s priority business risks.

STEP 4: Evaluate the existing ERM infrastructure capability and develop strategy for advancing it.

It takes discipline to advance the capabilities around managing the critical risks. The policies, processes, organization and reporting that instill that discipline are called “ERM infrastructure.” We have asserted that the purpose of ERM is to eliminate significant gaps between the current state and the desired state of the organization’s capabilities around managing its key risks. We provided some examples of ERM infrastructure above when discussing Step 2. Other examples include a common risk language and other frameworks, knowledge sharing to identify best practices, common training, a chief risk officer (or equivalent executive), definition of risk appetite and risk tolerances, integration of risk responses with business plans, and supporting technology.

ERM infrastructure facilitates three very important things with respect to ERM implementation. First, it establishes fact-based understanding about the enterprise’s risks and risk management capabilities. Second, it ensures there is ownership over the critical risks. Finally, it drives closure of gaps.

ERM infrastructure is not one-size-fits-all. What works for one organization might not work for another. The elements of ERM infrastructure vary according to the techniques and tools deployed to implement the eight ERM components (see the COSO framework introduced above), the breadth of the objectives addressed, the organization’s culture and the extent of coverage desired across the organization’s operating units. Management should decide the elements of ERM infrastructure needed according to these and other appropriate factors.

STEP 5: Advance the risk management capabilities for key risks.

This step begins with selecting the enterprise’s priority risks. After the first four steps are completed, it will often be necessary to update the ERA for change. Once the priority risks are defined, based on the updated ERA, management must determine the current state of the capabilities for managing each risk and then assess the desired state with the objective of advancing the maturity of the capabilities around managing those risks. This has already been accomplished for one or two priority risks (see Step 3). Now management broadens the focus to other priority risks.

Risk management capabilities must be designed and advanced, consistent with an organization’s finite resources. For each priority risk, management evaluates the relative maturity of the enterprise’s risk management capabilities. From there, management needs to make a conscious decision: how much added capability do we need to continually achieve our business objectives? Further, what are the expected costs and benefits of increasing risk management capabilities? The goal is to identify the organization’s most pressing exposures and uncertainties and to focus the improvement of capabilities for managing those exposures and uncertainties. The ERM infrastructure management has chosen to put in place drives progress toward this goal.

Companies in the early stages of developing their ERM infrastructure often lay the foundation with a common language, a risk management oversight structure and an enterprise-wide risk assessment process. Some companies have applied ERM in specific business units. And a few companies have evolved toward more advanced stages, such as the management of market and credit risks in financial institutions and the management of compliance risks in other industries.

Wherever a company stands with respect to developing its risk management, directors and executive management would benefit from a dialogue around how capable they want the entity’s risk management to be with respect to each of its priority risks. The capability maturity model provides a scale for evaluating the maturity of an organization’s risk management capabilities. The model provides five states for rating the maturity or capability of any process ranging from “initial” to “optimizing.”

The capability maturity model is a powerful tool for evaluating sustainability. Using this model, management rates the enterprise’s capabilities in key risk areas, identifies gaps based on the level of capability desired in specific areas, and shifts the dialogue on operating metrics to incorporate appropriate emphasis on process maturity. The ERM infrastructure ensures that the rating process is fact-based and conducted with integrity by the participating risk owners.

The model provides a valuable framework for facilitating substantive dialogue among directors, management and others regarding the capability of the organization’s processes as compared to the critical risk areas identified in their risk assessments. Armed with this tool, Boards and management are able to satisfy themselves that risk management improvements are directed to the areas of greatest concern and exposure. The focus is then directed to implementing those improvements according to management’s plan over time. Again, the ERM infrastructure provides oversight to ensure that improvements are on schedule.

Managing the ERM journey

Companies evolving toward ERM should keep in mind that it is a journey, not a destination. ERM can potentially represent a sea change in organizational attitude and behavior. As with any significant change, the adoption of ERM is fundamentally a process of building awareness, developing buy-in and ultimately driving the acceptance of ownership throughout the organization. Change enablement is, therefore, a significant aspect of an ERM initiative because everyone’s perspective about risk varies.

To help ensure success, keep the following in mind when implementing ERM:

  • Develop a compelling business case linking the ERM agenda to real priority business needs; garner support from the top and manage progress against milestones over time.
  • Obtain agreement on risk management objectives and the necessary ERM infrastructure; consider relevant cultural issues and focus on enterprise-wide application.
  • Implement an effective enterprise-wide risk assessment process early.
  • Clarify process ownership issues: Who decides, who designs, who builds and who monitors?
  • Integrate risk management with the business planning process.
  • Don’t forget the true purpose of ERM infrastructure; be sure to define the future goal state of the capabilities around managing the critical risks and contrast it with the current state.
  • Use the COSO ERM components as a framework against which to benchmark ERM requirements.

Properly implemented, ERM can help organizations pursue strategic growth opportunities with greater speed, skill and confidence. Opportunity-seeking behavior is invigorated if managers have the confidence that (1) they understand the risks they are taking on and (2) the organization’s risk taking is aligned with its core competencies and risk appetite. Markets will differentiate competing organizations by the quality and extent – real or perceived – of their risk management capabilities.

Internal audit’s role in fraud prevention

Filed under: Articles about Internal Audit — internalauditindonesia @ 12:00 am

The requirement of Section 404 of the Sarbanes-Oxley Act that management of public companies issue reports on the effectiveness of internal controls over financial reporting — including fraud prevention and detection — is well known.

How to do this is another matter.

“There is a great lack of guidance with respect to exactly what should be present, how to measure effectiveness and what the threshold is for a passing score,” says Toby Bishop, president and CEO of the Association of Certified Fraud Examiners (ACFE). “So there is tremendous uncertainty among everyone working in this area.”

Because there’s no consensus on what constitutes the best internal control practices, many companies are spending much time documenting policies and procedures that have little to do with the reasons behind Sarbanes-Oxley, according to Bishop.

“People sometimes forget why this legislation was there in the first place,” he says. “This is all about protecting investors from massive financial frauds. We must focus on that issue before worrying about the small stuff.

“With respect to fraud, the problem is not documentation. It’s a fairly consistent series of major gaps in anti-fraud measures at companies. I have worked with several thousand participants in ACFE training courses, going through the ACFE Fraud Prevention Checkup. Only two of those several thousand have claimed their organization would score more than half marks in that assessment. No organization would pass the evaluation.”

Urton Anderson, a professor of accounting at the University of Texas, points out that management has the responsibility for systems, policies and procedures. Fraud is not a direct responsibility of internal audit functions. Professor Anderson, who is also the former Chairman of the IIA Internal Audit Standards Board (IASB), says, “the question becomes how can internal audit assist management?”

“They can do this through risk analysis,” he says. “The other role they play is that once fraud is suspected, they have the skills to help investigate the activity. Internal audit has a lot of things they can look at: risk assessment, risk allocation, how the organization handles tips on hotlines, because that’s where you get the most benefit. You don’t find a lot of fraud through auditing. WorldCom is an example of where internal audit found it, but that’s not something the internal audit department would routinely look at.”

Guidance for keeping fraud at bay

The Standards for the Professional Practice of Internal Auditing, issued by the Institute of Internal Auditors, state: “The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”

The IIA standards require internal auditors to assess risks facing their organizations to serve as the basis from which audit plans are devised and against which internal controls are tested. To aid in this effort, the ACFE and six other organizations — American Institute of Certified Public Accountants, Financial Executives International, Information Systems Audit and Control Association, Institute of Internal Auditors, Institute of Management Accountants and Society for Human Resource Management — have developed Management Anti-Fraud Programs and Controls: Guidance to Help Prevent, Deter and Detect Fraud.

Among other things, this document recommends that internal auditors determine whether:

  • The organizational environment fosters control consciousness.
  • Realistic organizational goals and objectives are set.
  • Written policies (for example, a code of conduct) exist that describe prohibited activities and the action required whenever violations are discovered.
  • Appropriate authorization policies for transactions are established and maintained.
  • Policies, practices, procedures, reports and other mechanisms are developed to monitor activities and safeguard assets, particularly in high-risk areas.
  • Communication channels provide management with adequate and reliable information.
  • Recommendations need to be made for the establishment or enhancement of cost-effective controls to help deter fraud.

Joseph Wells, a former FBI agent, white-collar criminologist, Certified Public Accountant and founder and chairman of the Association of Certified Fraud Examiners, has studied and stopped thousands of corporate frauds. His experience has convinced him that good internal controls are necessary but not sufficient to detect and deter fraud.

“I think controls are vital, but one thing controls don’t do well is measure the culture of the organization,” Wells says. “That is a major factor in fraud. Studies indicate that tips and complaints uncover more fraud than all other methods put together. It’s vitally important that there be a culture in the organization and a method of reporting so people can furnish information without fear of reprisal.”

Recognition of the importance of a culture of integrity is leading to new developments regarding what constitutes effective fraud measures, according to Bishop. New tools are needed because recent experience has shown that senior managers, who commit more than 80 percent of financial statement frauds, frequently override traditional internal controls.

Bishop suggests the use of new survey tools to measure an organization’s ethical environment and propensity for wrongdoing. These surveys would be sent to a statistically valid sample of employees. In a Fortune 100 company, for instance, the survey would go to several thousand employees.

It would ask a series of questions which, according to Bishop, research has shown to be reliable indicators of the integrity of the workplace. Questions would probe whether employees believe management would support them if they raised concerns about wrongdoing or if they would be punished or suffer retribution.

“These survey techniques have been used to evaluate ethics programs in large organizations,” Bishop says. “They can be effective in identifying environments that are vulnerable to wrongdoing. They provide extremely valuable data for audit committees. It can be argued the use of these tools is critical for performing a meaningful evaluation under Section 404. Yet from what I hear, adoption of these tools has been extremely limited.”

Bishop says that in the current climate, benchmarking against peer companies is often a misleading exercise, because most companies are similarly unprepared. For this reason, persons with deep knowledge about preventing and detecting fraud have never been in greater demand. He recommends that most organizations have a certified fraud examiner on their internal audit staff. “There is a pressing need for more certified fraud examiners or other fraud experts to help companies and independent auditors to cope with the large amount of catching up that is necessary to implement world-class fraud prevention and detection measures,” Bishop says.

There are 14,500 certified fraud examiners, about half the ACFE membership. The number of applicants to the certified fraud examiner program is up 40 percent from a year ago, according to Bishop. That followed a 50 percent jump the year before.

“There has been an explosion of interest in learning about fighting fraud effectively, which has been largely driven by the corporate scandals and need to rebuild public trust in financial reporting and auditing,” Bishop says. “We don’t pretend we can prevent or detect all frauds. But we know that with knowledge we can do a much better job.”

The ‘perception of detection’
Wells says one way internal auditors can do a better job is to “take a higher stance. Let people in the organization know you are looking for fraud and welcome information from employees who have suspicions. This is what actually prevents and deters fraud. It’s a concept we call the perception of detection.”

His skepticism over the ability of internal controls by themselves to rein in fraud ties in with the Statement on Auditing Standards 99 (SAS 99), issued in 2002 by the Auditing Standards Board of the American Institute of Certified Public Accountants. AICPA standards apply to the external audits of public companies but may be used by internal auditors. The Institute of Internal Auditors endorses but does not require SAS 99.

SAS 99 emphasizes that auditors should exercise professional skepticism and identify risks that may result in a material misstatement due to fraud by brainstorming, asking management and performing analytical procedures. It also stresses that auditors should assess the risk of fraud after taking into account an evaluation of the firm’s programs and controls and says the audit should be adapted based on the findings.

Internal auditors can help their companies prepare for the SAS 99-related procedures the external auditors will undertake for the financial statement audit. They also can undertake the procedures directly within their own non-financial and operational reviews to assure management that anti-fraud programs are working.

Key provisions of SAS 99 include:

  • Increased emphasis on professional skepticism.
  • Discussions with management and other personnel.
  • Unpredictable audit tests.
  • Responding to management override of controls.

Understanding SAS 99’s anti-fraud thrust
Anti-fraud programs and controls as discussed in SAS 99 include the following major elements:

Creation and maintenance of a culture of honesty and ethics. SAS 99 states that management needs to set the ethical culture through both their daily words and actions.

Evaluation of fraud risks and implementation of risk mitigation. Fraud risk factors are included in SAS 99 and are separated into the areas of fraudulent financial reporting and asset misappropriation. Responses may include preventative controls (reducing the opportunity to commit fraud); mitigation controls (reducing the impact of potential fraud); and transference (selecting appropriate fraud insurance such as a fidelity insurance policy).

Development of an appropriate oversight process. SAS 99 says internal and external parties need to oversee the risk of, and responses to, fraudulent financial reporting. It also says employees should be able to communicate wrongdoing without fear of retribution and calls for independent verifications by internal and external auditors to ensure controls are operating effectively.

Marie Hendrixson, a Protiviti managing director in Philadelphia, recommends internal auditors use SAS 99 as a “tool kit.” Codes of conduct, ethics hotlines, whistleblower programs, hiring and employee screening processes, fraud investigation/remediation and fraud risk assessment all should be open to internal audit review, she says.

“Even in situations where a company has a separate forensic audit group, this group should use internal audit as a resource,” Hendrixson says. “Internal audit is in the field daily and therefore is in the best position to assess areas of potential fraud.”

Where to turn for more anti-fraud information

The Association of Certified Fraud Examiners offers a “Fraud Prevention Checkup,” a series of questions with scoring criteria to help organizations determine fraud vulnerabilities.

The checkup and other useful information may be viewed at the association’s Web site.

The New Risk Imperative – An Enterprisewide Approach

Chapter 1 of The 2004 Handbook of Business Strategy

CEOs face many challenges. They must focus and motivate their organizations to capitalize on emerging opportunities. They must continually invest scarce resources in the pursuit of promising — though uncertain — investments and business activities. They must manage the business in the face of constantly changing circumstances. And as they do all of these things, they must simultaneously be in a position to confidently assure investors, directors and other stakeholders that their organizations manage risk in today’s demanding global marketplace.

Our premise is this: An enterprisewide risk management process (EWRM) will help CEOs increase their confidence that all potentially significant business risks are identified and managed. Your organization needs an enterprisewide process to bring risk into balance as a strategic imperative in a complex and fast-changing world. This chapter focuses on the trends driving what we call the new risk imperative, and provides an overview of the key elements of an enterprisewide approach to managing the critical risks and creating and protecting enterprise value.

Five trends driving the new risk imperative

We see five key trends raising the bar for risk management.

Trend No. 1: The assets used to create value are changing. Business models are changing radically, increasing the emphasis on sources of value that are neither owned nor ownable, and reducing costs of capital and entry. These assets are your customers, employees and suppliers, as well as such organizational assets as your distinctive brands, innovative processes, proprietary information systems and differentiating strategies. These intangible assets may very well present the greatest source of enterprise value. Likewise, they may present the greatest source of risk.

The increasing significance of these strategic assets presents challenges because, even today, the traditional risk management model as deployed by most companies – perhaps even yours – focuses primarily on the physical and financial assets on the balance sheet and the related contractual obligations. As power shifts from suppliers to consumers, innovative companies are altering the competitive balance in their respective industries through revolutionary business models built on relationships and innovative uses of technology. The risks associated with these new business models elevate the importance of risk management in creating and protecting enterprise value.

Is your business model focused on the right strategies that emphasize your strategic assets, competitive strengths and core competencies? Are you managing the risks to your reputation, brands, channels, supply chain, knowledge capital and intellectual assets just as you manage the risks to your tangible physical and financial assets? How do you know?

Trend No. 2: The meaning of risk is changing. The increasingly complex business environment is creating a paradox. Risk is more significant than it has ever been, and yet it is less understood than ever before. In the past, most organizations tended to see risk as something to avoid with the objective of preserving value. Past conventions and attitudes about “risk as a threat” have resulted in a narrow view of the role of risk management in a business, a view that ignores reality.

Unless companies take risks, they die. To be successful, they must be open, positive and proactive about the risks they face. That is why the traditional risk management model, while perhaps good for companies in the past, is no longer good enough as they face an uncertain future. Companies and investors that see risk management as a differentiating asset are focused on the future and on the possibilities of what could happen if they manage risk effectively — not just what might go wrong if they don’t. Thus companies need to be more systematic in their approach to assessing and managing risk.

Have you discarded the notion that risk is something unwelcome or to be avoided? Are you embracing risk as thoughtfully and as thoroughly as you can to gain competitive advantage, improve business performance and achieve your strategic goals? Are you concentrating on the value that accepting and managing risks can create and not just the costs that might be incurred?

Trend No. 3: The approach to managing risk is evolving. As competitive and other external forces drive the call for improving risk management, new risk management processes and tools are emerging. These include more robust risk identification techniques, more effective risk measurement methodologies, better information management tools, and increasingly effective scenario analysis and planning. As a result of these and other developments, business risk management is evolving to a more holistic, comprehensive and integrated approach, an approach that is truly enterprisewide. Companies are teaching their people to manage risks – all kinds of risks – with common methods, processes and tools that can be adapted to new and emerging circumstances. These risk management methods, processes and tools are being integrated within key business processes, such as strategic management and business planning.

Is your company utilizing effective tools to continually identify, source and measure its risks? Is it allocating capital to the best prospects for earning acceptable risk-adjusted returns? Is it capturing, aggregating and utilizing all data and information relevant to measuring and managing risk? Is it betting on a single forecast or even on a few discrete scenarios? Are business planning and risk management separate appendages? If an adverse scenario occurs, do you know in advance what actions you will take?

Trend No. 4: The role of risk management in strategy is growing. Change is no longer linear, but exponential. Technologies, customer loyalty and labor markets are changing more rapidly over time, behaving in a manner resembling the volatility of commodity, currency and equity markets. In addition, just-in-time inventory, sole sourcing, outsourcing, Internet-based sales and procurement are just a few of the increasingly prevalent practices that provide points of focus for strategists. While the Internet and related technologies are having a major impact on external relationships and commercial transactions, their impact on internal operations and communications is increasingly pervasive.

To be successful, companies must innovate and deliver products and solutions that create new sources of value for their customers or markets; otherwise, they will lose ground to nimbler, more creative rivals. As companies increasingly sell, promote, procure, design, distribute, plan – in general, conduct all business virtually and electronically – effective risk controls and contingency plans become essential, particularly in the post-September 11 era. Never-ending innovation also gives rise to new risks that should be evaluated in virtually real time. Unless these risk management considerations are factored into the business plan, they won’t be addressed. Business planning is a fluid, dynamic process. Risk management augments that process.

Do you know your greatest strategic risks and opportunities today as they evolve? Is your organization and culture capable of adapting to change? Is it able to quickly adjust its strategies to capitalize on profitable growth opportunities and respond to competitive and other risks? As you adopt new practices, have you also evaluated the new risk-return trade-offs of using them? Have you considered the “unthinkable scenarios” in your evaluations of the future?

Trend No. 5: The demands of external stakeholders are increasing. The ability to define a company’s future in terms of its opportunities – not to mention its ability to manage its destiny in an uncertain environment – is a powerful driver of share price. The emphasis on improving corporate governance and transparency in reporting is leading to increased accountability for boards, CEOs and other senior executives. As a result, many directors and executives are searching for more comprehensive, holistic techniques that give them greater confidence that their organizations are identifying, measuring, controlling and monitoring risk. Too often the focus is on reacting to financial disasters: “Can what happened to them happen to us?” But as investor and regulator “need to know” heightens, as the volume of calls for transparency in financial reporting increases and as competitors develop and communicate increasingly value-added business models, it is imperative that boards demonstrate equal competence in managing both the “upside” and the “downside.”

Are you satisfied with your certification process? Are you prepared to communicate in a public forum what your company’s risks are and how effectively you are managing them? Will your revelations inspire confidence or raise more questions than they answer? Is your reporting keeping investors informed with no surprises? Should you wait until the board starts asking these and other related questions before taking action or, conversely, should you take proactive steps to address them now?

The new risk imperative – an enterprisewide approach

In this ever-changing environment, every organization has a business model – and certainly your organization’s business model is critical to differentiating itself in the marketplace and positioning for success. But traditional business models often treat risk as an afterthought. Ultimately, it is your company’s ability to manage the risks inherent in its business model that will determine whether or not it succeeds. Risk management, effectively integrated into strategic management processes, makes business plans more robust.

Risk management forces a fresh perspective. No organization, however large and capable and no matter how bright and smart its management, is immune to change. That is why risk should be an active part of the business strategy agenda with a balanced focus on the upside as well as the downside. Understanding the consequences of inaction versus action helps managers see the full picture, particularly as the lifecycles of business models compress in the global economy.

An EWRM process will help CEOs and their teams improve the linkage of risk and opportunity and position business risk management as a source of competitive advantage. Organizations need a new, strategic business process to bring risk into balance as a strategic imperative in a complex and fast-changing world.

What is EWRM? It is a structured and disciplined approach to managing risk. It aligns strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties the organization faces as it creates and protects enterprise value. “Enterprisewide” is a truly holistic, integrated, forward-looking and process-oriented approach to managing all key business risks and opportunities – not just financial ones – with the intent of maximizing shareholder value for the enterprise as a whole. It is an elimination of functional, departmental or cultural barriers.

In an EWRM environment, risk and opportunity are inextricably tied to one another. It is a shift from traditional risk management approaches in which the focus is fragmented, risk is a negative, reactive and ad hoc behavior is the norm, and the risk management activity itself is transaction-oriented (or cost-based), narrowly-focused and functionally-driven. Proponents of EWRM realize that risk management is neither an afterthought nor an appendage to the organization’s core business.

EWRM is not a “one-size-fits-all” solution. That is because every company is different. The components of EWRM will be different, as defined by the company’s business model and strategies, organizational structure, culture, risk appetite and dedicated resources. However, most companies undertaking a journey to implement EWRM are focused on seven essential tasks. These tasks are illustrated using the process at right. These tasks begin with setting goals and objectives, defining a common language and implementing an effective oversight structure for risk management. With that as a foundation, the remaining tasks form an ongoing process – assess risk, develop strategy, design and implement capabilities, monitor performance, and continuously improve the process. All of these tasks are supported by information for decision-making.

Establish goals, objectives and oversight — Under EWRM, clearly articulated goals and objectives are vital to success. Management aligns these goals and objectives with overall business objectives, strategies and performance goals, and communicates them throughout the enterprise with crisply written policies. EWRM is built on a well-defined organizational oversight structure, with clarity on process ownership a prime focal point. Risk management responsibilities, authorities and accountabilities are assigned to appropriate personnel so that everyone understands his or her respective role from the highest levels of the organization down. Senior management ensures that the entrepreneurial “money making” activities and restraining control activities are carefully balanced so that neither one is disproportionately strong relative to the other.

Assess business risk — As managers compete within their organizations for funding to fuel new investments and projects, a process is needed to separate emotion from fact. In an EWRM environment, risks are systematically identified and sourced by executives who operate in an open, positive and proactive environment and are accountable for their choices. The key managers rigorously measure the risks that matter on an aggregated basis. Priority risks are clearly understood, including the risks affecting the organization’s intangible sources of enterprise value. These sources of value include the company’s customer base, its distribution partners, its supply chain, its innovative processes and systems, its proprietary knowledge capital, and other intellectual property, the risks to which are acknowledged just as fully as the risks to its physical and financial assets.

An effective risk assessment requires three things – skillful risk owners, a common risk language and a forward-looking, continuous process for identifying, sourcing and measuring risks and opportunities. These elements are applied consistently across the enterprise to understand the nature of the priority risks impacting on business objectives, strategies and performance, including the root causes or drivers of those risks to provide a basis for measuring, controlling and monitoring them. Individual and aggregate risks taken are priced in terms of capital, earnings and cash flow at risk. Once a consistent risk assessment framework is developed and implemented, risk aggregation and comparison across the different types of investments, products and business units that matter to management becomes possible. Capital allocation techniques become more meaningful in their application.

Develop risk management strategies — Management has to make choices about how to manage priority risks. A systematic process is needed to bridge the gap between risk identification and implementation. Such a process should be integrated tightly with the key elements germane to managing a business, such as:

  • the organization’s business objectives, business strategy, structure and culture;
  • the decision-making processes that are vital to value creation;
  • the process for formulating business strategy;
  • the measurement and monitoring of organization performance; and
  • the organization’s approach to continuous process improvement.

Under EWRM, the process for deciding the appropriate risk strategy takes an enterprise view rather than a unit or functional view, and considers all available options for managing risk so that the selected strategy optimizes risk and reward for the enterprise as a whole. The tired old “this is the way we’ve always done it” mantra is ruthlessly cast away. Fresh thinking is the order of the day because the competitive marketplace demands no less. Decisions to transfer or accept risks are evaluated on both a standalone and an aggregate basis, leading to more cost-effective hedging through a better understanding and exploitation of diversification opportunities. They also lead to more focused relationships with risk underwriters. For example, considering natural internal offsets and changes in operating and borrowing practices can reduce the need for hedging through financial derivatives.

“Risk owners” are responsible for developing and assessing risk management alternatives and selecting the appropriate strategy. Through a structured approach to evaluating risk management options, they work with business-unit operators to evaluate risk/reward trade-offs and the effectiveness of alternative strategies to bring risk into balance with established risk parameters and limits. They decide what must be done to execute the selected risk strategy, design the capabilities for executing the strategy, and monitor performance to ensure the capabilities are executed according to design and achieve the desired objectives. They share knowledge and best practices, enabling the enterprise to learn once and capture intellectual capital.

Design and implement risk management capabilities — Risk owners decide and design the processes, competencies, reporting, methodologies and systems that execute the selected risk strategies and policies. They ensure such capabilities are built and executed, and are integrated with processes for managing the business. Finite resources are efficiently allocated to the most significant risks; therefore, redundant and unnecessary risk controls are eliminated.

Monitor performance — Effective monitoring enables managers to answer the question, “how do you know?” Risk owners and executive managers create performance measures to monitor the design and operational effectiveness of risk management capabilities, including risk controls. Monitoring adds value because it helps managers do a better job running the business. Relevant, actionable business-unit information is gathered, evaluated and reported on a standardized basis for monitoring purposes, including formalized reporting to the board and appropriate levels of management. A continuous review process is in place to monitor achievement of objectives, execution of strategies, compliance with policies and identification of evolving “best practices” for managing risk. Executive management also monitors the monitoring processes deployed by owners of “mission critical” risks. Internal audit plays a value-added role in the monitoring process.

Continuously improve risk management capabilities — Business risk management is a process. As with other business processes, managers and risk owners (who are the process owners) continuously improve it as conditions change over time. Executive management and directors monitor plans for improving risk management through final completion. Benchmarking, education and training are a priority. The flow of knowledge and information about risk and risk management capabilities up, down and cross-functionally across the enterprise is facilitated and supported by all levels of management, and enabled by web-based tools and other technology.

Common frameworks are useful in facilitating the kind of knowledge sharing that can drive continuous improvement. Today’s information technologies – the Internet, intranets and e-mail – create tremendous opportunities to share knowledge and experience. For example, one European telecommunications firm uses cellular Internet communications technology to poll its risk owners and their teams regarding the likelihood and severity of key risks.

Support the process with information for decision-making — In an EWRM environment, directors and senior managers are in a position to confidently make informed decisions regarding the trade-off between risk and reward, and daily business decisions at the operating level are made within the context of the organization’s strategies for bearing risk. Timely, relevant information, including measures of individual risks, is aggregated into an overall “portfolio” framework or scorecard and linked to relevant measures of enterprise performance. Data and information about the effectiveness of risk management capabilities and risk control processes are provided by risk owners all over the enterprise using web-enabled feeds to data warehousing facilities. A central group then manually and electronically extracts relevant information for analysis and reporting purposes.

Summary — The single most important benefit of EWRM is to provide greater confidence and relevant summary information to the board, CEO and management that risks and opportunities are being systematically identified, rigorously analyzed and effectively managed on an enterprisewide basis – all fully aligned with the enterprise’s business model for creating value. The seven essential tasks outlined above help organizations build or improve their capabilities to master risk as they create and protect enterprise value.

Taking an enterprisewide view

The view that managers take of the scope of their responsibilities influences their view of risk. If their view is a functional one, they will manage risks to achieve functional excellence. For example, a procurement manager may focus on ensuring the availability of raw materials at the lowest possible cost without regard to the costs and risks of carrying inventory.

EWRM requires an enterprisewide view of the business and its risks and risk management capabilities. Ultimately, taking an enterprisewide view means taking aim at achieving the highest level of risk-adjusted return possible from the resources available to managers within defined enterprise boundaries. From a risk management standpoint, this view has to be consistent with executive management’s view of the organization. If management takes a centralized view of the business, an enterprise view would extend to the entire organization. On the other hand, if management has a decentralized view of the organization with different units operating autonomously, an enterprise view would apply at the unit level.

An enterprisewide view of an organization means three things:

  • First and foremost, it means that when managers make choices, they consider the best interests of the organization as a whole. Every decision made is meant to improve the organization as a whole, and not just any particular segment. This level of understanding is difficult to achieve because, for many companies, the predominant command and control culture facilitates information flows up and down, but rarely horizontally. That this is difficult does not justify ignoring it.
  • Second, it means that the objectives and incentives of individuals are aligned with the organization’s performance measurement systems. An enterprisewide view requires management to recognize, measure and reward decisions that consider the organization’s overall interests. A systematic enterprisewide approach to managing risk can create dysfunctional behavior if the objectives and incentives and the firm’s performance measurement systems do not also reflect a similar enterprisewide perspective. If the performance of different managers is not assessed and rewarded according to an enterprisewide view, how can these managers be expected to evaluate risks and make decisions according to an enterprisewide perspective?
  • And third, it means that the tools and measures used by key decision-makers at all levels of the organization reflect an enterprisewide view. Risk management goals, objectives, policies and processes must be consistent with the view of the organization being managed. If management’s focus is primarily directed to the success of specific operating units, then the policies and processes for managing risk should likewise be directed to such units. The challenge here is avoiding needless redundancy in risk management capabilities across multiple units. In cases where there are risks common to multiple units, it may make sense to organize a strategic risk unit to develop and deploy the required risk management skills, methodologies and systems managing one or more key risks inherent in the business model. Then the enterprise is able to act quickly, as conditions and circumstances change, with the knowledge that it has the competencies to effectively manage the risks undertaken.

An enterprisewide view, through which every decision made is meant to improve the institution as a whole and not just a particular part, is not new. Global banks have been taking such a view for years in managing their market risk and credit risk. For example, they find that aggregating the risks relating to their trading positions and loan portfolios makes sense when shocks occur from time to time in the currency markets.

The value proposition

EWRM helps a company manage its risks to create and protect value in three ways. First, it helps to establish sustainable competitive advantage. Second, it optimizes the cost of managing risk. And third, it improves business performance. These contributions redefine the value proposition of risk management to a business by elevating risk management capabilities to a strategic level. They also lead to possibly the single greatest contribution risk management can make to the success of a business: instilling greater confidence in the board, CEO and executive management that risks and opportunities are being systematically identified, rigorously analyzed and exploited on an enterprisewide basis consistent with the business model for creating and protecting enterprise value. Moreover, in an EWRM environment, the company gains confidence that the business model and its underlying assumptions are continually challenged and refined in a dynamic cycle of continuous change.

We have discussed the trends that are driving a more strategic approach to managing risk. We have explored the essential tasks of assessing, managing and monitoring risk and what is required in taking an enterprisewide view in implementing these tasks. We also discussed the benefits of EWRM. In the next chapter, we explore the steps to take when implementing an EWRM solution.

Capability Maturity Model (CMM)

The Capability Maturity Model (CMM) is a framework that describes an improvement path from an ad-hoc, immature process to a mature, disciplined process focused on continuous improvement. The CMM defines the state of a process using a common language that is based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model. The CMM consists of a continuum of five process maturity levels, enabling process owners to rate the state, or maturity, of a given process as Initial, Repeatable, Defined, Managed or Optimizing. It applies to any process within an organization and, when applied effectively, improves the ability of organizations to meet goals for cost, schedule, functionality and quality and is a useful tool when communicating with stakeholders. This model establishes a yardstick against which to determine and pursue improved performance.

When applying the CMM, the process must meet all criteria to rate at a given level within the model. You are either at a stage of maturity within the CMM or you are not; there are no pluses or minuses when applying the CMM. Management must apply the criteria based upon the facts provided by the current state analysis to rate the maturity of the process. Reasonable interpretation will be needed at times, requiring the process owner and the evaluator to use professional judgment.

The CMM is not intended to be prescriptive. It does not tell an organization “how” to improve. However, its application can provide insights on change management strategy. Management can also evaluate where on the CMM the company needs to be with respect to each process. Cost and time reductions will often be prime considerations in this assessment.

When determining what improvements are needed to reach the next level of maturity, evaluators should consider the importance of the process being addressed. As the importance of a process increases, its desired capability increases. This does not mean that all processes must eventually operate at the Managed or Optimizing stage; no business has the resources to accomplish that goal. Evaluators should also consider whether the process is simple, has low volumes, involves the exercise of professional judgment or has significant conformance requirements.

The five stages of maturity depicted in the CMM are further described below. Evaluators should customize these criteria to fit the facts, circumstances and culture within the organization.

I. Initial Stage

The process is ad-hoc and occasionally even chaotic, where control is not a priority. A process at this level is not clearly defined and success depends on individual effort. While processes at the Initial Stage frequently produce outputs that work, those outputs may be over budget or the process often misses scheduled deadlines. The process is like a “black box” because there is very little transparency into it; therefore, the only way to monitor performance is through rough output measures.

A. Representative Characteristics

  • Environment is not stable, lacks sound management practices and is undermined by ineffective planning and reaction-driven activities.
  • During a crisis, planned procedures may even be abandoned and success is dependent on having an exceptional manager and an effective team.
  • When process personnel leave, their stabilizing influence leaves with them.
  • The process is often unpredictable because it is constantly changed or modified, even as work progresses.
  • Performance is dependent on the capabilities of individuals and varies with their innate skills, knowledge and motivations.
  • Performance can be predicted only from individual capability rather than organizational capability.

B. Process Maturity Evaluation Criteria

  • None. The process is ad-hoc with no defined, repeatable structure.

C. Maturity Focus for Next Level – Repeatable Stage

  • Develop a disciplined process.

II. Repeatable Stage

The Repeatable Stage marks the shift from technical knowledge and skills to organizational and managerial issues. This is what process maturity is about. In this stage, customer requirements are understood and basic policies and activities are in place to repeat key functions across segments of the enterprise. Documented processes provide the foundation for consistent processes that can be institutionalized across the enterprise with training and verification. Policies are established for managing the process and procedures are established for implementing those policies. Output measures are tracked and monitored, creating an environment that is stable and disciplined. Reliance on people continues where controls documentation still requires improvement. The focus at this stage is on improving processes before tackling organizational issues, which are addressed in the Defined Stage.

A. Representative Characteristics

  • Process managers:
    • Set realistic objectives, policies and plans for the process.
    • Enforce policies and train and direct people to practice and document the procedures.
    • Track cost, time, and performance primarily with output measures.
    • Identify problems when they arise.
  • People work more effectively by:
    • Incorporating “lessons learned” from the best staff into documented processes.
    • Building the skills to perform those processes.
    • Continually improving by learning from people performing the job.
    • Sharing successful practices that lead to more repetition across the organization.

B. Process Maturity Evaluation Criteria

  • Basic policies – A basic policy structure is established to articulate (1) process purpose and objectives and (2) roles, responsibilities and accountabilities for executing and monitoring the process.
  • Quality assurance – Activities are established to “inspect” quality to ensure that quality objectives are met as the process is improved.
  • Basic controls and management oversight – Basic internal controls are in place along with appropriate oversight activities by management.
  • Basic tracking of cost, time and quality outputs – Basic cost, quality and time output measures are in place.
  • Activity planning – Specific process activities to achieve the stated objectives and requirements are designed and documented.
  • Understanding of customer requirements – The objectives and requirements of the process are clearly understood.

C. Maturity Focus for Next Level – Defined Stage

  • Develop a standard and consistent process.

III. Defined Stage

At the Defined Stage, the process is well documented and the Six Components of Infrastructure are integrated into a standard process for the enterprise. This process includes: inputs; standards and procedures for performing the work; verification mechanisms (such as internal audit or peer reviews); and outputs and completion criteria. Policies, process, and standards are defined and institutionalized, creating a “chain of certification.” A major challenge many organizations face is designing a process that empowers the individuals doing the work without being overly rigid. Also, managers proactively anticipate risks that may arise and prepare for them.

A. Representative Characteristics

  • “Documentation and standardization” means:
    • The tasks of the process are documented well enough to be understood by process participants.
    • There is a common enterprise-wide understanding of the activities, roles and responsibilities in the process.
    • Organization-wide training is designed to ensure that staff and managers have the requisite knowledge and skills to execute the process.
  • “Integration” means:
    • Policies, process activities, skill sets, reports, methodologies and technology are integrated into a coherent whole.
    • The outputs of one task flow smoothly into the inputs of the next task.
    • When mismatches between tasks occur, they are identified and addressed in a timely manner rather than “overcome” when encountered while executing the process.

B. Process Maturity Evaluation Criteria

  • Verification mechanisms – To ensure the process is performing as intended, internal audit or independent peer group teams conduct periodic audits.
  • Cross-functional coordination – If the process cuts across functional boundaries, a cross-functional team is created to execute and monitor the process.
  • Integration of technology and data – The process design integrates systems and data as enablers to the other elements of infrastructure.
  • Integration of competencies, reports and methods – The process design integrates key elements of infrastructure, i.e., people and organization, management reports and methodologies.
  • Process training – Formal training supports and reinforces the policies and activities defining the process.
  • Organization process definition – The process is clearly defined so that everyone who has a role in building, executing and monitoring the process can understand its purpose and design.
  • Organization process focus – The entity is committed to establishing in word and deed a “process discipline,” enterprise-wide, with respect to the specific process.

C. Maturity Focus for Next Level

  • Create a predictable process.

IV. Managed Stage

The Managed Stage is characterized by “metrics, measures, and monitoring,” where risk is managed quantitatively enterprise-wide, creating a “chain of accountability.” The process is both stable and measured, although an exceptional circumstance may still occur. Both the process and its outputs are quantitatively understood and controlled. Detailed metrics of process cost, quality and time are collected, including both process measures and output measures. The objective is process control, meaning the organization should control waste and sporadic spikes. Waste arises whenever process tasks or outputs have to be reworked. When waste arises from the way a process is designed, it is “chronic.” Inevitably there is chronic waste in any process, and it requires reworking to prevent things from getting worse. Sporadic spikes arise from special causes of variation that require “fire fighting” activities.

A. Representative Characteristics

  • Productivity and quality are measured for important activities:
    • Measurement is quantitative, meaning that variability in process performance is narrowed to fall within acceptable bounds.
    • Quantitative goals are set for both outputs (output measures) and activities (process measures).
    • For established processes, meaningful variations in process performance can be distinguished from random variation (noise).
    • An enterprise-wide database is used to collect and analyze process performance data.
  • Management’s ability to predict outcomes grows steadily more precise as the variability in the process grows smaller.
  • The process operates within measurable limits, meaning:
    • Process Owner can predict trends in process and output quality within the bounds of these limits.
    • When limits are exceeded, corrective actions are taken.
    • Process outputs are predictably of high quality.
  • Risks involved in new process procedures, applications and innovations are identified and carefully managed.

B. Process Maturity Evaluation Criteria

  • Process quality management – Formal quality management techniques are applied to eliminate non-essentials and simplify and focus process activities and tasks, with the objective of making the process “best-in-class” with respect to lowering costs, compressing time, increasing quality and reducing risk to an acceptable level.
  • Quantitative process management – Appropriate process measures are put in place to augment the output measures and facilitate management of the process.

C. Maturity Focus for Next Level

  • Work on continuously improving the process.

V. Optimizing Stage

As process activities are executed, the process is continuously improved by quantitative feedback and by implementing innovative approaches. At the Optimizing Stage, there is a strong focus on continuous process improvement for controls enterprise-wide, and the organization:

  • Identifies and corrects weaknesses in a timely manner to strengthen the process.
  • Seeks to prevent the recurrence of defects by analyzing them to determine their root causes and identifying effective ways to fix them.
  • Analyzes the process to prevent known types of defects from occurring.
  • Uses data on process performance to analyze costs and benefits of new process procedures, applications and innovations.
  • Identifies and deploys innovations throughout the organization that exploit best practices.
  • Shares “lessons learned” routinely.

A. Representative Characteristics

The organization strives to continuously improve the range of its process capability. Often continuous improvement is a mindset for the entire entity. Improvements occur both by incremental advancements in the existing process and by innovations using new ideas, technologies, and methods. Common causes of variation are addressed to reduce chronic waste and sporadic spikes.

Disciplined change is a way of life, as inefficiencies and defect-prone activities are identified, eliminated, simplified, focused, and automated. At this stage, improvements are continually attempted in a controlled manner to improve productivity and quality. Process owners are able to estimate and then track quantitatively the impact and effectiveness of change.

B. Process Maturity Evaluation Criteria

  • Process change management – Process owners are continuously looking for ways to improve process performance either incrementally or through innovative breakthroughs; formal change management techniques are applied to implement changes.
  • Technology change management – As process requirements and activities change over time, there is tight control over changes in systems and data to ensure that all changes are authorized and consistent with the process owner’s tactics for process optimization.
  • Defect prevention – Process owners continuously focus on “building in” rather than “inspecting” quality through elimination, simplification and focus techniques.

C. Maturity Focus for Next Level

None. Maintenance is the key at this stage to drive continuous improvement.
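The rating rule stated earlier (a process must meet every criterion of a level to rate at that level, with no plus or minus) is mechanical enough to encode. The following is an added example, not code from the article or from any CMM tooling: the level names and the per-level criteria are the ones listed under each stage's "B. Process Maturity Evaluation Criteria" above, and the assumption that levels are cumulative (a process cannot be Defined without also satisfying every Repeatable criterion) is mine, drawn from the model being described as a continuum. The function returns both the rating and the unmet criteria for the next level, which is the gap an evaluator reports back to the process owner.

```python
"""Rate a process on the five-level CMM continuum described above.

Added example (not from the article): the level names and the per-level
evaluation criteria are taken from the text; the cumulative rule (a level
counts only if every criterion of that level AND of all lower levels is
met) is an assumption that follows from "you are either at a stage or you
are not" and from there being no plus or minus ratings.
"""

from typing import Dict, List, Set, Tuple

LEVELS: List[str] = ["Initial", "Repeatable", "Defined", "Managed", "Optimizing"]

# Evaluation criteria per level, as listed under "B. Process Maturity
# Evaluation Criteria" for each stage. The Initial stage has none.
CRITERIA: Dict[str, List[str]] = {
    "Initial": [],
    "Repeatable": [
        "basic policies",
        "quality assurance",
        "basic controls and management oversight",
        "basic tracking of cost, time and quality outputs",
        "activity planning",
        "understanding of customer requirements",
    ],
    "Defined": [
        "verification mechanisms",
        "cross-functional coordination",
        "integration of technology and data",
        "integration of competencies, reports and methods",
        "process training",
        "organization process definition",
        "organization process focus",
    ],
    "Managed": [
        "process quality management",
        "quantitative process management",
    ],
    "Optimizing": [
        "process change management",
        "technology change management",
        "defect prevention",
    ],
}


def all_criteria() -> Set[str]:
    """Every criterion name the model knows about."""
    return {c for names in CRITERIA.values() for c in names}


def rate_process(met: Set[str]) -> Tuple[str, List[str]]:
    """Return (maturity level, unmet criteria for the next level).

    `met` holds the criteria the current-state analysis found satisfied.
    A criterion that does not apply (e.g. cross-functional coordination for
    a process confined to one function) should be recorded as met by the
    evaluator, since the model has no "not applicable" rating.
    """
    unknown = met - all_criteria()
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    rating = LEVELS[0]
    for level in LEVELS[1:]:
        missing = [c for c in CRITERIA[level] if c not in met]
        if missing:
            # All-or-nothing: a single unmet criterion stops the climb.
            # Criteria met at higher levels do not count until this gap is
            # closed, so there is no such thing as "Repeatable plus".
            return rating, missing
        rating = level
    return rating, []  # Optimizing has no next level; maintain it


if __name__ == "__main__":
    # Constructed assessment (not from the article): every Repeatable
    # criterion met, every Defined criterion but one met, and one Managed
    # criterion already met. The rating is still Repeatable.
    sample = (
        set(CRITERIA["Repeatable"])
        | (set(CRITERIA["Defined"]) - {"process training"})
        | {"quantitative process management"}
    )
    level, gap = rate_process(sample)
    print(f"rating: {level}; unmet for next level: {gap}")
```

Because the function reports the gap rather than a fractional score, it matches the "Maturity Focus for Next Level" sections above: the output tells the process owner exactly which criteria to close to move up one stage, and nothing else.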

Enterprise Business Risk Management Process – Overview Framework

Enterprise business risk is defined as threats to the organization’s capability to achieve its objectives and execute its business strategies successfully. The organization’s value creation objectives define the context for management’s determination of risk management goals and objectives which, in turn, drive and focus the process of managing business risk.

Through an integrated business risk management process, senior management determines how much risk they are willing to accept when balancing risks and rewards, and allocating resources. They communicate to operating managers, risk managers and process/activity owners the level of acceptable risk (which is often described as risk appetite, risk tolerance or risk threshold).

Enterprise business risk management is illustrated broadly in the diagram below. It is a continuous process of:

  • Establishing risk management objectives, tolerances and limits for all of the enterprise’s significant risks
  • Assessing risks within the context of established tolerances
  • Developing cost-effective risk management strategies and processes consistent with the overall goals and objectives
  • Implementing risk management processes
  • Monitoring and reporting upon the performance of risk management processes
  • Improving risk management processes continuously
  • Ensuring adequate communication and information for decision making
