mario andrade internal controls and risk management english
DESCRIPTION
The speaker will cover the progress made in Ecuador in moving towards a risk-based approach to public auditing.
TRANSCRIPT
1
FACILITATOR: MARIO ANDRADE
CHALLENGES OF THE INTERNAL AUDITOR IN THE DESIGN AND IMPLEMENTATION OF
INTERNAL CONTROL AND RISK MANAGEMENT OF PUBLIC AGENCIES
INTERNATIONAL CONSORTIUM ON GOVERNMENTAL FINANCIAL MANAGEMENT
(ICGFM), 24TH ANNUAL INTERNATIONAL
MIAMI, MAY, 2010
2
SHARE A MODEL OF INTERNAL CONTROL BASED ON RISK MANAGEMENT, APPLICABLE TO ANY PUBLIC OR PRIVATE ENTITY, WITH OR WITHOUT GREATER STATISTICAL INFORMATION.
IT WILL BE MOSTLY PRACTICE.
GOAL AND METHODOLOGY:
3
HOW MUCH DO YOU KNOW ABOUT INTERNAL CONTROL?
1. A LOT
2. A LITTLE
3. NOTHING
QUESTION 1
4
HOW MUCH DO YOU KNOW ABOUT INTEGRAL RISK MANAGEMENT?
1. A LOT
2. A LITTLE
3. NOTHING
QUESTION 2
5
IT SHOULD BE LED BY THE HIGHEST AUTHORITY
IT COMMITS THE WHOLE ORGANIZATION
IT INVOLVES ALL PROCESSES AND ACTIVITIES
IT ALLOWS MEETING GOALS EFFICIENTLY AND ETHICALLY
IT PROVIDES RELIABLE, USEFUL INFORMATION
IT PROMOTES ENFORCEMENT OF STANDARDS
IT SAFEGUARDS RESOURCES
IT INCREASES GOVERNABILITY
IT IMPROVES ACCOUNTABILITY
IT DOES NOT ELIMINATE RISKS OF MISTAKES AND IRREGULARITIES
IC MAY CHANGE IN A VERY SHORT TIME
KEY FACTORS IN INTERNAL CONTROL AND RISK MANAGEMENT
6
“With self-discipline, anything is possible.”
Theodore Roosevelt
7
SETTING OF GOALS
RESPONSE TO RISKS
EVALUATION OF RISKS
IDENTIFICATION OF EVENTS
CONTROL ACTIVITIES
COMPONENTS OF INTERNAL CONTROL AND RISK MANAGEMENT
CONTROL ENVIRONMENT
INFORMATION AND COMMUNICATION
SUPERVISION
RESULT
MEETING GOALS – SATISFIED USERS
8
1. INTEGRITY AND ETHICAL VALUES
2. PHILOSOPHY AND STYLE OF HIGHEST
LEADERSHIP
3. ADMINISTRATIVE BOARD AND COMMITTEES
4. ORGANIZATION AND PROCESSES
5. MANAGEMENT OF HUMAN RESOURCES
6. ACCOUNTABILITY
ELEMENTS OF THE CONTROL ENVIRONMENT
9
POINTS TO EVALUATE – CONTROL ENVIRONMENT (1 of 2)
INTEGRITY AND ETHICAL VALUES
1. Approved code of ethics
2. Ethics Committee
3. Dissemination
4. Effective application; indicators, impacts, evaluation
PHILOSOPHY AND STYLE OF LEADERSHIP
1. Institutional policies and directives: ethics, transparency, human resources, organization, planning, environment, innovation and technology, RISKS;
2. Strategic planning
3. Dissemination; application; evaluation
ADMINISTRATIVE BOARD AND COMMITTEES
1. Define roles clearly: leaders-strategic processes
2. Committees: Auditing, human resources, IT …
3. Dissemination, application, evaluation
10
POINTS TO EVALUATE – CONTROL ENVIRONMENT (2 of 2)
ORGANIZATION AND PROCESSES
1. Map of processes, organizational chart, authority, powers and responsibility
2. Processes, activities, indicators, reports
3. Dissemination, application, evaluation
HUMAN RESOURCES
1. Systems and sub-systems: planning, recruitment, classification and valuing, evaluation, training…
2. Manuals, instructions…
3. Dissemination, application, evaluation
ACCOUNTABILITY
1. Systems and tools
2. Do not confuse work reports with RdC
3. Dissemination, application, evaluation
11
1. VERY COMMITTED
2. SOMEWHAT COMMITTED
3. NO COMMITMENT
HOW WOULD YOU RATE THE COMMITMENT OF THE HIGHEST AUTHORITY OF YOUR INSTITUTION TO STRENGTHENING
INTERNAL CONTROL?
QUESTION 3
12
POINTS TO EVALUATE – INFORMATION AND COMMUNICATION
INTEGRATED INFORMATION SYSTEM
1. IT strategic plan
2. Integration of processes and information
3. Suppliers and users
4. Tools: COBIT-ITIL…
INTERNAL COMMUNICATION
1. Intranet
2. Security policies, privileges, protocols
3. Accessibility, updating
4. Evaluation, impacts
EXTERNAL COMMUNICATION
1. Laws and standards of transparency
2. Utilization of the web portal
3. Social control
4. Evaluation, impacts
13
POINTS TO EVALUATE -- SUPERVISION
CONTINUING SUPERVISION
1. Defined, congruent authority and responsibilities
2. Set and incorporated into processes
3. Evidences
4. Evaluations
INTERNAL AUDITING
1. Independence
2. NEW ROLE FOR THE INTERNAL AUDITOR
3. Resources
4. Audit committee
5. Reports and follow-up
EXTERNAL CONTROL
1. Coordination
2. Independence
3. Timeliness
14
1. RECOMMEND THE DESIGN AND IMPLEMENTATION OF IC
2. DISSEMINATE THE LEGAL AND CONCEPTUAL FRAMEWORK OF IC
3. PROMOTE (push) THE DESIGN, IMPLEMENTATION AND SELF-EVALUATION OF IC
WHAT DO YOU THINK THE ATTITUDE OF THE INTERNAL AUDITOR SHOULD BE TOWARD THE DESIGN AND IMPLEMENTATION OF
INTERNAL CONTROL – IC?
QUESTION 4
15
SETTING OF GOALS
IDENTIFICATION OF EVENTS
EVALUATION OF RISKS
RESPONSE TO RISKS
CONTROL ACTIVITIES
PROCESS FOR RISK MANAGEMENT
16
1. STRATEGIC, OPERATIONAL, INFORMATIONAL AND ENFORCEMENT GOALS
2. SPECIFIC GOALS AT EACH LEVEL
3. ALIGNMENT OF INSTITUTIONAL GOALS WITH NATIONAL GOALS, MISSION…
4. INDICATORS, REPORTS
5. DISSEMINATION
6. EVALUATION
POINTS OF CONTROL – SETTING GOALS
17
1. PARTICIPATION OF INTERNAL AND EXTERNAL EXPERTS
2. STATISTICAL OR QUALITATIVE INFORMATION
3. EXTERNAL EVENTS: Political, social, economic, environmental, technological
4. INTERNAL EVENTS: Human, financial, and technological resources; processes, infrastructure
5. INVENTORY OF EVENTS ASSOCIATED WITH GOALS
POINTS OF CONTROL – IDENTIFICATION OF EVENTS
18
1. POLITICAL CONTROL
2. THREATS, BLACKMAIL, OFFERS
3. LACK OF CREDIBILITY
4. BAD PRACTICES ACCEPTED BY SOCIETY AND PROFESSIONS
5. OBSOLETE OR INSUFFICIENT LEGAL PROVISIONS
6. LACK OF ALLOCATION OF RESOURCES
7. LACK OF TRANSPARENCY OF THE SYSTEM
8. INSUFFICIENT USE OF TECHNOLOGY AND NEW PROVISIONS
9. NO COORDINATION AMONG LAW-ENFORCEMENT AGENCIES
10. GOVERNMENT AGENCIES AND INEFFICIENT CONTROL
11. SOCIETY WITHOUT TOOLS TO EXERCISE SOCIAL CONTROL
12. GENERAL RESISTANCE TO CHANGE
13. ….
GOAL. INCREASE USER SATISFACTION BY 25%. EXTERNAL EVENTS
19
1. DEFICIENT SYSTEM OF HUMAN RESOURCES
2. UNETHICAL BEHAVIOR OF PERSONNEL
3. LACK OF PROFESSIONAL COMPETENCE
4. LOW SALARIES
5. INADEQUATE ORGANIZATION
6. ABSENCE OF PROCESSES AND PROCEDURES WITH INDICATORS
7. LACK OF ADEQUATE, TIMELY SUPERVISION
8. NO SANCTIONS APPLIED OR RULES MAKE APPLICATION DIFFICULT
9. LACK OF INVESTIGATION PLANS
10. INVESTIGATION WITHOUT INTENSIVE USE OF TECHNOLOGY
11. NEW FORMS OF INVESTIGATION HAVE NOT BEEN INCORPORATED
12. INADEQUATE OR INSUFFICIENT RESOURCES AVAILABLE
13. ……
GOAL. INCREASE USER SATISFACTION BY 25%. INTERNAL EVENTS
20
1. MEASURE PROBABILITY
2. MEASURE IMPACTS
3. PREPARE THE RISK MAP WITH THE PARTICIPATION OF THOSE DIRECTLY INVOLVED
4. RISK MANAGEMENT MUST BE STARTED EVEN WITHOUT STATISTICAL INFORMATION
POINTS OF CONTROL – EVALUATION OF RISKS
21
RISK MAP (figure): axes are Impact (Low, Medium, High) and Probability (Low, Medium, High); regions are "Excess of acceptable risk" and "Within acceptable risk"
EXPLANATION
22
“THE APPROACH THAT WE HAVE TAKEN IN FINANCIAL AND BUSINESS RISK IS TO TRY TO QUANTIFY WHAT WE CAN AND NOT
NECESSARILY WORRY ABOUT EVERYTHING THAT WE CANNOT CAPTURE IN OUR MEASUREMENTS”
DIRECTOR OF CORPORATE FINANCES MICROSOFT CORP. 2006
23
POINTS OF EVALUATION – RESPONSE TO RISKS
1. ACCEPT
2. PREVENT
3. SHARE
4. REDUCE
5. LEAVE EVIDENCE OF COMMITMENTS
24
POINTS TO EVALUATE – CONTROL ACTIVITIES
1. ACTIONS TO MITIGATE RISKS
2. REDUCE MISTAKES OR IRREGULARITIES
3. RAISE THE POSSIBILITY OF MEETING GOALS
4. POINTS OF INTERNAL CONTROL, NOT ONLY FINANCIAL AND ADMINISTRATIVE, BUT RATHER MISSION OPERATIONS
5. POINTS OF SOCIAL CONTROL
6. INSPECTIONS, VERIFICATIONS, CONCILIATIONS, CONFIRMATIONS, SUPERVISION, INFORMATION, ACCOUNTABILITY, SEPARATION OF FUNCTIONS, ELECTRONIC AND MANUAL CONTROLS…
25
1. CODE OF ETHICS FULLY APPLIED – EXAMPLE OF AUTHORITIES
2. ETHICS COMMITTEE AT WORK TO HANDLE COMPLAINTS
3. FACILITATE THE RESPONSIBLE SUBMISSION OF COMPLAINTS
4. TRANSPARENT SYSTEM OF HUMAN RESOURCE MANAGEMENT
5. ORGANIZATION BY PROCESSES
6. COMPLETE MANUAL OF PROCESSES AND PROCEDURES
7. INTEGRATED SYSTEM OF INVESTIGATION AND ACCUSATION
8. USE OF TECHNOLOGY IN THE PRE-PROCESS AND PROCESS STAGES
9. OBJECTIVE, PERMANENT SUPERVISION
10. USE OF INDICATORS AND INFORMATION SYSTEMS
11. OBJECTIVE EVALUATIONS AND PROFESSIONAL CAREERS
12. GOVERNMENT POLICY TO PROVIDE RESOURCES**
13. MODERNIZE THE RULES **
14. ……
CONTROL ACTIVITIES
MATRIX FOR THE RISK MANAGEMENT PROCESS
• GOAL: Have recommendations met by 95%
• ACCEPTABLE RISK: 95%; RISK TOLERANCE: 5%
SCALE: H = High 3; M = Medium 2; L = Low 1
RESPONSE: P = Prevent; A = Accept; R = Reduce; S = Share
COLUMNS: EVENTS; PROBABILITY (H M L); IMPACT (H M L); EVALUATION; RESPONSE TO RISKS; CONTROLS
EVENT: Lack of support from top leadership
PROBABILITY: 3; IMPACT: 3; RESPONSE: R
CONTROLS: Create an Audit Committee; Approval of the PAR by the Board; Establish sanctions for failure to comply
EVENT: The report does not reach workers
PROBABILITY: 3; IMPACT: 3; RESPONSE: R
CONTROLS: Include political and operational responsible people; Put report on the Intranet-WEB
EVENT: Inadequate promotion and motivation
PROBABILITY: 3; IMPACT: 3; RESPONSE: R
CONTROLS: Involvement of audited entities in formulating recommendations; Use of the corrective Action Plan; Follow-up
26
27
DO YOU BELIEVE THAT YOU CAN PROMOTE STRENGTHENING OF THE INTERNAL CONTROL OF YOUR ENTITY?
1. YES
2. NOT VERY LIKELY
3. NO
QUESTION 5
28
Model for the design and self-evaluation of a System of
Internal Control based on Risk Management
See Example
29
NO ONE LIKES CONTROL, BUT IF ITS POSITIVE EFFECTS ARE PROVEN,
PEOPLE CAN TOLERATE IT AND SUPPORT ITS APPLICATION