mario andrade internal controls and risk management english

FACILITATOR: MARIO ANDRADE

CHALLENGES OF THE INTERNAL AUDITOR IN THE DESIGN AND IMPLEMENTATION OF INTERNAL CONTROL AND RISK MANAGEMENT OF PUBLIC AGENCIES

INTERNATIONAL CONSORTIUM ON GOVERNMENTAL FINANCIAL MANAGEMENT (ICGFM), 24TH ANNUAL INTERNATIONAL

MIAMI, MAY, 2010

Upload: icgfmconference

Post on 24-May-2015

DESCRIPTION

The speaker will cover the progress made in Ecuador in moving towards a risk based approach to public auditing.

TRANSCRIPT

GOAL AND METHODOLOGY:

SHARE A MODEL OF INTERNAL CONTROL BASED ON RISK MANAGEMENT, APPLICABLE TO ANY PUBLIC OR PRIVATE ENTITY, WITH OR WITHOUT GREATER STATISTICAL INFORMATION.

IT WILL BE MOSTLY PRACTICE.

QUESTION 1

HOW MUCH DO YOU KNOW ABOUT INTERNAL CONTROL?

1. A LOT
2. A LITTLE
3. NOTHING

QUESTION 2

HOW MUCH DO YOU KNOW ABOUT INTEGRAL RISK MANAGEMENT?

1. A LOT
2. A LITTLE
3. NOTHING

KEY FACTORS IN INTERNAL CONTROL AND RISK MANAGEMENT

IT SHOULD BE LED BY THE HIGHEST AUTHORITY
IT COMMITS THE WHOLE ORGANIZATION
IT INVOLVES ALL PROCESSES AND ACTIVITIES
IT ALLOWS MEETING GOALS EFFICIENTLY AND ETHICALLY
IT PROVIDES RELIABLE, USEFUL INFORMATION
IT PROMOTES ENFORCEMENT OF STANDARDS
IT SAFEGUARDS RESOURCES
IT INCREASES GOVERNABILITY
IT IMPROVES ACCOUNTABILITY

IT DOES NOT ELIMINATE RISKS OF MISTAKES AND IRREGULARITIES

IC MAY CHANGE IN A VERY SHORT TIME

“With self-discipline, anything is possible.”

Theodore Roosevelt

COMPONENTS OF INTERNAL CONTROL AND RISK MANAGEMENT

CONTROL ENVIRONMENT
SETTING OF GOALS
IDENTIFICATION OF EVENTS
EVALUATION OF RISKS
RESPONSE TO RISKS
CONTROL ACTIVITIES
INFORMATION AND COMMUNICATION
SUPERVISION

RESULT: MEETING GOALS – SATISFIED USERS

ELEMENTS OF THE CONTROL ENVIRONMENT

1. INTEGRITY AND ETHICAL VALUES
2. PHILOSOPHY AND STYLE OF HIGHEST LEADERSHIP
3. ADMINISTRATIVE BOARD AND COMMITTEES
4. ORGANIZATION AND PROCESSES
5. MANAGEMENT OF HUMAN RESOURCES
6. ACCOUNTABILITY

POINTS TO EVALUATE – CONTROL ENVIRONMENT (1 of 2)

INTEGRITY AND ETHICAL VALUES

1. Approved code of ethics
2. Ethics Committee
3. Dissemination
4. Effective application; indicators, impacts, evaluation

PHILOSOPHY AND STYLE OF LEADERSHIP

1. Institutional policies and directives: ethics, transparency, human resources, organization, planning, environment, innovation and technology, RISKS
2. Strategic planning
3. Dissemination; application; evaluation

ADMINISTRATIVE BOARD AND COMMITTEES

1. Define roles clearly: leaders-strategic processes
2. Committees: Auditing, human resources, IT …
3. Dissemination, application, evaluation

POINTS TO EVALUATE – CONTROL ENVIRONMENT (2 of 2)

ORGANIZATION AND PROCESSES

1. Map of processes, organizational chart, authority, powers and responsibility
2. Processes, activities, indicators, reports
3. Dissemination, application, evaluation

HUMAN RESOURCES

1. Systems and sub-systems: planning, recruitment, classification and valuing, evaluation, training…
2. Manuals, instructions…
3. Dissemination, application, evaluation

ACCOUNTABILITY

1. Systems and tools
2. Do not confuse work reports with accountability (RdC)
3. Dissemination, application, evaluation

QUESTION 3

HOW WOULD YOU RATE THE COMMITMENT OF THE HIGHEST AUTHORITY OF YOUR INSTITUTION TO STRENGTHENING INTERNAL CONTROL?

1. VERY COMMITTED
2. SOMEWHAT COMMITTED
3. NO COMMITMENT

POINTS TO EVALUATE – INFORMATION AND COMMUNICATION

INTEGRATED INFORMATION SYSTEM

1. IT strategic plan
2. Integration of processes and information
3. Suppliers and users
4. Tools: COBIT-ITIL…

INTERNAL COMMUNICATION

1. Intranet
2. Security policies, privileges, protocols
3. Accessibility, updating
4. Evaluation, impacts

EXTERNAL COMMUNICATION

1. Laws and standards of transparency
2. Utilization of the web portal
3. Social control
4. Evaluation, impacts

POINTS TO EVALUATE – SUPERVISION

CONTINUING SUPERVISION

1. Defined, congruent authority and responsibilities
2. Set and incorporated into processes
3. Evidence
4. Evaluations

INTERNAL AUDITING

1. Independence
2. NEW ROLE FOR THE INTERNAL AUDITOR
3. Resources
4. Audit committee
5. Reports and follow-up

EXTERNAL CONTROL

1. Coordination
2. Independence
3. Timeliness

QUESTION 4

WHAT DO YOU THINK THE ATTITUDE OF THE INTERNAL AUDITOR SHOULD BE TOWARD THE DESIGN AND IMPLEMENTATION OF INTERNAL CONTROL – IC?

1. RECOMMEND THE DESIGN AND IMPLEMENTATION OF IC
2. DISSEMINATE THE LEGAL AND CONCEPTUAL FRAMEWORK OF IC
3. PROMOTE (push) THE DESIGN, IMPLEMENTATION AND SELF-EVALUATION OF IC

PROCESS FOR RISK MANAGEMENT

SETTING OF GOALS
IDENTIFICATION OF EVENTS
EVALUATION OF RISKS
RESPONSE TO RISKS
CONTROL ACTIVITIES

POINTS OF CONTROL – SETTING GOALS

1. STRATEGIC, OPERATIONAL, INFORMATIONAL AND ENFORCEMENT GOALS
2. SPECIFIC GOALS AT EACH LEVEL
3. ALIGNMENT OF INSTITUTIONAL GOALS WITH NATIONAL GOALS, MISSION…
4. INDICATORS, REPORTS
5. DISSEMINATION
6. EVALUATION

POINTS OF CONTROL – IDENTIFICATION OF EVENTS

1. PARTICIPATION OF INTERNAL AND EXTERNAL EXPERTS
2. STATISTICAL OR QUALITATIVE INFORMATION
3. EXTERNAL EVENTS: Political, social, economic, environmental, technological
4. INTERNAL EVENTS: Human, financial, and technological resources; processes, infrastructure
5. INVENTORY OF EVENTS ASSOCIATED WITH GOALS

GOAL: INCREASE USER SATISFACTION BY 25%. EXTERNAL EVENTS

1. POLITICAL CONTROL
2. THREATS, BLACKMAIL, OFFERS
3. LACK OF CREDIBILITY
4. BAD PRACTICES ACCEPTED BY SOCIETY AND PROFESSIONS
5. OBSOLETE OR INSUFFICIENT LEGAL PROVISIONS
6. LACK OF ALLOCATION OF RESOURCES
7. LACK OF TRANSPARENCY OF THE SYSTEM
8. INSUFFICIENT USE OF TECHNOLOGY AND NEW PROVISIONS
9. NO COORDINATION AMONG LAW-ENFORCEMENT AGENCIES
10. GOVERNMENT AGENCIES AND INEFFICIENT CONTROL
11. SOCIETY WITHOUT TOOLS TO EXERCISE SOCIAL CONTROL
12. GENERAL RESISTANCE TO CHANGE
13. …

GOAL: INCREASE USER SATISFACTION BY 25%. INTERNAL EVENTS

1. DEFICIENT SYSTEM OF HUMAN RESOURCES
2. UNETHICAL BEHAVIOR OF PERSONNEL
3. LACK OF PROFESSIONAL COMPETENCE
4. LOW SALARIES
5. INADEQUATE ORGANIZATION
6. ABSENCE OF PROCESSES AND PROCEDURES WITH INDICATORS
7. LACK OF ADEQUATE, TIMELY SUPERVISION
8. NO SANCTIONS APPLIED OR RULES MAKE APPLICATION DIFFICULT
9. LACK OF INVESTIGATION PLANS
10. INVESTIGATION WITHOUT INTENSIVE USE OF TECHNOLOGY
11. NEW FORMS OF INVESTIGATION HAVE NOT BEEN INCORPORATED
12. INADEQUATE OR INSUFFICIENT RESOURCES AVAILABLE
13. …

POINTS OF CONTROL – EVALUATION OF RISKS

1. MEASURE PROBABILITY
2. MEASURE IMPACTS
3. PREPARE THE RISK MAP WITH THE PARTICIPATION OF THOSE DIRECTLY INVOLVED
4. RISK MANAGEMENT MUST BE STARTED EVEN WITHOUT STATISTICAL INFORMATION

RISK MAP

[Figure: risk map. Vertical axis: Impact (Low, Medium, High). Horizontal axis: Probability (Low, Medium, High). Regions: "Within acceptable risk" and "Excess of acceptable risk". Label: EXPLANATION.]

“THE APPROACH THAT WE HAVE TAKEN IN FINANCIAL AND BUSINESS RISK IS TO TRY TO QUANTIFY WHAT WE CAN AND NOT NECESSARILY WORRY ABOUT EVERYTHING THAT WE CANNOT CAPTURE IN OUR MEASUREMENTS”

DIRECTOR OF CORPORATE FINANCES, MICROSOFT CORP., 2006

POINTS OF EVALUATION – RESPONSE TO RISKS

1. ACCEPT

2. PREVENT

3. SHARE

4. REDUCE

5. LEAVE EVIDENCE OF COMMITMENTS

POINTS TO EVALUATE – CONTROL ACTIVITIES

1. ACTIONS TO MITIGATE RISKS

2. REDUCE MISTAKES OR IRREGULARITIES

3. RAISE THE POSSIBILITY OF MEETING GOALS

4. POINTS OF INTERNAL CONTROL, NOT ONLY FINANCIAL AND ADMINISTRATIVE, BUT RATHER MISSION OPERATIONS

5. POINTS OF SOCIAL CONTROL

6. INSPECTIONS, VERIFICATIONS, CONCILIATIONS, CONFIRMATIONS, SUPERVISION, INFORMATION, ACCOUNTABILITY, SEPARATION OF FUNCTIONS, ELECTRONIC AND MANUAL CONTROLS…

CONTROL ACTIVITIES

1. CODE OF ETHICS FULLY APPLIED – EXAMPLE OF AUTHORITIES
2. ETHICS COMMITTEE AT WORK TO HANDLE COMPLAINTS
3. FACILITATE THE RESPONSIBLE SUBMISSION OF COMPLAINTS
4. TRANSPARENT SYSTEM OF HUMAN RESOURCE MANAGEMENT
5. ORGANIZATION BY PROCESSES
6. COMPLETE MANUAL OF PROCESSES AND PROCEDURES
7. INTEGRATED SYSTEM OF INVESTIGATION AND ACCUSATION
8. USE OF TECHNOLOGY IN THE PRE-PROCESS AND PROCESS STAGES
9. OBJECTIVE, PERMANENT SUPERVISION
10. USE OF INDICATORS AND INFORMATION SYSTEMS
11. OBJECTIVE EVALUATIONS AND PROFESSIONAL CAREERS
12. GOVERNMENT POLICY TO PROVIDE RESOURCES**
13. MODERNIZE THE RULES **
14. …

MATRIX FOR THE RISK MANAGEMENT PROCESS

• GOAL: Have recommendations met by 95%
• ACCEPTABLE RISK: 95%; RISK TOLERANCE: 5%

EVALUATION SCALE (PROBABILITY AND IMPACT): H = High 3; M = Medium 2; L = Low 1
RESPONSE: P = Prevent; A = Accept; R = Reduce; S = Share

EVENT: Lack of support from top leadership
EVALUATION: PROBABILITY 3 (H); IMPACT 3 (H)
RESPONSE TO RISKS: R
CONTROLS: Create an Audit Committee; Approval of the PAR by the Board; Establish sanctions for failure to comply

EVENT: The report does not reach workers
EVALUATION: PROBABILITY 3 (H); IMPACT 3 (H)
RESPONSE TO RISKS: R
CONTROLS: Include political and operational responsible people; Put report on the Intranet-WEB

EVENT: Inadequate promotion and motivation
EVALUATION: PROBABILITY 3 (H); IMPACT 3 (H)
RESPONSE TO RISKS: R
CONTROLS: Involvement of audited entities in formulating recommendations; Use of the corrective Action Plan Follow-up

QUESTION 5

DO YOU BELIEVE THAT YOU CAN PROMOTE STRENGTHENING OF THE INTERNAL CONTROL OF YOUR ENTITY?

1. YES
2. NOT VERY LIKELY
3. NO

Model for the design and self-evaluation of a System of Internal Control based on Risk Management

See Example

NO ONE LIKES CONTROL, BUT IF ITS POSITIVE EFFECTS ARE PROVEN, PEOPLE CAN TOLERATE IT AND SUPPORT ITS APPLICATION

Thanks very much for your attention!