Audit, Audit Committee and Risk Management

Audit, Audit Committee & Risk Management - Manoj Agarwal at Institute of Company Secretaries of India

Upload: manoj-agarwal

Post on 13-Nov-2014


DESCRIPTION

Risk Management, Audit Committee, Clause 49

TRANSCRIPT

Page 1

Audit, Audit Committee & Risk Management- Manoj Agarwal at Institute of Company Secretaries of India

Page 2

5-Mar-2011 © ANB Consulting CO. Pvt. Ltd.

Agenda

• What is Risk
• Risk Management
• Classification of Risks
• What is Audit
• Audit Committee Role
• Expectation from Risk Management

Page 3

What is Risk?

Risk, in traditional terms, is viewed as a ‘negative’.

The Chinese give a much better description of risk:

• The first is the symbol for “danger”, while

• the second is the symbol for “opportunity”, making risk a mix of danger and opportunity.

“Risk- let’s get this straight up front – is good. The point of Risk management is not to eliminate it; that would eliminate reward. The point is to manage it – that is, choose to place bets, where to hedge bets, and where to avoid betting together.” - Thomas A. Stewart

Page 4

Risk & Risk Management

In economic terms, profit is the reward for entrepreneurship or “Risk Taking”.

As lay investors, our investment planning is based on risk perception – bank deposits, life insurance, debentures and GoI bonds, Mutual Funds, Shares, Private Equity…

Risk management is an attempt to identify, measure and monitor risks – so as to manage uncertainty.

Page 5

Risk Management

1. Understand the nature and extent of risks facing the company

2. Understand the extent and categories of risks which it regards as acceptable for a company to bear

3. Understand the likelihood of risks concerned materializing

4. Company’s ability to reduce the incidence and impact on business of risks that do materialize

5. Costs of operating particular controls relative to benefits

Page 6

Classification of Risks

Strategic

• A strategic risk is a risk that a company is exposed to when pursuing its business objectives, or a likely loss arising from a poor strategic business decision, e.g. too much dependence on one line of business, or a failed acquisition.

Operational

• Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, e.g. frauds in banking; risk of poor planning, e.g. funds constraint.

Compliance

• Risks a company is exposed to because of a breach of law / regulatory requirement, e.g. non-compliance in a foreign country due to ignorance.

Page 7

The Need for Risk Management

• Complex, ever changing macro environment

• Sustainable, profitable growth to meet stakeholder expectation

• Trend towards greater transparency & enhanced levels of corporate governance

Move from survival to competitive advantage

Page 8

Eight Components of COSO ERM Model

Page 9

Eight Components of COSO ERM Model

ERM Process

Objective Setting: Strategic Objectives – Related Objectives – Selected Objectives – Risk Appetite – Risk Tolerance

Event Identification: Events – Factors Influencing Strategy and Objectives – Methodologies and Techniques – Event Interdependencies – Event Categories – Risks and Opportunities

Risk Assessment: Inherent and Residual Risk – Likelihood and Impact – Methodologies and Techniques – Correlation

Risk Response: Identify Risk Responses – Evaluate Possible Risk Responses – Select Responses – Portfolio View

Information & Communication: Information – Strategic and Integrated Systems – Communication

Monitoring: Separate Evaluations – Ongoing Evaluations

Control Activities: Integration with Risk Response – Types of Control Activities – General Controls – Application Controls – Entity Specific

Page 10

Top 10 Risks – EY 2010 Business Risk Report

Rank  Risk
1     Regulation and compliance
2     Access to credit
3     Slow recovery or double-dip recession
4     Managing talent
5     Emerging markets
6     Cost cutting
7     Non-traditional entrants
8     Radical greening
9     Social acceptance risk and corporate social responsibility
10    Executing alliances and transactions

Page 11

Board Disclosures – Risk Management (Clause 49)

1. It shall put in place procedures to inform Board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework.

2. Management shall place a report certified by the compliance officer of the company, before the entire Board of Directors every quarter documenting the business risks faced by the company, measures to address and minimize such risks, and any limitations to the risk taking capacity of the corporation. This document shall be formally approved by the Board.

Page 12

What is Audit

The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, and energy conservation. (Source: Wikipedia)

Audits are performed to ascertain the validity and reliability of information; also to provide an assessment of a system's internal control. The goal of an audit is to express an opinion on the person / organization / system (etc.) in question, under evaluation based on work done on a test basis.

Page 13

Audit Committee

1. Company to constitute an audit committee with terms of reference

2. At least three members – two-thirds independent

3. Chairman to be independent – must attend every AGM to answer shareholder queries

4. All members financially literate & at least 1 member to be accounting or related financial management expert

5. May meet with or without executives – generally CFO & CEO are invited

6. Must meet at least 4 times a year - quorum = greater of 2 members or 2/3rd and at least 2 independent

Page 14

Audit Committee’s role – Clause 49

1. Oversee financial reporting process

2. Recommend to the Board the hiring and firing of statutory auditors and confirming their remuneration

3. Review the adequacy of internal control system

4. Reviewing the adequacy of structures, staffing and examining the scope of internal audit department

5. Discussing significant findings and follow ups with internal auditors

6. Review of financial and risk management policies

7. To review working of whistle blower mechanisms

8. Other functions specified in terms of reference

Page 15

Review of information by Audit Committee

The Audit Committee shall mandatorily review the following information:

1. Financial statements and draft audit report, including quarterly / half-yearly financial information;

2. Management discussion and analysis of financial condition and results of operations;

3. Reports relating to compliance with laws and to risk management;

4. Management letters / letters of internal control weaknesses issued by statutory / internal auditors; and

5. Records of related party transactions

6. The appointment, removal and terms of remuneration of the Chief internal auditor shall be subject to review by the Audit Committee

Page 16

Expectation from Risk Management

• Avoidance of Surprises
• Effective evaluation of cost of control
• Protection of the Reputation
• Proper allocations of resources
• Higher probability of meeting targets
• More informed decision making
• Recognizing opportunities and focusing on areas for improvement

…Leading to competitive advantage


Page 18

Risk awareness…

CAN’T MANAGE WHAT YOU DON’T SEE!

Page 19

No Risk

No Gain!

Page 20

Thank You

Page 21

Management Discussion and Analysis report

This Management Discussion & Analysis should include discussion on the following matters within the limits set by the company’s competitive position:

1. Industry structure and developments.

2. Opportunities and Threats.

3. Segment-wise or product-wise performance.

4. Outlook.

5. Risks and concerns.

6. Internal control systems and their adequacy.

7. Discussion on financial performance with respect to operational performance.

8. Material developments in Human Resources / Industrial Relations front, including number of people employed.


Page 22

Training of Board Members

Company shall train its Board members in the business model of the company as well as the risk profile of the business parameters of the company, their responsibilities as directors, and the best ways to discharge them.

(Non Mandatory Requirement Clause 49)


Page 23

Audit Committee reporting

Area (Risk 1 - Risk 2 - Risk 3 …)   Inherent risk   Control risk   Overall risk
Area 1                              Med             High           Med - high
Area 2                              Low             Med            Med - low
Area 3                              High            Low            Med - high
Area 4                              High            High           High

Audit Committee Heat Map

• Provide internal audit view of risks
• Provide underlying basis of ratings
• Ratings drive the frequency of audits

Explained above is a generic model – sophisticated scoring techniques could be used to arrive at ratings