RISK MANAGEMENT
In implementing their goals and objectives, organisations face risks that are increasing in number and complexity because of the dynamics of development and demand, both internal and external. This calls for comprehensive and integrated risk management, strengthened by internal control.
Risk management shall be implemented by reference to international best practice, organised in three (3) categories. First, risk management in the first line of defence, performed by the working units that carry out the business processes. Second, risk management in the second line of defence, performed by the working unit that holds the risk management function and is independent of the units carrying out business processes. Third, risk management in the third line of defence, performed by the working unit that carries out the internal audit function, to ensure that risk management activities are performed effectively.
With risk management in place across these three lines, it is expected that the organisation's duties, in particular decision making, will be carried out with due regard to prudence and the principles of good governance, and will deliver optimum results in terms of performance, finance and the credibility of policy.
Within this framework, internal audit plays an important role in quality assurance over the organisation's work processes as a whole. The scope of the internal audit function covers both audit and consultation, through opinions and recommendations on the processes of governance, risk management and control.
The organisation's internal audit function shall use the Risk Based Internal Audit methodology: the higher the risk of the audit target, the higher the frequency of internal audits. High-risk work processes shall be audited every year, whereas medium-risk and low-risk work processes shall be audited over a longer time span, namely once in 2 or 3 years.
Internal Controls – Thinking Inside the Box (COSO Cube)
As the financial year 2015-16 passes its midpoint, many companies are still coming to terms with the new ICFR (Internal Controls over Financial Reporting) requirements in the Indian context.
Anything new that comes up for implementation generally has some teething issues, simply because change management as a process creates friction; for any implementation to succeed, a well-defined and well-managed project plan is a must.
Business, seen through the lens of Internal Audit, starts with a vision (mostly emanating from ideas), which translates into a mission with a strategy defined to achieve it. The strategy in turn rolls down into objectives (Strategic, Operational, Financial, Compliance) for each business process. These processes are managed by people, duly supported by technology and resources, to ensure compliance with policies, laws and regulations while the strategy and mission are achieved.
Simply put: Vision & Mission --> Strategy --> Goals & Objectives --> Mapped to business processes --> which are managed by people --> For ensuring achievement of Goals & Objectives --> resulting in implementation of the strategy --> resulting in achievement of the mission.
The COSO framework is used globally, is time tested and takes a very rational approach to implementation. Where most companies struggle to implement internal controls properly is that they think of Internal Audit purely as a value-adding function or activity and almost demand an "out of the box" approach or thinking, and that is where some of those organizations completely miss the point. Internal Audit is not only about value creation but equally about value protection, and in today's scenario increasingly about risk management, which is why Risk Based Internal Audits have become the fad.
The need today is not to have a large number of controls but to have the right quality of controls, simply because every control you implement in the organization has a cost (in terms of the time and resources involved).
Most organizations would do well, while conducting their Enterprise Risk Management exercise, to define their goals and objectives (which should be enablers for implementing the strategy and achieving the objectives), to map each of those goals and objectives to the business processes, and to identify risk champions to ensure that the goals and objectives are met within their timelines, keeping in view the overall timeline for fully implementing the strategy.
Once this is done, the role of the internal audit function is enhanced qualitatively, and that is where the internal auditor will have to think constructively inside the box (the COSO cube), because all five parameters of the cube will be inextricably linked to the strategic, operational, financial and compliance objectives. That is where organizations begin to appreciate the right set of controls being implemented for their business.
Disclaimer: The views expressed in this post are personal views.
Statutory Requirement of Internal audit u/s 138
RISK CONTROL MATRIX