COSO AND INTERNAL AUDIT - European Commission


COSO AND INTERNAL AUDIT
HOW CAN THEY CONTRIBUTE TO INSIGHT?
IAS Conference, November 27th, 2019

FOCUS OF PRESENTATION
IAS Conference 2019, Günther Meggeneder/ista, COSO & Internal Audit

- Changing risk landscape
- Changing demand of stakeholders
- Integrate COSO principles into business practices
- Apply COSO and Internal Audit principles
- How to achieve Internal Audit's mission

3 GROUPS OF RISKS ARE EVOLVING

Natural:
- Extreme weather events
- Natural disasters
- Failure of climate-change mitigation and adaptation

Digital:
- Cybersecurity
- Data protection
- Identity theft

Geopolitical:
- Weapons of mass destruction
- Embargo
- Trade war

DEMAND (OR NEED) OF STAKEHOLDERS

Boards' overconfidence: Boards view the organization's capability to manage risks higher than management does.

- Make misalignment transparent: Internal Audit needs to set the right expectations, with no horror scenario, but also no trivialisation.
- Implement/enhance a systematic ERM approach: Internal Audit needs to evaluate Risk Management procedures and help to improve and professionalise them (e.g. using COSO ERM as a possible approach).
- Focus on current and future risks: Internal Audit needs to look into current developments, listen to the business, but also look outside the company/industry.

Source: https://www.theiia.org/OnRisk

THE COSO ERM FRAMEWORK: INTEGRATING WITH STRATEGY & PERFORMANCE 2017

High-level risks in the context of the strategy:
- Possibility of misalignment between strategy and Mission, Vision & Core Values
- Implications from the strategy chosen

Source: COSO ERM – Integrating with Strategy and Performance 2017

COSO ERM FRAMEWORK 2017: RISK MANAGEMENT COMPONENTS & UNDERLYING PRINCIPLES

[Figure: the framework's components and their underlying principles]

Source: COSO ERM – Integrating with Strategy and Performance 2017

INTEGRATE COSO PRINCIPLES INTO BUSINESS PRACTICES

- The ERM framework does not replace the 2013 Internal Control – Integrated Framework
- The two frameworks are distinct and complementary
- Both use a components and principles structure
- Aspects of internal control common to enterprise risk management are not repeated
- Some aspects of internal control are developed further in the ERM framework

COSO INTERNAL CONTROL PRINCIPLES

Control Environment:
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment:
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities:
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication:
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities:
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies


HOW TO ACHIEVE OUR MISSION

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

- It's important but not enough to meet Standards!
- Use research and educational material to know more!
- Take COSO and IIA material as reference for your Charter, Manual and procedures!
- Align your audit risk assessment to the organization's risk assessment!
- Understand which business objectives may be influenced by your audit work!
- Look beyond to see future challenges and incorporate them into your audit plans and projects!

THANK YOU

Günther Meggeneder
Head of Internal Audit and Compliance
ista international
Luxemburger Straße 1
DE - 45131 Essen
www.ista.com

APPLYING ENTERPRISE RISK MANAGEMENT TO ENVIRONMENTAL, SOCIAL AND GOVERNANCE-RELATED RISKS

POTENTIAL UPDATES TO EXISTING GUIDANCE

- COSO in the Cyber Age (Q4 2019)
- Practical Approaches to Creating and Protecting Organizational Value (Q4 2019)
- Understanding and Communicating Risk Appetite (Q4 2019)
- Monitoring Guidance (TBD 2020)
- ERM for Cloud Computing (TBD 2020)

POTENTIAL NEW GUIDANCE

- Using COSO ERM to Manage Compliance Risks (Q1 2020)
- Blockchain and its Impact on Internal Controls (Q1 2020)
- ERM in an Agile Environment (Q1 2020)
- Assessment Tools for Risk (Q2 2020)
- Psychology and Sociology of Fraud (TBD)
- Robotic Process Automation and Artificial Intelligence (TBD – no known authors at this time)

