3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Activities:
- Codes of conduct
- Attitudes and responses to deviations from expected behaviour
- Consistent at all management levels
- Attention to partners that perform outsourced activities
- Role for internal audit to give insight into the control environment (CE)
- Define a set of indicators, e.g. breaches of confidentiality, and define measures
- Clear organizational structure
- Limitation of authority

Risk assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Activities:
- Defines risk tolerance and risk appetite
- Relation between objectives and risk
- Fraud triangle
- Changes in processes, changes in leadership

Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Activities:
- Inherent risk minus controls = residual risk
- Segregation of duties
- IT controls

Information and communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Activities:
- Define information requirements
- Consider costs and benefits
- Communicate internal control with personnel and other parties
- Communicate to shareholders and other stakeholders
- Enable inbound communication
- Communication regarding whistleblowing

Monitoring
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Activities:
- Attention to internal auditing
- Consider the rate of change in the business
- Communicate deficiencies internally to the top

Limitations of internal control
- Events outside management control (disasters)
- Judgment errors
- Breakdown of internal controls, mistakes
- Management override

Roles and responsibilities: link to corporate governance
- Audit committee
- Compensation / remuneration committee
- CEO and CFO
- Risk management and compliance function
- Internal and external auditors

New elements
- Reporting: financial and non-financial
- Attention to the dependence on technology
- Specific attention to fraud risk: fraud triangle (opportunity, attitude, rationalization) and reporting of fraud and theft
- Attention to outsourcing risks
- Commitment to competence: attract, develop and retain competent staff
- Accountability: deviations, incentives, pressures
- From risk appetite to risk tolerance
- Internal controls: attention to general controls, IT controls, specify dependency on controls
- Quality aspects of information: sufficient, timely, current, correct (accurate and complete), accessible, protected, verifiable, retained

The 3 lines of defence model
Limitations of the model:
- Preconditions, such as strategy, structure
- Human judgments
- Breakdowns
- Management override
- Collusion

The 4 lines of defence:
4. External audit / external authorities
3. Internal audit
2. Staff (risk management, compliance)
1. Line management
Benefits updated