Governance, Risk Management, and Internal Control are mentioned in the definition of Internal audit. How should we understand these activities?
These activities are not completely independent; they are closely interrelated and all aim towards the same ultimate objective: providing reasonable assurance that the enterprise's objectives will be accomplished. The quality (performance) of one activity affects the quality of the other activities, and vice versa:
- Well-performing Governance creates favorable conditions and an environment for the risk management and internal control activities.
- Well-implemented Risk Management helps Governance become more effective, and helps Internal Control be implemented in the right direction and allocate resources more appropriately.
Let's explore each in detail below:
Governance is the combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
Governance activities include:
- Identifying the core elements of the enterprise, such as its Mission, Objectives, Risk appetite, Business Model, Oriented Values, and Behavior Principles towards stakeholders (including shareholders, employees, authorities, law, partners, customers, suppliers, the public, and the community).
- Building organizational structures (including the authorities, functions, and benefits of each management position) and appropriate governance policies and procedures that help fulfill the Mission and Objectives within the boundaries of the risk appetite, oriented values and behavior principles. Selecting adequate and appropriate personnel.
- Monitoring the operation of the organizational structures and the governance policies and procedures to ensure that any deviation from the intended direction is promptly detected and corrected.
- Supervising the building and maintenance of the enterprise culture to ensure that it is consistent with the core elements of the enterprise and its stage of development.
- Building the enterprise strategy and strategic plans; supervising the strategic implementation by the related departments and making adjustments when necessary.
- Monitoring the achievement of the enterprise's objectives each year.
- Monitoring the risk management and internal control processes.
- Cooperating with independent evaluating parties such as internal audit, independent audit, etc. in support of the monitoring function.
The specific authorities and functions of each management position related to governance activities in the organizational structure of an enterprise (such as the general meeting of shareholders, controlling board, board of directors, audit committee, etc.) can be found in the Enterprise Law.
Risk Management is a process to identify, assess, manage, and respond to risks (the possibility of an unwanted event) in order to provide reasonable assurance for the achievement of the enterprise's objectives.
The steps of risk management are:
Step 1: Identification of context
A precondition to risk identification is identifying the relevant contexts, for example:
- Laws and regulations
- Market risk (e.g., interest rates, foreign exchange rates, prices, market share, etc.)
- Business processes
- Units / divisions, etc.
Step 2: Risk identification
Risks should be identified relative to each identified context. The following methods can help identify risks:
- Reviewing the list of events that may occur in the considered context; risks can be detected from these events.
- Questionnaires and surveys of the people involved; their responses can provide relevant information.
- Considering all signs/indicators that may suggest potential events.
- Analyzing the related process to find the gaps (what could go wrong?).
- Analyzing past losses/damages to predict future ones.
- Analyzing strengths, weaknesses, opportunities and challenges.
- Analyzing hypothetical situations, etc.
Step 3: Risk assessment and prioritization
Risk assessment should combine two factors: (1) impact level and (2) likelihood. Depending on the situation, either a qualitative approach (a risk matrix/heat map in which each axis is one factor divided into levels) or a quantitative approach (scoring each factor and applying a weight to it) can be used. The combined assessment result is used to analyze and prioritize risks when allocating limited resources (time, people, cost) to deal with them.
Risk assessment is only relative: it depends heavily on the subjective judgment of the assessors (based on their knowledge and relevant experience).
Step 4: Risk response
After identifying and prioritizing the material risks, the enterprise should choose among the following risk responses the one most suitable to its "risk appetite" and resources:
- Avoidance: the enterprise ends the activity/department from which the risk arises. For example, if the exchange rate risk incurred by an activity is too high, the enterprise may choose to sell that activity to eliminate the risk.
- Retention: the enterprise accepts the risk and invests no resources in any further action, because it judges this to be the optimal option.
- Reduction: the enterprise invests resources to implement related control procedures that reduce the risk to an acceptable level.
- Sharing: the enterprise transfers the potential loss to another party through actions such as purchasing an insurance contract, entering into a hedging contract, outsourcing the activity, entering into joint ventures, etc.
The selected risk response is assigned to the relevant departments for implementation.
The choice of risk response depends on factors such as (1) risk appetite, (2) feasibility of each option under the specific conditions, (3) implementation cost (which must be lower than the value to be realized), and (4) objectives and development strategy.
Step 5: Risk monitoring
At this step, the following procedures need to be performed:
- Continuing to monitor the identified risks to detect any changes.
- Evaluating the current risk response plans for material risks and assessing the residual risk remaining after the responses have been implemented: is it at an acceptably low level? Is it consistent with the enterprise's risk appetite?
- Continuing to review and evaluate new risks.
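As an added example (not part of the original article), the following Python sketch carries a constructed risk register through steps 3 to 5 above: qualitative heat-map banding and a weighted quantitative score for prioritization, the residual exposure left after the chosen response, and a monitoring check against a risk appetite threshold. The scales, weights, bands, sample risks and the appetite value are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    context: str                # step 1 context: law, market, process, unit ...
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    response: str = "retain"    # step 4: avoid | retain | reduce | share
    effectiveness: float = 0.0  # fraction of the exposure the response removes (0..1)

def qualitative_band(likelihood: int, impact: int) -> str:
    """Step 3, qualitative: cell of a 5x5 heat map (constructed banding on the product)."""
    product = likelihood * impact  # 1..25
    for limit, band in ((4, "Low"), (9, "Medium"), (15, "High")):
        if product <= limit:
            return band
    return "Critical"

def quantitative_score(likelihood: int, impact: int) -> float:
    """Step 3, quantitative: weighted score on a 1..5 scale (constructed weights: impact 0.6, likelihood 0.4)."""
    return round(0.4 * likelihood + 0.6 * impact, 2)

def residual_score(risk: Risk) -> float:
    """Step 4: exposure left after the chosen response is applied."""
    inherent = quantitative_score(risk.likelihood, risk.impact)
    if risk.response == "avoid":
        return 0.0                 # activity ended, risk eliminated
    if risk.response == "retain":
        return inherent            # accepted as is, no resources spent
    if risk.response in ("reduce", "share"):
        # controls, or insurance/hedging/outsourcing, remove part of the exposure
        return round(inherent * (1 - risk.effectiveness), 2)
    raise ValueError(f"unknown response: {risk.response}")

def prioritize(register: list[Risk]) -> list[Risk]:
    """Step 3: rank risks for resource allocation, highest inherent score first."""
    return sorted(register, key=lambda r: quantitative_score(r.likelihood, r.impact), reverse=True)

def monitor(register: list[Risk], appetite: float) -> list[str]:
    """Step 5: names of risks whose residual score still exceeds the risk appetite."""
    return [r.name for r in register if residual_score(r) > appetite]

REGISTER = [  # constructed sample register, i.e. the output of step 2
    Risk("FX loss on EUR receivables", "market", 4, 4, "share", 0.7),                 # hedging contract
    Risk("Unusual access to the accounting system", "process", 3, 5, "reduce", 0.6),  # strong passwords, access alerts
    Risk("Stationery overspend", "unit", 5, 1, "retain"),
    Risk("Fine under newly adopted regulation", "law", 2, 5, "reduce", 0.5),
]
RISK_APPETITE = 2.5  # constructed: maximum acceptable residual score on the 1..5 scale
```

Running `monitor(REGISTER, RISK_APPETITE)` flags the retained stationery risk (inherent 2.6) as still above appetite, the kind of finding step 5 exists to surface.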
Authorities and Responsibilities of management positions related to risk management:
- The Board (Board of Directors or Board of Members): approving the risk management policies and procedures; monitoring and evaluating to ensure that these documents are in place and effective; making adjustments and intervening when noticing any signs of deviation. These responsibilities can be delegated to a Risk Committee (subordinate to the Board).
- Management (Executive Directors): responsible for organizing and implementing all risk management activities in accordance with the issued policies and procedures.
- Internal Audit: responsible for giving independent and objective assurance and consulting on this activity to help it achieve the set objectives.
Internal Control comprises five components: (1) Control environment; (2) Risk assessment; (3) Control activities; (4) Information and communication; (5) Monitoring.
Control environment: the attitude and actions of the Board and management regarding the importance of control within the organization. The control environment provides the discipline and structure for achieving the primary objectives of the system of internal control. It includes the following elements:
- Integrity and ethical values: How does the company demonstrate its commitment to these ethical values through its documents, corporate communication, and the attitude and actions of the Board and management?
- Management's philosophy and operating style: Do the Board and management have a philosophy and operating style consistent with the enterprise's ethical values? Is it consistent and exemplary for the staff?
- Organizational structure: Is it consistent with the model and nature of the enterprise? An inappropriate organizational structure reduces the effectiveness of control procedures.
- Assignment of authority and responsibility: Is the assignment of authority and responsibility for each position related to internal control regulated sufficiently, coherently, and appropriately?
- Human resource policies and practices: Are compliant actions recognized, encouraged and appreciated? Are there appropriate sanctions for noncompliance?
- Competence of personnel: An environment with many qualified and suitable personnel positively influences the others around them.
Control: any action taken by management, the Board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
Control processes ensure that risks are contained within the level an organization is willing to accept; they include the following steps:
- Establishing standards for the operation to be controlled
- Measuring performance against the standards
- Examining and analyzing deviations
- Taking corrective actions
- Reappraising the standards based on experience
Controls can be categorized as follows:
- Preventive control: deters the occurrence of unwanted events. For example: keeping cash in a locked safe; requiring a sufficiently strong password to log in to the system; requiring a transaction whose value exceeds a certain threshold to be approved by a higher level, etc.
- Detective control: alerts the proper people after an unwanted event. Detective controls are effective when detection occurs before material harm occurs. For example: counting the cash in the safe and comparing it with the value in the accounting books; the system automatically sending an alert to the relevant person when there are signs of unusual access to the system, etc.
- Corrective control: eliminates the negative effects of unexpected events so that the overall impact does not exceed the permitted threshold. For example: if costs have exceeded a certain threshold, subsequent transactions must be reviewed and adjusted so that the total cost does not exceed the allowed budget.
- Directive control: helps the relevant people improve their awareness and skills, thereby reducing the likelihood of unexpected behaviors/events. For example: issuing a detailed user manual, effective internal training courses, detailed job descriptions, etc.
In addition to the above classification, depending on the particular situation, control procedures can also be classified as follows:
- Primary/secondary control: "primary" means procedures that can stand alone to ensure the set goals by themselves; "secondary" means procedures that can only act as a supplement/support to a primary procedure.
- Manual/automated control: "manual" means performed by humans through human senses and judgment, so quality can vary with factors that affect people, such as mood, health, pressure, psychology, time, personality, risk, etc. "Automated" means the machine performs as programmed, so it is not affected by "human" factors; however, it also has disadvantages, such as rigidity and lack of flexibility when needed, errors that, if they arise, have a broad systemic effect, and the possibility of unauthorized interference (being hacked).
- Control per transaction/group of transactions: some procedures are performed for each transaction, while others must be performed over groups of many transactions because the process only makes it possible to perform them for a group (e.g., grouping transactions by day/week/month).
- General controls of information systems (General IT Controls) / controls specific to each application (Application Controls).
What is the relationship between Risk and Control?
- A risk, depending on the specific situation and the influence of many related factors, may pass through many controls before being reduced to a level acceptable to the enterprise.
- A control can be effective against many different risks. A control should ensure that the cost of its implementation is lower than the potential loss from the risk; if the implementation cost exceeds the potential loss, the control is not only meaningless but also interferes with the operation of the enterprise.
Authorities and Responsibilities of management positions related to internal control:
- The Board (Board of Management/Board of Members): overall monitoring and evaluation of internal control activities.
- Management: responsible for organizing, guiding and implementing internal control activities in each department of the enterprise, ensuring that risks (according to the assessment of risk and control activities) are controlled within acceptable levels.
- Internal Audit: responsible for giving an independent and objective opinion and consulting on this activity to help it achieve the set objectives.