Example of an Opinion on Governance, Risk Management, and Internal Control

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.

 

I have been asked to provide an example of the type of formal report I would provide the audit committee, sharing my overall assessment of the adequacy of governance, risk management, and related internal control processes.

I started providing formal overall assessments about 20 years ago (when I led the internal audit department at Tosco Corporation). But that was limited to whether internal controls provided reasonable assurance that risks were managed effectively. You can see a copy of one of my reports from that era here.

If I were to provide a report based on the same set of facts today, it would be somewhat different. Why? Because my thinking has moved on and I would add content related to governance and risk management processes. I would also provide an opinion at the overall corporate level.

The report might be something like this, for the fictional TBD company:

 

YEAR-END 2997

CONFIDENTIAL REPORT

BY GENERAL AUDITOR

Prepared at the direction of the General Counsel

ATTORNEY-CLIENT PRIVILEGED 

Purpose

Each year, Internal Audit completes an increasingly large number of audits in the areas considered to present the greatest risk to the company. The volume of individual opinions is such that it is difficult to see the big picture and assess the overall adequacy of governance, risk management, and controls. Furthermore, Audit does not formally review every area every year.

This report presents an overall, confidential assessment of the systems of governance, risk management, and internal control, including a comparison with the prior year where applicable.  It provides our opinion whether these systems provide reasonable assurance that the more significant risks to the company are at acceptable levels. It is based upon:

  • The results of internal audits completed during the year, including our assessment of the framework and processes for the management of risk.
  • The results of the board’s self-assessment process, performed in coordination with Internal Audit.
  • The results of the board’s assessment of the performance of the external auditors, Coopers & Lybrand, performed with the assistance of Internal Audit.
  • Any controls deficiencies reported by Coopers & Lybrand or other third party auditors or examiners.
  • Prior audit results, and corrective actions taken and reported by management.
  • The results of special and other projects performed by the department, and
  • The personal observations of the Audit Department’s management team.

The company’s General Counsel has requested this information, in anticipation of potential litigation. The report has been reviewed with senior management, who will be available to provide their perspectives at the audit committee meeting. They did not express any significant disagreement with this report and its conclusions.

The assessment is first for the company as a whole, then by division and by category. Internal controls (as defined by the Committee of Sponsoring Organizations of the Treadway Commission) “are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations.”

 

Overall Assessment

While the company continues to address prior deficiencies with improvements in its information technology (IT) systems and operational processes, the level of risk exceeds acceptable criteria in the following areas. This merits the continued attention of the board and executive management.

Compliance and safety: The XYZ refinery, which represents a major portion of the company’s refining operations, continues to have significant weaknesses in its management of risks in these areas. This is discussed in more detail in the TBD Refining section.

Operational effectiveness: The company only tracks what it purchases for its ABC convenience store system, not what it sells. This, combined with the overall age and lack of functionality in the company’s IT systems and the higher number of employees (compared with our competitors), limits the ability of management to optimize efficiency and operating results.

Risk management: The company has a relatively immature and informal risk management program, reliant on the individual actions of managers rather than any coordinated and formal program. This provides neither an overall picture of risk across the business nor assurance that risks and opportunities will be given appropriate, timely consideration in the future. See our separate report on this risk area.

Information for decision-making: While the company now has a common system for all its refining and pipeline operations, the marketing business is separate and only integrated through spreadsheets. As a result, executive management may not have reliable information (other than at quarter-end) that provides insights into total company operations. Reliance is placed on spreadsheet models maintained by the Corporate Controller that include estimates of inventory levels and other key information. While this has been reasonably accurate in the past, there is a risk that future executive decisions may be based on outdated or inaccurate information.

With respect to financial and management reporting, and to operations at the other operating locations, risks are within acceptable criteria.

 

TBD Refining Company

As noted in the overall report, management’s processes provide reasonable assurance that the more significant risks are at acceptable levels with the exception of operations at the XYZ refinery.

We continue to be concerned with XYZ’s controls to ensure reliable operations; prior reports have questioned preventative and predictive maintenance and inspection practices. This directly impacts controls to ensure compliance with environmental and other regulations, as well as the effective use of resources (people as well as costs). In addition, we remain very concerned that XYZ’s turnaround planning and management practices are below standard, and that procurement activities are significantly less than desirable. These issues do not impact the adequacy of financial reporting on XYZ’s assets and results of operations.

 

TBD Marketing Company

Management’s processes provide reasonable assurance that the more significant risks are at acceptable levels with the exception of operational efficiency and effectiveness.

The major concern continues to be IT. The systems inherited as a result of the acquisition of ABC are by no means state of the art. One problem is that we don’t know what we sell in each store, just what we purchase. This makes it difficult to target our marketing efforts, which include stocking each store with the right quantity of the right goods, and maximizing the effective use of our advertising dollars. In addition, TMC has more people than optimal (based on benchmarks with our competitors and our own studies); that is necessary until we can implement more effective systems. Our audits have found that departments are reasonably efficient given the limitations of the systems.

Complicating this are three issues: (a) the process for managing change to our systems is not only fragmented but also does not provide adequate assurance that the changes necessary for effective business operations will be implemented with the required quality — especially important when the problems with program and data security are also considered; (b) the IT department has more staff who are average at best than we can afford, especially given the significant number of system conversions and migrations — let alone any new functionality that should be introduced; (c) the level of turnover within IT is much too high, and it is especially troublesome when good people leave.

While I have confidence in the leadership of IT, these are massive problems that will not be easily solved.

 

TBD Distribution Company

Management’s processes provide reasonable assurance that the more significant risks are at acceptable levels. However, management needs to address a number of issues at the terminals that have been acquired in the last year.

 

Commercial Activities

Commercial activities include the purchase and sale of physical inventory; the hedging of related prices through futures, options, and other derivatives; and a limited level of speculative trading. Overall, risks are managed within approved criteria, although there is significant reliance on close scrutiny of all activity and positions by the CEO, and serious control weaknesses were identified during our audits.

Financial reporting of derivative activities depends on the position reports, and the risk of their being materially in error is not significant. However, our recent audit found that key reconciliations (e.g., of broker statements) were not independently performed. This increases the risk to financial reporting and to compliance.

Commercial activities are inherently risky; controls cannot prevent a trader picking up the phone and committing the company to an inappropriate and/or costly transaction. Deterrent and detective controls are essential, but cannot compensate for the poor decision a trader may make. The new IT system (COMETS) is not yet in place, and there is no overall company position report for the Risk Management Committee to review (if they were ever to meet as a group, rather than essentially consist of the CEO’s personal and lone oversight). Even when COMETS is fully implemented, the system will not automatically check individual or total position limits. The lack of independence in the accounting and reconciliation of derivatives activity significantly increases the risk of fraud.

Posted on May 24, 2012 by Norman Marks


  1. Norman:

    Thanks for sharing this. My reading suggests this report would be appropriate in an environment where work units were not self-assessing risks, risk treatments and residual risk status. You have indicated clearly this is the case in your report when you report on risk management. This is an area I would like to see far more audit departments doing.

    I question however if the full significance of weak risk management is being fully conveyed in the report. If the organization had robust risk management processes the report would, in my opinion, be best positioned as audit's report on the quality and reliability of management's self-assessments not audit's subjective view of adequacy or effectiveness. As long as an audit department is content being a company's primary risk/risk treatment/control analysts/reporters, many management groups and boards are happy with that as the status quo.

    It would also seem appropriate given the rise of ISO 31000 and importance of risk management to transition away from the use of the word "control" and move to "risk treatments" and more discussion of audit's views on management's risk appetite. It isn't clear to me based on my quick reading how you/the audit department have decided that the areas you have focused on are outside of the company and board's risk appetite.

  1. Tim, you make some interesting points. Thank you for that.

    I would not change much if the company were self-assessing risks (I don't understand your residual risk distinction, because I only assess at that level) and controls ('control' is the correct term under ISO 31000 - 'treatment' is the process to modify risk, 'control' is the measure that modifies risk). I would only state whether management's assessment and mine were consistent.

    On your last point, the risk management process is informal so in that case I would use my judgment, with consultation with management, as to whether the level of risk was acceptable.

  1. Norman, thanks for sharing.

    I'd be nervous about providing this as an opinion, "With respect to financial and management reporting, and to operations at the other operating locations, risks are with[in] acceptable criteria." I'd suggest all you can really say is that based on the audit work conducted this year, the risks in the other areas reviewed are within tolerance. Your macro opinion could leave audit open to the implication that they own control effectiveness.

  1. @Mr. Norman, Thanks for sharing this format and it is an interesting one. However, you mentioned under overall assessment that “the level of risk exceeds acceptable criteria in the following areas. This merits the continued attention of the board and executive management”.

    Is it not appropriate to have continued attention of board and executive management at all times? If so, then the report could mention “special / focused / immediate attention” to the areas of concern (depending on the level of risk) and not attribute continued attention only in case of weakness. Kindly advise me if I am wrong.

    @Mr. Tim, As internal auditors, they (strive to) present an objective view of internal control adequacy and its effectiveness and not a subjective view as you mentioned. However, they may provide only reasonable assurance and not absolute assurance.

    Further, I agree with Norman on the view about controls and treatment.

    Regards


  1. I appreciate this is a mock-up, but I think there's a flaw in presenting an opinion of the type "risks are at acceptable/unacceptable levels" without also explaining how that opinion links to the adopted risk appetite.  Appetite and tolerances should be setting the targets, and auditors shouldn't give an opinion on the acceptability of risks which are based on personal prejudices but aren't tied back to definitive targets.  Linking the opinion to the appetite grounds the opinion, and reinforces the importance of the appetite - too often the risk appetite statement is disconnected from everything else.  Finally, there is a choice to be made when finding the appetite is at odds with the actual levels of risk: whether to try to change the actual level of risk, or whether to reconsider the appetite statement.  Though normally we shouldn't change targets just to suit performance, we have to be open-minded about the potential to work back from specific risk areas to a revision of the appetite statement; sometimes people will reason about risk more usefully when dealing with concrete examples instead of abstract principles.  Also, new and unanticipated risk factors - which may be first stated in a report like this - should force the need to review the appetite statement.  So whilst an opinion stated relative to the appetite leaves open the option to update the appetite, an opinion without such reference might encourage a more dogmatic, and contentious, role for IA, where IA is implying an opinion on what the appetite should be.  It would be best to avoid this by methodically presenting performance vs. targets - even in the case of risk performance and risk targets - at every stage in the process.

  1. Hi Sir, I just wanted to ask if system limitations could be classified as system error also? Particularly when the system limitation is a basic need of an ERP? Or when would you classify a system limitation apart from system errors? I would be glad to know your thoughts on this sir.
  1. Bern, I am not sure I would worry too much about terminology, what is included in "system limitations". I would focus on the risks to the achievement of corporate objectives. If there is no ERP, that might result in a lack of information - but it could be fine and appropriate to the business.

  1. I agree that the audit committee needs to be informed how the decision is made about acceptable risk levels. As suggested by IIA Standards, this should be based on the criteria established by the ERM system. If those do not exist, internal audit should use its judgement in consultation with management.
