How Can Organizations Assess and Manage Risks?
Interview conducted by Juanita Inton
Russell Harder is a Manager in the Audit and Enterprise Risk Services practice at Deloitte & Touche LLP. The following is an excerpt from a recent interview that discusses risks and risk analysis.
LAMAAA Can you tell us the scope of your job functions, the number of professionals working with you, and how long you have been working for Deloitte & Touche LLP?
RH I am a Manager in the Audit and Enterprise Risk Services practice at Deloitte & Touche LLP. The Enterprise Risk Services component of our group in the Pacific Southwest consists of approximately 280 professionals. I have been with Deloitte & Touche LLP for 30 years.
LAMAAA With regard to Audit and Risk Services, can you define what risk is and what the significance of risk is in the audit process?
RH Risk is the impact of, and the likelihood that, threats can adversely affect an organization’s ability to achieve business strategies and objectives. There are various types of risk: Business Risk, Financial Risk, Operational Risk, Reporting Risk, Process Risk, Strategic Risk, Litigious Risk, and Environmental Risk.
In the audit process, risk is used to evaluate which areas the audit should focus on. Properly addressing the risks of a business can help us to better tailor an audit to each business.
LAMAAA What kinds of models and standard components, if any, do you find essential in developing a qualitative risk analysis?
RH All entities face risks from both internal and external sources. The COSO (Committee of Sponsoring Organizations) framework is typically used when developing a qualitative risk analysis. Risk assessment is one of the five components of internal control and the second level of the COSO pyramid depicting the structure of internal control. Appropriately identifying and managing risks will help an entity achieve its objectives.
LAMAAA In light of increased risk factors, what are some best practices associated with identifying and measuring risks? What is an example (or consequence) of failing to do so?
RH A precondition of risk assessment is establishing objectives because a risk is any condition that stands in the way of reaching the objectives of the entity. Without knowing the objective, it is impossible to know what risks might prevent the entity from reaching its goals.
The risks must be linked and consistent among the different levels and functions of the entity. For example, marketing will likely not be able to pursue an objective of marketing new and innovative products if the financial plan calls for a drastic reduction in research and development.
LAMAAA How would you determine the probability of the occurrence of loss?
RH When determining the probability of the occurrence of loss, the industry norms can be used to evaluate which risks are typically higher in that industry along with the control environment of that business. For example, in the banking industry, physical safeguards that protect valuables against robberies are evaluated with a higher probability of occurrence than the likelihood of a robbery in the healthcare industry.
The control environment refers to the organization’s history and culture that provides the foundation for the other components of an entity’s internal control system. The culture rests on the integrity, ethical values, and competence of the entity’s people and on the environment in which they carry out their responsibilities.
LAMAAA Based on best practices or effective approaches, what internal controls and preventive measures are intended by organizations (government and private) to prevent fraud, waste and abuse before it occurs?
RH Preventive internal controls include a range of control activities such as approvals, authorizations, certifications, reconciliations, reviews of operating performance, and physical and electronic security of assets. They also include the segregation of duties in the form of manual controls and computer (programmed) controls.
The effectiveness of the internal controls is not based entirely on an organization’s control activities, but should be holistically based on the internal control structure. The organization’s control environment, information and communication, and risk assessment infrastructure all help serve as deterrents and preventive internal controls against fraud, waste and abuse.
LAMAAA Organizations seek reasonable, cost-effective recommendations and conduct risk assessments in place of risk-based auditing. What is Risk-Based Auditing and how is it performed?
RH To initiate a risk-based audit, risk assessments are performed to identify areas of inherent and control risks. The risk assessments determine the appropriate level of protection corresponding to a given level of risk.
LAMAAA Thank you very much for your time and discussing your views. Your participation is just one indication of the global interest and challenges management, auditors, accountants and standard setters face in managing risk. We recognize it’s not that risks are to be avoided but the greater difference lies in managing risks appropriately.