The institution can respond to risk through various mechanisms such as avoidance, transfer, acceptance and management of the risk. When the institution elects to manage the risk, it will require control activities to keep the risk within tolerable levels.
Control activities will produce detailed action plans for managing all material risks.
The risk assessment will have produced management's perspective of the effectiveness of the existing controls. This informs management of the additional control interventions required to bring the risk exposures down to an acceptable level. Management will be able to consider the best control options from various alternative control types:
· These ensure that the institution's structure and systems support its policies, plans and objectives and operate within laws and regulations;
· These ensure that policies and objectives are delivered in an efficient and effective manner and that losses are minimised;
· These ensure that resources allocated are accounted for fully and transparently and are properly documented;
· Information Technology controls: these controls relate to IT systems and include access control, controls over system software programmes, business continuity controls and other controls.
Each control type above can be classified as either:
· These controls are designed to discourage errors or irregularities from occurring, e.g. adequate physical security of assets to prevent losses such as theft or damage. If properly enforced, these controls are usually the most effective type of controls;
· These controls are designed to find errors or irregularities after they have occurred, e.g. performance of reconciliation procedures to identify errors;
· These controls usually operate together with detective controls in order to correct identified errors or irregularities.
3.1 Considerations for improving controls
The following questions could provide useful information for a high level understanding of the underlying issues and the control improvements required:
· What is the risk assessment telling us about the effectiveness of the current controls (What needs to be enhanced)?
· What are the various options available for addressing the residual risk?
· What amount and quality of information do we have about the risk (what additional information is required to fully understand and respond to this risk)?
· How much is the additional control going to cost and how does this compare with the benefits to be derived from the additional control?
· Is there a necessity for introducing new policies and procedures, or updating the existing policies and procedures?
· How will we measure whether the new control measures are working or not?
· What is the action plan for addressing the control gaps?
· Who is the responsible person?
· What project plans should we put in place?
3.2 Assurance on control activities
Up to this point, the assessment of control adequacy and effectiveness has been based exclusively on management's perception. The inherent danger in this is that "optimism bias" could prevail, that is to say, management is more optimistic about the control environment than it really should be.
An examination of the control activities performed by an independent party has the advantage of eliminating "optimism bias" and revealing a more realistic perspective of the control activities.
Independent assurance can be provided by internal audit, a corporate function, independent consultants or the Auditor-General.
The reports provided by these assurance providers should be utilised to update the assessments reflected in the risk register and should form the basis for developing the additional control enhancements that are required.