Broken Triangle

7/30/2019 Broken Triangle

1/16

The broken triangle?Improving the relationshipbetween internal audit,management, and the auditcommittee


2/162

This publication contains general in ormation only andDeloitte is not, by means o this publication, renderingaccounting, business, nancial, investment, legal, tax, orother pro essional advice or services. This publication is nota substitute or such pro essional advice or services, norshould it be used as a basis or any decision or action thatmay a ect your business. Be ore making any decision ortaking any action that may a ect your business, you shouldconsult a quali ed pro essional advisor.

Deloitte, its a liates, and related entities shall not beresponsible or any loss sustained by any person who relieson this publication.

Copyright 2010 Deloitte Development LLC. All rightsreserved.


3/16

The disconnect between internal audit, executivemanagement, and the audit committee is nothing new.The broken triangle has existed or decades at manyorganizations, with varying degrees o severity.

But dys unction that was deemed tolerable in the 80s,90s, and 00s is unacceptable today. The stakes bothpersonal and corporate have been ratcheted to a

new level. Regulators, analysts, stakeholders, and evenlitigators all have a keen interest in how well this corporatetrio, so essential to good governance and e ective riskmanagement, works together to protect and propel theorganization.

What are the symptoms o a broken triangle? Financialrestatements. Material weaknesses. Regulatorynoncompliance. Contentious or ine ectual boardmeetings. Voluntary and involuntary turnover. Missedearnings. Excessive litigation. Failed partnerships andalliances. Unmitigated risk. And so on. 1

I your organization exhibits any o these symptoms, you

have an obligation to seek a cure. A good place to startmay be to examine the structural integrity o the triangle.

The broken triangle

1 We are not suggesting that every instance o material weakness, nancial restatement, regulatory noncompliance, andthe like is directly attributable to the broken triangle. These problems may arise despite a unctional relationshipbetween the three parties. Nonetheless, we contend that in most cases, a dys unctional relationship is a contributingcause, and in some cases, a primary cause.


4/16

Convince a chie audit executive to speak o the record, andyou may be in or a shock: o tentimes, internal audit is notthe independent, objective organization its thought to be.

In some companies, ostensible reporting linesnotwithstanding, the CAE does the CFOs bidding. Thelatter controls budget, sta ng, and the audit plan, which,

rom a practical standpoint, can e ectively neuter internal

audits independence and objectivity.

Ideally, internal audit serves as the eyes and ears o theboard and audit committee, an essential component inthe system o checks and balances. But how can a CAEcon dently and reliably report up problems i he or she isworried about job security?

As Upton Sinclair amously stated: It is di cult to get aman to understand something when his job depends on his

not understanding it.

O the record

4


5/16

Every organization has a pecking order, and determiningyour place is as easy as answering one question: Whosyour boss?

Yet reporting structures or the CAE o ten de y thissimple analysis. In many organizations, the CAE reports

unctionally to the audit committee and administrativelyto the CFO or CEO. Consequently, the whos your boss?

issue becomes instantly muddled. Serving two masters canpresent problems in terms o allegiances, independence,and e ectiveness.

In other organizations, the CAE reports to the controller.Now, we have nothing against controllers. (Some o our

avorite people are controllers.) But when you consider theresponsibilities and expectations under which internal auditoperates, placing the CAE at this level o the hierarchymakes little sense.

As the pecking order rules state: The lower you report,the harder it is to team with executives at higher levels .

And when it comes to running an e ective internal auditoperation, teaming is key.

So give your CAE clout along with responsibility. Make himor her a true senior executive o the company to providethe respect and visibility accorded such positions. Removeany ambiguity as to whom the CAE reports. And make surethe boss sits high in the organizational chart.

Whos your boss?

The broken triangle? Improving the relationship between internal audit, management, and the audit committee 5


6/16

Relatively ew people outside o the UK know the queen oEnglands last name. She is Her Majesty, not Liz Windsor 2,with good reason: Titles con er respect.

A name is a power ul tool, both practically andpsychologically. Judges are your honor and governorsare the honorable. Whether or not you agree with thedesignation, it does exert a power ul infuence over those

who come in contact with the person.

The same holds true or Internal Audit. We suggest youconsider renaming the unction Audit Services. The newtitle will provide more o an association with value andservice rather than connotations around internal a airs andpolicing.

Audit Services presents an entirely di erent image tothe world and a resh approach to the unction. It is moreaccurate and descriptive, and it better in orms others whatthey should expect rom the unction.

Dont take the suggestion too ar, however. Werecommend you avoid calling the CAE your majesty.

The name game

2 Technically, she is not even the queen o England. Shes Queen o the United Kingdom o Great Britain and Northern Ireland.

6


7/16

Ask leaders in your organization where internal auditsprimary ocus should be, and you may be surprised at therange o responses. To illustrate, take the quiz below.

Compare results with others in your organization, andyoull probably discover that this simple test highlights avexing problem: thinking around the proper role o internalaudit is not aligned.

Great expectations?

IA in ocus: A short quiz

What is the primary unction o internal audit? This quiz will help determine i yourthinking is aligned with others in your organization.

Step 1: Circle your role from the choices below.

Step 2: Where should internal audit primarily focus its attention? Circle one item.

Your role Internal audit should primarily deliver Audit Committee Reassurance and Value Protection1.

Strategic Focus and Value Creation2.

Business Risk Insights and Risk Mitigation3.

Upper Management

Board o Directors

Internal Audit

At a high level, we usually nd that the audit committeeand the board want reassurance and value protection,while management seeks strategic ocus and valuecreation.

Un ortunately, i everyone expects something di erentrom internal audit, no one is likely to be satis ed.



8/16

Sometimes audit committees and management dontknow what engineers and actuaries intuitively understand:Theres no such thing as per ect assurance.

For example, space shuttles are subject to tens othousands o quality checks, yet sometimes they ailcatastrophically. Insurance companies consult actuarialtables and pore over statistical probability, but sometimes

they are still bankrupted by an un oreseen event.

Similarly, the audit committee and management sometimeshave a alse sense o reassurance as to the scope ointernal audits activities. For example, they may believethat all periods in a nancial review are covered, or that100 percent o transactions have been audited. This, ocourse, is rarely the case.

To avoid nasty surprises, the audit committee and

management must understand the depth and breadth ocoverage by internal audit. Audit plans and risk coverageshould be clearly explained so that everyone understandsexactly what work is being done and not done.

Per ect assurance?

8


9/16

Any rank assessment o the current state o enterpriserisk management (ERM) would have to conclude thatspectacular ailures de ne the eld more so than its abilityto keep businesses out o trouble.

Why does ERM so consistently all short? Perhaps becauseinternal audit is not su ciently integrated in ERMactivities. Considering IAs knowledge, objectivity, and

methodologies, and in light o its ability to provide inputto stakeholders regarding risk exposures, risk reporting,and risk management, its stunning to discover howin requently ERM activities and/or projects appear on IAsaudit plan.

The potential or IA to enhance the e ectiveness o anorganizations risk management activities is immense. Butto do so, internal audit needs to break ree o its traditionalrole. Visionary IA groups can expand their job descriptionto include roles such as the ollowing:

Advisor: advising management on risks related tostrategic initiatives, organization, process and systemicchanges

Prognosticator: peering ahead to help managementenvision uture risks and opportunities

Aggregator: considering how risks interact and cascade

E fciency specialist: identi ying ine ciencies in riskmanagement

Advocate: identi ying and helping to mitigate risksassociated with protecting and increasing shareholdervalue; advocating or resources to address risk areasdeemed insu ciently covered

Subject matter specialist: providing knowledge and

experience in key risk areasTroubleshooter: getting involved in control remediationand design; helping to conduct and interpret riskassessments.

Embracing risk



10/16

Popular TV crime shows o ten have three main charactertypes cop, detective, and lawyer a cast apparentlyripped straight rom internal audit. Consider these typicalIA lineups:

Police - In heavily regulated industries, or inorganizations attempting to strengthen a weak internalcontrol environment, a policing role or IA may be thenorm. The disadvantage to this role is that it o ten puts

IA at odds with management and others in the company.Detective - In this role, internal audit ocuses onidenti ying issues and problems, uncovering acts orpresentation to management. The downside to thisapproach is that internal auditors may eel pressured to

nd a problem (thereby justi ying their existence) insteado proactively ocusing on pertinent risk areas.

Counsel - As trusted counsel, internal audit takes on amore participative role, advising on key business risksinstead o simply per orming audits. The IA group buildsmeaning ul business relationships with management andthe audit committee.

For which role is internal audit most suited? In ourexperience, organizations are best served when internalaudit predominantly takes on a counsel role, while

secondarily per orming the other roles as needed.

The IA police? This model can o ten be a dead end,ostering resentment instead o collaboration. Most

internal auditors dont see themselves as police o cers.Care should be taken to ensure that the rest o thecompany doesnt perceive them that way either.

Cop, detective, or counsel?

10


11/16


12/16

Increasingly, internal audit is being asked to rein inexpenses. We have seen many instances in the last ewyears where IAs budget has been slashed by up to 25percent.

At the same time, IA is under pressure to expand coverage.Risks are increasing. Audit committees and boards areconcerned. And internal audit should be providing more

risk mitigation and com ort.

This do more with less mentality creates stress at best,dangerous gaps at worst. How to resolve this seeminglyunsolvable riddle? A ew approaches are possible:

Make greater use o technology and continuous1.monitoring tools. This, o course, may require anup ront investment o (scarce) unds. Not always,though: some existing technology tools mostnotably the latest versions o ERM systems includecontrol monitoring tools that are o ten underutilizedor unused.

Appeal to the audit committee.2. In mostorganizations, the AC approves the internal auditbudget. But the audit committee holds additionalpower it almost never exercises the ability to directmanagement to increase internal audits budget. Nowmay be an opportune time or the audit committee tofex its muscles.

Acquire outside services to address areas o3.concern. An outside service can o ten provide amore cost-e ective means o tackling labor-intensive,complex, or limited-duration projects with shortterm, non-recurring costs.

Do more with less

12


13/16

The structure o internal audit o ten mirrors that o theorganization as a whole. For example, companies thatmake extensive use o outsourced service providers payroll, manu acturing, order ul llment, and the like may be more inclined to use an outsourced or cosourcedmodel or internal audit. Companies that go it alone inmost other areas o the business may do so in IA as well.

Many chie audit executives deliberately shun anydiscussion about outsourcing or cosourcing, operatingunder the belie that these models can undermine oreven make redundant their position. Yet dismissing thesemodels outright can ignore some signi cant bene ts:

Cost: Outsourcing and cosourcing can be cost e ective,allowing companies to avoid hiring, training, bene ts,taxes, and other associated expenses.

Does your model ft to a T?

Talent: Sourcing provides access to skills and talents thatmay not be available in-house.

Flexibility: IA groups can quickly bring people on asrequired by need; and can easily scale back whenbudget, workload, or other considerations dictate.

Objectivity: Tackling di cult or controversial issuesmay be easier or an outside party than those in the

organization, who might worry about job security andnancial well-being.

Capabilities: Through sourcing, internal audit groupscan access global resources, bridge language barriers,and gain new perspectives.



14/16

In virtually every organization with which we have worked,the audit committee and/or management has harboredmistaken assumptions about the activities o internal audit.These di ering expectations mean that the CAE is almostinevitably disappointing someone. But, more signi cantly,it represents a loss o opportunity and a squandering oresources. The value that internal audit can bring to theorganization is too great to be rittered away.

The rst step toward mending the triangle rests with theCAE. This may mean adopting a more assertive role thanin the past. The CAE should ensure that management andthe audit committee have ull visibility into the activitieso internal audit and are ull partners in the developmento the internal audit objectives, audit plan, and relatedactivities.

CAEs need to have an appropriate level o executive/ boardroom presence and leadership skills to position their

unctions or success. Internal audit needs a rm handat the wheel; CAEs cant allow their unctions to getblockaded or diverted o course. They will ace resistanceas they attempt to re ocus their organizations toward amore strategic and consultative role; this resistance mustbe overcome.

Remember that the alignment o internal audit needs tobe regularly revisited. A changing competitive landscape,evolving needs o the business, turnover o personnel, andother actors necessitate constant review and re reshing. Itcan never be set and orget.

The broken triangle has existed or ar too long. Dontignore the elephant in the room. (Unattended elephantstend to make huge messes.)

Unattended elephants

14


15/16

Here are eleven practical steps to bring harmony to yourtriangle:

Communicate:1. Be open about the relationshipsbetween internal audit, the audit committee, andexecutive management.

Check your reporting lines:2. Determine whether yourcurrent reporting structure or the CAE is optimal.

Rebrand:3. Consider renaming your internal auditgroup as audit services or another more descriptiveand appropriate name.

Align expectations:4. Ensure that IAs audit plan andareas o strategic ocus are understood and agreedupon by all parties.

Manage expectations:5. Theres no such thing asper ect assurance.

Embrace risk:6. Expand your attention to risks that canimpede your growth and pro tability objectives.

Defne IAs identity:7. Cop, detective, or counsel?

Expand your audit scope:8. Address emerging issuesand trends.

Take control o your budget:9. Can you do more withless?

Adopt a workable model:10. Determine what tsbest or your organization: In-house? Cosource?Outsource?

Make the CAE an o fcer:11. Bestow a title that helpsgarner the respect accorded to those in leadershippositions.

Make the triangle sing



16/16

Contacts

About Deloitte Deloitte re ers to one or more o Deloitte Touche Tohmatsu, a Swiss Verein, and its network o member rms, each o which is a legally separate and independententity. Please see www.deloitte.com/about or a detailed description o the legal structure o Deloitte Touche Tohmatsu and its member rms. Please see www.deloitte.com/us/about or a detailed description o the legal structure o Deloitte LLP and its subsidiaries.

Copyright 2010 Deloitte Development LLC. All rights reserved.Member o Deloitte Touche Tohmatsu

1036

For a discussion o your business issues or or morein ormation on our services, contact any o thepro essionals listed below.

Eric HespenheideGlobal LeaderInternal Audit ServicesDeloitte & Touche LLP

+1 313 396 [email protected]

John PeirsonUS Managing PartnerInternal Audit Trans ormationDeloitte & Touche LLP+1 612 397 4714

[email protected]

Wayne RoseDeputy Managing PartnerInternal Audit Trans ormation Energy & Resources

Deloitte & Touche LLP+1 214 840 [email protected]

Brett ShermanPartnerInternal Audit Trans ormation Consumer & IndustrialProductsDeloitte & Touche LLP+1 973 602 [email protected]

Paul LindowPartnerInternal Audit Trans ormation Financial ServicesDeloitte & Touche LLP+ 1 415 783 [email protected]

Steve Curry

PartnerInternal Audit Trans ormation Health Sciences &GovernmentDeloitte & Touche LLP+1 215 405 [email protected]

Sandy PundmannPartnerInternal Audit Trans ormation Technology, Media &TelecommunicationsDeloitte & Touche LLP+1 312 486 3790

[email protected]

Patty MillerPartnerDeloitte & Touche LLP+1 415 783 [email protected]

Neil BrownPartnerEnterprise Risk ServicesDeloitte Canada+1 416 643 [email protected]

Broken Triangle

Documents

Transcript of Broken Triangle