How can internal audit bring value in turbulent times? · 2014. 12. 15.
15 Years of ČIIA
Praha
November 11-12, 2010
Jean-Pierre Garitte, CIA, CCSA, CISA, CFE, RFA
Past Chairman of the Board IIA
Past President ECIIA
Current State
Organizations have been accepting significant risk
• Huge and sudden losses
• Uncertain and unpredictable
• Irrational
• High speed
• Complex and inter-connected
Economic Downturn
• Governance failures around the globe
• Risk management efforts ineffective
• Stakeholder confidence shaken
• Legislative / regulatory response anticipated
• Executives’ bonuses questioned
• Opportunity for internal audit profession to demonstrate leadership in risk management, control and governance
Economic Downturn / Financial Crisis
• Illustrative risks:
– Increased incentives for financial fraud
– Disgruntled ex-employees who sabotage, pilfer assets
– Short term cost-cutting with destructive operational or control implications
– Reliance on a third party supplier, distributor, or joint venture partner with financial difficulties; what contingency plan is in place
– Customer dissatisfaction; over-valued receivables
– Potential liquidity issue due to the tightening of credit
– Loss of reputation
Internal Audit Role
Help management identify risks, design risk management strategies, assess and monitor effectiveness of applicable controls
IIA Survey – March 2009
• 87% report companies negatively impacted
• 50% have had budgets reduced; 24% by 11% or more
– 80% reduced travel
– 70% reduced training
– 47% reduced cosourcing
– 33% had force reduction
Source: Institute of Internal Auditors GAIN Survey
IIA Survey – March 2009
• 47% have increased coverage of operational risks
• 48% have increased coverage of cost/expense reduction or containment
• 35% have increased coverage of the effectiveness of risk management
• 40% have increased coverage of their companies exposure to third parties in financial distress
Source: Institute of Internal Auditors GAIN Survey
Risk of Not Responding
• Diminished stature of Internal Audit in surfacing and addressing emerging risks
• Significantly reduced credibility as a trusted governance partner (oversight body vs. management partner)
• Diminished value of internal audit activities
– Seen as being inflexible and non-responsive to emerging risk
– Internal competition
• “Where were the internal auditors?”
Current state of the profession
• Different levels of maturity
– Compliance / financial / operational / technical
– Risk based vs. cyclical/rotational
– Auditing vs. consulting
– Broad or narrow focus -- controls, risk management and governance
• Different levels of acceptance
– Legislated / regulated
– Must have vs. optional / nice to have
– Critical function vs. necessary evil
What do Internal Auditors currently do?
• Test financial controls
• Audit compliance
• Look at operational opportunities
• Audit risk management framework
• Perform management audits
• Audit governance process
Potential Internal Audit Involvement
• Participate in cross functional ‘what if’ discussions to reconsider risks and identify action plans
• Help design risk management / monitoring processes (i.e., controls!) to address risks
• Redirect audit resources to re-assessed highest risk areas
– Risk assessment and risk management/monitoring practices
– Complex decision models – such as risk monitoring and valuation
– Physical and system security in the aftermath of layoffs
– Fraud risk management
– Operational reviews in processes that MUST continue to work
– Investment diversification policy
– Consumer loan, credit policy
– Extended enterprise reviews
Three lines of defense model
A Strategic Solution – Three Lines of Defense Model
[Diagram with three columns: 1st Line of Defense, 2nd Line of Defense, 3rd Line of Defense. Labels shown: Management; Internal Control; Reporting & Accounting; Risk Management & Internal Control; Legal; Insurance; Compliance; Corporate Audit Services; Local Audit; Forensic; External Audit; Regulator]
EMERGING TRENDS
1. Risk Management
2. Extended Enterprise
3. Social Responsibility
4. Tax
IIA Standard 2120
• The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Determining whether risk management processes are effective is a judgment resulting from internal auditor’s assessment that:
• Organizational objectives support and align with organization’s mission.
• Significant risks are identified and assessed.
• Appropriate risk responses are selected that align risks with organization’s risk appetite.
• Relevant risk information is captured and communicated in timely manner across organization, enabling staff, management, and the board to carry out responsibilities.
• Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
IIA Standards confirm role of internal audit to assess and provide assurance, but also to help enhance risk management
Balancing Internal Audit’s Roles
Major ERM Activities and Internal Audit’s Role

Core/Safe – consistent with Standards
• Giving assurance on the risk management process
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks

Should be performed with certain safeguards
• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidated reporting on risks
• Championing establishment of ERM
• Developing risk management strategy - BOD approval

Should not be performed by internal audit
• Setting risk appetite
• Imposing risk management processes
• Providing management assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management’s behalf
• Assuming accountability for risk management
IIA Guidance
Position Paper
Appropriate IA Roles
• Provide assurance to executives and board on:
– Risk management processes, both design and effectiveness
– Management of key risks, including the effectiveness of controls and mitigation
– Reliable and appropriate assessment and reporting of risks
• Provide consulting assistance:
– Share tools and techniques used to analyze risks and controls
– Be a catalyst to introduce ERM
– Provide advice, facilitate workshops, coach on risk, control and a common language, framework and understanding
– Act as the central point for coordinating, monitoring and reporting on risks
– Support management in identifying ways to mitigate risk
IIA Position Paper “The Role of Internal Audit in Enterprise-wide Risk Management,” reissued January 2009
IIA Guidance
Position Paper (Continued)
• Inappropriate Roles
– Should not set the risk appetite
– Should not be responsible for risk management decisions
– Should not manage any of risks on behalf of management
Management must remain responsible for risk management
IIA Position Paper “The Role of Internal Audit in Enterprise-wide Risk Management,” reissued January 2009
Organizational Maturity
[Figure: five maturity stages along an axis running from un-rewarded risk to rewarded risk]
Stages: 1: Unaware; 2: Fragmented; 3: Top-down; 4: Systematic; 5: Risk intelligent
Characteristics shown on the slide:
• Ad-hoc/chaotic
• Depends primarily on individual heroics, capabilities and verbal wisdom
• Reaction to adverse events by specialists
• Discrete roles established for small sets of risks
• No focus on risk inter-linkages
• Limited alignment of risk to strategy
• Disparate monitoring
• Policies, risk authorities defined and communicated
• Routine risk assessments
• Communication of key risks to the Board
• Executive Committee
• Dedicated team
• Primarily qualitative
• Reactive
• Coordinated risk management activities across silos
• Risk appetite is defined
• Enterprise-wide risk monitoring, measuring and reporting
• Training
• Integrated response to adverse events
• Rapid escalation
• Proactive
• Technology implementation
• Embedded in decision-making
• Early-warning risk indicators
• Linkage to performance measurement and incentives
• Risk modeling and scenarios
• Industry benchmarking
• Sustainable
Questions shown along the bottom:
• Are we doing the right things?
• Do we comply with relevant laws and regulations?
• Do we have integrated management information?
• Are we doing the things right?
Copyright © 2009 Deloitte Development LLC. All rights reserved.
The Level of Internal Audit’s Effort is Dependent on the Company’s Risk Intelligence Capability
[Figure (illustrative): Stakeholder Value plotted against Integrated Enterprise Risk Management Capability, across the stages Unaware, Fragmented, Top Down, Systemic Risk Management, Risk Intelligent]
Typical Implications for Internal Audit
• Risk identification and assessment typically initiated and led by IA
• Heavier involvement in risk analysis
• Heavier involvement in formulation of recommendation for risk mitigation and control
• Leveraged risk identification / assessment
• Better coordination with risk owners on risk mitigation efforts and controls
• Linkage of IA Risk Based audit plan to ERM
• Risk Owners Formulate Mitigation
• Internal Audit evaluates and monitors
Consultant vs. Evaluator
[Figure: activities placed between Consultant and Evaluator on one axis, and between Less Mature Risk Management and More Mature Risk Management on the other]
• Audit design and effectiveness of specific risk management processes
• Report on consolidated risks and management’s responses
• Evaluate best practices and adaptation to organization; optimization of risk management practices
• Advice focusing on risk management structure and approach to address basic risks
• Facilitate identification and evaluation of relevant risks and risk mitigation steps
Adopted from IIA Position Paper “Organizational Governance: Guidance for Internal Auditors,” July 2006
New IA Risk Assessment Approach
• Prioritize mitigation based on the likelihood of events
• The fallibility of probability
– Little or no predictive value
– Major value losses are often high impact / low likelihood
  Natural disasters; Current global financial crisis; Credit crunch; Financial scandals; 9/11; Danish cartoons
– Biases management to direct resources to high impact / high likelihood events
– Typically focuses on single events rather than a series of events or domino effects
– Audit activities are often misdirected to the “red zone”
[Chart: Impact (L to H) against Likelihood (L to H)]
Enterprise Risk Management Refreshed
• Look beyond likelihood (probability)
• Three key factors:
– Impact of an event on business value
– Organization’s vulnerability to its effects
– Risk event’s speed of onset

Impact: Degree to which event would affect enterprise value in absence of mitigating action
Vulnerability: Remaining risk after considering efforts to monitor, manage and mitigate impact
Speed of Onset: Time required for risk event to affect the business
Risk Management Refreshed
M = High Impact/High Vulnerability
• Provide assistance in design of controls where impact and vulnerability are high
• Track progress on remediation plans
A = High Impact/Low Vulnerability
• Obtain assurance confidence in preparedness is justified
R = Low Impact/Low Vulnerability
• Obtain assurance on effectiveness
• Identify ways to improve efficiency
CI = Low Impact/High Vulnerability
• Assess cumulative impacts and frequency
[Chart: Risk Impact on Value (L to H) against Vulnerability (L to H). Labels shown: Assurance of Preparedness; Assurance; Mitigate; Redeploy; Cumulative Impact?; Prevent, Detect, Correct, Escalate]
Risk Area Ripe for IA
• Third party performance and stability
– How effective is your organization’s vendor management process?
– Are your key third parties meeting service level agreements?
– Are your third party relationships delivering the committed value?
– Do your key third parties have strong internal controls in place?
• Cost and revenue opportunities
– Have you been overbilled?
– Have all license fees/royalty payments been remitted accurately?
• Could a third party be preparing to audit your organization?
Extended business relationships
Supply-Side Partners
• Vendors
• Suppliers
• Manufacturers
• Replicators
• Integrators

Demand-Side Partners
• Franchisees
• Distributors
• Advertising agencies
• Retailers
• Warranty providers

Licensees
• Co-brand partners
• Joint developers
• Patent licensees

Infrastructure
• IT outsourcing
• HR services
• Travel agencies
• Legal services
• Transaction processing
• Call centers
Driving value from the extended enterprise
• Revenue recovery
– Royalties
– Franchise fees
• Cost reduction
– Volume discounts
– Most favored pricing
• Improved reporting
– Point of sale data
– Forecast data
• Relationship management
• Brand protection
• Security and privacy
• Regulatory compliance
The impact – at a detailed level
• Application of rates outside of contractual agreements
• Miscalculation or failure to apply discounts or volume rebates
• Duplication of charges or invoices
• Erroneous application of management fees and margins
• Inappropriate or overstated expenses
• Service credits not following to invoices
Corporate Social Responsibility
• Consider …. Is your organization ready?
– To pay for what was formerly free?
– To take advantage of shifting demographics?
– To respond to activists?
– To anticipate your stakeholder’s changing needs and expectations?
• IA as catalyst
– Understand your organization’s approach and attitude
– Educate on breadth of risk and opportunity
– Assist in collecting data and benchmarking
– Assist in planning approach with appropriate measurements to monitor progress and risk management
– Ultimately, assist in designing new processes and supporting controls
The Tax Environment
Pressures on the tax department

Continued regulatory pressure
Revenue authority transformation
• Risk based assessment
• Sophisticated interventions
Impact of technology in tax
• Standardisation and automation
• E-filing and systems audits
Advances in technology
• Services Oriented Architecture
• Controls and risk management
Increased demand for tax resource
Globalisation of businesses
Impact of social responsibility

“…the visibility and communication of tax has increased across the wider finance community as a result of formalising the controls and processes over financial reporting and tax management…” Vodafone

The CFO, the Board, tax authorities, auditors, investors, analysts, regulators, pressure groups and even non-executives are all ‘looking over the shoulder’ at the management of tax.
Typical Tax Risks Identified
• Tax exposures/missed opportunities from insufficient inter-departmental communication due to assumed tax knowledge
• Incorrectly implemented tax planning.
• Tax balance considered immaterial
• Overseas local tax issues
• Complexity of group structure causing negative tax management impacts
• Tax inefficiencies / missed opportunities resulting from low risk appetite
• Uncertainty and resource implications arising from accounting and regulatory changes
• Lack of involvement/late involvement of tax in product development
• Incorrect tax calculations due to spreadsheet errors
• Compliance process is not performed on a timely basis (e.g. late returns)
Closing Thoughts
What are other internal audit functions doing?
• Stay close to business and management: their concerns are your concerns.
• Be flexible, don’t focus exclusively on the achievement of the annual plan.
• Focus on real risks, i.e. current business issues (extended enterprise, customers, tax).
• Review internal audit strategy with outside assistance.
• Reassess risks on a regular basis.
• Develop and maintain meaningful KPIs.
• Review 2nd lines of defense.
• Be involved in ERM.
• Look at downturn implications: fraud exposure, change in customer behaviour
Further tips for internal auditors
Focus on areas that are critical for the organization:
• Cost saving measures
• Customer profitability
• Reliability of supply chain
Budget cuts and belt-tightening exercises will force you to reprioritize your audits!
Responsibilities TODAY
Are each of us ….
• Hiring the best and brightest
– and providing a learning and career pathway
• Seeking to understand stakeholder expectations and evaluating effectiveness in meeting those expectations
• Developing and demonstrating strong communication skills to effectively convey findings and recommendations
• Embracing and executing a risk-based approach with a balanced plan
• Providing leadership on issues of corporate governance, fraud, risk management, internal control and financial reporting
• Willing to challenge status quo, and operating as change agents
Responsibilities TODAY
Are each of us ….
• Staying informed on emerging trends in our profession?
– Risk assessment
– CAATs
– Continuous controls monitoring
• Keeping abreast of new developments in our businesses, industries and regions, considering risks and taking a proactive role:
– Economic downturn
– Currency destabilization
– Extended enterprise
– IFRS adoption worldwide
– Corporate responsibility and sustainability
– Espionage/technology terrorism
View on Internal Audit: Maturity model
Internal Audit should:
• Support the business in establishing and maintaining the Internal Control Framework (short term)
• Provide assurance on the Internal Control Framework to Board of Directors and Audit Committee (medium & longer term)
• Generate opportunities to further improve efficiency and effectiveness of processes; value protection and value enhancement (continuously).
Raising Expectations
As you move across the Internal Audit maturity model
• Stakeholder expectations increase dramatically
• Consequences of quality failures increase
– Risk
– Reward
• Skills required to execute go up
– All levels of the Internal Audit group, not just the CAE
• Easier to demonstrate Internal Audit ROI
Final Thoughts
• Risks facing our organizations are unprecedented and stakeholders’ expectations continue to increase
• Internal audit profession has an opportunity to step forward
• Individual practitioners and organizations must ‘raise the bar’ to most effectively represent and advocate for our profession
• Our new challenges will bring new opportunities for our organizations, internal auditing as a profession, and each of us as professionals