H i t l dit b iHow can internal audit bringvalue in turbulent times?value in turbulent times?

15 Years of ČIIAPrahaNovember 11-12, 2010

Jean-Pierre Garitte, CIA, CCSA, CISA, CFE, RFA, , , , ,Past Chairman of the Board IIAPast President ECIIA

Current State

Organizations have been accepting significant risk

Huge and sudden losses

Organizations have been accepting significant risk

• Huge and sudden losses • Uncertain and unpredictable • Irrational Irrational • High speed • Complex and inter-connected

2

Economic Downturn Economic Downturn

• Governance failures around the globe• Governance failures around the globe• Risk management efforts ineffective• Stakeholder confidence shaken• Legislative / regulatory response anticipated• Executives’ bonuses questioned

• Opportunity for internal audit profession to demonstrate leadership in risk management control and governance leadership in risk management, control and governance

3

Economic Downturn / Financial CrisisEconomic Downturn / Financial Crisis

• Illustrative risks:– Increased incentives for financial fraud– Disgruntled ex-employees who sabotage, pilfer assets– Short term cost-cutting with destructive operational or Short term cost cutting with destructive operational or

control implications– Reliance on a third party supplier, distributor, or joint

venture partner with financial difficulties; what venture partner with financial difficulties; what contingency plan is in place

– Customer dissatisfaction; over-valued receivablesPotential liq idit iss e d e to the tightening of c edit– Potential liquidity issue due to the tightening of credit

– Loss of reputation

Internal Audit RoleHelp management identify risks, design risk management strategies,

assess and monito effecti eness of applicable cont olsassess and monitor effectiveness of applicable controls

4

IIA Survey – March 2009IIA Survey March 2009

• 87% report companies negatively • 87% report companies negatively impacted50% h h d b d t d d 24% • 50% have had budgets reduced; 24% by 11% or more– 80% reduced travel– 70% reduced training– 47% reduced cosourcing– 33% had force reduction

5Source: Institute of Internal Auditors GAIN Survey

IIA Survey – March 2009

• 47% have increased coverage of operational • 47% have increased coverage of operational risks

• 48% have increased coverage of • 48% have increased coverage of cost/expense reduction or containment

• 35% have increased coverage of the • 35% have increased coverage of the effectiveness of risk management

• 40% have increased coverage of their • 40% have increased coverage of their companies exposure to third parties in financial distressfinancial distress

6Source: Institute of Internal Auditors GAIN Survey

Risk of Not RespondingRisk of Not Responding

• Diminished stature of Internal Audit in surfacing • Diminished stature of Internal Audit in surfacing and addressing emerging risks

• Significantly reduced credibility as a trusted g y ygovernance partner (oversight body vs. management partner)

• Diminished value of internal audit activities– Seen as being inflexible and non-responsive to emerging

i krisk– Internal competition

• “Where were the internal auditors?”• Where were the internal auditors?

7

Current state of the profession

Different levels of maturity•Different levels of maturity–Compliance / financial / operational / technical–Risk based vs. cyclical/rotational–Auditing vs. consulting

B d f t l i k t d –Broad or narrow focus -- controls, risk management and governance

•Different levels of acceptance–Legislated / regulated Legislated / regulated –Must have vs. optional / nice to have–Critical function vs. necessary evily

8

What do Internal Auditors currently do?What do Internal Auditors currently do?

• Test financial controls• Audit compliance• Look at operational• Look at operationalopportunities

• Audit risk management • Audit risk management frameworkP f t dit• Perform management audits

• Audit governance process

9

Potential Internal Audit InvolvementPotential Internal Audit Involvement

• Participate in cross functional ‘what if’ discussions to • Participate in cross functional what if discussions to reconsider risks and identify action plans

• Help design risk management / monitoring processes (i.e., l !) dd i kcontrols!) to address risks

• Redirect audit resources to re-assessed highest risk areas– Risk assessment and risk management/monitoring practicesRisk assessment and risk management/monitoring practices– Complex decision models – such as risk monitoring and valuation– Physical and system security in the aftermath of layoffs– Fraud risk managementFraud risk management– Operational reviews in processes that MUST continue to work– Investment diversification policy– Consumer loan credit policyConsumer loan, credit policy– Extended enterprise reviews

10

Three lines of defense model

A Strategic Solution – Three Lines of Defense ModelA Strategic Solution Three Lines of Defense Model

1st Line of Defense 2nd Line of Defense 3rd Line of Defense

Co

rpoLegal

Exte R

eM

Int

Reporting & Accountingo

rate

Au

dit S

Forensic

Local Audit

Risk Management & Internal Control

rnal A

ud

it

eg

ula

tor

Man

ag

em

e

tern

al C

on

ervice

s

Insurance

nt tro

l

Compliance

11

EMERGING TRENDSEMERGING TRENDS

1. Risk Management

2. Extended Enterprise2. Extended Enterprise

3 S i l R ibilit3. Social Responsibility

4. Tax

EMERGING TRENDSEMERGING TRENDS

1. Risk Management

2. Extended Enterprise2. Extended Enterprise

3 S i l R ibilit3. Social Responsibility

4. Tax

IIA Standard 2120

• The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Determining whether risk management processes are effective is a judgmentDetermining whether risk management processes are effective is a judgment resulting from internal auditor’s assessment that: • Organizational objectives support and align with organization’s mission.• Significant risks are identified and assessedSignificant risks are identified and assessed.• Appropriate risk responses are selected that align risks with organization’s 

risk appetite.• Relevant risk information is captured and communicated in timely manner e e a t s fo at o s captu ed a d co u cated t e y a e

across organization, enabling staff, management, and the board to carry out responsibilities.

• Risk management processes are monitored through ongoing management g p g g g gactivities, separate evaluations, or both.

IIA Standards confirm role of internal audit to assess and provide assurance, but also to help enhance risk management

14

Balancing Internal Audit’s Roles

• Giving assurance that risks are correctly evaluated• Giving assurance on the risk management process

Core/Safe

Major ERM ActivitiesInternal Audit’s Role

• Giving assurance that risks are correctly evaluated• Evaluating risk management processes

Core/Safe –consistent with

Standards • Evaluating the reporting of key risksR i i th t f k i k• Reviewing the management of key risks

• Facilitating identification and evaluation of risksShould be • Coaching management in responding to risks

performed with certain

safeguards

• Coordinating ERM activities• Consolidated reporting on risks• Championing establishment of ERM• Developing risk management strategy - BOD approval• Setting risk appetite• Imposing risk management processes

Should not be performed by internal audit

Imposing risk management processes• Providing management assurance on risks

• Implementing risk responses on management’s behalf• Making decisions on risk responses

• Assuming accountability for risk management• Implementing risk responses on management s behalf

15

IIA Guidance

Position PaperAppropriate IA RolesAppropriate IA Roles 

• Provide assurance to executives and board on:– Risk management processes, both design and effectiveness

– Management of key risks, including the effectiveness of controls and mitigation

– Reliable and appropriate assessment and reporting of risks

• Provide consulting assistance:• Provide consulting assistance:– Share tools and techniques used to analyze risks and controls

– Be a catalyst to introduce ERM

– Provide advice, facilitate workshops, coach on risk, control and a common language, framework and understanding;

– Act as the central point for coordinating, monitoring and reporting on risks

– Support management in identifying ways to mitigate risk

IIA Position Paper “The Role of Internal Audit in Enterprise-wide Risk Management,” reissued January 200916

IIA Guidance

Position Paper (Continued)

• Inappropriate Roles– Should not set the risk appetite

– Should not be responsible for risk management decisions

– Should not manage any of risks on behalf of management

Management must remainManagement must remain responsible for risk management

IIA Position Paper “The Role of Internal Audit in Enterprise-wide Risk Management,” reissued January 200917

Organizational Maturity•Embedded in

•No focus on risk inter-linkages

•Policies, risk authorities defined and communicated

•Coordinated risk management activities across silosRi k tit i

•Embedded in decision-making

•Early-warning risk indicators

•Linkage to

•Ad-hoc/chaotic

•Depends primarily on i di id l

•Limited alignment of risk to strategy

•Disparate monitoring

•Routine risk assessments

•Communication of key risks to the Board

•Risk appetite is defined

•Enterprise-wide risk monitoring, measuring and reporting

•Linkage to performance measurement and incentives

•Risk modeling and scenarios individual

heroics, capabilities and verbal wisdom

•Reaction to adverse events by specialists

•Discrete roles established for

•Executive Committee

•Dedicated team•Primarily qualitative

reporting•Training•Integrated response to adverse events

d

and scenarios •Industry benchmarking

•Sustainable•Technology implementation

1: Unaware

small sets of risks

2: Fragmented

q•Reactive

3: Top-down

•Rapid escalation

•Proactive

4: Systematic

implementation

5: Risk intelligentg

Un-rewarded risk Rewarded risk

Are we doing the

right things?

Do we comply with relevant

laws and regulations?

Do we have integrated

management information?

Are we doing the

things right?

Copyright © 2009 Deloitte Development LLC. All rights reserved.

things?regulations? information? right?

18

The Level of Internal Audit’s Effort is Dependent of the Company’s Risk Intelligence Capability

alue Integrated Enterprise Risk Management Capability

Illustrativeol

der V

a

Systemic Risk

RiskIntelligent

Stak

eho y

ManagementTop DownFragmentedUnaware

Top Down Systemic Risk Mgmt.Fragmented Risk IntelligentUnaware

Typical Implications for Internal Audit

Top Down Systemic Risk Mgmt.Fragmented Risk IntelligentUnaware

• Linkage of IA Risk Based audit plan to ERM

• Risk Owners Formulate

• Risk identification and assessment typically initiated and led by IA

• Leveraged risk identification / assessment • Risk Owners Formulate

Mitigation• Internal Audit evaluates and monitors

initiated and led by IA• Heavier involvement in risk analysis

• Heavier involvement in formulation of

assessment• Better coordination with risk owners on risk mitigation efforts andformulation of

recommendation for risk mitigation and control

efforts and controls

Copyright © 2009 Deloitte Development LLC. All rights reserved.19

Consultant vs. Evaluator

Audit design and effectiveness of specific risk management processes

r

management processesReport on consolidated risks and management’s

responses

s. E

valu

ato

Evaluate best practices and adaptation to organization;

ti i ti f i k t

nsul

tant

vs optimization of risk management

practices

Con

Advice focusing on risk managementstructure and approach to address basic risksFacilitate identification and evaluation of relevant risks and

Less MatureRisk Management

More Mature Risk Management

risk mitigation steps

Risk Management Risk Management

Adopted from IIA Position Paper “Organizational Governance: Guidance for Internal Auditors,” July 200620

New IA Risk Assessment Approach

• Prioritize mitigation based on the likelihood of events

• The fallibility of probability– Little or no predictive value 

– Major value losses are often high impact / low likelihoodNatural disasters Current global financial crisis

Credit crunch Financial scandals

9/11 Danish cartoons

– Biases management to direct resources to high impact / high likelihood events

H

to high impact / high likelihood events 

– Typically focuses on single events rather than a series of events or domino effects Im

pact

– Audit activities are often misdirected to the “red zone” 

LikelihoodL H

L

Likelihood

21

Enterprise Risk Management Refreshed

• Look beyond likelihood (probability)y (p obab ty)

• Three key factors:– Impact of an event on business value

– Organization’s vulnerability to its effects

– Risk event’s speed of onset

Impact

Degree to which t ld ff t

Vulnerability

Remaining risk ft id i

Speed of Onset

Time required for i k t tevent would affect

enterprise value in absence of

mitigating action

after considering efforts to monitor,

manage and mitigate impact

risk event to affect the business

g g mitigate impact

22

Risk Management Refreshed

M = High Impact/High Vulnerability • Provide assistance in design of controls where impact and vulnerability 

are high• Track progress on remediation plans  HTrack progress on remediation plans 

A = High Impact/Low Vulnerability • Obtain assurance confidence in

Assurance of Preparedness

alu

e Assurance MitigateObtain assurance confidence in preparedness is justified

R = Low Impact/Low Vulnerability  Cumulativemp

act

on

Va

PreventDetectCorrectEscalate

C l tip / y• Obtain assurance on effectiveness• Identify ways to improve efficiency

CumulativeImpact?

Ris

k I

m

RedeployCumulativeImpact

CI = Low Impact/High Vulnerability • Assess cumulative impacts and frequency

L Vulnerability H

Copyright © 2009 Deloitte Development LLC. All rights reserved.23

EMERGING TRENDSEMERGING TRENDS

1. Risk Management

2. Extended Enterprise2. Extended Enterprise

3 S i l R ibilit3. Social Responsibility

4. Tax

Risk Area Ripe for IARisk Area Ripe for IA

• Third party performance and stability• Third party performance and stability– How effective is your organization’s vendor management

process?– Are your key third parties meeting service level agreements? – Are your third party relationships delivering the committed

value?– Do your key third parties have strong internal controls in

place?• Cost and revenue opportunities• Cost and revenue opportunities

– Have you been overbilled?– Have all license fees/royalty payments been remitted

t l ?accurately?• Could a third party be preparing to audit your organization?

25

Extended business relationships

SupplySupply--SideSidePartnersPartners

DemandDemand--SideSidePartnersPartners

LicenseesLicensees InfrastructureInfrastructure

• Vendors• Suppliers• Manufacturers

• Franchisees• Distributors• Advertising

• Co-brand partners

• Joint

• IT outsourcing• HR services• Travel agencies• Manufacturers

• Replicators• Integrators

• Advertising agencies

• Retailers• Warranty

Joint developers

• Patent licensees

• Travel agencies• Legal services• Transaction

processing Warranty providers

processing• Call centers

26

Driving value from the extended genterprise

• Revenue recovery– Royalties

• Relationship management

• Brand protectionRoyalties– Franchise fees

• Cost reduction

• Brand protection

• Security and privacy

• Regulatory compliance– Volume discounts– Most favored pricing

• Regulatory compliance

• Improved reporting– Point of sale data

Forecast data– Forecast data

27

The impact – at a detailed level

• Application of rates outside of contractual agreementsg

• Miscalculation or failure to apply discounts or volume rebates

D li ti f h i i• Duplication of charges or invoices

• Erroneous application of management fees and margins• Erroneous application of management fees and margins

• Inappropriate or overstated expensesInappropriate or overstated expenses

• Service credits not following to invoicesg

28

EMERGING TRENDSEMERGING TRENDS

1. Risk Management

2. Extended Enterprise2. Extended Enterprise

3 S i l R ibilit3. Social Responsibility

4. Tax

Corporate Social ResponsibilityCorporate Social Responsibility

• Consider …. Is your organization ready?T f h f l f ?– To pay for what was formerly free?

– To take advantage of shifting demographics?– To respond to activists?To respond to activists?– To anticipate your stakeholder’s changing needs and

expectations?IA t l t• IA as catalyst– Understand your organization’s approach and attitude– Educate on breadth of risk and opportunitypp y– Assist in collecting data and benchmarking– Assist in planning approach with appropriate

measurements to monitor progress and risk managementmeasurements to monitor progress and risk management– Ultimately, assist in designing new processes and

supporting controls

30

EMERGING TRENDSEMERGING TRENDS

1. Risk Management

2. Extended Enterprise2. Extended Enterprise

3 S i l R ibilit3. Social Responsibility

4. Tax

The Tax EnvironmentPressures on the tax departmentContinued regulatory pressure

Revenue authority transformation

Pressures on the tax department

• Risk based assessment• Sophisticated interventions

Impact of technology in tax

“…the visibility and communication of tax has increased across the wider Impact of technology in tax

• Standardisation and automation• E-filing and systems audits

Ad i t h l

finance community as a result of formalising the controls and processes over financial reporting and tax management…” VodaphoneAdvances in technology

• Services Oriented Architecture• Controls and risk management

management… Vodaphone

Increased demand for tax resource

Globalisation of businesses

Impact of social responsibility

The CFO, the Board, tax authorities, auditors, investors, analysts, regulators, pressure groups and even non-executives are all ‘looking over the shoulder’ at the management of tax.

32

Typical Tax Risks Identified• Tax exposures/missed opportunities from insufficient inter-departmental communication

due to assumed tax knowledge

• Incorrectly implemented tax planning.

• Tax balance considered immaterial

• Overseas local tax issues

• Complexity of group structure causing negative tax management impacts• Complexity of group structure causing negative tax management impacts

• Tax inefficiencies / missed opportunities resulting from low risk appetite

• Uncertainty and resource implications arising from accounting and regulatory changes

• Lack of involvement/late involvement of tax in product development

• Incorrect tax calculations due to spreadsheet errors

C li i t f d ti l b i ( l t t )• Compliance process is not performed on a timely basis (e.g. late returns)

33

Closing h hThoughts

What are other internal audit functions doing?doing?• Stay close to business and management: their concerns are your

concerns.

• Be flexible, don’t focus exclusively on the achievement of the annualplanplan.

• Focus on real risks, i.e. current business issues (extendedenterprise, customers, tax).

• Review internal audit strategy with outside assistance.

• Reassess risks on a regular basis.

• Develop and maintain meaningful KPIs.

• Review 2nd lines of defense.

• Be involved in ERM.

• Look at downturn implications: fraud exposure, change in customerbehaviour

35

Further tips for internal auditorsFurther tips for internal auditors

Focus on areas that are critical for the organization:organization:

• Cost saving measuresC t fit bilit• Customer profitability

• Reliability of supply chain

Budget cuts and belt-tightening exercises willBudget cuts and belt tightening exercises willforce you to reprioritize your audits!

36

Responsibilities TODAYResponsibilities TODAY

Are each of us Are each of us ….• Hiring the best and brightest

– and providing a learning and career pathwayk d d k h ld d l• Seeking to understand stakeholder expectations and evaluating

effectiveness in meeting those expectations• Developing and demonstrating strong communication skills to

effectively convey findings and recommendations• Embracing and executing a risk-based approach with a

balanced plan• Providing leadership on issues of corporate governance, fraud,

risk management, internal control and financial reporting• Willing to challenge status quo, and operating as change Willing to challenge status quo, and operating as change

agents

37

Responsibilities TODAYResponsibilities TODAYAre each of us ….

• Staying informed on emerging trends in our • Staying informed on emerging trends in our profession?

– Risk assessmentCAATs– CAATs

– Continuous controls monitoring• Keeping abreast of new developments in our

businesses industries and regions considering risks and businesses, industries and regions, considering risks and taking a proactive role:

– Economic downturn C d t bili ti– Currency destabilization

– Extended enterprise – IFRS adoption worldwide– Corporate responsibility and sustainability– Corporate responsibility and sustainability– Espionage/technology terrorism

38

View on Internal Audit: Maturity model

Internal Audit should: Support the business in establishing and maintaining the Internal ControlSupport the business in establishing and maintaining the Internal Control

Framework (short term) Provide assurance on the Internal Control Framework to Board of Directors and

Audit Committee (medium & longer term)Audit Committee (medium & longer term) Generate opportunities to further improve efficiency and effectiveness of

processes; value protection and value enhancement (continuously).

39

Raising Expectationsg p

As you move across the Internal Audit maturity model

• Stakeholder expectations increase dramatically

• Consequences of quality failures increase– Risk – Reward

• Skills required to execute go up– All levels of the Internal Audit group, not just the CAE

• Easier to demonstrate Internal Audit ROI

40

Final ThoughtsFinal Thoughts

• Risks facing our organizations are unprecedented and • Risks facing our organizations are unprecedented and stakeholders’ expectations continue to increase

• Internal audit profession has an opportunity to step f dforward

• Individual practitioners and organizations must ‘raise the bar’ to most effectively represent and advocate for ba o o y p a d ad o a oour profession

• Our new challenges will bring new opportunities for our organizations internal auditing as a profession and organizations, internal auditing as a profession, and each of us as professionals

41

H i t l dit b iHow can internal audit bringvalue in turbulent times?value in turbulent times?

15 Years of ČIIAPrahaNovember 11-12, 2010

Jean-Pierre Garitte, CIA, CCSA, CISA, CFE, RFA, , , , ,Past Chairman of the Board IIAPast President ECIIA