Say It Right

Presentation to IIA Granite State Chapter, 9 May 2013. Phil Tarling, Chairman of the Global IIA Board.

Transcript of Say It Right

Say It Right
Presentation to IIA Granite State Chapter, 9 May 2013

Phil Tarling
Chairman of the Global IIA Board

www.globaliia.org

Background to the Speaker

  • Vice President, IA Centre of Excellence, Huawei
  • Chairman - Global IIA
  • Immediate Past President of the ECIIA (2010-2011)
  • Past President of the IIA UK and Ireland (2005-06)
  • Provided capacity building in Internal Audit & PIFC since 1998
  • Worked in the UK, Estonia, Latvia, Lithuania, Poland, Hungary, Czech Republic, Kenya, South Africa, Romania, Macedonia, Croatia, Serbia, Kosovo and Turkey
  • Now responsible for developing internal audit capacity in a worldwide Chinese-owned telecoms company


Some real changes in the last decade

Some real changes

The profession - founded in 1941

With Europe at war - and the rest of the world not far off

The profession developing a new look in the two thousand and tens

From Clipboard

To Tablet

The Auditor with a Tablet

July 2012: China takes second spot from Japan

The BRICS announced the setting up of the bank, described as a "BRICS-led South-South development bank."

But one thing everyone has

The one common feature

New Communication

This new communication is INFLUENTIAL

Egypt protests organised through Social Media

This new communication BREAKS BARRIERS

Syria unrest shown to the world on YouTube

The IIA's very own

Social Media is being used for internal audit Professional Development and Enhancement

In the first 6 months, had 3.2M hits

Is anyone still saying that Social Media is not important?

Our companies aren't, nor is government

The UK Prime Minister's Web Site

Communication comes in all shapes and sizes

BUT they all rely upon being listened to


The Internal Auditor Communication & Understanding

The Internal Auditor - Communication

This is not new to Internal Auditors

Communication has always been a soft skill that auditors have developed, through reporting style and listening

But previously Internal Audit had a bad reputation.

The Internal Auditor & Communication

We have moved on

  • Focussed on risk,
  • Determined to suggest solutions,
  • Not hiding behind independence,
  • Avoiding the sidelines
  • Involved in the organisation's success or failure

Internal Audit is now a key part of the business

We need to make sure that what we say:

  • not only has an audience
  • not only that people are listening

But also that we


Internal Auditing in the 20 teens

Getting to the Top Table

Football managers often say that for the goalkeeper to miss a save, 10 other players must have missed it before him. This third line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (first line) and the defence (second line) fails to pick up the opposition's attack, it is left to the goalkeeper (third line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both first and second lines, and failure to do so may lead to significant loss to the organisation.

1st line: Business Management
2nd line: Risk Mgt / Compliance / Others
3rd line: Risk Based Internal Audit
External Audit and the Regulators are the Referee and Linesman

Getting to the Top Table

[Diagram: three lines of defence model. Labels: Board of Directors / Audit Committee; Senior Management; Operational Management; 1st Line of Defence; 2nd Line of Defence; 3rd Line of Defence; External Audit; Regulators; Quality; Security; Enterprise Risk Management; Financial Control; Inspection; Ethics & Legal; Internal Control; Internal Audit; Direction; Assurance; Compliance; Control; Risks]

Three lines of defence model

The three lines of defence model is one approach to safeguarding the internal control framework. Our colleagues in the financial services industry will be familiar with it because it is the Financial Services Authority's (FSA) preferred approach. The model is not prescribed, but is implied as part of the functional segregations and reporting structures that the FSA looks for when undertaking its risk assessment (ARROW) visits. Let's look in more depth at how this model is typically applied.

The framework in practice

1st line of defence

This describes the controls an organisation has in place to deal with the day-to-day business. Controls are designed into systems and processes and, assuming that the design is sound to appropriately mitigate risk, compliance with process should ensure an adequate control environment. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequacy of process and unexpected events.

2nd line of defence

This describes the committees and functions that are in place to provide an oversight of the effective operation of the internal control framework. These committees review the management of risk in relation to the particular risk appetite of the business, as determined by the board. The effectiveness of the 2nd line is determined by the oversight committee structure, their terms of reference, the competence of the members and the quality of the management information and reports that are considered by these oversight committees. The 2nd line is reinforced by the advisory and monitoring functions of risk management and compliance. Risk management defines and prescribes the financial and operational risk assessment processes for the business, maintains the risk registers and undertakes regular reviews of these risks in conjunction with line management.

Compliance advises on all areas of regulatory principles, rules and guidance, including leading on any changes, and undertakes monitoring activity on key areas of regulatory risk. One would expect these functions to report upon their work undertaken and significant findings to the appropriate executive risk oversight committees in the 2nd line. These functions may also report to the board's audit committee or a board risk committee in the 3rd line (depending upon the committee structures of the organisation).

3rd line of defence

This describes the independent assurance provided by the board audit committee, a committee of non-executive directors chaired by the senior independent director, and the internal audit function that reports to that committee. Internal audit undertakes a programme of risk based audits covering all aspects of both 1st and 2nd lines of defence. Internal audit may well take some assurance from the work of the 2nd line functions and reduce or tailor its checking of the 1st line. Clearly the level of assurance taken will depend on the effectiveness of the 2nd line, including the oversight committees, and internal audit will need to coordinate its work with compliance and risk management as well as assessing the work of these functions. The findings from these audits are reported to all three lines, i.e. accountable line management, the executive and oversight committees and the board audit committee.

This 3rd line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (1st line) and the defence (2nd line) fails to pick up the opposition's attack, it is left to the goalkeeper (3rd line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both 1st and 2nd lines, and failure to do so may lead to significant loss to the organisation.

The FSA and internal audit

The FSA, as regulator to the financial services industry, has four statutory objectives:

  • market confidence: maintaining confidence in the financial system
  • public awareness: promoting public understanding of the financial system
  • consumer protection: securing the appropriate degree of protection for consumers
  • reduction of financial crime: reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime.

The FSA places significant reliance on the work of internal audit when assessing the risk that individual organisations present to achieving the above objectives. The FSA places internal audit under regular close scrutiny as part of its risk assessment visits. It is particularly concerned with internal audit's independence, its standing with the board and senior executive management and the influence it exercises across the organisation.

Other sectors

Although the model has been described above as typically applied in a financial services organisation, it is equally relevant to other sectors and industries. The model of management control in the 1st line, oversight challenge in the 2nd and independent assurance in the 3rd is universal in application and one well worth considering.


Getting to the Top Table

The third line of Defence provides the outlet to the Audit Committee and Board

But the seat is not a vacant seat for the CAE to walk into

The seat at the Top Table has to be earned

Scaling Greater Heights

Business is Focused on Risks: Top 10 Business Risks in 2011

  • Cost cutting
  • Non-traditional entrants
  • Radical greening
  • Social acceptance and Corporate Social Responsibility
  • Executing alliances and transactions
  • Regulation and Compliance
  • Access to credit
  • Slow recovery or double-dip recession
  • Managing talent
  • Emerging markets

Source: Ernst & Young Business Risk Report

Risk Based Internal Audit

RBIA is not about identifying the Process Risk in the organisation

Risk Based Internal Auditing (RBIA) is a methodology that links internal auditing to an organisation's overall risk management framework.

RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite

Meeting Stakeholder Expectations: Are we Being Honest With Ourselves?

If surveyed today on how well internal auditing is meeting its needs and expectations, my audit committee/executive management would probably rate their overall satisfaction:

Rating          Audit Committee    Executive Management
Unacceptable    0.0%               0.4%
Poor            0.4%               1.9%
Acceptable      16.1%              25.9%
Good            57.6%              57.8%
Outstanding     25.9%              14.0%

Source: Emerging Trends and Leading Practices Spring 2011, The Institute of Internal Auditors Audit Executive Network

The View from the Other Side:

Source: Ernst and Young Global Internal Audit Stakeholder Survey, November 2010 & January 2012

Internal Audit should provide Insight

Source: Internal Audit Research Foundation Survey, March 2012

Internal Audit frequently delivers Insight

Source: IIA Research Foundation Survey, March 2012

My Internal Audit delivers Insight

Source: IIA Research Foundation Survey, March 2012

Provide Insight - Insight should come through linking IA through RBIA with Risk Management and Governance in the organisation

Meet our Stakeholders' expectations - we need to ensure that we do what it is they want us to do

Educate the Stakeholders in what we can do

Ascending to the Level of A Trusted Advisor

[Diagram: chart with axes Relationships and Competence. Labels: Capable but poorly aligned; Compliance function; Engaged but not strategic; Trusted advisor]

Communication is the answer

We have to understand the messages

Do we know the language?

Communication is the answer for IA

CAEs need to:

  • Listen to what the Board are saying directly and through the Audit Committee
  • Listen to what the senior executives are saying
  • Understand what the messages are

Messages are often coded

Make sure that what you are saying is to the right people

  • Be careful of the Reply All button

Make sure that your communication is clear

  • Are your reports concise and in plain language?
  • Is it what you want to say?

Use Simple Words

Get a name as the Advisor to the Board and Audit Committee; the go-to person for business advice

Have regular informal interaction with the Audit Committee members and the Chairman

Go beyond just reporting audit results; be part of the business discussing business issues with senior Executives

Regularly communicate to senior management and the board:

  • Emerging risks facing the enterprise
  • Systemic trends on risks and controls gleaned from audit results

All the internal audit team need to be effective communicators

Thank you

Phil Tarling

Office: +441189208506
Mobile: +447802656986

Email: [email protected]: @philtarling