The Future of Internal Audit · Challenges facing Audit Committees cont….. KPMG has identified...

Top Issues for Audit Committees in the Future IIA Armenia Conference 18-19 November 2017


Page 1

Top Issues for Audit Committees in the Future

IIA Armenia Conference

18-19 November 2017

Page 2

Speaker

IIA Global Chairman – 2012-2013
ECIIA President 2010-2011
IIA UK and Ireland President 2005-2006

Holder of the CIA, CMIIA, CRMA, QIAL qualifications

31 years experience in Internal Audit
29 years at managerial level

IA Project Expert for the EC and the OECD

Experience in the Public and Private sectors, including spells as:

• VP Capability & Head of the Centre of Internal Audit Excellence - Huawei

• Head of Internal Audit for a number of Health organisations in the UK

• Head of Internal Audit for the UN Special Tribunal for the Lebanon

• Head of Internal Audit for the UN War Crimes Tribunal for Bosnia Herzegovina

• Project Manager for EC funded projects in Poland, Romania, Turkey

• Project Manager for Development Agency funded projects in Kenya, South Africa and Botswana

• Project Expert for EC/OECD funded projects in Croatia, Kosovo, Serbia, Hungary, Latvia, Estonia, Lithuania, Czech Republic, Macedonia

Page 3

Agenda

1. Roles and Responsibilities of Audit Committees

2. Challenges facing Audit Committees

3. Actions Audit Committees might consider

Page 4

Roles and Responsibilities of Audit Committees

An audit committee is a selected number of members of a company's board of directors whose responsibilities include helping auditors remain independent of management. Most audit committees are made up of three to five or sometimes as many as seven directors who are not a part of company management.

Financial Times

Page 5

Roles and Responsibilities of Audit Committees cont….

The Primary Role of the Audit Committee:

Is to provide oversight of the financial reporting process, the audit process (both internal and external), the system of internal controls and compliance with laws and regulations.

Page 6

Roles and Responsibilities of Audit Committees cont….

In practice this means that the Audit Committee will:

Review significant accounting and financial reporting issues, along with professional and regulatory pronouncements, so they understand the potential impact on the financial statements.

Review the results of the external audit with management and the external auditors.

Review significant internal audit findings, approve the internal audit plan and review the appointment and termination of the CAE.

Review the arrangements for Risk Management and their effectiveness in regard to the Company’s risk appetite.

Review internal controls and their effectiveness, in particular considering any management reports and observations on their operation.

Have Executive sessions with the CAE and separately the External Auditor.

Page 7

Roles and Responsibilities of Audit Committees cont….

The Three Lines of Defence - the key to risk responsibilities in an organisation

Page 8

Roles and Responsibilities of Audit Committees cont….

Understanding the Three Lines of Defence is fundamental to the Audit Committee’s understanding of the governance oversight role

The First Line: operational management, which has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.

The Second Line: activities covered by several components of internal governance (compliance, risk management, quality, IT and other control departments). This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk related information up and down the organisation.

The Third Line: an independent internal audit function will, through a risk-based approach to its work, provide assurance to the organisation’s board of directors and senior management. This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defence. It encompasses all elements of an organisation’s risk landscape.

Page 9

Challenges facing Audit Committees

WHO KNEW?

APPEARS THAT A NUMBER OF SENIOR EXECS KNEW

Page 10

Challenges facing Audit Committees cont…..

SHOULD THE AC HAVE KNOWN?

Page 11

Challenges facing Audit Committees cont…..

TONE AT THE TOP

Page 12

Challenges facing Audit Committees cont…..

Wells Fargo - Bank employees opened millions of credit-card accounts customers hadn’t approved in order to hit profit targets

As of October 1, 2016 the bank eliminated product sales goals for its retail banking team. It also appointed a new community banking chief, and fired about 5,300 employees connected to the scandal.

SALES TARGETS DRIVING THE WRONG BEHAVIOUR

Page 13

Challenges facing Audit Committees cont…..

So the previous slides would suggest the following challenges

Culture: what is the pervading culture of the company?

Tone at the Top: is there a Good Tone at the Top?

Ethics: is there evidence of an ethical approach?

Risk Management: is risk being identified and managed?

Page 14

Challenges facing Audit Committees cont…..

KPMG has identified the following:

Risk Management is the top concern – the effectiveness of risk management programmes, cyber security risks and the company’s control of risks

Audit Committees are looking to Internal Audit to focus on the critical risks to the business, including key operational risks (e.g. cyber security and technology risks) and controls, and not just regulatory or compliance risks. They want the IA plan to be flexible and business responsive.

A significant number of Audit Committees rated Culture and Tone at the Top as a top challenge

A number cited short term pressures and aligning short and long term aims as the top challenge

believe that their Committee agenda is not properly focused on these issues

Taken from KPMG – 2017 Global Audit Committee Pulse Survey

Page 15

Challenges facing Audit Committees cont…..

Taken from KPMG – 2017 Global Audit Committee Pulse Survey

Are not satisfied that their agenda is properly focused on CFO succession planning

Are only somewhat satisfied

Audit Committees want to devote more time to the finance organisation including talent management, training, resources as well as succession for key finance executives

Few Audit Committees believe that their companies have robust implementation processes for the new Accounting Standards due on stream at the beginning of 2018

Audit Committees believe they need to better understand the business and its key risks to improve the effectiveness of their oversight. They view more experience in cyber security and IT as being essential for improved oversight.

Page 16

Challenges facing Audit Committees cont…..

Taken from KPMG – 2017 Global Audit Committee Pulse Survey

Page 17

Challenges facing Audit Committees cont…..

So do you know whether:

1. All recognised revenue is genuine and isn’t being reversed once the Financial Statements are agreed?

2. Third party suppliers are complying with anti-slavery, anti-child employment and anti-illegal materials laws?

3. Losses are being accounted for appropriately?

4. The Internal Audit plan is focussed on the key risks of the company and is flexible enough to meet the potential for speedy change in risks?

5. The Risk Management arrangements are effective and all key risks to the company have been identified?

6. KPIs are incentivising inappropriate behaviour?

Page 18

From Events and Surveys the key challenges appear to be:

Better Focus for the Internal Audit activity

Risk Management

Culture/Tone at the Top/Ethics

Cyber Security/IT

Better Understanding of the Business

Aligning short and long term aims

Succession Planning in the Finance area

Concerns that Audit Committees should consider

Page 19

Concerns that Audit Committees should consider cont….

Consider what Internal Audit may be able to do to meet the challenges?

Taken from KPMG – 2017 Global Audit Committee Pulse Survey

Page 20

Taken from Protiviti – Setting the 2017 Audit Committee Agenda

Is this the Mandate you can use to meet the challenges?

Concerns that Audit Committees should consider cont….

Page 21

Risk Management

Make sure there is regular reporting of the Risk Register and the steps taken to mitigate risk

Has Internal Audit evaluated the system of Risk Management?

Has the Contingency Plan been operationally tested?

Do not make assumptions that all has been considered:

The £300M airport in St Helena where no account was taken of the wind shear created by the mountain, making it dangerous to land

In the Gulf of Mexico, cutting corners to save money.

Concerns that Audit Committees should consider cont….

Page 22

Culture/Tone at the Top

It is important that the Audit Committee retains an independent stance from the Executive management.

Culture frequently is impacted by the way that the CEO acts.

In the DOW case the CAE was ignored when raising issues about $1M of CEO expenses, being told to let things lie

In 2011, the CEO repaid $719,923 in overpaid expenses between 2007-2010

In 2011 the CAE was moved to a Finance Control job

In 2013 he resigned writing the DOW CONFIDENTIAL Memo detailing his concerns

Concerns that Audit Committees should consider cont….

A dispute between the CAE and the CEO should be a RED FLAG for the Audit Committee

Page 23

When governance fails, unwanted culture flourishes

Where toxic culture exists, governance erodes

Richard Chambers – IIA CEO

The Audit Committee are the Guardians of the Governance process

If Governance fails, the Audit Committee has failed

Phil Tarling

Concerns that Audit Committees should consider cont….

Page 24

Cyber Security and IT Issues

The number 1 concern for Audit Committees

Ensure that the Internal Audit plan has sufficient resource applied to this area

Ensure that some of the actions opposite are taken on board by the Executive team

ISACA Cyber Security Survey - 2016

Concerns that Audit Committees should consider cont….

Page 25

The other Cyber concern is the Talent Pool.

Of the surveyed companies, the majority took between three to six months to fill a vacant Cyber Security position

The available resource likely needs to be sufficient to deal with such a gap

Concerns that Audit Committees should consider cont….

ISACA Cyber Security Survey - 2016

Page 26

Concerns that Audit Committees should consider cont….

Better understanding of the business

This applies equally to the Audit Committee and the Internal Auditors and allows more insight into the risks that the organisation face and the actions that can be taken to mitigate those risks.

Have regular presentations to the Board on selected operational areas

Better aligning of long and short term aims

Understanding of the business should help achieve this objective

Succession Planning in the Finance area

As part of the Planning process insist on there being succession planning for various scenarios

Page 27

Summary

Years ago Non Executive Directors were cronies of the Chairman and/or CEO

Those Days are gone

Non Executives, and therefore the Audit Committee, are a key element in Effective Governance.

The Audit Committee therefore need to be aware of the challenges that they face in fulfilling their role and ensuring that the three Lines of Defence are operating effectively to defend the organisation.

Page 28

• Phil Tarling

• Internal Audit Consultant

• Tel:+441329282155

• Mob:+447802656986


• http://www.tarlingassurancerisk.co.uk.

Thank You