The Internal Auditor, Governance and Risk Management
18 November 2014
Phil Tarling, CMIIA, CIA, QIAL, CRMA
Speaker’s Background
Vice President, IA Centre of Excellence, Huawei
• Past Chairman, Global IIA (2012-2013)
• Past President of the ECIIA (2010-2011)
• Past President of the IIA UK and Ireland (2005-2006)
• Provided capacity building in Internal Audit & PIFC since 1998
• Previously worked in the UK, Estonia, Latvia, Lithuania, Poland, Hungary, Czech Republic, Kenya, South Africa, Romania, Macedonia, Croatia, Serbia, Kosovo and Turkey
• Now responsible for developing internal audit capacity in a worldwide Chinese-owned telecoms company
Huawei – A Global Company
• 140+ countries, 150 nationalities, 15 Regional Headquarters, 150,000+ employees, £39.5bn revenues
(Map legend: R&D center; Huawei Headquarters; Technical support center; Accounting share center; Supply center & Hub; Training center; Bidding center (Planning))
Agenda
1. Current Expectations of Internal Audit
2. Corporate Governance & the Players in the Organisation
3. Risk Management in the Organisation
4. Encompassing Role of Internal Audit
Current Expectations of Internal Audit
The Internal Audit definition
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.
It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes
Elements included in the Internal Audit remit
Governance: “…a set of relationships between company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.” (OECD)
Risk Management: Managing the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Controls: Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
Four Pillars of Effective Governance
(Diagram: Effective Governance rests on four pillars: External Audit, Board of Directors, Management and Internal Audit)
“Internal auditing is perhaps the most important pillar in effective corporate governance and risk management. It has a unique position and can cover much broader risk areas than any external audit could.”
- Lord Smith of Kelvin
Global International Standards 2110 Governance
The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values in the organisation
• Ensuring effective organisational performance management and accountability
• Effectively communicating risk and control information to appropriate areas of the organisation
• Effectively co-ordinating the activities of and communicating information among the Board, external and internal auditors and management
Key Elements of Governance
• Promotion of Ethics & Values
• Organisational Performance
• Accountability
• Risk and Control requirements
• Communication of Information
• Leadership & Direction
Promotion of Ethics & Values
• Tone at the Top
• Setting the right example
(Press headline shown on the slide: “Tesco puts $35m private jet up for sale – Private plane being sold by Tesco boasts leather seats, maple wood interior and DVD players”)
Organisational Performance
• Regular monitoring
• Remuneration linked to performance
Leadership & Direction
• Vision
• Mission
• Values
• Forward looking
• Balancing performance & compliance
• Gaining ownership
Risk Management & the Organisation
Why does Risk Management matter?
With over 1 million views on their promo video and a tonne of bad press, Nokia has been forced to admit that ‘The video demonstrates the benefits of optical image stabilization only and the video is not shot on a Lumia 920’.
To counter Fraud
To counter stupidity
Risk Management & the Organisation
Why does Risk Management matter? To counter Nature
COSO ERM Definition
Enterprise Risk Management is a process, effected by an entity’s board of directors, managers and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
COSO Enterprise Risk Management
The components of ERM
Internal environment
Objective setting
Event Identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
First Line: Implements
Second Line: Oversight
Third Line: Evaluates
The principles behind good Risk Management
1. Every organisation should be headed by an effective Board, which is collectively responsible for the success of the organisation
2. There should be a clear division of responsibilities at the head of the organisation between running the board and running the organisation’s business. No individual should have unfettered powers of decision
3. The Board should have a balance of Directors, including independent non-executive directors, so that no one individual or group of individuals can dominate the decision taking.
The principles behind good Risk Management…
4. There should be a formal, rigorous and transparent process for appointments to the board
5. The board should be supplied in a timely manner with the information required to enable it to discharge its duties. All directors should receive induction when they join the board and should regularly update their skills and knowledge
6. The board should undertake a formal and rigorous annual evaluation of its own performance and that of its committees and the individual directors
The principles behind good Risk Management…
7. A significant proportion of Directors’ remuneration should be linked to the organisation’s performance
8. There should be a formal and transparent process for the determination of the remuneration of the top management of the organisation
9. The board has a responsibility to maintain a sound system of internal control to protect the organisation’s assets and to enhance performance
10. The board should have formal and transparent processes for the appointment of the internal and external auditors, their relationship with such and the reporting procedures to be used in respect of financial and internal control processes.
The encompassing role of Internal Audit
Football managers often say that for the goalkeeper to miss a save, 10 other players must have missed it before him. This third line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (first line) and the defence (second line) fails to pick up the opposition’s attack, it is left to the goalkeeper (third line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both first and second lines and failure to do so may lead to significant loss to the organisation.
1st line: Business Management
2nd line: Risk Mgt / Compliance / Others
3rd line: Risk Based Internal Audit
External Audit and the Regulators are the Referee and Linesman
The Three Lines of Defence
(Diagram: Board of Directors / Audit Committee at the top, Senior Management beneath, above the three lines)
• 1st Line of Defence: Operational Management, Internal Control
• 2nd Line of Defence: Quality, Security, Enterprise Risk Management, Financial Control, Inspection, Ethics & Legal
• 3rd Line of Defence: Internal Audit
• Outside the three lines: External Audit, Regulators
(Diagram labels: DIRECTION, ASSURANCE, COMPLIANCE, CONTROL, RISKS)
It should assist in defining where Internal Audit should be and where it shouldn’t be
Shared Purpose of the Three Lines
• First Line (Management): Know the objectives; Know the Risks; Implement Controls; Recommend Process change
• Second Line (ERM Department): Identify objectives; Identify Risks; Implement Mitigation; Report Exposure
• Third Line (IA Department): Identify objectives; Identify Risks; Evaluate Controls; Provide Assurance
Internal Audit’s role in Risk Management
3 Lines of defence shows there is:
• Synergy
• Commonality of purpose
And there can be:
• Holistic use of outcomes
• Reliance upon each other’s work
But could there be pitfalls?
Internal Audit’s role in Risk Management
So with those advantages
Can the first, second and third lines of defence work together?
They can, but SHOULD they?
Some time ago the IIA introduced the FAN
Internal Audit’s role in Risk Management
It is still relevant
Combined Internal Audit and Risk Management
We are all trying to win the game. Each line has a specific job that contributes to Winning.
So in our organisations what are the important elements:
• Recognition that first line role is more than just revenue generation or service provision
• Coordination of the same purpose of all three lines, but providing input to the individual needs of each line
• Retention of Internal Audit Independence
The Development of GRC
(Organisation chart shown on the slide)
• Audit Committee: Board sub-committee. Conducts an ERM deep-dive every six months
• Risk and Resiliency Operating Committee: VPs from Finance, Engineering, Sales, IT, Supply Chain and Services meet to discuss cross-functional risks every six weeks
• Global Enterprise Risk Sponsors
• Head of Audit & Risk (Governance, Risk and Controls), with teams for IT Audit, ERM, Business Audit, and Ethics and Investigations
• Escalation Path
Governance Structure – Potential Downsides
• Loss of independence and objectivity
• Blurs the reporting lines – typically the CFO will have responsibility for Risk, the CEO for Audit
Potential Upsides
• All governance, risk management and control compliance issues are in the one area
And if you have to combine
If you have to have a combined approach you need to clarify:
• Management remain responsible for Risk Management
• Internal Audit must not be the owner of risk
• With a joint HIA and CRO the Board should be aware that the division of time does not impact IA independence or coverage
• Ideally a joint Head of Audit & Risk should not give assurance on RM activities but this may not be possible to avoid so steps have to be taken to provide as much objectivity as possible
Why are there concerns with GRC?
UK Parliamentary Commission on Banking – First Report 2013 “Changing Banking for Good”.
A blurring of responsibility between the front line and compliance staff risks absolving the front line from responsibility for risk.
Internal audit’s independence is as important as that of the Chief Risk Officer and the Head of Group Compliance
The “three lines of defence” have not prevented banks’ control frameworks failing in the past in part because the lines were blurred and the status of the front-line, remunerated for revenue generation, was dominant over the compliance, risk and audit apparatus.
How should we audit?
The Risk Based Internal Audit approach links to
• Business Objectives - identify what the business is trying to achieve
• Business Risks – identify what the risks are to the achievement of those objectives
• Controls – identify the controls that are necessary to deal with the risks
• Assurance – provide the Board with Assurance that Governance Risk and Compliance are being controlled
(Diagram: O, R, C, A)
Internal Audit at the higher level
Should cover:
• The Governance environment: Policies, culture and structure
• The Governance Process: How the policies are implemented
• The Governance Procedures: Monitoring systems
Internal Audit at the higher level (cont.)
The Simple role
• Check job descriptions
• See that personal appraisals are regularly held
• Are there individual objectives linked to the organisation’s?
• Do managers know who they are responsible to?
• Do they know who they are accountable to?
• Do they know what the words mean?
BUT this is the simple compliance model. It does not meet the international standards on the role of IA.
Internal Audit at the higher level (cont.)
The Difficult role
• Audit how accountability actually works in the organisation
• Audit the adequacy of the information flows to top managers
• Audit how the Board work, how they communicate the strategy
• Audit how the strategy is complied with
What should be the role of Internal Audit?
The Audit Plan should contain audits of:
• Strategic Planning
• Managerial Accountability
• Board communication
• The system of Personal Appraisals
• Personal Objective setting
And others at the higher level…
At this level Internal Audit is not easy
• Have we the right qualified auditors? If not, then get the qualified auditors that you need.
• We are not higher executives – we do not understand. Then find people who do, or go on training courses – internal auditors have to learn to be at the top table nowadays.
• Resistance from the Board/Executive level. Use the Standards to convince; be patient in trying to convince; make sure that every job adds value and use this as a lever; do NOT promise what you cannot deliver.
Thank You
Phil Tarling
Office: +441189208506
Mobile: +447802656986
Email: [email protected]
@philtarling