Transcript of The Internal Auditor, Governance and Risk Management, 18 November 2014, Phil Tarling, CMIIA, CIA, QIAL, CRMA

Page 1

The Internal Auditor, Governance and Risk Management

18 November 2014

Phil Tarling, CMIIA, CIA, QIAL, CRMA

Page 2

Speaker’s Background

Vice President, IA Centre of Excellence, Huawei

Past Chairman - Global IIA (2012-2013)

Past President of the ECIIA (2010-2011)

Past President of the IIA UK and Ireland (2005-2006)

Provided capacity building in Internal Audit & PIFC since 1998

Previously worked in the UK, Estonia, Latvia, Lithuania, Poland, Hungary, Czech Republic, Kenya, South Africa, Romania, Macedonia, Croatia, Serbia, Kosovo and Turkey

Now responsible for developing internal audit capacity in a worldwide Chinese owned telecoms company

Page 3

Huawei – A Global Company

• 140+ countries, 150 nationalities, 15 Regional Headquarters, 150,000+ employees, £39.5bn revenues

R&D center

Huawei Headquarters

Technical support center

Accounting share center

Supply center & Hub

Training center

Bidding center (Planning)

Page 4

Agenda

1. Current Expectations of Internal Audit

2. Corporate Governance & the Players in the Organisation

3. Risk Management in the Organisation

4. Encompassing Role of Internal Audit

Page 5

Current Expectations of Internal Audit

The Internal Audit definition

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.

It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Page 6

Elements included in the Internal Audit remit

Governance: “…a set of relationships between company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.” (OECD)

Risk Management: Managing the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Controls: Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

Page 7

Four Pillars of Effective Governance

Effective Governance

External Audit

Board of Directors

Management

Internal Audit

“Internal auditing is perhaps the most important pillar in effective corporate governance and risk management. It has a unique position and can cover much broader risk areas than any external audit could.” 

- Lord Smith of Kelvin

Page 8

Global International Standards 2110 Governance

The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values in the organisation

• Ensuring effective organisational performance management and accountability

• Effectively communicating risk and control information to appropriate areas of the organisation

• Effectively co-ordinating the activities of and communicating information among the Board, external and internal auditors and management

Page 9

Key Elements of Governance

• Promotion of Ethics & Values

• Organisational Performance

• Accountability

• Risk and Control requirements

• Communication of Information

• Leadership & Direction

Page 10

Promotion of Ethics & Values

• Tone at the Top

• Setting the right example

Tesco puts $35m private jet up for sale

Private plane being sold by Tesco boasts leather seats, maple wood interior and DVD players

Page 11

Organisational Performance

• Regular monitoring

• Remuneration linked to performance

Page 12

Leadership & Direction

• Vision

• Mission

• Values

• Forward looking

• Balancing performance & compliance

• Gaining ownership

Page 13

Risk Management & the Organisation

Why does Risk Management matter?

With over 1 million views on their promo video and a tonne of bad press, Nokia has been forced to admit that ‘The video demonstrates the benefits of optical image stabilization only and the video is not shot on a Lumia 920’.

To counter Fraud

To counter stupidity

Page 14

Risk Management & the Organisation

Why does Risk Management matter?

To counter Nature

Page 15

COSO ERM Definition

Enterprise Risk Management is a process, effected by an entity’s board of directors, managers and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Page 16

COSO Enterprise Risk Management

Page 17

The components of ERM

Internal environment

Objective setting

Event Identification

Risk assessment

Risk response

Control activities

Information and communication

Monitoring

First Line: Implements

Second Line: Oversight

Third Line: Evaluates

Page 18

The principles behind good Risk Management

1. Every organisation should be headed by an effective Board, which is collectively responsible for the success of the organisation

2. There should be a clear division of responsibilities at the head of the organisation between running the board and running the organisation’s business. No individual should have unfettered powers of decision

3. The Board should have a balance of Directors, including independent non-executive directors, so that no one individual or group of individuals can dominate the decision taking.

Page 19

The principles behind good Risk Management…

4. There should be a formal, rigorous and transparent process for appointments to the board

5. The board should be supplied in a timely manner with the information required to enable it to discharge its duties. All directors should receive induction when they join the board and should regularly update their skills and knowledge

6. The board should undertake a formal and rigorous annual evaluation of its own performance and that of its committees and the individual directors

Page 20

The principles behind good Risk Management…

7. A significant proportion of Directors’ remuneration should be linked to the organisation’s performance

8. There should be a formal and transparent process for the determination of the remuneration of the top management of the organisation

9. The board has a responsibility to maintain a sound system of internal control to protect the organisation’s assets and to enhance performance

10. The board should have formal and transparent processes for the appointment of the internal and external auditors, the relationship with them, and the reporting procedures to be used in respect of financial and internal control processes.

Page 21

The encompassing role of Internal Audit

Football managers often say that for the goalkeeper to miss a save, 10 other players must have missed it before him. This third line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (first line) and the defence (second line) fails to pick up the opposition’s attack, it is left to the goalkeeper (third line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both first and second lines and failure to do so may lead to significant loss to the organisation.

1st line: Business Management

2nd line: Risk Mgt / Compliance / Others

3rd line: Risk Based Internal Audit

External Audit and the Regulators are the Referee and Linesman

Page 22

The Three Lines of Defence

[Diagram: the three lines of defence model; labels as extracted]

Board of Directors / Audit Committee

Senior Management

Operational Management

1st Line of Defence | 2nd Line of Defence | 3rd Line of Defence

External Audit

Regulators

Quality, Security, Enterprise Risk Management, Financial Control, Inspection, Ethics & Legal, Internal Control

DIRECTION, ASSURANCE, COMPLIANCE, CONTROL, RISKS

It should assist in defining where Internal Audit should be and where it shouldn’t be

Page 23

Shared Purpose of the Three Lines

[Diagram: shared purpose of the three lines]

First Line Management: Know the objectives; Know the Risks; Implement Controls; Recommend Process change

Second Line ERM Department: Identify objectives; Identify Risks; Implement Mitigation; Report Exposure

Third Line IA Department: Identify objectives; Identify Risks; Evaluate Controls; Provide Assurance

Page 24

Internal Audit’s role in Risk Management

3 Lines of Defence shows there is:

• Synergy

• Commonality of purpose

And there can be:

• Holistic use of outcomes

• Reliance upon each other’s work

But could there be pitfalls?

Page 25

Internal Audit’s role in Risk Management

So with those advantages

Can the first, second and third lines of defence work together?

They can, but SHOULD they?

Some time ago the IIA introduced the FAN

Page 26

Internal Audit’s role in Risk Management

It is still relevant

Page 27

Combined Internal Audit and Risk Management

We are all trying to win the game

Each line has a specific job that contributes to Winning

So in our organisations what are the important elements:

• Recognition that first line role is more than just revenue generation or service provision

• Coordination of the same purpose of all three lines, but providing input to the individual needs of each line

• Retention of Internal Audit Independence

Page 28

The Development of GRC

[Organisation chart; labels as extracted]

Risk and Resiliency Operating Committee

Global Enterprise Risk Sponsors

Audit Committee

Head of Audit & Risk (Governance, Risk and Controls)

IT Audit, ERM, Business Audit, Ethics and Investigations

Board sub-committee. Conducts an ERM deep-dive every six months

VPs from Finance, Engineering, Sales, IT, Supply Chain and Services meet to discuss cross-functional risks every six weeks

Escalation Path

Governance Structure

Potential Downsides

• Loss of independence and objectivity

• Blurs the reporting lines – typically the CFO will have responsibility for Risk, the CEO for Audit

Potential Upsides

• All governance, risk management and control compliance issues are in the one area

Page 29

And if you have to combine

If you have to have a combined approach you need to clarify:

• Management remains responsible for Risk Management

• Internal Audit must not be the owner of risk

• With a joint HIA and CRO, the Board should be aware that the division of time does not impact IA independence or coverage

• Ideally a joint Head of Audit & Risk should not give assurance on RM activities, but this may not be possible to avoid, so steps have to be taken to provide as much objectivity as possible

Page 30

Why are there concerns with GRC?

UK Parliamentary Commission on Banking – First Report 2013 “Changing Banking for Good”.

A blurring of responsibility between the front line and compliance staff risks absolving the front line from responsibility for risk.

Internal audit’s independence is as important as that of the Chief Risk Officer and the Head of Group Compliance

The “three lines of defence” have not prevented banks’ control frameworks failing in the past in part because the lines were blurred and the status of the front-line, remunerated for revenue generation, was dominant over the compliance, risk and audit apparatus.

Page 31

How should we audit?

The Risk Based Internal Audit approach links to

• Business Objectives - identify what the business is trying to achieve

• Business Risks – identify what the risks are to the achievement of those objectives

• Controls – identify the controls that are necessary to deal with the risks

• Assurance – provide the Board with Assurance that Governance, Risk and Compliance are being controlled

O R C A

Page 32

Internal Audit at the higher level

Should cover:

• The Governance environment: Policies, culture and structure

• The Governance Process: How the policies are implemented

• The Governance Procedures: Monitoring systems

Page 33

Internal Audit at the higher level (cont.)

The Simple role

• Check job descriptions

• See that personal appraisals are regularly held

• Are there individual objectives linked to the organisation’s?

• Do managers know who they are responsible to?

• Do they know who they are accountable to?

• Do they know what the words mean?

BUT this is the simple compliance model. It does not meet the international standards on the role of IA.

Page 34

Internal Audit at the higher level (cont.)

The Difficult role

• Audit how accountability actually works in the organisation

• Audit the adequacy of the information flows to top managers

• Audit how the Board works and how it communicates the strategy

• Audit how the strategy is complied with

Page 35

What should be the role of Internal Audit?

The Audit Plan should contain audits of:

• Strategic Planning

• Managerial Accountability

• Board communication

• The system of Personal Appraisals

• Personal Objective setting

And others at the higher level…

Page 36

At this level Internal Audit is not easy

Have we the right qualified auditors? If not, then get the qualified auditors that you need.

We are not higher executives – we do not understand. Then find people who do, or go on training courses – internal auditors have to learn to be at the top table nowadays.

Resistance from the Board/Executive level: Use the Standards to convince, be patient in trying to convince, make sure that every job adds value and use this as a lever, and do NOT promise what you cannot deliver.

Page 37

Thank You

Phil Tarling

Office: +441189208506

Mobile: +447802656986

Email: [email protected]

@philtarling