Dr. Larry Rittenberg CLAIN CONFERENCE, May 17, 2013
1 Internal Audit Challenges: Integration of Strategy, Risk, Control, and Combined Assurance
Dr. Larry Rittenberg, CLAIN Conference, May 17, 2013

2 Background: Many Perspectives
Audit Committee Chair of a $2 billion NASDAQ company
40 years studying the internal audit profession; PhD thesis on "Auditor Independence and Systems Design"
Many IIA committees, including: President, IIA Research Foundation; member, IPPF Oversight Committee; task force to write the definition of internal auditing
Chair (5 years) and member (11 years) of COSO
Author of research related to internal auditing

3 Factors Affecting the Profession
Rate of change
Technology
Governance
Organizational relationships
Globalization
Staff / growth opportunities
Complexity

4 Challenges for the Profession
Perspectives and challenges: where should internal auditing be regarding:
Enterprise-wide risk management
Internal control
Fraud prevention and detection
Combined assurance
How do we prepare for these challenges?

5 What Do We Know?
Businesses fail (Fortune 500 results; Nokia phones)
But do we know why they fail?
Enterprise risk management and strategy are intertwined
Internal control is important; the COSO Framework is updated

6 Internal Control: Analysts' View
Pinto, Clinton, Ashbaugh-Skaife (2013): "We find analysts' earnings forecasts are significantly less accurate for firms with material weaknesses in internal control. This finding suggests that analysts' acquisition of private information cannot overcome the negative effects of ineffective internal control on the reliability of firms' financial reports. Second, we document that material weaknesses in internal control are associated with greater forecast dispersion. This finding suggests ineffective internal control creates greater information uncertainty to users of financial statements."

7 Risk and Control Relationship
(diagram: Strategy, Objectives, Risk Assessment, Mitigation / Control)

8 Business Risks
Is this risk? Who is responsible?

9 Barclays Bank
September 2011, as reported in the Financial Times: "Barclays must increase its risk appetite in order to generate adequate returns to meet our market expectations."
What does this mean?

10 Returns and Risk
(chart: risk against return, with the current position marked)

11 Returns and Risk
Do you have a discussion on whether the increased variance in possible returns is acceptable in pursuing those returns?
Where is that discussion held?
How are the results of that discussion translated into operations?
(chart: risk against return, with the current position marked)

12 Risk Appetite
"The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks." (COSO ERM, 2004)

13 Risk Appetite: Objectives and Risk Tolerances

14 Understanding ERM
Everything starts with objectives
Responsibility cascades through the organization
There is a defined process

15 Objectives and Risk: Defining Responsibility
Who sets the objectives at each of these levels?
Who sets the risk management responsibilities and approach?
Are the people responsible for accomplishing the objectives also responsible for accomplishing them within defined risk tolerances?
If you cannot answer these questions, effective risk management is not possible.

16 Relationship of Internal Control and ERM
Objectives: company / department / store sets objectives
Strategies: develop strategies to achieve corporate objectives
Risk analysis: identify risks to achieving the objectives
Internal control: controls designed and implemented to mitigate the risks
(Speaker note: at this point, have them break into groups and develop, for one of their selected areas, how they would fill out this chart.)

17 Internal Audit Role: Standard 2120, Risk Management
The internal audit activity must evaluate the effectiveness of, and contribute to the improvement of, risk management processes:
Organizational objectives aligned with mission
Significant risks identified and assessed
Appropriate risk responses consistent with risk appetite
Relevant risk information is gathered
Risk management processes are monitored

18 Internal Audit Role: Practice Advisory (2009)
Internal auditors need to obtain sufficient and appropriate evidence to determine that the key objectives of ERM are met. Consider:
Research into current developments, trends, etc.
Review corporate policies and board minutes regarding strategy, risk appetite, etc.
Review risk reports issued by management
Consider alignment across units and the organization

19 IA Role Evolves
Identifies risks for audit planning
Leadership and facilitator of ERM; build on the Audit Committee relationship
ERM expert; role evolves to evaluating the effectiveness of risk management processes

20 Internal Control: Update of the COSO Internal Control - Integrated Framework

21 Why Update Now?
20th anniversary. What has changed in that time?
Organizational boundaries
Expanded reporting responsibilities
Information technology
Rate of change
Nature of control procedures
Too many failures in the control environment

22 Viewing Internal Control as a Process
Applies to all five components.
(Speaker note) While many of you are likely familiar with the COSO cube that I showed earlier, the figure on this slide presents the same concepts in a different visual way. Notice that you still see the five elements of internal control from the cube. Underlying all five elements is the graded, shaded horizontal arrow that illustrates how organizational objectives underlie or transcend all five elements.
I like this visual, especially when teaching students about the COSO elements of internal control, because it lays out a logical framework for thinking about it. It helps link objectives, risks, and controls by requiring the reader to first think about the objectives management is trying to achieve (for example, quality financial reporting); it then encourages the reader to assess the risks associated with achieving that objective, highlights the control environment, which includes entity-wide controls to address those risks, and then focuses on specific control activities to address specific process-level risks. Then we see Information and Communication, with Monitoring expanded to emphasize that element in this document.
Notice that Monitoring encircles all five elements, suggesting that management should design and implement monitoring procedures to evaluate all elements of internal control, not just control activities. The ultimate goal is to monitor the internal control system's ability to manage or mitigate meaningful risks threatening entity objectives. As the boxes on this slide indicate, monitoring also applies to all types of objectives, not just financial reporting. Monitoring applies to COSO's ERM framework as well.
Applies to all internal control objectives: operations, reporting, compliance.
Concepts also apply to ERM, but ERM is not specifically addressed.

23 Key Changes
Reporting component: much broader than financial reporting
Within the Framework, move to a principles / points-of-focus approach
Guidance on weaknesses in internal control
More judgment, but within a structured approach
Risk based, not control based
Fraud assessment is required
Importance of operations and compliance objectives
Personnel are accountable for internal control

24 Key Changes: Increased Focus on Compliance and Operations Objectives
All five components are equally applicable to compliance and operations objectives.

25 Reporting: A Few Comments
Expanded reporting:
Key performance indicators
Risk, accepted risk, and risk realized
Effectiveness of ERM
Effectiveness of internal control over financial reporting
Move from historical data to market data
Expanded forms of reporting:
Alternatives to annual financial statements
Social media
Continuous reporting model; more dependent on controls
Contractual / organizational relationship reporting

26 Control Environment: Principles
1. Commitment to Integrity and Ethics
Set the tone with a statement of values
Communicate values
Evaluate adherence; identify deviations
Take action

27 2. Governance: Demonstrates Independence from Management
Board establishes oversight responsibilities
Board has the requisite skills
Members are objective and independent (and demonstrate this through their actions)
Provides oversight over all five components of internal control

28 Establishing Authorities and Responsibilities
Management must:
Establish structures, authorities, and reporting lines
Attract and retain competent people
Hold personnel accountable

29 Risk Assessment Principles
Set objectives
Identify the risks to achieving the objectives
Identify fraud risks
Identify changes that will affect risks
Fraud risk: what if top and mid-level management are involved?
"Libor may have a twin brother. Word has leaked out that the London-based firm ICAP, the world's largest broker of interest-rate swaps, is being investigated by American authorities for behavior that sounds eerily reminiscent of the Libor mess. Regulators are looking into whether or not a small group of brokers at ICAP may have worked with up to 15 of the world's largest banks to manipulate ISDAfix, a benchmark number used around the world to calculate the prices of interest-rate swaps." (Rolling Stone magazine, May 9, 2013)

30 Control Activities: Points of Focus
Integrated with risk assessment
Specific to the organization
Identifies key processes
Considers the mix of control activities
Considers levels within the organization
Addresses segregation of duties
Select control activities that limit risks to those that are acceptable
IT controls merit particular attention, especially IT general controls
Establish policies for what is expected and procedures for what is to be done

31 Example: Starting with Risk
Experience with a NASDAQ company with approximately $2 billion in sales

32 SOX Overview: Where We Started
SOX processes not significantly overhauled in years
Legacy key controls accumulated over time since 2004
PCAOB Auditing Standard 5 (AS5) not fully embraced
Largely failed to recognize two common control platforms (WISE and SAP)
Controls documentation and testing at a site level
• Inconsistent controls, processes, and level of detail
• Significant redundant work; over-testing of controls
• Significant busy work
Inefficiencies related to:
• Lack of alignment with the external auditor
• Redundant work among company site staff

33 Significant Controls Rationalization Process
Cross-functional finance teams formed, led by the Controller and the CAE
Process owners embraced the opportunity for change
Risk assessment:
• Used a top-down, risk-based approach, beginning at the consolidated financial statement level
• Assessed the risk of material misstatement for significant accounts and disclosures and their relevant assertions
Scoping:
• Grouped controls into ten major processes
• Re-evaluated which processes, systems, and locations pose risks

34 Key Process Map

35 Risks of Material Misstatement
Started with a list of 240 risks of material misstatement provided by the external auditor
SOX team added another 14 company-specific risks
Teams identified the key controls that prevent or detect each risk
What they found:
• Numerous instances where one control activity covered more than one risk
• Overlapping controls
• Better use of monitoring
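The matching exercise on this slide (each risk of material misstatement mapped to the key controls that address it, then overlaps and gaps identified) is essentially a coverage analysis of a risk-to-control matrix. The script below is an added illustration, not part of the presentation and not the company's own tooling; the risks, control names and the "automated" tags in it are constructed. It inverts the matrix to find controls that address more than one risk, flags risks with no control at all, and then drops redundant controls one at a time while re-checking coverage against the controls that are still retained, so that two mutually redundant controls are never both removed.

```python
from collections import defaultdict

# Constructed sample risk-to-control matrix (illustrative only; not the
# company's actual SOX data). Keys are risks of material misstatement,
# values are the key controls that prevent or detect each risk.
RISK_CONTROLS = {
    "R01 revenue recorded in the wrong period": {"C-CUTOFF-REVIEW", "C-SAP-POSTING-DATE"},
    "R02 unauthorized journal entries": {"C-JE-APPROVAL", "C-SAP-SOD"},
    "R03 duplicate vendor payments": {"C-AP-3WAY-MATCH", "C-DUP-INVOICE-CHECK"},
    "R04 inventory counts misstated": {"C-CYCLE-COUNT"},
    "R05 fictitious vendors": {"C-VENDOR-MASTER-APPROVAL", "C-SAP-SOD"},
    "R06 payroll paid to terminated employees": set(),
}

# Controls enforced by the system rather than by a person (hypothetical tags).
AUTOMATED = frozenset({"C-SAP-POSTING-DATE", "C-SAP-SOD", "C-DUP-INVOICE-CHECK"})


def control_to_risks(matrix):
    """Invert the matrix: control -> set of risks it addresses."""
    inverse = defaultdict(set)
    for risk, controls in matrix.items():
        for control in controls:
            inverse[control].add(risk)
    return dict(inverse)


def uncovered_risks(matrix):
    """Risks with no key control at all: a gap, not a rationalization candidate."""
    return sorted(risk for risk, controls in matrix.items() if not controls)


def multi_risk_controls(matrix):
    """Controls that address more than one risk (the 'one control, several risks' finding)."""
    return sorted(c for c, risks in control_to_risks(matrix).items() if len(risks) > 1)


def rationalize(matrix, automated=frozenset()):
    """Greedy removal of redundant key controls.

    A control is dropped only if every risk it addresses remains covered by a
    control that is still retained. Checking against the current retained set
    (not the original matrix) avoids dropping two mutually redundant controls
    and leaving their risk uncovered. Manual controls are considered for
    removal before automated ones, and narrow controls before broad ones, so
    broad automated controls are the ones that survive.
    """
    inverse = control_to_risks(matrix)
    keep = set(inverse)
    order = sorted(inverse, key=lambda c: (c in automated, len(inverse[c]), c))
    for control in order:
        still_covered = all(
            any(other in keep and other != control for other in matrix[risk])
            for risk in inverse[control]
        )
        if still_covered:
            keep.discard(control)
    return sorted(keep), sorted(set(inverse) - keep)


def coverage_preserved(matrix, retained):
    """True if every risk that had a control still has a retained control."""
    retained = set(retained)
    return all(not controls or controls & retained for controls in matrix.values())


if __name__ == "__main__":
    kept, dropped = rationalize(RISK_CONTROLS, AUTOMATED)
    print("uncovered risks:", uncovered_risks(RISK_CONTROLS))
    print("controls covering more than one risk:", multi_risk_controls(RISK_CONTROLS))
    print("retained key controls:", kept)
    print("dropped as redundant:", dropped)
    print("coverage preserved:", coverage_preserved(RISK_CONTROLS, kept))
```

On the constructed data the script retains four of eight controls, all but one of them automated, which mirrors the slide's "approximately 50% reduction" and "more emphasis on automated controls" only by construction; the point is the method, and the final `coverage_preserved` check is the part an auditor would want evidence of before any control is retired. Note that the greedy pass keeps coverage, not the best possible set of controls; which of two redundant controls to keep is still a judgment about control precision and cost.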

36 Key Results
Significant decrease in controls identified as key controls:
• 289 manual controls reduced to 142 manual controls
• 67 automated controls reduced to 35 automated controls
• 13 new key controls added
• Approximately 50% reduction overall
More emphasis on automated controls
Next step: better assessment of monitoring

37 Update and Approach Forward
Company and external auditors jointly doing testing
New and updated documentation
Support of process owners
Updated thinking about the implementation and use of internal controls

38 Information and Communication
The organization obtains relevant and timely information
The organization internally communicates information to support internal control
The organization communicates with pertinent outside parties regarding internal control

39 Monitoring
A mix of ongoing and separate evaluations is acceptable
Oversight Systems or SAP have processes built into computer applications, for example for segregation of duties
Ongoing or separate evaluations establish whether all five components are (a) present and (b) functioning
Evaluate and communicate internal control deficiencies in a timely manner to those responsible for taking corrective action
Reports can be very useful if designed to provide useful information on control operation, e.g. a control reconciliation

40 Monitoring
Considers the rate of change
Starts with a baseline
Knowledgeable personnel
Integrated with operations
Adjusts scope and frequency
Separate evaluations are periodically needed, including an assessment of whether ongoing monitoring is working effectively
Ongoing or separate evaluations establish whether all five components are (a) present and (b) functioning
Evaluate and communicate internal control deficiencies in a timely manner to those responsible for taking corrective action

41 Monitoring Considerations
Monitoring activities need to be designed at a level of precision such that they are capable of detecting material misstatements in the financial statements caused by a breakdown of the underlying control activities.
There has to be some substantiation that the data used in the monitoring activity is accurate and timely; i.e. the underlying data need to be tested on a regular basis, or the monitoring is only as reliable as the unverified data it consumes.

42 Recommendations for Internal Auditors
Communicate with the Board and Audit Committee:
• Value proposition for the entity
• Value proposition for internal audit
• Importance of compliance and operations objectives
Work with the external auditor:
• Rationalize and streamline controls
• Identify effective, timely, and relevant monitoring activities
• Identify the level at which underlying controls need to be tested to be satisfied that risks are properly mitigated

43 Recommendations for Internal Auditors
Communication with process owners:
• Their responsibilities
• The nature of an integrated internal control framework, especially why all five components need to be present and functioning
• Relationship of controls to objectives and risks
• Controls should be cost-effective
• Opportunities for effective monitoring

44 Combined Assurance: A Leadership Role for Internal Auditing

45 Assurance Fatigue: Making Compliance More Efficient
Leadership from South Africa (PwC; the King Report), the leading report on combined assurance, with worldwide influence on governance
Concept: look at compliance across the whole organization

46 Organizational View
Many disparate rules and regulations
Many disparate assurance providers:
• Federal auditors
• External auditors
• Internal auditors
• Different assurance bodies within the organization

47 The Auditee’s Perspective

48 Who are the Assurance Providers

49 Who do they Report to?

50 Combined Assurance
Coordinate and provide relevant assurance on key risk exposures
Minimize business / operational disruptions
Comprehensive tracking of remedial action and/or improvements
Improved Board and Audit Committee reporting
Hopefully, reduced assurance costs

51 Recommended Process
Make the business case
Assurance reality check (inventory)
Risk mapping
Combined assurance design
Make combined assurance a continuing reality

52 Embrace Change: Steps for Internal Audit
Commit to active training and leadership across the organization
Develop an actionable internal audit plan with objectives, risk analysis, and measurable goals
Build on expertise in, and the relationship between, (a) organizational objectives, (b) risk management, and (c) internal control

53 Thank You: It Is an Exciting Time
Dr. Larry E. Rittenberg
Chair Emeritus, COSO
University of Wisconsin
5823 Monticello Way, Madison, WI 53719
Ph:
