
Internal Audit Challenges: Integration of Strategy, Risk, Control, and Combined Assurance Dr. Larry Rittenberg CLAIN CONFERENCE, May 17, 2013.


1 Internal Audit Challenges: Integration of Strategy, Risk, Control, and Combined Assurance Dr. Larry Rittenberg CLAIN CONFERENCE, May 17, 2013

2 Background – Many Perspectives Audit Committee Chair of $2 Billion NASDAQ Company 40 years studying the internal audit profession, PhD thesis on Auditor Independence and Systems Design Many IIA committees including: President IIA Research FD Member, IPPF Oversight Committee Task force to write the definition of internal auditing Chair (5 years) and member of COSO (11 years) Author of Research related to Internal Auditing

3 Factors Affecting the Profession Internal Audit Rate of Change Technology Governance Organizational Relationships Globalization Staff/ Growth Opportunities Complexity

4 Challenges for the Profession Perspectives and Challenges: Where should internal auditing be regarding: Enterprise-wide Risk Management Internal Control Fraud Prevention and Detection Combined Assurance. How do we Prepare for these Challenges???

5 What do we Know Businesses Fail Fortune 500 results Nokia Phones But, do we know why they Fail? Enterprise Risk Management and Strategy are intertwined Internal Control is Important, COSO Framework is Updated.

6 Internal Control: Analysts' View Pinto, Clinton, Ashbaugh – Skaiffe (2013) We find analysts' earnings forecasts are significantly less accurate for firms with material weaknesses in internal control. This finding suggests that analysts' acquisition of private information cannot overcome the negative effects of ineffective internal control on the reliability of firms' financial reports. Second, we document that material weaknesses in internal control are associated with greater forecast dispersion. This finding suggests ineffective internal control creates greater information uncertainty to users of financial statements.

7 Risk and Control Relationship Objectives Risk Assessment Mitigation/ Control STRATEGY

8 Business risks Is this risk? Who is Responsible?

9 Barclays bank September 2011, as reported in the Financial Times: Barclays must increase its risk appetite in order to generate adequate returns to meet our market expectations. What does this mean?

10 Returns and risk Return Risk Current

11 Returns and risk Return Risk Current Do you have a discussion on whether the increased variance in possible returns is acceptable in pursuing those returns? Where is that discussion held? How are the results of that discussion translated into operations?

12 Risk appetite The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks. COSO ERM, 2004

13 Risk appetite – objectives, and risk tolerances

14 Understanding ERM Everything Starts with objectives There is a defined process Responsibility Cascades through The Organization

15 Objectives and risk: Defining responsibility Who sets the Objectives at each of these levels? Who sets the Risk Management Responsibilities and Approach? Are the same people who are responsible for accomplishing the objectives also for accomplishing them within certain risk tolerances? If you cannot answer these questions, effective risk management is not possible.

16 Relationship of Internal Control and ERM Objectives Strategies Risk Analysis Internal Control Company / Department / Store sets objectives Develop strategies to achieve corporate objectives Identify Risks to Achieving the Objectives Controls: Designed and Implemented to Mitigate the Risks

17 Internal Audit Role Standard 2120: Risk Management The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes: Organizational objectives aligned with mission Significant risks identified and assessed Appropriate risk responses consistent with risk appetite Relevant risk information is gathered Risk management processes are monitored

18 Internal Audit Role Practice Advisory 2009 Internal auditors need to obtain sufficient and appropriate evidence to determine that the key objectives of ERM are met. Consider: Research into current developments, trends, etc. Review corporate policies and board minutes re strategy, risk appetite, etc. Review risk reports issued by management Consider alignment across units and the organization

19 IA role evolves Identifies Risks for Audit Planning Leadership and Facilitator of ERM – build on Audit Committee Relationship ERM Expert – Role evolves to evaluating effectiveness of risk management processes.

20 INTERNAL CONTROL Update of the COSO Internal Control, Integrated Framework

21 Why Update Now? 20th Anniversary What has changed in that time? Organizational boundaries Expanded reporting responsibilities Information Technology Rate of Change Nature of control procedures Too many failures at the control environment.

22 Viewing Internal Control as a Process Applies to all 5 Components Applies to all Internal Control Objectives: Operations, Reporting, Compliance Concepts also apply to ERM: But not specifically addressed

23 Key Changes Reporting Component – much broader than financial reporting Within Framework, move to a principles / points of focus approach. Guidance: Weakness in internal control More judgment, but within structured approach Risk Based, not control based Fraud Assessment is required Importance of Operations and Compliance Objectives Personnel are Accountable for Internal Control

24 Key Changes Increase Focus on Compliance and Operations Objectives All five components are equally applicable to compliance and operations objectives.

25 Reporting: A Few Comments Expanded Reporting: Key Performance Indicators Risk, Accepted Risk, and Risk Realized Effectiveness of ERM Effectiveness of Internal Control Over Financial Reporting Move from historical data to market data Expanded Forms of Reporting: Alternatives to annual financial statements Social Media Continuous Reporting model – more dependent on controls. Contractual / Organizational Relationship Reporting

26 Control Environment - Principles 1. Ethics and Integrity: a. Set the tone with a Statement of Values b. Communicate Values c. Evaluate Adherence - Identify Deviations d. Take Action 1. Commitment to Integrity and Ethics

27 2. Governance: Demonstrates Independence from Management Board establishes oversight responsibilities Board has requisite skills Members are objective and independent (and demonstrate such through actions) Provides oversight over all 5 components of Internal Control

28 Establishing Authorities and Responsibilities. Management Must: 3. Establishes structures, authorities, and reporting lines. 4. Attract and retain competent People 5. Hold personnel accountable.

29 Risk Assessment Principles FRAUD RISK: WHAT IF TOP AND MID-LEVEL MANAGEMENT ARE INVOLVED? Libor may have a twin brother. Word has leaked out that the London-based firm ICAP, the world's largest broker of interest-rate swaps, is being investigated by American authorities for behavior that sounds eerily reminiscent of the Libor mess. Regulators are looking into whether or not a small group of brokers at ICAP may have worked with up to 15 of the world's largest banks to manipulate ISDAfix, a benchmark number used around the world to calculate the prices of interest-rate swaps. (May 9, 2013, Rolling Stone Magazine) 6. Set Objectives 7. Identify the risks to achieving the objectives 8. Identify Fraud Risks 9. Identify changes that will affect risks. Objectives Risks Fraud Risks Changes in Risks

30 Control Activities Points of Focus: Integrated with risk assessment Specific to the organization Identifies key processes Considers the mix of control activities Considers levels within organization Addresses segregation of duties 10. Select control activities that limit risks to those that are acceptable. 11. IT controls merit particular attention, especially IT General Controls 12. Establish Policies for what is expected and procedures for what is to be done.

31 EXAMPLE: STARTING WITH RISK Experience with a NASDAQ Company with approximately $2 Billion in Sales

32 SOX Overview: where we started SOX processes not significantly overhauled in years Legacy key controls accumulated over time since 2004 PCAOB's Auditing Standard 5 (AS5) not fully embraced Largely failed to recognize two common control platforms WISE SAP Controls documentation and testing at a site level Inconsistent controls, processes, level of detail Significant redundant work, over testing of controls Significant busy work Inefficiencies related to Lack of alignment with external auditor Redundant work within company site staff

33 Significant Controls Rationalization Process Cross-functional Finance teams formed Led by Controller and CAE Process owners embraced the opportunity for change Risk Assessment Used a top-down, risk based approach, beginning at the consolidated financial statement level Assessed risk of material misstatement for significant accounts and disclosures and their relevant assertions Scoping Grouped controls into ten major processes Reevaluated which processes, systems, and locations pose risks

34 Key Process Map

35 Risks of Material Misstatements Started with a list of 240 risks of material misstatement provided by External Auditor SOX Team added another 14 company specific risks Teams identified key controls to prevent or detect these risks What they found: Numerous instances where control activities covered >1 risks Overlapping controls Better Use of Monitoring

36 Key Results Significant decrease in controls identified as Key Controls: 289 Manual controls to 142 Manual controls 67 automated controls to 35 automated controls 13 new key controls added Approximately 50% reduction More emphasis on automated controls Next Step: Better assessment of Monitoring

37 Update and Approach Forward Company and External Auditors jointly doing testing New and Updated Documentation Support of Process Owners Updated thoughts about implementation and use of Internal Controls

38 Information and Communication 13. Organization obtains relevant and timely information 14. Organization internally communicates information to support internal control 15. Communicates with pertinent outside organizations regarding internal control.

39 Monitoring A mix of ongoing or separate is OK 16. Ongoing, or Separate Evaluations – whether all five components are (a) present, and (b) functioning. 17. Evaluates and Communicates Internal Control Deficiencies in a timely manner to those responsible for taking corrective action. Oversight Systems, or SAP have processes to build into computer applications, for example segregation of duties Reports can be very useful If designed to provide useful Information on control operation, e.g. a control reconciliation

40 Monitoring Considers Rate of Change Starts with a Baseline Knowledgeable Personnel Integrated with Operations Adjusts Scope and Frequency Separate Evaluations are periodically needed, including an assessment of whether on-going monitoring is working effectively. 16. Ongoing, or Separate Evaluations – whether all five components are (a) present, and (b) functioning. 17. Evaluates and Communicates Internal Control Deficiencies in a timely manner to those responsible for taking corrective action.

41 Monitoring Considerations Monitoring activities need to be designed at a level of precision such that they are capable of detecting material misstatements in the financial statements due to a breakdown of the underlying control activities, and There has to be some substantiation that the data used in the monitoring activity is accurate and timely, i.e. the underlying data need to be tested on some regular basis.

42 Recommendations for Internal Auditors 1. Communicate with Board and Audit Committee a. Value proposition for the entity b. Value proposition for internal audit c. Importance of compliance and operations Objectives 2. Work with External Auditor a. Rationalize and streamline controls b. Identify effective, timely, and relevant monitoring activities c. Identify level at which underlying controls need to be tested to be satisfied that risks are properly mitigated.

43 Recommendations for Internal Auditors 3. Communication with Process Owners a. Their responsibilities b. The nature of an integrated internal control framework, especially why all five components need to be present and functioning c. Relationship of controls to objectives and risks d. Controls should be cost-effective e. Opportunities for Effective Monitoring

44 COMBINED ASSURANCE A Leadership Role for Internal Auditing

45 Assurance Fatigue – Making Compliance More Efficient Leadership from S. Africa – PwC King Report Leading report regarding combined assurance. Worldwide influence on Governance Concept: Look at Compliance Across the Organization.

46 Organizational View Many disparate rules and regulations Many disparate assurance providers: Federal auditors External auditors Internal auditors Different assurance bodies within the organization

47 The Auditee's Perspective

48 Who are the Assurance Providers

49 Who do they Report to?

50 Combined Assurance Coordinate and provide relevant assurance on key risk exposures Minimize business/operational disruptions Comprehensive Tracking of Remedial Action and/or Improvements Improved Board and AC Reporting Hopefully, reduced assurance costs.

51 Recommended Process 1. Make the Business Case 2. Assurance Reality Check (Inventory) 3. Risk Mapping 4. Combined Assurance Design 5. Make Combined Assurance a Continuing Reality

52 Embrace Change: Steps for Internal Audit 1. Commit to Active Training – and leadership across the organization. 2. Develop an Actionable Internal Audit Plan with Objectives, Risk Analysis, and Measurable Goals. 3. Build on Expertise and relationship of (a) organizational objectives, (b) risk management, and (c) internal control

53 Thank You – it is an Exciting Time Dr. Larry E. Rittenberg Chair Emeritus, COSO University of Wisconsin 5823 Monticello Way Madison, WI Ph:

