1 Internal Audit Challenges: Integration of Strategy, Risk, Control, and Combined Assurance
Dr. Larry Rittenberg
CLAIN Conference, May 17, 2013
2 Background – Many Perspectives
Audit Committee Chair of a $2 billion NASDAQ company
40 years studying the internal audit profession; PhD thesis on "Auditor Independence and Systems Design"
Many IIA committees, including:
  President, IIA Research FD
  Member, IPPF Oversight Committee
  Task force to write the definition of internal auditing
Chair (5 years) and member of COSO (11 years)
Author of research related to internal auditing
3 Factors Affecting the Profession
Internal Audit is affected by:
  Rate of change
  Technology
  Governance
  Organizational relationships
  Globalization
  Staff / growth opportunities
  Complexity
4 Challenges for the Profession
Perspectives and challenges: where should internal auditing be regarding:
  Enterprise-wide risk management
  Internal control
  Fraud prevention and detection
  Combined assurance
How do we prepare for these challenges?
5 What do we Know
Businesses fail: Fortune 500 results; Nokia phones.
But do we know why they fail?
Enterprise risk management and strategy are intertwined.
Internal control is important; the COSO Framework is updated.
6 Internal Control: Analysts' View
Pinto, Clinton, Ashbaugh-Skaife (2013):
"We find analysts' earnings forecasts are significantly less accurate for firms with material weaknesses in internal control. This finding suggests that analysts' acquisition of private information cannot overcome the negative effects of ineffective internal control on the reliability of firms' financial reports. Second, we document that material weaknesses in internal control are associated with greater forecast dispersion. This finding suggests ineffective internal control creates greater information uncertainty to users of financial statements."
7 Risk and Control Relationship
Objectives
Risk assessment
Mitigation / control
Strategy
9 Barclays Bank
September 2011, as reported in the Financial Times: "Barclays must increase its risk appetite in order to generate adequate returns to meet our market expectations."
What does this mean?
11 Returns and Risk
Do you have a discussion on whether the increased variance in possible returns is acceptable in pursuing those returns?
Where is that discussion held?
How are the results of that discussion translated into operations?
(Chart: Risk vs. Return, with the current position marked)
12 Risk Appetite
"The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks."
COSO ERM, 2004
13 Risk Appetite – Objectives and Risk Tolerances
14 Understanding ERM
Everything starts with objectives.
Responsibility cascades through the organization.
There is a defined process.
15 Objectives and Risk: Defining Responsibility
Who sets the objectives at each of these levels?
Who sets the risk management responsibilities and approach?
Are the same people who are responsible for accomplishing the objectives also responsible for accomplishing them within certain risk tolerances?
If you cannot answer these questions, effective risk management is not possible.
16 Relationship of Internal Control and ERM
Objectives: company / department / store sets objectives.
Strategies: develop strategies to achieve corporate objectives.
Risk analysis: identify risks to achieving the objectives.
Internal control: controls designed and implemented to mitigate the risks.
Speaker note: At this point, have them break into groups and develop, for one of their selected areas, how they would fill out this chart.
17 Internal Audit Role
Standard 2120: Risk Management. The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes:
  Organizational objectives aligned with mission
  Significant risks identified and assessed
  Appropriate risk responses consistent with risk appetite
  Relevant risk information is gathered
  Risk management processes are monitored
18 Internal Audit Role
Practice Advisory 2009: Internal auditors need to obtain sufficient and appropriate evidence to determine that the key objectives of ERM are met. Consider:
  Research into current developments, trends, etc.
  Review corporate policies and board minutes regarding strategy, risk appetite, etc.
  Review risk reports issued by management
  Consider alignment across units and the organization
19 IA Role Evolves
Identifies risks for audit planning
Leadership and facilitator of ERM – build on the Audit Committee relationship
ERM expert – role evolves to evaluating the effectiveness of risk management processes
20 Internal Control
Update of the COSO Internal Control – Integrated Framework
21 Why Update Now?
20th anniversary. What has changed in that time?
  Organizational boundaries
  Expanded reporting responsibilities
  Information technology
  Rate of change
  Nature of control procedures
  Too many failures in the control environment
22 Viewing Internal Control as a Process
Applies to all 5 components.

While many of you are likely familiar with the COSO cube that I showed earlier, the figure shown on this slide presents the same concepts in a different visual way. Notice that you still see the five elements of IC from the cube. Underlying all five elements is the graded, shaded horizontal arrow that illustrates how organizational objectives underlie or transcend all 5 elements.

I like this visual – especially when teaching students about the COSO elements of IC – because it lays out a logical framework for thinking about IC. That is, it helps link "objectives, risks, and controls" by requiring the reader to first think about the objectives management is trying to achieve – for example, quality financial reporting – and then it encourages the reader to assess risks associated with achieving that objective, highlights next the control environment that includes entity-wide controls to address those risks, and then it focuses on specific control activities to address specific process-level risks. Then we see Info & Comm, with Monitoring expanded to emphasize that element in this document.

Notice that Monitoring encircles all 5 elements of IC, suggesting that management should design and implement monitoring procedures to evaluate all elements of IC, not just control activities. The ultimate goal is to monitor the IC system's ability to manage or mitigate meaningful risks threatening entity objectives. As the boxes on this slide indicate, monitoring also applies to all types of objectives – not just financial reporting. Monitoring applies to COSO's ERM framework as well.

Applies to all internal control objectives: operations, reporting, compliance.
Concepts also apply to ERM, but this is not specifically addressed.
23 Key Changes
Reporting component – much broader than financial reporting
Within the Framework, move to a principles / points-of-focus approach
Guidance: weakness in internal control
More judgment, but within a structured approach
Risk based, not control based
Fraud assessment is required
Importance of operations and compliance objectives
Personnel are accountable for internal control
24 Key Changes: Increased Focus on Compliance and Operations Objectives
All five components are equally applicable to compliance and operations objectives.
25 Reporting: A Few Comments
Expanded reporting:
  Key performance indicators
  Risk, accepted risk, and risk realized
  Effectiveness of ERM
  Effectiveness of internal control over financial reporting
  Move from historical data to market data
Expanded forms of reporting:
  Alternatives to annual financial statements
  Social media
  Continuous reporting model – more dependent on controls
  Contractual / organizational relationship reporting
26 Control Environment – Principles
1. Commitment to Integrity and Ethics:
  Set the tone with a Statement of Values
  Communicate values
  Evaluate adherence – identify deviations
  Take action
27 2. Governance: Demonstrates Independence from Management
Board establishes oversight responsibilities
Board has requisite skills
Members are objective and independent (and demonstrate such through actions)
Provides oversight over all 5 components of internal control
28 3. Establishing Authorities and Responsibilities
Management must:
  Establish structures, authorities, and reporting lines
  Attract and retain competent people
  Hold personnel accountable
29 Risk Assessment Principles
Fraud risk: what if top and mid-level management are involved?
"Libor may have a twin brother. Word has leaked out that the London-based firm ICAP, the world's largest broker of interest-rate swaps, is being investigated by American authorities for behavior that sounds eerily reminiscent of the Libor mess. Regulators are looking into whether or not a small group of brokers at ICAP may have worked with up to 15 of the world's largest banks to manipulate ISDAfix, a benchmark number used around the world to calculate the prices of interest-rate swaps." (May 9, 2013, Rolling Stone Magazine)
Risk assessment principles:
  Set objectives
  Identify the risks to achieving the objectives
  Identify fraud risks
  Identify changes that will affect risks
30 Control Activities
Points of focus:
  Integrated with risk assessment
  Specific to the organization
  Identifies key processes
  Considers the mix of control activities
  Considers levels within the organization
  Addresses segregation of duties
Select control activities that limit risks to those that are acceptable.
IT controls merit particular attention, especially IT general controls.
Establish policies for what is expected and procedures for what is to be done.
31 Example: Starting with Risk
Experience with a NASDAQ company with approximately $2 billion in sales
32 SOX Overview: Where We Started
SOX processes not significantly overhauled in years
  Legacy key controls accumulated over time since 2004
  PCAOB's Auditing Standard 5 (AS5) not fully embraced
  Largely failed to recognize two common control platforms: WISE, SAP
Controls documentation and testing at a site level
  Inconsistent controls, processes, level of detail
  Significant redundant work, over-testing of controls
  Significant busy work
Inefficiencies related to
  Lack of alignment with external auditor
  Redundant work within company site staff
33 Significant Controls Rationalization Process
Cross-functional finance teams formed
  Led by Controller and CAE
  Process owners embraced the opportunity for change
Risk assessment
  Used a top-down, risk-based approach, beginning at the consolidated financial statement level
  Assessed risk of material misstatement for significant accounts and disclosures and their relevant assertions
Scoping
  Grouped controls into ten major processes
  Re-evaluated which processes, systems, and locations pose risks
35 Risks of Material Misstatement
Started with a list of 240 risks of material misstatement provided by the external auditor
SOX team added another 14 company-specific risks
Teams identified key controls to prevent or detect these risks
What they found:
  Numerous instances where control activities covered more than one risk
  Overlapping controls
  Better use of monitoring
36 Key Results
Significant decrease in controls identified as key controls:
  289 manual controls to 142 manual controls
  67 automated controls to 35 automated controls
  13 new key controls added
  Approximately 50% reduction
More emphasis on automated controls
Next step: better assessment of monitoring
37 Update and Approach Forward
Company and external auditors jointly doing testing
New and updated documentation
Support of process owners
Updated thoughts about implementation and use of internal controls
38 Information and Communication
Organization obtains relevant and timely information
Organization internally communicates information to support internal control
Communicates with pertinent outside organizations regarding internal control
39 Monitoring
A mix of ongoing or separate evaluations is OK.
Oversight Systems or SAP have processes built into computer applications, for example segregation of duties.
Ongoing or separate evaluations – whether all five components are (a) present, and (b) functioning.
Evaluates and communicates internal control deficiencies in a timely manner to those responsible for taking corrective action.
Reports can be very useful if designed to provide useful information on control operation, e.g. a control reconciliation.
40 Monitoring
Considers rate of change
Starts with a baseline
Knowledgeable personnel
Integrated with operations
Adjusts scope and frequency
Separate evaluations are periodically needed, including an assessment of whether ongoing monitoring is working effectively.
41 Monitoring Considerations
Monitoring activities need to be designed at a level of precision such that they are capable of detecting material misstatements in the financial statements due to a breakdown of the underlying control activities, and
There has to be some substantiation that the data used in the monitoring activity is accurate and timely, i.e. the underlying data need to be tested on some regular basis.
42 Recommendations for Internal Auditors
Communicate with Board and Audit Committee
  Value proposition for the entity
  Value proposition for internal audit
  Importance of compliance and operations objectives
Work with external auditor
  Rationalize and streamline controls
  Identify effective, timely, and relevant monitoring activities
  Identify the level at which underlying controls need to be tested to be satisfied that risks are properly mitigated
43 Recommendations for Internal Auditors
Communication with process owners
  Their responsibilities
  The nature of an integrated internal control framework, especially why all five components need to be present and functioning
  Relationship of controls to objectives and risks
  Controls should be cost-effective
  Opportunities for effective monitoring
44 Combined Assurance
A leadership role for internal auditing
45 Assurance Fatigue – Making Compliance More Efficient
Leadership from South Africa – PwC
King Report
  Leading report regarding combined assurance
  Worldwide influence on governance
Concept: look at compliance across the organization.
46 Organizational View
Many disparate rules and regulations
Many disparate assurance providers:
  Federal auditors
  External auditors
  Internal auditors
  Different assurance bodies within the organization
50 Combined Assurance
Coordinate and provide relevant assurance on key risk exposures
Minimize business / operational disruptions
Comprehensive tracking of remedial action and/or improvements
Improved Board and AC reporting
Hopefully, reduced assurance costs
51 Recommended Process
Make the business case
Assurance reality check (inventory)
Risk mapping
Combined assurance design
Make combined assurance a continuing reality
52 Embrace Change: Steps for Internal Audit
Commit to active training – and leadership across the organization.
Develop an actionable internal audit plan with objectives, risk analysis, and measurable goals.
Build on expertise and the relationship of (a) organizational objectives, (b) risk management, and (c) internal control.
53 Thank You – It Is an Exciting Time
Dr. Larry E. Rittenberg
Chair Emeritus, COSO
University of Wisconsin
5823 Monticello Way
Madison, WI 53719
Ph: