Presentation on theme: "Internal Audit Challenges: Integration of Strategy, Risk, Control, and Combined Assurance Dr. Larry Rittenberg CLAIN CONFERENCE, May 17, 2013."— Presentation transcript:
Internal Audit Challenges: Integration of Strategy, Risk, Control, and Combined Assurance Dr. Larry Rittenberg CLAIN CONFERENCE, May 17, 2013
Background – Many Perspectives Audit Committee Chair of $2 Billion NASDAQ Company 40 years studying the internal audit profession, PhD thesis on Auditor Independence and Systems Design Many IIA committees including: President IIA Research FD Member, IPPF Oversight Committee Task force to write the definition of internal auditing Chair (5 years) and member of COSO (11 years) Author of Research related to Internal Auditing
Factors Affecting the Profession Internal Audit Rate of Change Technology Governance Organizational Relationships Globalization Staff/ Growth Opportunities Complexity
Challenges for the Profession Perspectives and Challenges: Where should internal auditing be regarding: Enterprise-wide Risk Management Internal Control Fraud Prevention and Detection Combined Assurance. How do we Prepare for these Challenges???
What do we Know Businesses Fail Fortune 500 results Nokia Phones But, do we know why they Fail? Enterprise Risk Management and Strategy are intertwined Internal Control is Important, COSO Framework is Updated.
Internal Control_ Analysts View Pinto, Clinton, Ashbaugh – Skaiffe (2013) We find analysts earnings forecasts are significantly less accurate for firms with material weaknesses in internal control. This finding suggests that analysts acquisition of private information cannot overcome the negative effects of ineffective internal control on the reliability of firms financial reports. Second, we document that material weaknesses in internal control are associated with greater forecast dispersion. This finding suggests ineffective internal control creates greater information uncertainty to users of financial statements
Risk and Control Relationship Objectives Risk Assessment Mitigation/ Control STRATEGY
Business risks Is this risk? Who is Responsible?
Barclays bank September 2011, as reported in the Financial Times: Barclays must increase its risk appetite in order to generate adequate returns to meet our market expectations. What does this mean?
Returns and risk Return Risk Current
Returns and risk Return Risk Current Do you have a discussion on whether the increased variance in possible returns is acceptable in pursuing those returns? Where is that discussion held? How are the results of that discussion translated into operations?
Risk appetite The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entitys risk management philosophy, and in turn influences the entitys culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks. COSO ERM, 2004
Risk appetite – objectives, and risk tolerances
Understanding ERM Everything Starts with objectives There is a defined process Responsibility Cascades through The Organization
Objectives and risk: Defining responsibility Who sets the Objectives at each of these levels? Who sets the Risk Management Responsibilities and Approach? Are the same people who are responsible for accomplishing the objectives also for accomplishing them within certain risk tolerances? If you cannot answer these questions, effective risk management is not possible.
Relationship of Internal Control and ERM Objectives Strategies Risk Analysis Internal Control Company / Department / Store sets objectives Develop strategies to achieve corporate objectives Identify Risks to Achieving the Objectives Controls: Designed and Implemented to Mitigate the Risks
Internal Audit Role Standard 2120: Risk Management The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes: Organizational objectives aligned with mission Significant risks identified and assessed Appropriate risk responses consistent with risk appetite Relevant risk information is gathered Risk management processes are monitored
Internal Audit Role Practice Advisory 2009 Internal auditors need to obtain sufficient and appropriate evidence to determine that the key objectives of ERM are met. Consider: Research into current developments, trends, etc. Review corporate policies and board minutes re strategy, risk appetite, etc. Review risk reports issued by management Consider alignment across units and the organization
IA role evolves Identifies Risks for Audit Planning Leadership and Facilitator of ERM – build on Audit Committee Relationship ERM Expert – Role evolves to evaluating effectiveness of risk management processes.
INTERNAL CONTROL Update of the COSO Internal Control, Integrated Framework
Why Update Now? 20 th Anniversary What has changed in that time? Organizational boundaries Expanded reporting responsibilities Information Technology Rate of Change Nature of control procedures Too many failures at the control environment.
Viewing Internal Control as a Process Applies to all 5 Components Applies to all Internal Control Objectives: Operations, Reporting, Compliance Concepts also apply to ERM: But not specifically addressed
Key Changes Reporting Component – much broader than financial reporting Within Framework, move to a principles / points of focus approach. Guidance: Weakness in internal control More judgment, but within structured approach Risk Based, not control based Fraud Assessment is required Importance of Operations and Compliance Objectives Personnel are Accountable for Internal Control
Key Changes Increase Focus on Compliance and Operations Objectives All five components are equally applicable to compliance and operations objectives.
Reporting: A Few Comments Expanded Reported: Key Performance Indicators Risk, Accepted Risk, and Risk Realized Effectiveness of ERM Effectiveness of Internal Control Over Financial Reporting Move from historical data to market data Expanded Forms of Reporting: Alternatives to annual financial statements Social Media Continuous Reporting model – more dependent on controls. Contractual / Organizational Relationship Reporting
Control Environment - Principles 1. Ethics and Integrity: a. Set the tone with a Statement of Values b. Communicate Values c. Evaluate Adherence - Identify Deviations d. Take Action 1. Commitment to Integrity and Ethics
2. Governance: Demonstrates Independence from Management Board establishes oversight responsibilities Board has requisite skills Members are objective and independent (and demonstrate such through actions) Provides oversight over all 5 components of Internal Control
Establishing Authorities and Responsibilities. Management Must: 3. Establishes structures, authorities, and reporting lines. 4. Attract and retain competent People 5. Hold personnel accountable.
Risk Assessment Principles FRAUD RISK: WHAT IF TOP AND MID- LEVEL MANAGEMENT ARE INVOLVED? Libor may have a twin brother. Word has leaked out that the London-based firm ICAP, the world's largest broker of interest-rate swaps, is being investigated by American authorities for behavior that sounds eerily reminiscent of the Libor mess. Regulators are looking into whether or not a small group of brokers at ICAP may have worked with up to 15 of the world's largest banks to manipulate ISDAfix, a benchmark number used around the world to calculate the prices of interest-rate swaps. (May 9, 2013, Rolling Stones Magazine) 6. Set Objectives 7. Identify the risks to achieving the objectives 8. Identify Fraud Risks 9. Identify changes that will affect risks. Objectives Risks Fraud Risks Changes in Risks
Control Activities Points of Focus: Integrated with risk assessment Specific to the organization Identifies key processes Considers the mix of control activities Considers levels within organization Addresses segregation of duties 10. Select control activities that limit risks to those that are acceptable. 11. IT controls merit particular attention, especially IT General Controls 12. Establish Policies for what is expected and procedures for what is to be done.
EXAMPLE: STARTING WITH RISK Experience with a NASDAQ Company with approximately $2 Billion in Sales
SOX Overview: where we started SOX processes not significantly overhauled in years Legacy key controls accumulated over time since 2004 PCAOBs Auditing Standard 5 (AS5) not fully embraced Largely failed to recognize two common control platforms WISE SAP Controls documentation and testing at a site level Inconsistent controls, processes, level of detail Significant redundant work, over testing of controls Significant busy work Inefficiencies related to Lack of alignment with external auditor Redundant work within company site staff
Significant Controls Rationalization Process Cross-functional Finance teams formed Led by Controller and CAE Process owners embraced the opportunity for change Risk Assessment Used a top-down, risk based approach, beginning at the consolidated financial statement level Assessed risk of material misstatement for significant accounts and disclosures and their relevant assertions Scoping Grouped controls into ten major processes Reevaluated which processes, systems, and locations pose risks
Key Process Map
Risks of Material Misstatements Started with a list of 240 risks of material misstatement provided by External Auditor SOX Team added another 14 company specific risks Teams identified key controls to prevent or detect these risks What they found: Numerous instances where control activities covered >1 risks Overlapping controls Better Use of Monitoring
Key Results Significant decrease in controls identified as Key Controls: 289 Manual controls to 142 Manual controls 67 automated controls to 35 automated controls 13 new key controls added Approximately 50% reduction More emphasis on automated controls Next Step: Better assessment of Monitoring
Update and Approach Forward Company and External Auditors jointly doing testing New and Updated Documentation Support of Process Owners Updated thoughts about implementation and use of Internal Controls
Information and Communication 13. Organization obtains relevant and timely information 13. Organization internally communicates information to support internal control 13. Communicates with pertinent outside organizations regarding internal control.
Monitoring A mix of ongoing or separate is OK 16. Ongoing, or Separate Evaluations – whether all five components are (a) present, and (b) functioning. 17. Evaluates and Communicates Internal Control Deficiencies in a timely manner to those responsible for taking corrective action. Oversight Systems, or SAP have processes to build until computer applications, for example segregation of duties Reports can be very useful If designed to provide useful Information on control operation, e.g. a control reconciliation
Monitoring Considers Rate of Change Starts with a Baseline Knowledgeable Personnel Integrated with Operations Adjusts Scope and Frequency Separate Evaluations are periodically needed, including an assessment of whether on-going monitoring is working effectively. 16. Ongoing, or Separate Evaluations – whether all five components are (a) present, and (b) functioning. 17. Evaluates and Communicates Internal Control Deficiencies in a timely manner to those responsible for taking corrective action.
Monitoring Considerations Monitoring activities need to be designed at a level of precision such that they are capable of detecting material misstatements in the financial statements due to a breakdown of the underlying control activities, and There has to be some substantiation that the data used in the monitoring activity is accurate and timely, i.e. the underlying data need to be tested on some regular basis.
Recommendations for Internal Auditors 1. Communicate with Board and Audit Committee a. Value proposition for the entity b. Value proposition for internal audit c. Importance of compliance and operations Objectives 2. Work with External Auditor a. Rationalize and streamline controls b. Identify effective, timely, and relevant monitoring activities c. Identify level at which underlying controls need to be tested to be satisfied that risk are properly mitigated.
Recommendations for Internal Auditors 3. Communication with Process Owners a. Their responsibilities b. The nature of an integrated internal control framework, especially why all five components need to be present and functioning c. Relationship of controls to objectives and risks d. Controls should be cost-effective e. Opportunities for Effective Monitoring
COMBINED ASSURANCE A Leadership Role for Internal Auditing
Assurance Fatigue – Making Compliance More Efficient Leadership from S. Africa – PwC King Report Leading report regarding combined assurance. Worldwide influence on Governance Concept: Look at Compliance Across the Organization.
Organizational View Many disparate rules and regulations Many disparate assurance providers: Federal auditors External auditors Internal auditors Different assurance bodies within the organization
The Auditees Perspective
Who are the Assurance Providers
Who do they Report to?
Combined Assurance Coordinate and provide relevance assurance on key risk exposures Minimize business/operational disruptions Comprehensive Tracking of Remedial Action and/or Improvements Improved Board and AC Reporting Hopefully, reduced assurance costs.
Recommended Process 1. Make the Business Case 2. Assurance Reality Check (Inventory) 3. Risk Mapping 4. Combined Assurance Design 5. Make Combined Assurance a Continuing Reality
Embrace Change: Steps for Internal Audit 1. Commit to Active Training – and leadership across the organization. 2. Develop an Actionable Internal Audit Plan with Objectives, Risk Analysis, and Measurable Goals. 3. Build on Expertise and relationship of (a) organizational objectives, (b) risk management, and (c) internal control
Thank You – it is an Exciting Time Dr. Larry E. Rittenberg Chair Emeritus, COSO University of Wisconsin 5823 Monticello Way Madison, WI Ph: