
The Internal Auditor, Governance and Risk Management 18 November 2014 Phil Tarling, CMIIA, CIA, QIAL, CRMA.

Presentation transcript:

1 The Internal Auditor, Governance and Risk Management
18 November 2014
Phil Tarling, CMIIA, CIA, QIAL, CRMA

2 Speaker’s Background
- Vice President, IA Centre of Excellence, Huawei
- Past Chairman, Global IIA ( )
- Past President of the ECIIA ( )
- Past President of the IIA UK and Ireland ( )
- Provided capacity building in Internal Audit & PIFC since 1998
- Previously worked in the UK, Estonia, Latvia, Lithuania, Poland, Hungary, Czech Republic, Kenya, South Africa, Romania, Macedonia, Croatia, Serbia, Kosovo and Turkey
- Now responsible for developing internal audit capacity in a worldwide Chinese-owned telecoms company

3 Huawei – A Global Company
140+ countries, 150 nationalities, 15 Regional Headquarters, 150,000+ employees, £39.5bn revenues
[Map legend: R&D center; Huawei Headquarters; Technical support center; Accounting share center; Supply center & Hub; Training center; Bidding center (Planning)]

4 Agenda
1. Current Expectations of Internal Audit
2. Corporate Governance & the Players in the Organisation
3. Risk Management in the Organisation
4. Encompassing Role of Internal Audit

5 Current Expectations of Internal Audit
The Internal Audit definition: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

6 Elements included in the Internal Audit remit
Governance: “…a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.” (OECD)
Risk Management: Managing the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Controls: Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

7 Four Pillars of Effective Governance
[Diagram: Effective Governance]
“Internal auditing is perhaps the most important pillar in effective corporate governance and risk management. It has a unique position and can cover much broader risk areas than any external audit could.” – Lord Smith of Kelvin

8 Global International Standards 2110 Governance
The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values in the organisation
- Ensuring effective organisational performance management and accountability
- Effectively communicating risk and control information to appropriate areas of the organisation
- Effectively co-ordinating the activities of and communicating information among the Board, external and internal auditors and management

9 Key Elements of Governance
- Promotion of Ethics & Values
- Organisational Performance
- Accountability
- Risk and Control requirements
- Communication of Information
- Leadership & Direction

10 Promotion of Ethics & Values
Tone at the Top: setting the right example
[News item: “Tesco puts $35m private jet up for sale. Private plane being sold by Tesco boasts leather seats, maple wood interior and DVD players”]

11 Organisational Performance
- Regular monitoring
- Remuneration linked to performance

12 Leadership & Direction
- Vision
- Mission
- Values
- Forward looking
- Balancing performance & compliance
- Gaining ownership

13 Risk Management & the Organisation
Why does Risk Management matter?
[News item: With over 1 million views on their promo video and a tonne of bad press, Nokia has been forced to admit that “The video demonstrates the benefits of optical image stabilization only and the video is not shot on a Lumia 920”.]
- To counter Fraud
- To counter stupidity

14 Risk Management & the Organisation
Why does Risk Management matter?
- To counter Nature

15 COSO ERM Definition
Enterprise Risk Management is a process, effected by an entity’s board of directors, managers and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

16 COSO Enterprise Risk Management

17 The components of ERM
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
First Line: Implements. Second Line: Oversight. Third Line: Evaluates.

18 The principles behind good Risk Management
1. Every organisation should be headed by an effective Board, which is collectively responsible for the success of the organisation.
2. There should be a clear division of responsibilities at the head of the organisation between running the board and running the organisation’s business. No individual should have unfettered powers of decision.
3. The Board should have a balance of Directors, including independent non-executive directors, so that no one individual or group of individuals can dominate the decision taking.

19 The principles behind good Risk Management (continued)
4. There should be a formal, rigorous and transparent process for appointments to the board.
5. The board should be supplied in a timely manner with the information required to enable it to discharge its duties. All directors should receive induction when they join the board and should regularly update their skills and knowledge.
6. The board should undertake a formal and rigorous annual evaluation of its own performance and that of its committees and the individual directors.

20 The principles behind good Risk Management (continued)
7. A significant proportion of Directors’ remuneration should be linked to the organisation’s performance.
8. There should be a formal and transparent process for the determination of the remuneration of the top management of the organisation.
9. The board has a responsibility to maintain a sound system of internal control to protect the organisation’s assets and to enhance performance.
10. The board should have formal and transparent processes for the appointment of the internal and external auditors, its relationship with them, and the reporting procedures to be used in respect of financial and internal control processes.

21 The encompassing role of Internal Audit
Football managers often say that for the goalkeeper to miss a save, 10 other players must have missed it before him. This third-line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (first line) and the defence (second line) fails to pick up the opposition’s attack, it is left to the goalkeeper (third line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both first and second lines, and failure to do so may lead to significant loss to the organisation.
- 1st line: Business Management
- 2nd line: Risk Mgt / Compliance / Others
- 3rd line: Risk Based Internal Audit
External Audit and the Regulators are the Referee and Linesman.

22 The Three Lines of Defence
[Diagram labels: Direction; Assurance; Compliance; Control; Risks]
It should assist in defining where Internal Audit should be and where it shouldn’t be.

23 Shared Purpose of the Three Lines
[Diagram comparing First Line (Management), Second Line (ERM Department) and Third Line (IA Department); the three columns read:]
- Know the objectives; Know the Risks; Implement Controls; Recommend Process change
- Identify objectives; Identify Risks; Implement Mitigation; Report Exposure
- Identify objectives; Identify Risks; Evaluate Controls; Provide Assurance

24 Internal Audit’s role in Risk Management
3 Lines of Defence shows there is:
- Synergy
- Commonality of purpose
And there can be:
- Holistic use of outcomes
- Reliance upon each other’s work
But could there be pitfalls?

25 Internal Audit’s role in Risk Management
So with those advantages, can the first, second and third lines of defence work together? They can, but SHOULD they?
Some time ago the IIA introduced the FAN.

26 Internal Audit’s role in Risk Management
It is still relevant.

27 Combined Internal Audit and Risk Management
We are all trying to win the game. Each line has a specific job that contributes to winning.
So in our organisations, what are the important elements?
- Recognition that the first line role is more than just revenue generation or service provision
- Coordination of the same purpose of all three lines, but providing input to the individual needs of each line
- Retention of Internal Audit Independence

28 The Development of GRC
[Governance Structure chart: Risk and Resiliency Operating Committee; Global Enterprise Risk Sponsors; Audit Committee; Head of Audit & Risk (Governance, Risk and Controls); IT Audit; ERM; Business Audit; Ethics and Investigations; Escalation Path]
Chart notes: Board sub-committee, conducts an ERM deep-dive every six months. VPs from Finance, Engineering, Sales, IT, Supply Chain and Services meet to discuss cross-functional risks every six weeks.
Potential Downsides:
- Loss of independence and objectivity
- Blurs the reporting lines – typically the CFO will have responsibility for Risk, the CEO for Audit
Potential Upsides:
- All governance, risk management and control compliance issues are in the one area

29 And if you have to combine
If you have to have a combined approach you need to clarify:
- Management remain responsible for Risk Management
- Internal Audit must not be the owner of risk
- With a joint HIA and CRO, the Board should be aware that the division of time does not impact IA independence or coverage
- Ideally a joint Head of Audit & Risk should not give assurance on RM activities, but this may not be possible to avoid, so steps have to be taken to provide as much objectivity as possible

30 Why are there concerns with GRC?
UK Parliamentary Commission on Banking – First Report 2013, “Changing Banking for Good”:
- A blurring of responsibility between the front line and compliance staff risks absolving the front line from responsibility for risk.
- Internal audit’s independence is as important as that of the Chief Risk Officer and the Head of Group Compliance.
- The “three lines of defence” have not prevented banks’ control frameworks failing in the past, in part because the lines were blurred and the status of the front line, remunerated for revenue generation, was dominant over the compliance, risk and audit apparatus.

31 How should we audit?
The Risk Based Internal Audit approach links to:
- Business Objectives – identify what the business is trying to achieve
- Business Risks – identify what the risks are to the achievement of those objectives
- Controls – identify the controls that are necessary to deal with the risks
- Assurance – provide the Board with assurance that Governance, Risk and Compliance are being controlled
(ORCA: Objectives, Risks, Controls, Assurance)

32 Internal Audit at the higher level
Should cover:
- The Governance environment: policies, culture and structure
- The Governance Process: how the policies are implemented
- The Governance Procedures: monitoring systems

33 Internal Audit at the higher level (continued)
The Simple role:
- Check job descriptions
- See that personal appraisals are regularly held
- Are there individual objectives linked to the organisation’s?
- Do managers know who they are responsible to?
- Do they know who they are accountable to?
- Do they know what the words mean?
BUT this is the simple compliance model. It does not meet the international standards on the role of IA.

34 Internal Audit at the higher level (continued)
The Difficult role:
- Audit how accountability actually works in the organisation
- Audit the adequacy of the information flows to top managers
- Audit how the Board works and how they communicate the strategy
- Audit how the strategy is complied with

35 What should be the role of Internal Audit?
The Audit Plan should contain audits of:
- Strategic Planning
- Managerial Accountability
- Board communication
- The system of Personal Appraisals
- Personal Objective setting
And others at the higher level…

36 At this level Internal Audit is not easy
Have we the right qualified auditors? If not, then get the qualified auditors that you need.
We are not higher executives – we do not understand. Then find people who do, or go on training courses – internal auditors have to learn to be at the top table nowadays.
Resistance from the Board/Executive level: use the Standards to convince; be patient in trying to convince; make sure that every job adds value and use this as a lever; do NOT promise what you cannot deliver.

37 Thank You
Phil Tarling
Office:
Mobile:
