INTERNAL AUDIT…
A CREDIBLE PLAYER IN THE GRC FIELD...? !
IIA Netherlands Congress 18-19 June 2015
Peter Diekman
Statements
For internal audit to be a credible player in the GRC field, it must include soft controls in the audit approach.
Whilst auditing the appropriateness of the system of internal controls remains an important task, it will be insufficient to address the issues raised by audit committees and managing boards.
Each company is built on two pillars, i.e. “Culture” and “Structure”.
An internal audit function solely focusing on “Structure” whilst ignoring “Culture” does not add sufficient value to the organisation.
Corporate governance
Good governance, including honest and transparent acting by management, as well as adequate supervision, encompassing accountability regarding the supervisory role, is an essential condition for public trust in the managing board and supervisory board.
Application of and compliance with the Corporate Governance Code guarantee good corporate governance.
Corporate governance
• Determining aspects of good governance:
– Integrity / honesty
– Transparency
– Supervision
– Accountability regarding supervision
– Are there any further aspects determining “good governance”?
Dimensions of corporate governance
– Quality of supervision
• Knowledge and time spent by supervisory board members
• Unanswered questions about behaviour, attitude and moral issues
– Quality of internal audit
• Single focus on the system of controls
• Inclusion or exclusion of behavioural aspects
– Quality of external audit
• Independence
• Engagement owned by supervisory board / audit committee
• Single focus on financial reporting
• Fear of focusing on behavioural aspects
– Quality of internal controls
• Policies and procedures
• ICT controls
Other aspects of corporate governance
– Quality of compliance function
• Focus and awareness of law and regulations
• Some focus on behaviour, but still linked to law and regulations
• The degree to which financial ethics forms part of compliance
– Corporate social responsibility
• Economic principles
• Legal principles
• Ethical principles
• Being a good citizen
Dimensions of corporate governance
Corporate governance is seen as the
driver of business performance that is
achieved at both micro and macro
levels.
A country’s economy and competitive
position depend on the drive and
efficiency of its companies, and the
effectiveness with which their boards
discharge their responsibilities.
Management must be free to drive
their companies forward, but exercise
that freedom within a framework of
effective accountability
Sir Adrian Cadbury
Financial Aspects of Corporate Governance, 1992
Dimensions of corporate governance
– Corporate Governance is about “good business governance”
– “Good business governance” depends on the behaviour of management and staff
– This is why “soft controls” or “soft skills” are regarded as increasingly important in the context of corporate governance
Dimensions of corporate governance
• According to the UN*, good governance encompasses eight aspects i.e.:
• Consensus Oriented
• Participatory
• Following the Rule of Law
• Effective and Efficient
• Accountable
• Transparent
• Responsive
• Equitable and Inclusive
* Source: Agere, Sam (2000). Promoting good governance. Commonwealth Secretariat. ISBN 978-0-85092-629-3
Dimensions of corporate governance
“In business, 1% of the people is always corrupt, 1% is always honest and 98% of the people behave depending on the situation”
Prof. Dr. Muel Kaptein
Rotterdam School of Management
Dimensions of corporate governance
• Muel Kaptein: “Why good people
sometimes behave badly”*
– Instructions are unclear
– Situations cannot be discussed
– Bad examples and tone set by management
– People are not involved
– Instructions cannot be achieved
– People are invisible
– People are disempowered
* Muel Kaptein: “Waarom goede mensen soms de verkeerde dingen doen”, Business Contact, 2011
Eight soft controls *
• Clarity
• Tone / example setting
• Practicability
• Involvement
• Transparency
• Discussability
• Accountability
• Enforcement
[Diagram also shows the outcomes measured: frequency of deviations, reporting of deviations]
* Model by Muel Kaptein
Dimensions of corporate governance – Why do good people do bad things?
• Leaders are being followed without criticism
• Even if someone does not have coercive power, he/she may have strong influence upon others
• Certainly if the influencer is someone with “authority”, one’s own responsibility might be deferred to the person with authority
• The paradigm is that one abides by the law and one has to simply follow the leader... “Befehl ist Befehl” (orders are orders)
Dimensions of corporate governance
Obedience – “Milgram experiments”
Dimensions of corporate governance
– More than 65% of all people in the experiment went all the way to administer electric shocks of 450 volts
– More than 65% of all people allowed themselves to be overruled by, or deferred their ethical decision to, a person of “authority”
– This does not only happen in a laboratory environment, but may happen in a business environment on a daily basis
– This is why a focus on attitude, behaviour, atmosphere and soft controls in business is so important
Prof. Stanley Milgram
Yale University
Relevance for Internal Audit
– If leadership profiles become dominant, individuals in the organisation may
• …act in accordance with instructions, without questioning
• …defer forming an opinion of their own
• …create a ‘tick the box’ mentality
– Have a focus on leadership styles
– Try to determine whether there is open and transparent communication between leaders and staff
– Try to ascertain the level of assertiveness of staff
– Employ behavioural specialists in your IA team
Clear ethical codes
Effectiveness of ethical codes, policies and
procedures depends on:
– Clarity of such codes, policies and procedures
– Degree that this is being discussed among all
employees
– The degree management sets the behavioural
example
– Whether or not disobedience is allowed
Clarity
• Ethical codes
• Norm awareness
• Euphemism
• Rules pressure
• Prohibitions
• Descriptive norms
• Broken Windows Theory
Clarity – Code of ethics
Clarity
Be clear about expectations and about what is wanted and unwanted behaviour. Give a clear example.
Clear expectations → people know what to do → people do what they are supposed to do
Clarity – Norm awareness
Ethical codes are only effective if they are activated at crucial points in time
Activate all kinds of behavioural norms and values at crucial points in time
Activated norms result in affective reactions where people (wish to) see themselves as ethical individuals
Clarity – Norm awareness
Activating ethical behaviour...
• The Ten Commandments experiment...
• The ‘compulsory eyes’ experiment…
Clarity – Euphemisms
A: A euphemism is a polite expression used in place of words or phrases that otherwise might be considered harsh or unpleasant
• Jokes = bullying
• Lubricant = bribes
• Creative accounting = fraud
• Align the organisation = dismiss staff
B: How we name things broadcasts a strong message about expected and wanted behaviour, and accordingly it will influence behaviour!
Discussability
• Communication
• Pressure from the group
• Conformity
‘Terschelling silenced a whistle blower’
Volkskrant 28 February 2015
“The municipality of the island of Terschelling has paid € 155K to a whistle blower and asked him to step down. The whistle blower, an accountant, reported a booking scandal. Also, he warned of financial problems in connection with a reorganisation.”
The municipality expected a ‘positive attitude’ and ‘conformity’. The whistle blower’s signal of financial problems was interpreted as a direct assault on the managers in charge. He obviously positioned himself as an outlier.
The Asch paradigm
– “It is scary to be seen as an outlier”
– “It is safe to behave like others regardless of my own opinion or view”
– “If I behave differently, I might not be accepted by my peers”
– “I don’t dare to discuss this with my boss, as he expects me to conform with the standing policies and procedures”
Pressure from the group – conformity
Conclusions
Self reflection:
• Am I able or am I not able to express my own opinion?
– Why am I able?
– Why am I not able?
Observations in business organisations:
• Are difficult issues, cumbersome situations, dilemmas and mistakes discussed?
Interventions:
• In discussions: play devil’s advocate, vote anonymously
• Conduct intervision sessions and learn from each other
• Praise transparency regarding difficult situations, dilemmas and mistakes
Relevance for Internal Audit
• Is there an ethical code?
– Is this code activated?
– Do people understand the true meaning of it?
• Do you observe instances of ‘group behaviour’?
– Ask people why they behave as they do
– Try to imagine what happens with staff that is seen as an outlier
• How does staff deal with (personal) dilemmas?
– Are there group discussions?
– Are intervision sessions held?
– Are people able to speak out?
• Do you observe instances of bullying?
– Are euphemisms used?
– Are complaints centrally reported?
– Is there a ‘person of trust’?
Conclusion
“Mistakes are allowed. Let’s discuss them, solve them and learn from them”
Risk
New rules & roles for
Supervisory Board
• Minimum requirements for time spent and number of
supervisory positions
• Mandatory training and CPE requirements
• Proven leadership skills
• Proven knowledge of risk management
• Proven experience with audit
• Maintain contacts with managing board members and
senior management
Risk Management
– What is risk management?
• Control risk
• Be clear about risk border lines
• Pricing of risk
• Monitoring risk
• Inform about risk
Risk appetite
• Determine the maximum level of risk acceptable for the company
– Who determines the risk appetite?
– How to quantify risk appetite?
– Which qualitative risks are taken into consideration?
– Is risk appetite static or dynamic?
– Do management and supervisors understand risk?
“I believe that this company can survive a € 500M disaster...”
Risk appetite
– How good are we at determining risk?
– Research* has revealed that we are being influenced in different ways when making estimates
• We use random samples that are too small
• We allow ourselves to be biased by reference points
• Availability heuristics influence our estimates
* Source: Daniel Kahneman – Thinking, Fast and Slow, chapters 10 through 13, Farrar, Straus and Giroux, New York, 2011
Risk appetite
– Heuristics – the doctrine of finding
– Heuristics play an important role while making an estimation
– Availability heuristic
• Events that recently happened come first to mind...
Prof. Daniel Kahneman
Princeton University
Risk appetite
– Availability heuristic
• Events that are readily available in our memory such as
» Sexual escapades of politicians
» An aeroplane crash
» Personal experiences have more impact than experiences regarding other individuals
• The result is that events that are “available” will influence our ability to make an estimation. This is why our estimations are often biased or prejudiced.
Risk appetite
Events and risks – estimated versus statistical result
• How do you rate the risk of dying of a brain illness versus that of a traffic accident?
– Estimate: 80% of respondents indicate that dying due to a traffic accident is more likely
– Statistics: brain illness results in twice as many deaths as accidents
• Which one is a bigger “killer”: a tornado or asthma?
– Estimate: most respondents argue that a tornado is a bigger “killer” than asthma
– Statistics: asthma is a 20x bigger “killer” than a tornado
• What is the risk of dying from a lightning strike versus from botulism?
– Estimate: the risk of a lightning strike is considered considerably bigger than the risk of botulism
– Statistics: botulism results in 52x more casualties than a lightning strike
• How do you rate the risk of dying from illness versus due to an accident?
– Estimate: the risk of death due to an illness or an accident is considered equally likely
– Statistics: illness results in 18x more deaths than accidents
Risk Management Dimensions
Control dimension / Risk dimension
Control dimension – the three lines
1st line: Managing board, (senior) line management
Role:
• Determine strategy
• Execute strategy
• Monitor the business
2nd line: Finance, HR, Legal, Compliance, Risk Mgt, Actuary, Communication
Role:
• Prepare
• Support
• Analyse
• Control
• Report
• Advise
3rd line: Internal Audit
Role:
• Audit
• Reporting
Oversight: Supervisors / Audit Committee, Regulators
Risk Dimension
• Risk analysis is a process of consecutive phases
• Criteria for risk analysis
– Likelihood of an event
– Impact of an event
– Vulnerability of the organisation to risk events
– Velocity of risk events
• Inquire about perceived risk on the work floor
• Demonstrate and discuss the results
• Determine the appropriate risk response
Risk Dimension
Scale of likelihood – example
Rating | Annual frequency | Definition | Likelihood | Definition
5 | Frequent | More than once in 2 years | Almost certain | > 90% risk
4 | Likely | Once in 2-10 years | Likely | 65% - 90% risk
3 | Possible | Once in 10-20 years | Possible | 35% - 65% risk
2 | Not likely | Once in 20-30 years | Not likely | 10% - 35% risk
1 | Rare | Less than once in 30 years | Rare | < 10% risk
Risk Dimension
Impact scale – example
Rating | Description | Definition
5 | Extreme
• Financial loss > € X m
• Severe loss of reputation
• Criminal prosecution
• Revocation of licence
• Casualties
• Several senior managers quit
4 | Material
• Financial loss between € X and € Y m
• Loss of reputation
• Regulatory intervention
• Loss of vendors and clients
• Legal claims
3 | Average
• Financial loss between € Y and € Z m
• Short term negative publicity
• Critical report from regulator
• Unrest among employees
2 | Low
• Modest financial loss
• Critical press articles
• Mandatory incident reporting to regulator
1 | Insignificant
• Hardly any financial damage
• Negative publicity can be refuted
• Isolated issues among employees
Risk Dimension
Vulnerability scale – example
Rating | Description | Definition
5 | Very high
• No scenario plan
• Lack of reacting capacity
• Remedial measures insufficiently implemented
• No contingency plan
4 | High
• Only scenario plan for most important risks
• Limited reacting capacity
• Remedial measures partly implemented
• Limited contingency plan
3 | Average
• Stress testing and vulnerability analysis performed
• Reacting capacity available
• Remedial measures implemented, not tested
• Contingency plan available, not tested
2 | Low
• Strategic options defined
• Proper reacting capacity available
• Remedial measures implemented and tested
• Contingency plan available and tested
1 | Very low
• Realistic option being executed
• Reacting capacity available at all levels
• Regular testing of plans and measures
Risk Dimension
Velocity* scale – example
Rating | Description | Definition
5 | Very high | Event becomes immediately visible; hardly possible to give a warning signal
4 | High | Event becomes visible within a few days
3 | Average | Event becomes visible in a few months
2 | Low | Event becomes visible in half a year
1 | Very low | Event becomes visible after one year
* Velocity is the time between occurrence of the event and the time that the event surfaces
Risk Dimension
[Heat map: likelihood (1-5, Low to High) on the horizontal axis, impact (1-5, Low to High) on the vertical axis; sample risks Risk 1 to Risk 6 plotted as points]
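The four scales above (likelihood by annual frequency or by probability, impact, vulnerability, velocity) and the likelihood × impact heat map can be turned into a small risk-rating helper that an internal auditor can use to check a risk register consistently. The Python below is an added example and is not part of the original slides; the sample register, the Low/High split at rating 3, the score defined as likelihood × impact, and the rule that a vulnerability or velocity of 4 or more calls for a response plan to be in place up front are all assumptions, not the deck's own definitions.

```python
"""Risk rating helpers built on the likelihood, impact, vulnerability and
velocity scales from the slides, placing rated risks on a likelihood x impact
heat map. Sample risks and zone thresholds are constructed assumptions."""
from dataclasses import dataclass


def likelihood_from_annual_frequency(events_per_year: float) -> int:
    """Map expected events per year onto the 1-5 likelihood rating of the slides:
    5 = more than once in 2 years, 4 = once in 2-10 years, 3 = once in 10-20 years,
    2 = once in 20-30 years, 1 = less than once in 30 years."""
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    if events_per_year > 1 / 2:
        return 5
    if events_per_year >= 1 / 10:
        return 4
    if events_per_year >= 1 / 20:
        return 3
    if events_per_year >= 1 / 30:
        return 2
    return 1


def likelihood_from_probability(p: float) -> int:
    """Map a probability in [0, 1] onto the same 1-5 rating:
    >90% -> 5, 65-90% -> 4, 35-65% -> 3, 10-35% -> 2, <10% -> 1."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if p > 0.90:
        return 5
    if p >= 0.65:
        return 4
    if p >= 0.35:
        return 3
    if p >= 0.10:
        return 2
    return 1


def _check_rating(name: str, value: int) -> None:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer rating from 1 to 5, got {value!r}")


@dataclass(frozen=True)
class RatedRisk:
    name: str
    likelihood: int     # 1-5, likelihood scale
    impact: int         # 1-5, impact scale
    vulnerability: int  # 1-5, vulnerability scale (5 = no scenario or contingency plan)
    velocity: int       # 1-5, velocity scale (5 = surfaces immediately, no warning)

    def __post_init__(self):
        for attr in ("likelihood", "impact", "vulnerability", "velocity"):
            _check_rating(attr, getattr(self, attr))

    @property
    def score(self) -> int:
        """Heat-map score: likelihood x impact, 1..25 (assumed scoring rule)."""
        return self.likelihood * self.impact

    @property
    def zone(self) -> str:
        """Heat-map quadrant; the Low/High split at rating 3 is an assumption."""
        hi_l, hi_i = self.likelihood >= 3, self.impact >= 3
        return {(True, True): "high", (True, False): "likely but limited",
                (False, True): "rare but severe", (False, False): "low"}[(hi_l, hi_i)]

    @property
    def needs_fast_response(self) -> bool:
        """Poor preparedness (vulnerability >= 4) or little warning time (velocity >= 4)
        means the risk response must exist before the event, not after (assumed rule)."""
        return self.vulnerability >= 4 or self.velocity >= 4


def rank_risks(risks):
    """Order risks for the risk-response discussion: score first, then the
    combined vulnerability + velocity as a tie-breaker."""
    return sorted(risks, key=lambda r: (r.score, r.vulnerability + r.velocity), reverse=True)


def render_heat_map(risks) -> str:
    """ASCII heat map: rows are impact 5..1 (top to bottom), columns likelihood 1..5."""
    cells = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.name)
    lines = ["impact \\ likelihood" + "".join(f"{l:>9}" for l in range(1, 6))]
    for i in range(5, 0, -1):
        row = f"{i:>19}"
        for l in range(1, 6):
            row += f"{','.join(cells.get((l, i), [])) or '.':>9}"
        lines.append(row)
    return "\n".join(lines)


# Constructed sample register (not from the slides).
SAMPLE_RISKS = [
    RatedRisk("R1", likelihood_from_annual_frequency(2.0), impact=2, vulnerability=2, velocity=3),
    RatedRisk("R2", likelihood_from_probability(0.05), impact=5, vulnerability=5, velocity=5),
    RatedRisk("R3", likelihood_from_annual_frequency(1 / 15), impact=3, vulnerability=3, velocity=2),
    RatedRisk("R4", likelihood_from_probability(0.7), impact=4, vulnerability=4, velocity=4),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        flag = " (prepare response now)" if r.needs_fast_response else ""
        print(f"{r.name}: L{r.likelihood} x I{r.impact} = {r.score:>2}, zone={r.zone}{flag}")
    print(render_heat_map(SAMPLE_RISKS))
```

The point of keeping vulnerability and velocity outside the score is the one the slides make: a rare but severe event (R2 above) scores low on the map, yet with no contingency plan and no warning time it still needs a prepared response, which a plain likelihood × impact ranking would hide.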
Critical view on Risk Management
Particularly following the banking / economic / geopolitical crisis...
• It has become obvious that management does not, or only insufficiently, understand the risk models
• “Economics” and “Risk Management” do not have sufficient real impact on the way companies are managed
• Real strategic issues are NOT, or only insufficiently, on the agenda of the board
• Risk management is approached far too much from a mathematical perspective
• Risk Management models do NOT work in times of economic crisis and are only tested under normal economic conditions
• Human behaviour is often irrational and highly biased, which is ignored in the risk management models
Compliance function
Some quotes from the business…
• “Oh yeah…we also have to include ‘compliance’”
• “The compliance officer does not understand our business”
• “Compliance is an impediment for agility and profitability”
• “Gate keeper for integrity”
• “Necessary hurdle”
• “Cash burner”
• “Liaison for regulators”
Compliance function
Individual competencies
1. Integrity and steadfastness
2. Investigative and focussed on innovation
3. Analytical skills
4. Judgement skills and discretion
5. Independence
6. Context
7. Communication
8. Effectiveness
Knowledge
9. Risk Management
10. Environment
11. Moral and Ethics
12. Awareness
13. ICT
Practice
14. Applied knowledge
15. Proportionality
16. Critical and resistance
17. Responsiveness
18. Result driven
A sheep with five legs….
Compliance Risk
Compliance risk is the uncertain event
that people behave in a non-compliant
fashion as a result of which certain
objectives will not be achieved
Compliance Risk
• The compliance function focuses on human behavioural risk
• The norm for this behaviour is:
– Law and regulation
– Internal policies and procedures
– Cultural norms that you have learned from your parents from the time you lay in the crib... ‘soft controls!’
Rules versus Principles Based
[Diagram: level of trust on the vertical axis (Low to High), principles based to rules based on the horizontal axis, with the stances “Trust me” (high trust), “Tell me” and “Prove me” (low trust)]
The lower the level of trust, the more important transparency is
Regulation
• Comply with law and regulation
• Keep employee knowledge at proper level
• Properly inform consumers
• Maintain strong market position
Implementing compliance
1. Responsibility for compliance rests with the board of directors
2. Senior management is responsible for managing compliance risk
3. Senior management must communicate and pursue the compliance policy
4. Senior management must ensure a permanent compliance function
5. The compliance function must be independent
6. The compliance function must be well staffed and have an appropriate budget
7. The compliance function advises senior management on how to manage compliance risk
8. The compliance function is subject to internal audit
9. Companies must always comply with law and regulation
10. The compliance function may be outsourced, but it remains the responsibility of management
Relevance for Internal Audit
– Compliance is a specialism. Does Internal Audit have sufficient knowledge of compliance to perform the audit?
– Send internal audit staff to compliance courses
– See to it that internal audit staff involved in compliance audits spend sufficient audit hours to gain experience
– Compliance and Internal Audit are the cornerstones of business integrity and the company’s licence-to-operate
Prof. Dr. Peter A.M. Diekman RA
Forensic Consultancy Bussum BV
Bussummerweg 12
1261 CA BLARICUM
Netherlands
T +31 651 527383
W www.fcbconsult.com