TRANSCRIPT
Internal Audit Challenges:
Integration of Strategy, Risk, Control, and Combined Assurance
Dr. Larry Rittenberg
CLAIN CONFERENCE,
May 17, 2013
Background – Many Perspectives
• Audit Committee Chair of $2 Billion NASDAQ Company
• 40 years studying the internal audit profession, PhD thesis on “Auditor Independence and Systems Design”
• Many IIA committees including:
• President IIA Research FD
• Member, IPPF Oversight Committee
• Task force to write the definition of internal auditing
• Chair (5 years) and member of COSO (11 years)
• Author of Research related to Internal Auditing
Factors Affecting the Profession
Internal Audit
Rate of Change
Technology
Governance
Organizational Relationships
Globalization
Staff/ Growth Opportunities
Complexity
Challenges for the Profession
• Perspectives and Challenges: Where should internal auditing be regarding:
• Enterprise-wide Risk Management
• Internal Control
• Fraud Prevention and Detection
• Combined Assurance.
How do we Prepare for these Challenges???
What do we Know
• Businesses Fail
• Fortune 500 results
• Nokia Phones
• But, do we know why they Fail?
• Enterprise Risk Management and Strategy are intertwined
• Internal Control is Important, COSO Framework is Updated.
Internal Control – Analysts View
• Pinto, Clinton, Ashbaugh-Skaife (2013)
• We find analysts’ earnings forecasts are significantly less accurate for firms with material weaknesses in internal control. This finding suggests that analysts’ acquisition of private information cannot overcome the negative effects of ineffective internal control on the reliability of firms’ financial reports. Second, we document that material weaknesses in internal control are associated with greater forecast dispersion. This finding suggests ineffective internal control creates greater information uncertainty to users of financial statements.
Risk and Control Relationship (diagram: Strategy → Objectives → Risk Assessment → Mitigation/Control; Business risks; “Is this risk? Who is responsible?”)
Barclays bank
• September 2011, as reported in the Financial Times:
• “Barclays must increase its risk appetite in order to generate adequate returns to meet our market expectations”.
• What does this mean?
Returns and risk (chart: Return plotted against Risk, with the current position marked)
Do you have a discussion on whether the increased variance in possible returns is acceptable in pursuing those returns?
Where is that discussion held?
How are the results of that discussion translated into operations?
Risk appetite
• The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.
• COSO ERM, 2004
Risk appetite – objectives, and risk tolerances
Understanding ERM
Everything Starts with objectives
There is a defined process
Responsibility Cascades through The Organization
Objectives and risk: Defining responsibility
Who sets the Objectives at each of these levels?
Who sets the Risk Management Responsibilities and Approach?
Are the same people who are responsible for accomplishing the objectives also responsible for accomplishing them within certain risk tolerances?
If you cannot answer these questions, effective risk management is not possible.
Relationship of Internal Control and ERM
Objectives
Strategies
Risk Analysis
Internal Control
Company / Department / Store sets objectives
Develop strategies to achieve corporate objectives
Identify Risks to Achieving the Objectives
Controls: Designed and Implemented to Mitigate the Risks
Internal Audit Role
• Standard 2120: Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes:
• Organizational objectives aligned with mission
• Significant risks identified and assessed
• Appropriate risk responses consistent with risk appetite
• Relevant risk information is gathered
• Risk management processes are monitored
Internal Audit Role
• Practice Advisory 2009
• Internal auditors need to obtain sufficient and appropriate evidence to determine that the key objectives of ERM are met. Consider:
• Research into current developments, trends, etc.
• Review corporate policies and board minutes re strategy, risk appetite, etc.
• Review risk reports issued by management
• Consider alignment across units and the organization
IA role evolves
Identifies Risks for Audit Planning
Leadership and Facilitator of ERM – build on Audit Committee Relationship
ERM Expert – Role evolves to evaluating effectiveness of risk management processes.
INTERNAL CONTROL
Update of the COSO Internal Control – Integrated Framework
Why Update Now?
• 20th Anniversary
• What has changed in that time?
• Organizational boundaries
• Expanded reporting responsibilities
• Information Technology
• Rate of Change
• Nature of control procedures
• Too many failures at the control environment.
Viewing Internal Control as a Process
Applies to all 5 Components
Applies to all Internal Control Objectives: Operations, Reporting, Compliance
Concepts also apply to ERM: But not specifically addressed
Key Changes
• Reporting Component – much broader than financial reporting
• Within Framework, move to a principles / points of focus approach.
• Guidance:
• Weakness in internal control
• More judgment, but within structured approach
• Risk Based, not control based
• Fraud Assessment is required
• Importance of Operations and Compliance Objectives
• Personnel are Accountable for Internal Control
Key Changes
• Increase Focus on Compliance and Operations Objectives
• All five components are equally applicable to compliance and operations objectives.
Reporting: A Few Comments
• Expanded Reporting:
• Key Performance Indicators
• Risk, Accepted Risk, and Risk Realized
• Effectiveness of ERM
• Effectiveness of Internal Control Over Financial Reporting
• Move from historical data to market data
• Expanded Forms of Reporting:
• Alternatives to annual financial statements
• Social Media
• Continuous Reporting model – more dependent on controls.
• Contractual / Organizational Relationship Reporting
Control Environment - Principles
1. Commitment to Integrity and Ethics:
a. Set the tone with a Statement of Values
b. Communicate Values
c. Evaluate Adherence - Identify Deviations
d. Take Action
2. Governance: Demonstrates Independence from Management
• Board establishes oversight responsibilities
• Board has requisite skills
• Members are objective and independent (and demonstrate such through actions)
• Provides oversight over all 5 components of Internal Control
Establishing Authorities and Responsibilities. Management Must:
3. Establish structures, authorities, and reporting lines.
4. Attract and retain competent People
5. Hold personnel accountable.
Risk Assessment
Principles
• FRAUD RISK: WHAT IF TOP AND MID-LEVEL MANAGEMENT ARE INVOLVED?
• Libor may have a twin brother. Word has leaked out that the London-based firm ICAP, the world's largest broker of interest-rate swaps, is being investigated by American authorities for behavior that sounds eerily reminiscent of the Libor mess. Regulators are looking into whether or not a small group of brokers at ICAP may have worked with up to 15 of the world's largest banks to manipulate ISDAfix, a benchmark number used around the world to calculate the prices of interest-rate swaps. (May 9, 2013, Rolling Stone Magazine)
6. Set Objectives
7. Identify the risks to achieving the objectives
8. Identify Fraud Risks
9. Identify changes that will affect risks.
Objectives
Risks
Fraud Risks
Changes in Risks
Control Activities
• Points of Focus:
• Integrated with risk assessment
• Specific to the organization
• Identifies key processes
• Considers the mix of control activities
• Considers levels within organization
• Addresses segregation of duties
10. Select control activities that limit risks to those that are acceptable.
11. IT controls merit particular attention, especially IT General Controls
12. Establish Policies for what is expected and procedures for what is to be done.
EXAMPLE: STARTING WITH RISK
Experience with a NASDAQ Company with approximately $2 Billion in Sales
SOX Overview: where we started
• SOX processes not significantly overhauled in years
• Legacy key controls accumulated over time since 2004
• PCAOB’s Auditing Standard 5 (AS5) not fully embraced
• Largely failed to recognize two common control platforms: WISE and SAP
• Controls documentation and testing at a site level: inconsistent controls, processes, level of detail
• Significant redundant work, over-testing of controls
• Significant busy work
• Inefficiencies related to lack of alignment with external auditor
• Redundant work within company site staff
Significant Controls Rationalization Process
• Cross-functional Finance teams formed, led by Controller and CAE
• Process owners embraced the opportunity for change
• Risk Assessment: used a top-down, risk-based approach, beginning at the consolidated financial statement level
• Assessed risk of material misstatement for significant accounts and disclosures and their relevant assertions
• Scoping: grouped controls into ten major processes
• Reevaluated which processes, systems, and locations pose risks
Key Process Map
Risks of Material Misstatements
• Started with a list of 240 risks of material misstatement provided by External Auditor
• SOX Team added another 14 company-specific risks
• Teams identified key controls to prevent or detect these risks
• What they found:
• Numerous instances where control activities covered >1 risks
• Overlapping controls
• Better Use of Monitoring
Key Results
• Significant decrease in controls identified as Key Controls:
• 289 Manual controls to 142 Manual controls
• 67 automated controls to 35 automated controls
• 13 new key controls added
• Approximately 50% reduction
• More emphasis on automated controls
• Next Step: Better assessment of Monitoring
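The rationalization described on the two slides above (mapping each risk of material misstatement to the key controls that address it, finding risks covered by more than one control, and dropping overlapping controls while preferring automated ones) can be worked as a small coverage analysis. The following is an added example and not the company's or the presenter's own material; the risk register, control inventory, identifiers and descriptions are constructed for illustration, and the greedy rule for deciding which control to drop is the author's own choice, not a COSO or PCAOB procedure.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the presentation): a register of risks of
# material misstatement and the key-control inventory that addresses them.
RISKS: Dict[str, str] = {
    "R01": "Revenue recorded in the wrong period",
    "R02": "Unauthorized journal entries posted to the general ledger",
    "R03": "Payments made to fictitious vendors",
    "R04": "Inventory counts not reconciled to the ledger",
    "R05": "General-ledger access not restricted to authorized users",
}

# control id -> (description, automated?, risks the control prevents or detects)
CONTROLS: Dict[str, Tuple[str, bool, Set[str]]] = {
    "C01": ("Monthly revenue cut-off review", False, {"R01"}),
    "C02": ("Manual journal-entry approval by controller", False, {"R02"}),
    "C03": ("Automated journal-entry workflow approval", True, {"R02", "R05"}),
    "C04": ("Vendor master change review", False, {"R03"}),
    "C05": ("Quarterly user-access recertification", False, {"R05"}),
    "C06": ("Site-level journal-entry approval log review", False, {"R02"}),
}


def risk_coverage(controls: Dict[str, Tuple[str, bool, Set[str]]]) -> Dict[str, Set[str]]:
    """Map each risk to the set of control ids that address it."""
    coverage: Dict[str, Set[str]] = {}
    for cid, (_desc, _automated, risks) in controls.items():
        for rid in risks:
            coverage.setdefault(rid, set()).add(cid)
    return coverage


def overlapping_risks(coverage: Dict[str, Set[str]]) -> Set[str]:
    """Risks covered by more than one key control: candidates for consolidation."""
    return {rid for rid, cids in coverage.items() if len(cids) > 1}


def uncovered_risks(risks: Dict[str, str], coverage: Dict[str, Set[str]]) -> Set[str]:
    """Risks in the register with no key control at all: a gap, not a saving."""
    return {rid for rid in risks if rid not in coverage}


def rationalize(controls: Dict[str, Tuple[str, bool, Set[str]]]) -> Tuple[List[str], List[str]]:
    """Greedy rationalization (author's own rule): a control is dropped only if every
    risk it covers is still covered by a control that is being kept. Manual controls
    with the narrowest coverage are considered for removal first, so automated and
    broad controls survive, in line with 'more emphasis on automated controls'.
    A control that covers no risk at all is always dropped (all([]) is True)."""
    kept: Set[str] = set(controls)
    order = sorted(controls, key=lambda cid: (controls[cid][1], len(controls[cid][2]), cid))
    dropped: List[str] = []
    for cid in order:
        still_covered = all(
            any(rid in controls[other][2] for other in kept if other != cid)
            for rid in controls[cid][2]
        )
        if still_covered:
            kept.remove(cid)
            dropped.append(cid)
    return sorted(kept), sorted(dropped)


def reduction_percent(before: int, after: int) -> float:
    """Percentage reduction in the control count, rounded to one decimal."""
    return round(100.0 * (before - after) / before, 1)


if __name__ == "__main__":
    cov = risk_coverage(CONTROLS)
    print("risks with overlapping controls:", sorted(overlapping_risks(cov)))
    print("uncovered risks (gaps):", sorted(uncovered_risks(RISKS, cov)))
    kept, dropped = rationalize(CONTROLS)
    print("keep:", kept, "drop:", dropped)
    print("reduction: %.1f%%" % reduction_percent(len(CONTROLS), len(kept)))
```

On the constructed data the analysis keeps three of six controls and flags R04 as a risk with no key control, which is the kind of finding a rationalization should surface before any control is retired: removing overlap is only safe when every risk stays covered.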
Update and Approach Forward
• Company and External Auditors jointly doing testing
• New and Updated Documentation
• Support of Process Owners
• Updated thoughts about implementation and use of Internal Controls
Information and Communication
13. Organization obtains relevant and timely information
14. Organization internally communicates information to support internal control
15. Communicates with pertinent outside organizations regarding internal control.
Monitoring
• A mix of ongoing or separate is OK
16. Ongoing, or Separate Evaluations – whether all five components are (a) present, and (b) functioning.
17. Evaluates and Communicates Internal Control Deficiencies in a timely manner to those responsible for taking corrective action.
Oversight Systems or SAP have processes to build controls into computer applications, for example segregation of duties
Reports can be very useful if designed to provide useful Information on control operation, e.g. a control reconciliation
Monitoring
• Considers Rate of Change
• Starts with a Baseline
• Knowledgeable Personnel
• Integrated with Operations
• Adjusts Scope and Frequency
• Separate Evaluations are periodically needed, including an assessment of whether on-going monitoring is working effectively.
Monitoring Considerations
• Monitoring activities need to be designed at a level of precision such that they are capable of detecting material misstatements in the financial statements due to a breakdown of the underlying control activities, and
• There has to be some substantiation that the data used in the monitoring activity is accurate and timely, i.e. the underlying data need to be tested on some regular basis.
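The two monitoring slides above make two practical points: controls such as segregation of duties can be built into the application and reported on, and a monitoring report is only evidence if the data behind it is shown to be accurate and timely. The following added example (not from the presentation, and not an SAP or Oversight Systems rule set) illustrates both with a segregation-of-duties check run over a constructed user-access extract. The role names, users, conflict pairs, the seven-day freshness tolerance and the control-total check are all assumptions made for the example.

```python
from datetime import date
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed segregation-of-duties conflict matrix (hypothetical role names).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"VENDOR_MAINTAIN", "INVOICE_APPROVE"}),
    frozenset({"JE_CREATE", "JE_APPROVE"}),
    frozenset({"USER_ADMIN", "JE_APPROVE"}),
}

# Constructed user-access extract as a monitoring report would deliver it:
# an as-of date, a control total from the source system, and the rows.
ACCESS_EXTRACT: Dict = {
    "as_of": "2013-05-10",
    "control_total": 8,
    "rows": [
        ("alice", "JE_CREATE"), ("alice", "JE_APPROVE"),
        ("bob", "VENDOR_MAINTAIN"), ("bob", "INVOICE_APPROVE"),
        ("carol", "JE_APPROVE"),
        ("dave", "USER_ADMIN"), ("dave", "JE_APPROVE"), ("dave", "VENDOR_MAINTAIN"),
    ],
}


def roles_by_user(rows: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group the (user, role) rows into each user's set of roles."""
    users: Dict[str, Set[str]] = {}
    for user, role in rows:
        users.setdefault(user, set()).add(role)
    return users


def sod_violations(rows: List[Tuple[str, str]],
                   conflicts: Set[FrozenSet[str]]) -> List[Tuple[str, Tuple[str, str]]]:
    """Every (user, conflicting role pair) in the extract, sorted for stable reporting."""
    found: List[Tuple[str, Tuple[str, str]]] = []
    for user, roles in roles_by_user(rows).items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in conflicts:
                found.append((user, (a, b)))
    return sorted(found)


def extract_is_timely(as_of: str, run_date: str, max_age_days: int = 7) -> bool:
    """The extract must be no older than max_age_days and not dated in the future."""
    age = (date.fromisoformat(run_date) - date.fromisoformat(as_of)).days
    return 0 <= age <= max_age_days


def extract_is_complete(extract: Dict) -> bool:
    """Row count must agree with the control total reported by the source system."""
    return extract["control_total"] == len(extract["rows"])


def run_monitoring(extract: Dict, conflicts: Set[FrozenSet[str]],
                   run_date: str, max_age_days: int = 7) -> Dict:
    """Return the findings together with whether the data behind them is substantiated.
    Findings from a stale or incomplete extract are still listed, but the report
    is marked unsubstantiated so it is not relied on as evidence of control operation."""
    timely = extract_is_timely(extract["as_of"], run_date, max_age_days)
    complete = extract_is_complete(extract)
    return {
        "substantiated": timely and complete,
        "timely": timely,
        "complete": complete,
        "users_reviewed": len(roles_by_user(extract["rows"])),
        "violations": sod_violations(extract["rows"], conflicts),
    }


if __name__ == "__main__":
    report = run_monitoring(ACCESS_EXTRACT, SOD_CONFLICTS, run_date="2013-05-15")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check reports three conflicting role combinations on the constructed extract and, separately, whether the extract was fresh and complete. Keeping those two verdicts apart is the point of the second bullet above: a clean violation list from stale or truncated data says nothing about whether the control operated.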
Recommendations for Internal Auditors
1. Communicate with Board and Audit Committee
a. Value proposition for the entity
b. Value proposition for internal audit
c. Importance of compliance and operations Objectives
2. Work with External Auditor
a. Rationalize and streamline controls
b. Identify effective, timely, and relevant monitoring activities
c. Identify level at which underlying controls need to be tested to be satisfied that risks are properly mitigated.
Recommendations for Internal Auditors
3. Communication with Process Owners
a. Their responsibilities
b. The nature of an integrated internal control framework, especially why all five components need to be present and functioning
c. Relationship of controls to objectives and risks
d. Controls should be cost-effective
e. Opportunities for Effective Monitoring
COMBINED ASSURANCE
A Leadership Role for Internal Auditing
Assurance Fatigue – Making Compliance More Efficient
• Leadership from S. Africa – PwC
• King Report
• Leading report regarding combined assurance.
• Worldwide influence on Governance
• Concept: Look at Compliance Across the Organization.
Organizational View
• Many disparate rules and regulations
• Many disparate assurance providers:
• Federal auditors
• External auditors
• Internal auditors
• Different assurance bodies within the organization
The Auditee’s Perspective
Who are the Assurance Providers
Who do they Report to?
Combined Assurance
• Coordinate and provide relevant assurance on key risk exposures
• Minimize business/operational disruptions
• Comprehensive Tracking of Remedial Action and/or Improvements
• Improved Board and AC Reporting
• Hopefully, reduced assurance costs.
Recommended Process
1. Make the Business Case
2. Assurance Reality Check (Inventory)
3. Risk Mapping
4. Combined Assurance Design
5. Make Combined Assurance a Continuing Reality
Embrace Change: Steps for Internal Audit
1. Commit to Active Training – and leadership across the organization.
2. Develop an Actionable Internal Audit Plan with Objectives, Risk Analysis, and Measurable Goals.
3. Build on Expertise and relationship of (a) organizational objectives, (b) risk management, and (c) internal control
Thank You – it is an Exciting Time
• Dr. Larry E. Rittenberg
• Chair Emeritus, COSO
• University of Wisconsin
• 5823 Monticello Way
• Madison, WI 53719
• Ph: 1-608-274-8690