Internal Audit Challenges: Integration of Strategy, Risk, Control, and Combined Assurance Dr. Larry Rittenberg CLAIN CONFERENCE, May 17, 2013

Page 1

Internal Audit Challenges:

Integration of Strategy, Risk, Control, and Combined Assurance

Dr. Larry Rittenberg

CLAIN CONFERENCE,

May 17, 2013

Page 2

Background – Many Perspectives

• Audit Committee Chair of $2 Billion NASDAQ Company
• 40 years studying the internal audit profession, PhD thesis on “Auditor Independence and Systems Design”
• Many IIA committees including:
  • President IIA Research Foundation
  • Member, IPPF Oversight Committee
  • Task force to write the definition of internal auditing
• Chair (5 years) and member of COSO (11 years)
• Author of Research related to Internal Auditing

Page 3

Factors Affecting the Profession

Diagram (factors around Internal Audit): Rate of Change; Technology; Governance; Organizational Relationships; Globalization; Staff/Growth Opportunities; Complexity.

Page 4

Challenges for the Profession

• Perspectives and Challenges: Where should internal auditing be regarding:
  • Enterprise-wide Risk Management
  • Internal Control
  • Fraud Prevention and Detection
  • Combined Assurance

How do we prepare for these challenges?

Page 5

What do we Know

• Businesses Fail
  • Fortune 500 results
  • Nokia Phones
• But, do we know why they Fail?
• Enterprise Risk Management and Strategy are intertwined
• Internal Control is Important, COSO Framework is Updated.

Page 6

Internal Control – Analysts’ View

• Pinto, Clinton, Ashbaugh-Skaife (2013)
• “We find analysts’ earnings forecasts are significantly less accurate for firms with material weaknesses in internal control. This finding suggests that analysts’ acquisition of private information cannot overcome the negative effects of ineffective internal control on the reliability of firms’ financial reports. Second, we document that material weaknesses in internal control are associated with greater forecast dispersion. This finding suggests ineffective internal control creates greater information uncertainty to users of financial statements.”

Page 7

Risk and Control Relationship

Diagram: Objectives → Risk Assessment → Mitigation/Control, all within STRATEGY.

Page 8

Business risks

Is this risk? Who is Responsible?

Page 9

Barclays bank

• September 2011, as reported in the Financial Times:
  • “Barclays must increase its risk appetite in order to generate adequate returns to meet our market expectations”.
• What does this mean?

Page 10

Returns and risk

Chart of Return against Risk, with the Current position marked.

Page 11

Returns and risk

Chart of Return against Risk, with the Current position marked.

Do you have a discussion on whether the increased variance in possible returns is acceptable in pursuing those returns?

Where is that discussion held?

How are the results of that discussion translated into operations?

Page 12

Risk appetite

• The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. … Risk appetite guides resource allocation. … Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.
• COSO ERM, 2004

Page 13

Risk appetite – objectives, and risk tolerances

Page 14

Understanding ERM

Everything Starts with objectives

There is a defined process

Responsibility Cascades through The Organization
Page 15

Objectives and risk: Defining responsibility

Who sets the Objectives at each of these levels?

Who sets the Risk Management Responsibilities and Approach?

Are the same people who are responsible for accomplishing the objectives also responsible for accomplishing them within certain risk tolerances?

If you cannot answer these questions, effective risk management is not possible.
Page 16

Relationship of Internal Control and ERM

Diagram:

Objectives – Company / Department / Store sets objectives

Strategies – Develop strategies to achieve corporate objectives

Risk Analysis – Identify Risks to Achieving the Objectives

Internal Control – Controls: Designed and Implemented to Mitigate the Risks
Page 17

Internal Audit Role

• Standard 2120: Risk Management

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes:
• Organizational objectives aligned with mission
• Significant risks identified and assessed
• Appropriate risk responses consistent with risk appetite
• Relevant risk information is gathered
• Risk management processes are monitored

Page 18

Internal Audit Role

• Practice Advisory 2009
• Internal auditors need to obtain sufficient and appropriate evidence to determine that the key objectives of ERM are met. Consider:
  • Research into current developments, trends, etc.
  • Review corporate policies and board minutes re strategy, risk appetite, etc.
  • Review risk reports issued by management
  • Consider alignment across units and the organization

Page 19

IA role evolves

Identifies Risks for Audit Planning

Leadership and Facilitator of ERM – build on Audit Committee Relationship

ERM Expert – Role evolves to evaluating effectiveness of risk management processes.

Page 20

INTERNAL CONTROL: Update of the COSO Internal Control – Integrated Framework

Page 21

Why Update Now?

• 20th Anniversary
• What has changed in that time?
  • Organizational boundaries
  • Expanded reporting responsibilities
  • Information Technology
  • Rate of Change
  • Nature of control procedures
  • Too many failures at the control environment.

Page 22

Viewing Internal Control as a Process

Applies to all 5 Components

Applies to all Internal Control Objectives: Operations, Reporting, Compliance

Concepts also apply to ERM: But not specifically addressed

Page 23

Key Changes

• Reporting Component – much broader than financial reporting
• Within Framework, move to a principles / points of focus approach.
• Guidance:
  • Weakness in internal control
  • More judgment, but within structured approach
  • Risk Based, not control based
  • Fraud Assessment is required
  • Importance of Operations and Compliance Objectives
  • Personnel are Accountable for Internal Control

Page 24

Key Changes

• Increase Focus on Compliance and Operations Objectives
• All five components are equally applicable to compliance and operations objectives.

Page 25

Reporting: A Few Comments

• Expanded Reporting:
  • Key Performance Indicators
  • Risk, Accepted Risk, and Risk Realized
  • Effectiveness of ERM
  • Effectiveness of Internal Control Over Financial Reporting
  • Move from historical data to market data
• Expanded Forms of Reporting:
  • Alternatives to annual financial statements
  • Social Media
  • Continuous Reporting model – more dependent on controls.
  • Contractual / Organizational Relationship Reporting

Page 26

Control Environment - Principles

1. Commitment to Integrity and Ethics

Ethics and Integrity:
a. Set the tone with a Statement of Values
b. Communicate Values
c. Evaluate Adherence - Identify Deviations
d. Take Action

Page 27

2. Governance: Demonstrates Independence from Management

• Board establishes oversight responsibilities
• Board has requisite skills
• Members are objective and independent (and demonstrate such through actions)
• Provides oversight over all 5 components of Internal Control

Page 28

Establishing Authorities and Responsibilities. Management Must:

3. Establish structures, authorities, and reporting lines.

4. Attract and retain competent People

5. Hold personnel accountable.

Page 29

Risk Assessment Principles

• FRAUD RISK: WHAT IF TOP AND MID-LEVEL MANAGEMENT ARE INVOLVED?
• “Libor may have a twin brother. Word has leaked out that the London-based firm ICAP, the world's largest broker of interest-rate swaps, is being investigated by American authorities for behavior that sounds eerily reminiscent of the Libor mess. Regulators are looking into whether or not a small group of brokers at ICAP may have worked with up to 15 of the world's largest banks to manipulate ISDAfix, a benchmark number used around the world to calculate the prices of interest-rate swaps.” (May 9, 2013, Rolling Stone magazine)

6. Set Objectives

7. Identify the risks to achieving the objectives

8. Identify Fraud Risks

9. Identify changes that will affect risks.

Diagram: Objectives → Risks → Fraud Risks → Changes in Risks.

Page 30

Control Activities

• Points of Focus:
  • Integrated with risk assessment
  • Specific to the organization
  • Identifies key processes
  • Considers the mix of control activities

• Considers levels within organization

• Addresses segregation of duties

10. Select control activities that limit risks to those that are acceptable.

11. IT controls merit particular attention, especially IT General Controls

12. Establish Policies for what is expected and procedures for what is to be done.

Page 31

EXAMPLE: STARTING WITH RISK

Experience with a NASDAQ Company with approximately $2 Billion in Sales

Page 32

SOX Overview: where we started

• SOX processes not significantly overhauled in years
  • Legacy key controls accumulated over time since 2004
  • PCAOB’s Auditing Standard 5 (AS5) not fully embraced
  • Largely failed to recognize two common control platforms: WISE, SAP
• Controls documentation and testing at a site level
  • Inconsistent controls, processes, level of detail
  • Significant redundant work, over testing of controls
  • Significant busy work
• Inefficiencies related to lack of alignment with external auditor
  • Redundant work within company site staff

Page 33

Significant Controls Rationalization Process

• Cross-functional Finance teams formed, led by Controller and CAE
• Process owners embraced the opportunity for change
• Risk Assessment: used a top-down, risk based approach, beginning at the consolidated financial statement level
  • Assessed risk of material misstatement for significant accounts and disclosures and their relevant assertions
• Scoping: grouped controls into ten major processes
  • Reevaluated which processes, systems, and locations pose risks

Page 34

Key Process Map

Page 35

Risks of Material Misstatements

• Started with a list of 240 risks of material misstatement provided by External Auditor
• SOX Team added another 14 company specific risks
• Teams identified key controls to prevent or detect these risks
• What they found:
  • Numerous instances where control activities covered >1 risks
  • Overlapping controls
  • Better Use of Monitoring

Page 36

Key Results

• Significant decrease in controls identified as Key Controls:
  • 289 Manual controls to 142 Manual controls
  • 67 automated controls to 35 automated controls
  • 13 new key controls added
  • Approximately 50% reduction
• More emphasis on automated controls
• Next Step: Better assessment of Monitoring

Page 37

Update and Approach Forward

• Company and External Auditors jointly doing testing

• New and Updated Documentation

• Support of Process Owners

• Updated thoughts about implementation and use of Internal Controls

Page 38

Information and Communication

13. Organization obtains relevant and timely information

14. Organization internally communicates information to support internal control

15. Communicates with pertinent outside organizations regarding internal control.

Page 39

Monitoring

• A mix of ongoing or separate is OK

16. Ongoing, or Separate Evaluations – whether all five components are (a) present, and (b) functioning.

17. Evaluates and Communicates Internal Control Deficiencies in a timely manner to those responsible for taking corrective action.

Oversight Systems, or SAP, have processes built into computer applications, for example segregation of duties.

Reports can be very useful if designed to provide useful information on control operation, e.g. a control reconciliation.

Page 40

Monitoring

• Considers Rate of Change
• Starts with a Baseline
• Knowledgeable Personnel
• Integrated with Operations
• Adjusts Scope and Frequency
• Separate Evaluations are periodically needed, including an assessment of whether on-going monitoring is working effectively.

16. Ongoing, or Separate Evaluations – whether all five components are (a) present, and (b) functioning.

17. Evaluates and Communicates Internal Control Deficiencies in a timely manner to those responsible for taking corrective action.

Page 41

Monitoring Considerations

• Monitoring activities need to be designed at a level of precision such that they are capable of detecting material misstatements in the financial statements due to a breakdown of the underlying control activities, and
• There has to be some substantiation that the data used in the monitoring activity is accurate and timely, i.e. the underlying data need to be tested on some regular basis.

Page 42

Recommendations for Internal Auditors

1. Communicate with Board and Audit Committee
a. Value proposition for the entity
b. Value proposition for internal audit
c. Importance of compliance and operations Objectives

2. Work with External Auditor
a. Rationalize and streamline controls
b. Identify effective, timely, and relevant monitoring activities
c. Identify level at which underlying controls need to be tested to be satisfied that risks are properly mitigated.

Page 43

Recommendations for Internal Auditors

3. Communication with Process Owners

a. Their responsibilities

b. The nature of an integrated internal control framework, especially why all five components need to be present and functioning

c. Relationship of controls to objectives and risks

d. Controls should be cost-effective

e. Opportunities for Effective Monitoring

Page 44

COMBINED ASSURANCE: A Leadership Role for Internal Auditing

Page 45

Assurance Fatigue – Making Compliance More Efficient

• Leadership from S. Africa – PwC
• King Report
  • Leading report regarding combined assurance.
  • Worldwide influence on Governance
• Concept: Look at Compliance Across the Organization.

Page 46

Organizational View

• Many disparate rules and regulations
• Many disparate assurance providers:
  • Federal auditors
  • External auditors
  • Internal auditors
  • Different assurance bodies within the organization

Page 47

The Auditee’s Perspective

Page 48

Who are the Assurance Providers

Page 49

Who do they Report to?

Page 50

Combined Assurance

• Coordinate and provide relevant assurance on key risk exposures
• Minimize business/operational disruptions
• Comprehensive Tracking of Remedial Action and/or Improvements
• Improved Board and AC Reporting
• Hopefully, reduced assurance costs.

Page 51

Recommended Process

1. Make the Business Case

2. Assurance Reality Check (Inventory)

3. Risk Mapping

4. Combined Assurance Design

5. Make Combined Assurance a Continuing Reality

Page 52

Embrace Change: Steps for Internal Audit

1. Commit to Active Training – and leadership across the organization.

2. Develop an Actionable Internal Audit Plan with Objectives, Risk Analysis, and Measurable Goals.

3. Build on Expertise and relationship of (a) organizational objectives, (b) risk management, and (c) internal control

Page 53

Thank You – it is an Exciting Time

• Dr. Larry E. Rittenberg
• Chair Emeritus, COSO
• University of Wisconsin
• 5823 Monticello Way
• Madison, WI 53719
• [email protected]
• Ph: 1-608-274-8690