mario a. nazareth - bcasonline.org audit stakeholder's expectati… · mario a. nazareth....

Mario A. NazarethGroup Chief Internal Auditor

Mahindra & Mahindra LimitedBombay Chartered Accountants’ Society

13th July 2018

Internal Auditors – the sine qua non for good, clean and transparent governance

…. independent, objective assurance and consulting activity Institute of Internal Auditors (IIA)

…. independent appraisal function; supports management Association of Chartered Certified Accountants (ACCA)

…. a way of ensuring businesses and public sector organizations use resources efficiently and apply process consistently Institute of Chartered Accountants of India (ICAI)

…. provides independent assurance on effectiveness of internal controls, risk management processes and contributes to enhancing governance for achieving organizational objectives. (Proposed Revision) Institute of Chartered Accountants of India (ICAI)

How is Internal Audit defined?


….. an aid (to Management and the Board) on matters

related to:

Risk

Governance

Control



The Third line of Defense

• Evaluate and improve the controls environment

• Assess whether financial and operating information is accurate and reliable

• Statutory compliances should be assured

• Streamline processes and look for redundant/ duplicate activities

• Attempt to bring about standardization through benchmarking

• Suggest improvement opportunities


Objectives of any Internal Audit

Challenges facing an Internal Audit Team

• Companies are becoming multi locational, multi product

• A changing demographic profile because of business acquisitions and growth

• The rigors of Performance Management Systems adds to the strain

• Technology aids .. Technology inhibits too

• Staff turnover in Operations

• Operations Manuals and Process Flowcharts – are they still considered relevant?

• New-age frauds – data sampling could soon become a thing of the past


continued overleaf

Challenges facing an Internal Audit Team (cont’d)

• Outsourcing of operations – are controls looked into … or is cost the only factor?

• Data access privileges … an illusion?

• Systems are made to support decision making and facilitate MIS. Do they highlight control weaknesses?

• Reviews of Controls & Commonality of processes – strictly for Internal Auditors … can they cope?

• Non documented processes and documentation to support business decisions – how long more?

• Resources for Internal audit – not always the brightest and the best


Expectations from Internal Audit

• Be in front of and understand the business

• Develop a Risk centric mindset

• Focus on process improvement; leverage technology effectively

• Move to ‘new age’ audit areas including areas concerning Governance and Compliance

• Look at the big picture

• Transparency and sharpness in reporting

• Keep re-inventing yourself

• Avoid overstepping the Auditor’s role


Top level expectations

Changing attributes of an Internal Auditor…..

Role: Policeman to Business enabler

Viewpoint: Reactive to Predictive

Outlook: Oversight to Insight

Approach: Controls based to Risk based

Skills set: Traditional Tools to Automated Tools

Attitude: Staid to Innovative

Interpretation: Data becomes Information


Unchanging characteristics …..

• Unyielding on values and ethics

• Knowledgeable and passionate

• Guided by instinct; perceptive by nature

• Friendly, yet aloof

• Tough, but with measured compassion

• Principled, with doses of pragmatism


Calendar of Significant Events in M&MYear Event

1964 Appointment of M&M’s first Internal Auditor

1988 Constitution of the Audit Committee in M&M

Pre-2003 Co-sourcing of audits begins

2004, 05, 08, 10, 13

Hosted the Auditor Conclaves

2009 Begun to formulate In-house Standards, Policies, Guidance Notes

2015 Commenced the Internal Peer Review process

2016 M&M’s 100th Audit Committee meeting

2018 Re-formulation of In-house Standards, Policies, Guidance Notes


NB: The above represent a selective list of events


…. the voice of a Stakeholder


Rama BijapurkarIndependent Director

Sharpness in Reporting


Help get to the

POINT

The clutter of a thousand words


Relevant for the Operating Team

Relevant for the Senior Management

for the

CEO

Reports - what’s relevant to whom?

The Executive Summary

The Conclusion and Report Rating


Audit ConclusionsOur audit review indicates that there is need to introduce ………. The controls were found to be generally adequate in other areas selected for review.

Our audit review has highlighted the need for enhanced monitoring to ensure ………….. This could be better achieved with the use of available System support.

Our audit review has highlighted concerns about ………. and the absence of periodic reviews. These processes need to be considerably strengthened.

Our review has highlighted the absence of a formally defined process for ……….. with possibilities of a bias creeping into ………. There is a risk that …… the Company ..… could be exposed to needless litigation.

The wide and unexplained gap between …….. and ……….. could be a pointer to ………… . Documentation in support of crucial decisions was not available for review.

Our audit review has highlighted that there needs to be more rigor, with structured automation, in several of the key procedures and processes.


Are the Report Ratings and Observation Gradings biased? Are they Reliable?

Is there a process for determining Ratings and Gradings?

How do I interpret the Report?

Questions in every Stakeholder’s mind


What’s the gut feel?

Into which category do the Observations fall?

What does the Rating Template indicate?

Bias in Reporting – the triple filter test


Rating - Long Term Scale

AAA Highest Safety

AA High Safety

A Adequate Safety

BBB Moderate Safety

BB Moderate Risk

B High Risk

C Very High Risk

D Default

Rating - Short Term Scale

A1 Very strong safety

A2 Strong safety

A3 Moderate Safety

A4 Minimal Safety

D Default IA indicators of assurance

A High

B Acceptable

C Minimal

D Unacceptable

Statutory audit opinions

Unmodified

Modified

Disclaimer

Adverse



Overall Report Rating

A High

B Acceptable

C Minimal

D Unacceptable

Individual Observation Grading

C Critical

M Major

M Medium

L Low

Internal Audit indicators of assurance

4 alphabet 4 Colour

Conclusion:Our audit review indicates that there is need to introduce ………. The controls were found to be generally adequate in the other areas selected for review.

+


2010 Rating and Grading System introduced across the Group

Standardised Reporting at Audit Committees across the Group

2012 Mahindra Finance - Rating Template rolled out for audits of branches

2013 Template designed for Mahindra Holiday Resort audits



Overall Report Rating ParametersA Key internal controls provide a high level of assurance that

processes are operating efficiently and effectively.

B Key internal controls provide an acceptable level of assurance that processes are operating efficiently and effectively.

C Key internal controls provide a minimal level of assurance that processes are operating efficiently and effectively. Immediate action is required to improve the operating effectiveness of controls.

D Key internal controls provide an unacceptable level of assurance that processes are operating efficiently and effectively. Critical observations were identified that require IMMEDIATE Senior Management attention to improve the operating effectiveness of controls.


Observation Grading and Root Cause Definitions

Observation grading

Critical High risk, requires immediate Senior Management attention.

Major High risk, requires Senior Management attention.

Medium Medium risk, requires corrective action.

Low Low risk, with opportunities for improvement.

Root cause definitionsPeoples issue

The exception noted results from non adherence to the laid down processes and procedures

Business Process

The process/ control gap is the result of an inherent limitation of the business process

IT Process The process/control gap is the result of inherent limitations of the IT architecture supporting the business process


…. the voice of another Stakeholder



Ramesh IyerVice Chairman and Managing Director

Mahindra & Mahindra Financial Services Limited

Look at the Bigger Picture


Missing the woods for the trees


Age-old commonsense … a thing of the past ?


Data Knowledge Experience A holistic view

The Metamorphosis of an Audit Observation


Data is effective only if it can be turned into information,

and information into insight

Are we drowning in Information but starving for Know ledge ?versusInternal Auditors – the sine qua non for good, clean and transparent governance

Artificial vs Real Intelligence

Are we drowning in Information but ignoring Know ledge ?Internal Auditors – the sine qua non for good, clean and transparent governance


2006 Introduction of ACL in audits and data analytics

2008+ Continuous Monitoring and development of audit Scripts

2012+ More intensive use of ACL and other software in audits



….Voice of the Auditee



Jasmin SuchakDeputy General Manager

Corporate Management Services

Believing everybody is dangerous

Believing nobodyis very dangerous


• An independent evaluation – started in April 06

• Currently 12 parameters – format revised for F-08 audits

• A 5 point rating scale– Strongly agree– Agree– Neutral– Disagree– Strongly disagree

• An Overall Satisfaction Score (1 to 10)

• Open comments• Results shared with the Audit Committee

The Auditee Evaluation Questionnaire


The Auditee Evaluation Questionnaire

1. The Audit area was appropriately selected for review2. The Audit engagement addressed the key concerns in the

chosen area

3. The audit was conducted in a professional manner4. The current Processes and Procedures were well explained to

and understood by the Audit Team

5. The significant Audit Observations were promptly communicated and discussed by the Audit Team

continued

Scoring pattern1 2 3 4 5

Strongly disagree

Disagree Neutral Agree Strongly agree


The Auditee Evaluation Questionnairecontinued

6. The audit Observations displayed sufficient depth of analysis and understanding of the issues involved

7. The Observations and Report were unbiased and objective8. An opportunity was given to discuss the Observations in

sufficient detail with all concerned before the Report was released

9. The Auditee’s explanations were given due weightage in the framing of the Observations and Recommendations

10. The Recommendations are practical11. The timelines agreed upon for completion of the Action

Plans are realistic

12. The Recommendations once implemented will be value adding to the Sector/ organization


On a scale of 1 (lowest) to 10 (highest), how satisfied were you with the audit engagement

Open Comments We welcome your comments and suggestions to help us serve you better – particularly in those areas where your Ratings have been ‘2’ or below.

The Auditee Evaluation Questionnairecontinued


Concluding Comments


…. these make us proud

Year Event

2008 Winners of the ACL Impact Award (Asia Pacific)

2012 Winners of the IIA Bombay Chapter Award for Innovation

2017 Group CIA is presented with IIA India’s (First) Internal Auditor of the Year AwardWinners of the IIA Bombay Chapter Award for Best Application of Technology


No one can whistle a symphonyIt takes a whole orchestra to play it

- Luccock


If being an Auditor used to be a pleasure …

Which as years went by became an

Today it might be viewed as a burden –

But not if there is a genuine acceptance of the contribution that wise and well meaning Auditors can play


Thank You


mario a. nazareth - bcasonline.org audit stakeholder's expectati… · mario a. nazareth....

Documents