© 2016 Grant Thornton LLP | All rights reserved Governance, Risk and Compliance Trends April 11, 2017


Governance, Risk and Compliance Trends

April 11, 2017


Introductions

• Jim Culbreth, Director - Risk Advisory Services
• Josh Brown, Manager - Risk Advisory Services


Agenda

• GAM Update
• CBOK Stakeholders' Advice to the CAE
• Updated IPPF Guidance
• Data Analytics
• Emerging Risks
• Consultative Auditing


Highlights from General Audit Management (GAM) Conference

The annual IIA GAM conference was held last month in Orlando. Key themes were:
• Data analytics
• Corporate governance and culture
• 3rd party risks
• Cyber
• Leadership (Richard Chambers' new book Trusted Advisors: Key Attributes of Outstanding Internal Auditors)


CBOK Stakeholders' Advice to the CAE

About CBOK (Common Body of Knowledge)
• World's largest on-going study of the internal audit profession. Led by the Internal Audit Foundation (formerly the IIA Research Foundation)
• The latest study has two components:
  – Practitioner – explores a variety of IA practices
  – Stakeholder – perspectives from stakeholders on IA performance
• Practitioner and stakeholder reports are available at www.theiia.org/goto/CBOK


CBOK Stakeholders' Advice to the CAE (cont'd)

Stakeholder participant facts:
• Survey participants = 1,124
• Interview participants = 100+
• Countries = 23
• Positions represented:
  – Board member – 34%
  – CEO – 15%
  – CFO – 18%
  – Other C-suite – 33%
• Study was done July 2015 through February 2016


CBOK Stakeholders' Advice to the CAE (cont'd)

Four key messages for how the CAE can perform better:
• Exhibit strong business acumen, including industry knowledge, ability to understand business strategy, and insight to understand and assess risks
• Demonstrate leadership skills (technical competence, innovation and relational competence)
• Manage competing priorities, demands and conflicts
• Seek to influence the culture of the organization


Updated IPPF Guidance

• Revisions made in October 2016; effective January 2017
• Increased focus on:
  – Independence/potential impairments
  – Organization's governance processes surrounding strategy, risk management
  – Reporting to Senior Management and the Board


IPPF Update

1000 - Purpose, Authority, and Responsibility
• Internal Audit Charter must be consistent with:
  – Mission of Internal Auditing
  – Mandatory elements of the IPPF, The Standards
  – Definition of Internal Auditing

1110 - Organizational Independence
• Internal Audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results

1112 - Chief Audit Executive Roles Beyond Internal Auditing
• Implementation of safeguards to limit impairment of independence when role falls outside of internal auditing

1320 - Reporting on the QAIP
• QAIP results must include disclosure of:
  – Scope and frequency of internal and external assessments
  – The qualifications and independence of the assessor(s), assessment team, including any potential conflicts of interest
  – Conclusions of assessors
  – Corrective action plans


IPPF Update (cont.)

2060 - Reporting to Senior Management and the Board
• Reporting must report periodically on internal audit's conformance with the Code of Ethics and the Standards

2110 - Governance
• Make recommendations to improve organization's governance processes for:
  – Strategic/operational decision-making
  – Oversight of risk management and control

2200 - Engagement Planning
• Engagement plans must consider organization's relevant strategies, objectives, and risks

2450 - Overall Opinions
• Opinions must take strategies, objectives, and risks of the organization into account


Definitions…

Big data is "Techniques and technologies that enable enterprises to effectively and economically analyze ALL of their data."

Data analytics is "the process of gathering and analyzing data and then using the results to make better decisions."


Data Analytics Maturity


Top challenges hindering the use of Data Analytics in Internal Audit

Internal audit executives identified obtaining data as the top challenge to incorporating data analytics into their internal audit functions.


The evolution of Data Analytics

Competency – Purpose
• Programming language – Code to the process
• ERP configuration – Configure applications
• Multidimensional reporting – Reporting and pivot capability
• Corporate Performance Management – Planning, Forecasting and Consolidation
• Governance – Reference data and terminology alignment
• Data warehouse – Put all the detail in one place
• Information discovery – Model use cases without ETL
• Big data – Any data, any where, any format, all the time


NEED FOR END-TO-END INTERNAL AUDIT ANALYTICS

One source, many results.

The Value to Internal Audit: Create Value, Increase Insights, Reduce Cost, Reduce Errors & Mitigate Risks, Enhance Efficiency & Effectiveness

• Make compliance a competitive advantage
• Enhance ROI for risk and compliance
• Improve sales and profitability
• Be faster and smarter
• Real-time alerts and insights
• Focus on critical leading indicators
• Transparency across the business
• Reduce cost of internal audit activities
• Focus on elevated risk areas and exposure using modeling and machine learning
• Less errors and false positives
• Better testing coverage
• More timely response to control failures and risks
• Automate time-intensive and manual processes
• Enhance data access and quality
• Positive assurance on controls / compliance


Data Analytics and Risk Management

Future Forward Views

• The board is looking for data-driven decisions on risk
• The C-suite is looking for key risk analytics and their relevance to the organization
• The ability to “foresee” future risks before manifestation
• CAEs are struggling to find an integrated, efficient approach to data analytics that maximizes value


Data Analytics and Risk Management

Internal Audit Application

• Historical Perspective – Error detection and quantification
• Continuous Review – Continuous monitoring and continuous auditing
• Future Perspective – Key Risk Indicators along with predictive and prescriptive analytics


Emerging Risks

• An emerging risk is an issue that is perceived to be potentially significant but which may not be fully understood [1]
• Previously known risks that are evolving in unexpected ways with unanticipated consequences [2]
• A condition, situation, or trend that could significantly impact a company's financial strength, competitive position, or reputation within the next 5 years [3]

[1] https://www.lloyds.com/news-and-insight/risk-insight/emerging-risks-team
[2] Susan K. Woerner, FCAS, FCIA, MAAA, CERA
[3] Beverly Barney - The Prudential Insurance Company of America


Why it matters

• May have multiple direct or indirect consequences that could impact businesses both internally and externally [1]
• Adverse impacts on revenue growth, operating margins, and asset productivity if risks are not identified in a timely manner [2]
• Often cannot be predicted using forecasting and/or other conventional risk-management techniques [3]
• Low likelihood, high impact risks should be viewed as important as high likelihood, high impact risks

[1] Eddie McLaughlin, MD & Practice Leader - Marsh Risk Consulting EMEA
[2] Rob Gould, Director of Internal Audit - Harley Davidson Co.
[3] Taleb, Goldstein, and Spitznagel - Harvard Business Review


Linkage to Risk Assessment

• An organization’s ability to achieve established business objectives is affected by both internal and external risk factors
• The combination of internal and external risk factors in their pure, uncontrolled state is referred to as inherent risk
• A risk assessment should be performed to obtain a better understanding of the entity and its environment, including its risk appetite
• Focuses management’s attention on the truly important risks – risks with the potential to significantly impact financial performance or endanger the organization’s survival
• It gets people talking!


Consultative Auditing

• Many similarities between consulting and auditing…
  – Bring value to the Business (protecting and/or enabling value)
  – Identify potential issues and opportunities
  – Offer solutions to problems
  – Both provide objective advice and recommendations – up to the "customer" to make decisions
• The biggest differences
  – Don’t put Audit in position of auditing solutions it helped implement
  – Audit is more structured – consulting is less structured


Skillsets are similar for auditing and consulting

• Discipline in Thought, Focus, and Action (Attention to Detail)
• Active Listening
• Articulate Communication
• Enthusiasm and Passion – “Fire in the Belly”
• Good Interviewer (ask great questions)


Whether consulting and/or auditing – our RELATIONSHIPS make a difference!

People do business with people that they Know, Like, and Trust.

While it sounds simple, most individuals and organizations fail miserably at building meaningful relationships.

Get it right – on both the individual and collective team levels – and you will achieve results by giving people a DISTINCTIVE EXPERIENCE.


The Trusted Advisor Continuum

[Figure labels: Expert for Hire, Steady Supplier, Trusted Advisor; Project Based, Needs Based, Relationship Based; EXPERTISE (DEPTH); INSIGHT (BREADTH); TASK; COLLABORATIVE RELATIONSHIP]

* Adapted from "Clients for Life" and "The Trusted Advisor"


Characteristics of a Trusted Advisor Relationship

• Internal audit is recognized for the value we provide on breadth of areas beyond audit.
• Our services are requested by customers and we are often pulled in "early" for our opinions on important matters.
• We actively collaborate as a team with our customers.
• Audit has a "seat at the table" in strategy meetings, etc.
• Individuals share issues, business imperatives, and confidential matters.
• Customers refer us to others in the Company.
• Multiple relationships have been fostered within our target customer areas.
• Audit recommendations and findings are viewed as a value, not a penalty.


Contact Information

Jim Culbreth
Director, Risk Advisory Services
Raleigh, NC
919 881 2700
Jim [email protected]

Josh Brown
Manager – Risk Advisory Services
Charlotte, NC
704 632 [email protected]