© 2016 Grant Thornton LLP | All rights reserved
Governance, Risk and Compliance Trends
April 11, 2017
Introductions
• Jim Culbreth, Director - Risk Advisory Services
• Josh Brown, Manager - Risk Advisory Services
Agenda
• GAM Update
• CBOK Stakeholders' Advice to the CAE
• Updated IPPF Guidance
• Data Analytics
• Emerging Risks
• Consultative Auditing
Highlights from General Audit Management (GAM) Conference
The annual IIA GAM conference was held last month in Orlando. Key themes were:
• Data analytics
• Corporate governance and culture
• 3rd party risks
• Cyber
• Leadership (Richard Chambers' new book Trusted Advisors: Key Attributes of Outstanding Internal Auditors)
CBOK Stakeholders' Advice to the CAE
About CBOK (Common Body of Knowledge)
• World's largest on-going study of the internal audit profession. Led by the Internal Audit Foundation (formerly the IIA Research Foundation)
• The latest study has two components:
  – Practitioner – explores a variety of IA practices
  – Stakeholder – perspectives from stakeholders on IA performance
• Practitioner and stakeholder reports are available at www.theiia.org/goto/CBOK
CBOK Stakeholders' Advice to the CAE (cont'd)
Stakeholder participant facts:
• Survey participants = 1,124
• Interview participants = 100+
• Countries = 23
• Positions represented:
  – Board member – 34%
  – CEO – 15%
  – CFO – 18%
  – Other C-suite – 33%
• Study was done July 2015 through February 2016
CBOK Stakeholders' Advice to the CAE (cont'd)
Four key messages for how the CAE can perform better:
• Exhibit strong business acumen, including industry knowledge, ability to understand business strategy, and insight to understand and assess risks
• Demonstrate leadership skills (technical competence, innovation and relational competence)
• Manage competing priorities, demands and conflicts
• Seek to influence the culture of the organization
Updated IPPF Guidance
• Revisions made in October 2016; effective January 2017
• Increased focus on:
  – Independence/potential impairments
  – Organization's governance processes surrounding strategy, risk management
  – Reporting to Senior Management and the Board
IPPF Update
1000 - Purpose, Authority, and Responsibility
• Internal Audit Charter must be consistent with:
  – Mission of Internal Auditing
  – Mandatory elements of the IPPF, The Standards
  – Definition of Internal Auditing

1110 - Organizational Independence
• Internal Audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results

1112 - Chief Audit Executive Roles Beyond Internal Auditing
• Implementation of safeguards to limit impairment of independence when role falls outside of internal auditing

1320 - Reporting on the QAIP
• QAIP results must include disclosure of:
  – Scope and frequency of internal and external assessments
  – The qualifications and independence of the assessor(s), assessment team, including any potential conflicts of interest
  – Conclusions of assessors
  – Corrective action plans
IPPF Update (cont.)
2060 - Reporting to Senior Management and the Board
• Reporting must report periodically on internal audit's conformance with the Code of Ethics and the Standards

2110 - Governance
• Make recommendations to improve organization's governance processes for:
  – Strategic/operational decision-making
  – Oversight of risk management and control

2200 - Engagement Planning
• Engagement plans must consider organization's relevant strategies, objectives, and risks

2450 - Overall Opinions
• Opinions must take strategies, objectives, and risks of the organization into account
Definitions…
Big data is "Techniques and technologies that enable enterprises to effectively and economically analyze ALL of their data."
Data analytics is "the process of gathering and analyzing data and then using the results to make better decisions."
Data Analytics Maturity
Top challenges hindering the use of Data Analytics in Internal Audit
Internal audit executives identified obtaining data as the top challenge to incorporating data analytics into their internal audit functions.
The evolution of Data Analytics
| Competency | Purpose |
|---|---|
| Programming language | Code to the process |
| ERP configuration | Configure applications |
| Multidimensional reporting | Reporting and pivot capability |
| Corporate Performance Management | Planning, Forecasting and Consolidation |
| Governance | Reference data and terminology alignment |
| Data warehouse | Put all the detail in one place |
| Information discovery | Model use cases without ETL |
| Big data | Any data, any where, any format, all the time |
NEED FOR END-TO-END INTERNAL AUDIT ANALYTICS
One source, many results.
The Value to Internal Audit

Create Value
• Make compliance a competitive advantage
• Enhance ROI for risk and compliance
• Improve sales and profitability

Increase Insights
• Be faster and smarter
• Real-time alerts and insights
• Focus on critical leading indicators
• Transparency across the business

Reduce Cost
• Reduce cost of internal audit activities
• Focus on elevated risk areas and exposure using modeling and machine learning

Reduce Errors & Mitigate Risks
• Fewer errors and false positives
• Better testing coverage
• More timely response to control failures and risks

Enhance Efficiency & Effectiveness
• Automate time-intensive and manual processes
• Enhance data access and quality
• Positive assurance on controls / compliance
Data Analytics and Risk Management
Future Forward Views
• The board is looking for data-driven decisions on risk
• The C-suite is looking for key risk analytics and their relevance to the organization
• The ability to “foresee” future risks before manifestation
• CAEs are struggling to find an integrated, efficient approach to data analytics that maximizes value
Data Analytics and Risk Management
Internal Audit Application
• Historical Perspective – Error detection and quantification
• Continuous Review – Continuous monitoring and continuous auditing
• Future Perspective – Key Risk Indicators along with predictive and prescriptive analytics
Emerging Risks
• An emerging risk is an issue that is perceived to be potentially significant but which may not be fully understood [1]
• Previously known risks that are evolving in unexpected ways with unanticipated consequences [2]
• A condition, situation, or trend that could significantly impact a company's financial strength, competitive position, or reputation within the next 5 years [3]

[1] https://www.lloyds.com/news-and-insight/risk-insight/emerging-risks-team
[2] Susan K. Woerner, FCAS, FCIA, MAAA, CERA
[3] Beverly Barney, The Prudential Insurance Company of America
Why it matters
• May have multiple direct or indirect consequences that could impact businesses both internally and externally [1]
• Adverse impacts on revenue growth, operating margins, and asset productivity if risks are not identified in a timely manner [2]
• Often cannot be predicted using forecasting and/or other conventional risk-management techniques [3]
• Low likelihood, high impact risks should be viewed as being as important as high likelihood, high impact risks

[1] Eddie McLaughlin, MD & Practice Leader, Marsh Risk Consulting EMEA
[2] Rob Gould, Director of Internal Audit, Harley Davidson Co.
[3] Taleb, Goldstein, and Spitznagel, Harvard Business Review
Linkage to Risk Assessment
• An organization’s ability to achieve established business objectives is affected by both internal and external risk factors
• The combination of internal and external risk factors in their pure, uncontrolled state is referred to as inherent risk
• A risk assessment should be performed to obtain a better understanding of the entity and its environment, including its risk appetite
• Focuses management’s attention on the truly important risks – risks with the potential to significantly impact financial performance or endanger the organization’s survival
• It gets people talking!
Consultative Auditing
• Many similarities between consulting and auditing…
  – Bring value to the Business (protecting and/or enabling value)
  – Identify potential issues and opportunities
  – Offer solutions to problems
  – Both provide objective advice and recommendations – up to the "customer" to make decisions
• The biggest differences
  – Don’t put Audit in position of auditing solutions it helped implement
  – Audit is more structured – consulting is less structured
Skillsets are similar for auditing and consulting
• Discipline in Thought, Focus, and Action (Attention to Detail)
• Active Listening
• Articulate Communication
• Enthusiasm and Passion – “Fire in the Belly”
• Good Interviewer (ask great questions)
Whether consulting and/or auditing – our RELATIONSHIPS make a difference!
People do business with people that they Know, Like, and Trust.
While it sounds simple, most individuals and organizations fail miserably at building meaningful relationships.
Get it right – on both the individual and collective team levels – and you will achieve results by giving people a DISTINCTIVE EXPERIENCE.
The Trusted Advisor Continuum
[Figure: diagram with axes EXPERTISE (DEPTH) and INSIGHT (BREADTH). Labels: TASK, COLLABORATIVE RELATIONSHIP; Expert for Hire, Steady Supplier, Trusted Advisor; Project Based, Needs Based, Relationship Based]
* Adapted from "Clients for Life" and "The Trusted Advisor"
Characteristics of a Trusted Advisor Relationship
• Internal audit is recognized for the value we provide on breadth of areas beyond audit.
• Our services are requested by customers and we are often pulled in "early" for our opinions on important matters.
• We actively collaborate as a team with our customers.
• Audit has a "seat at the table" in strategy meetings, etc.
• Individuals share issues, business imperatives, and confidential matters.
• Customers refer us to others in the Company.
• Multiple relationships have been fostered within our target customer areas.
• Audit recommendations and findings are viewed as a value, not a penalty.
Contact Information
Jim Culbreth
Director, Risk Advisory Services
Raleigh, NC
919 881 2700
Jim [email protected]

Josh Brown
Manager – Risk Advisory Services
Charlotte, NC
704 632 [email protected]