11

Perspectives of 100 CAEs:

How Forward-Thinking and

Contemporary Audit Executives

are Enabling Positive Change

2

PARTICIPATE IN SESSION POLLING and

Q&A • Download the IIA Conferences App to

participate in polling during select

sessions

• Select the session through the

schedule icon and click on the polling

icon

• Ask a member of the Conference Staff

if you need assistance

• You can also go to https://ic.cnf.io/ from

your mobile device web browser

• Submit your questions for the session

or to specific presenters by selecting

the ASK icon

3

About Tom

Tom O’ReillyDirector & Internal Audit Practice Leader

4

About Yulia

Yulia GurmanExecutive Director, Internal Audit and Corporate Security

Packaging Corporation of America

5

Packaging Corporation of America (PCA)

• Domestic company headquartered in Lake

Forest, IL

• One of the largest manufacturers of

containerboard and corrugated packaging

• 2018 revenue $7 billion

• Decentralized environment with more than

100 facilities located primarily across the

United States

6

Polling Question 1Please open the conference app to participate

7

What emerging risks are you covering?

Or describe with one word how

business is changing?

8

9

Business is Changing...

10

But Internal Audit Isn’t...

Source: MISTI 2018 and 2019 Internal Audit Topics on the audit plan survey charts.

11

… and Our Stakeholders are Noticing

of CAEs are extremely or moderately

confident in their organization’s ability to

identify and assess

emerging and atypical risks

HOWEVER

of CAEs say the board will turn to

management

for identification and assessment of

emerging and atypical risks

87%

78%

12

How to be a better Internal Audit Leader through:

• Expanding Audit Coverage

• Increasing Audit’s Subject Matter Expertise

• Positioning Audit to “Lead from the Front”

How can you use internal audit to

ENABLE POSITIVE CHANGE

in your organization?

Learning Objectives

13

Expand The Coverage

Of Your Audit Plan

14

Internal Auditing Definition

Internal auditing is an independent,

objective assurance and consulting

activity designed to add value and

improve an organization's

operations.

It helps an organization

accomplish its objectives by

bringing a systematic, disciplined

approach to evaluate and improve

the effectiveness of risk

management, control, and

governance processes.

CAE Considerations:

Do you have a risk assessment?

- does it reflect the strategic objectives and

emerging risks of your organization?

Do you include the right

stakeholders in your discussions?- review organizational changes

Re-evaluate Your Risk Assessment Approach

15

Four main objectives for every organization:

Organizational Objectives

Increase Revenue

Continually Innovate

Manage Human Resources

Decrease Costs

16

Polling Question 2Please open the conference app to participate

17

Our Audit Plan addresses strategic initiatives

а. No

b. Yes, but we could do better

c. Yes, we feel good about our risk coverage

d. We don’t have any strategic initiatives

18

19

20

Risk Assessment Questions

1. Business area risks and objectives

2. Changes in people, process, and

technology

• Succession Plan

• Emerging and Disruptive

Technology

• Automation

3. Major process/department initiatives

Risk Assessment Resources

1. Risk/Audit Universe

2. Internal Audit’s interface with

Enterprise Risk Management

(ERM)

3. External benchmarks

4. Peer network

How Can you Enhance Your Risk Assessment?

Building Relationships = Better Information

21

Real Life Examples

22

Strategic

Market

• Interest Rate

• Foreign Currency

• Commodity

• Derivatives

Liquidity and Credit

• Cash Management

• Debt Management

• Credit and Collections

• Funding

• Hedging

• Insurance

Accounting and Reporting

• General Ledger Close

• Consolidation Process

• Accounting, Reporting and

Disclosure

• Internal Control/SOX 404/302

• Information and Reporting

Integrity

Tax

• Tax Strategy and Planning

• Tax Optimization

• Transfer Pricing

• Property Taxes

Capital Structure

• Debt

• Equity

• Pension Funds

FinancialCompliance

Code of Conduct

• Ethics

• Fraud

Legal

• Contract

• Liability

• Intellectual Property

• Anti-Corruption / FCPA

• Technology Compliance

Support

Regulatory

• Trade

• Export Compliance

• Labor

• Securities

• Environmental

• Data Protection and Piracy

• International Purchases and

Sales

• Product Quality/Safety

• Health & Safety

• Competitive Practices/Anti-

Trade

• Sales and Marketing

• Technology Compliance

Support

• Customs

Governance

• Board Performance

• Tone at the Top

• Corporate Environment

• Corporate Social

Responsibility

Planning and Resource Allocation

• Organizational Structure

• Strategic Planning

• Budgeting & Forecasting

• JV’s/Alliances Partnerships

• Special Purpose Entities

• IT Strategy

Major Initiatives

• Vision and Direction

• Planning and Execution

• Measurement and

Monitoring

• Technology Implementation

• Business Acceptance

Mergers, Acquisition & Divesture

• Valuation and Pricing

• Due Diligence

• Execution and Integration

Market Dynamics

• Competition

• Economic Factors

• Customer Profile Trends

• Socio-Political

• Pricing Pressures

Legend

Addressed by company Internal Audit in 2018 and in 2017

Addressed by company Internal Audit in 2016

Communication & Investor

Relations

• Media Relations

• Investor Relations

• Employee

Communications

• Technology-

Enabled

Communications

(e.g. social media)

Operations

Sales and Marketing

• Marketing and

Advertising

• Sales and Pricing

• Customer Insight and

Analysis

• New Product

Development

• Technology-Enabled

Sales Channels

• Sales Order Processing

• Customer Support and

Management

• Warranty

Supply Chain

• Engineering

• Material Planning

• Sourcing and

Procurement

• Production and Inventory

Control

• Distribution

• Third party /

subcontractors

People

• Recruitment and

Retention

• Development

and Performance

• Succession

Planning

• Compensation

and Benefits

• Labor Relations

• Payroll/Timekeep

ing

Information Technology

• Information

Management /

Infrastructure

• Security/Access

• Availability/Conti

nuity

• Integrity

Hazards

• Natural Events

and Terrorism

Physical Assets

• Real Estate

• Property, Plant,

and Facilities

Risk Universe Coverage: 2018 and 2019

23

Succession Planning – Inappropriate planning for attrition of key executives could result in

business disruption, loss of key customer relationships, or loss of IP.

Top Risk Identified by Management Sample Audit Plan

Procurement (Location #1, Location #2)

Distributor Pricing

Intellectual Property

Anti-Corruption Program

Subcontractor & Consignment Inventory Program

New Product Research and Development – Ineffective use of R&D investments will hinder

ability to develop new products or meet customer needs.

Asset Risk – company inventory stored internally or at third-party locations may not be secure,

counted, recorded, transferred, or disposed of according to procedures.

Intellectual Property – Inability to enforce patents or protect intellectual property (from theft)

could result in a loss of product market share and future sales.

Procurement – Ineffective supplier and sourcing strategies, negotiating, engaging and vendor

monitoring could cause business interruptions and result in higher material costs.

Product Pricing – Gross margins could erode if pricing processes, procedures, and systems are

not working optimally and average selling prices continue to decrease.

Talent Management – Inefficient employee development and recruiting operations may hinder

our ability to promote and hire qualified internal and external candidates.

Corporate Vision and Strategy – If the corporate strategy is not vetted, communicated, and

accepted within the company, current and long-term initiatives may fail.

Anti-Corruption – Potential bribes paid to government and commercial third parties may result

in regulatory fines and damage company’s reputation.

Voice of Management: Risk Identification Interview Results

24

Regulation and Compliance Risks

Cost Cutting

Managing Talent

Pricing Pressure

Emerging Technologies

Market Risks

Expansion of Government’s Role

Slow-recovery and Double-Dip Recession

Social Acceptance Risks / Corporate Social Responsibility

Ethics, Anti-Corruption Program

20xx Top Business Risks 20xx Audit Plan

Critical Control Reviews, Travel and Expense by Location

Distributor Pricing

Procurement (Location #1, Location #2), Distributor Reviews

Risk Research Benchmarking

25

Summary of 20XX Key Themes By Business Area

Key Themes

• Include Initiatives

• System Changes

• Control Changes

• Industry Risks

• Other?

Business

Area/Segment A

• Include Initiatives

• System Changes

• Control Changes

• Other?

Business

Area/Segment B

• Include Initiatives

• System Changes

• Control Changes

• Other?

Business

Area/Segment C

Through the course of the Risk Assessment process, Internal Audit identified themes that would be considered the high-priority risk

areas for 20XX to address. Additional themes that support Medium priority risk areas are included in the full 2019 Audit Plan as well.

• Continuous growth of a Company’s business; systems and other technology changes; growing risk areas

like cybersecurity; and changes in regulatory environment require a robust plan that will remain flexible

and continue to adapt to changes in the business.

• Changes to the proposed plan will be communicated timely to management and the Audit Committee.

26

Increase the Use of Subject

Matter Expertise

27 Source: Internal Auditing’s Value to Stakeholders - Internal Audit Foundation

Expertise Improves

Insight

Use Subject Matter Experts (SMEs)

Improves Internal

Audit Value

28

Polling Question 3Please open the conference app to participate

29

Did you ever have to “avoid” risky

area coverage due to lack of

subject matter expertise?

а. Yes b. No

30

31

• Assess your own team’s skillset and experience and determine gaps

• Become one!

• Attend targeted training

• Learn from others

• Look for SMEs in your Company:

• Employees

• Guest Auditor Program

• Use consulting firms

• Tip: Engage your staff to work on the project so they can learn from the experts

How Do You Find The Right SMEs?

32

• Your team members learn new skills

• Develop in-house expertise

• Cover new risk areas

• Strategic risks

• “Non-traditional” audit areas

• Obtain benchmarking information

• If consultants are engaged, ask for benchmarking data for similar companies and share with management

Additional Value Of Using SMEs

33

Lead from the Front

3

34

1 2 3Education:

● Show trends and emerging risks

● Share innovative practices on

how to mitigate certain risks

What Can CAEs Do?

Help the Audit Committees and

Management understand:

● Which risks are more predominant

for your industry and organization

● Specific implications of each

identified risk

Propose Solutions:

● Risk coverage game plan

● New technology use (if applicable)

● Resource needs

● Special advisory projects

CAEs can help Management and the Board (Audit Committee) by offering the

following:

35

Learn and Innovate Every Day!

Publications News Network Research

36

Resources

Available at the IIA Bookstore

37

Are You Ready?

38

TELL US WHAT YOU THINK!

Evaluate this session right in the

IIA Conference App!

Not using the conference app?

Visit: ic.cnf.io to complete

your session evaluations.