Impact of Corporate Governance on the Internal Audit Profession
Glenn E. Sumners, DBA, CIA, CFE
Upward (Hacia arriba)
Onward (Adelante)
(1941)
“Internal auditing is an endless journey towards an ever-changing destination.” Glenn E. Sumners
Dominican Republic, Punta Cana, 2012
Today
Glenn Sumners, DBA, CIA, CFE is on the faculty of Louisiana State University, where he is the director of the Louisiana State University Center for Internal Auditing (LSUCIA). He was named Educator of the Year in 1987 by the IIA and received the LCPA Lifetime Achievement in Accounting Education Award in 1999. In 2006, Professor Sumners received the Bradford Cadmus Memorial Award from the IIA. He is a member of the IIA Society Emeritus. In 2012, he was inducted into the IIA American Hall of Distinguished Audit Practitioners. Three LSUCIA students have placed first in the international manuscript competition. Eighteen students from the LSUCIA Program have won the international award for the highest score on the CIA exam. In 2012, the CIA Award for the highest student score was named the Dr. Glenn E. Sumners Award.
He provides quality assurance reviews, consulting, and training to internal audit groups and audit committees. He has made over 1200 presentations in the last 25 years. He has been invited to speak in 25 countries.
Glenn E. Sumners, Director
Louisiana State University Center for Internal Auditing
Presenter (presentador)
Governance (gobierno)
Agenda (orden del día)
Adding Value: The expanding role of Internal Auditing (valor agregado)
• The Value Proposition (la propuesta de valor)
• Addressing Governance (relación con el gobierno corporat)
• Infrastructure (infraestructura)
• Integration (Integración)
• Assessing Risk (evaluación de riesgos) (Borderless organizations) (organizaciones sin fronteras)
• Internal (interno)
• External (externo) (Strategies) (Estrategias)
• Risk Threats (riesgos amenaza)
• Risk Opportunities (riesgos oportunidades)
Governance Agenda (gobierno orden del día)
Adding Value: The expanding role of Internal Auditing (toward governance)
• Job enlargement
• Job satisfaction
• Job enrichment
• Addressing Governance (infrastructure and integration)
• Assessing Risk (broader perspective) (borderless organizations)
• Internal
• External (strategies)
• Enhancing Controls
• Control Activities
• Management Controls
• Plan (tactical and strategic) (planning committee)
• Organize (delegation of accountability)
• Staff (needed competencies outpacing competencies) (CFIA) (CBOK) (Surveys)
• Direct (policies and procedures) (control activities)
• Monitor (change management) (custodial managers)
• Environmental Controls
COSO – Tone at the Top (infrastructure) (integration) (permeation)
• Control Environment
Agenda (orden del día)
• Enhancing Controls (mejorar los controles)
• Control Activities (actividades de control) (time allocation)
• Management Controls (controles de gestión)
• Plan (Tactical and Strategic) (Comité de Planificación)
• Organize (Delegation of Accountability) (organizar)
• Staff (I K W – RP) (BS and CS) (personal)
• Needed competencies outpacing competencies
• CFIA
• CBOK (Business Knowledge)
• Surveys (Encuestas) (Critical Thinking – Hours – Business)
• Direct (Policies and Procedures) (directo)
• Monitor (Oversight, Analytics, Change Management) (custodial managers)
• Control Environment (Entorno de control interno)
• All components of COSO reside in the Control Environment
• Virgin territory
COSO – Tone at the Top (infrastructure) (integration) (permeation) (infraestructura) (integración) (penetración)
Internal Auditing: Adding Value (Auditoría Interna: Agregando Valor)
Integration
• GRC
External
Entity
Process
Unit
Control Environment
Management Controls
Control Activities
Evolution of the Profession (evolución de la profesión)
Controls (Controles)
Risk (Riesgos)
Board
Audit Committee
• Charter
Internal Audit
• Charter
Governance (Gobierno)
(Mature) (Maduro)
(Embryo) (Embrión)
(Radar)
• Opportunities
• Threats
Evaluation
• Check the box
• Reality
Quality (calidad)
Question: Can you be in 100% compliance and go out of business?
Issues (cuestiones):
• Accountability – Governance, Risks, and Controls (responsabilidad)
• King III
• Transparency (transparencia)
• Sustainability (sostenibilidad)
Board (Junta)
• Selection Process (Proceso de Selección)
Audit Committee (comité de auditoría)
CAE
Risk Committee (comité de riesgos)
CRO
• Global
• Strategic
(CRMA)
Compensation Committee (comité de compensación)
• Stock options
• Bonus plans
• Counter-productive
• Salaries
• Up, up, up, and away
Governance (Gobierno Corporativo)
Personal Opinion (Opinión personal): The CEO and CFO should not be involved in selecting members of the Board, Audit Committee, Risk Committee, or Compensation Committee.
AAA
COB CEO
Obj.
Sub.
SOD
Reporting (Reportaje)
Board (Junta)
CEO
Audit Committee (Comité de Auditoría)
Functional (Funcional)
Administrative (Administrativo)
Internal Audit (Auditoría Interna)
• Resources
• Office Space
• Budget
• Training
• Travel
• Staffing
• Primary Report
• Audit Plan
• Overview of Administrative
• Executive Session (Reunión Ejecutiva)
• Charter
• Performance Evaluation
• Promotions
• Hiring – Rotation – Termination
Proactive Review
• CAE
• Charter (Estatutos)
“The internal auditors should have an independent reporting line directly to the Audit Committee.” SAS #99
“Three principal factors contribute to independence and objectivity: the organizational positioning of the function, the corporate stature of the chief internal auditor, and the reporting of the chief internal auditor to the audit committee.
For day-to-day operational purposes, the chief internal auditor should report administratively to a senior officer who is not directly responsible for preparing the company’s financial statements. The commission encourages an administrative reporting relationship in which the chief internal auditor reports directly to the CEO.” NCFFR (1987)
Best Business Crimes
Mr. Kozlowski had the company’s (Tyco) internal auditors report to the board through himself, and ensured they would not audit a Tyco unit through which the fraudulent loans and other payments were made.
Risk Management Process (Proceso de Administración de Riesgos)
The Risk Complexity Multiplier (El multiplicador de la complejidad de riesgo)
10 x 100 x 1000
Limitations (limitaciones):
• Limited Oversight
• Limited Knowledge
• Limited Experience
• Limited Accountability
• Technology
• Interconnectivity
Factors (factores):
• Chaos Theory
• Prediction
• Butterfly Effect
• Tipping Point
• Organizations (5/9)
• Ethics
• Long-term Planning
• Integration
Status (Estado):
• Check the box
• Reality (Realidad)
Audit Committee (comité de auditoría) of Board of Directors
(oversight)
CEO (Responsibility)
CRO (Execution)
Risk Management (gestión de riesgos)
Auditor in Charge (AIC)
Micro (Engagement Planning)
CAE
Macro (Resource Allocation)
Audit
Priority
(Integration and Linkage) (Integración y conexión)
• Fraud Risk
• Analytics
What does CRMA really mean? (Certified Risk Management Assurance)
ERM Implementation (Endless Activity)
(Adapt to Change)
Risk Environment
• Oversight
• Accountability
• Ownership
• Monitor-Adjust
Need
• Globalization
• Technology
• Information
• Market Volatility
• Interconnectivity
• Staffing
• Rate of Change
Context
Identify
Priority
Risks
• Strategic
• Operational
• Financial
• Compliance
Risk Management
Status
Gap Analysis
Desired ERM
Business Plan
Integration
Dynamic Process
Size
Industry
Strategy
Competition
Cycle
• Challenge
• Change
Continuous Integration
Process
Governance Challenges:
• Control Environment
• Internal Environment
• Goals and Objectives
• Tone at the Top
Governance Integration
What are the five primary reasons controls fail? (¿Cuáles son las 5 razones principales por las cuales los controles fallan?)
1. ________________________________
2. ________________________________
3. ________________________________
4. ________________________________
5. ________________________________
“V O l l” =
Question (Pregunta)
Increase
Sugar 10 Times
Milk 9
Eggs 12
Bacon 16
Stamps 15
Fraud ? Why
Why? (¿Por qué?)
Technically, Ken is innocent.
What are the five primary reasons controls fail?
1. Lack of integrity
2. Weak control environment
3. Inconsistent objectives
4. Poor communication (Up, Down, and Across)
5. Inability to understand and react to changing conditions
Internal Control – Integrated Framework
Internal Control – Failures (Control Interno – Fracasos)
Question: How many of these relate to “Governance”?
Unit B, Activity 2
Monitoring
Info. & Communication
Control Activities
Control Environment (Entorno de Control)
Unit A, Activity 1
Compliance
Financial Reporting
Operations
Challenge (desafío):
• Evolving from Control Activities to the Control Environment
COSO Control (Addressing Governance)
Aggregate (agregado)
Entity (entidad)
Process (proceso)
Unit (unidad)
Risk Assessment
“Management should periodically check the batteries in their moral compass.” GES
Mandatory Audits - Entity
• Employee Survey
• ERM
• Conflict of Interest
• Complaint Process
• Executive Expense Report
• Analytical Audit
• Ethics Audit
• Governance
Audit Plan to Address Governance
• Accruals
• Change
• Reserves (Step #1)
• Transformation Transactions
• Top-side Closing
• Revenue Recognition
• Compensation
Review
• Audit Committee – Best Practices
• Charter
• Checklist
• GAP Analysis
• Documentation
Question: How much time does it take to do an entity level audit?
Approach
• Unit
• Entity
ERM – Conceptual Framework
Division
Business Unit
Subsidiary
Entity
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Info. & Communication
Internal Environment (Ambiente de Control)
Monitoring
Strategic (Estratégicos)
Operations
Reporting
Compliance
Control Components (Componentes del control)
Objectives (Objetivos)
Focus:
• Internal Environment
• Strategies
• Integration
COSO Risk (Riesgo) TIPS
COSO Risk Objectives
• Strategic
• Operations
• Compliance
• Financial
COSO Components
• Control Environment
• Monitoring
• Information & Communication
• Risk
• Control Activities
A
AAA
Question: What is the solution?
Corporate Governance, Risk and Controls (Gobierno Corporativo, Riesgos y Controles)
Risks (Riesgos)
Controls (controles)
Organization
Override (anular)
Objective
Subjective
Job Specificity
Beneficial
Monitoring (monitoreo)
Audit plans from top down that parallel the business plan.
Audit Focus
Pressure (presión)
Opportunity (oportunidad)
Rationalization (racionalización)
Uncertainty (Incertidumbre)
Risk Sources (Fuentes de riesgo)
Condition (Condición)
Changing Circumstances (las circunstancias cambiantes)
Threats (Amenazas)
Opportunities (Oportunidades)
Threats (Amenazas)
Technology (Tecnología)
Opportunities (Oportunidades)
Threats (Amenazas)
Opportunities (Oportunidades)
New Products (Nuevos productos)
Threats (Amenazas)
Opportunities (Oportunidades)
Threats (Amenazas)
International Operations (Operaciones Internacionales)
Opportunities (Oportunidades)
Threats (Amenazas)
Opportunities (Oportunidades)
Regulations (Regulaciones)
Tactical Planning (la planificación táctica)
Strategic Planning (planificación estratégica)
Timely Transparent Reporting
Reasonable Assurance
External:
Uncontrollable
Strategies Operations
Internal:
Controllable
Reporting Compliance
Enterprise Risk Management Integrated Framework (gestión del riesgo institucional del marco integrado)
(Strategies) (Estrategias)
Linkage:
• Objectives
• Risk
• Strategies
Internal Auditing (Auditoría Interna)
Other Governance Challenges for Board, Audit Committee, and CAE
• Technology (Tecnología)
• Continuous Monitoring
• Globalization (Globalización)
• Risk Interconnectivity
• Staffing (Dotación de Personal)
• Business Knowledge
• Technology
• Risk
• Governance
• Control Environment
• CFIA
• CBOK
• Surveys
• Critical Thinking
• Hours of Preparation
• Who Studies
• Fraud (Fraude)
• Detection to Prevention
• Detrimental to Beneficial
• Analytics (Análisis)
• Integration
• Monitoring Process
• Audit Process
• Embody
• Governance
Preguntas y Respuestas
Questions & Answers
Contact Information
Glenn E. Sumners, DBA, CIA, CFE
gsumners@hotmail.com
www.sumnersauditservices.org
225-445-4565
8222 Walden Road
Baton Rouge, LA 70808 USA
Conclusions
The primary challenge of the internal audit profession will be fulfilling the prime directive to add value through
enhancing governance, risks, and controls.
These challenges will lead to the job enlargement and job enrichment of the profession.