internal audit forum - pwc: audit and assurance ... · 16.09.2004 · oimproves understanding of...
TRANSCRIPT
Internal Audit Internal Audit Forum Forum
2424 September September 20022002
Internal Audit Forum
• Welcome and Introduction• Objectives of the Forum• Session 1 Risk & Control Self Assessment
• Presentation by Khun Plaipun Siam Commecial Bank• Questions and Discussion
• Session 2 Internal Audit Transformation• Presentation by PricewaterhouseCoopers• Questions and Discussion
• Future Topics and Ideas
• Next Forum ?
• Concluding Comments
AgendaAgenda
Risk and Control Self Assessment
Internal Audit Forum
what is CSA
the evolution of CSA
a typical risk and control workshop
building CSA into business processes
the benefits from implementing CSA
AgendaAgenda
Internal Audit Forum
Definition
Risk and Control Self Assessment is...the involvement of management and staff in the assessment of risks and internal controls relating to the operations within which they operate.
Key features...
Undertaken by those responsible for managing the operations
process through which risks and internal control effectiveness is examined
structured and documented
continuous
draws out and leverages the collective knowledge and insights
flexible implementation approach
Internal Audit Forum
Evolution of CSA
Gulf Canada Internal Audit noted high correlation between results of control self assessment in controller’s department by managers and staff and overall control effectiveness (1987)
500 CSA Workshops throughout Gulf
Development of internal control models (COSO)
Development of risk based assessments
Tools
Internal Audit Forum
Different approaches to CSA
• Generic Internal Control Questionnaire (ICQ)
• Customised Questionnaires• Control Guides• Interview Techniques• Control Model Workshops• Interactive Facilitated
Workshops
Least contact
Most contact
Internal Audit Forum
A typical Risk and Control Workshop
EducationCommunicate
objectivesIdentify
risksAssess
risks
Develop action plans
Identifycontrols
Assess controls
Strategy
Process
Project
Top 5 Objectives
Operating
Financial reporting
Compliance
Internal Audit Forum
EducationCommunicate
objectivesIdentify
risksAssess
risks
Develop action plans
Identifycontrols
Assess controls
Threat
Uncertainty
Opportunity
Internal
External
A typical Risk and Control Workshop
Internal Audit Forum
EducationCommunicate
objectivesIdentify
risksAssessrisks
Develop action plans
Identifycontrols
Assess controls
Likelihood
Impact
A typical Risk and Control Workshop
Internal Audit Forum
EducationCommunicate
objectivesIdentify
risksAssessrisks
Develop action plans
Identifycontrols
Assess controls
Preventative
Detective
Corrective
Control EnvironmentRisk AssessmentControl ActivitiesInfo & CommunicationMonitoring
A typical Risk and Control Workshop
Internal Audit Forum
EducationCommunicate
objectivesIdentify
risksAssessrisks
Develop action plans
Identifycontrols
Assess controls
Residual risk exposure ?
Effective / Efficient
A typical Risk and Control Workshop
Internal Audit Forum
EducationCommunicate
objectivesIdentify
risksAssessrisks
Develop action plans
Identifycontrols
Assess controls
WhatWhenWho
Report
Sign-off
A typical Risk and Control Workshop
Internal Audit Forum
Critical success factors for CSA
• Executive sponsorship and commitment
• Business line responsibility and commitment
• Common language and process across the organization
• Dedication of appropriate skilled resources
• Monitoring CSA process for quality and consistency
• Build in follow up of CSA action plans into monitoring and reporting process
Internal Audit Forum
Building CSA into Business Processes
• Strategic Planning tool
• Project Management
• Risk and/or control monitoring tool
• Internal Audit tool
Internal Audit Forum
Benefits to the Business
Highly relevant to operational managers
Improves understanding of risks and controls
Increases onus on management to be responsible for design, operation and maintenance of internal controls
Simple to implement
Collaborative - management and internal audit working together
Empowering - line management can to some extent shape their own destiny
Internal Audit Forum
Benefits to Internal Audit
• A “dream come true” for Internal Audit
• Identify fundamental and cultural risks and strengths
• Help detect catastrophic risk before it acquires critical mass
• Management recognise value added
• Audit seen as a business partner
• Directs audit focus
• Basis for a Board report on risk and control
CRSA - Control and Risk Self-Assessment
Understanding, Assessing, Documenting and Communicating Effectively
on
Corporate Risks and Controls
19Internal Audit Forum
Topics
• Understanding Business Strategies
• Aligning Business, Processes and Systems
• Control and Risk Self-Assessment
• Result
Internal Audit Forum
• RISK: “Volatility of value of an asset and the return on this asset in a given market in a given period of time” (Old Economy)
SYSTEMIC AND NON-SYSTEMIC RISKS
SYSTEMIC AND NONSYSTEMIC AND NON--SYSTEMIC SYSTEMIC RISKSRISKS
• RISK: “ Is the measure of uncertainty, complexity or boundary of an investment or enterprise” (New Economy)
Understanding Business Strategies
Internal Audit Forum
• RETURN: “Gain in excess of a return hurdle (SVA) on the allocated capital”(Old Economy)
RISK AND RETURNRISK AND RETURNRISK AND RETURN
• RETURN: “Gain in image, trust, reputation, knowledge and/or reciprocity, financial or not”(New Economy)
Understanding Business Strategies
Internal Audit Forum
RISK AND CONTROLRISK AND CONTROLRISK AND CONTROL
• CONTROL: “Set of activities designed to maintain risk within established boundaries (risk appetite, risk/return)” (New Economy)
Understanding Business Strategies
• CONTROL: “Set of activities designed to maintain business activities and resources use within pre-established goals and guidelines” (Old Economy)
Internal Audit Forum
RISK, CONTROL AND INFORMATIONRISK, CONTROL AND INFORMATIONRISK, CONTROL AND INFORMATION
• RISK: “Degree of uncertainty, complexity or abrangence of a system”
• CONTROL: “Reduces uncertainty, clarifies complexity and evidences abrangence through information”
• INFORMATION: “Data processed in a way that is meaningful to users”
Understanding Business Strategies
Internal Audit Forum
CONSUMERSUPPLIER ORGANISATION
RISK-CONTROL BOUNDARY
CONTROL ENVIRONMENTCONTROL ENVIRONMENT
VALUE CHAIN - PHYSICAL INFORMATION FLOW (VALUE ADDED)
Understanding Business Strategies
Internal Audit Forum
RISK-CONTROL BOUNDARY
CONSUMERSSUPPLIERS
COMPETITORS
ORGANISATION
AFFINITYGROUPS
CONTROL ENVIRONMENTCONTROL ENVIRONMENT
VALUE CHAIN - DIGITAL INFORMATION FLOW (GENERATED VALUE)
Understanding Business Strategies
Internal Audit Forum
CRSA is a methodology used to review:
• key business objectives• risks involved in achieving the objectives• internal control designed to manage those
risks
Control and Risk Self-Assessment
Internal Audit Forum
• Promote awareness of the new business scenario and trends
• Explore the extended enterprise boundaries
• Encourage a culture of sound risk-taking
• Emphasize that control is the duty of everyone
• Nurture common understanding, frame of reference and language
• Seek alignment of business, strategies, risks, controls and resources
• Stimulate the sharing of information through common interests and mutual trust
• Obtain commitment with amply recognised, common business ethics and practices
STRATEGIES AND OBJECTIVESSTRATEGIES AND OBJECTIVES
Control and Risk Self-Assessment
Internal Audit Forum
RESULT
• Key Controls• Summary• Recommended Internal Control - Function• Recommended Internal Control -Company • Internal control Report
Internal Audit Forum
Questions and Questions and AnswersAnswers
IA – A need to Transform
Internal Audit Forum
Agenda
The Need for Transformation in Internal Audit
Some characteristics of best practice
Questions and discussion
Internal Audit Forum
The Ever Changing World
• The New Environment
• “e”
• Change, Change, Change
• More with Less
• Support areas must add value to the overall business strategy
• Real Sensitivity to Risk and Controls
• Focus on business objectives
Internal Audit Forum
Changing Environment for IA
• Understanding “Value” is critical to deploying the right resources and doing the “right” things.
• Internal Audit stakeholders are expecting a breadth of expertisesignificantly beyond traditional internal auditing.
• To deliver value, internal audit resources and capabilities must be “aligned” with stakeholder and organizational value expectations.
• Internal audit must be able to demonstrate and measure its contribution and value delivery.
The Fundamental Question – Are you doing the right things or is there an “Expectation GAP”?
Internal Audit Forum
Dimensions of Internal Audit Value
• Independent assessment of risk and internal control
• Highlight significant changes, issues and concerns
• Partner with business units
• Develop and maintain human capital for the company
• Provide resources for significant company initiatives
• Enhance operational excellence
Source: Forum for Thought Leaders in Internal Auditing - Forces of Change and Transition, March 2000
Internal Audit Forum
Resources
• Collectively have skills over a wide range of areas
• Attention to continuing education (75+ hours per year to each staff member)
• Training plan to address skill needs linked to personal development plans
• Recruitment policy
– best and/or minimum standards
– people with business operations skills
Internal Audit Forum
Methods
• Adopt professional Internal Audit standards
• Procedures documented, updated and communicated
• Work programmes used
• Facilitation techniques used
– develop control self assessment approach
– facilitate workshops
Internal Audit Forum
Reporting - to Line Management
• Timely reports e.g. issues drafted and discussed throughout review
• Use different forms of communications
• Executive summary includes assessment of overall control environment
• Results graded
• Management participate in drafting audit recommendations
• Recommendations are solution based, prioritised and include target dates
• Consider cost / benefit of recommendations
• Short and concise
Internal Audit Forum
Reporting - CEO
• Formal and frequent
• Executive summary
• Comparison of activity to plan
• Continuing / deteriorating problems
• Assessment of overall control environment
Internal Audit Forum
Balanced Scorecard Example
Quantitative Measures•Number of Audits scheduled•Number of Audit Completed•Client Satisfaction Ratings•Staff Utilization
Client Service•Responsive to special requests•Delivery of high quality service•Management of client expectations•Building strong client relationships
Industry Knowledge•Deep industry knowledge• Applying that knowledge to help solve complex client issues
People Development•Coaching•Development
Technical Development• Development of relevant Internal Audit technical knowledge
Innovation• Number of best practices identified
& communicated within company or IAD
Internal Audit Forum
Wrap-Up
• The environment requires constant change and re-alignment of internal audit
• Your odds of successful transformation can be significantly increased if the right approach and support is used
PwC Insight
Successful internal audit functions in the future may have as much in common with change management as they do with the traditional domains of auditing.
Questions Questions and and DiscussionDiscussion
Internal Audit Forum
Richard MoorePartnerInternal Audit ServicesPricewaterhouseCoopers15th Floor Bangkok City Tower179/74-80 South Sathorn RoadBangkok 10120, THAILANDTel: 0-2344-1354Fax: 0-2286-2750Mobile phone: 0-1807-7602E-mail: [email protected]
Varunee PridanondaPartnerInternal Audit ServicesPricewaterhouseCoopers15th Floor Bangkok City Tower179/74-80 South Sathorn RoadBangkok 10120, THAILANDTel: 0-2344-1282Fax: 0-2286-0500Mobile phone: 0-1645-0114E-mail: [email protected]
Contacts
pwc