progressing corporate governance from compliance to competitive advantage building a world class...
TRANSCRIPT
Progressing Corporate Governance From Compliance to Competitive AdvantageBuilding a World Class Audit Organisation
Building a World Class Audit Organisation 2
Today’s Agenda
• Why transform?
• Building a World Class Internal Audit Organisation
• Quality Assurance
• Final Thoughts
June 12, 2015
Building a World Class Audit Organisation 3
Why transform?Drivers of Change
June 12, 2015
Building a World Class Audit Organisation 4
The Internal Audit Timeline
• First wave of transformation driven by corporate failures at the turn of the century• Internal audit functions existed, redflags identified, and implications were
correctly assessed• Deficiencies in Internal Audit framework inhibited proper response to issues
• Rebuilding of public trust placed significance on remedying weaknesses• Financial services sector regulators reassessment of role, responsibility and
effectiveness of Internal Audit as key element of safety and soundness of system• Underscored Board responsibility for oversight and functioning of Internal
Audit; definition of attributes of “high performance” function
June 12, 2015
Building a World Class Audit Organisation 5
The Internal Audit Timeline
• Second wave driven by global financial crisis (circa. 2008)• Crisis characterised as a “failure in risk management”• Internal Audit acknowledged as being uniquely positioned to assist
organisations understand and address risks and challenges• Increased expectations of stakeholders• Status quo cannot be maintained!
June 12, 2015
Building a World Class Audit Organisation 6
The World Tomorrow….
• Rapid change over the last 10 years is expected to continue for at least next five..
• Growth is a major priority, but little scope for organic expansion
• Growth based on strategic initiatives• New products and services• New geographic markets• Mergers and acquisitions• Joint ventures and strategic alliances
• Shift in risk focus from operational to strategic
June 12, 2015
Building a World Class Audit Organisation 7
The World Tomorrow….
• Regulatory change and complexity remains a priority, but the following must also be considered…• Government policy changes• Data security and privacy• Cost pressures• Changing consumer behaviours (social media, digital, mobile delivery
channels)• Emerging technologies• Shifts in competition
June 12, 2015
Building a World Class Audit Organisation 8
Building a World Class Internal Audit OrganisationAttributes of a High Performing function
June 12, 2015
Building a World Class Audit Organisation 9
Attributes of a High Performing function
June 12, 2015
• Focus on critical risks and issues
• Match talent model to the value proposition
• Leverage technology efficiently
• Enable a client service culture
• Deliver cost-effective services
• Engage and manage stakeholder relationships
• Promote quality improvement and innovation
• Align value proposition with stakeholder expectations
Building a World Class Audit Organisation 10
Focus on critical risks and issues
• The audit planning risk assessment and resource allocation is based on a top-down, strategic view of business risks
• The audit plan contains sufficient flexibility to respond to emerging risks and business issues
• Enterprise, emerging, and fraud risks are captured in the risk assessment
• Internal Audit has a clearly defined role in governance, risk and compliance (GRC) assurance
June 12, 2015
Building a World Class Audit Organisation 11
Match talent model to value proposition
• An appropriate mix of core internal audit skills and specialist staff exists to complete required activities in the Internal Audit mission and vision
• A formal career path for Internal Audit staff has been defined and is supported by senior management
• A continual learning and development model exists to improve internal audit’s knowledge of the business, experience, and credentials
• Staff performance is measured against the mission/vision of Internal Audit
June 12, 2015
Building a World Class Audit Organisation 12
Leverage technology effectively
• Audit management systems are used to improve audit effectiveness and efficiency
• Technology is used to improve audit process through data retrieval and testing
• Continuous audit techniques are leveraged to increase audit coverage and provide early warning of risk indicators
• Specific steps are taken to capture and share knowledge throughout the business
• GRC tools are used to leverage to ensure related activities are efficiently and effectively integrated
June 12, 2015
Building a World Class Audit Organisation 13
Enable a client service culture
• Training plans include elements to improve business acumen, judgement, and perspective
• All services provide balance, independence, objectivity and value
• Cultural bias towards customer service
• Metrics measure customer satisfaction based on stakeholder expectations
June 12, 2015
Building a World Class Audit Organisation 14
Deliver cost-effective services
• The staffing model effectively leverages management, staff, geographic and external resources to efficiently complete audit activities
• Productivity is actively measured and managed to ensure the most cost-effective delivery of services
• Audit processes are standardized and simplified to be cost effective
• Investments in audit infrastructure are based on a disciplined ROI approach
June 12, 2015
Building a World Class Audit Organisation 15
Engage and manage stakeholder relationships
• Stakeholders perceive Internal Audit as operationally excellent, a key business partner, and where appropriate, a provider of strategic support
• Capture expectations, communications strategies, and timelines
• Seek feedback regularly and capture on both one-on-one and survey basis
• Communicate value delivered to stakeholders on a periodic basis
June 12, 2015
Building a World Class Audit Organisation 16
Promote quality improvement and innovation
• Applicable quality standards have been defined and communicated
• Formal quality reviews are completed on a regular basis to ensure improvement opportunities are identified and addressed
• Innovation is embedded in the culture of Internal Audit and is consistently fostered and rewarded
June 12, 2015
Building a World Class Audit Organisation 17
Align value proposition with stakeholders’ expectations
• Mission and vision and clearly articulated and communicated
• Scope of services are well defined and communicated
• A strategic plan captures vison and milestones toward the desired future state
• The balanced scorecard includes metrics to measure progress toward the stated mission and vision
June 12, 2015
Building a World Class Audit Organisation 18
Where are we now?
• Attributes have been generally embraced and used as the basis for strategic Internal Audit development and improvement initiatives
• Varying degrees of success in meeting objectives
• Dynamic business environment has necessitated some tailoring
• Going forward, four priority areas have been identified:• Risk focus• Talent model• Business alignment• Technology
June 12, 2015
Building a World Class Audit Organisation 19
Risk focus
• Given changes to models, strategic risks are three times more likely to adversely impact business entities than operational risks
• Shift from assurance role to consulting focus (trusted advisor)
• Changing risk landscape requires Internal Audit to be involved at the optimal time to enable focus on strategic risk ahead of risk occurrence• Proactive perspective on transformational initiatives• Evaluation of risks related to strategic options• Evaluation of risks as part of ongoing initiatives
• Strong relationships across functions a must
• Adoption of a “how-we-can-help” mind set
June 12, 2015
Building a World Class Audit Organisation 20
Risk focus
• Internal Audit is not involved in developing or critiquing strategic initiatives , but should assess:• Project governance, management and supporting processes• Key risks• Business processes• Innovation and execution risks• Product/service development• Key project metrics and benefits realization• Processes for communication of key risks
June 12, 2015
Building a World Class Audit Organisation 21
A Proactive perspective
47
20
24
9
Proactive deployment of Internal Audit
Providing a proactive perspective and recommendations on internal control - before risk occurrence
Identifying risks during annual risk assessment process
Auditing processes and controls post-implementation
Auditing process and controls after risk occurrence
June 12, 2015
Building a World Class Audit Organisation 22
Talent and business acumen
• Disruptive business models require evolution of Internal Audit skill-sets, but little change over the last 10 years
• Limits audit scope and coverage – audit to skill-sets and not risks
• Talent gap fuels poor perception of Internal Audit’s relevance and value
• Proactive acquisition of skills needed to address critical risks is imperative• Specialist IT skills, e.g., cybersecurity, cloud services, mobile computing, ERP• Operational skills, e.g., tax, legal, HR, engineering
June 12, 2015
Building a World Class Audit Organisation 23
Talent and business acumen
• Technical skills alone are not enough!
• Business acumen is critical in achieving:• Understanding of the sectors in which the entity operates• Trends in the industry or sector• Clearly identify and link risks to business imperatives
• Options for development:• Exposure to training in operational areas• Formal rotation programmes
June 12, 2015
Building a World Class Audit Organisation 24
Talent and business acumen
• Effective talent management requires proactive plan to build future skills to stay in step with business initiatives:• Training• Hiring• Third party assistance
• Recognise benefits of co-sourcing or outsourcing to address talent gaps
June 12, 2015
Building a World Class Audit Organisation 25
Business alignment
• Many companies maintain multiple risk management functions, with similar processes:• Identify risks• Assess risks• Assign ownership • Manage• Monitor• Report
• Significant benefits to be realised by aligning three lines of defense – business functions, ERM and other risk and compliance functions, and Internal Audit
June 12, 2015
Building a World Class Audit Organisation 26
Business alignment
• Level of alignment varies significantly in practice:• Silos still exists!• Integration hampered by inadequate governance, different “language”, lack of
common framework and processes• Inefficiencies in risk management framework, resulting in gaps and overlaps
• Alignment and integration results in improved risk management “ecosystem”• Enhanced efficiency in each risk management function• Information regarding risks more clearly and consistently presented to
stakeholders
June 12, 2015
Building a World Class Audit Organisation 27
Business alignment
• Prerequisites for alignment:• Unified enterprise risk framework• Consistent processes across functions• Common evaluation criteria• Clearly defined roles and responsibilities between second and third lines of
defense• Understand scope of work done by second line of defense functions• Evaluate and leverage on work done by second line of defense functions
June 12, 2015
Building a World Class Audit Organisation 28
Business alignment
• Alignment leading practices:• Governance structure includes committee comprised of leadership from
second and third line of defense functions• Role of committee is to coordinate audit and monitoring plans across
functions; review and share results of efforts• On an annual basis, reviews all risks identified by ERM and matches to
assurance functions to determine collective coverage levels• Individual plans revised to address gaps and overlaps
• Results in more holistic coverage, more effective use of internal resources, including specialists
June 12, 2015
Building a World Class Audit Organisation 29
Technology
• Traditionally, extent to which technology was leveraged was limited to automating processes:• CAATs• Documentation of working papers• Development of issue tracking mechanisms• Reporting
• Expanded role of technology driven by amount and accessibility of data; advancements; ease of use; and affordability of tools
June 12, 2015
Building a World Class Audit Organisation 30
Technology
• Advances enable improved leveraging of data to provide greater business insights, increased efficiency, enhanced monitoring, activities, and better risk response
• Requires a mind-set shift to integrate data into all phases of audit life cycle
• Enter data analytics…• Traditional approach to risk identification based on combination of executive
meetings and use of limited financial data• May be subjective, especially in the absence of adequate business acumen
• Shift to use of data analytics in risk identification• Identification of risks, basis of resource allocation
June 12, 2015
Building a World Class Audit Organisation 31
Technology
• Implementation of data analytics is not an easy process and will require significant investment in tools and other resources
• Consider pilot data programmes:• Provide proof of concept for Internal Audit and stakeholders• Expose practitioners to working with data, and improve proficiency• Quick wins drive momentum
June 12, 2015
Building a World Class Audit Organisation 32
Finding True North
• True North is a lean concept developed by Toyota Motor Corporation• A fixed orientation point, designed to guide organisation from current state
to where it wants to be• In an environment of rapid transformation, it is easy to lose focus and/or fall
behind• Applicable to Internal Audit, given need for function to evolve to remain
relevant and valuable contributor to the business• Critical that Internal Audit develops a strategic plan to complement audit
plan• Focus on what Internal Audit needs to do to evolve, improve, and deliver
value to the organisation
June 12, 2015
Building a World Class Audit Organisation 33
Quality AssuranceMeeting and Exceeding Expectations
June 12, 2015
Building a World Class Audit Organisation 34
A demanding environment
• Increased focus on effective governance• Audit committees and executive management are demanding more of
internal audit• Demanding higher levels of internal audit quality in order to meet director
level oversight responsibilities
June 12, 2015
Building a World Class Audit Organisation 35
Achieving and maintaining audit quality
• To comply with the International Standards for the Professional Practice of Internal Auditing, Internal Auditing departments must:• Implement a quality assurance and improvement program• Secure an external quality assurance review every five years
• Initial five-year window for securing an external quality assurance review closed on December 31, 2006
June 12, 2015
Building a World Class Audit Organisation 36
Expectations of quality are pervasive
• Compliance with International Standards for the Professional Practice of Internal Auditing is reinforced by PCAOB Standard 2:
“Internal auditors normally are expected to have greater competence with regard to internal control over financial reporting and objectivity than other company personnel. This is particularly true in the case of internal auditors who follow the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors.”
June 12, 2015
Building a World Class Audit Organisation 37
The quality assurance requirements
External QualityAssessment Reviews
Periodic InternalQuality Assessments
Ongoing Monitoring of Internal Audit Quality
June 12, 2015
Building a World Class Audit Organisation 38
Benefits of external quality assurance review
• Provides an independent assessment that Internal Audit is complying with globally recognized standards
• Affirms that Internal Audit is serving as a reliable source of information for risk, control and governance within the enterprise
• Compares the performance of the Internal Audit group to that of its peers
• Determines if Internal Audit has the right reporting structure, people and skill sets to address enterprise-wide risk and governance issues
• Assesses key stakeholder expectations of the function
• Determines whether Internal Audit processes and practices are aligned effectively with stakeholder expectations
• Explores how to raise the stature and visibility of the Internal Audit function
June 12, 2015
Building a World Class Audit Organisation 39
Beyond compliance
• Our experience shows leading companies:• View compliance with the standards as a mandatory and prerequisite• Seek to create strategic value from the external quality assurance review • Have already had external quality assurance reviews
June 12, 2015
Building a World Class Audit Organisation 40
A six-step approach to leveraging on the quality assurance process
• Commit to quality
• Design and implement a quality assurance programme
• Implement policies and protocols
• Conduct an external quality assurance review
• Correct and enhance
• Assess performance
June 12, 2015
Building a World Class Audit Organisation 41
Commit to quality
• Make a deliberate and documented commitment to quality assurance and improvement
• Commitment should be • Recognized as significant• Understood by the Internal Audit department and its stakeholders• Documented in the Internal Audit charter and approved by the audit
committee or the board of directors
• Successful implementation of a quality assurance and improvement program will demand a significant rigor throughout the entire audit process
June 12, 2015
Building a World Class Audit Organisation 42
Design and implement a quality assurance programme
• Build a quality assurance programme consistent with the IIA Standards
• Three components of an effective quality assurance program:• Ongoing monitoring• Periodic internal assessments• External assessments
• “The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.”
June 12, 2015
Building a World Class Audit Organisation 43
Implement policies and protocols
• Establish appropriate policies, procedures and controls to enhance quality and ensure conformance with IIA Standards
• Conduct a GAP analysis
• Benchmark against IIA Standards• 4 attribute standards• 7 performance standards
• Identify areas for improvement and remediate
June 12, 2015
Building a World Class Audit Organisation 44
Implement policies and protocols
Attribute Standards
• Purpose, authority and responsibility (Standard 1000)
• Independence and objectivity (Standard 1100)
• Proficiency and due professional care (Standard 1200)
• Quality assurance and improvement program (Standard 1300)
Performance Standards
• Managing the internal audit activity (Standard 2000)
• Nature of work (Standard 2100)
• Engagement planning (Standard 2200)
• Performing the engagement (Standard 2300)
• Communicating results (Standard 2400)
• Monitoring progress (Standard 2500)
• Resolution of management’s acceptance of risk (Standard 2600)
June 12, 2015
Building a World Class Audit Organisation 45
Implement policies and protocols
Common weaknesses
• Charters
• Reporting structure
• Policies and procedures
• Risk assessment
• Stakeholder input
• Chief audit executive reporting
• Audit tracking systems
In considering essential areas like these, the perspectives and expectations of Internal Audit’s stakeholders (senior management, the audit committee and the external auditor) should provide strong guidance in terms of how the function should assess and report on risks, controls and governance within the organization.
June 12, 2015
Building a World Class Audit Organisation 46
Conduct a quality assurance review
• Significant preparation will be necessary• Refer to the IIA’s Quality Assessment Manual
• Perform a periodic internal GAP analysis and assessment
• Determine type of external quality assurance review to be used• A full external quality assessment• Self assessment with independent validation• Requires extensive preparation, analysis and documentation
June 12, 2015
Building a World Class Audit Organisation 47
Conduct a quality assurance review
• Per the IIA Practice Advisory 1312-1, a full external assessment should address:• Compliance with the IIA standards and code of ethics• Internal audit’s charter, plans, policies, procedures, practices and applicable
legislative and regulatory requirements• Key stakeholder perspectives, including expectations of the board of
directors, audit committee, executive and operational management pertaining to the internal audit department
June 12, 2015
Building a World Class Audit Organisation 48
Conduct a quality assurance review
• Integration of internal audit within the organization’s governance process, including the relationships between and among participating groups
• Tools and techniques for internal audit• Self assessment, including a discussion of the knowledge and experience
held by the internal audit staff, the disciplines represented within the department, and the staff focus on process improvement
• Charter evaluation, a determination as to whether internal audit is fulfilling its charter and organizational expectations
June 12, 2015
Building a World Class Audit Organisation 49
Conduct a quality assurance review
• Select a provider to conduct the external quality assurance review
• Factors to consider:• Value to be delivered beyond simply indicating conformity to the IIA
Standards• The provider’s experience in delivering external quality assurance reviews• Knowledge and internal audit experience of the engagement team• Methodologies to be employed
June 12, 2015
Building a World Class Audit Organisation 50
Conduct a quality assurance review
• Methodology employed should focus on the core processes of internal auditing including:• Organization• Human resources• Technology• Working practices• Communications and reporting• Knowledge management• Performance metrics
June 12, 2015
Building a World Class Audit Organisation 51
Correct and balance
• The quality assurance review report should provide:• A set of actionable recommendations intended to ensure conformity with the
IIA standards and to enhance the strategic performance of the department• A benchmarking analysis that indicates the extent to which Internal Audit
has adopted best practices• An assessment of how well an Internal Audit function is adding value to the
company and meeting the expectations of key stakeholders• A strategic plan directed toward implementing changes needed to improve
performance and value• A tactical plan outlining specific change initiatives
June 12, 2015
Building a World Class Audit Organisation 52
Correct and balance
• Standards require that upon receipt of the final report, the chief audit executive should:• Communicate the results of the quality assurance review to the Audit
Committee• Prepare a written action plan that lays out how Internal Audit will:• Conform to the standards• Enhance its strategic performance, and• Respond to significant comments and recommendations contained in the
report
June 12, 2015
Building a World Class Audit Organisation 53
Assess performance
• Formulate specific action plans to remedy deficiencies
• Continually assess internal audit’s compliance with the standards
• Integrate performance measurement into a quality assurance and improvement program e.g. use of a “balanced scorecard”
June 12, 2015
Building a World Class Audit Organisation 54
Final ThoughtsReflections on our deliberations
June 12, 2015
Building a World Class Audit Organisation 55
Comments and queries?
June 12, 2015
Building a World Class Audit Organisation 56
Thank You!
June 12, 2015
Building a World Class Audit Organisation 57
A parting word….
“Considering the change today in the global risk landscape, boards today are forced to assess the limited resources they have available to provide assurance, as well as
assistance, as their mandate changes and responsibilities increase. This, along with an increased sensitivity to risk, will drive companies to reconsider Internal Audit’s
role and importance. Internal auditors must use this opportunity to gain the confidence of the audit committee, executive management, the board, and in some
circumstances, regulators”
Anton van Wyk, Global Institute of Internal Auditors Chair, South Africa
June 12, 2015
Building a World Class Audit Organisation 58
Contact Information
Compass Advisory Services Inc.8 Glydor GardensClermontSt. James, BB 24023Barbados T: (246) 826 [email protected]
Berkeley GreenidgeManaging Director
Governance . Risk . Compliance
June 12, 2015
Building a World Class Audit Organisation 59
© Compass Advisory Services Inc. All rights reserved.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (expressed or implied) is given as to the accuracy or completeness of the information contained in this publication, and to the extent permitted by law, Compass Advisory Services Inc. does not accept or assume any liability, responsibility, or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
June 12, 2015