TRANSCRIPT
Session 3
An Effective Internal Audit Function
PricewaterhouseCoopers Page 2
The fundamentals of an Internal Audit Function
Session 3 – An effective internal audit function
– Structure
– IA charter
– Protocols
Organisational structure – where does IA fit in?
The preferred organisational structure for IA reporting
Organisation chart (labels only): Board; Audit Committee; CEO / CFO; Divisional management; Internal Audit.
Why?
Internal Audit Charter
An appropriately positioned IA function looks and acts like another operational
division within the business. This requires an agreed mandate or charter which
clearly sets out:
– The mission, strategic focus and role of IA
– IA’s primary stakeholders and their key expectations
– How IA will operate to support the overall corporate strategy
– The key metrics by which the success of IA will be assessed
The charter should be revisited each year.
Communication Plan
The detail behind the IA charter:
– Key deliverables and tasks
– IA team responsibilities
– Reporting timetable and deliverables
– Engagement planning and execution
– Example reports
– Quality assurance
Complementary Risk Activities – Combined Assurance
– Collaboration between assurance providers
– Develop a common view of risk to the organisation
– Presents to the Board how key risks are being covered by assurance providers
– This is more than developing improvements in risk-based internal auditing
Diagram (labels only): assurance need “Today” versus “Tomorrow”. Assurance providers shown: Legal; External Audit; Treasury; CSR; Health & Safety; SOX; Risk; Compliance; Internal Audit; Co Secretary.
Today:
– No single view of assurance across the organisation
– Differing perspectives on risk (audit vs business, inherent vs residual, BU vs Group)
– Potential for duplication and gaps in assurance
– Little Board/AC level visibility of the linkage between sources of assurance
Scope of Internal Audit – The Internal Audit Continuum
Alignment with stakeholders’ value drivers will be reflected in internal audit’s position on the migration model.
Each business needs to consider the right mix for their circumstances, and the right answer will depend on the expectations of key stakeholders.
Continuum diagram (labels only), running from “Controls-focussed” to “Value-add”: Stand-alone function / Management participation; Transaction oriented / Business process oriented; Traditional auditing; Financial risk management; Enterprise risk management; Supporting management assessments; Business efficiency; Detection oriented / Prevention oriented; Internal consulting; Risk management continuum.
Delivering additional value by consent
Diagram (labels only): Core internal audit / fundamental assurance / Assessing the present; Improving business performance; Assessing the future / Delivering future value; Understanding the value drivers. Activities shown: Financial systems; Safeguarding assets; Business systems; Corporate Governance; Projects and major contracts; Monetary savings; Process improvement; Efficiency gains; Due diligence; Emerging risks; Systems development; Investment decisions; Strategy.
Internal/external audit working together
– Minimise duplication
– Integrated approach
– Maximise reliance
Diagram (labels only): External Audit and Internal Audit scope, with recognised overlap in audit scope between internal and external audit. Areas shown: Financial reporting; Operational efficiency; Issues of judgement; Compliance; Financial controls; Computer environment; Business processes; Corporate governance.
KPI’s & Balanced Scorecards
Quantitative Measures
• Number of Audits scheduled;
• Number of Audits completed;
• Staff Turnover/Retention;
• Client Satisfaction Ratings;
• Timeliness of Performance Feedback;
• Training/CPE Hours;
• Staff Satisfaction Ratings.
Client Service
• Responsiveness to special requests;
• Delivery of high quality service;
• Management of client expectations;
• Building strong client relationships;
• Effective management of audit teams (meeting career and development objectives, providing timely feedback and balance).
Industry Knowledge
• Development of deep industry knowledge;
• Applying that knowledge to help solve complex client issues;
• Presenting and/or publishing industry topics;
• Assisting in the development of IA practice aids or tools;
• Developing and contributing best practices, emerging issues and industry trends.
People Development
• Coaching
• Development
• Mentoring
• Training
• Recruiting
Technical Development
• Development of relevant technical knowledge:
  • Internal Audit
  • Accounting
  • Regulatory
  • Technology
Innovation
• Number of best practices identified & communicated within company or IAD;
• Number of hours spent in industry or other specialized training;
• Involvement in Professional Organizations (IIA, CPA, etc.);
• Thought Leadership;
• Use of technology in audits;
• Creativity and efficiency;
• Enhanced audit process.
Measuring performance and value of internal audit
Illustrative Balanced Scorecard
People
• Quality of leadership and staff
• Appropriate use of specialists
• Understanding of business and global environment
• Chemistry / culture fit
• Commitment / manager involvement
• Development of internal resources
Audit Process Effectiveness
• Rapid and effective start-up
• Effective and timely communications
• Development and delivery of practical and reasonable recommendations to improve governance, risk management and control processes
• Overall customer satisfaction
Risk Management
• Linkage of key business risks identified
• Percentage of audit activities addressing key business risks
• Adaptability and responsiveness to emerging risks
• Understanding and fulfilling the needs and expectations of stakeholders
Value to the Business
• Opportunities for savings from issues identified
• Delivery of services on time and in budget
• Enhanced revenues and cash flows
• Responding to urgent requests
• Completion of plan
Session 5
Risk Assessment and Developing the Annual Audit Plan
Risk Management Process
Example of a risk management process
Session 5 - Risk Assessment and Developing the Annual Audit Plan
Aligning risks, responses and reporting as part of business planning:
1. Risk identification
– Assess business environment
– Review strategic objectives
– Identify related key risks across entire business
2. Prioritisation
– Assess impact of risks (quantitative and qualitative)
– Assess likelihood
– Assess time horizon (near term v. long term)
3. Response assessment
– Review current approach to mitigating risk, and rate its adequacy, e.g. requires significant action / requires some action / well controlled
– Plan improvement actions
4. Reporting
– Summarise in risk report
– Discuss with Group
The building blocks of embedded risk management
Diagram (labels only): Corporate Risk Framework; Risk map, policy and language; Risk organisation and structure; Risk management style; Risk management process; Risk reporting; Standards and monitoring; Accountability and responsibility; Policies; Performance measures; Rewards; Organisation culture; Project risk management framework; Incident reporting; Business planning; Corporate communications; Ethics and social responsibility; Code of conduct; Statement of ethics.
The COSO II ERM Framework
The framework provides:
– A definition of enterprise risk management
– The critical principles and components of an effective enterprise risk management process
– Direction for organizations to use in determining how to enhance their risk management
– Criteria to determine whether their risk management is effective, and if not, what is needed
– Illustrations of how critical principles may look within an organization
– An overview of an implementation process
– Illustrations that consider varying entity:
  – Size
  – Strategy
  – Industry
  – Complexity
The Framework Empowers Management and the Board to …
– Leverage existing risk management processes
– Ask the right questions so they can be confident of reports made to key constituencies
– Evaluate the effectiveness of their risk management
– Identify ways to improve risk management
– Integrate enterprise risk management and internal control
– Integrate entity performance management and enterprise risk management
COSO II - The Framework
– Starts with objectives:
  – strategic
  – operations
  – reporting
  – compliance
– Applies to activities at all levels of the organisation
– Has eight interrelated components
Risk Management Maturity Framework
Five stages, evolving over time: Risk naive → Risk aware → Risk defined → Risk managed → Risk enabled. For each stage the slide gives the key RM characteristics and the IA role.
Risk naive
Key RM characteristics:
• No formal risk management (RM) approach
• Risks managed locally and informally
IA role:
• Promoting risk management within the business
• Audit risk assessment drives audit planning
Risk aware
Key RM characteristics:
• Silo / ad-hoc approach to RM
IA role:
• Promoting enterprise-wide RM
• Facilitating communication between silos on good practice
• Audit risk assessment drives audit planning
Risk defined
Key RM characteristics:
• Risk appetite defined
• RM approach defined and documented
IA role:
• Facilitating / driving the risk management process
• Risk assessment drives audit planning
Risk managed
Key RM characteristics:
• RM process driven by management
• RM linked to objectives
• Board reviews and manages key risks
IA role:
• Providing assurance on adequacy of the risk management process
• Risk assessment drives audit planning
Risk enabled
Key RM characteristics:
• RM embedded in: business planning / acquisitions / project management / capex appraisals / performance monitoring
IA role:
• Risk-based annual audit plan
• Risk-based reviews covering business, operational, financial and compliance risks
Internal Audit’s role in Risk Management
– IA takes on a huge variety of roles in practice
– In many companies it falls to IA to facilitate implementation
– Best model is for IA to be:
  – champion of the risk management process; and
  – centre of expertise on risk and control matters
– IA should not own the process
– IA should use outputs to develop/modify the annual plan, BUT may need to perform their own risk assessment as well
Risk Assessment
Global Internal Audit Services Manual – Module overview
The internal audit methodology is depicted in the framework below:
Framework diagram (labels only). Phases: Pre-Engagement Activities; Stage I: Engagement planning; Stage II: Project Activities; Stage III: Quality Assurance. Manual sections: Section 2: Range of Services; Section 3: Risk Management; Section 4: Client Communication; Section 5: Risk assessment and Audit Plan; Section 6.1: Planning and Scoping; Section 6.2: Execution; Section 6.3: Reporting; Section 6.4: Wrap Up; Section 6.5: Follow Up; Section 7: Working Practices.
Mandatory requirements (Global ISA manual section 5)
– For sourcing engagements where we have responsibility for driving the development of the internal audit plan, perform high quality risk assessment and audit plan formulation with the input and final approval of management and the audit committee
– On other sourcing engagements, try to make a positive impact on the client’s process through advice and cooperation
– Use industry and functional specialists to better understand risks and to identify the best type of project to add to the audit plan
Risk Assessment Considerations
– Changed operating environment
– New personnel
– New or revamped information systems
– Rapid growth
– New technology
– New products or activities
– Corporate restructuring, acquisitions, disinvestments
– Prior history of problems
Diagram labels: Probability; Materiality
Risk assessment
Diagram (labels only): Probability (Likelihood) against Impact; factors shown: Strength of control environment; Change; Complexity of Operations; Materiality.
• Budget/actual $ value / Transaction volumes processed
• Extent area impacts on achievement of business objectives
• Regulatory compliance / reputation impact
• History of incidents, culture, supervision structures, etc
• Last audit results
• Management views & concerns
• Internally - processes and people / management
• Externally - regulatory requirements
Inherent and Residual risk
Inherent Risk Assessment: This is performed to assess risks that are direct results of both external and internal factors BEFORE any controls or responses are applied.
Residual Risk Assessment: This is performed to assess the remains of the inherent risk assessment AFTER the effect of any applied controls or responses.
Diagram labels: Applied Controls; Internal Audit Focus.
Risk based planning – Inherent and Residual
Audit Universe + Risk Assessment + Risk Appetite = Audit Plan
Chart (labels only): Impact (Low – High) against Probability (Low – High), showing Inherent risk, Residual risk and Desired risk; Internal Audit focus; Risk Management / Management’s focus.
Bridging the 'gap' – 1 step or 2
Diagram (labels only): Risk exposure / Exposure management. (1) Risk; (2) Existing effective control; Actual residual risk ranking; GAP; (3) Treatment plan; Desired residual risk ranking; Acceptable residual risk.
Risk responses: actions taken to bring a risk to within, and maintain it at, an acceptable level - should be agreed upon
Avoidance – Exiting the activities giving rise to risk. Risk avoidance may involve exiting a product line, declining expansion to a new geographical market, or selling a division.
Reduction – Action is taken to reduce risk likelihood or impact, or both. This typically involves any of a myriad of everyday business decisions.
Sharing – Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Common techniques include purchasing insurance products, engaging in hedging transactions, or outsourcing an activity.
Acceptance – No action is taken to affect risk likelihood or impact. It includes “self-insuring” against loss, relying on natural offsets within a portfolio, accepting risk as already conforming to risk tolerances.
– In considering its response, management assesses the effect on risk likelihood and impact as well as cost
– For many risks, appropriate response options are obvious and well accepted
– For other risks, available options might not be readily apparent, requiring investigation and analysis
Session 5: Case study – Workshop – Participants Material
Risk Assessment Case study
Exercise: Perform a risk assessment
You are Executive level management of your company, XYZ Chemicals Plc, a multinational with manufacturing, distribution and retail operations around the globe.
You are participating in a risk assessment workshop today with your colleagues.
– Consider and set the Risk Appetite, or rating criteria for the company
– Identify 5 major risks of your company
– Rate and Rank the risks in terms of Impact and Likelihood
– Identify Management Action to mitigate risk
Part one: Consider and set the Risk Appetite
– Draw a heatmap indicating your group’s interpretation of a catastrophic and a negligible risk
– Set values to these using the heatmap
– Remember you shouldn’t just consider financial impact!!
– You have 15 minutes to do this
Heatmap axes: Impact; Likelihood
Identified risks will be rated based on impact and probability, and risk maps will be generated to prioritise risks.
This is an example only of an actual risk scale:
Impact | Financial impact in terms of change to COMPANY total funding, expenditures or losses | Human resource impact in terms of negative changes in Global Staff Survey | Reputation Impact | Strategy impact
1 | Less than $500k | Less than 0.5% | No external comments | No impact on strategy
2 | $500k-5m | 0.5% - 1% | Isolated external comments within the country | Internal dialog on strategy
3 | $5-25m | 1% - 3% | Several external comments within the country | Elements of strategy must be re-visited
4 | $25-100m | 3% - 5% | Comments in international media / forum | Revision of overall strategy needed
5 | Greater than $100m | Greater than 5.0% | Reports in key international media for more than 2 days | Overhaul of strategy needed
Probability | Definition | Description
1 | Unlikely | No occurrence expected in the next 5 years
2 | Uncertain | 1-2 occurrences expected in the next 5 years
3 | Possible | 1-2 occurrences expected in the next 2-3 yrs
4 | Sometimes | Multiple occurrences expected in the next 2-3 years
5 | Often | Multiple occurrences expected in the next year
Heat map
Heat-map diagram (labels only): Probability against Impact. Action zones: Monitor; Programmed Action; Red Flag: Action required; Red Flag: Immediate action required.
Part 2: Identify 5 major risks of your company
– Describe and Number your risks
– Rate and Rank the risks in terms of Impact and Likelihood from an inherent risk point of view
– Plot the risks on the heatmap (on a Flipchart)
Heat-map zones as before: Monitor; Programmed Action; Red Flag: Action required; Red Flag: Immediate action required.
Part 3: Identify 5 major risks of your company
– Consider those controls that you would expect to see in place against each of those risks
– Now Rate and Rank the risks in terms of Impact and Likelihood from a residual risk point of view, taking into account the controls you believe to be in place
– Plot the risks on the heatmap (on a Flipchart)
Heat-map zones as before: Monitor; Programmed Action; Red Flag: Action required; Red Flag: Immediate action required.
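Worked example, added here and not part of the PwC material: it encodes the XYZ Chemicals rating scale from the case study, places a risk in the heat-map action zones, and carries the Part 2 inherent rating through the Part 3 residual rating to the "gap" against the risk appetite. The heat-map cut-offs, the worst-dimension rule for overall impact, and the model of a control as rating points removed are assumptions; the sample risks are constructed.

```python
"""Rating, ranking and residual scoring on the XYZ Chemicals case-study scale (added example)."""
from dataclasses import dataclass, field

RATINGS = range(1, 6)  # the page's 1-5 scales; probability 1 = Unlikely ... 5 = Often

def financial_rating(loss_usd: float) -> int:
    """Financial impact column: <$500k=1, $500k-5m=2, $5-25m=3, $25-100m=4, >$100m=5.
    Assumption: a value on a band boundary takes the higher band."""
    return 1 + sum(loss_usd >= band for band in (5e5, 5e6, 25e6, 100e6))

def staff_survey_rating(negative_change_pct: float) -> int:
    """Human resource column: negative change in Global Staff Survey, <0.5%=1 ... >5%=5."""
    return 1 + sum(negative_change_pct >= band for band in (0.5, 1.0, 3.0, 5.0))

def check_rating(rating: int) -> int:
    """Reputation, strategy and probability are rated directly on the 1-5 scale."""
    if rating not in RATINGS:
        raise ValueError(f"ratings are 1-5, got {rating!r}")
    return rating

def heat_map_action(impact: int, probability: int) -> str:
    """Page's four heat-map actions; the cut-offs on impact x probability are an
    assumption, since the page shows the zones but not the cell boundaries."""
    score = check_rating(impact) * check_rating(probability)
    if score >= 15:
        return "Red Flag: Immediate action required"
    if score >= 10:
        return "Red Flag: Action required"
    if score >= 5:
        return "Programmed Action"
    return "Monitor"

@dataclass
class Risk:
    number: int
    description: str
    financial_loss_usd: float
    staff_survey_drop_pct: float
    reputation: int   # 1-5, reputation impact column
    strategy: int     # 1-5, strategy impact column
    probability: int  # 1-5, probability scale
    # Assumed control model: each control removes (probability points, impact points).
    controls: list = field(default_factory=list)

    def inherent(self) -> tuple:
        """(impact, probability) before controls; overall impact = worst dimension (assumption)."""
        impact = max(financial_rating(self.financial_loss_usd),
                     staff_survey_rating(self.staff_survey_drop_pct),
                     check_rating(self.reputation), check_rating(self.strategy))
        return impact, check_rating(self.probability)

    def residual(self) -> tuple:
        """(impact, probability) after the controls believed to be in place (Part 3)."""
        impact, probability = self.inherent()
        for prob_cut, impact_cut in self.controls:
            probability, impact = max(1, probability - prob_cut), max(1, impact - impact_cut)
        return impact, probability

def score(risk: Risk, residual: bool = False) -> int:
    impact, probability = risk.residual() if residual else risk.inherent()
    return impact * probability

def rank(risks: list, residual: bool = False) -> list:
    """Part 2 / Part 3 ranking: highest heat-map score first, impact as tie-break."""
    impact_of = (lambda r: r.residual()[0]) if residual else (lambda r: r.inherent()[0])
    return sorted(risks, key=lambda r: (score(r, residual), impact_of(r)), reverse=True)

def gap_to_appetite(risk: Risk, acceptable_score: int) -> int:
    """'Bridging the gap': how far the actual residual score sits above the desired residual
    (the acceptable score stands for the risk appetite the workshop sets in Part 1)."""
    return max(0, score(risk, residual=True) - acceptable_score)

# Constructed sample risks for XYZ Chemicals; values are illustrative, not from the page.
SAMPLE_RISKS = [
    Risk(1, "Chemical release at a manufacturing site", 60e6, 4.0, 5, 4, 3,
         controls=[(1, 0), (0, 1)]),  # e.g. process-safety programme, insurance cover
    Risk(2, "Loss of a key distribution contract", 8e6, 0.2, 2, 3, 4, controls=[(1, 0)]),
    Risk(3, "ERP cut-over errors in retail operations", 2e6, 1.5, 1, 2, 5, controls=[(2, 0)]),
]
```

Running `rank(SAMPLE_RISKS)` and `rank(SAMPLE_RISKS, residual=True)` shows the ordering change the workshop is designed to surface: risk 1 heads the inherent ranking but, once its controls are credited, drops below the two risks whose controls only trim probability.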
Developing the audit plan
Risk based planning – Audit Universe
Definition: The total population of auditable areas and locations
– The audit universe should include a complete list of all auditable areas within the business
– It should also include a full list of locations within the business
– The risk assessment should be applied to the audit universe
Risk based planning – Risk Appetite
Definition: The degree of risk an organisation will accept to achieve business goals
– Over how many years does management want the whole of the audit universe covered?
– How often should each location be visited?
– What does management see as core financial or business as usual processes?
– How often should core financial / business as usual processes be reviewed?
– How often (if ever) should low risk processes be reviewed?
– Does management want to cover all high/low processes over a period of time?
Risk based planning – How does it really work?
Diagram (labels only): Audit Universe; Business Risk Assessment; Risks well managed; Risks requiring management action; Change; Business as Usual / assurance; Corporate risk appetite; Key risk areas to cover – high and low; Number / frequency of locations to be visited; Reviews for inclusion in Audit plan.
Developing the plan – some considerations
Key indicators for reviews to include in the plan
• Consider the following movements in your risk assessment that may
Annual plan – Example 1 (continued)
Key focus areas for 2006-07
In establishing the internal audit plan for the next 12 months, the following key risks/issues have been considered and addressed:
Risk / Issue | Divisions in scope (DIV A–F) | Internal Audit Approach
Price and margin control and optimisation | ✓ ✓ ✓ ✓ ✓ ✓ | A continuing focus on the management of price strategy and its consistent implementation for the business subject to review this year.
Inventory management | ✓ ✓ ✓ | Focus on management control processes adopted to control inventory levels, realisable value and physical security, particularly in A & B divisions.
Credit management | ✓ ✓ ✓ ✓ ✓ ✓ | Focus on credit control procedures adopted in the businesses reviewed.
Effective implementation of new systems, and efficient use of new systems to avoid work arounds | ✓ ✓ ✓ ✓ | Review of adoption at the sites 6 to 9 months following implementation of new systems.
Effective implementation of new initiatives | ✓ ✓ | Review the new control procedures, and the level of compliance with those procedures, to assess whether a level of control appropriate to a national centralised function has been established.
Review of key processes at J/V in Trinidad.
Annual plan – Example 2
Focus of Audit Effort (pie chart): Core Business Processes; Financial & Compliance risks; Projects; Support Processes – shares shown as 44%, 25%, 6% and 25%.
Key Risks Identified for IA Focus
1. Supply chain may not be operating optimally and effectively
2. Support centre that does not fully support businesses; financial controls over supplier payments may not be operating effectively
3. Management information and KPIs may not properly support management of key risks
4. Benefits not realised from investment proposals and projects
5. Store operations – inconsistent and inappropriate stores processes
6. Changes to systems and processes may not be properly implemented
7. Product contamination food/safety & OH&S compliance
Key Audit areas
End to end review of the procure to pay processes
▪ Controls and business processes are effective and efficient
▪ Consistency of practices across the group
▪ Recommendations for improvements
Duplicate payments review
▪ Potential financial recovery of duplicate payments
▪ Assessment of controls effectiveness
▪ Reduced risk of inappropriate or invalid transactions
Management information on risks and controls
▪ Management information to support monitoring and reporting of risks and effectiveness of internal controls
Benefits realisation from projects & capital expenditure
▪ Effectiveness of monitoring of benefits realised from projects implemented
▪ Consistency of capex proposal processes across business units, particularly on ensuring benefits are realised
Store audit program
▪ Review effectiveness of the store audit process adopted by Retail Operations
▪ Opportunities for improving procedures and getting better consistency across the network
IT Changes & Upgrades
▪ Review changes to the systems and key processes resulting from system changeovers including POS2 implementation at Freedom and changes in Steinoff
OH&S and Food Safety
▪ Assessment of whether key risks identified are properly mitigated for Bay Swiss
▪ OH&S review in manufacturing
Finalising the audit plan
Flow diagram (labels only): Output from risk assessment; Management evaluation / prioritization of risk assessment; Link risk assessment to strategic / operational plans; Present Management with a draft plan; Consider management preferences; Finalise audit plan.
Exercise Part 4 - Developing an audit plan
You have been given a risk assessment report for Company XYZ.
Using the report determine the top 5 audits you would include in your plan and why.
You have 20 minutes to do this.
PwC’s risk based planning approach – Global IAS Manual
Flow diagram (labels only): Business Objective Achievement Timeframe (Immediate – Long Term) and Mgmt Concern (Low – High) plotted against Likelihood of Occurrence (Low – High); risks classed as Strategic, Critical and Most Critical. Planning: Inherent risk assessment? Knowledge of control effectiveness (No / Yes); Inherent Risks; Residual Risks; Develop Risk Profile; Report to Audit Committee, Management & Other Internal Audit Stakeholders.
Thank you