Session 3 An Effective Internal Audit Function


Post on 12-Oct-2020


Page 1: Session 3 An Effective Internal Audit Function · KPI’s & Balanced Scorecards Session 3 –An effective internal audit function. PricewaterhouseCoopers Page 11 Measuring performance

Session 3

An Effective Internal Audit Function


PricewaterhouseCoopers Page 2

The fundamentals of an Internal Audit Function

Session 3 – An effective internal audit function

– Structure

– IA charter

– Protocols


Organisational structure – where does IA fit in?

The preferred organisational structure for IA reporting

[Figure: organisation chart with boxes Board, Audit Committee, CEO / CFO, Divisional management and Internal Audit]

Why?


Internal Audit Charter

An appropriately positioned IA function looks and acts like another operational division within the business. This requires an agreed mandate or charter which clearly sets out:

– The mission, strategic focus and role of IA

– IA’s primary stakeholders and their key expectations

– How IA will operate to support the overall corporate strategy

– The key metrics by which the success of IA will be assessed

Should be revisited each year


Communication Plan

The detail behind the IA charter

Key deliverables and tasks

IA team responsibilities

Reporting timetable and deliverables

Engagement planning and execution

Example reports

Quality assurance


Complementary Risk Activities – Combined Assurance

Collaboration between assurance providers

Develop common view of risk to organisation

Presents to Board how key risks are being covered by assurance providers

This is more than developing improvements in risk-based internal auditing

[Figure: "Today" and "Tomorrow" views of assurance providers against the Assurance Need. Providers shown: Legal; External Audit; Treasury; CSR; Health & Safety; SOX; Risk; Compliance; Internal Audit; Co Secretary]

No single view of assurance across organisation

Differing perspectives on risk (audit vs business, inherent vs residual, BU vs Group)

Potential for duplication and gaps in assurance

Little Board/AC level visibility of the linkage between sources of assurance


Scope of Internal Audit - The Internal Audit Continuum

Alignment with stakeholders’ value drivers will be reflected in internal audit’s position on the migration model

Each business needs to consider the right mix for their circumstances, and the right answer will depend on the expectations of key stakeholders

[Figure: the internal audit continuum between “Controls-focussed” and “Value-add”. Labels: Stand-alone function; Management participation; Transaction oriented; Business process oriented; Financial risk management; Enterprise risk management; Supporting management assessments; Traditional auditing; Business efficiency; Prevention oriented; Detection oriented; Internal consulting; Risk management continuum]


Understanding the value drivers

[Figure: value drivers diagram. Tier labels: Core internal audit; Fundamental assurance; Assessing the present; Improving business performance; Assessing the future; Delivering future value; Strategy; Delivering additional value by consent. Activity labels: Monetary savings; Process improvement; Efficiency gains; Due diligence; Emerging risks; Systems development; Investment decisions; Corporate governance; Projects and major contracts; Financial systems; Safeguarding assets; Business systems]


Internal/external audit working together

Minimise duplication

Integrated approach

Maximise reliance

[Figure: scopes of External Audit and Internal Audit. Labels: Financial reporting; Operational efficiency; Issues of judgement; Compliance; Financial controls; Computer Environment; Business Processes; Corporate Governance]

Recognised overlap in audit scope between internal and external audit


KPI’s & Balanced Scorecards

Quantitative Measures

• Number of Audits scheduled;

• Number of Audits Completed;

• Staff Turnover/Retention;

• Client Satisfaction Ratings;

• Timeliness of Performance Feedback;

• Training/CPE Hours;

• Staff Satisfaction Ratings.

Client Service

• Responsiveness to special requests;

• Delivery of high quality service;

• Management of client expectations;

• Building strong client relationships;

• Effective management of audit teams (meeting career and development objectives, providing timely feedback and balance).

Industry Knowledge

• Development of deep industry knowledge;

• Applying that knowledge to help solve complex client issues;

• Presenting and/or publishing industry topics;

• Assisting in the development of IA practice aids or tools;

• Developing and contributing best practices, emerging issues and industry trends.

People Development

• Coaching

• Development

• Mentoring

• Training

• Recruiting

Technical Development

• Development of relevant technical knowledge:

• Internal Audit

• Accounting

• Regulatory

• Technology

Innovation

• Number of best practices identified & communicated within company or IAD;

• Number of hours spent in industry or other specialized training;

• Involvement in Professional Organizations (IIA, CPA, etc.)

• Thought Leadership

• Use of technology in audits

• Creativity and efficiency

• Enhanced audit process


Measuring performance and value of internal audit

Illustrative Balanced Scorecard

Scorecard areas: People; Audit Process Effectiveness; Risk Management; Value to the Business

• Quality of leadership and staff

• Appropriate use of specialists

• Understanding of business and global environment

• Chemistry / culture fit

• Commitment / manager involvement

• Development of internal resources

• Rapid and effective start-up

• Effective and timely communications

• Development and delivery of practical and reasonable recommendations to improve governance, risk management and control processes

• Overall customer satisfaction

• Linkage of key business risks identified

• Percentage of audit activities addressing key business risks

• Adaptability and responsiveness to emerging risks

• Understanding and fulfilling the needs and expectations of stakeholders

• Opportunities for savings from issues identified

• Delivery of services on time and in budget

• Enhanced revenues and cash flows

• Responding to urgent requests

• Completion of plan


Session 5

Risk Assessment and Developing the Annual Audit Plan


Risk Management Process


Example of a risk management process

Session 5 - Risk Assessment and Developing the Annual Audit Plan

Aligning risks, responses and reporting as part of business planning

1. Risk identification

– Assess business environment

– Review strategic objectives

– Identify related key risks across entire business

2. Prioritisation

– Assess impact of risks (quantitative and qualitative)

– Assess likelihood

– Assess time horizon (near term v. long term)

3. Response assessment

– Review current approach to mitigating risk, and rate its adequacy, e.g. requires significant action / requires some action / well controlled

– Plan improvement actions

4. Reporting

– Summarise in risk report

– Discuss with Group


Example of a risk management process

The building blocks of embedded risk management

[Figure: building blocks diagram. Labels: Project Risk Mgmt Framework; Incident reporting; Business planning; Corporate comm’s; Ethics and social responsibility; Code of conduct; Statement of ethics; Corporate Risk Framework; Risk Map, policy and language; Risk organisation and structure; Risk management style; Risk management process; Risk reporting; Standards and monitoring; Accountability and responsibility; Policies; Performance measures; Rewards; Organisation culture]


The COSO II ERM Framework

The framework provides:

A definition of enterprise risk management

The critical principles and components of an effective enterprise risk management process

Direction for organizations to use in determining how to enhance their risk management

Criteria to determine whether their risk management is effective, and if not, what is needed

Illustrations of how critical principles may look within an organization

An overview of an implementation process

Illustrations that consider varying entity:

– Size

– Strategy

– Industry

– Complexity


The Framework Empowers Management and the Board to …

Leverage existing risk management processes

Ask the right questions so they can be confident of reports made to key constituencies

Evaluate the effectiveness of their risk management

Identify ways to improve risk management

Integrate enterprise risk management and internal control

Integrate entity performance management and enterprise risk management


COSO II - The Framework

Starts with objectives:

– strategic

– operations

– reporting

– compliance

Applies to activities at all levels of the organisation

Has eight interrelated components


Risk Management Maturity Framework

[Figure: maturity stages shown as evolution over time: Risk naive; Risk aware; Risk defined; Risk managed; Risk enabled. Rows: Key RM characteristics; IA role]

IA role

• Promoting risk management within the business

• Audit risk assessment drives audit planning

• Promoting enterprise-wide RM

• Facilitating communication between silos on good practice

• Audit risk assessment drives audit planning

• Facilitating / driving the risk management process

• Risk assessment drives audit planning

• Providing assurance on adequacy of the risk management process

• Risk assessment drives audit planning

• Risk-based annual audit plan

• Risk-based reviews covering business, operational, financial and compliance risks

Key RM characteristics

• No formal risk management (RM) approach

• Risks managed locally and informally

• Silo / ad-hoc approach to RM

• Risk appetite defined

• RM approach defined and documented

• RM process driven by management

• RM linked to objectives

• Board reviews and manages key risks

• RM embedded in: business planning / acquisitions / project management / capex appraisals / performance monitoring


Internal Audit’s role in Risk Management

IA takes on a huge variety of roles in practice

In many companies it falls to IA to facilitate implementation

Best model is for IA to be:

– champion of risk management process; and

– centre of expertise on risk and control matters

IA should not own the process

IA should use outputs to develop/modify annual plan, BUT may need to perform their own risk assessment as well


Risk Assessment


Global Internal Audit Services Manual – Module overview

The internal audit methodology is depicted in the framework below:

[Figure: methodology framework. Stage labels: Pre-Engagement Activities; Stage I: Engagement planning; Stage II: Project Activities; Stage III: Quality Assurance. Manual sections: Section 2: Range of Services; Section 3: Risk Management; Section 4: Client Communication; Section 5: Risk assessment and Audit Plan; Section 6.1: Planning and Scoping; Section 6.2: Execution; Section 6.3: Reporting; Section 6.4: Wrap Up; Section 6.5: Follow Up; Section 7: Working Practices]


Mandatory requirements (Global ISA manual section 5)

For sourcing engagements where we have responsibility for driving the development of the internal audit plan, perform high quality risk assessment and audit plan formulation with the input and final approval of management and the audit committee

On other sourcing engagements, try to make a positive impact on the client’s process through advice and cooperation

Use industry and functional specialists to better understand risks and to identify the best type of project to add to the audit plan


Risk Assessment Considerations

Changed operating environment

New personnel

New or revamped information systems

Rapid growth

New technology

New products or activities

Corporate restructuring, acquisitions, disinvestments

Prior history of problems

Probability

Materiality


Risk assessment

[Figure: risk assessment factors on axes Probability (Likelihood) and Impact. Factor labels: Strength of control environment; Change; Complexity of Operations; Materiality]

• Budget/actual $ value / Transaction volumes processed

• Extent area impacts on achievement of business objectives

• Regulatory compliance / reputation impact

• History of incidents, culture, supervision structures, etc

• Last audit results

• Management views & concerns

• Internally - processes and people / management

• Externally - regulatory requirements


Inherent and Residual risk

Inherent Risk Assessment: This is performed to assess risks that are direct results of both external and internal factors BEFORE any controls or responses are applied

[Figure labels: Applied Controls; Internal Audit Focus]

Residual Risk Assessment: This is performed to assess the remains of the inherent risk assessment AFTER the effect of any applied controls or responses.


Risk based planning – Inherent and Residual

[Figure: chart with axes Impact and Probability, each running from Low to High. Labels: Inherent Risk; Residual risk; Desired risk; Internal Audit focus; Risk Management / Management’s focus]

Audit Universe + Risk Assessment + Risk Appetite = Audit Plan


Bridging the 'gap' – 1 step or 2

[Figure: risk exposure and exposure management. Labels: Risk; Existing effective control; Treatment plan; GAP; Acceptable residual risk; Actual residual risk ranking; Desired residual risk ranking; step markers (1), (2), (3)]


Risk responses: actions taken to bring a risk to within, and maintain it at, an acceptable level - should be agreed upon

Exiting the activities giving rise to risk. Risk avoidance may involve exiting a product line, declining expansion to a new geographical market, or selling a division.

Action is taken to reduce risk likelihood or impact, or both. This typically involves any of a myriad of everyday business decisions.

Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Common techniques include purchasing insurance products, engaging in hedging transactions, or outsourcing an activity.

No action is taken to affect risk likelihood or impact. It includes “Self-insuring” against loss, relying on natural offsets within a portfolio, accepting risk as already conforming to risk tolerances.

In considering its response, management assesses the effect on risk likelihood and impact as well as cost

For many risks, appropriate response options are obvious and well accepted

For other risks, available options might not be readily apparent, requiring investigation and analysis

Session 5: Case study – Workshop – Participants Material


Risk Assessment Case study


Exercise: Perform a risk assessment

You are Executive level management of your company, XYZ Chemicals Plc, a multinational, with manufacturing, distribution and retail operations around the globe.

You are participating in a risk assessment workshop today with your colleagues

– Consider and set the Risk Appetite, or rating criteria for the company

– Identify 5 major risks of your company

– Rate and Rank the risks in terms of Impact and Likelihood

– Identify Management Action to mitigate risk


Part one: Consider and set the Risk Appetite

Draw a heatmap indicating your group’s interpretation of a catastrophic and a negligible risk

Set values to these using the heatmap

Remember you shouldn’t just consider financial impact!!

You have 15 minutes to do this

[Figure: blank heatmap with axes Impact and Likelihood]


Identified risks will be rated based on impact and probability, and risk maps will be generated to prioritise risks

This is an example only of an actual risk scale:

| Impact | Financial impact in terms of change to COMPANY total funding, expenditures or losses | Human resource impact in terms of negative changes in Global Staff Survey | Reputation impact | Strategy impact |
|---|---|---|---|---|
| 1 | Less than $500k | Less than 0.5% | No external comments | No impact on strategy |
| 2 | $500k-5m | 0.5% - 1% | Isolated external comments within the country | Internal dialog on strategy |
| 3 | $5-25m | 1% - 3% | Several external comments within the country | Elements of strategy must be re-visited |
| 4 | $25-100m | 3% - 5% | Comments in international media / forum | Revision of overall strategy needed |
| 5 | Greater than $100m | Greater than 5.0% | Reports in key international media for more than 2 days | Overhaul of strategy needed |

| Probability | Definition | Description |
|---|---|---|
| 1 | Unlikely | No occurrence expected in the next 5 years |
| 2 | Uncertain | 1-2 occurrences expected in the next 5 years |
| 3 | Possible | 1-2 occurrences expected in the next 2-3 yrs |
| 4 | Sometimes | Multiple occurrences expected in the next 2-3 years |
| 5 | Often | Multiple occurrences expected in the next year |


Heat map

[Figure: heat map with axes Probability and Impact. Action legend: Red Flag: Action required; Programmed Action; Red Flag: Immediate action required; Monitor]


Part 2: Identify 5 major risks of your company

Describe and Number your risks

Rate and Rank the risks in terms of Impact and Likelihood from an inherent risk point of view

Plot the risks on the heatmap (on a Flipchart)

[Figure: heat map with axes Probability and Impact. Action legend: Red Flag: Action required; Programmed Action; Red Flag: Immediate action required; Monitor]


Part 3: Identify 5 major risks of your company

Consider those controls that you would expect to see in place against each of those risks

Now Rate and Rank the risks in terms of Impact and Likelihood from a residual risk point of view taking into account the controls you believe to be in place

Plot the risks on the heatmap (on a Flipchart)

[Figure: heat map with axes Probability and Impact. Action legend: Red Flag: Action required; Programmed Action; Red Flag: Immediate action required; Monitor]


Risk Assessment

[Figure: chart with axes Impact and Probability, each running from Low to High. Labels: Inherent Risk; Residual risk; Desired risk; Internal Audit focus; Risk Management / Management’s focus]

Audit Universe + Risk Assessment + Risk Appetite = Audit Plan


Developing the audit plan


Risk based planning – Audit Universe

Definition: The total population of auditable areas and locations

The audit universe should include a complete list of all auditable areas within the business

It should also include a full list of locations within the business

The risk assessment should be applied to the audit universe


Risk based planning – Risk Appetite

Definition: The degree of risk an organisation will accept to achieve business goals

Over how many years does management want the whole of the audit universe covered?

How often should each location be visited?

What does management see as core financial or business as usual processes?

How often should core financial / business as usual processes be reviewed?

How often (if ever) should low risk processes be reviewed?

Does management want to cover all high/low processes over a period of time?


Risk based planning – How does it really work?

[Figure: planning diagram. Labels: Audit Universe; Business Risk Assessment; Risks well managed; Risks requiring management action; Change; Reviews for inclusion in Audit plan; Business as Usual / assurance; Corporate risk appetite; Key risk areas to cover – high and low; Number / frequency of locations to be visited]


Developing the plan – some considerations

Key indicators for reviews to include in the plan

• Consider the following movements in your risk assessment that may



Annual plan – Example 1 (continued)

Key focus areas for 2006-07

In establishing the internal audit plan for the next 12 months, the following key risks/issues have been considered and addressed:

| Risk / Issue | DIV A / DIV B / DIV C / DIV D / DIV E / DIV F | Internal Audit Approach |
|---|---|---|
| Price and margin control and optimisation | ✓ ✓ ✓ ✓ ✓ ✓ | A continuing focus on the management of price strategy and its consistent implementation for the business subject to review this year. |
| Inventory management | ✓ ✓ ✓ | Focus on management control processes adopted to control inventory levels, realisable value and physical security, particularly in A & B divisions. |
| Credit management | ✓ ✓ ✓ ✓ ✓ ✓ | Focus on credit control procedures adopted in the businesses reviewed. |
| Effective implementation of new systems, and efficient use of new systems to avoid workarounds. | ✓ ✓ ✓ ✓ | Review of adoption at the sites 6 to 9 months following implementation of new systems. |
| Effective implementation of new initiatives | ✓ ✓ | Review the new control procedures, and the level of compliance with those procedures, to assess whether a level of control appropriate to a national centralised function has been established. |

Review of key processes at J/V in Trinidad.

Session 5 - Risk Assessment and Developing the Annual Audit Plan


PricewaterhouseCoopers Page 44

Annual plan – Example 2

Session 5 - Risk Assessment and Developing the Annual Audit Plan

[Pie chart: Focus of Audit Effort. Segments: Core Business Processes, Financial & Compliance risks, Projects, Support Processes. Segment values shown: 44%, 25%, 6%, 25%.]

Key Risks Identified for IA Focus

1. Supply chain may not be operating optimally and effectively

2. Support centre that does not fully support businesses

Financial controls over supplier payments may not be operating effectively.

3. Management information and KPIs may not properly support management of key risks

4. Benefits not realised from investment proposals and projects

5. Store operations – inconsistent and inappropriate stores processes

6. Changes to systems and processes may not be properly implemented

7. Product contamination food/safety & OH&S compliance

Key Audit areas

End to end review of the procure to pay processes

▪ Controls and business processes are effective and efficient

▪ Consistency of practices across the group

▪ Recommendations for improvements

Duplicate payments review

▪ Potential financial recovery of duplicate payments

▪ Assessment of controls effectiveness

▪ Reduced risk of inappropriate or invalid transactions

Management information on risks and controls

▪ Management information to support monitoring and reporting of risks and effectiveness of internal controls

Benefits realisation from projects & capital expenditure

▪ Effectiveness of monitoring of benefits realised from projects implemented

▪ Consistency of capex proposal processes across business units, particularly on ensuring benefits are realised

Store audit program

▪ Review effectiveness of the store audit process adopted by Retail Operations

▪ Opportunities for improving procedures and getting better consistency across the network

IT Changes & Upgrades

▪ Review changes to the systems and key processes resulting from system changeovers including POS2 implementation at Freedom and changes in Steinoff

OH&S and Food Safety

▪ Assessment of whether key risks identified are properly mitigated for Bay Swiss

▪ OH&S review in manufacturing


PricewaterhouseCoopers Page 45

Finalising the audit plan

Output from risk assessment

Finalise audit plan

Management evaluation / prioritization of risk assessment

Link risk assessment to strategic / operational plans

Session 5 - Risk Assessment and Developing the Annual Audit Plan

Present Management with a draft plan

Consider management preferences


PricewaterhouseCoopers Page 46

Exercise Part 4 - Developing an audit plan

You have been given a risk assessment report for Company XYZ

Using the report determine the top 5 audits you would include in your plan and why

You have 20 minutes to do this

Session 5 - Risk Assessment and Developing the Annual Audit Plan


PricewaterhouseCoopers Page 47

PwC’s risk based planning approach Global IAS Manual

Session 5 - Risk Assessment and Developing the Annual Audit Plan

[Diagram: risk based planning approach. Labels recoverable from the slide: Strategic; Critical; Business Objective (High / Low); Achievement Timeframe (Immediate / Long Term); Most Critical; Mgmt Concern (High / Low); Risks; Likelihood of Occurrence (Low / High); Planning; Inherent risk assessment?; Knowledge of control effectiveness (No / Yes); Inherent Risks; Residual Risks; Develop Risk Profile; Report to Audit Committee, Management & Other Internal Audit Stakeholders.]


Thank you