Internal audit operating at the strategic level

Transcription

1 Internal audit operating at the strategic level Strategic collaboration Auditing strategic risks Audit plan alignment Malcolm Zack Director Zack Associates Limited

2 Major retailer Zack Associates Limited Logos sourced from publically available internet sources

3 So what do we mean by strategic risk? Strategic risks are risks that affect or are created by an organization s business strategy and strategic objectives Deloitte. Exploring Strategic Risk - a global survey Poor Business Decisions Poor Execution Inadequate resource allocation Not responding to changes in the environment Risks identified in the strategic plans Financial Economic environment Political risks People

4 Allianz Risk Barometer Business Protiviti Interruption Audit Committee Top Risks 2016 Top sets of risks 2. Market (volatility, stagnation, competition Differ from sector to 3. Cyber 1. Regulatory incidents KMPG Change/Scrutiny Top Risk Management Issues sector 4. Natural 2. Managing Catastrophes 2016 Cyber Threats 5. Changes 3. Economic in Legislation conditions restrict growth KMPG Top Risks for Internal Audit Capital Not all top risks are 6. Macro 4. Succession economic and changes attracting talent and Markets 2016 strategic 7. Loss 5. of Privacy 1.Technology Reputation/Brand and information Risk Value security Management 8. Fire 6. Explosion Resistance 2.Third to change Party Risk Management 1. Increased regulatory expectations Most appear 9. Political 7. Rapid risks 3.Fraud speed (war, of terrorism) and disruptive Misconduct technology 2. Culture and conduct operational, value 10.Theft, 8. Culture: fraud 4.Crisis and - impact corruption Management on risk management 3. Regulatory reporting preserving risks. I.e 9. Volatility in global financial markets 4. Stress testing they could threaten 5.Data Security 10.Sustaining customer loyalty 5. Model risk management achievement of 6.Achieving Compliance 6. Cyber security business objectives/strategy 7.Risk Data aggregation 7. Third-party and relationships/vendor Reporting management So should we focus 8. Continuous risk assessment on risks or 9. Use of data analytics and objectives?! continuous auditing 10.Internal audit talent recruitment and retention

5 EXAMPLES. Wartsila Risk Management Report 2010 Source: Global Advantage

6 IIA standards Internal audit coverage of risks to achieving strategic objectives. Strategic opportunities and threats drive creation of short and longer term strategic initiatives/investments to deliver value. Executives responsible for risk management in persuit of strategic objectives IA evaluates IA focus on critical risks IA provide assurance IA skills Achievement of the organization's strategic objectives. Reliability and integrity of financial and operational information. Effectiveness and efficiency of operations and programs. Safeguarding of assets. Compliance with laws, regulations, policies, procedures, and contracts. Organisation strategy should be a foundational element of plan Aligns IA with strategic priorities Helps allocate IA resources. Leverage management and other assurance providers Consider providing assurance Assess if strategic risks are being managed. Evaluate mitigation methods Opportunity to deliver advisory services that impact organisation evolution directly Assess skills and knowledge in team Consider other sources if necessary

7 IIA Research Foundation More involved with strategic initiatives Better connected Become business partner/risk advisor Greater value when involved early on in inititative Link ERM to strategic thinking IA Gains knowledge and insight Skills include strategic planning and consulting Increase demand for advisory work, reality checks Balance assurance and advising management The reasons and benefits for internal auditing are clear but how do you go about getting your team involved?

8 Risk (what could happen?) Risk that.. Risk Risk Risk Factors (what contributes to the risk?) a.. b.. c.. Impact What outcomes if the risk is realised? Xxxxxx, yyyy Business Objectives affected Growth Customer Experience Operational Excellence Growth Key Controls Mgt.. Review.. Assurance/audits High level view of audit area Link strategic risks to the business objectives most impacted and identify sources of assurance and audit potential. Risk Customers Shareholder value Operational Excellence Stategic Financial Operational Regulatory Helps board audit committee understand where assurances over key strategic risks come from and any gap

9 Risk Risk and Opportunity Matrix Map audit plan candidates Complex operational areas. E.g. BCP, IT Security, Treasury Top Strategic projects Significant change New products/businesses pushing the envelope Important areas needing some audit review but less frequent Projects /initiatives providing high benefit to the business but lower risk.e.g. rolling out new stores/locations [Audit functions] often fail to provide assurance on strategy creation and execution, management's value creation work. Why firms should audit strategic risk Business Week July 2010 Opportunity how much is business moved forward?

10 Reviewing the strategic plan itself risk assessment assumptions and drivers, Information obtained, Scenarios planning and stress testing, softer areas (strong personalities and committment), alternatives rejected, Major Systems Sales Development Benefits Realisation So what could internal audit do? New Products Going into new markets Transformation Programmes Strategic Programme Office Diversification Expansion/Merger/takeover/demerger New locations

11

12 1 Sales Structure Reviews Market Growth 2 Service Improvement Market Growth 3 Telesales alignment Market Growth 4 Leadership Market Growth 5 Development/Pipeline Market Growth 6 RCEO coaching Market Growth/Market Share Gain 7 Customer Service alignment Market Growth 8 HR KPI Delivery All 9 People capability Market Share Gain/Specialist Growth 10 Regional Structure reviews Market Share Gain 11 Competitive/aligned reward & recognition Market Share Gain 12 Driver/Telesales/Sales Alignment Market Share Gain 13 Aligned with UK policies and practices Specialist Growth 14 Develop and support senior team Specialist Growth 15 Continous Evaluation of organisation Cost Reduction 16 Performance management Cost Reduction 17 Continous improvement focus Cost Reduction 18 Head count monitoring Cost Reduction 19 Management information integrity Acquistions 20 Communication platform/tools Acquistions 21 External framework in place Acquistions 22 Corporate Governance Acquistions 23 HRBPs prepared Acquistions

13 Where I have succeeded more Focusing audit team capabilities on initiatives that are important/critical to achieving the strategic goals. E.g. major projects, transformations, significant acquisitions. why isn t IA on this call? Attempts to review the strategy itself Helping management pull out risks with the strategy and risks arising because of the strategy that has been agreed has added more value. PLANNING RISK < EXECUTION RISK

14 Are YOU strategic enough? A place to start your thinking What is your Internal Audit Strategy for the next 3-5 years? Where is it now, Where does it need to go, and how will it get there? How often do you review it? And what are the risks to your strategy? Involve your Audit Committee. Work on strategic initiatives Well connected Recognised business partner/risk advisor Involved early Linkd ERM to strategic thinking IA sought for knowledge and insight Stratiegic Skills Demand for advisory work, Balanced assurance and advising management Development route for management

15 Obstacles and assumptions View of IA capability Its difficult Its confidential Where do you start? Strategic risk is just a category like the others but projects do lend themselves. Needs a different approach to auditing and reporting More advisory than assurance More upfront and ongoing involvement and challenge Dynamic reporting Needs audit team to be able to think strategically and have commercial understanding Look at the backgrounds do you have the right mix?

16 Risk Internal Audit and Strategic Risk Strategic collaboration - Essential Auditing strategic risks Be selective Audit plan alignment back to basics But. Complex operational areas. E.g. BCP, IT Security, Treasury Top Strategic projects Significant change New products/businesses pushing the envelope Projects /initiatives providing high benefit to the business but lower risk.e.g. rolling out new stores/locations [Audit functions] often fail to provide assurance on strategy creation and execution, management's value creation work. Why firms should audit strategic risk Business Week July 2010 Opportunity how much is business moved forward?

17 Remember to kick the tyres IA evaluates Achievement of the organization's strategic objectives. Reliability and integrity of financial and operational information. Effectiveness and efficiency of operations and programs. Safeguarding of assets. Remember Which business objectives are impacted or benefited from the results of your audit work? Link findings from audits back to the top risks and business objectives. Compliance with laws, regulations, policies, procedures, and contracts.

18 We still have to kick the tyres If the tyre s flat, your strategy is going nowhere