Financial Management Institute of Canada Professional Development Week November 23, 2010 Gatineau, QC

Transcription

1 Financial Management Institute of Canada Professional Development Week November 23, 2010 Gatineau, QC

2 Introduction Mohammed Siddiqui Chief Enterprise Risk Management and Audit Officer Hydro Ottawa Group of Companies 2

3 Agenda Who are Internal Auditors, how are they different from other auditors? What do they do, and for whom? Is what Internal Auditors do different based on country, industry, ownership, mission, or circumstances? What are the major challenges faced by Internal Auditors? Focus on stories from my experience, not on theory or standards 3

4 Polling Questions 1. Which function do you belong to? 2. Which province do you belong to? 3. Which are the most important deliverables of IA in the Federal Government (please rank)? 4

5 Who are Internal Auditors The perception People who: Always find jobs Get fat salaries Don t have any deadlines or heavy work schedules Main job is to find fault with others Well, wish this were true 5

6 The Reality Yes, well paid, but overworked Yes, in demand, but many challenges Serve many masters, and wide and varied scope of work What were you doing when the cookie jar was open or being raided? is among the many questions they have to contend with 6

7 Internal Auditors Professionals who have been around for several centuries in all commercial and non-commercial organizations, in every part of the world Trained to look at all areas of the organization, and advise and alert management of gaps and issues to help them achieve success Typically report to top management (CEO or CFO) and to the Audit Committee of the Board/Ownership 7

8 Membership Growth North America/Outside North America 180, , , ,000 ONA NA Outside NA 100,000 80,000 60,000 North America 40,000 20,

9 How are Internal Auditors Different from Other Auditors External: accuracy of financial reporting Government: compliance, mandate, integrity (ie. - tax, revenue, etc.) Regulatory: compliance (ie. - safety, engineering) Internal Audit: Internal Controls and Risks - The CAE juggles this complex network of relationships to keep IA vibrant & relevant... And so that the stakeholders sleep well! 9

10 Agenda Who are Internal Auditors in the context of the corporate world, how are they different from other auditors? What do they do, and for whom? Is what Internal Auditors do different based on country, industry, ownership, mission, or circumstances? What are the major challenges faced by Internal Auditors? Focus on stories from my experience, not on theory or standards 10

11 Public Sector Stakeholder concerns Recession, Unemployment, Pension Loss, Higher Taxes, Crime Rate, Poor Health Facilities, Lack of Safety Citizens Citizen Dissatisfaction, Loss of Reputation, Environment, Budget overspends, Delays in programs, non-disclosure of major issues Inadequate Resources, High Costs, Falling Service Levels, Bureaucracy Cash shortages, Labor Issues, Technology Issues/IT Infrastructure, Lack of Employee Engagement Accidents, Poor Work-Environment, Supply Chain Bottlenecks, Customer Issues Politicians DM, DG, Management, Bankers, Rating agencies Management/ Suppliers Line Staff/ Customers 11

12 Stakeholder stress points Is the organization in good shape? Is it achieving its objectives and targets? What is AT RISK in the organization? What could adversely impact the mission and goals of the organization?. 12

13 The CORPORATE GOVERNANCE Challenge How to grant managers enormous discretionary power over the conduct of the business while stopping them from misusing that power.. Result: The Boards, C-Level Suite, Regulators, Professional bodies, Auditors How is this working? 13

14 Governance and Control Framework Regulators Legislation External Auditors Owners, Shareholders Board/Audit Committee Suppliers Customers Executive (C Suite) Internal Audit ERM Compliance AICPA, CA, CGA 14

15 Specter of Disasters Fannie Mae/Freddie Mac Enron WorldCom AIG Sponsorship Adelphia Vivendi Satyam Computer Global Crossing Societe Generale Stock Options Backdating, Financial Statement Re-Statements, Wall Street Financial Meltdown = Lehmann, Goldman Sachs; Madoff, Stanford scams, etc. (a disturbing sample!) 15

16 What Went Wrong? Company Ethics? Greed Incomp? Arrogance External/ Political Barings Enron Earthquake No No WorldCom Maybe No FnM&FrM Societe G Madoff Satyam C No No No No 16

17 17

18 What could have caused businesses to fail in recent years? 75.0% 12.5% 5.5% 7.0% Incompetence Dishonesty External Factors Other 18

19 Why are the issues continuing to create disasters in the Corporate World? 40% 35% 30% 37% 35% 25% 20% 15% 14% 14% 10% 5% 0% Board Board and and Governance mechanisms are ineffective Executive teams are are too powerful Regulators are not competent Globalization of Economy 19

20 IA s Primary Role Providing an opinion on the status of governance, risk, compliance and control to management and audit committee 70.0% 65.5% 60.0% 50.0% 40.0% 30.0% 20.0% 13.8% 20.7% 10.0% 0.0% 0.0% In In the areas audited For For the the organization as a a whole Both Both 1 and 1 and 2 2 Not sure 20

21 Into the Top Cat s Lair When the Bosses are at PLAY, No one can have their SAY Whether we report functionally or administratively To the Top Cat or the Almighty, Our freedom is compromised, effectively and completely And our toes will get stepped on, SOX or no SOX 21

22 Polling Questions Should Internal Auditors take some of the blame for not highlighting governance, risk and control failures in an organization? Which stakeholder derives the maximum value from Internal Audit? 22

23 Should IA take some blame for not Highlighting Governance, Risk and Control Failures? 80.0% 70.0% 69.0% 60.0% 50.0% 40.0% 30.0% 20.0% 10.0% YES 10.3% Y E S NO 3.4% NO 17.2% 0.0% Yes to a large extent Yes, jointly with other oversight functions No. Management is fully responsible. Internal Auditors do their job in most cases. Management and boards does not take action. No. Internal Auditors cannot be expected to identify and stop bad business decisions, autocratic and unethical behaviour; which are the root causes of these disasters. 23

24 Internal Audit Value is in-the-eye-of-the-beholder and specific to the DNA of each organization Board/Audit Committee assurance that things working as they should be and risks are being adequately mitigated Operational Management help us improve our business processes & meet our strategic objectives Finance & Accounting Controls are adequate (alert us, but don t make us look bad) The true entrepreneur relies on it for objective and once removed insights and advice 24

25 Internal Auditing Core Value Elements 25

26 Stakeholder Maximum Value Gained from IA 1% External Agencies Final Ranking 10% Shareholders 22% Line Management 37% Audit Committee 30% Executive Management 26

27 Play video Value from IA 27

28 Agenda Who are Internal Auditors in the context of the corporate world, how are they different from other auditors? What do they do, and for whom? Is what Internal Auditors do different based on country, industry, ownership, mission, or circumstances? What are the major challenges faced by Internal Auditors? Focus on stories from my experience, not on theory or standards 28

29 CEO s Expectations of IA Monitor organization s risk environment and risk profile. Give recommendations on risk mitigation strategies. Provide objective view on effectiveness of organizational processes. Ensure integrity of financial reporting. Assess organization s compliance with applicable standards. 29

30 CFO, Hydro Ottawa: Value I seek from IA Assurance: financial and management information controls are sound leading to accurate results Improvements: processes, productivity, business performance Advice : give me the broad perspective, NOT a narrow, sectional view As a CFO, I d be very nervous if the organization I worked in did not have a strong ERM-IA regime. 30

31 Internal Audit Deliverables Universal Applicability Protect through Early Warning Signals which will help identify, manage and respond to actual and potential adverse situations (APAS) Improve through a discipline of Benchmarks and Tolerances and by building capabilities and processes to strengthen performance Optimize by implementing a process to Balance risk and return for routine and growth initiatives (Story) 31

32 Focus could Change Based on : Regulated vs Non-Regulated Environments Public vs Private Sector DNA of the Organization Industry Type Developing vs Developed World 32

33 Emirates experience IA s place within Emirates Reports to highest level of executive management Head of Audit has access to the ownership, if needed Works at every level of the organisation: from mail room to board room Seen as counsellor & conscience-keeper to the business (Governance, audit committee, board..) 33

34 Agenda Who are Internal Auditors in the context of the corporate world, how are they different from other auditors? What do they do, and for whom? Is what Internal Auditors do different based on country, industry, ownership, mission, or circumstances? What are the major challenges faced by Internal Auditors? Focus on stories from my experience, not on theory or standards 34

35 Major challenges for the IA profession Reporting structure under emerging governance and regulatory regimes Consistency of skills, competency, acceptability and experience of the Internal Audit Professional 35

36 IA s dual reporting situation Management takes the lead in identifying resources needed for ERM-IA, tapping into its value Audit Committees have their own stake and will derive value from ERM-IA as they see fit Mandating regulatory protection for IA is not a solution 36

37 Dual Reporting challenge Two stakeholders: Audit Committee/Owners and Management Both have an interest in a good, efficient IA set-up. There is no need for conflict! If IA does its job well, both stakeholders will give it the independence it needs, each for their own reasons & interests.or may not, precisely for the same reasons Need to create enough value and they ll line up at your door/or show you the door! 37

38 Internal Audit and Fraud Prevention Fraud is NOT always a part of corporate life. Fraud happens. We know that. We know too that neither IA nor anyone else can always prevent it. My Experience Internal Audit and a robust ICF can detect a fraud, probably after the fact. That in itself can serve as a deterrent to fraud. 38

39 Polling Questions Who in your experience has the biggest say in hiring and firing the CAE? 39

40 Who in your experience has a bigger influence on the Audit Committee and Board? 45.00% 40.00% 41.12% 35.00% 30.00% 25.00% 20.00% 15.00% 14.02% 23.36% 21.50% 10.00% 5.00% 0.00% CEO CAE CFO External Auditor CEO CAE CFO External Auditor 40

41 Kipling s Preposterous IF If you were required by Law to track behaviour in its full form If you were to have Direct Access to a smart and committed BOSS If you were trained and able to provide, fearlessly: Views and sound advice on anything and everything then, you ll be a true Internal Auditor, my son! Then, the world will be your stage forever... 41