INTERNAL AUDIT S ROLE IN BOARD-DRIVEN/OBJECTIVE CENTRIC ERM:

Transcription

1 INTERNAL AUDIT S ROLE IN BOARD-DRIVEN/OBJECTIVE CENTRIC ERM: TRANSFORMATION STRATEGIES TO MEET NEW EXPECTATIONS Presented by: Tim J. Leech FCA CIA CRMA Risk Oversight Inc. tim.leech@riskoversight.ca

2 Agenda Aligning customer expectations What needs to change? Defining responsibilities Building an Objectives Register Assigning & prioritizing objectives Assigning CRRR, RAR & IAL ratings Using ISO as a foundation Completing RiskStatuslines Independent assurance options BD/OC consolidation software Business case for change 2

3 Aligning customer expectations Surveys indicate declining satisfaction PwC has published the 2014 edition of their State of the Internal Audit Profession. The stated theme is bland: alignment of stakeholder expectations, and matching skills and capabilities to those expectations, helps internal audit enhance the value delivered to the organization. But there is a clear message to internal audit leaders, as well as to audit committee members and others with oversight responsibility for internal audit. About half the internal audit departments around the world are failing to deliver the assurance and advisory services their stakeholders need and know they need. Source: IIA Marks on Governance 3

4 Aligning customer expectations Surveys indicate declining satisfaction Source: KPMG 2014 Global Audit Committee Survey 4

5 Aligning customer expectations Surveys indicate declining satisfaction Source: KPMG 2014 Global Audit Committee Survey 5

6 Aligning customer expectations Surveys indicate declining satisfaction Only 49 percent of senior management and 64 percent of board members said they believed internal audit was performing well, and even chief audit executives gave a less than enthusiastic review with only 65 percent saying internal audit performed well. Internal audit lost a bit of ground with board members in terms of those who see the internal audit function as delivering significant value to the organization. In 2013, 79 percent of board members said they saw significant value in internal audit compared with 68 percent in Among senior management, only 45 percent see significant value in internal audit, virtually flat from 44 percent in Source: 6

7 Aligning customer expectations One CAE s Perspective Source: Chambers on the Profession Comment 7

8 Aligning customer expectations Key questions: So, what s the problem? What s creating dissatisfaction? 8

9 What needs to change? Some theories 1. Need demanding knowledgeable customers a large % of organizations have an IA function because they were told, at some point in their evolution, they should have one by regulators and/or external auditors; not because senior management and the board really wanted one. Engaged and demanding customers are needed to drive change. Boards are starting to seriously engage and demand, but IA direct report audit paradigms handicap change efforts and are evolving very slowly. (e.g. compliance with IPPF standard 2120, a form of attestation auditing) 9

10 What needs to change? Some theories 2. IA needs to be seen as very relevant. Boards and senior management are being told they must demonstrably oversee risk. Unfortunately, many board members and senior execs don t see how IA can help them meet this new expectation. (see CPA Canada report A Framework for Board Oversight of Risk and NACD reports on risk oversight - they largely ignore the role IA can play) IA has to change this perception ASAP. It won t be easy. 10

11 What needs to change? Some theories 3. Transition from supply driven to demand driven. Closely linked to #1, disinterested customers, IA has been largely supply driven, not demand driven by knowledgeable customers. IA must become demand driven by motivated and knowledgeable boards and senior executives to drive the necessary changes in IA methods and standards. The wellknown adage necessity is the mother of invention is a fundamental truth. 11

12 What needs to change? Some theories 4. Link risk assessment and performance. IA has not generally used assessment methods that visibly demonstrate the link between key objectives, risks/threats to achievement, risk treatments/controls, and performance. Process centric (SOX 404), risk centric methods (including risk registers ), and compliance centric methods often obscure the relationships. This must change to truly engage hard-nosed business-oriented customers. 12

13 What needs to change? Some theories 5. Transition to adult to adult interactions - IA is often cast by boards, regulators, and the IA profession itself via standards, certification curriculum, and training offerings, in the role of critical parent/child. When subjective opinions are provided by IA on what IA thinks constitutes effective control (which really means IA has decided the current residual risk status is outside risk appetite), it creates unnecessary conflict with management. There is a pressing need to move to adult to adult interaction in dealings with business units and senior management. The focus should be consensus agreement on acceptability of retained/residual risk status. 13

14 What needs to change? Some theories 6. More transparency on rigor and assurance levels. Current IA methods often lack transparency on the level of risk assessment rigor applied, and the amount of assurance being provided. Key customers are often not aware of what has not been included in the audit universe and how the decision was arrived at. More transparency and customer involvement and debate on rigor and assurance levels will increase customer engagement and speed transition from supply driven to demand driven. 14

15 What needs to change? Some theories 7. IIA needs to endorse the use of risk assessment methods that use ISO principles as a foundation. Many internal audit departments current use assessment methods that focus on providing subjective opinions on control effectiveness. This conflicts with core risk management fundamentals that dictate senior management and boards need to define their risk appetite for all types of risks. 15

16 Defining responsibilities See sample risk policy for roles 16

17 Building an Objectives Register KEY CONCEPTS 1. Cost/benefit tradeoff 2. Relevance to board/senior execs 3. Include top value creation and potential value erosion objectives 4. Integration with strategy 5. Regulator expectations 6. Will drive the work of IA, ERM staff, compliance, safety, environment, and other specialists 17

18 Building an Objectives Register HOW TO BUILD ONE 1. Strategic plan/public disclosures 2. Remuneration targets of top execs 3. Research on sector specific value killers (e.g. see Deloitte research) 4. Position guides of top execs 5. Analysis of regulator mandates/priority areas (e.g. SOX 404, FCPA, AML, Safety, cyber security, etc) 6. Real input from/engagement of top execs/board 7. Parent objective with children (e.g. Ensure all applicable laws and regulations are complied with = parent, Comply with FCPA = one child) 18

19 Assigning & prioritizing objectives KEY CONCEPTS ASSIGNING OBJECTIVES 1. OWNERS have substantial control over risk treatment strategy. 2. SPONSORS are logically positioned to coordinate assessment of objectives with multiple stakeholders. 3. Want the RISK OVERSIGHT COMMITTEE or equivalent fully engaged. 4. Top importance rated objectives, where there is no clarity who should be OWNER/SPONSOR, signal high retained risk. (e.g. Safeguard and enhance the company s reputation) 5. Avoid assigning assurance staff groups, including IA, Owner/Sponsor role 19

20 Assigning & prioritizing objectives KEY CONCEPTS - PRIORITIZING 1. Value creation ability 2. Potential to erode value 3. Importance to corporation 4. Importance to Owner/Sponsor 5. Current/target performance levels 6. Link to remuneration targets 7. Evolution of regulators focus (e.g. FCPA, AML) 8. Priority on board s agenda 9. Current public profile/media exposure 10. Expectations of external auditor/regulators 20

21 Assigning CRRRs RARs & IALs KEY CONCEPTS CRRRs Composite Residual Risk Ratings 1. CRRR rating scale is at the entity level 2. Focus is on deciding appropriate residual risk status escalation level (i.e. local mgmt/senior mgmt/board) 3. Goal is to produce concise and relevant consolidated reports for senior management and the board on residual risk status 4. All items with CRRR of 1 or greater indicate current status for that objective is outside of corporate risk appetite 5. A CRRR = 0 means residual risk status for that objective is deemed fully acceptable to management and the board 6. Ratings of 1 or greater must have an action plan 7. Generally, CRRRs of 4 or greater go to the board. 21

22 Assigning CRRRs RARs & IALs 22

23 Assigning CRRRs RARs & IALs KEY CONCEPTS RARs Risk Assessment Rigor ratings 1. Boards should be told the level of rigor applied to each objective 2. Higher rigor generally equals higher reliability 3. A large % of traditional risk register assessments are low rigor 4. A large % of traditional IA work has been done with low focus on risk identification and assessment and high focus/time spent on controls, a subset of available risk treatments. 5. A large % of traditional ERM and IA work has not linked conclusions on control effectiveness to data on impact of nonachievement of objectives, performance levels, or provided info on viable risk treatments not applied 6. Brain-storming is often the only risk identification method used by IA and ERM groups. History indicates, in isolation, it is often unreliable 23

24 Assigning CRRRs RARs & IALs 24

25 Assigning CRRRs RARs & IALs NIA No independent assurance LOW A high level assurance review has been completed and a feedback report provided to the OWNER/SPONSOR and RISK OVERSIGHT COMMITTEE MEDIUM An independent review has been completed to assess the completeness of risks identified, risk treatments and residual risk status information provided and a report provided to the OWNER/SPONSOR and RISK OVERSIGHT COMMITTEE HIGH In addition to the steps defined for MEDIUM, steps have been taken to confirm the existence and effectiveness of the risk treatments identified Y CONCEPTS IALs Independent 25

26 Using ISO as a Foundation 26

27 Completing RiskStatuslines 27

28 BD/OC Consolidation Software The majority of GRC software products on the market are process centric (SOX influence) and/or risk centric (support Risk Registers ) Risk Oversight is working with Resolver to build software that supports the BD/OC approach and has approached other major GRC software vendors that use process and risk centric methods currently to promote the use of BD/OC ERM and IA methods RiskStatusNet, the world s first BD/OC ERM and IA software system, is at the beta test stage. Final release of version 1.0 is anticipated in late

29 BD/OC Consolidation Software Key summary data for senior execs and board top value creation and potential value erosion objectives and related CRRRs, RARs, IALs. 29

30 Business case for change It s simple. If internal audit wants to remain relevant, have satisfied customers, and add maximum value it has to do a better job meeting evolving customer expectations This will require quantum, not incremental, changes to IA methods and tools 30

31 THANK YOU QUESTIONS? 31