MOVING UP THE INTERNAL AUDIT MATURITY CURVE MODEL


Noah Gottesman

The views and opinions expressed in this paper are those of the authors and do not necessarily reflect the official policy or position of Thomson Reuters.

TABLE OF CONTENTS

- PROTOCOLS
- RESOURCES
- METHODOLOGY
- TECHNOLOGY
- USING THE FIVE WHYS TECHNIQUE
- CONCLUSION
- INTERNAL AUDIT MATURITY CURVE QUESTIONS & ANSWERS
- ABOUT THE AUTHOR

Under a microscopic lens and with exactly the right amount of light, a sample blob on a slide is transformed into an incredible image with intricate detail, depth and characteristics. A misalignment in the calibration of the microscope, however slight, and the complexity is distorted. The ongoing calibration of microscopes and other scientific equipment is a routine activity and highly necessary to ensure consistency, precision and accuracy. Similarly, internal audit departments must also undergo regular calibration activities to ensure that they are able to provide consistent, precise and accurate information about the risk appetite and risk management practices within their organizations.

In developing the maturity model, many factors were considered, with the exception of department tenure and department size. Neither factor directly contributes to genuine maturity. Additionally, some could argue that either factor could potentially disrupt the department's perception within the organization and its ability to accomplish certain transformational aspirations. The maturity model is less about benchmarking the current state and more about positioning the future state of the department.

PROTOCOLS

When establishing the internal audit department, the audit committee (in the creation of the audit committee charter) lays out the key responsibilities and expectations for this department, but too often the informal discussions, expectations and alignment of activities are not documented and shared with the staff. As such, they are not provided with, trained on, or required to understand the underlying expectations and formal audit committee charter on which they will eventually plan and execute their work. Many will argue that those materials are readily available on most organizations' public websites. They may also argue that staff have access to the charter, the methodology and the policies and procedures, all of these documents being outputs of the audit committee charter.
Protocols are not only about formal documentation, but also about informal documentation and other governance materials that exist at audit committee or organizational level and are held in the organization's intranet (internal website), file servers or content management systems. As informal documentation is not publicly available, it requires the staff to fend for themselves in searching, accessing, reviewing and referencing it. Not all protocols are about department staff; some concern the desire of the audit committee to leverage the internal audit department for other purposes, such as benchmarking analysis (systems, processes, risks and controls) and training on emerging risks, trends in root cause, and background on cybersecurity, privacy, regulatory updates, etc. Protocols address both formal and informal expectations, requirements, roles, responsibilities and working relationships.

Here are some of the ways in which departments can address protocols. Some of them are relatively easy, while others involve a more methodical approach:

- Develop ongoing definitions of internal audit activities that include assurance and advisory services
- Develop budgeting standards that align with the rest of the organization
- Track each activity as if it were a cost center
- Review how your department complies with the Institute of Internal Auditors' Professional Practices Framework (IPPF): think about transparency, accountability and performance
- Review the frequency and type of interactions between the audit committee, executive management and external auditors to discuss expectations and the alignment of the plan of activities. These sessions should occur outside of regular audit committee meetings
- Create an ongoing communication plan that includes the many annual touch-points with executive and senior management

RESOURCES

The foundation developed within the above protocols is refined in the department's resources.
Using a semi-awkward theme of "future leaders start in internal audit", the department needs to focus more on the career paths of interns, staff, seniors, managers, directors, vice presidents and chief audit executives. Maturity within resources is a change in culture to focus more on the softer issues, such as career planning, mentoring, ongoing performance evaluations and knowledge sharing. This is not intended to detract from the execution of relevant and reliable assurance and advisory activities, but rather to offer an opportunity to alter the approach to scheduling resources based on career goals, cross-collaboration amongst audit teams and challenging staff in other ways.

From another perspective, department documentation is a treasure trove of organizational data and insight. Rather than merely reusing the entire audit activity or specific good practices, the documentation can be distilled into some form of ongoing knowledge management for the entire department. The distillation would include items such as:

- Unique local practices
- Example procedures
- Business processes
- The current use of systems, applications, vendors, etc.
- Details of key personnel, outside of various management and organizational structures

An internal audit department's knowledge management and sharing activities are vital to keeping proactive, rather than reactive, in their ongoing understanding and assessment of the organization. Here are some of the ways in which departments can address resources. Some of them are relatively easy, while others involve a deeper alignment of the organization's HR practices with those of the department:

- Develop career plans with all levels of professionals (within the department, company, etc.)
- Coordinate and schedule professionals based on past performance and career plans
- Develop both team and individual performance feedback loops as part of each activity (over 40 hours)
- Challenge negative performance feedback as an opportunity for coaching/mentoring, similar to the overall organization policy and procedures
- Provide multiple training opportunities that are either self-led or led by peers within the department or company
- Require ongoing knowledge sharing per activity ("take a coin, give a coin")
- Recognize individual and team performance both inside and outside of the department

METHODOLOGY

Lather, rinse, repeat! Methodology should be basic enough to be summarized as an elevator pitch, expansive enough to allow for the multitude of activities that internal audit could perform, and interconnected enough to demonstrate the progression of activities. Having good or sufficient procedures does not create methodology; however, a good or sufficient methodology can overcome poor procedures. It goes back to approach. If some procedures are either poorly written or executed, it falls to the methodology to showcase the review process. The methodology demonstrates a consistent approach.

The methodology should not be an over-engineered set of steps, a magnitude of cross-references to policies and procedures, or so airy as to leave others to self-define what occurs next. It should be able to demonstrate the lifecycle of internal audit activities, beginning with the risk assessment, moving to the annual plan of activities, then to each activity, then to documentation wrap-up and reporting, and finally to findings and recommendations tracking.

Here are some of the ways that departments can address methodology. The staff, through the executive, should maintain a consistent approach to defining the various activities and how they fit together. One key is to include how ongoing improvement is part and parcel of the methodology:

- Develop formal documentation that answers the Five Whys for:
  - Internal audit
  - Annual/ongoing risk assessment
  - Internal audit plan and coverage
  - Issues, actions and remediation
- Benchmark your methodology, policies and procedures outside of external quality assessment reviews
- Map/cross-reference each internal audit to the strategic plan, objectives, and/or ERM/ORM activities
- Map/cross-reference findings and recommendations to the strategic plan, annual objectives or key initiatives
- Coordinate and champion a unified approach to internal controls and risk management

USING THE FIVE WHYS TECHNIQUE

This technique was coined by Japanese industrialist Sakichi Toyoda and championed by Japanese engineer Taiichi Ohno of the Toyota Industries production system, to help identify the root causes of manufacturing problems. Using this system, an individual asks the question "Why?" five times, each time diving deeper into the nature of the challenge or question in a way that follows on from the previous answer. The purpose is to identify the cause-and-effect relationships behind a particular problem, until a root cause is found. So, why internal audit?

1. Why? To provide an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. [1]
2. Why? To provide an alternative perspective on the governance, risk and control structure to that held by the external auditor and management.
3. Why? To champion organizational initiatives, continuous performance and continuous improvement throughout the organization; to evolve the overall culture of transparency and accountability.
4. Why? To coach, develop and mentor future business leaders who embody the organizational culture, understand the control environment and understand the impact of internal audit on the organization.
5. Why? This was intentionally left blank. As internal audit professionals, our opportunity is to answer the 5 Whys for our own organizations.

The answers to the Five Whys should be clearly defined and communicated to:

- The audit committee
- Executive management
- Senior management
- Your colleagues
- Regulators
- Other stakeholders

[1] As defined by The Institute of Internal Auditors (IIA), a global organization set up and aligned with other accounting, finance, risk and compliance associations. mandatory-guidance/pages/definition-of-internal-auditing.aspx

TECHNOLOGY

In the current digital age, there is abundant access to a great number of electronics for data collection activities. Unfortunately, the skill within internal audit is around collecting data as an activity that involves the various process, risk or control owners and the intended users of the documentation. In collecting data, it is important for all parties to understand how the activity fits the department's objective, the particular audit/review objective and the approach/considerations involved in collecting data.

At the heart of collecting data is technology, a vital component that empowers the department to operate in a more efficient and effective fashion. The proverbial black box in the corner does not always warrant a special skillset, and it is critical for an internal audit department to no longer operate around the black box, but to develop the appropriate skillsets around data, information, applications, systems and/or domains. A component of those skillsets is the working relationships that the department develops with the various owners of data, information, applications, systems and/or domains. Too often these relationships are adversarial owing to a previous exception, report or finding. It is about time that at least one organizational firewall is taken down to develop a more collaborative approach moving forward.

Here are some other ways that internal audit can begin to develop and improve its knowledge:

- Challenge current internal audit professionals to be experts in data governance
- Establish performance goals that incorporate certifications, IT systems, IT frameworks and IT standards
- Incorporate IT governance, IT systems, IT frameworks and IT standards into all aspects of the methodology and knowledge management
- Develop formal and informal working relationships with the CIO, CTO, CISO and IT/IS professionals
- Seek IT professionals and train them on internal audit, the organization, etc.
- Appreciate that understanding a process is about learning how people interact with all types of technology

CONCLUSION

The maturity model is not only intended to assist internal audit departments in the calibration of activities, but also to assist in the dialogue of internal audit. Too often the overly detailed nature required for internal audit doesn't excite many, until an exception is identified. The challenge for internal audit professionals is to extend the dialogue by correlating the knowledge gained through the overly detailed areas into the wider perspective of the organization. To achieve this requires ongoing performance improvements in protocols, resources, methodology and technology.

INTERNAL AUDIT MATURITY CURVE QUESTIONS & ANSWERS

Each question is answered at five maturity levels: Level 1 (Beginning), Level 2 (Defining), Level 3 (Developing), Level 4 (Maturing) and Level 5 (Optimizing).

PROTOCOLS

Do you have an internal audit charter?
- Level 1 (Beginning): We have an informal and/or undocumented charter.
- Level 2 (Defining): We have a limited charter that does not distinguish between assurance and advisory activities.
- Level 3 (Developing): Our charter focuses on the types of assurance activities.
- Level 4 (Maturing): Our chief audit executive and the audit committee together approve the internal audit charter. The charter contains both advisory and assurance activities.
- Level 5 (Optimizing): Our charter, assurance and advisory activities are reviewed annually by the audit committee.

How strong is the function's alignment with the expectations of the audit committee?
- Level 1 (Beginning): We have informal and/or inconsistent alignment between the expectations of the audit committee and audit activities.
- Level 2 (Defining): We have limited alignment between the expectations of the audit committee and audit activities.
- Level 3 (Developing): Internal audit understands the expectations of the audit committee and attempts to align them with the plan of activities.
- Level 4 (Maturing): Internal audit meets quarterly with the audit committee, executive management and the external auditor to align around the plan of activities, in addition to regular audit committee meetings.
- Level 5 (Optimizing): The chief audit executive has a working relationship with the audit committee and Board committees. Over and above the meetings in the previous answer, sometimes internal audit presents on additional topics that are of interest to the stakeholders.

How embedded is the Institute of Internal Auditors' Professional Practices Framework (IPPF) in your organization?
- Level 1 (Beginning): We have limited knowledge of the IPPF.
- Level 2 (Defining): We are developing our knowledge of the IPPF.
- Level 3 (Developing): Internal audit implements aspects of the IPPF.
- Level 4 (Maturing): Internal audit has adopted the IPPF and has begun implementing an ongoing quality and improvement program.
- Level 5 (Optimizing): Internal audit has adopted the IPPF, has an ongoing quality and improvement program and has had regular external quality assessment reviews every five years.

How sophisticated is internal audit's approach to managing its budget and resources?
- Level 1 (Beginning): Internal audit does not have its own distinct budget or resources.
- Level 2 (Defining): Internal audit has a budget that is set by others and tracks direct costs against this.
- Level 3 (Developing): Internal audit has its own budget, which it is responsible for, and it tracks direct costs against this.
- Level 4 (Maturing): Internal audit budgets, monitors and tracks both direct and indirect costs.
- Level 5 (Optimizing): Internal audit tracks activities by cost center for budgeting, expenses and time management purposes. Internal audit actively reports on the utilization of resources, cost overruns and cost savings.

How well does internal audit communicate about its role and activities across the organization?
- Level 1 (Beginning): Internal audit has minimal or no communication with the organization's stakeholders, except during audits.
- Level 2 (Defining): Internal audit has informal, spontaneous communication with key stakeholders across the organization.
- Level 4 (Maturing): Internal audit actively communicates its role within the organization and is beginning to evaluate its reputation amongst senior management.
- Level 5 (Optimizing): Internal audit has an active communication plan with the audit committee and senior management. Internal audit directors engage in operational discussions that involve benchmarking and strategic planning with senior management.

RESOURCES

How aligned are resources, competencies and annual goals for your team?
- Level 1 (Beginning): We have no alignment between resources, their competencies and annual goals.
- Level 3 (Developing): Resources are scheduled based on their competency, annual goals and prior performance in order to balance growth and opportunity.
- Level 4 (Maturing): Internal audit resources are managed according to the previous answer. Internal audit also has a six-month junior executive rotational program to bring operational personnel into the department.
- Level 5 (Optimizing): In addition to the efforts in the previous answer, resource scheduling includes the activities of the 2nd line of defense (ERM, ORM and compliance) to ensure adequate coverage and reduce any potential duplication of effort.

How does the function approach training and credential requirements for its team members?
- Level 1 (Beginning): There is no defined training program, nor are there any credential requirements.
- Level 2 (Defining): We have a limited training program and minimal credential requirements.
- Level 3 (Developing): Internal audit has a general training program and credential requirements.
- Level 4 (Maturing): Internal audit has a formal curriculum that educates all levels on the ongoing emerging risks within the industry. It defines continuing professional education (CPE) requirements. Certification requirements depend on role and career trajectory.
- Level 5 (Optimizing): In addition to the elements in the previous answer, internal audit has also identified certain areas that require expertise and has developed a training program to encourage internal auditors to become subject matter experts.

How deep is internal audit's understanding of internal controls and corporate governance?
- Level 1 (Beginning): Internal audit resources have limited knowledge of internal controls and corporate governance.
- Level 2 (Defining): Internal audit resources have developing knowledge of internal controls and corporate governance.
- Level 3 (Developing): Internal audit resources are increasingly aware of issues like corporate culture, corporate governance and the various types of internal controls.
- Level 4 (Maturing): Internal audit monitors different types/forms of internal controls throughout the year to report on corporate culture, corporate governance and issue trends.
- Level 5 (Optimizing): Internal audit resources serve as educational trainers for the organization on the different types/forms of internal controls and also report on corporate culture, corporate governance and issue trends throughout the year.

How structured is internal audit's approach to its performance and evaluation process?
- Level 1 (Beginning): We have an informal performance evaluation process.
- Level 2 (Defining): We have insufficient coaching and performance evaluation feedback for all resources.
- Level 3 (Developing): We have informal coaching, performance evaluation and expectations for all resources.
- Level 4 (Maturing): Post fieldwork, each audit team member is evaluated. Those evaluations are included in ongoing mentoring and coaching efforts.
- Level 5 (Optimizing): In addition to performance evaluations, mentoring and coaching, career development and succession planning are main concerns.

How formal is internal audit's roles and responsibilities framework?
- Level 1 (Beginning): We have informal roles and responsibilities.
- Level 2 (Defining): We have limited roles and responsibilities, and expectations of maturity.
- Level 3 (Developing): There are formal internal audit roles and responsibilities, and authority throughout the department.
- Level 4 (Maturing): Formal roles, responsibilities and key department performance measures are tracked on an ongoing basis and communicated to stakeholders at pre-set intervals. Authority is cascaded throughout the department.
- Level 5 (Optimizing): In addition to items in the previous answer, internal audit has sought to benchmark their processes against other organizations.

RESOURCES (continued)

Are internal auditors recognized for their collaboration and knowledge sharing?
- Level 1 (Beginning): Internal auditors are not recognized by their department for their collaboration and knowledge sharing amongst team members.
- Level 2 (Defining): Internal auditors are sometimes recognized by their department for their collaboration and knowledge sharing amongst team members.
- Level 4 (Maturing): Internal auditors are recognized by their department for their collaboration and knowledge sharing amongst team members.
- Level 5 (Optimizing): Internal auditors are recognized by their department for their collaboration and knowledge sharing amongst team members. They are encouraged to use creativity to solve various challenges, while increasing their efficiency and effectiveness.

METHODOLOGY

How formal are internal audit's policies and procedures?
- Level 1 (Beginning): We have informal and/or undocumented policies and procedures.
- Level 2 (Defining): We have limited policies and procedures that do not include independence and objectivity.
- Level 3 (Developing): Internal audit has formal documented policies, procedures and processes. The documented materials describe the key attributes of an internal auditor, such as independence, objectivity, due diligence and professionalism.
- Level 4 (Maturing): Internal audit benchmarks policies, procedures and processes with other organizations. It evaluates individual performance in areas such as independence, objectivity, due diligence, integrity and professionalism.
- Level 5 (Optimizing): In addition to the previous answer, internal audit actively participates in industry events, showcasing how they have transformed their department and its operations.

How strong is the linkage between internal audit's risk assessment and its formal plan of activities?
- Level 1 (Beginning): There is no linkage between internal audit's risk assessment and its plan of activities.
- Level 2 (Defining): There is inconsistent linkage between internal audit's risk assessment and its plan of activities.
- Level 3 (Developing): There is alignment and direct linkage between internal audit's risk assessment and its plan of activities.
- Level 4 (Maturing): Internal audit knows the organization's strategic plan, objectives and annual goals. It uses this information to perform annual risk assessments, quarterly risk assessment updates, and to align the plan.
- Level 5 (Optimizing): In addition to the previous answer, internal audit knows the ERM, compliance and operational risk management plans. They are reflected in all risk assessments and coordinated with the 2nd line of defense.

What involvement does internal audit have with internal controls?
- Level 1 (Beginning): We have an inconsistent approach to testing internal controls.
- Level 2 (Defining): We are overtly focused on testing internal controls (manually).
- Level 3 (Developing): We are highly focused on testing internal controls, piloting computer assisted auditing techniques (CAATs).
- Level 4 (Maturing): Internal audit is beginning to evaluate the cost of testing internal controls and seeking opportunities to use computer assisted auditing techniques (CAATs). It is considering opportunities to develop certain continuous control monitoring approaches.
- Level 5 (Optimizing): Understanding about internal control costs is shared amongst the 2nd and 3rd lines of defense. Internal audit performs CAATs. The 2nd line of defense has some continuous control monitoring approaches that internal audit verifies quarterly.

METHODOLOGY (continued)

What is internal audit's approach to documenting its own activities?
- Level 1 (Beginning): We have limited documentation of activities.
- Level 2 (Defining): We have inconsistent documentation of activities.
- Level 3 (Developing): We have formal documentation requirements for internal audit activities, with some cursory post-fieldwork reviews.
- Level 4 (Maturing): Formal documentation templates, enablers and other tools are used by the internal audit team during planning, fieldwork and wrap-up. After fieldwork, reviews are performed by managers before draft reports are published.

How well does internal audit communicate to stakeholders about its activities, obstacles and results?
- Level 1 (Beginning): We have informal and/or inconsistent communication of internal audit's activities, obstacles and results.
- Level 2 (Defining): We have limited communication of internal audit's activities, obstacles and results.
- Level 3 (Developing): We have communication of internal audit's activities and results at pre-set intervals with various stakeholders.
- Level 4 (Maturing): In addition to the previous answer, the department actively seeks feedback to improve upon existing efforts. Internal audit's key metrics are posted on the intranet for all personnel to review.
- Level 5 (Optimizing): Internal audit has materials that describe their range of activities and the cost savings that the organization has achieved based on their activities.

How well are internal audit's exceptions and findings supported by its work?
- Level 1 (Beginning): Internal audit results are inadequately supported by its work.
- Level 2 (Defining): Internal audit results are inconsistently supported by its work.
- Level 3 (Developing): Internal audit results are adequately supported by its work.
- Level 5 (Optimizing): Internal audit managers and directors review fieldwork to validate that exceptions and findings/issues are supported by both evidence and adequate supporting documentation.

How familiar is internal audit with internal control frameworks and their deployment within the organization?
- Level 1 (Beginning): There is no knowledge of internal control frameworks such as COSO, ISO and other industry-specific requirements.
- Level 2 (Defining): There is limited knowledge of internal control frameworks such as COSO, ISO and other industry-specific requirements.
- Level 3 (Developing): There is general knowledge of internal control frameworks such as COSO, ISO and other industry-specific requirements.
- Level 5 (Optimizing): Internal audit provides high-level assistance to senior management on COSO. To preserve internal audit's objectivity, assistance was capped, and another team performed an initial post-COSO deployment review.

TECHNOLOGY

How much understanding does the internal audit team have of the organization's information technology environment?
- Level 1 (Beginning): There is insufficient knowledge of the organization's information technology environment.
- Level 2 (Defining): There is limited knowledge of the organization's information technology environment.
- Level 3 (Developing): There is a basic understanding of the organization's information technology environment.
- Level 4 (Maturing): Internal audit has a team devoted to reviewing the information technology environment.
- Level 5 (Optimizing): Internal audit has team members certified on the various information technology systems within their global environments.

What use of technology does internal audit make to improve its own efficiency?
- Level 1 (Beginning): There is insufficient use of technology to efficiently and effectively manage the internal audit process.
- Level 2 (Defining): There is limited use of technology to efficiently and effectively manage the internal audit process.
- Level 3 (Developing): There is use of basic technology to manage the various internal audit processes.
- Level 4 (Maturing): Internal audit has adopted its own technology to assist with making internal audit processes more effective and efficient.
- Level 5 (Optimizing): In addition to the previous answer, the technology has been rolled out throughout the organization to assist with other efforts beyond internal audit.

How sophisticated is internal audit's approach to reviewing the organization's technology infrastructure?
- Level 1 (Beginning): Internal audit does not review the IT of its organization through a recognized IT framework such as COBIT, ITIL, NIST, PCI, HIPAA, etc.
- Level 3 (Developing): There is consideration of IT frameworks such as COBIT, ITIL, NIST, PCI, HIPAA, and many others.
- Level 4 (Maturing): Internal audit has provided foundational training for all team members on the various IT frameworks and has incorporated COBIT considerations and controls into its planning, fieldwork and reports.
- Level 5 (Optimizing): Internal audit includes IT governance as part of its risk assessment and trains the team on various IT frameworks. COBIT considerations and controls are incorporated into its planning, fieldwork and reports.

ABOUT THE AUTHOR

Noah Gottesman is a Certified Internal Auditor with over fifteen years of compliance, internal audit, internal control and risk management experience. He has worked with a variety of global clients across diverse industries and, at Thomson Reuters, continues to serve clients in his capacity as Audit Advisory and Innovation Director within Professional Services. He assists clients with implementing products and services and serves as an internal and external thought leader and knowledge resource on a range of topics within the governance, risk and compliance (GRC) umbrella of offerings. Prior to joining Thomson Reuters, Noah spent thirteen years with a big-four accounting firm.

RISK MANAGEMENT SOLUTIONS FROM THOMSON REUTERS

Risk Management Solutions bring together trusted regulatory, customer and pricing data, intuitive software and expert insight and services, an unrivaled combination in the industry that empowers professionals and enterprises to confidently anticipate and act on risks and make smarter decisions that accelerate business performance.

For more information, contact your representative or visit us online at risk.thomsonreuters.com

© 2015 Thomson Reuters GRC03451/9-15