10 Risk Management Imperatives for Internal Auditing

Disclaimer

Copyright 2009 by The Institute of Internal Auditors and its Audit Executive Center, located at 247 Maitland Avenue, Altamonte Springs, Fla. All rights reserved. Published in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording, or otherwise) without prior written permission from the publisher.

The IIA publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be retained.

Acknowledgment

The IIA would like to specifically acknowledge Richard J. Anderson, CFSA, CPA, for his extraordinary assistance in organizing and facilitating the CAE roundtable along with his work in authoring the final report. Anderson is Clinical Professor for The Center for Strategy, Execution, and Valuation and Strategic Management Lab at DePaul University. J. Christopher Svare, managing director of Partners in Communication LLC in Northbrook, Ill., was also integral to the writing process and played a key role in developing the report.

Table of Contents

Introduction
1. Assess the Organization's Current Processes and Capabilities
2. Coordinate With Other Risk and Control Functions
   Develop a Unified Approach
   Adopt an Enterprise View of Company Risks
   Foster or Participate in an Enterprise Risk Council
3. Participate in Summits With Key Stakeholders
4. Help the Organization Develop Near-term Strategies
5. Strengthen Top-level Communications
6. Define Internal Auditing's Role
7. Audit Risk Management Incrementally
8. Assess Audit Skills and Capabilities
9. Execute the Audit Strategy With Appropriate Reporting
10. Keep up With Evolving Practices

Introduction

Today's business environment is characterized by mounting pressures for stronger, more effective risk management. There is a sharp focus on risk oversight, considered by many observers to be the top governance issue facing corporate boards in a post-meltdown world. Audit committees are pushing for holistic risk management, stepped-up risk mitigation, and enterprisewide risk assessments. As one chief audit executive (CAE) puts it, "The audit committee has been getting piecemeal looks at risk, and now they want the full picture."

For the most part, internal auditors appear to be well aware of these pressures. In a recent IIA Global Audit Information Network (GAIN) survey, Internal Auditing's Role in Risk Management, nearly three-fourths of respondents said they see a growing need to provide their audit committee with a greater understanding of organizational risk management processes. In addition, 44 percent reported being asked by their audit committee for recommendations on how to enhance the organization's risk management process.

When asked about current risk practices at their organization, more than 72 percent of respondents from Fortune 500 companies said the entity had either a formal or informal risk management program in place, and nearly two-thirds characterized their firm's practices as informal but evolving. Collectively, these findings show indications of organizational progress along the risk management maturity continuum.

In light of this apparent progress, internal auditors need to examine whether they have achieved similar types of gains in promoting risk management goals or providing assurance over risk management activities. This issue was raised by PricewaterhouseCoopers (PwC) in a 2007 publication titled Internal Audit. At the time, PwC analysts pointed to potential value gaps for internal audit functions failing to keep pace with maturing risk practices.

The current evidence of evolving organizational risk management maturity heightens this concern. The question for internal auditors, simply put, is this: Have you kept up, or are you falling behind? Is there a value gap in the risk management arena that you need to address? Moreover, what are internal audit leaders doing in the area of risk management that might work well in your organization?

To explore these and other related issues, The IIA recently hosted a roundtable discussion in San Diego focusing on current risk management challenges. Attendees included CAEs from Fortune 250 organizations as well as representatives from professional service firms, The Committee of Sponsoring Organizations of the Treadway Commission, and the National Association of Corporate Directors. Several key themes emerged from the discussion, forming the basis for a series of leading internal audit practices. These 10 risk management imperatives can help CAEs better serve their organization and ensure they're keeping pace with evolving approaches to organizational risk.

1. Assess the Organization's Current Processes and Capabilities

To strengthen organizational risk management, internal auditing should first conduct a detailed assessment of the organization's risk management processes, many of which might be undocumented and informal. The assessment should help build an inventory of risk processes and serve as a foundational baseline. It should also help determine the organization's ability to identify, analyze, monitor, and mitigate significant risks that could impede achievement of organizational objectives.

Some key questions to consider in this evaluation:

- Is the organization taking a top-down, holistic approach to risk management that considers strategic, financial, operational, and compliance risks and is linked to your strategic and business-planning processes? Does it identify who owns major risks?
- Is the organization formalizing and building consistency among its risk management processes?
- Does the organization have a systematic way to categorize and prioritize identified threats, project their likelihood of occurrence, and estimate their potential cost?
- Are appropriate steps being taken to build or reinforce the concept of a risk culture across the organization?
- Is the organization mapping risk exposures against existing risk-mitigation measures to identify potential gaps and vulnerabilities in risk oversight to be brought to the attention of senior management and the board?
- Is the organization taking a portfolio approach to risk management? Does it take into account potentially significant variations in risk management processes across business units and within functions?
- Does the organization have an ongoing, sustainable process in place to identify and track emerging risks?
- Is the organization appropriately assessing its exposure to any high-impact, low-probability risks, such as pandemic or systemic risks, that could pose a major organizational threat?
- Has the organization established communication protocols and procedures to share risk information on an enterprisewide basis?
- Does the organization identify upside risk potential and share these insights with management and the board?

In The IIA's August 2009 survey of risk management practices, 68.8 percent of respondents indicated that internal audit activities conducted organizationwide risk assessments at their organization.

2. Coordinate With Other Risk and Control Functions

Look for opportunities to partner with other risk and control functions while maintaining your functional independence and objectivity. For example, consider involving other risk and control functions in the assessment of risk management processes recommended in Imperative No. 1. Also consider how the functions can collaborate on an enterprisewide assessment of risk management processes.

Roundtable participants agreed that most organizations would benefit from a common, single risk assessment developed by internal auditing in concert with other governance, risk, and control (GRC) functions, in addition to a single risk profile. It's also important to establish communication protocols and procedures to share risk knowledge and information on an enterprisewide basis.

Develop a Unified Approach

Roundtable participants cited the lack of a common risk language and uniform risk management processes and methodologies as a significant obstacle to effective enterprise risk management (ERM). One CAE said an organization that lacks a single approach to risk management has a great opportunity to establish a common language and taxonomy for risk and risk elements. The CAE also suggested that internal auditors, risk managers, and other control leaders should develop and leverage common risk assessment methodologies and databases to enhance their overall effectiveness.

Adopt an Enterprise View of Company Risks

Only by taking an enterprisewide approach to risk management can an organization effectively address the type of silo risk management behavior that contributed to the meltdown of so many financial services companies in recent years. Too often, organizations manage their risks on either a functional or line-of-business basis with insufficient oversight from an enterprisewide perspective. CAEs should coordinate and collaborate with their counterparts in finance and risk management to address silo issues and develop an effective ERM framework.

Foster or Participate in an Enterprise Risk Council

About a third of roundtable participants reported that their organization had some type of enterprise risk council that comprised members of management. Such groups tend to meet quarterly and track major risks. The councils "provide a coordinated approach to strengthening risk management," said one roundtable CAE, adding that they "help you cover your bases." Another CAE's organization instituted a risk council to achieve a common approach to risk management across the company after noting significant dissimilarities in the way various lines of business and functions were approaching the risk management process.

What are the key success factors for such councils? The CAE of a major national retailer said it's important that the council reflect a diverse set of inputs and perspectives. "An IT person will have a different vantage point than a line-of-business head," she said, adding that one never knows which council members will provide the most valuable insight. For example, the retailer's head of corporate communications is one of the top contributors to the company's Enterprise Risk Council, particularly with regard to issues surrounding reputational risk.

It's also important to keep council members interested and participating, and to show them how they're helping the organization, said the CAE, who regularly shares articles and insights with council members to keep them engaged.

In organizations currently without a risk council, internal auditing has an opportunity to serve as the catalyst for the formation of one. CAEs can advise management on the potential benefits of risk councils as well as leading operating practices.

3. Participate in Summits With Key Stakeholders

To many observers, risk oversight is the No. 1 priority for directors and management alike in today's post-meltdown business environment. It's critical for CAEs to facilitate in-depth discussions with senior management and directors about risk management issues and priorities to ensure that internal auditing and other key risk players understand their chief stakeholders' expectations. Ideally, such an effort would be conducted jointly by internal auditing and any other key risk and control players, such as the chief risk officer, in addition to senior financial officers. Plan to brief members of the audit committee and senior management on a regular basis, and consider holding a series of educational seminars with directors to provide an ongoing vehicle for two-way communication on this essential topic.

4. Help the Organization Develop Near-term Strategies

After assessing current risk management processes and revisiting stakeholder expectations, try to facilitate the development of near-term organizational risk management strategies. Discussions at the roundtable point to the benefits of organizations taking a step-by-step approach to risk management. Accordingly, facilitate a plan to achieve the organization's next step in terms of risk management maturity, as opposed to the final stage in the developmental process.

Although internal auditing should refrain from any decision-making role in the development of risk management strategies, the CAE can serve as a valuable adviser to both senior management and the board of directors. If your organization lacks an ERM strategy, suggest options for consideration. Scope out the benefits of a step-by-step approach to ERM and suggest what these steps might be. Also consider delineating the roles of the various risk and control functions relative to risk management.

5. Strengthen Top-level Communications

As the organization steps up its focus on risk management, keep executive management and the audit committee well-informed of the organization's progress and strategic direction. Explore how to enhance risk reporting to the committee and seek to make risk considerations a central discussion item on the audit committee's agenda. Encourage the audit committee and executive management to take a fresh look at the organization's risk appetite and risk tolerances. Roundtable participants agreed that risk appetites and tolerances are difficult topics for both management and directors to address, creating an opportunity for internal auditors to assist and serve as strategic advisers in these areas.

As part of the process, suggest that the board of directors and executive management meet as a group to test how they would respond to various what-if risk management scenarios. Recognize that new members of the audit committee can serve as positive catalysts for change; encourage their input. At the same time, develop tactics to overcome obstacles to effective reporting, such as members of the audit committee with narrow viewpoints.

Consider a CEO/CAE Partnership to Ensure a Holistic View of Risk

One roundtable participant, the CAE of a major retailer, is partnering with the company's CEO to present a shared view of risk that combines the CEO's top-down view of risk with the CAE's bottom-up risk assessment. In the partnership, the CEO, who also serves as the company's chief risk officer, articulates the big risks and tells the CAE what the board is doing. In turn, the CAE gives the CEO the straight scoop about line-of-business activities and indicates where the CEO might be receiving misleading information. The CAE also assures the CEO that internal auditing's presentations to the audit committee and board of directors reflect the CEO's thinking.

6. Define Internal Auditing's Role

After facilitating a strategic reassessment of the organization's approach to risk, work with chief stakeholders to develop an appropriate role and strategy for internal auditing related to risk management. If the organization's risk management processes are in the developmental stage, internal auditing might prefer to adopt a consulting role. Conversely, if risk management processes are developed sufficiently to audit, then internal auditing can play an assurance role. Practitioners should recognize that internal auditing's role will likely evolve along with the organization's risk management processes.

Discussions with internal auditing's chief stakeholders are also an opportunity for the CAE to review both the near- and longer-term roles for the audit function as well as the value it can deliver at different stages of risk management maturity. At the end of this discussion process, all parties involved must share a clear understanding of what is expected of internal auditing and agree on the anticipated value to be delivered by the function. Internal auditing should also consider revising its charter to reflect its updated role and value proposition, and it should clarify with stakeholders any limitations of audit independence.

For further insight, consult The Role of Internal Auditing in Enterprise-wide Risk Management, an IIA position paper issued in January 2009.

ERM at Midmarket Companies

By David Landsittel, Chairman, The Committee of Sponsoring Organizations of the Treadway Commission; San Diego Roundtable Participant

For years, internal auditors have been playing key roles in the implementation and management of enterprise risk management (ERM) processes at midmarket companies. For reasons of efficiency and resource management, internal auditing's focus has been on the development of processes related to ERM as opposed to the establishment of a separate ERM function.

Not surprisingly, internal auditors have been taking the lead on ERM process development for midmarket companies. Given the extent of their work in compliance and operational auditing, internal auditors tend to develop a solid understanding of the businesses they serve from an enterprisewide perspective. In addition, internal auditors often have the organizational contacts and relationships needed to jump-start ERM process implementation. Most importantly, however, the skill sets and competencies needed to succeed in internal auditing correlate strongly with those needed for ERM implementation and management. In other words, internal auditors:

- Have the training and experience necessary to evaluate business processes, starting with those integral to the maintenance of a sound system of internal controls and extending to those involved with the evaluation of operational processes.
- Are well-equipped to identify and assess risks, tasks at the heart of traditional internal control auditing activities.
- Have, in their traditional roles, been instrumental in the formulation of recommendations to address and mitigate identified risks.

Finally, the active involvement of internal auditing in ERM adds assurance that there will be appropriate correlation between the high-priority risks identified through ERM measures and the annual planning of the internal audit function. That is, the risk-driven allocation of internal audit resources to compliance and operational project alternatives will more likely be correlated with those ERM-driven risks that are assessed as the most important to the organization.

Key suggestion: Evaluate management's risk management processes and maturity levels as part of your annual audit plan.

Recent survey data confirm that risk management practices are continuing to evolve in most organizations. Accordingly, internal auditing needs to re-assess management's risk management processes and maturity periodically and revise the annual audit plan appropriately. As risk management processes mature and become more formal, internal auditing should increase its assurance coverage of them. Changes to the audit plan will also require internal auditing to consider the skills and tools it needs to keep pace with these maturing processes.

7. Audit Risk Management Incrementally

Roundtable CAEs spoke enthusiastically about the benefits of taking a step-by-step approach to auditing risk management. "You can't audit all of your company's ERM activities, but you can evaluate parts of them and look at how they get their data," said one CAE. "Bite off manageable chunks; audit risks in a given area," said another. "Don't try to be world-class all at once," said a third CAE.

When it comes to setting priorities, audit committees and executive management want internal auditing to concentrate on areas posing the greatest risks: those that could impact achievement of major corporate objectives. "Make sure to identify and monitor key strategic, operational, and business risks," advised one roundtable CAE. Another recommended singling out the three to five risks that could destroy the organization, including the types of high-impact, low-probability risks that contributed to the subprime mortgage crisis.

Other suggestions offered by the roundtable CAEs include:

- Keep in mind factors of vulnerability, speed of impact, and level of loss.
- Assess the degree of uncertainty for each major risk.
- List planned or completed audits related to each major risk.
- Consider risk factors identified in the company's 10-K report.

8. Assess Audit Skills and Capabilities

One of the challenges facing internal auditors seeking to expand their scope of risk management activities is the perception that risk management is beyond the scope and capabilities of internal auditing. "Many auditors think control first and lack an adequate business perspective," said one roundtable CAE. "Internal auditing needs to provide value beyond compliance, and it's hard to add value when you've been focusing on Sarbanes-Oxley," said another.

As an organization's risk management capabilities increase, there needs to be a corresponding increase in the capabilities internal auditing can provide to the organization. In today's business world, internal auditors are being asked to identify and correlate risks across multiple lines of business and functions. They are also being asked to examine complex financial transactions and to make presentations to executive management and the audit committee. And when an organization's risk management capabilities have reached a sufficient level of maturity, internal auditors are being asked to provide assurance on ERM business processes.

The perception that risk management is beyond the scope of internal auditing is the most significant challenge to an effective review of risk management, according to the GAIN survey on internal auditing's role in risk management. Respondents also cited internal auditors' lack of knowledge about risk management practices and techniques as a significant handicap. The top skill needed to assess risk management processes effectively is business and industry knowledge, according to the survey, followed by risk management expertise and good communication and facilitation skills. In terms of business and industry knowledge, the survey results indicate it is particularly important to have a solid grasp of an organization's risk history, risk and control landscape, and risk appetite, in addition to its mission, strategic plan, and business drivers.

To meet heightened stakeholder expectations, CAEs need to conduct a critical assessment of their staff capabilities and resources. Important questions to consider include:

- Do you have the skills, expertise, and business knowledge needed to achieve your short- and longer-term objectives?
- If your organization has advanced risk management capabilities, can you provide assurance over risk management activities?
- Do you need third-party assistance to secure access to the actuaries, subject-matter experts, and specialists required to interact effectively with senior management and the audit committee?
- Do you have an adequate budget?

With the insights gained from such introspection, CAEs will be better able to address any gaps they discover between stakeholder demands on internal auditing and their ability to deliver on these demands.

9. Execute the Audit Strategy With Appropriate Reporting

Effective reporting is central to successful internal auditing and risk management. Determine the type of reporting that best suits your particular internal audit function. For organizations with more formal or maturing risk management processes, it might be appropriate to perform audits and then issue assurance reports. For organizations that are just developing risk processes, internal auditing might play a more consultative role and issue consulting reports. If the organization has yet to produce any risk reports, internal auditing should consider other types of reporting that could provide management and directors with important updates on the organization's risk profile or other risk-related changes. Auditors should also consider providing the audit committee with periodic updates on the implementation of management's risk management strategy.

Responses from The IIA's GAIN survey of risk management also support a variety of reporting approaches:

- 32.9% of survey respondents provide assurance on the risk management process through written reports.
- 43% provide written assurances that risks are correctly identified.
- 35.4% provide consulting reports to improve or implement the risk management process.
- 55.7% provide assurance through written reports on the management of key risks.

During the roundtable event, CAEs discussed the various ways they report on their auditing of risk management. Most indicated that they are auditing and reporting on one aspect of risk management at a time, as opposed to performing a single, organizationwide audit and producing a report covering all of the enterprise's risk management processes. For example, at one roundtable CAE's organization, the internal audit function is currently reporting on the organization's risk responses and next year plans to review risk identification. At another CAE's company, internal auditing is prompting audits of individual risk functions, such as environmental health and safety, and issuing reports on that basis.

CAEs also discussed the need to specify carefully the scope of their audits and resulting reports so as not to mislead readers into reaching conclusions that are more broadly based than is warranted by the scope of the work performed.

Periodic reporting on risk to executive management and the audit committee was also a topic of discussion at the roundtable. Two common areas of focus for such reports, which are generally produced on a quarterly basis, are emerging risks and changes in the organization's risk profile.

10. Keep up With Evolving Practices

As risk management practices and processes continue to evolve, it's important for CAEs to keep abreast of relevant internal audit practices and to ensure the organization benefits from their up-to-date insights and perspectives. For example, credit rating agency Standard & Poor's has begun to include ERM assessments in its ratings of nonfinancial companies (see the sidebar "Seven ERM Questions From Standard & Poor's" below). In addition, the National Association of Corporate Directors, The Committee of Sponsoring Organizations of the Treadway Commission, and other leading organizations are producing numerous studies and papers focusing on risk management practices that offer useful information and insights for internal auditors.

To monitor changes in risk management relevant to your organization:

- Periodically search the Internet for new reports and studies on risk management.
- Ensure that you are receiving information from The IIA, professional services firms, and other key sources on the subject of risk management.
- Strengthen your organizational processes and capabilities to share risk management knowledge across the enterprise with key decision-makers.
- Consider designating a risk management knowledge leader within internal auditing who would acquire and distribute current risk management information and insights.

CAEs are also advised to work with their chief stakeholders and other players in risk management to revisit organizational risk management practices and related internal audit strategies on a regular basis (quarterly, if possible). In doing so, CAEs should keep in mind the need to:

- Conduct ongoing risk assessments.
- Recognize change as it's occurring.
- Monitor emerging risks across the enterprise.
- Maintain an incremental, step-by-step approach to ERM implementation.
- Keep executive management and directors aware of continuing developments in risk management.

Seven ERM Questions From Standard & Poor's

In May 2008, credit rating agency Standard & Poor's (S&P) announced plans to include enterprise risk management (ERM) assessments in ratings of nonfinancial companies. In the third quarter of last year, S&P analysts began to incorporate specific ERM discussions into meetings with companies rated by the agency. The following questions provide the basis for these discussions and may be useful to internal auditors in assessing the state of their organization's risk management processes.

1. What are the company's top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?
2. What is management doing about top risks?
3. What size quarterly operating or cash loss has management and the board agreed is tolerable?
4. Describe the staff responsible for risk management programs and their place in the organization chart. How do you measure the success of risk management activities?
5. How would a loss from a key risk affect top-management incentive compensation and planning/budgeting?
6. What discussions about risk management have taken place at the board level or among top management when strategic decisions were made in the past?
7. Give an example of how your company responded to a recent surprise in your industry. How did the surprise affect your company differently than others?