Effective and pro-active audit committee reporting

Transcription

1 Effective and pro-active audit committee reporting 16 June 2016 Anand Shah, KPMG Martin Robinson, IIA

2 Agenda 13:00-14:00 Registration and buffet lunch 14:00-14:10 Welcome and introduction Martin Robinson, Training Development Adviser, IIA :00 Effective and pro-active audit committee reporting Anand Shah, Senior Manager, Internal Audit, Risk and Compliance Services, KPMG 15:00-15:15 Q & A Tea break :15 Facilitated discussion 16:15-16:20 Feedback, summary and close

3 Effective and pro-active audit committee reporting Anand Shah June KPMG International Cooperative ("KPMG International"), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no services to clients. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 3 Document Classification: KPMG Confidential

4 Agenda: - What are we hearing? - What do we need to do to demonstrate value? - Core audit committee reporting content - Howshould we report and present to the audit committee?

5 Whatarewe hearing??

6 What we are hearing Emerging trends I want to know how you are using Data and Analytics to deliver efficient, effective audits We are overwhelmed by paper. We want shorter, sharper, more impactful documents We want greater visibility on overdue actions We are reviewing AC packs on ipads and other portable media you need to format it properly We need ratings that are more tailored to what we do to help us engage I want more information on emerging risks 6

7 Whatarewehearing- Data&AnalyticsExample 7

8 Whatarewehearing KPMGand Forbes survey The 2016 KPMG and Forbes surveyed of more than 400 CFOs and AC chairs on the performance, focus, value, and future of Internal Audit functions at their organisations. identified a value gap between what they identified as priorities and what they are receiving from their IA functions. Receive today Most valuable to receive Help assessing risks and risk management practices today 22% 51% 5% Informed perspective on 36% emerging risks 33% Focus on sustainable 41% profit generation Source: Seeking value through Internal Audit, KPMG International,

9 What do we need to do to demonstrate value to the audit committee? Severity Probability Categories

10 Managing our key stakeholders before they read our reports CEO Audit Committee Chair CFO 10

11 What do we need to do to demonstrate value to the audit committee? Back to basics what is the audit committee responsible for? Overseeing and monitoring the integrity of the financial statements of the organisation Reviewing the organisation s internal financial controls Monitoring choice of an organisation s key policies and principles, for example, risk management Responding to changing regulations and expectation and more 11

12 Core audit committee reporting content

13 What drives the audit committee reporting content? Company specific Geographic vs functional coverage? Regulatory requirements Audit committee charter Integrating with other assurance functions Hot topics that are of concern to the Board Changes to the business Time of the year reports are provided Annual Internal Audit Planning On-going monitoring and progress against the plan Year-end controls statement 13

14 What key information should be included? We need to clearly communicate any issues surrounding an organisation's risk management, governance and internal control processes. The commonly used reporting structures include the following headings: Executive Summary Key highlights Reviews completed High-priorities issues highlighted Internal Audit Resources & Performance KPI assessment Audit surveys Financial position Internal Audit Activity Report Audit planning updates Audits completed in the last quarter Control weaknesses and issues noted Follow up tracking: Outstanding recommendations Overdue recommendations Management comments Other activities or issues There isn t a one size fits all approach to reporting to audit committees 14

15 What other details could be included? Other areas that may sit within the Internal Audit remit and therefore need to be reported: Risk Management: Key risks and controls/activities Are these the right risks? Are these adequately mitigated? Changes in the key risks Co-ordination with other assurance providers Horizon scanning Compliance Management: Compliance with code of ethical conduct Assessment of compliance with regulations and requirements New or proposed legal and regulatory requirements affecting the organisation Education on new laws or regulations Other: Frauds and matters raised via whistle blowing process, with results and actions from any investigations 15

16 So howdo we report and present this information to the audit committee?

17 Good practice guidelines Group level issues addressed in the IA report; not minor matters Quantification and grading of issues High level pictures on the state of Internal Control and the direction of its movement Detail relegated to the appendices Clear analysis of hot spots and concerns Graphics and tabulated data Remember, the Internal Audit report is only one way to communicate. Regular communication with key stakeholders is just as important. No surprises approach! 17

18 Things to avoid Compromise wording: Significant improvements have been made in this area in the last 12 months. However, the management agenda reflects a number of issues whose resolution would enable further, necessary improvements to be made. Told you so wording: Whilst a number of improvements have been made in this area, further change is required if its management is to become world-class. Preventative wording: Wider variations in base rate and potential dynamic margin shifts to reflect market positioning would mean that the business would be more exposed to rate increases than decreases. Filler Statistics: In the last six months, we have issued 74 reports of which 27 were rated as significant. These are split by division in the table below. A further chart showing traffic light ratings etc.,. 18

19 Example Executive Summary Executive summary page 1 Key Highlights Full delivery of the internal audit plan. Regular monthly update meetings held with the Group Finance Director and Group Financial Controller with the status report and actions from these meetings forwarded to the Chair of the audit committee. Meetings held with all the Divisional Finance Directors to discuss their preferred ways of working and changes in the approach to delivering internal audit. We have also set up monthly or quarterly calls to discuss internal audit progress with each Division and have attended each of the Entity C audit committee meetings since our appointment. [Sample doughnut chart] Completed the transition of the internal audit function from an in house department to a full outsource provider and in doing so established clear working protocols and reporting templates. Met each member of the audit committee individually to fully understand their expectations of internal audit. Regular meetings held with Company B. These discussions have been around the scoping and sharing of findings from internal audit reviews to ensure our work is conducted in an efficient way. Prepared the proposed internal audit plan for 20XX-YY for consideration and approval by the audit committee. Reviews Completed High-Priority Issues Identified Good Satisfactory Weak No Rating Total A B C/D Group Entity A Entity B Entity C Entity D Entity E % 69% 19% 1% A full summary of all final reports and their grades is available in Appendix I. We have summarised all high-priority issues raised in the year and split these issues by Division and Group. 87 grade 1 issues have been raised in the year. From the analysis there also appears to be a relative even split between the Entity A and Entity B businesses which is expected given the decentralised nature of these business units. Around a third of the high risk issues relates to Entity C which can be attributed to the relative operational focus of the plan and areas not usually subject to internal audit. We will be working with Group and Divisional management in the coming months to ensure that these issues are addressed on a divisional basis. Entity C 20% Entity D 2% Entity B 24% Entity E 7% Group 13% Entity A 34% 19

20 Example Executive Summary Audit Plan Status and Results Issue ratings Activity Ref Internal Audit Activity Scope Planning Fieldwork Report [rating] Reported to AC Priority 1 Priority 2 Priority 3 Strategic 1 Strategic project management UK management office DEFERRED T0 FY11 processes 2 Back office optimisation UK, DE DEFERRED TO FY11 3 BCP / Crisis management (Canary UK Wharf) Complete Complete Satisfactory June Finance & procurement 4 Management of staff loans UK Complete Complete Satisfactory June Expenses harmonisation UK, DE DEFERRED TO FY11 6 European procurement & controls UK, DE DEFERRED TO FY11 7 Pensions controls DE TBC. The scope of Grant Thornton s external audit work over pension administration in KPMG DE is currently being confirmed. 8 Monthly close and consolidation UK, DE Complete Complete Needs Improvement Nov Key reconciliations and GL journals UK, DE, NL, CH Complete Complete Satisfactory Nov a Fnancial controls CIS Complete Complete Needs Improvement Nov Cashflow forecasting UK, DE Complete Complete Needs Improvement Sept Transfer pricing UK, DE, NL, CH, CIS DEFERRED TO FY10 12 VAT UK Complete Complete Needs Improvement Sept Payment review DE Complete Complete Needs Improvement June Follow up Treasury UK, DE Complete Complete Needs Improvement Sept Follow up key controls UK Complete Complete Satisfactory June Review of XXXXX contracts UK Complete Complete Complete Sept Facilities 16 Project AAA UK DEFERRED TO FY11 Service delivery 17 Pricing Initiatives UK, DE DEFERRED TO FY11 People & HR 18 Function HR controls UK, DE DEFERRED TO FY11 19 HR Project A UK Complete In progress 20 Follow up joiners, movers and UK, DE,CH leavers Complete Complete In progress 20

21 Example Executive Summary Results by Geography Americas Europe / EMEA SE Asia Audits Audit Results Audit Results Audit Results Red x Red x Red x Amber x Amber x Amber x Green x Green x Green x 21

22 Example formats on how to present Reports completed and key messages Audit Findings Key bullets to summarise: Number of reports issued since last audit committee report reference appendix where complete plan shown with status and, where appropriate, rating ( Audit Plan Status ). Reference to graphic showing % of ratings Year to Date i.e. In April/May, this will show all reports for the year. Use colour code as shown. As you build up comparable data, reference to previous years and any trend in ratings (e.g. % unsatisfactory reducing, etc.) Audit reports issued YTD 17% 30% Unsatisfactory (material to Group) Unsatisfactory Improvement required Satisfactory Key Audit Reports The following table summarises audit work completed, key findings and agreed management actions: Audit title/scope Overall rating Key findings Agreed actions Business A Unsatisfactory Poor adherence to company policies and procedures insufficient stocktaking controls and significant stock variances remain unexplained. Microsoft Exchange audit IT security review Indirect Procurement Cash Unsatisfactory Requires Improvement Satisfactory Excessive number of users with administrator access allowing them to view and modify all company . Lack of updated security patches exposing servers to security risks. Full stocktake scheduled in November 2004, followed by new process for PI counting and management checking. Management and third party administrator took immediate action to limit administrator access; action plans agreed for other issues, for completion by December 20XX. 53% 22

23 Example formats on how to present Internal Audit Performance Audit planning geographic or process coverage Performance against annual budget We have summarised below the movement of forecast internal audit budget Number Cost Budgeted reviews and costs per plan 14 xxx,000 Actual overruns - xx,x00 Actual savings - (xx,x00) Withdrawn/deferred (4) (xx,000) Additional requests 5 xx,000 Total cost for audits delivered 15 Xxx,000 audit committee attendance - Xx,000 Project management - Xx,000 Addition management costs - Xx,000 Overall internal audit costs 15 Xx,000 The net movement on budgeted costs is that internal audit is expected to be xx,000 under budget for the year Performance in completion of audits We have monitored and confirmed with management our adherence to due dates for completion of internal audit reviews Performance in delivery of audits As part of the ongoing monitoring of performance with individual review stakeholders we issue client satisfaction surveys. We have summarised below the survey results and the proposed actions to respond to feedback received: Issued Received Feedback forms xx xx The cumulative results of the feedback from auditees is as follows: Feedback results Very Satisfied Neither Dissatisfied Very satisfied satisfied nor dissatisfied dissatisfied No. of respondents An analysis by individual review is separately available. The following actions have been identified in response to surveys returned: Completed on due date Actual % Budget % Review Management comment Action Due date Completed on agreed revised due date xx Not completed on due date xx xx 23

24 Example formats on how to present FollowUp Tracking overdue actions Audit planning geographic or process coverage The table below shows the geographic coverage of completed Internal Audits for the last four years, management self assessment using the Minimum Control Questionnaire and the proposed three year cycle of site audits. Gaps in assurance are set out to support AC challenge. Management action status PG/Function Open Low Moderate High All All < 181 days > 180 days Overdue actions V. High All All All Total % Overdue Function A % Aged open actions Function B % Function C % Function D % Function E % 60 Function F % Function G % Function H % Function I % Total % Due in 90+ days Due within 90 days Due within 60 days Due within 30 days Overdue High Moderate Low 24

25 Recap Key messages - Managing stakeholders upfront - Clear and concise reporting - Continually evolving to demonstrating value 25

26 Thank you Anand Shah Senior Manager - Internal Audit, Risk and Compliance Services Anand.Shah@KPMG.co.uk Telephone: The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name, logo are registered trademarks or trademarks of KPMG International. CREATE: CRT062522