Where did that risk come from?

Transcription

1 Of special interest to Chief audit executives Insights for 5executives Where did that risk come from? Help management connect the dots on emerging risk areas At the close of the quarterly Audit Committee meeting of a large technology company, Chief Executive Officer (CEO) Malcolm W. quietly pulled aside Melanie S., the company s Chief Audit Executive (CAE). There had been a significant drop in production at one of the company s largest facilities. Malcolm could plainly see during the meeting that key information, such as local labor issues, potential materials shortages and competitor data had been available to management. Yet they had failed to connect the dots. Malcolm wanted his prized CAE to get involved. Melanie s internal audit team had a broad view of the organization. It had the clearest understanding of risks and controls and was best positioned to help management identify emerging risks that had not yet been recognized by management. Malcolm was confident that Melanie and her team could not only help management minimize risks before they compromised the company s performance, but also turn them into opportunities for the business.

2 What s the issue? In 2012, EY commissioned Forbes Insights to conduct a global survey about internal audit. In our survey, 31% of respondents cited the ability to monitor for emerging risks as one of the top five adjustments they would like to make to their internal audit function second only to enhancing the risk assessment process (40%). Often, business unit leaders and management executives below the C-suite do not have clear visibility into activities occurring across the entire organization. This lack of visibility can have a swift and negative impact on the organization s ability to respond to the organization s changing risk profile. With the ability to gain an enterprise-wide view of the organization, internal audit is uniquely positioned to provide key insights that will enable management to anticipate and respond to both identified and emerging risks. Business units often do not have clear visibility into activities occurring across the entire organization. Internal audit can help connect the dots on emerging risk areas. What are the top adjustments you would like to make to your internal audit (IA) function? (Select your top five) Cost Value Risk Improve the risk assessment process 40% Enhance ability to monitor for emerging risks 31% Enhance coverage of identified key risks 20% Reduce audit fatigue on the business 20% Improve the overall control awareness and control behavior of the organization 16% Improve coordination with other risk functions 15% Help reduce the risk of fraud 13% Improve internal audit s objectivity/independence 11% Improve assurance across all types of risks 9% Become more relevant to achieving our organization s business objectives 24% Improve overall skills and talent 20% Improve IA reporting (putting issues in perspective to the risk and identifying trends) 16% Improve ability to advise the business on major change programs 16% Gain better access to specialty skills Increase performance improvement capabilities 12% 12% Improve global presence and coverage of remote locations 11% Improve ability to advise on entering new markets 10% Improve ability to benchmark business processes and control practices 5% Provide a more valuable talent pipeline for our organization 4% Reduce overall internal audit function costs without compromising risk coverage 22% Identify opportunities for cost savings in the business 21% Improve efficiency of the internal audit function 19% Use of tools/technology to reduce costs, improve risk coverage or deliver value 15% Improve efficiency and effectiveness of the control environment 13% Improve flexibility for staffing or budgeting; expand/contract as needed 10% Improve collaboration with, and reliance for, external audit 6% Gain access to offshore personnel at a reduced cost for routine work 4% We do not want to improve our IA function 3% 0 % 10 % 20 % 30 % 40 % 50 % 2 5 Insights for executives

3 Why now? With a continued focus on globalization and the ever-accelerating pace of technological innovation, organizations need to rethink operating models to remain competitive. There are a number of areas creating opportunities to increase efficiency and speed to market. These include: Operating and selling in emerging markets Technology that enables niche businesses to turn the competitive landscape on its head Greater use of third-party suppliers However, these opportunities also create risks that the business never had to focus on and think about. Economic volatility and increased regulatory scrutiny are also adding new dimensions to the risk landscape. In a world where change is the only constant, internal audit needs to become the forwardlooking eyes of management and the Board. In a world where change is the only constant, businesses striving to adapt cannot afford to fall behind. Internal audit needs to become the forwardlooking eyes of management and the Board, offering visibility not only into the risks they know and monitor today, but also where new risks may emerge as the business continues to change. 5 Insights for executives 3

4 How does it affect you? Not anticipating emerging risks can have negative consequences on an organization s operations, reputation and bottom line. To position internal audit to help management identify the risks that matter, both existing and emerging, the function will need to have the right competencies. This includes analytical skills, business acumen, regulatory knowledge, communication skills, and the ability to effectively evaluate risk indicators and leverage information from within and outside the organization. Internal audit needs to have the right competencies to help management identify the emerging risks that matter. 4 5 Insights for executives

5 What s the fix? There are six activities internal audit can undertake to add value and provide the insights management needs to address emerging risks: 1. Develop an internal audit-specific strategic plan and an operating framework. To maximize its relevancy to the organization, internal audit needs to develop an internal audit-specific strategic plan that aligns to the organization s broader strategic business priorities. The function then needs to develop an operating framework that focuses on the organization s strategic objectives, links to the enterprise risk management program and incorporates emerging risk into the risk assessment process. A dynamic risk assessment process should be the cornerstone of the framework. 2. Employ data analytics and leverage continuous monitoring, when available. When embedding data analytics into the framework, internal audit should pay particular attention to data gathering and analysis as a means to proactively identify changes in the risk profile. Predictive analytics can help drive future soft spots in the organization and refocus internal audit as changes occur. Continuous monitoring performed by the business can also highlight changes in the risk profile. Internal audit should have a link into any continuous monitoring leveraged by the business as a way to track and forecast potential emerging risk areas. 3. Develop communication protocols that foster open discussions with management and key stakeholders within the organization. This should include scheduling regular meetings with key members of business management, including the C-suite. These discussions should address not only emerging risks and key risk trends, but also other business and risk topics. Internal audit should also involve a wide range of stakeholders, such as finance, compliance and legal in regular discussions around emerging risks and the organization s overall risk profile. 4. Conduct regularly scheduled internal audit analyses and discussions of collected data with a view to connect the dots. Because of its enterprise-wide view of the organization s activities, internal audit is uniquely positioned to combine the results of its audit work and collected information to evaluate the cross-functional impact of changes in the risk profile. This process encourages greater coordination among audit teams, enables a more comprehensive analysis of the organization s current and potential risks, and provides an opportunity to help management identify emerging risks enabling them to appropriately respond in a timely fashion. 5. Sponsor the creation of or increase the involvement of a management risk committee. The management risk committee can help to assess whether management has identified and is addressing key current and emerging risks. Members of a risk management committee may include leaders of the business, strategy, finance, legal, credit, compliance, internal audit and other functions as appropriate. The knowledge and perspectives of these functions can help the organization get ahead of emerging risks and potentially seize a competitive advantage. 6. Establish a template for consistent reporting to senior management and the audit committee. Coordinated risk reporting will give the audit committee a broader perspective into the health of the organization. In our survey, stakeholders indicated they are seeking significantly higher risk coordination in the next two to three years. Depending on the audit committee s requirements or interest, internal audit may deliver periodic emerging risk updates to them. Developing and delivering such reports in partnership with management would provide a comprehensive and consistent view to the audit committee. An effectively crafted internal audit operating framework will enable the function to stay current on changes occurring internally, within the industry and within markets in which the organization competes. 5 Insights for executives 5

6 What s the bottom line? In our survey, 75% of respondents believe strong risk management has a positive impact on their long-term earnings performance. Our client experience and research validate this belief. Similarly, 75% of survey respondents believe that their internal audit function has a positive impact on their overall risk management efforts. And yet, 80% acknowledge that their internal audit function has room for improvement. With visibility across the enterprise, internal audit can improve its value to the organization by providing management with much needed insights on emerging risks. Internal audit can help the organization anticipate the risks lurking around the corner and turn risks into results. 6 5 Insights for executives

7 With visibility across the enterprise, internal audit can improve its value to the organization by providing management with much needed insights on emerging risks. Want to learn more? The answers in this issue are supplied by: Brian M. Schwartz Americas Internal Audit Leader Ernst & Young LLP Craig D. Faris Americas Risk Transformation Leader Ernst & Young LLP For related thought leadership, visit 5 Insights for executives 7

8 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. About EY s Advisory Services Improving business performance while managing risk is an increasingly complex business challenge. Whether your focus is on broad business transformation or more specifically on achieving growth, optimizing or protecting your business having the right advisors on your side can make all the difference. Our 30,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and exceptional client service. We use proven, integrated methodologies to help you solve your most challenging business problems, deliver a strong performance in complex market conditions and build sustainable stakeholder confidence for the longer term. We understand that you need services that are adapted to your industry issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where your strategy and change initiatives are delivering the value your business needs. We want to hear from you! Please let us know if there are subjects you would like 5: insights for executives to cover. You can contact us at: fiveseries.team@ey.com 2013 Ernst & Young LLP. All Rights Reserved. SCORE No. BT0348 ED 0133 This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice. ey.com/5