Mario A. Nazareth Group Chief Internal Auditor Mahindra & Mahindra Limited. Bombay Chartered Accountants Society 13 th July 2018

Transcription

1

2 Mario A. Nazareth Group Chief Internal Auditor Mahindra & Mahindra Limited Bombay Chartered Accountants Society 13 th July 2018

3 Mario A. Nazareth Group Chief Internal Auditor Mahindra & Mahindra Limited Bombay Chartered Accountants Society 13 th July 2018

4

5 How is Internal Audit defined?. independent, objective assurance and consulting activity Institute of Internal Auditors (IIA). independent appraisal function; supports management Association of Chartered Certified Accountants (ACCA). a way of ensuring businesses and public sector organizations use resources efficiently and apply process consistently Institute of Chartered Accountants of India (ICAI). provides independent assurance on effectiveness of internal controls, risk management processes and contributes to enhancing governance for achieving organizational objectives. (Proposed Revision) Institute of Chartered Accountants of India (ICAI)

6 .. an aid (to Management and the Board) on matters related to: Risk Governance Control

7 The Third line of Defense

8 Objectives of any Internal Audit Evaluate and improve the controls environment Assess whether financial and operating information is accurate and reliable Statutory compliances should be assured Streamline processes and look for redundant/ duplicate activities Attempt to bring about standardization through benchmarking Suggest improvement opportunities

9 Challenges facing an Internal Audit Team Companies are becoming multi locational, multi product A changing demographic profile because of business acquisitions and growth The rigors of Performance Management Systems adds to the strain Technology aids.. Technology inhibits too Staff turnover in Operations Operations Manuals and Process Flowcharts are they still considered relevant? New-age frauds data sampling could soon become a thing of the past continued overleaf

10 Challenges facing an Internal Audit Team (cont d) Outsourcing of operations are controls looked into or is cost the only factor? Data access privileges an illusion? Systems are made to support decision making and facilitate MIS. Do they highlight control weaknesses? Reviews of Controls & Commonality of processes strictly for Internal Auditors can they cope? Non documented processes and documentation to support business decisions how long more? Resources for Internal audit not always the brightest and the best

11 Expectations from Internal Audit Be in front of and understand the business Develop a Risk centric mindset Focus on process improvement; leverage technology effectively Move to new age audit areas including areas concerning Governance and Compliance Look at the big picture Transparency and sharpness in reporting Keep re-inventing yourself Avoid overstepping the Auditor s role Top level expectations

12 Changing attributes of an Internal Auditor.. Role: Policeman to Business enabler Viewpoint: Reactive to Predictive Outlook: Oversight to Insight Approach: Controls based to Risk based Skills set: Traditional Tools to Automated Tools Attitude: Staid to Innovative Interpretation: Data becomes Information

13 Unchanging characteristics.. Unyielding on values and ethics Knowledgeable and passionate Guided by instinct; perceptive by nature Friendly, yet aloof Tough, but with measured compassion Principled, with doses of pragmatism

14 Calendar of Significant Events in M&M Year Event 1964 Appointment of M&M s first Internal Auditor 1988 Constitution of the Audit Committee in M&M Pre , 05, 08, 10, 13 Co-sourcing of audits begins Hosted the Auditor Conclaves 2009 Begun to formulate In-house Standards, Policies, Guidance Notes 2015 Commenced the Internal Peer Review process 2016 M&M s 100 th Audit Committee meeting 2018 Re-formulation of In-house Standards, Policies, Guidance Notes NB: The above represent a selective list of events

15

16 . the voice of a Stakeholder

17 Rama Bijapurkar Independent Director

18 Sharpness in Reporting

19 The clutter of a thousand words Help get to the POINT

20 Reports - what s relevant to whom? for the CEO The Conclusion and Report Rating Relevant for the Senior Management The Executive Summary Relevant for the Operating Team

21 Audit Conclusions Our audit review indicates that there is need to introduce. The controls were found to be generally adequate in other areas selected for review. Our audit review has highlighted the need for enhanced monitoring to ensure.. This could be better achieved with the use of available System support. Our audit review has highlighted concerns about. and the absence of periodic reviews. These processes need to be considerably strengthened. Our review has highlighted the absence of a formally defined process for.. with possibilities of a bias creeping into. There is a risk that the Company.. could be exposed to needless litigation. The wide and unexplained gap between.. and.. could be a pointer to. Documentation in support of crucial decisions was not available for review. Our audit review has highlighted that there needs to be more rigor, with structured automation, in several of the key procedures and processes.

22

23 Questions in every Stakeholder s mind Are the Report Ratings and Observation Gradings biased? Are they Reliable? Is there a process for determining Ratings and Gradings? How do I interpret the Report?

24 Bias in Reporting the triple filter test What s the gut feel? Into which category do the Observations fall? What does the Rating Template indicate?

25 Rating - Long Term Scale AAA Highest Safety Rating - Short Term Scale A1 Very strong safety Statutory audit opinions Unmodified AA High Safety A2 Strong safety Modified A Adequate Safety A3 Moderate Safety Disclaimer BBB Moderate Safety A4 Minimal Safety Adverse BB Moderate Risk D Default IA indicators of assurance B High Risk A High C Very High Risk B Acceptable D Default C Minimal D Unacceptable

26 Internal Audit indicators of assurance A B C Overall Report Rating High Acceptable Minimal Individual Observation Grading C Critical M Major M Medium D Unacceptable L Low 4 alphabet 4 Colour Conclusion: Our audit review indicates that there is need to introduce. The controls were found to be generally adequate in the other areas selected for review. +

27 Year Calendar of Significant Events in M&M Event 2010 Rating and Grading System introduced across the Group Standardised Reporting at Audit Committees across the Group 2012 Mahindra Finance - Rating Template rolled out for audits of branches 2013 Template designed for Mahindra Holiday Resort audits NB: The above represent a selective list of events

28 Overall Report Rating Parameters A B C D Key internal controls provide a high level of assurance that processes are operating efficiently and effectively. Key internal controls provide an acceptable level of assurance that processes are operating efficiently and effectively. Key internal controls provide a minimal level of assurance that processes are operating efficiently and effectively. Immediate action is required to improve the operating effectiveness of controls. Key internal controls provide an unacceptable level of assurance that processes are operating efficiently and effectively. Critical observations were identified that require IMMEDIATE Senior Management attention to improve the operating effectiveness of controls.

29 Observation Grading and Root Cause Definitions Observation grading Critical Major Medium Low High risk, requires immediate Senior Management attention. High risk, requires Senior Management attention. Medium risk, requires corrective action. Low risk, with opportunities for improvement. Peoples issue Business Process IT Process Root cause definitions The exception noted results from non adherence to the laid down processes and procedures The process/ control gap is the result of an inherent limitation of the business process The process/control gap is the result of inherent limitations of the IT architecture supporting the business process

30

31 . the voice of another Stakeholder

32 Ramesh Iyer Vice Chairman and Managing Director Mahindra & Mahindra Financial Services Limited

33 Look at the Bigger Picture

34

35 Missing the woods for the trees

36 Age-old commonsense a thing of the past?

37 The Metamorphosis of an Audit Observation Data Knowledge Experience A holistic view

38 Data is effective only if it can be turned into information, and information into insight

39 Are we drowning in Information but starving versus for Knowledge?

40 Artificial vs Real Intelligence Are we drowning in Information but ignoring Knowledge?

41 Calendar of Significant Events in M&M Year Event 2006 Introduction of ACL in audits and data analytics Continuous Monitoring and development of audit Scripts More intensive use of ACL and other software in audits NB: The above represent a selective list of events

42

43 .Voice of the Auditee

44 Jasmin Suchak Deputy General Manager Corporate Management Services

45 Believing everybody is dangerous Believing nobody is very dangerous

46 The Auditee Evaluation Questionnaire An independent evaluation started in April 06 Currently 12 parameters format revised for F-08 audits A 5 point rating scale Strongly agree Agree Neutral Disagree Strongly disagree An Overall Satisfaction Score (1 to 10) Open comments Results shared with the Audit Committee

47 The Auditee Evaluation Questionnaire Scoring pattern Strongly disagree Disagree Neutral Agree Strongly agree 1. The Audit area was appropriately selected for review 2. The Audit engagement addressed the key concerns in the chosen area 3. The audit was conducted in a professional manner 4. The current Processes and Procedures were well explained to and understood by the Audit Team 5. The significant Audit Observations were promptly communicated and discussed by the Audit Team continued

48 The Auditee Evaluation Questionnaire continued 6. The audit Observations displayed sufficient depth of analysis and understanding of the issues involved 7. The Observations and Report were unbiased and objective 8. An opportunity was given to discuss the Observations in sufficient detail with all concerned before the Report was released 9. The Auditee s explanations were given due weightage in the framing of the Observations and Recommendations 10. The Recommendations are practical 11. The timelines agreed upon for completion of the Action Plans are realistic 12. The Recommendations once implemented will be value adding to the Sector/ organization

49 The Auditee Evaluation Questionnaire continued On a scale of 1 (lowest) to 10 (highest), how satisfied were you with the audit engagement Open Comments We welcome your comments and suggestions to help us serve you better particularly in those areas where your Ratings have been 2 or below.

50

51 Concluding Comments

52 . these make us proud Year Event 2008 Winners of the ACL Impact Award (Asia Pacific) 2012 Winners of the IIA Bombay Chapter Award for Innovation 2017 Group CIA is presented with IIA India s (First) Internal Auditor of the Year Award Winners of the IIA Bombay Chapter Award for Best Application of Technology

53 No one can whistle a symphony It takes a whole orchestra to play it - Luccock

54

55 If being an Auditor used to be a pleasure Which as years went by became an Today it might be viewed as a burden But not if there is a genuine acceptance of the contribution that wise and well meaning Auditors can play

56 Thank You