Advisory Services
Governance, Risk & Compliance
Caribbean Association of Audit Committee Members Inc. 2010 Conference
Caretakers of Integrity and Accountability: The Role of Internal Audit in Corporate Governance
PwC
Agenda
- Objectives
- Introduction
- The new role for Internal Audit
- Repositioning the Internal Audit function
- Questions
Objectives
- Understand the new business environment and how it impacts on corporate governance practices
- Define internal audit's role in this new environment
- Identify the measures necessary to enable internal audit to fulfil this mandate
Introduction: Fitting the pieces together
Corporate Governance defined...
- No standard definition of corporate governance, but a number of common principles have been identified
  - Direction and management of corporations
  - Objective setting and achievement
  - Risk assessment and monitoring
  - Performance optimization
  - Protection of stakeholders
  - Enhancement and sustainability of shareholder value
  - Accountability between management, board, and shareholders
The Role of the Board of Directors
Core board responsibilities include:
- Board dynamics (ensuring the board works effectively)
- Management evaluation, compensation and succession planning
- Strategy and planning
- Transformational transactions (managing mergers and acquisitions)
- Risk Management
- Measuring and monitoring performance (financial and non-financial reporting)
- External communications (disclosure to the market)
- Tone at the top (demonstrating good business behaviour)
What works best
- Director responsibilities have increased substantially over the last 10 years
  - Complexity of business operations
  - Expanded geographical scope
  - Increased demands on time for research, meetings, interaction outside of meetings
  - Increasing trend towards the use of litigation in the event of adverse performance
- Approach involves delegating specific functions to board sub-committees
- Sub-committee composition specifically tailored to meet technical requirements of specific area
The Role of the Audit Committee
- Core responsibilities
  - Financial reporting
  - Oversight of risk management and internal control
  - Regulatory compliance and ethics
- Relationships
  - Board of Directors
  - Management
  - Internal audit
  - External audit
  - Other stakeholders
The Role of the Audit Committee
- Supporting initiatives to promote efficiency
  - Training
  - Developing and maintaining financial literacy
  - Performance evaluation
The Role of the Audit Committee
- Significant linkage between oversight of risk management and internal controls and relationship with internal audit
- Underscored by definition of internal audit:
  "an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." (Institute of Internal Auditors)
Risk Oversight vs. Risk Management
- Oversight is the means by which the board determines that the entity has in place a robust process for identifying, prioritising, sourcing, managing and monitoring its critical risks and that the process is continuously improved as the business environment changes.
- Used by the board to:
  - Obtain understanding of risk inherent in strategy and risk appetite
  - Verify and assess critical assumptions underlying strategy
  - Identify dysfunctional behaviour that can lead to excessive risk taking
  - Provide feedback to executive management
Risk Oversight vs. Risk Management
- Risk Management is a function of management
- Includes appropriate oversight and monitoring to ensure policies are carried out and processes are executed in accordance with management's selected performance goals and risk tolerances
The Evolving Role of Internal Audit
After the Storm...
- It is acknowledged that risk management failures contributed to recent economic turmoil
- Corporate governance deficiencies nullified impact of risk management processes in place
- Lack of transparency, accountability and escalation in affected institutions
- Many directors and executive managers were unaware of extent of risk undertaken
- Fresh look needed...
Internal Audit at the Crossroads
- Recent focus for Internal Audit has been to support enhancement of internal controls and controls-related monitoring
- Internal controls now within the purview of business owners
- General level of internal controls has improved
- Value added by Internal Audit is perceived to have decreased
- New value proposition required
- Focus on risk-assurance
- Paradigm shift to a risk-centric mindset
Internal Audit in the New Economic Environment
- Stakeholders' primary concerns are risk assessment and risk management
- Internal Audit's traditional focus is controls oriented
- Internal Audit must adopt an all-inclusive conceptual approach to audit, risk assessment, and risk management beyond the traditional narrow focus on internal controls
- Phased approach:
  - Internal controls
  - Compliance
  - Informal risk assessment
  - Functional enterprise-wide risk management
Changing Role for Internal Audit
[Diagram; labels as extracted: Transaction Focus Stand Alone Function Participating With Management Process Focus Supporting Management Self-Assessments Audit for Coverage Risk Exposure/Identification Enterprise Risk Management Auditor Detection Prevention Enhancement Consultant]
The Prerequisites
- Engage stakeholders to understand, and respond to, their expectations
- Partner with other risk and control functions within the organisation
- Stay in front of the business, rather than lag behind
- Focus on new and significant change initiatives
- Audits performed to strengthen corporate objectives, and related risk management processes
- Incorporate COSO ERM to improve understanding of risk management processes
- Take a flexible approach
  - Annual audit plan should include unallocated time to address developing issues and contingencies
Internal Audit of the Future: Trends and Challenges
Factors impacting on the future of Internal Audit
Migration towards risk-centric approach will be driven by 5 key factors:
- Globalisation
- Changing Internal Audit roles
- Changes in risk management
- Talent and organisational issues
- Technological advancement
Globalisation
- Expansion of geographical scope of business will present challenges
  - Political risks
  - Culture
  - Varying and increasingly complex compliance requirements
- Factors also impact to some degree on regional trade and commerce
Internal Audit roles
- Going forward, Internal Audit will need to address both controls, as well as risk assurance activities
- Re-allocation of time to allow for the following to be addressed:
  - Risk management
  - Anti-fraud programmes (risk assessments, detection, and investigations)
  - Continuous auditing and monitoring
  - Integrated IT audits
  - Increased leverage of technology
Risk Management
- Traditional approach is generally risk based, but risk assessments and monitoring need to adopt a more real-time dimension
- Broader scope of risks to be considered (e.g., health and safety, HR, reputational risks, etc.)
- Consideration of existing and emerging risks
- Set plans and schedules will become redundant
- More focus on as-needed reviews, as dictated by changes in risk profile
- Allocation of resources based on greatest or emerging risk becomes more critical
Talent and Organisational Issues
- Significant competition for talent
  - Internally
  - Externally
- Career path for Internal Audit losing popularity
- Possible use of rotational staffing models
- Integration with management training
- Organisational issues still remain
  - Status within structure
  - Independence
  - Administrative reporting
Technological Advancement
- Internal Audit must be transformed to be in step with the increased use of automation to support core business functions
- Pace and volume of transactions not compatible with traditional audit techniques
- Toolkit must allow for:
  - Continuous monitoring and auditing
  - Data extraction and analysis
  - Fraud detection and prevention
  - Knowledge management/best practices databases
  - Predictive modelling tools
  - IT security
The Ten Imperatives
- Achieve sufficient strategic stature for Internal Audit within the organisation
- Develop and regularly update a formal strategic plan aligned with key enterprise-wide objectives and stakeholder expectations
- Communicate frequently with key stakeholders on their needs, expectations, and satisfaction with Internal Audit
- Align HR strategies with enterprise and stakeholder needs
- Adopt a risk-centric value proposition that focusses on enterprise risks
The Ten Imperatives
- Take an integrated approach to IT audit; enhance IT capabilities
- Leverage on technology to optimise audit operations
- Leverage Internal Audit knowledge and expertise
- Commit to continuous quality assurance and improvement
- Link performance measures with strategic goals
Questions
Thank You!