Governance, Risk and Controls (GRC) Internal audit driving quality organisations

Transcription

1 Concurrent Session 1E Governance, Risk and Controls (GRC) Internal audit driving quality organisations Alan N. Siegfried CIA CCSA CFSA CGAP Chief Audit Executive, World Bank-IMF Federal Credit Union

2 GRC Internal Audit Driving Quality Organisations Alan Siegfried CIA, CRMA, CCSA, CFSA, CGAP, CPA, CISA, CBA, CSP, CITP, MBA Director of Internal Audit, World Bank-IMF Federal Credit Union Former Auditor General, Inter-American Development Bank Board Member & Audit Committee Chair, Bon Secours Health System Immediate Past IIA Chairman, North American Board Sydney, Australia 5 March 2012

3 Table of Contents Internal Audit Expectations Update GRC Challenges What IA Can Bring to the GRC Table Final Thoughts on IA Driving GRC for Quality Organisations 3

4 Our World at a Glance Global economic challenges and issues Economic growth slowed-recession Changing regulatory environment Financial markets turmoil Shrinking workforce and massive layoffs Budget restrictions Risk management efforts ineffective Stakeholder confidence shaken Uncertainty and unpredictability Opportunity for internal audit profession to demonstrate leadership in governance, risk management, and control 4 7

5 Illustrative Downturn Risks Short term cost-cutting with destructive operational or control implications Reliance on a third party supplier, distributor, counterparty or joint venture partners with financial difficulties; what contingency plans are in place Customer dissatisfaction; over valued receivables Liquidity issues due to the tightening of credit and reduced demand Increased incentives for financial fraud Disgruntled current and ex-employees who sabotage, pilfer assets Loss or damage to reputation Internal Audit Role Help management identify risks, design GRC strategies, assess and monitor effectiveness of applicable controls 5

6 Risk of Not Responding Diminished stature of Internal Audit in surfacing and addressing emerging risks Significantly reduced credibility as a trusted governance partner Diminished value of internal audit activities Seen as being inflexible and non-responsive to emerging risk Where were the Internal Auditors? 6

7 Understanding the Difference Governance The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives Risk management A process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organization s objectives Control Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved 7

8

9 Financial Reporting Internal Audit Risk Management Internal Control Regulatory Compliance & Ethical Matters Audit Committees Areas of Focus External Audit Maintaining Measuring Effectiveness Communicating & Reporting 9

10 Key Components of Governance Oversight Stakeholders Governance Umbrella Board of Directors Ethical Values Organizational Alignment Risk Management Senior Management Internal Assurance External Risk Owners 10

11 10 Key Internal Audit GRC Challenges in the Year Ahead 1. Aligning internal audit coverage to meet new expectations 2. Realigning skills to address new requirements 3. Addressing internal auditing s role in assessing risk management 4. Leveraging technology to achieve greater efficiencies 5. Coping with diminished resources 6. Demonstrating value and adding to the bottom line 7. Maintaining stature with the audit committee 8. Developing a continuous focus on risks 9. Maintaining a focus to prevent and detect fraud 10. Implementing new IPPF 11

12 Potential Internal Audit GRC Involvement Participate in cross functional what if discussions to reconsider GRC risks and identify action plans Help design improved governance/ risk management / compliance monitoring processes (i.e., controls!) to address risks Redirect audit resources to re-assessed highest risk areas Risk assessment and risk management/monitoring practices Complex decision models such as risk/compliance monitoring and valuation Physical and system security in the aftermath of layoffs Treasury and cash/investment management Fraud risk management and loss prevention Operational reviews in processes that MUST continue to work Extended enterprise reviews 12 Internal audit review of risk/compliance management and organizational governance

13 What can Internal Audit Bring to the Table? Provide independent, objective assessments on: The appropriateness of the organization's GRC structure and The operating effectiveness of specific GRC activities. Act as catalysts for change by: Advising or advocating improvements to enhance the organization's GRC structure and practices and Providing assurance on the governance, risk management, and control processes within an organization 13 The IIA

14 GRC Challenges and Opportunities for Internal Auditors Embrace and execute a risk based approach with a balanced plan Availability of resources with relevant subject matter expertise, industry knowledge, leading practices, tools and technology Boards and management fear that potential fraud risks are not being addressed Better Overall Process Higher expectations from management and Audit Committee time constraints Better Risk Leadership Getting the right input 14 Better Knowledge of Limitations Audit Committee s and management s level of understanding of the internal audit

15 Internal Audit Value Proposition Moving the profession from recognized - to trusted - to valued contributions to your organization and assurance to stakeholders Understand the business; management s GRC strategies and objectives Focus on the right areas and the right risks Provide practical, relevant and persuasive recommendations An objective and informed reporter on governance, business risk, control, and compliance Proactive catalyst for positive change Trusted advisor on GRC issues Balance of consultative and assurance services Help protect AND grow the business Earn a Seat at the table Valued. Trusted. Recognized. 15

16 Corporate Social Responsibility Consider. Is your organization ready? To pay for what was formerly free? To take advantage of shifting demographics? To respond to activists? To anticipate your stakeholder s changing needs and expectations? IA as catalyst Understand your organization s approach and attitude Educate on breadth of risk and opportunity Assist in collecting data and benchmarking Assist in planning approach with appropriate measurements to monitor progress and risk management Ultimately, assist in designing new processes and supporting controls

17 Extended Business Relationships Supply-Side Partners Demand-Side Partners Licensees Infrastructure Vendors Suppliers Manufacturers Replicators Integrators Franchisees Distributors Advertising agencies Retailers Warranty providers Co-brand partners Joint developers Patent licensees OEMs IT outsourcing HR services Travel agencies Legal services Transaction processing Call centers Third party performance and stability How effective is your vendor management process? Are your key third parties meeting service level agreements? Are your third party relationships delivering the committed value? Do your key third parties have strong internal controls in place? Cost and revenue opportunities Have you been overbilled? Have all license fees/royalty payments been remitted accurately? Could a third party be preparing to audit your organisation?

18 Link business objectives to risks Evaluate the significance of the risk to business objectives Link Risks to Business Processes Evaluate Management and Control Activities Risk Assessment links business strategy & risks to process level risks & controls Performance objectives and major initiatives Revenue and cash flow Enhance product offering Expand into new markets Universe of key business risks Strategic Planning and resource allocation Major initiatives and programs Mergers, acquisition and divestures Economic and market dynamics Communication and investor relations Example Business processes Product Development Reputation and market share Deliver superior Customer service Provide quality products Operations Product development Sourcing Customer service Quality control Labor relations Information technology Revenue & Trade Manufacturing Operations Cost structure and capital management Maximize return on capital Maximize benefits from technology investments Increase operating efficiency Financial Market Liquidity and credit Accounting and reporting Tax Capital structure Supply Chain Distribution & Logistics Earnings and operating margins Achieve cost optimization Attract and retain top talent Governance Code of conduct Legal Regulatory Compliance Research & Development

19 IA focus on helping the organisation improve the GRC processes to drive quality Leverage organizational strategy Growth Strategy Branding Strategy (e.g., Organic vs. Acquisition (e.g., Premium vs. low cost Domestic vs. International) provider, key differentiators) Organizational Strategy Market Entry Strategy (e.g., Markets/Countries to enter, FDI vs. JV vs. partnership) Product Strategy (e.g., Product customization, Lifecycle management) Operations Strategy (e.g., Supply chain, project mgmt, level of centralization) Develop wellaligned IA strategy Internal Audit Strategy Time horizon aligned with org. strategy Driven by stakeholder expectations Compliance & making the business better Risk coordination IA initiatives Employ critical enablers throughout People, sector knowledge Critical IA Strategic Requirements Continuous risk coordination Innovation Internal Audit Business Drivers Run IA operations like a business Define Design strategic mandate Develop value charter & scorecard Determine org structure based on overarching business model Plan Execute Evaluate Conduct risk assessment Evaluate against strategy & key business drivers Determine operating structure Develop strategically aligned audit plan Execute against audit plan Use data analytics through out - build program Periodically recalibrate audit plan Assess KPIs against mandate & value scorecard Reevaluate strategy & audit plan Employ continuous improvement

20 Internal control GRC coordination: optimize coverage of key business risks by communicating & coordinating with other risk functions Future State Audit committee Governance committee Board oversight Executive management Risk committees Compliance committee CEO CFO CRO General Counsel Aligned mandate and scope Coordinated infrastructure and people Consistent methods and practices Common information and technology Business unit Business unit Business unit Business unit Coordinated GRC functions increase value, reduce costs, & improve business performance

21 Value of IA Driving an Effective GRC Program Development of a common framework Development of a sustainable process Assessment of key organizational risks Alignment of senior management and Board on key GRC components Ability to embed GRC ownership/accountability Integration of GRC functions

22 GRC Refreshed Look beyond likelihood (probability) Little or no predictive value; major value losses are often high impact / low likelihood (Black Swans) 9/11 Dot com bubble Financial scandals Oil / commodity price spikes Natural disasters Economic downturn Biases management to direct resources to high impact / high likelihood events Three key additional factors: Impact of an event on business value Organization s vulnerability to its effects Risk event s speed of onset Impact Degree to which event would affect enterprise value in absence of mitigating action Vulnerability Remaining risk after considering efforts to monitor, manage and mitigate impact Speed of Onset Time required for risk event to affect business

23 IA GRC Responsibilities TODAY Seeking to understand stakeholder expectations and evaluating effectiveness in meeting those expectations Developing and demonstrating strong communication skills to effectively convey findings and recommendations Embracing and executing a balanced, risk-based audit plan Providing leadership on issues of corporate governance, risk management, internal control, compliance, financial reporting, and fraud Willing to challenge status quo, and operating as change agents Providing a learning environment and career pathway 23

24 IA GRC Responsibilities TODAY (continued) Obtaining relevant professional certifications Staying informed on emerging trends in our profession? GRC best practices Risk assessment CAATs/data analytics Continuous controls monitoring/auditing Keeping abreast of new developments in our business, industry and regions, considering risks and taking a proactive role: Economic downturn Changes in consumer spending patterns and use of credit Margin pressure given competitor actions Currency destabilization Extended enterprise IFRS adoption worldwide Corporate responsibility and sustainability Espionage/technology terrorism Embedded processing units

25 Final Internal Audit Thoughts Risks facing our organizations are unprecedented and stakeholders expectations continue to increase Internal audit profession has an opportunity to step forward Individual practitioners and organizations must raise the bar to most effectively represent and advocate for our profession Our new challenges will bring new opportunities for our organizations, internal auditing as a profession, and each of us as professionals 25

26 Investment in Internal Audit Final Internal Audit Thoughts Stakeholders will look to us for balanced focus between compliance and business improvement, with more emphasis on business improvement Monitor Control and Compliance Risk-driven approach Leverage automated controls & data analysis Expanded risk coverage Efficient monitoring Leveraging ICFR, compliance and fraud Hindsight Business Insight Data-driven approach Focus on control and process effectiveness Leverage key performance and risk indicators Leverage benchmarks Share leading practices (internal and external) Insight Strategic and Value Advisor Strategy-driven approach Focus on key initiatives Industry expertise Process and controls optimization Operational auditing Functional expertise Data modeling Foresight Value to Organization 26

27 Thank You Questions?? 27 27