Heads of Internal Audit Webinar. Integrated Assurance. 24 July 2013. In partnership with Thomson Reuters.

Transcription:

Heads of Internal Audit Webinar: Integrated Assurance. 24 July 2013. In partnership with Thomson Reuters.

WELCOME TO THE WEBINAR
The audio for this webcast will be broadcast via your PC speakers; you do not need to dial in. If you are unable to use your PC speakers, please click on the Request icon on the WebEx tool bar to receive teleconference information. Please submit your questions in the Q&A window. If viewing in full screen mode, please click the icon in the floating participant panel tray. We will address as many questions as time permits at the end of the presentation.

THOMSON REUTERS GRC

WEBINAR PRESENTER: Vicky Kubitscheck, CFIIA
Vicky is an independent advisor, and an executive member and Chief Risk Officer at Police Mutual Group. She has over 25 years' experience working alongside boards and executive management, and leading and managing the strategic development of governance, risk, regulatory and assurance frameworks in both the private and public sector and across a number of industries. Vicky chairs the Insurance Internal Audit Group (IIAG), is a member of the Institute of Directors, a Fellow of the Chartered Institute of Internal Auditors and a Professional Member of the Institute for Operational Risk. She will be sitting on a new Advisory Group set up by the FRC to assist them in reviewing possible changes to the UK Corporate Governance Code and integrating the principles of the recommendations of the Sharman Panel with the FRC's Guidance on risk management and internal control (Turnbull).

INTEGRATED ASSURANCE: Beyond boundaries of risk, compliance and governance
AGENDA
Introduction: an overview
The case for rethinking assurance
What is integrated assurance? Key features of integrated assurance; why it is important for effective governance
Practical implementation: key considerations; practical examples
Discussion

Integrated assurance: an overview
No universally agreed definition (yet); variations in interpretation and application at different levels.
Various terms used, eg Coordinated Assurance, Combined Assurance, GRC (Governance, Risk and Compliance), Enterprise Risk Management.
Common characteristic: coordination between assurance functions, including internal and external audit.
Thrust of the IIA definition: coordination and the role of internal audit.

The case for rethinking assurance in the boardroom
Assurance is intuitive and often taken for granted until something fails.
The financial crisis exposed weaknesses in governance and in the quality of assurance.
A better appreciation of the assurance food chain is needed to restore confidence.
An integrated view of risks, and of assurance over the effectiveness of risk management.

7 The case for rethinking assurance in the boardroom
The financial crisis exposed weaknesses in boardroom practice: risk and its assurance were disjoined.
Level of informed risk taking and oversight
Adequacy of assurance against excessive risk taking
Openness and transparency
Accountability, skills and competency
Common themes from post crisis analyses:
Boards did not sufficiently challenge the executive.
Boards did not understand their business models adequately, or higher risk activities, eg services, products, M&A processes.
Boards did not receive appropriate management information to assure themselves for the proper discharge of their oversight role.

8 Restoring confidence in the boardroom: rethinking assurance
No risk free zone in the boardroom.
Assurance is a transaction to inspire and maintain confidence.
The board sits at the highest level of the assurance food chain and sets the tone for its demand and supply.
Need to take assurance from an intuitive to a practical level in the boardroom.
More risk based assurance across the three lines of defence, beyond functional boundaries and silos, ie more joined up.
"Assurance is often intuitive among experienced non execs, but boards require an effective process to maximise the benefits of their experience" Glen Moreno, Chairman of Pearson, Deputy Chairman of the FRC, Ex Chairman UKFI, NED

9 What is Integrated Assurance? Key characteristics of integrated assurance
Promotes risk management and its assurance as an integrated process across functional boundaries.
Provides a holistic or aggregate view of risk assurance, enabling a view of residual risks based on the level of assurance the organisation has over its controls and risk mitigation strategies.
Joined up view of risks: one truth.
Based on a methodical process:
Identifies the principal risks and core business activities or processes against the business model and operating environment.
Maps the nature and level of assurance available across all lines of defence against each principal risk and core process (assurance maps).
Assesses the adequacy of assurance activity against the board's risk appetite and tolerances.
Determines enhancements to satisfy the board's risk assurance requirements.

10 Why is it important for effective governance? The case for implementing integrated assurance
Impact of different truths of risks and risk taking across the organisation:
Obscures the effectiveness of risk strategy and leads to blind risk taking that exceeds the board's risk appetite.
Undermines the integrity of valid assurance: which truth to believe?
Reduces the board's confidence in the organisation's risk mitigation and systems of internal control.
Distracts management and the board from the things that really matter.
Gaps, overlaps and duplication in assurance activity; sub optimal use of resources.
Blurs accountability between the three lines of defence.
Silo approach to risk identification, assessment, mitigation and reporting.
Inconsistent views, sub optimal decision making and uninformed risk taking.

11 Implementing Integrated Assurance: three levels of application, each level building on the last

Level 1: Integrated Assurance Planning
Purpose: assurance mapping in respect of the principal risks of the enterprise, to identify gaps in the provision or contribution of assurance across the 3 lines of defence.
Main application: to inform internal audit planning and other risk assurance planning.

Level 2: Enhancing Integrated Assurance
Purpose: to determine the nature and level of assurance being provided from each line of defence, in order to assess areas for improvement.
Main application: to identify areas where the quality of risk assurance methodology could be improved across all lines of defence.

Level 3: Integrated Assurance Oversight
Purpose: building on Level 2, to collate the outcomes of the assurance activity that is operating at the optimal level across the 3 lines of defence.
Main application: to gain a holistic picture of the level of confidence in the underlying controls and risk mitigation strategy across all lines of defence; facilitates forward looking risk and assurance discussions.

Health warning: the assurance map is not the goal.

12 Example template of assurance mapping at Level 1 application of integrated assurance
1. What to include in the mapping
2. Mapping across the three lines of defence
3. Defining the key; this will be different for each level of application

13 Practical implementation: key considerations
Different levels of application and scope: three key levels of application (slide 8); 5 key options, from Group wide and Group level only to entity or even risk specific.
Pilot implementation: identifying allies and partners.
Options depend on: mandate from the top; resources and skills; risk and assurance maturity.
Top 3 key challenges: lack of definition; resources and ownership; risk maturity.

14 Practical examples and discussion
Case study 1: Listed global telecommunications organisation. Implementing Level 2, progressing to Level 3; led by Risk and Internal Audit. Identified credible assurance providers in the 1st and 2nd lines of defence; extending scope and improving integrated assurance reporting to the Group Audit Committee.
Case study 2: UK based financial services company. Deployed existing framework at Level 3 to provide the Group Audit Committee with a deep dive, integrated risk assurance view of a subsidiary prior to the Board's discussion on strategic development of the subsidiary; led by CRO.
Case study 3: Company serving a multi billion $ aviation industry. Level 2 with elements of Level 3; led by Internal Audit. Enhanced local accountability, risk management and risk assurance oversight at board level; further alignment between assurance and risks.
Case study 4: Listed global financial services. Level 3 with focus on bringing together the key assurance providers to discuss risks, issues and assurance with a forward looking view; led by CRO. Improved risk awareness and discussion at Group Audit and Group Risk Committee.

15 Integrated assurance: promoting joined up risk governance
Any queries, please do not hesitate to contact me at vicky@kubitscheck.com
2013 Vicky Kubitscheck

Don't miss out: the next Heads of Internal Audit Service forum will take place on 10 September in London and will take a practical look at the key issues surrounding social, economic and political risk. Summaries of past forums and recordings of previous webinars can be accessed via the Heads of Internal Audit Service section of the IIA website at www.iia.org.uk. Thank you to IIA Partner Thomson Reuters for supporting this webinar.