douglas j anderson cia, crma managing director cae ... anderson... · cbok study 13 languages...
TRANSCRIPT
9/29/2016
1
Douglas J Anderson CIA, CRMA
Managing Director – CAE Solutions, IIA
Where Are We Now,
Where Are We Going,
and
How Will We Get There?
Agenda
• How Are We Viewed?
• Moving Forward
• How Can We Be Successful?
2
9/29/2016
2
How Are We
Viewed?
CBOK Study
13Languages
Global Interviews
100+
Countries
23
Global Surveys
1,124The purpose of the Common Body
of Knowledge (CBOK) 2015
stakeholder study is to gain a better
understanding of global
stakeholders’ expectations with
regard to Internal Audit’s purpose,
function and performance.
4
9/29/2016
3
CBOK Study Participants
Board members 34%
CEO 15%CFO 18%
Other C Suite 33%
5
Foundational Elements
More than
80%...
• Assess areas or topics that are significant
• Keep up to date with changes in the
business
• Sufficiently communicate audit plans
6
9/29/2016
4
Criteria to Evaluate Internal Audit
More than
70%…
• Quality of audit work/reliable results
• Usefulness of recommendations made
• Timely communication of risks
7
Should Be More Active Role in Connection With
Assessing Strategic Risk?
Yes58%No
24%
Unsure18%
8
9/29/2016
5
86%
76%
48% 48%
74%69%
53% 53%
0%
20%
40%
60%
80%
100%
Focusing on strategicrisks during audit
projects
Evaluating andcommunicating key
risks
Evaluating execution ofstrategic initiatives
Assessing reliability ofmetrics used to monitor
strategic initiatives
Board C-Suite
How
9
Beyond Assurance, What Should Be in Scope
71%
74%
76%
78%
78%
85%
60% 65% 70% 75% 80% 85% 90%
Assurance on compliance with legal and regulatoryrequirements
Alert operational management to emerging issuesand changing regulatory and risk scenarios
Consult on business process improvements
Identify appropriate risk management frameworks,practices and processes
Facilitate and monitor effective risk managementpractices by operational management
Identify known and emerging risk areas
10
9/29/2016
6
Assurance vs. Advisory
“Prime responsibility is around providing assurance on
the risks and controls… Business requests are
accepted, however, only if these do not compromise the
plan or the independence of IA”
Balance varies due to• Maturity and location• Competence of internal
auditMany assume “both” 11
Board Member from France
“The organization must be able to call upon internal audit
and benefit from its expertise without denaturing its
‘soul.’
In certain consulting engagements, there is a risk of
internal audit becoming a ‘low cost’ subcontractor.
Just because you are dealing with a reliable and
trustworthy person, it doesn’t mean that his expertise
should be diverted and exploited at will.”
12
9/29/2016
7
Moving
Forward
“Culture is the self-sustaining pattern of
behavior that determines how things are done.”Katzenbach, Oelschlegel, and Thomas
14
9/29/2016
8
Culture Is Increasingly the Culprit in
Organizational Debacles
44%
24%15%
3Fired
Demoted
Rules vs Character
“Corporate scandals of recent years have clearly
shown that the plethora of laws of the past century
have not eliminated the less savory side of human
behavior. Rules cannot substitute for character.”
Alan Greenspan
U.S. Federal Reserve Chairman
Chicago Tribune, 17 April 2004
16
9/29/2016
9
What Are We Doing?
• More than half of CAEs see
organizational culture as high risk
• But, 58 percent say
organizational culture is not
audited
Sources: IIA Financial Services Audit Center poll; IIA Audit Executive Center poll; North American Pulse of Internal Audit, 2016
Is Internal Audit Equipped?
2%
12% 26% 50% 9%IA is able to identify &
assess measures of culture
Strongly Dissgree Disagree Neither Agree Strongly Agree
80%
45%IA is able to identify &assess measures of
culture
Do Not Audit Culture Audit Culture18
9/29/2016
10
To Address a Toxic Culture, CAEs Recommend:
24%
12%
45%
40%
29%
37%
20%
37%
45%
43%
10%
17%
10%
Focus on culture in audit reports
Raise as separate topic withmanagement
Raise as separate topic with board
Coordinate efforts with othergovernance functions
Not effective Slightly effective Moderately effective Very effective Extremely effective
19
Culture
• Develop an approach to assess the critical
elements
• Gather objective and subjective information
about the organization’s culture
ouse professional judgment to evaluate
information that cannot be easily measured
• Build and use relationships
20
9/29/2016
11
Big Data
Risks of Using Data:
• Accuracy of data
• Ethical or barely legal?
• Responsive or convenient?
• Complete or available?
• Causation or correlation?
• Comprehensive or cherry-picked?21
Internal Audit Involvement in Evaluating
Data Quality
Very or
Extreme
Moderate Slight or
Not at All
22
9/29/2016
12
CAE Confidence in Strategic Decisions
Made Using Data
Slight or Not at All
Moderate
Very or Extreme
23
Use of Data
• Know what is collected, how it is analyzed, and
which decisions it supports
• Assess the risks
• Consider these risks in audit planning
• Make sure you have requisite skills
24
9/29/2016
13
Risk
Management
Theory or
Reality?
25
The possibility that events will occur and
affect the achievement of strategy and
business objectivesRisk
The culture, capabilities, and practices,
integrated with strategy and execution, that
organizations rely on to manage risk in
creating, preserving, and realizing value
Enterprise
Risk
Management
9/29/2016
14
COSO ERM
27
ISO 31000
28
9/29/2016
15
Measuring Risk
• Prioritization
– Adaptability
– Complexity
– Velocity
– Persistence
– Recovery
29
• Amount: Impact and Likelihood
Lik
elih
oo
d
Impact
Risk
• Risk is an inherent aspect of internal audit
• Digest the revisions to COSO ERM and
ISO 31000
• Become a “master” of risk theory and practical
application
30
9/29/2016
16
Non-Financial Reporting
• Non-GAAP measures
• Sustainability/integrated reporting
• Executive pay
• MD&A – CEO’s letter
• ??
31
How
9/29/2016
17
Internal Audit Structure
33
The Modern Internal Auditor
34
9/29/2016
18
No one wants to be the cop
35
Closing Thoughts
• We have a critical role to fill in an organizational
• Focus on what your stakeholders needs from you
• It’s all about risk
• The right attributes and attitudes are critical
36
9/29/2016
19
The Institute of Internal Auditors
Douglas J Anderson
Managing Director – CAE Solutions
uestions ???
37