richard nelson

Upload: aneuxagam

Post on 10-Apr-2018


TRANSCRIPT

  • 8/8/2019 Richard Nelson

    1/35

    The Future of Internal Auditing

    Richard Nelson
    Director
    IIA UK & Ireland

    ECIIA Internal Audit Conference, Istanbul, 7th & 8th October 2004

  • Corporate Governance Failings

    - Polly Peck
    - Equitable Life
    - Maxwell
    - ABB**
    - Wickes
    - Barings*
    - Enron
    - WorldCom*
    - AIB
    - Ahold
    - Marconi
    - Mutual Funds
    - Parmalat**
    - Verizon

  • Some Reasons for Failure

    - Executive greed
    - Lack of understanding
    - Compliant non-executive directors
    - Compliant external audit
    - Unquestioning analysts
    - Ineffective internal audit

  • Government Responses

    - IIA Inc submission to Congress
    - NYSE recommendation on internal audit
    - Sarbanes-Oxley
    - UK Turnbull 2
    - UK FSA listing rules review

  • Other Recent Developments (2)

    - EU Winter report
    - SA King2 report
    - USA COSO ERM
    - USA PCAOB
    - EU FEE

  • Sarbanes-Oxley

    - Management must assess the effectiveness of the internal controls and procedures for financial reporting
    - The auditor must attest to and report on the assessment made by management
    - Thus internal controls need to be documented in detail and subject to rigorous audit testing

  • EU Proposals

    - Annual corporate governance statement to include:
      - Composition of boards and committees
      - Details of the risk management system
      - The designated national code

  • The Value Agenda

    - Increase in standing of internal audit
    - Assurance on main business risks
    - Assurance on internal control framework
    - Differing views on reasons for surprises
    - Few measures of value added

  • IIA Definition of Internal Audit

    - An independent, objective assurance and consulting activity designed to add value and improve an organisation's operation.

  • IIA Definition of Internal Audit

    - It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control and corporate governance processes.

  • Internal Audit Role

    THE BOARD: Assessment of Effectiveness of Internal Control (LSE Combined Code)

    OBJECTIVE: Section D.2.1

    The Directors should, at least annually, conduct a review of the effectiveness of the Group's system of controls including financial, operational and compliance controls and risk management internal controls and should report to shareholders that they have done so. The review should cover all controls including financial, operational and compliance controls and risk management

    - BUSINESS UNITS: Letter of Assurance
    - BUSINESS UNITS: Risk Registers
    - INTERNAL AUDIT: Review of Control Framework and Risk Management Process
    - BUSINESS UNITS: Key Risk Indicators and Performance Measures
    - BUSINESS UNITS: Specific studies/reviews
    - BUSINESS UNITS: Views of Senior Management
    - EXTERNAL AUDIT: Effectiveness of processes & information supporting the statutory accounts
    - INTERNAL AUDIT: Effectiveness of management of Group & Business Unit Key Risks

  • The Role of Internal Audit in Enterprise-wide Risk Management

    IIA UK and Ireland: Position Statement

  • Enterprise-wide Risk Management

    A structured, consistent and continuous process across the organisation for identifying, assessing, deciding on responses and reporting on opportunities and threats that affect the achievement of its objectives.

  • Activities involved in ERM

    - Communicate risks consistently at all levels
    - Provide assurance
    - Determine risk appetite
    - Establish internal environment
    - Provide central monitoring & coordination
    - Articulate & communicate objectives
    - Identify potential threats to objectives
    - Select & implement risk responses
    - Undertake control & other response activities
    - Assess impact & likelihood of threats

  • Benefits of ERM

    - Greater likelihood of achieving objectives
    - Successful change
    - More informed decisions & risk taking
    - Fewer surprises
    - Common reporting of disparate risks
    - Sharing cross functional risks
    - Greater management focus
    - Shared understanding of risks
    - Capability to take on risk for reward

  • Internal Audit's Role in ERM

    [Diagram legend]

    - Core risk-based internal audit roles
    - Legitimate internal audit roles with safeguards
    - Roles internal audit should not undertake

    [Diagram labels]

    - Accountability for risk management
    - Implementing risk responses
    - Imposing risk management processes
    - Central co-ordinating point for ERM
    - Consolidated reporting on risks
    - Giving assurance on risk management processes
    - Giving assurance that risks assessed appropriately
    - Evaluating risk management reporting
    - Reviewing the management of key risks
    - Giving advice on managing risks
    - Facilitating risk responses
    - Championing establishment of ERM
    - Developing risk management strategy for board approval
    - Maintaining & developing the ERM framework
    - Taking decisions on risk responses
    - Management assurance on risks
    - Setting risk appetite

  • ERM and Internal Audit: The Safeguards

    Internal audit should not:

    - Manage risks on management's behalf
    - Make risk management decisions
    - Give assurance on any part of the ERM framework for which it is responsible
    - Undermine management accountability

    Management is responsible for risk management

  • Risk Based Audit Approach

  • Risk Based Audit Approach

    - Review the risk management process
    - Start at the top of the organisation
    - Repeat at each level

  • Review of Risk Management Process

    - Discuss with individual managers
    - Are objectives clearly identified
    - Assess how they arrived at the key risks
    - Facilitate/participate in workshops if necessary
    - Look at feedback process for key risks

  • Risk based Audit Approach

    - If satisfactory then:
      - Select audit topics from risk registers
    - If unsatisfactory then:
      - Facilitate risk identification process (workshops)

  • Facilitation of Risk Workshops

    - Identify objectives and targets
    - Identify threats to achievement of objectives and targets
    - Identify likelihood and impact of those threats
    - Identify target likelihood and impact
    - Agree key risk areas
    - Identify controls to reduce risk to target levels

  • Risk Review

    - Identify:
      - Controls intended to reduce impact
      - Controls intended to reduce likelihood
    - Verify those controls are in place and working
    - Identify possible improvements and redundant controls

  • Advantages

    - Enables annual opinion
    - Focuses on big issues
    - Board/Audit Committee has control
    - Responsive to changing events
    - More interesting and challenging work

  • Reporting

    Report on:

    - Assurance process
    - Key objectives
    - Individual risks to achievement of key objectives

  • Year End Report

    1. Overall Assessment
    2. Change in Group Risks over the Year
    3. Analysis of Letters of Assurance
    4. Summary of Control Weaknesses
    5. Review of Control Framework
    6. Review of Risk Management Process

  • Audit Plan

    [Chart: TOTAL RISKS and AUDIT COVERAGE by PROBABILITY/IMPACT category]

  • Risk Map

    [Grid: IMPACT (Low, Med, High) against PROBABILITY (Low, Med, High)]

    CURRENT LEVEL OF CONCERN: GREEN = LOW, YELLOW = MEDIUM, RED = HIGH

  • Future Influences on Internal Audit

    - Corporate governance
    - Information & communications technology
    - E-commerce
    - Communications with the board
    - Increased demand for internal audit
    - Business risk

  • Future Influences on Internal Audit

    - Working with other risk management professionals
    - Demand for independent appraisal of IA
    - Need to improve understanding about IA
    - Facilitating workshops etc.
    - Globalisation of business and the job market

  • Effectiveness of Internal Audit

    - Professional standards
    - Independent reviews
    - Peer reviews
    - Publications for Audit Committees
    - Comparative data
    - Performance measures

  • Performance Measures

    - No right answers
    - Measure both inputs and outputs
    - Must mean something to the business
    - What is IA contribution to the business
    - Agreement up front is the key
    - Tell them what you are going to do
    - Do it
    - Tell them that you have done it.
    - Don't hide your light under a bushel

  • Summary

    - Independence is a state of mind
    - Be proactive
    - Be ambitious
    - Aim to surprise and delight

  • Summary

    - Tell everyone how good you are
    - Keep up with the latest developments
    - Become your Audit Committee/Board advisor
    - Get independent accreditation

  • ECIIA Internal Audit Conference

    Richard Nelson
    Director
    Risk & Assurance Services
    Numerica

    [email protected]@numerica.biz

    Tel: 023 8079 5595