richard nelson
TRANSCRIPT
-
8/8/2019 Richard Nelson
The Future of Internal Auditing
Richard Nelson
Director
IIA UK & Ireland
ECIIA Internal Audit Conference, Istanbul, 7th & 8th October 2004
-
Corporate Governance Failings
Polly Peck, Equitable Life, Maxwell, ABB**
Wickes, Barings*, Enron, WorldCom*, AIB, Ahold
Marconi, Mutual Funds, Parmalat**, Verizon
-
Some Reasons for Failure
• Executive greed
• Lack of understanding
• Compliant non-executive directors
• Compliant external audit
• Unquestioning analysts
• Ineffective internal audit
-
Government Responses
• IIA Inc submission to Congress
• NYSE recommendation on internal audit
• Sarbanes-Oxley
• UK Turnbull 2
• UK FSA listing rules review
-
Other Recent Developments (2)
• EU Winter report
• SA King2 report
• USA COSO ERM
• USA PCAOB
• EU FEE
-
Sarbanes-Oxley
• Management must assess the effectiveness of the internal controls and procedures for financial reporting
• The auditor must attest to and report on the assessment made by management
• Thus internal controls need to be documented in detail and subject to rigorous audit testing
-
EU Proposals
• Annual corporate governance statement to include:
  - Composition of boards and committees
  - Details of the risk management system
  - The designated national code
-
The Value Agenda
• Increase in standing of internal audit
• Assurance on main business risks
• Assurance on internal control framework
• Differing views on reasons for surprises
• Few measures of value added
-
IIA Definition of Internal Audit
• An independent, objective assurance and consulting activity designed to add value and improve an organisation's operation.
-
IIA Definition of Internal Audit
• It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control and corporate governance processes.
-
THE BOARD
Assessment of Effectiveness of Internal Control (LSE Combined Code)
OBJECTIVE: Section D.2.1
The Directors should, at least annually, conduct a review of the effectiveness of the Group's system of internal controls and should report to shareholders that they have done so. The review should cover all controls including financial, operational and compliance controls and risk management.

BUSINESS UNITS: Letter of Assurance
BUSINESS UNITS: Risk Registers
INTERNAL AUDIT: Review of Control Framework and Risk Management Process
BUSINESS UNITS: Key Risk Indicators and Performance Measures
BUSINESS UNITS: Specific studies/reviews
BUSINESS UNITS: Views of Senior Management
EXTERNAL AUDIT: Effectiveness of processes & information supporting the statutory accounts
INTERNAL AUDIT: Effectiveness of management of Group & Business Unit Key Risks
Internal Audit Role
-
The Role of Internal Audit in Enterprise-wide Risk Management
IIA UK and Ireland: Position Statement
-
Enterprise-wide Risk Management
A structured, consistent and continuous process across the organisation for identifying, assessing, deciding on responses and reporting on opportunities and threats that affect the achievement of its objectives.
-
Activities involved in ERM
• Communicate risks consistently at all levels
• Provide assurance
• Determine risk appetite
• Establish internal environment
• Provide central monitoring & coordination
• Articulate & communicate objectives
• Identify potential threats to objectives
• Select & implement risk responses
• Undertake control & other response activities
• Assess impact & likelihood of threats
-
Benefits of ERM
• Greater likelihood of achieving objectives
• Successful change
• More informed decisions & risk taking
• Fewer surprises
• Common reporting of disparate risks
• Sharing cross functional risks
• Greater management focus
• Shared understanding of risks
• Capability to take on risk for reward
-
Internal Audit's Role in ERM
• Accountability for risk management
• Implementing risk responses
• Imposing risk management processes
• Central co-ordinating point for ERM
• Consolidated reporting on risks
• Giving assurance on risk management processes
• Giving assurance that risks assessed appropriately
• Evaluating risk management reporting
• Reviewing the management of key risks
• Giving advice on managing risks
• Facilitating risk responses
• Championing establishment of ERM
• Developing risk management strategy for board approval
• Maintaining & developing the ERM framework
• Taking decisions on risk responses
• Management assurance on risks
• Setting risk appetite

Key:
Core risk-based internal audit roles
Legitimate internal audit roles with safeguards
Roles internal audit should not undertake
-
ERM and Internal Audit: The Safeguards
Internal audit should not:
• Manage risks on management's behalf
• Make risk management decisions
• Give assurance on any part of the ERM framework for which it is responsible
• Undermine management accountability
Management is responsible for risk management
-
Risk Based Audit Approach
-
Risk Based Audit Approach
• Review the risk management process
• Start at the top of the organisation
• Repeat at each level
-
Review of Risk Management Process
• Discuss with individual managers
• Are objectives clearly identified
• Assess how they arrived at the key risks
• Facilitate/participate in workshops if necessary
• Look at feedback process for key risks
-
Risk based Audit Approach
• If satisfactory then:
  - Select audit topics from risk registers
• If unsatisfactory then:
  - Facilitate risk identification process (workshops)
-
Facilitation of Risk Workshops
• Identify objectives and targets
• Identify threats to achievement of objectives and targets
• Identify likelihood and impact of those threats
• Identify target likelihood and impact
• Agree key risk areas
• Identify controls to reduce risk to target levels
-
Risk Review
• Identify:
  - Controls intended to reduce impact
  - Controls intended to reduce likelihood
• Verify those controls are in place and working
• Identify possible improvements and redundant controls
-
Advantages
• Enables annual opinion
• Focuses on big issues
• Board/Audit Committee has control
• Responsive to changing events
• More interesting and challenging work
-
Reporting
Report on:
• Assurance process
• Key objectives
• Individual risks to achievement of key objectives
-
Year End Report
1. Overall Assessment
2. Change in Group Risks over the Year
3. Analysis of Letters of Assurance
4. Summary of Control Weaknesses
5. Review of Control Framework
6. Review of Risk Management Process
-
Audit Plan
[Chart: total risks and audit coverage by probability/impact rating (H H, HM / MH, M M, HL / LH, ML / LM, L L)]
-
Risk Map
[Chart: impact (Low, Med, High) plotted against probability (Low, Med, High)]
Current level of concern: green = low, yellow = medium, red = high
-
Future Influences on Internal Audit
• Corporate governance
• Information & communications technology
• E-commerce
• Communications with the board
• Increased demand for internal audit
• Business risk
-
Future Influences on Internal Audit
• Working with other risk management professionals
• Demand for independent appraisal of IA
• Need to improve understanding about IA
• Facilitating workshops etc.
• Globalisation of business and the job market
-
Effectiveness of Internal Audit
• Professional standards
• Independent reviews
• Peer reviews
• Publications for Audit Committees
• Comparative data
• Performance measures
-
Performance Measures
• No right answers
• Measure both inputs and outputs
• Must mean something to the business
• What is IA contribution to the business
• Agreement up front is the key
• Tell them what you are going to do
• Do it
• Tell them that you have done it.
• Don't hide your light under a bushel
-
Summary
• Independence is a state of mind
• Be proactive
• Be ambitious
• Aim to surprise and delight
-
Summary
• Tell everyone how good you are
• Keep up with the latest developments
• Become your Audit Committee/Board advisor
• Get independent accreditation
-
ECIIA Internal Audit Conference
Richard Nelson
Director
Risk & Assurance Services
Numerica
Tel: 023 8079 5595