Oklahoma City IIA Presentation How to Optimize your IA function

December 13, 2012
Agenda
1 IA current role and environment
► The role of IA is evolving
► Current environment: insights and trends
2 Issues/Challenges
► Challenges of balancing cost, risk and value
► Top 10 issues
3 Ernst & Young’s point of view
► Our point of view
► Our internal audit framework
► Our approach
► How to transform your IA department into a business advisor
© Ernst & Young LLP 2012. All rights reserved.
Confidential & Proprietary
Subject to Contract.
Section 1
IA current role and environment
The role of internal audit is evolving
IA departments are facing challenges today that have altered their expectations, strained their resources, and caused a
paradigm shift in their processes. Expectations from the IA function have been driven especially by audit committees,
executive management, and stakeholder demands for stronger corporate governance and transparency.
New focus and capabilities have emerged over time in reaction to important regulatory developments. The global
financial crisis has had a major impact on stakeholder expectation as to what constitutes sound corporate governance
and risk management. Clearer accountabilities are impacting directors, accounting officers and risk/assurance functions.
[Timeline: Late 1990s, 2005, 2008, 20XX]
Professionalism/globalization (late 90s – early 00s)
► Wide variety of purpose i.e. (advisory versus assurance)
► Adoption of common standards for risk-based auditing
The SOX effect (early – mid 00s)
► Financial control and process domination
► Limited investment in audit development
Post-SOX re-orientation (mid 00s to 2008)
► Broader risk focus
► Investing and retooling core IA skills
Financial crisis and beyond (2008 – 20XX)
► Enabling business improvement while:
  ► Assurance is still paramount
  ► Addressing potential failures
Current environment: insights
75% of companies believe strong risk management has
a positive impact on their long-term earnings
performance.
75% of companies believe that their IA function has a
positive impact on their overall risk management efforts.
Yet, 80% of companies recognize that their IA function
has room for improvement – that it is not “leading class”
today.
And, 83% of companies have been asked to improve the
risk coverage that IA provides.
80% of organizations believe
there is a need to improve their
IA function.
Of these organizations, 80% believe
they should make improvements within
the next 24 months.
The top five priorities for IA functions
today are:
1. Improving the risk assessment process
2. Enhancing the ability to monitor emerging risks
3. Becoming more relevant to achieving the
organization’s business objectives
4. Reducing overall IA function costs without
compromising risk coverage
5. Identifying opportunities for cost savings in our
business
Organizations are striving to
make their risk functions 35%
more coordinated than they are
today.
Source – Ernst & Young Risk Survey conducted in December 2011 and January 2012 with Global Audit Committee Members, CAEs, CEOs and CFOs
80% surveyed believe cosourcing is a viable business
option for their IA department.
Current environment: trends in execution
IA risk assessment, regulatory requirements and enterprise
risk assessment, in order of importance, remain the top three
drivers of the IA plan.
Companies’ IA plans are focused both in Information
Technology (IT) and business, with particular emphasis on
operational risks.
[Chart: IA plan focus, by category: Compliance, IT, Regulatory, Financial, Operational, Strategic]
IA is playing an increasing role in organizational issues,
including:
► Major capital projects (49%)
► IT systems implementations (42%)
► Mergers and acquisitions (37%)
► Material contracts (32%)
While still struggling to have a defined role in:
► Major construction projects (25%)
► New market entry (21%)
► New product roll-out (17%)
Technology remains critical with 48% claiming IT security and
privacy risk assessments are top priorities.
Evolving trends require a different approach in thought, skills and execution
Source – Ernst & Young Risk Survey conducted in December 2011 and January 2012 with Global Audit Committee Members, CAEs, CEOs, COOs and CFOs of Global 1000
Section 2
Issues/Challenges
Challenges of balancing cost, risk and value
IA departments struggle with the balancing act of reducing costs but increasing
value to the company, all while maintaining the appropriate risk coverage.
[Diagram: Cost, Risk, Value]
Examples of factors that influence the balance level:
► industry challenges
► economic issues
► government regulations
► stakeholder requirements
Top 10: issues top of mind for chief audit executives (CAEs)
[Slide groupings: Plan; Execute and evaluate; Enablers]
1 IA strategy: develop an IA-specific strategy document
2 Assurance and advisory: determine the appropriate mix for the audit plan
3 Thematic audits: structure portion of the plan around overarching themes
4 Issue-based audits: create a playbook of relevant reviews to address specific business
issues, leveraging subject-matter resources
5 Audit plan refresh: re-evaluate frequency of audit plan adjustments and formality
6 Risk coordination: coordinate with other risk and oversight functions for optimal coverage
7 Innovation: employ innovative audit techniques (e.g., data analytics, continuous
monitoring, integrated audits) to drive efficiency and results
8 Value charter and scorecard: track and monitor success of the IA function and share
9 Organizational structure: align to business structure and risk profile for optimal coverage
10 Competency and talent management: assess required and existing competencies for the
IA team to use IA function as a talent pipeline; develop roadmap to close gaps
Source – Ernst & Young Future of Internal Audit
Assurance and advisory: reevaluate the IA mandate and
stakeholder expectations to create the optimal balance
[Diagram: Mandate of IA, from Assurance to Advisory; labels: Non-negotiable, Emerging trend]
Control and compliance monitoring structure
IA function focused on evaluating the design and the effectiveness of internal controls in those
areas outlined in their charter or mandate. Also includes focusing on compliance with key
regulations and policies
Business insight
In addition to covering the “basics,” the IA function is designed to provide high-quality,
relevant business insight as an integral part of its activities. Business insight is not a
by-product, but an explicit outcome from the function’s activities.
Strategic and valued advisor
The IA function serves as a subject-matter specialist to business management around strategic
initiatives, challenges and changes in the organization. The function has the people, knowledge
and experiences to effectively provide this level of service.
90% of those surveyed are trending towards advisory reviews, comprising more than 25% of the
audit plan and in general are trending upwards.
Issue-based audits: continually demonstrate IA’s value and
relevance by providing insight on strategic business issues
► Merger, acquisitions and/or divestitures
► Major construction projects
► Material contracts
► IT systems implementations
► New market entry
► New product launch
► Material capital projects
Issue-based audits are top of mind for CAEs as IA struggles to balance cost, risk and
value
Innovation: seek opportunities to leverage innovative
techniques while executing audit plan
[Diagram: Cost, Risk, Value]
► Integrated audits: Integrate across teams for greater impact
► Data analytics: Employ technology for greater coverage and insight
► Continuous monitoring: Implement continuous monitoring approach for processes, risks and
controls
CAEs are challenged with innovation due to lack of technology, skills and execution throughout the
audit life cycle
Section 3
Ernst & Young’s point of view
Our point of view: an internal audit function must drive
strategic value to the organization
As the economy continues to be unpredictable and volatile and emerging
markets become more relevant, executives continue to challenge their
risk management processes. They are looking for an IA function that is
efficient and effective, and that operates and interacts with the business –
one that drives strategic value for the business and its key stakeholders
while fully aligning with the company’s current needs and supporting
those strategies to move the company forward.
Our point of view is referenced below:
Looking beyond processes and controls, IA is in a strategic position
within the organization to provide:
► key insights that enable the business to focus on the risks that
matter,
► identification of enterprise-wide cost efficiencies, and
► strategic insights that improve business performance.
IA’s scope aligns with the strategic direction of the organization and
enables the organization to operate at a level that improves
performance and achieves strategic objectives. This kind of support
reaps multiple benefits for the organization, including increased
shareholder value, improved credit ratings and enhanced ability to
attract capital.
Given that 83% of corporate leaders will be pushing for enhancement to
their audit function in the next two years or less*, IA has the opportunity
to be more agile in driving competitive value across the enterprise.
* Source – Ernst & Young Risk Survey conducted in December 2011 and January 2012 with Global Audit Committee Members, CAEs, CEOs and CFOs
Leading strategic internal audit function attributes
Our point of view
[Diagram: attributes of a Leading Class IA department]
► Outcome performance measurements
► Tailoring of audit responses allows for adaptable assurance needs
► Business intelligence and technology underpins all IA work
► Quality, independence, objectivity fully embedded in IA work
► Global people model with wide range of competencies
► Value score card monitors IA performance
► Stakeholder driven activities around EGRC (enterprise, governance, risk and compliance)
► Risk assessments aligned to organizational strategy and refreshed at least quarterly
► Focus on organizational impact and consistency with EGRC
► Sustainable improvements to enable business objectives deemed imperative
► Flexible audit plans that adapt to changing significant risk areas, not lower risk focus
► Relevancy and timeliness: focus on significant areas without exception; monitor low risk
► Full integration in overall governance structure, leveraging group wide best practices
Our internal audit framework
Internal audit framework explained
Some common focus areas that we are seeing make a difference at multiple organizations supported by EY’s IA framework:
► IA strategy
  ► Align with business on IA’s strategy, vision and mandate
  ► Coordinate with other risk/oversight functions for optimal coverage
► Core delivery methodology
  ► Reevaluate risk assessment and audit plan refresh processes
  ► Re-engineer audit responses to risk
  ► Incorporate thematic audits and end-to-end process audits into audit plan
  ► Determine the appropriate mix of assurance and advisory effort
  ► Perform issue-based audits, leveraging subject matter resources
  ► Refresh IA reporting to board, management and auditees
► People model
  ► Align IA organizational structure to business structure and risk profile for optimal coverage
  ► Revamp talent management processes (e.g., competency and rotation models, training, resourcing)
► Support processes
  ► Track key performance indicators on a value scorecard to demonstrate value to key stakeholders
  ► Increase efficiency of audit process and transparency of data through a strong technology platform
  ► Consider IA branding and revitalize stakeholder engagement
► Enterprise intelligence
  ► Employ innovative techniques (e.g., behavior analysis, data analytics, continuous monitoring) to drive
  efficiency and results
EY’s IA framework
…aligning to the organization’s strategy through each step of
the audit cycle
Core delivery methodology
Stages of the audit cycle:
► Develop an IA strategy
► Establish engagement protocols
► Conduct audit needs assessment
► Develop audit plan
► Execute
► Communicate results
► Measurable impact
Activities:
► Develop IA strategy, mandate, & charter
► Establish protocols (e.g. audit management office)
► Map key risks to risk functions, create combined assurance coverage map
► Create IA annual plan based on the Audit Response Continuum
► Execute the audit plan using innovative techniques & analytics throughout
► Facilitate accelerated solutions development workshop
► Communicate results to IA stakeholders
► Track measurable value through an IA value scorecard
The optimal internal audit operating approach leads to a
world class internal audit
[Diagram: Leading Class IA Function]
► Added value to your audit process
► Insightful data analytics capability
► Globally consistent approach
► Streamlined delivery costs
► Technology enablement
► IIA standards compliant
Our approach
ARC – Audit Response Continuum framework
ARC is a robust IA planning process.
► Audit approach selection is explicitly based on:
  ► The complexity and nature of the risk and controls being audited
  ► The objectives of the organization and the degree of assurance required
  ► Skills determined through roundtable planning meetings
► Provides for:
  ► A more sophisticated and broad approach to planning and delivering IA engagements
  ► Clearer alternatives in selecting the most appropriate response
  ► Explicit audit planning decision-making
  ► Better language in discussions with the stakeholder/auditee
  ► More transparent reporting of effort
Audit response category
► ‘Standard’ audits
► Risk and control framework reviews
► ‘Complex’ audits
► Education
Audit response
1 Health check/Diagnostic
2 ‘Standard’ sample testing audit
3 Project/Engagement monitoring
4 Pre-implementation review
5 Post-implementation review
6 Compliance audit
7 Risk interviews/verbal advice
8 Project management framework
9 Control process overview
10 Control framework review
11 End-to-End process audit
12 Deep dive
13 Investigation
14 Probity audits
15 Business coaching/Education
Our approach
Root cause analysis
Root cause analysis (RCA) is a structured approach to identifying the underlying
factor(s) that resulted in a deviation from the desired outcome in a given process or
situation.
► Asks “why?” (more than once, typically 5 times)
► Identifies all the possible causes of an issue before narrowing down to the root causes (the
real problems) that should be addressed
Without effective RCA, management may become distracted by symptoms and
remain in a constant “firefighting” state.
Step 1: Identify the problem
Step 2: Categorise major causes
Step 3: Brainstorm
Step 4: Gather data
Step 5: Identify most likely causes
Step 6: Choose most likely cause
Step 7: Select and test the best solution
Our approach
Data analytics
Data analytics: an integrated approach
Layer 1 – Analytical risk identification
► Analytical diagnostics are performed to identify risks
► Risks are validated / refined through analytical support
► Consider predictive, scenario-based models
Layer 2 – Analytical scoping/procedural development
► Using system data to prioritize the audits / locations /
sites for inclusion in the audit plan
► Detailed audit procedures are enhanced through the
inclusion of analytical test procedures
Layer 3 – Analytical testing
► Pre-audit analytics are performed to better equip field
auditors
► Analytical testing is used in place of, or in addition to,
manual test procedures to increase the effectiveness /
efficiencies of the audit plan
Layer 4 – Interactive reporting/Trend analyses
► Provides easy interpretation as well as drill-down
capabilities for more details
► Trend Analyses can be performed to better understand
risks in the organization, and to better focus audit /
remediation efforts
Leverage continuous monitoring for ongoing support
Initiating next steps to position your IA into a valued
business advisor
1 Assess your current needs and determine where you want IA to be.
2 Consider what is required to meet IA’s goals.
3 Based on responses, determine what is the best option for moving ahead.
Questions???
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our
shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider
communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal
entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information
about our organization, please visit www.ey.com
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global and of Ernst & Young Americas operating in the US.
About Ernst & Young’s Assurance Services
Strong independent assurance provides a timely and constructive challenge to management, a robust and clear perspective to audit
committees and critical information for investors and other stakeholders. The quality of our audit starts with our 60,000 assurance
professionals, who have the experience of auditing many of the world’s leading companies. We provide a consistent worldwide audit by
assembling the right multidisciplinary team to address the most complex issues, using a proven global methodology and deploying the
latest, high-quality auditing tools. And we work to give you the benefit of our broad sector experience, our deep subject matter
knowledge and the latest insights from our work worldwide. It’s how Ernst & Young makes a difference.
1208-1382337