Oklahoma City IIA Presentation How to Optimize your IA function
Oklahoma City IIA Presentation How to Optimize your IA function December 13, 2012 Agenda 1 IA current role and environment ► The role of IA is evolving ► Current environment: insights and trends 2 Issues/Challenges ► Challenges of balancing cost, risk and value ► Top 10 issues 3 Ernst & Young’s point of view ► Our point of view ► Our internal audit framework ► Our approach ► How to transform your IA department into a business advisor Page 1 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Section 1 IA current role and environment The role of internal audit is evolving IA departments are facing challenges today that have altered their expectations, strained their resources, and caused a paradigm shift in their processes. Expectations from the IA function have been driven especially by audit committees, executive management, and stakeholder demands for stronger corporate governance and transparency. New focus and capabilities have emerged over time in reaction to important regulatory developments. The global financial crisis has had a major impact on stakeholder expectation as to what constitutes sound corporate governance and risk management. Clearer accountabilities are impacting directors, accounting officers and risk/assurance functions. Professionalism/ globalization late 90s – early 00s ► Wide variety of purpose i.e. (advisory versus assurance) ► Adoption of common standards for risk-based auditing Late 1990s Page 3 Post-SOX re-orientation mid 00s to 2008 The SOX effect early – mid 00s ► Financial control and process domination ► Limited investment in audit development ► ► Broader risk focus Investing and retooling core IA skills 2005 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. 2008 Financial crisis and beyond 2008 – 20XX ► Enabling business improvement while: ► Assurance is still paramount ► Addressing potential failures 20XX Current environment: insights 75% of companies believe strong risk management has a positive impact on their long-term earnings performance. 75% of companies believe that their IA function has a positive impact on their overall risk management efforts. Yet, 80% of companies recognize that their IA function has room for improvement – that it is not “leading class” today. And, 83% of companies have been asked to improve the risk coverage that IA provides. 80% of organizations believe there is a need to improve their IA function. Of these organizations, 80% of believe they should make improvements within the next 24 months. The top five priorities for IA functions today are: 1. Improving the risk assessment process 2. Enhancing the ability to monitor emerging risks 3. Becoming more relevant to achieving the organization’s business objectives 4. Reducing overall IA function costs without compromising risk coverage 5. Identifying opportunities for cost savings in our business Organizations are striving to make their risk functions 35% more coordinated than they are today. Source – Ernst &Young Risk Survey conducted in December 2011 and January 2012 with Global Audit Committee Members, CAEs, CEOs and CFOs Page 4 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. 80% surveyed believe cosourcing is a viable business option for their IA department. Current environment: trends in execution IA risk assessment, regulatory requirements and enterprise risk assessment, in order of importance, remain the top three drivers of the IA plan. IA plan focus Companies’ IA plans are focused both in Information Technology (IT) and business, with particular emphasis on operational risks. 15% 19% 14% IA is playing an increasing role in organizational issues, including: ► 21% ► 13% ► ► Major capital projects (49%) IT systems implementations (42%) Mergers and acquisitions (37%) Material contracts (32%) While still struggling to have a defined role in: 18% ► ► Compliance IT Regulatory Financial Operational Strategic ► Major construction projects (25%) New market entry (21%) New product roll-out (17%) Technology remains critical with 48% claiming IT security and privacy risk assessments are top priorities. Evolving trends require a different approach in thought, skills and execution Source – Ernst &Young Risk Survey conducted in December 2011 and January 2012 with Global Audit Committee Members, CAEs, CEOs , COOs and CFOs of Global 1000 Page 5 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Section 2 Issues/Challenges Challenges of balancing cost, risk and value IA departments struggle with the balancing act of reducing costs but increasing value to the company, all while maintaining the appropriate risk coverage. Cost Risk Value Examples of factors that influence the balance level: industry challenges ► economic issues ► Page 7 government regulations ► stakeholder requirements ► © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Top 10: issues top of mind for chief audit executives (CAEs) Plan Execute and evaluate Enablers 1 IA strategy: develop an IA-specific strategy document 2 Assurance and advisory: determine the appropriate mix for the audit plan 3 Thematic audits: structure portion of the plan around overarching themes 4 Issue-based audits: create a playbook of relevant reviews to address specific business issues, leveraging subject-matter resources 5 Audit plan refresh: re-evaluate frequency of audit plan adjustments and formality 6 Risk coordination: coordinate with other risk and oversight functions for optimal coverage 7 Innovation: employ innovative audit techniques (e.g., data analytics, continuous monitoring, integrated audits) to drive efficiency and results 8 Value charter and scorecard: track and monitor success of the IA function and share 9 Organizational structure: align to business structure and risk profile for optimal coverage 10 Competency and talent management: assess required and existing competencies for the IA team to use IA function as a talent pipeline; develop roadmap to close gaps Source – Ernst &Young Future of Internal Audit Page 8 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Assurance and advisory: reevaluate the IA mandate and stakeholder expectations to create the optimal balance Assurance Control and compliance monitoring structure IA function focused on evaluating the design and the effectiveness of internal controls in those areas outlined in their charter or mandate. Also includes focusing on compliance with key regulations and policies Mandate of IA Advisory Business insight In addition to covering the “basics,” the IA function is designed to provide highquality, relevant business insight as an integral part of its activities. Business insight is not a by-product, but an explicit outcome from the function’s activities. Non-negotiable Strategic and valued advisor The IA function serves as a subject-matter specialist to business management around strategic initiatives, challenges and changes in the organization. The function has the people, knowledge and experiences to effectively provide this level of service. Emerging trend 90% of those surveyed are trending towards advisory reviews, comprising more than 25% of the audit plan and in general are trending upwards. Page 9 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Issue-based audits: continually demonstrate IA’s value and relevance by providing insight on strategic business issues ► Merger, acquisitions and/or divestitures ► Major construction projects ► Material contracts ► IT systems implementations ► New market entry ► New product launch ► Material capital projects Issued-based audits are top of mind for CAEs as IA struggles to balance cost, risk and value Page 10 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Innovation: seek opportunities to leverage innovative techniques while executing audit plan Cost Risk Value Integrated audits Data analytics Continuous monitoring Integrate across teams for greater impact Employ technology for greater coverage and insight Implement continuous monitoring approach for processes, risks and controls CAEs are challenged with innovation due to lack of technology, skills and execution throughout the audit life cycle Page 11 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Section 3 Ernst & Young’s point of view Our point of view: an internal audit function must drive strategic value to the organization As the economy continues to be unpredictive and volatile and emerging markets become more relevant, executives continue to challenge their risk management processes. They are looking for an IA function that is efficient and effective that operates and interacts with the business – one that drives strategic value for the business and its key stakeholders while fully aligning with the company’s current needs and supporting those strategies to move the company forward. Our point of view is referenced below: Looking beyond processes and controls, IA is in a strategic position within the organization to provide: ► key insights that enable the business to focus on the risks that matter, ► identification of enterprise-wide cost efficiencies, and ► strategic insights that improve business performance. IA’s scope aligns with the strategic direction of the organization and enables the organization to operate at a level that improves preformance and achieve strategic objectives. This kind of support reaps multiple benefits for the organization, including increased shareholder value, improved credit ratings and enhanced ability to attract capital. Given that 83% of corporate leaders will be pushing for enhancement to their audit function in the next two years or less*, IA has the opportunity to be more agile in driving competitive value across the enterprise. * Source – Ernst &Young Risk Survey conducted in December 2011 and January 2012 with Global Audit Committee Members, CAEs, CEOs and CFOs Page 13 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Leading strategic internal audit function attributes Our point of view Outcome performance measurements Tailoring of audit responses allows for adaptable assurance needs Business intelligence and technology underpins all IA work Quality, independence, objectivity fully embedded in IA work Global people model with wide range of competencies Value score card monitors IA performance Page 14 Stakeholder driven activities around EGRC (enterprise, governance, risk and compliance) Risk assessments aligned to organizational strategy and refreshed at least quarterly Focus on organizational impact and consistency with EGRC Sustainable improvements to enable business objectives deemed imperative Leading Class IA department Flexible audit plans that adapt to changing significant risk areas, not lower risk focus Relevancy and timeliness: focus on significant areas without exception; monitor low risk © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Full integration in overall governance strucutre, leveraging group wide best practices Our internal audit framework Page 15 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Internal audit framework explained Some common focus areas that we are seeing make a difference at multiple organizations supported by EY’s IA framework: ► IA strategy ► Align with business on IA’s strategy, vision and mandate ► Coordinate with other risk/oversight functions for optimal coverage ► Core delivery methodology ► Reevaluate risk assessment and audit plan refresh processes ► Re-engineer audit responses to risk ► Incorporate thematic audits and end-to-end process audits into audit plan ► Determine the appropriate mix of assurance and advisory effort ► Perform issue-based audits, leveraging subject matter resources ► Refresh IA reporting to board, management and auditees ► People model ► Align IA organizational structure to business structure and risk profile for optimal coverage ► Revamp talent management processes (e.g., competency and rotation models, training, resourcing) ► Support processes ► Track key performance indicators on a value scorecard to demonstrate value to key stakeholders ► Increase efficiency of audit process and transparency of data through a strong technology platform ► Consider IA branding and revitalize stakeholder engagement ► Enterprise intelligence ► Employ innovative techniques (e.g., behavior analysis, data analytics, continuous monitoring) to drive efficiency and results Page 16 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. EY’s IA framework …aligning to the organization’s strategy through each step of the audit cycle Core delivery methodology Develop an IA strategy Establish engagement protocols Develop IA strategy, mandate, & charter Conduct audit needs assessment Develop audit plan Map key risks to risk functions, create combined assurance coverage map Execute Communicate results Measurable impact Execute the audit plan using innovative techniques & analytics throughout Facilitate accelerated solutions development workshop Communicate results IA stakeholders Track measurable value through an IA value scorecard Establish protocols (e.g. audit management office) Create IA annual plan based on the Audit Response Continuum Page 17 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. The optimal internal audit operating approach leads to a world class internal audit Added value to your audit process Insightful data analytics capability Globally consistent approach Leading Class IA Function Streamlined delivery costs Technology enablement IIA standards compliant Page 18 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Our approach ARC – Audit Response Continuum framework ARC is a robust IA planning process. ► Audit approach selection is explicitly based on: ► ► ► ► The complexity and nature of the risk and controls being audited The objectives of the organization and the degree of assurance required Skills determined through roundtable planning meetings Provides for: ► ► ► ► ► Page 19 A more sophisticated and broad approach to planning and delivering IA engagements Clearer alternatives in selecting the most appropriate response Explicit audit planning decision-making Better language in discussions with the stakeholder/auditee More transparent reporting of effort Audit response category ‘Standard’ audits Risk and control framework reviews ‘Complex’ audits Education © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Audit response 1 Health check/Diagnostic 2 ‘Standard’ sample testing audit 3 Project/Engagement monitoring 4 Pre-implementation review 5 Post-implementation review 6 Compliance audit 7 Risk interviews/verbal advice 8 Project management framework 9 Control process overview 10 Control framework review 11 End-to-End process audit 12 Deep dive 13 Investigation 14 Probity audits 15 Business coaching/Education Our approach Root cause analysis Root cause analysis (RCA) is a structured approach to identifying the underlying factor(s) that resulted in a deviation from the desired outcome in a given process or situation. ► Asks “why?” (more than once, typically 5 times) ► Identifies all the possible causes of an issue before narrowing down to the root causes (the real problems) that should be addressed 2 0 Without effective RCA, management may become distracted by symptoms and remain in a constant “firefighting” state. Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step7 Identify the problem Categorise major causes Brainstorm Gather data Identify most likely causes Choose most likely cause Select and test the best solution Page 20 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Our approach Data analytics Data analytics: an integrated approach Layer 1 – Analytical risk identification ► Analytical diagnostics are performed to identify risks ► Risks are validated / refined through analytical support ► Consider predictive, scenario-based models Layer 2 – Analytical scoping/procedural development ► Using system data to prioritize the audits / locations / sites for inclusion in the audit plan ► Detailed audit procedures are enhanced through the inclusion of analytical test procedures Layer 3 – Analytical testing ► Pre-audit analytics are performed to better equip field auditors ► Analytical testing is used in place of, or in addition to, manual test procedures to increase the effectiveness / efficiencies of the audit plan Layer 4 – Interactive reporting/Trend analyses ► Provides easy interpretation as well as drill-down capabilities for more details ► Trend Analyses can be performed to better understand risks in the organization, and to better focus audit / remediation efforts Leverage continuous monitoring for ongoing support 2 1 Page 21 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Initiating next steps to position your IA into a valued business advisor 1 2 3 Assess your current needs and determine where you want IA to be. Consider what is required to meet IA’s goals. Based on responses, determine what is the best option for moving ahead. Page 22 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Questions??? Page 23 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract. Ernst & Young Assurance | Tax | Transactions | Advisory About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com Ernst & Young LLP is a client-serving member firm of Ernst & Young Global and of Ernst & Young Americas operating in the US. About Ernst & Young’s Assurance Services Strong independent assurance provides a timely and constructive challenge to management, a robust and clear perspective to audit committees and critical information for investors and other stakeholders. The quality of our audit starts with our 60,000 assurance professionals, who have the experience of auditing many of the world’s leading companies. We provide a consistent worldwide audit by assembling the right multidisciplinary team to address the most complex issues, using a proven global methodology and deploying the latest, high-quality auditing tools. And we work to give you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our work worldwide. It’s how Ernst & Young makes a difference. © 2012 Ernst & Young LLP. All Rights Reserved. Confidential & Proprietary Subject to Contract. 1208-1382337 Page 24 © Ernst & Young LLP 2012. All rights reserved. Confidential & Proprietary Subject to Contract.
© Copyright 2024