Internal Auditing

JUNIO BEDANA MESINA GUILLERMO GREGORIO

Corporate Governance Failings

Polly Peck Maxwell Wickes Enron AIB Marconi Parmalat** Equitable Life ABB** Barings* WorldCom* Ahold Mutual Funds Verizon

Some Reasons for Failure

Executive greed Lack of understanding Compliant non-executive directors Compliant external audit

Unquestioning analysts
Ineffective internal audit

Government Responses
IIA Inc submission to Congress NYSE recommendation on internal audit Sarbanes-Oxley

Sarbanes-Oxley
Management must assess the effectiveness of the

internal controls and procedures for financial reporting assessment made by management

The auditor must attest to and report on the

Thus internal controls need to be documented in

detail and subject to rigorous audit testing

EU Proposals
Annual corporate governance statement

to include:
Composition

of boards and committees

Details
The

of the risk management system

designated national code

The Value Agenda

Increase in standing of internal audit Assurance on main business risks Assurance on internal control framework

Differing views on reasons for surprises

Few measures of value added

IIA Definition of Internal Audit

An independent, objective assurance

and consulting activity designed to add value and improve an organisations operation.

IIA Definition of Internal Audit

It helps an organisation accomplish its objectives

by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control and corporate governance processes.

Internal Audit Role

BUSINESS UNITS BUSINESS UNITS

Letter of Assurance

Risk Registers

INTERNAL AUDIT Review of Control Framework and Risk Management Process THE BOARD Assessment of Effectiveness of Internal Control EXTERNAL AUDIT Effectiveness of processes & information supporting the statutory accounts BUSINESS UNITS Specific studies/reviews INTERNAL AUDIT Effectiveness of management of Group & Business Unit Key Risks BUSINESS UNITS Views of Senior Management

BUSINESS UNITS Key Risk Indicators and Performance Measures

The Directors should, at least annually, conduct a review of the effectiveness of the Groups system of OBJECTIVE: (LSE Combined Code) controls including financial, operational and compliance controls and risk management internal controls and should report to shareholders that they have done so. The review should cover all controls Section D.2.1 including financial, operational and compliance controls and risk management

The Role of Internal Audit in Enterprise-wide Risk Management

Enterprise-wide Risk Management

A structured, consistent and continuous process across the organisation for identifying, assessing, deciding on responses and reporting on opportunities and threats that affect the achievement of its objectives.

Activities involved in ERM

Articulate & Communicate objectives Determine risk appetite Identify potential threats to objectives Assess impact & likelihood of threats

Provide assurance

Establish Internal environment

Provide central monitoring & coordination

Communicate risks consistently at all levels

Undertake control & other response activities

Select & implement risk responses

Benefits of ERM

Greater likelihood of achieving objectives Greater management focus

Common reporting of disparate risks

Shared understanding of risks

Fewer surprises

More informed decisions & risk taking

Sharing cross functional risks

Capability to take on risk for reward

Successful change

Internal Audits Role in ERM

Legitimate internal audit roles with safeguards Core risk-based internal audit roles

Maintaining & developing the ERM framework Central co-ordinating point for ERM Consolidated reporting on risks

Roles internal audit should not undertake

Championing establishment of ERM Giving advice on managing risks

Developing risk management strategy for board approval

Setting risk appetite

Facilitating risk responses Reviewing the management of key risks Evaluating risk management reporting Giving assurance that risks assessed appropriately Giving assurance on risk management processes

Imposing risk management processes

Management assurance on risks Taking decisions on risk responses Implementing risk responses

Accountability for risk management

ERM and Internal Audit The Safeguards Management is responsible for risk management

Internal audit should not:

Undermine management accountability Manage risks on managements behalf Make risk management decisions

Give assurance on any part of the ERM framework for which it is responsible

Risk Based Audit Approach

Risk Based Audit Approach

Review the risk management process

Start at the top of the organisation

Repeat at each level

Review of Risk Management Process

Discuss with individual managers

Are objectives clearly identified

Assess how they arrived at the key risks

Facilitate/participate in workshops if necessary

Look at feedback process for key risks

Risk based Audit Approach

If satisfactory then:

Select audit topics from risk registers

If unsatisfactory then:

Facilitate risk identification process (workshops)

Facilitation of Risk Workshops

Identify objectives and targets
Identify threats to achievement of objectives

and targets

Identify likelihood and impact of those threats Identify target likelihood and impact Agree key risk areas Identify controls to reduce risk to target levels

Risk Review

Identify:

Controls intended to reduce impact Controls intended to reduce likelihood

Verify those controls are in place and working Identify possible improvements and redundant controls

Advantages
Enables annual opinion
Focuses on big issues

Board/Audit Committee has control

Responsive to changing events More interesting and challenging work

Reporting
Report on:
Assurance process

Key objectives
Individual risks to achievement of key objectives

Year End Report 1. Overall Assessment

2. Change in Group Risks over the Year

3. Analysis of Letters of Assurance 4. Summary of Control Weaknesses 5. Review of Control Framework 6. Review of Risk Management Process

Audit Plan

H H
TOTAL RISKS
AUDIT COVERAGE

HM / MH

M M

HL / LH

ML / LM

PROBABILITY/IMPACT

Future Influences on Internal Audit

Corporate governance Information & communications technology E-commerce Communications with the board Increased demand for internal audit Business risk

Future Influences on Internal Audit

Working with other risk management professionals Demand for independent appraisal of IA Need to improve understanding about IA

Facilitating workshops etc.

Globalisation of business and the job market

Effectiveness of Internal Audit

Professional standards Independent reviews Peer reviews Publications for Audit Committees Comparative data Performance measures

Performance Measures
No right answers Measure both inputs and outputs Must mean something to the business

What is IA contribution to the business

Agreement up front is the key Tell them what you are going to do Do it Tell them that you have done it. Dont hide your light under a bushel