2 key challenges and trends the iia strategic plan adapting the internal audit organization &...
TRANSCRIPT
IIA Midwestern Regional ConferenceSt. LouisSeptember 14, 2009
Achieving our Potential
2
Chairman of the Board, The Institute of Internal Auditors (IIA)General Manager, Finance Operations, Microsoft Corp
Rod Winters“Achieving Our Potential”
3
Key challenges and trendsThe IIA strategic planAdapting the internal audit organization & plan
Strategies for successFinal thoughts on Achieving Our Potential
Topics
4
Key challenges and trends impacting the profession
5
Governance failures around the globeRisk management efforts ineffectiveStakeholder confidence shakenLegislative / regulatory response anticipated
Opportunity for internal audit profession to demonstrate leadership in risk management, control and governance
“Where were the internal auditors?”
Challenging times
6
Business risk has changedShifting focus from financial reporting controls to strategic and business risksStrategic, operation, and business risk underlie 80% of the rapid declines in shareholder value
Changing risk profiles
Strategic & business
Operational
Finanical
Compliance
0% 10% 20% 30% 40% 50% 60% 70%
60%
20%
15%
5%
Source: PriceWaterhouseCoopers 2009
Great Expectations = Great Opportunities
• Demonstrate cost effectiveness of internal audit function
• Focus on assurance• No surprises
Yesterday Today• Drive strategic value• Provide risk intelligence• Challenge management assumptions• Focus on what is important• Offer direct and frequent interaction• Communicate important issues timelyB
oar
ds
&
Au
dit
Co
mm
itte
es
• Deliver more results with less expense
• Demonstrate tangible return on investment
• Validate existing controls• No surprises
• Assist with risk management initiatives
• Engagement early on emerging risks & business models
• Provide actionable recommendations• Communicate important issues timely
Lin
e &
Sen
ior
Man
agem
ent
7
Changes in risk management
Vulnerability vs. probabilityMove to continuous risk assessments, risk management competenciesChallenging assumptions on key strategies and emerging business modelsEvaluate risk across the extended enterprise, incorporating counterparty and partner risksBusiness continuity focus increasing
Trends
De-emphasize likelihood and focus on vulnerabilityCapability to engage with leaders on strategic risk Risk mitigation strategies cross organizational and political boundariesNeed for a flexible audit program that responds quickly to emerging risks
Impact
8
Globalization & extended enterprise
Enterprises increasingly globalVirtual enterprises blurring organizational boundaries Growth of outsourcing and off-shoring driving decentralizationDeep process and system integrationInternationalization of accounting standards (IFRS)
Trends
Governance and control complexity increasingCompliance risks multiply with new jurisdictionsPolitical and foreign corrupt practices (FCPA) risksRequires strong control system competenciesCultural awareness among audit staff
Impact
9
10
Increasing automation
Companies continue to look to automation as a strategy during economic downturn by gaining productivityTechnology risks will remain high, complexity increasing Data security is a competitive advantageAutomated nature of fraud
Trends
Increasing IT proficiency required among audit staff – integrated auditorsPre-implementation consulting on design of controlsIncreased importance on continuous monitoring, data analysis, and fraud-detection
Impact
Talent and staffing
Generational differences in work styles and motivationsComfort and proficiency with technologyNew competencies and skills required for auditorsGlobal teams in multiple geographies, dispersedRotational staffing models on the rise
Trends
Flexible organization, management and development modelsBalance professional and rotational resourcesVirtual teams, with different work styles 24/7 work environment
Cultural and geographical diversity Business acumen and IT skills are essential
Impact
11
12
The Global IIA & Strategic Plan
13
IIA Strategic PlanPreferred milestones by 2013
Internal Auditing is universally recognized as a profession
Defines the principles of the profession and
assures that the principles are available seamlessly
worldwide
Assures adherence to professional requirements
Is the preferred provider in the research,
development and dissemination of
knowledge to advance the profession
Is seen by its members and operates as one global organization
The
Glo
bal
Insti
tute
for I
nter
nal A
udito
rs
13
14
Adapting for success
14
15
March 2009 survey shows:47% have increased coverage of operational risks48% have increased coverage of cost/expense reduction or containment35% have increased coverage of the effectiveness of risk management40% have increased coverage of their companies exposure to third parties in financial distress
Being responsive to economic crisis
Source: Audit Director Roundtable Research & Institute of Internal Auditors
16
Diminished stature of internal audit in anticipating and addressing emerging risks
Seen as inflexible and non-responsive to emerging riskSignificantly reduced credibility as a trusted governance partner and strategic assetDiminished perception of value of internal audit activities and talentNo seat at the governance tableNo voice in the risk management debate
Risk of not responding
17
IIA Global CAE survey of Fortune 1000 companies show:
45% report that the economy has had a moderate to enterprise threatening impact on company51% have had their IA budgets decreased
45% in co-sourcing fees80% reduced travel70% reduced training34% staff reduction
20% project additional cuts in 2010
Doing more with less:economy's impact on IA resources
Source: Institute of Internal Auditors
18
Maximize use of technology to enhance efficiency, effectiveness, and quality
Knowledge management and sharingAutomate workpapers, risk assessmentAutomate issue tracking and reportingLeverage data mining and analysis to detect errors and test data populationsTechnology-enabled continuous assurance to embed sustained monitoring
Leverage technology
19
Efficiency through knowledge management
20
Efficiency through automated workflow: Project evaluations
21
Efficiency through automated workpapers
22
Increase coverage through Technology Enabled
Continuous Assurance
CAATS
Greater coverage
Less manual testing
Created as needed
ContinuousAssurance
Monitoring control owned by business
Periodically reviewed by IA
Business
ContinuousAuditing
InternalAudit
Repetitive; not project based
More automated testing
Centralized process
23
Sample TECA areas
Procure to Pay
• Travel and Entertainment • Duplicate expenses• Prohibited expenses• Inappropriate exchange rates
• Purchase card Use• Purchase Order Usage• Invoice Analysis• Payments Processing
• Employee vendor match• Duplicate vendor invoices
Accounts Receivable
• Global AR queries
Financial Reporting
• SAS 99 testing• Revenue recognition
Tax
• Global resource risk
Logical Access
• SOx Apps• SAP• MS Licensing
• Business Apps• Explore.MS• Sharepoint Access
SDLC
• Application development sign off monitoring
Customer preferences
• Reconciliation of privacy requests from one DB to another
Fraud detection
• Beneish Ratios• Charitable contributions
24
Increase coverage without increasing staffFocus on boulders not rocksLeverage technologyLeverage management control functions for leveraged assuranceChallenge existing audit approach for higher impact, lower cost executionClear roles & responsibilities – avoid duplication of effort or inefficiencies
Continue to increase auditor competenciesInternal Auditor Competency Framework
Value qualityInternational Professional Practices FrameworkExternal Quality AssessmentsRequire CIA certifications
Leading the IA team
25
Flexible planning
Committed
Planned
Exploring
•12+ months out•Exploring potential projects
•6+ months out•Planning projects with stakeholders
•Part of current year risk coverage plan
•Current 6 months•Committed projects
•Part of current year risk coverage plan
Key theme: Responsive to changing risks
26
Audit committee’s heightened desire for assurance on financial reporting risksEvaluate management’s judgments, estimates, and forecasts
Basis for goodwill assets, reserves, guidanceFinancial fraud assurance
Technology based population testing for key fraud indicatorsSignificant JE’sEtc.
Anticipate changes in regulatory environmentProactive assurance to AC on changing regulatory landscapeE.g. - upcoming changes to disclosure rules for compensation policies & executive pay
Financial assurance is still core
27
Challenge management assumptionsParticipate in cross functional ‘what if’ discussions to reconsider risks and identify action plans
Advise on design of risk management and monitoring controls responsive to changing conditions and cost reductionsRedirect audit resources to re-assessed highest risk areas
Complex decision models – such as risk monitoring and valuationPhysical and system security in the aftermath of layoffsOperational reviews in processes that MUST continue to workInvestment diversification policyConsumer loan, credit policyLiquidity management, hedging policyGovernance roles, responsibilities, practicesExtended enterprise reviews
Engaging on strategic & business risks
28
Does your company have an anti-corruption program?
Anti-corruption policyEducation programManagement’s monitoring activitiesBooks & recordsInternal audit anti-corruption program
Legal and compliance risk increased
29
Annual enterprise level risk assessmentAdvise management on internal controls and process improvementsAssurance projects to validate compliance with company anti-corruption policyPotential due diligence procedures during pre-close of M&A dealsEvaluations of overall effectiveness of Company’s compliance programTechnology Enabled Continuous Assurance (TECA) program monitoring
Anti-corruption audit program
30
Management tone at the top“Follow the Money”
Third party pay-on-behalf disbursementsDonations, gifts and T&EMarketing spend and samplesChannel incentives and rebates
High risk activitiesLobbying and influencing Customs agents and freight forwardersSales deal execution and channel managementGovernment facing programs
AC Audit Program Focus Areas
31
Closing thoughts
32
Risks to organizations are unprecedented Stakeholders’ expectations continue to increase Internal audit profession has an opportunity to step forwardIndividual practitioners and organizations must ‘raise the bar’ to most effectively represent and advocate for our professionOur new challenges will bring new opportunities for our organizations, internal auditing as a profession, and each of us as professionals
Closing thoughts
33
Demonstrate value to the businessBe a leader on issues of corporate governance and risk managementAnticipate, don’t wait to be askedBe a change agent and catalystBe a trusted advisor
Raise stakeholder expectations of internal auditBuild skills, capabilities, and reputation to meet heightened expectations and more strategic role
Hold ourselves accountable for our own future and the future of the profession
Comply with the IPPFRequire CIA certificationVolunteer locally, nationally, globally Advocate for the profession
Achieving our potential
34
Questions