IIA Midwestern Regional ConferenceSt. LouisSeptember 14, 2009

Achieving our Potential

2

Chairman of the Board, The Institute of Internal Auditors (IIA)General Manager, Finance Operations, Microsoft Corp

Rod Winters“Achieving Our Potential”

3

Key challenges and trendsThe IIA strategic planAdapting the internal audit organization & plan

Strategies for successFinal thoughts on Achieving Our Potential

Topics

4

Key challenges and trends impacting the profession

5

Governance failures around the globeRisk management efforts ineffectiveStakeholder confidence shakenLegislative / regulatory response anticipated

Opportunity for internal audit profession to demonstrate leadership in risk management, control and governance

“Where were the internal auditors?”

Challenging times

6

Business risk has changedShifting focus from financial reporting controls to strategic and business risksStrategic, operation, and business risk underlie 80% of the rapid declines in shareholder value

Changing risk profiles

Strategic & business

Operational

Finanical

Compliance

0% 10% 20% 30% 40% 50% 60% 70%

60%

20%

15%

5%

Source: PriceWaterhouseCoopers 2009

Great Expectations = Great Opportunities

• Demonstrate cost effectiveness of internal audit function

• Focus on assurance• No surprises

Yesterday Today• Drive strategic value• Provide risk intelligence• Challenge management assumptions• Focus on what is important• Offer direct and frequent interaction• Communicate important issues timelyB

oar

ds

&

Au

dit

Co

mm

itte

es

• Deliver more results with less expense

• Demonstrate tangible return on investment

• Validate existing controls• No surprises

• Assist with risk management initiatives

• Engagement early on emerging risks & business models

• Provide actionable recommendations• Communicate important issues timely

Lin

e &

Sen

ior

Man

agem

ent

7

Changes in risk management

Vulnerability vs. probabilityMove to continuous risk assessments, risk management competenciesChallenging assumptions on key strategies and emerging business modelsEvaluate risk across the extended enterprise, incorporating counterparty and partner risksBusiness continuity focus increasing

Trends

De-emphasize likelihood and focus on vulnerabilityCapability to engage with leaders on strategic risk Risk mitigation strategies cross organizational and political boundariesNeed for a flexible audit program that responds quickly to emerging risks

Impact

8

Globalization & extended enterprise

Enterprises increasingly globalVirtual enterprises blurring organizational boundaries Growth of outsourcing and off-shoring driving decentralizationDeep process and system integrationInternationalization of accounting standards (IFRS)

Trends

Governance and control complexity increasingCompliance risks multiply with new jurisdictionsPolitical and foreign corrupt practices (FCPA) risksRequires strong control system competenciesCultural awareness among audit staff

Impact

9

10

Increasing automation

Companies continue to look to automation as a strategy during economic downturn by gaining productivityTechnology risks will remain high, complexity increasing Data security is a competitive advantageAutomated nature of fraud

Trends

Increasing IT proficiency required among audit staff – integrated auditorsPre-implementation consulting on design of controlsIncreased importance on continuous monitoring, data analysis, and fraud-detection

Impact

Talent and staffing

Generational differences in work styles and motivationsComfort and proficiency with technologyNew competencies and skills required for auditorsGlobal teams in multiple geographies, dispersedRotational staffing models on the rise

Trends

Flexible organization, management and development modelsBalance professional and rotational resourcesVirtual teams, with different work styles 24/7 work environment

Cultural and geographical diversity Business acumen and IT skills are essential

Impact

11

12

The Global IIA & Strategic Plan

13

IIA Strategic PlanPreferred milestones by 2013

Internal Auditing is universally recognized as a profession

Defines the principles of the profession and

assures that the principles are available seamlessly

worldwide

Assures adherence to professional requirements

Is the preferred provider in the research,

development and dissemination of

knowledge to advance the profession

Is seen by its members and operates as one global organization

The

Glo

bal

Insti

tute

for I

nter

nal A

udito

rs

13

14

Adapting for success

14

15

March 2009 survey shows:47% have increased coverage of operational risks48% have increased coverage of cost/expense reduction or containment35% have increased coverage of the effectiveness of risk management40% have increased coverage of their companies exposure to third parties in financial distress

Being responsive to economic crisis

Source: Audit Director Roundtable Research & Institute of Internal Auditors

16

Diminished stature of internal audit in anticipating and addressing emerging risks

Seen as inflexible and non-responsive to emerging riskSignificantly reduced credibility as a trusted governance partner and strategic assetDiminished perception of value of internal audit activities and talentNo seat at the governance tableNo voice in the risk management debate

Risk of not responding

17

IIA Global CAE survey of Fortune 1000 companies show:

45% report that the economy has had a moderate to enterprise threatening impact on company51% have had their IA budgets decreased

45% in co-sourcing fees80% reduced travel70% reduced training34% staff reduction

20% project additional cuts in 2010

Doing more with less:economy's impact on IA resources

Source: Institute of Internal Auditors

18

Maximize use of technology to enhance efficiency, effectiveness, and quality

Knowledge management and sharingAutomate workpapers, risk assessmentAutomate issue tracking and reportingLeverage data mining and analysis to detect errors and test data populationsTechnology-enabled continuous assurance to embed sustained monitoring

Leverage technology

19

Efficiency through knowledge management

20

Efficiency through automated workflow: Project evaluations

21

Efficiency through automated workpapers

22

Increase coverage through Technology Enabled

Continuous Assurance

CAATS

Greater coverage

Less manual testing

Created as needed

ContinuousAssurance

Monitoring control owned by business

Periodically reviewed by IA

Business

ContinuousAuditing

InternalAudit

Repetitive; not project based

More automated testing

Centralized process

23

Sample TECA areas

Procure to Pay

• Travel and Entertainment • Duplicate expenses• Prohibited expenses• Inappropriate exchange rates

• Purchase card Use• Purchase Order Usage• Invoice Analysis• Payments Processing

• Employee vendor match• Duplicate vendor invoices

Accounts Receivable

• Global AR queries

Financial Reporting

• SAS 99 testing• Revenue recognition

Tax

• Global resource risk

Logical Access

• SOx Apps• SAP• MS Licensing

• Business Apps• Explore.MS• Sharepoint Access

SDLC

• Application development sign off monitoring

Customer preferences

• Reconciliation of privacy requests from one DB to another

Fraud detection

• Beneish Ratios• Charitable contributions

24

Increase coverage without increasing staffFocus on boulders not rocksLeverage technologyLeverage management control functions for leveraged assuranceChallenge existing audit approach for higher impact, lower cost executionClear roles & responsibilities – avoid duplication of effort or inefficiencies

Continue to increase auditor competenciesInternal Auditor Competency Framework

Value qualityInternational Professional Practices FrameworkExternal Quality AssessmentsRequire CIA certifications

Leading the IA team

25

Flexible planning

Committed

Planned

Exploring

•12+ months out•Exploring potential projects

•6+ months out•Planning projects with stakeholders

•Part of current year risk coverage plan

•Current 6 months•Committed projects

•Part of current year risk coverage plan

Key theme: Responsive to changing risks

26

Audit committee’s heightened desire for assurance on financial reporting risksEvaluate management’s judgments, estimates, and forecasts

Basis for goodwill assets, reserves, guidanceFinancial fraud assurance

Technology based population testing for key fraud indicatorsSignificant JE’sEtc.

Anticipate changes in regulatory environmentProactive assurance to AC on changing regulatory landscapeE.g. - upcoming changes to disclosure rules for compensation policies & executive pay

Financial assurance is still core

27

Challenge management assumptionsParticipate in cross functional ‘what if’ discussions to reconsider risks and identify action plans

Advise on design of risk management and monitoring controls responsive to changing conditions and cost reductionsRedirect audit resources to re-assessed highest risk areas

Complex decision models – such as risk monitoring and valuationPhysical and system security in the aftermath of layoffsOperational reviews in processes that MUST continue to workInvestment diversification policyConsumer loan, credit policyLiquidity management, hedging policyGovernance roles, responsibilities, practicesExtended enterprise reviews

Engaging on strategic & business risks

28

Does your company have an anti-corruption program?

Anti-corruption policyEducation programManagement’s monitoring activitiesBooks & recordsInternal audit anti-corruption program

Legal and compliance risk increased

29

Annual enterprise level risk assessmentAdvise management on internal controls and process improvementsAssurance projects to validate compliance with company anti-corruption policyPotential due diligence procedures during pre-close of M&A dealsEvaluations of overall effectiveness of Company’s compliance programTechnology Enabled Continuous Assurance (TECA) program monitoring

Anti-corruption audit program

30

Management tone at the top“Follow the Money”

Third party pay-on-behalf disbursementsDonations, gifts and T&EMarketing spend and samplesChannel incentives and rebates

High risk activitiesLobbying and influencing Customs agents and freight forwardersSales deal execution and channel managementGovernment facing programs

AC Audit Program Focus Areas

31

Closing thoughts

32

Risks to organizations are unprecedented Stakeholders’ expectations continue to increase Internal audit profession has an opportunity to step forwardIndividual practitioners and organizations must ‘raise the bar’ to most effectively represent and advocate for our professionOur new challenges will bring new opportunities for our organizations, internal auditing as a profession, and each of us as professionals

Closing thoughts

33

Demonstrate value to the businessBe a leader on issues of corporate governance and risk managementAnticipate, don’t wait to be askedBe a change agent and catalystBe a trusted advisor

Raise stakeholder expectations of internal auditBuild skills, capabilities, and reputation to meet heightened expectations and more strategic role

Hold ourselves accountable for our own future and the future of the profession

Comply with the IPPFRequire CIA certificationVolunteer locally, nationally, globally Advocate for the profession

Achieving our potential

34

Questions