Changes in risk management - The Institute of Internal Auditors

2
Key challenges and trends
The IIA strategic plan
Adapting the internal audit organization &
plan
Strategies for success
Final thoughts on Achieving Our Potential
3
4
Governance failures around the globe
Risk management efforts ineffective
Stakeholder confidence shaken
Legislative / regulatory response anticipated
Opportunity for internal audit profession to
demonstrate leadership in risk management,
control and governance
“Where were the internal auditors?”
5
Business risk has changed
Shifting focus from financial reporting controls to
strategic and business risks
Strategic, operational, and business risks underlie
80% of the rapid declines in shareholder value
Compliance: 5%
Financial: 15%
Operational: 20%
Strategic & business: 60%
Source: PriceWaterhouseCoopers 2009
6
• Demonstrate cost
effectiveness of internal
audit function
• Focus on assurance
• No surprises
• Drive strategic value
• Provide risk intelligence
• Challenge management assumptions
• Focus on what is important
• Offer direct and frequent interaction
• Communicate important issues timely
• Deliver more results with
less expense
• Demonstrate tangible
return on investment
• Validate existing controls
• No surprises
• Assist with risk management
initiatives
• Engagement early on emerging risks
& business models
• Provide actionable recommendations
• Communicate important issues timely
7
Vulnerability vs. probability
Move to continuous risk assessments, risk management competencies
Challenging assumptions on key strategies and emerging business models
Evaluate risk across the extended enterprise, incorporating counterparty and
partner risks
Business continuity focus increasing
De-emphasize likelihood and focus on vulnerability
Capability to engage with leaders on strategic risk
Risk mitigation strategies cross organizational and political boundaries
Need for a flexible audit program that responds quickly to emerging risks
8
Enterprises increasingly global
Virtual enterprises blurring organizational boundaries
Growth of outsourcing and off-shoring driving decentralization
Deep process and system integration
Internationalization of accounting standards (IFRS)
Governance and control complexity increasing
Compliance risks multiply with new jurisdictions
Political and foreign corrupt practices (FCPA) risks
Requires strong control system competencies
Cultural awareness among audit staff
9
Companies continue to look to automation as a strategy during economic
downturn by gaining productivity
Technology risks will remain high, complexity increasing
Data security is a competitive advantage
Automated nature of fraud
Increasing IT proficiency required among audit staff – integrated auditors
Pre-implementation consulting on design of controls
Increased importance on continuous monitoring, data analysis, and fraud detection
10
Generational differences in work styles and motivations
Comfort and proficiency with technology
New competencies and skills required for auditors
Global teams in multiple geographies, dispersed
Rotational staffing models on the rise
Flexible organization, management and development models
Balance professional and rotational resources
Virtual teams, with different work styles
24/7 work environment
Cultural and geographical diversity
Business acumen and IT skills are essential
11
12
The Global
Institute for Internal Auditors
Internal Auditing is universally recognized as a profession
Defines the principles of
the profession and
assures that the principles
are available seamlessly
worldwide
Assures adherence to
professional requirements
Is the preferred provider
in the research,
development and
dissemination of
knowledge to advance the
profession
Is seen by its members
and operates as one
global organization
13
14
March 2009 survey shows:
47% have increased coverage of operational
risks
48% have increased coverage of cost/expense
reduction or containment
35% have increased coverage of the
effectiveness of risk management
40% have increased coverage of their companies'
exposure to third parties in financial distress
Source: Audit Director Roundtable Research & Institute of Internal Auditors
15
Diminished stature of internal audit in anticipating
and addressing emerging risks
Seen as inflexible and non-responsive to emerging risk
Significantly reduced credibility as a trusted
governance partner and strategic asset
Diminished perception of value of internal audit
activities and talent
No seat at the governance table
No voice in the risk management debate
16
IIA Global CAE survey of Fortune 1000 companies
shows:
45% report that the economy has had a moderate to
enterprise threatening impact on company
51% have had their IA budgets decreased
45% in co-sourcing fees
80% reduced travel
70% reduced training
34% staff reduction
20% project additional cuts in 2010
Source: Institute of Internal Auditors
17
Maximize use of technology to enhance
efficiency, effectiveness, and quality
Knowledge management and sharing
Automate workpapers, risk assessment
Automate issue tracking and reporting
Leverage data mining and analysis to detect
errors and test data populations
Technology-enabled continuous assurance to
embed sustained monitoring
18
19
20
21
Internal
Audit
Greater coverage
Less manual
testing
Created as
needed
Repetitive; not
project based
More automated
testing
Centralized
process
Business
Monitoring
control owned
by business
Periodically
reviewed by IA
22
Procure to Pay
Logical Access
• Travel and Entertainment
• Duplicate expenses
• Prohibited expenses
• Inappropriate exchange rates
• Purchase card Use
• Purchase Order Usage
• Invoice Analysis
• Payments Processing
• Employee vendor match
• Duplicate vendor invoices
• SOx Apps
• SAP
• MS Licensing
• Business Apps
• Explore.MS
• Sharepoint Access
SDLC
• Application development sign off monitoring
Accounts Receivable
• Global AR queries
Customer preferences
Financial Reporting
• Reconciliation of privacy requests from one DB
to another
• SAS 99 testing
• Revenue recognition
Fraud detection
Tax
• Beneish Ratios
• Charitable contributions
• Global resource risk
23
Increase coverage without increasing staff
Focus on boulders not rocks
Leverage technology
Leverage management control functions for leveraged assurance
Challenge existing audit approach for higher impact, lower cost
execution
Clear roles & responsibilities – avoid duplication of effort or
inefficiencies
Continue to increase auditor competencies
Internal Auditor Competency Framework
Value quality
International Professional Practices Framework
External Quality Assessments
Require CIA certifications
24
Committed
Planned
Exploring
• Current 6 months
• Committed
projects
• Part of current
year risk
coverage plan
• 6+ months out
• Planning projects
with stakeholders
• Part of current
year risk
coverage plan
• 12+ months out
• Exploring
potential projects
Key theme: Responsive to changing risks
25
Audit committee’s heightened desire for assurance on
financial reporting risks
Evaluate management’s judgments, estimates, and
forecasts
Basis for goodwill assets, reserves, guidance
Financial fraud assurance
Technology based population testing for key fraud indicators
Significant JE’s
Etc.
Anticipate changes in regulatory environment
Proactive assurance to AC on changing regulatory landscape
E.g. - upcoming changes to disclosure rules for compensation
policies & executive pay
26
Challenge management assumptions
Participate in cross functional ‘what if’ discussions to reconsider
risks and identify action plans
Advise on design of risk management and monitoring
controls responsive to changing conditions and cost
reductions
Redirect audit resources to re-assessed highest risk areas
Complex decision models – such as risk monitoring and valuation
Physical and system security in the aftermath of layoffs
Operational reviews in processes that MUST continue to work
Investment diversification policy
Consumer loan, credit policy
Liquidity management, hedging policy
Governance roles, responsibilities, practices
Extended enterprise reviews
27
Does your company have an anti-corruption
program?
Anti-corruption policy
Education program
Management’s monitoring activities
Books & records
Internal audit anti-corruption program
28
Annual enterprise level risk assessment
Advise management on internal controls and process
improvements
Assurance projects to validate compliance with company
anti-corruption policy
Potential due diligence procedures during pre-close of M&A
deals
Evaluations of overall effectiveness of Company’s
compliance program
Technology Enabled Continuous Assurance (TECA) program
monitoring
29
Management tone at the top
“Follow the Money”
Third party pay-on-behalf disbursements
Donations, gifts and T&E
Marketing spend and samples
Channel incentives and rebates
High risk activities
Lobbying and influencing
Customs agents and freight forwarders
Sales deal execution and channel management
Government facing programs
30
31
Risks to organizations are unprecedented
Stakeholders’ expectations continue to increase
Internal audit profession has an opportunity to step forward
Individual practitioners and organizations must ‘raise the
bar’ to most effectively represent and advocate for our
profession
Our new challenges will bring new opportunities for our
organizations, internal auditing as a profession, and each of
us as professionals
32
Demonstrate value to the business
Be a leader on issues of corporate governance and risk
management
Anticipate, don’t wait to be asked
Be a change agent and catalyst
Be a trusted advisor
Raise stakeholder expectations of internal audit
Build skills, capabilities, and reputation to meet heightened
expectations and more strategic role
Hold ourselves accountable for our own future and the
future of the profession
Comply with the IPPF
Require CIA certification
Volunteer locally, nationally, globally
Advocate for the profession
33
34