Els Hostyn Partner Internal Audit, Risk & Compliance Services Forensic 13 October 2009 FORENSIC ADVISORY Internal Audit and other assurance providers


Els Hostyn, Partner

Internal Audit, Risk & Compliance Services, Forensic

13 October 2009

FORENSIC ADVISORY

Internal Audit and other assurance providers


Challenges for succeeding in turbulent times

5 themes stand out:

MANAGE RISKS: Sound risk governance based on the three lines of defense model puts Risk as part of the daily conversation and views Risk from an enterprise-wide perspective. The CRO not only needs to have a seat at the table but is to be an active participant in all key business decisions.

REVISE STRATEGY: If you are able to make the right strategic changes to your business now, you can significantly increase your competitive advantage in the future. Reviewing strategic choices depends on the state the company is in today (stressed – distressed – at risk – robust companies).

SECURE FINANCING: Credit will remain scarce for some time and banks will be more selective in providing it. Debt renegotiation and corporate financial restructuring will be at the heart of challenging discussions with the lenders, with sound cost management practice as a prerequisite.

CASH IS KING: Unlike sales, costs and margins, working capital management is generally given little or no attention. And yet it is a key indicator for companies, not only of their financial management but also of their operational management of the purchasing cycle, sales cycle, as well as of inventory.

SAVE COSTS: The key challenge is to move to a low cost operating model that preserves flexibility and capacity to respond to future change, while embedding rigorous cost management and culture throughout the organization.

Increase added value

Challenges & responses for Internal Audit

Continuous & Cost-efficient Auditing

Integrated assurance

Increased added value

Strive for integrated assurance

New practice advisory

2050 Coordination

The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

Classes of assurance providers

Those who report to management and/or are part of management

Those who report to the board, including internal audit.

Those who report to external stakeholders

Different risk and control functions

• Internal audit
• External audit
• Compliance
• Fraud
• Quality, Health & Safety
• Risk management
• Security
• Line management
• Budgeting and controlling
• Sustainability
• …

Roles & Responsibility

[Diagram: the three lines of defence, reporting to Executive Management and Group Board]

The three lines of defence provide increased comfort

1ST: Business operations: Establish the risk and control environment

2ND: Oversight Functions: Corporate Risk Management, Finance, Treasury, etc.

Strategic management, policy setting, functional oversight

3RD: Internal Audit: Independent challenge and assurance

Where are you?

Internal Audit and External Audit

Focus

Management

Audit Committee

Standards

Approach

Independence

Results

Risk and Control

Follow up

Internal Audit and Risk Management

Internal audit and fraud

1200 – Proficiency and Due Professional Care

1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1220 – Due Professional Care

1220.A1 – Internal auditors must exercise due professional care by considering the:

• Extent of work needed to achieve the engagement’s objectives;

• Related complexity, materiality, or significance of matters to which assurance procedures are applied;

• Adequacy and effectiveness of governance, risk management, and control processes;

• Probability of significant errors, fraud, or noncompliance; and

• Cost of assurance in relation to potential benefits.

2060 – Reporting to Senior Management and the Board

The chief audit executive (CAE) must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.


Internal audit and fraud

2120 – Risk Management

2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

2210 – Engagement Objectives

2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.


Internal audit and Quality audit

• Organizational

• People

• Scope/objectives

• Fieldwork

• Regulations

Single audit

SINGLE AUDIT?

[Figure: two-by-two matrix. Vertical axis: Level of (inherent) risk (= f(impact, probability)), High to Low. Horizontal axis: Current level of risk management (indicative of exposure to risk), High to Low.]

Quadrant II: Internal audit performs assurance work: “Is management correct in assessing these risks as under control?” Area of ex-post control. If no assurance can be given, back to QI.

Quadrant I: Management action plans answer: “How can we manage the risk in a cost-effective manner?” Finance Inspection performs ex-ante review.

Quadrant III: Internal audit performs advisory work: “Can these controls be reduced to free means for QI management?” Area of ex-post control. Traditional area of micro management.

Quadrant IV: Management and project monitoring: “Aren’t these risks evolving in a manner they need to be managed more actively?” Lower priority ex-ante review by Finance Inspection.

The integrated assurance map

Role of the internal auditor ? Internal Audit to express an ‘integrated’ opinion on internal control ? Are we ready for the challenge ?

IIA Practice Guide on ‘Formulating and Expressing Internal Audit Opinions’


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2008 KPMG [Insert Legal Entity]), a Belgian civil CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Belgium.

Presenter’s contact details:

Els Hostyn

Partner

KPMG Advisory

+32 2 708 43 [email protected]