www.globaliia.org

Joint IIA/ACFE Fraud ConferenceHoffman Estates, IL

May 11, 2012

Enhancing the Value of Internal Auditing

www.globaliia.org

Key Initiatives

Be a Risk and Control Expert

• Important to boards/management

• Recent financial crisis

• Many questions asked

• One other question needs to be asked?

• Required to be risk/control expert

www.globaliia.org

Enterprise Risk Assessment

• Be a catalyst

• Identify top risks

• Implement new SEC proxy disclosures of board’s role

www.globaliia.org

Enterprise Risk Assessment

• Asked by the audit committee

• Focused on identification, mitigation and quantification

• Aided by the chairman/CEO

• Formed a cross functional team

�Better understanding/buy-in

�Willingness of management to take ownership

www.globaliia.org

Enterprise Risk Assessment

• Developed a risk matrix

• Helped management realize the importance of identifying potential risks

• Embedded concept of risk into our DNA

• Invited business owners to audit committee

• Helped audit committee fulfill oversight responsibility

www.globaliia.org

Specialized Risk Assessments

• Requested by management• Management benefitted by:

�Stepping back from day-to-day operations

� Investing time to think about risks in a different way

� Identifying potential risks�Taking a fresh look at controls�Evaluating who should monitor

controls

www.globaliia.org

Specialized Risk Assessments

• Audit Team benefitted by:�Enhancing understanding of business

processes

�Improving on-going risk assessment process

�Increasing awareness of major risks and associated controls

�Building relationships and partnership with management

www.globaliia.org

Specialized Risk Assessment

• Audit Committee benefitted by:

�Helping them fulfill oversight responsibilities

�Increasing their understanding of key business risks

�Enabling them to assess management’s understanding of risk

www.globaliia.org

On-Going Audit Risk Assessment

• Enables internal auditing to develop a risk-based plan

• Complete a formal risk assessment – at least annually

• Select Risk Factors – Legal/Regulatory, Financial, Fraud, People, Technology, Operational

• Going forward, will need on-going, real time assessments

www.globaliia.org

Audit Project Level

• Assess risk during preliminary survey

• Evaluate what controls/monitoring processes in place

• Helps determine the amount of detailed testing

• Made decision about audit – go/no go

www.globaliia.org

Be A Risk And Control Expert

• Become indispensible

• Be recognized as an expert

– In assessing risk

– In evaluating what controls need to be in place

• Be focused on emerging risks

www.globaliia.org

Key Initiatives

Be Mindful of Fraud and Ethical Exposures

• Get your employees to think differently

• Identify the key elements of a fraud/ethics program

• Execute these programs (key point)

www.globaliia.org

Be Mindful of Fraud and Ethical Exposures

• Is your organization losing profit dollars to fraud?

• Will an effective program reduce these losses?

• Will management/audit committee expect more from internal auditing?

www.globaliia.org

Importance of Fraud

• Organizations lose 5% of annual revenue potential total fraud loss = $2.9 trillion.

• Average duration - 18 months

• Detection methods:

�Over 40% detected by tips

�15% by management review

�14% by internal audit

2010 ACFE Report to the Nations

www.globaliia.org

Elements of an Effective Fraud Program

Root Cause Reports

PREVENTION

RESPONSE

DETECTION

Hot Line UseFraud Risk Assessment

Continuous Monitoring

Investigative Protocols

www.globaliia.org

Performing a Fraud Risk Assessment

Have you performed a fraud risk assessment?

www.globaliia.org

Performing a Fraud Risk Assessment

• OBJECTIVES

�Determine where the organization is most susceptible to fraud

�Evaluate the controls in place

�Heighten management/audit committee’s awareness of fraud risks

www.globaliia.org

Fraud Risk Assessment Approach

• Obtain management support and buy-in

• Use a cross functional team

• Conduct brainstorming sessions with scheme and scenario approach

• Map controls to fraud scenarios

www.globaliia.org

Management’s Role in Fighting Fraud

• Setting the “Tone at the Top”

• Identifying key risks

• Implementing and monitoring controls

• Creating a culture through words and actions

�Fraud will not be tolerated

�Fraud will be dealt with swiftly and decisively

www.globaliia.org

Statement of Business Ethics

• Online statement includes policies, real life examples, and comprehension questions

• Requirement to sign the Certification of Compliance each year and make any disclosures

www.globaliia.org

Statement of Business Ethics ~

con’t…

• Follow-up mechanisms in place

• Obligation to report violations

• Disclosures are reviewed by Legal and the appropriate Department

www.globaliia.org

Auditors’ and Loss Prevention’s Role in Fighting Fraud

• Knowing the red flags of fraud

• Assessing where major fraud risks are

• Including fraud discussions and fraud audit steps on each audit

• Stress professional skepticism

• Perform data mining

www.globaliia.org

Auditors’ and Loss Prevention’s Role in Fighting Fraud

• Ensuring an effective hotline process is in place

• No retaliation policy

• Being involved in the training programs

• Benchmark with other companies

• Investigating fraud cases

• Root cause reporting

www.globaliia.org

Investigative Protocol

• Develop an investigative protocol

• Defines who is responsible for:

�Managing the investigation

�Conducting the investigation

�Reporting and communicating the results

www.globaliia.org

Investigative Protocol

• Ensures allegations are adequately researched to a conclusion

• Maintains consistency among investigations

• Specifies documentation and communication standards

www.globaliia.org

Key Initiatives

Be a Data Wizard

• Process of analyzing data from different angles to identify patterns or correlations in the data that can be summarized into useful information for the auditor to perform their detailed test work.

www.globaliia.org

Effectively Leveraging Technology

Importance of Effectively Leveraging Technology

Not important

at allSomewhat important Important

Very important

Extremely important

4% 19% 37% 31% 9%

Current Performance

Emerging Trends and Leading Practices Spring 2011IIA– Audit Executive Network

InadequateLimited/

developing AdequateAbove

average Exceptional

8% 40% 38% 12% 2%

www.globaliia.org

Data Analytics

• CBOK 2010: 10 imperatives for change

Step up your use of audit technology and tools!

IIA Research Foundation –March 31, 2011

www.globaliia.org

Barriers to Using Data Analytics

• Audit staff does not have the required skill sets

• Audit staff does not have access to the systems or data warehouses

• Audit management does not see the value of data analytics

• We own this challenge – we control the solution

www.globaliia.org

Major Benefits of Using Data Analytics

• Ability to review the entire population

• Provides a more complete analysis and improves audit coverage

• Improves auditor efficiency and effectiveness

• Drives down audit costs

• Share example of coupon monitoring/ ad coverage

www.globaliia.org

Definition of Continuous Monitoring

An automatic method used to perform control and risk assessments on a frequent basis.

www.globaliia.org

Continuous Monitoring

• Vendor to Employee data matches– email address– name– TIN to SSN– bank #– phones (home, emergency, work, and

fax)

www.globaliia.org

Continuous Monitoring ~ con’t…

• Changes in supplier critical fields including bank account information

• Payments to suppliers without a contract on file

• Reimbursements for entertainment

• Cash advance on corporate credit card vs. delinquencies

• Pcard abuse

www.globaliia.org

Key Initiatives

Be proactive in building relationships and communicating with your stakeholders

• Senior management

• Operating management

• Audit committee

• External auditors

• Audit team

www.globaliia.org

Getting to Know Management in Informal

Settings

• Set up lunches

� Discuss current events

� Cover their priorities

� Ask how auditing can help

• Participate in company sponsored events

� Community service projects

� Food drives

� United Way campaigns

www.globaliia.org

Be Cognizant of How You Do Not Want To

Be Perceived

• As people who criticize all things others are doing wrong

• As people who come in after the battle –shoot the wounded

• As adversaries

www.globaliia.org

Be Cognizant of How You Want To Be

Perceived

• As employees to help achieve business objective

• As employees who provide value

• As a valuable asset to management and the audit committee

• As auditors who provide assurance and insight and are objective

www.globaliia.org

Skills Necessary to Build Effective

Relationships

• Understand the business

• Proficient at conducting audits/projects

• Good listener - empathetic

• Adept at seeing the big picture

• Understand what moves the needle

• Effective negotiator

www.globaliia.org

Other Considerations

• Mention the positives

• Give credit for prompt action

• Communicate findings in a constructive manner

• Call a spade a spade

• Be mindful of how we interact and communicate with management

www.globaliia.org

Other Considerations

• Be viewed as a trusted business ally

• Meet regularly with senior management –bring your team

• Interact with audit committee – bring your team

• Build relationships based upon mutual trust/respect

www.globaliia.org

Other Considerations

• Build the relationship before you need it

• Building trust and understanding requires an investment of time and energy

• Process of building and sustaining relationships is never-ending

www.globaliia.org

Challenge Yourself To Do All You Can To

Enhance Your Value

• Be a risk/control expert

• Be mindful of fraud and ethical exposures

• Be a data wizard

• Be proactive in building relationships

www.globaliia.org

Enhancing the Value of Internal Auditing

Questions?

www.globaliia.org

Enhancing the Value of Internal Auditing

Thank you!