How Forward-Thinking and Contemporary Audit Executives are ... · Asset Risk –company inventory...
Perspectives of 100 CAEs:
How Forward-Thinking and
Contemporary Audit Executives
are Enabling Positive Change
3
About Tom
Tom O’Reilly, Director & Internal Audit Practice Leader
4
About Yulia
Yulia Gurman, Executive Director, Internal Audit and Corporate Security
Packaging Corporation of America
5
Packaging Corporation of America (PCA)
• Domestic company headquartered in Lake
Forest, IL
• One of the largest manufacturers of
containerboard and corrugated packaging
• 2018 revenue $7 billion
• Decentralized environment with more than
100 facilities located primarily across the
United States
6
Polling Question 1
Please open the conference app to participate
7
What emerging risks are you covering?
Or describe with one word how
business is changing?
8
9
Business is Changing...
10
But Internal Audit Isn’t...
Source: MISTI 2018 and 2019 Internal Audit Topics on the audit plan survey charts.
11
… and Our Stakeholders are Noticing
87% of CAEs are extremely or moderately confident in their organization’s ability to identify and assess emerging and atypical risks
HOWEVER
78% of CAEs say the board will turn to management for identification and assessment of emerging and atypical risks
12
Learning Objectives
How can you use internal audit to ENABLE POSITIVE CHANGE in your organization?
How to be a better Internal Audit Leader through:
• Expanding Audit Coverage
• Increasing Audit’s Subject Matter Expertise
• Positioning Audit to “Lead from the Front”
13
Expand The Coverage
Of Your Audit Plan
14
Re-evaluate Your Risk Assessment Approach
Internal Auditing Definition
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
CAE Considerations:
Do you have a risk assessment?
- does it reflect the strategic objectives and emerging risks of your organization?
Do you include the right stakeholders in your discussions?
- review organizational changes
15
Organizational Objectives
Four main objectives for every organization:
• Increase Revenue
• Continually Innovate
• Manage Human Resources
• Decrease Costs
16
Polling Question 2
Please open the conference app to participate
17
Our Audit Plan addresses strategic initiatives
a. No
b. Yes, but we could do better
c. Yes, we feel good about our risk coverage
d. We don’t have any strategic initiatives
18
19
20
How Can You Enhance Your Risk Assessment?
Building Relationships = Better Information
Risk Assessment Questions
1. Business area risks and objectives
2. Changes in people, process, and technology
• Succession Plan
• Emerging and Disruptive Technology
• Automation
3. Major process/department initiatives
Risk Assessment Resources
1. Risk/Audit Universe
2. Internal Audit’s interface with Enterprise Risk Management (ERM)
3. External benchmarks
4. Peer network
21
Real Life Examples
22
Risk Universe Coverage: 2018 and 2019
Legend
Addressed by company Internal Audit in 2018 and in 2017
Addressed by company Internal Audit in 2016
Strategic
• Governance: Board Performance; Tone at the Top; Corporate Environment; Corporate Social Responsibility
• Planning and Resource Allocation: Organizational Structure; Strategic Planning; Budgeting & Forecasting; JV’s/Alliances Partnerships; Special Purpose Entities; IT Strategy
• Major Initiatives: Vision and Direction; Planning and Execution; Measurement and Monitoring; Technology Implementation; Business Acceptance
• Mergers, Acquisition & Divesture: Valuation and Pricing; Due Diligence; Execution and Integration
• Market Dynamics: Competition; Economic Factors; Customer Profile Trends; Socio-Political; Pricing Pressures
• Communication & Investor Relations: Media Relations; Investor Relations; Employee Communications; Technology-Enabled Communications (e.g. social media)
Financial
• Market: Interest Rate; Foreign Currency; Commodity; Derivatives
• Liquidity and Credit: Cash Management; Debt Management; Credit and Collections; Funding; Hedging; Insurance
• Accounting and Reporting: General Ledger Close; Consolidation Process; Accounting, Reporting and Disclosure; Internal Control/SOX 404/302; Information and Reporting Integrity
• Tax: Tax Strategy and Planning; Tax Optimization; Transfer Pricing; Property Taxes
• Capital Structure: Debt; Equity; Pension Funds
Compliance
• Code of Conduct: Ethics; Fraud
• Legal: Contract; Liability; Intellectual Property; Anti-Corruption / FCPA; Technology Compliance Support
• Regulatory: Trade; Export Compliance; Labor; Securities; Environmental; Data Protection and Piracy; International Purchases and Sales; Product Quality/Safety; Health & Safety; Competitive Practices/Anti-Trade; Sales and Marketing; Technology Compliance Support; Customs
Operations
• Sales and Marketing: Marketing and Advertising; Sales and Pricing; Customer Insight and Analysis; New Product Development; Technology-Enabled Sales Channels; Sales Order Processing; Customer Support and Management; Warranty
• Supply Chain: Engineering; Material Planning; Sourcing and Procurement; Production and Inventory Control; Distribution; Third party / subcontractors
• People: Recruitment and Retention; Development and Performance; Succession Planning; Compensation and Benefits; Labor Relations; Payroll/Timekeeping
• Information Technology: Information Management / Infrastructure; Security/Access; Availability/Continuity; Integrity
• Hazards: Natural Events and Terrorism
• Physical Assets: Real Estate; Property, Plant, and Facilities
23
Voice of Management: Risk Identification Interview Results
Top Risk Identified by Management
• Succession Planning – Inappropriate planning for attrition of key executives could result in business disruption, loss of key customer relationships, or loss of IP.
• New Product Research and Development – Ineffective use of R&D investments will hinder ability to develop new products or meet customer needs.
• Asset Risk – company inventory stored internally or at third-party locations may not be secure, counted, recorded, transferred, or disposed of according to procedures.
• Intellectual Property – Inability to enforce patents or protect intellectual property (from theft) could result in a loss of product market share and future sales.
• Procurement – Ineffective supplier and sourcing strategies, negotiating, engaging and vendor monitoring could cause business interruptions and result in higher material costs.
• Product Pricing – Gross margins could erode if pricing processes, procedures, and systems are not working optimally and average selling prices continue to decrease.
• Talent Management – Inefficient employee development and recruiting operations may hinder our ability to promote and hire qualified internal and external candidates.
• Corporate Vision and Strategy – If the corporate strategy is not vetted, communicated, and accepted within the company, current and long-term initiatives may fail.
• Anti-Corruption – Potential bribes paid to government and commercial third parties may result in regulatory fines and damage company’s reputation.
Sample Audit Plan
• Procurement (Location #1, Location #2)
• Distributor Pricing
• Intellectual Property
• Anti-Corruption Program
• Subcontractor & Consignment Inventory Program
24
Risk Research Benchmarking
20xx Top Business Risks
• Regulation and Compliance Risks
• Cost Cutting
• Managing Talent
• Pricing Pressure
• Emerging Technologies
• Market Risks
• Expansion of Government’s Role
• Slow-recovery and Double-Dip Recession
• Social Acceptance Risks / Corporate Social Responsibility
20xx Audit Plan
• Ethics, Anti-Corruption Program
• Critical Control Reviews, Travel and Expense by Location
• Distributor Pricing
• Procurement (Location #1, Location #2), Distributor Reviews
25
Summary of 20XX Key Themes By Business Area
Through the course of the Risk Assessment process, Internal Audit identified themes that would be considered the high-priority risk areas for 20XX to address. Additional themes that support Medium priority risk areas are included in the full 2019 Audit Plan as well.
Key Themes
Business Area/Segment A
• Include Initiatives
• System Changes
• Control Changes
• Industry Risks
• Other?
Business Area/Segment B
• Include Initiatives
• System Changes
• Control Changes
• Other?
Business Area/Segment C
• Include Initiatives
• System Changes
• Control Changes
• Other?
• Continuous growth of a Company’s business; systems and other technology changes; growing risk areas like cybersecurity; and changes in regulatory environment require a robust plan that will remain flexible and continue to adapt to changes in the business.
• Changes to the proposed plan will be communicated timely to management and the Audit Committee.
26
Increase the Use of Subject
Matter Expertise
27
Expertise Improves Insight
Use Subject Matter Experts (SMEs)
Improves Internal Audit Value
Source: Internal Auditing’s Value to Stakeholders - Internal Audit Foundation
28
Polling Question 3
Please open the conference app to participate
29
Did you ever have to “avoid” risky
area coverage due to lack of
subject matter expertise?
a. Yes
b. No
30
31
How Do You Find The Right SMEs?
• Assess your own team’s skillset and experience and determine gaps
• Become one!
• Attend targeted training
• Learn from others
• Look for SMEs in your Company:
  • Employees
  • Guest Auditor Program
• Use consulting firms
• Tip: Engage your staff to work on the project so they can learn from the experts
32
Additional Value Of Using SMEs
• Your team members learn new skills
• Develop in-house expertise
• Cover new risk areas
• Strategic risks
• “Non-traditional” audit areas
• Obtain benchmarking information
• If consultants are engaged, ask for benchmarking data for similar companies and share with management
33
Lead from the Front
3
34
What Can CAEs Do?
CAEs can help Management and the Board (Audit Committee) by offering the following:
Education:
● Show trends and emerging risks
● Share innovative practices on how to mitigate certain risks
Help the Audit Committees and Management understand:
● Which risks are more predominant for your industry and organization
● Specific implications of each identified risk
Propose Solutions:
● Risk coverage game plan
● New technology use (if applicable)
● Resource needs
● Special advisory projects
35
Learn and Innovate Every Day!
Publications News Network Research
36
Resources
Available at the IIA Bookstore
37
Are You Ready?