PwC Role of Internal Audit in Corporate Governance September 2010 Tumin Gültekin, Partner.

Role of Internal Audit in Corporate Governance

September 2010

Tumin Gültekin, Partner

PricewaterhouseCoopers 2

Internal Audit transformation

ContentsSection

Page

1. Determining the role of internal audit

3

2. Transforming the role regarding corporate governance

11

3. Questions

24



Determining the role of internal audit

PricewaterhouseCoopers

Overall structure

Board / Audit Committee

Inte

rna

lau

dit

Executive Management

Risk Committee (not required)Risk Committee (not required)

Risk Management System

ORSA Process

Internal Model

Internal Control system

Risk Management Function

Actuarial Function

ORSA

Compliance function



As companies move toward enterprise risk management, Internal Audit must also evolve – or risk a diminished value proposition

20th Century InternalAudit Model

Controls assurance based on cyclical or routine audit plans

The Common InternalAudit Model

Controls assurance based on a risk-based internal audit plan

The Risk-CentricInternal Audit Model

Risk and control assurance based on the effectiveness of risk and control processes implemented by management

Source: Internal Audit 2012

If the view (among stakeholders) grows that all Internal Audit does is test controls, then resource levels will have to come down. Chief Audit Executive, Financial Services Industry

Traditional internal auditing will probably diminish in value if the organization moves towards formal risk management. Senior Executive, Rating Agency



Aligning Internal Audit activity to corporate risks; strategic objectives; driving stakeholder value

Source: PwC, composite of various studies of US and UK markets

60% 20% 15% 5%

Strategic & business

• Strategic, operational and business risks underlie 80% of the rapid declines in shareholder value.

• Gaps exist between the current focus of many Internal Audit functions and the significant risks their organisations face.

• Over the past five years, internal auditors have been concentrating on basic financial reporting and compliance risks.

Operational Financial Compliance



Internal Audit functions need to have a clear view of where they want to be positioned

“Controls-focussed”“Strategic/Operational

focus”


Some of the typical gaps in the role of internal audit

Gaps common to many internal audit functions

1 Risk assessment typically not aligned with drivers of shareholder value

2 Internal audit activities focus on low value activities and controls or replicates external audit procedures

3 Financial and human resource limitations and constraints

4 Use of technology tools is limited and they are not integrated

5 Audits are planned with overly broad objectives and scope

6 Routine audits do not fully leverage available data analytical tools

7 Assignment process and travel requirements create significant process inefficiencies

8 Communications (reports, etc) and ratings consume significant resources

9 Recommendations are not impactful

10 Process is weighted toward repetition vs. relevance

Gaps in coverage and inefficient processes are also driving a need for change




Transforming the role regarding corporate governance


How internal audit can add value

Strategy Organization

Technology People

Process

Organization

• Board expectations

• Dynamic mission vs. static / limited purpose

• Organisational alignment

• Flexibility

People

• Stature across enterprise

• Achieve mission/objectives

• Attract and retain talent

• Source of talent

• Successful progression to management roles in the organisation

• Potential leaders of departments or business units

Strategy Implementation

• Enterprise strategy

• Stakeholders’ expectations

• Shareholders value drivers

• Risk management alignment

Technology

• Effective utilisation

• Enhance risk-based approach

• Leveraged to change process

• Substitute for labor Process

• Process efficiency

• Willingness to change

• Effective communicationTransforming the role regarding corporate governance


How internal audit can add value – Solvency II related

Strategy Organization

Technology People

Process

• ORSA

• System of governance

• Internal control system

• Risk management system

• Solvency II project

• Policy and procedures, documentation

• Responsibilities

• Proper resource and expertise

Assessment and improvement of...

• Risk management strategy

• Stakeholders’ expectations

• Policies

• Investment

• Reinsurance

• Risk etc

• Data requirements

• IT systems and architecture

• Data quality and consistency

• Model

• Technical provisions

• Systems security and controls


• Reporting

• Management

• Internal

• External


An approach to transforming internal audit

Strategic Objectives

• Understand what the strategic objectives of the organisation are

Stakeholder Value

• Understand what drives/devalues stakeholder value within the organisation

Strategic Risks

• Understand what the strategic risks of the organisation are

Strategy & Risk People Process Technology

Capabilities Assessment

• Inventory of existing skills

• Conduct gap analysis

• Determine adequacy of resources to respond to all key risks

Talent Management

• Use of internal and external resources

• Consider implementing a rotational staffing model to attract and retain talent

Audit Cycle Improvements

• Align Internal Audit with organisation’s strategic objectives

• Reduce audit cycle time by conducting more targeted audits

• Increase value derived from focus on higher-risk areas

• Improve communication to stakeholders through concise, impactful reports

Optimisation of Technology

• Reduce the labor content of audits by increasing the effectiveness of lower-risk audits

• Provide real time monitoring of significant risks

• Explore areas where technology can streamline or standardise a process

• Test entire data populations electronically



Value enhancement and efficiency

This approach is focused on aligning the IA strategy with the value-producing processes and activities of the organisation, while streamlining the IA operations to drive efficiency

Process

Technology

Operating Strategy

Internal Audit Strategy

Organisation

People

Process

Technology

Value Enhancement Focus

Improving Inefficiencies & Managing Costs

Company Strategy / Shareholder Value Drivers/ Strategic Risks



Transformed vs. traditional risk assessment approach

Audit plan

Identify Stakeholder Value Creating Activities

Understanding Enterprise Risks (Strategic, Financial, Operations, Compliance)

Evaluate Impact to Shareholder Value

Define Audit Universe (eg geography, business unit)

Identify Risks (financial operations, compliance)

Evaluate Impact of Risks within Audit Universe

Traditional Approach

Traditional “bottom-up” approach based on stakeholder interviews and analysis. Focus is on coverage of identified risk areas, geography and business operations.

Stakeholder Value Based Approach

“Top-down” approach where coverage is driven by issues that directly impact shareholder value, with clear and explicit linkage to strategic issues of the organisation.



Some strategies for strengthening the role of internal audit in corporate governance

Strategies

1Identify stakeholder expectations of internal audit; ask what management, the board, and the audit committee value

2 Assess overall governance structure, policies, corporate culture and ethics

3 Assess risk management structure and activities

4 Link the company’s strategic objectives and shareholder value drivers to internal audit’s scope

5 Consider how previously unaudited areas might be audited, then align auditable risks to the audit plan

6 Eliminate routine, low-value audits

7 Assess financial governance and reporting processes; and fraud control and communications process

8 Identify inefficient processes, develop implementation plans for process efficiencies

9 Review updated internal audit plan, along with cost-reduction ideas, with key stakeholders to gain support

10 Implement (add measurement, feedback and adjustment processes for continuous improvement)

What would be the greatest strategic value internal audit could and should contribute?How could do the companies manage the risks to shareholder value?




Questions



PwC – enhancing the value delivered by internal audit

© 2009 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP (US).

PwC Role of Internal Audit in Corporate Governance September 2010 Tumin Gültekin, Partner.

Documents

Transcript of PwC Role of Internal Audit in Corporate Governance September 2010 Tumin Gültekin, Partner.