The Future of Internal Audit · Challenges facing Audit Committees cont….. KPMG has identified...
Top Issues for Audit Committees in the Future
IIA Armenia Conference
18-19 November 2017
Speaker
IIA Global Chairman – 2012-2013
ECIIA President 2010-2011
IIA UK and Ireland President 2005-2006
Holder of the CIA, CMIIA, CRMA, QIAL qualifications
31 years experience in Internal Audit, 29 years at managerial level
IA Project Expert for the EC and the OECD
Experience in the Public and Private sectors, including spells as:
• VP Capability & Head of the Centre of Internal Audit Excellence - Huawei
• Head of Internal Audit for a number of Health organisations in the UK
• Head of Internal Audit for the UN Special Tribunal for the Lebanon
• Head of Internal Audit for the UN War Crimes Tribunal for Bosnia Herzegovina
• Project Manager for EC funded projects in Poland, Romania, Turkey
• Project Manager for Development Agency funded projects in Kenya, South Africa and Botswana
• Project Expert for EC/OECD funded projects in Croatia, Kosovo, Serbia, Hungary, Latvia, Estonia, Lithuania, Czech Republic, Macedonia
Agenda
1. Roles and Responsibilities of Audit Committees
2. Challenges facing Audit Committees
3. Actions Audit Committees might consider
Roles and Responsibilities of Audit Committees
An audit committee is a selected number of members of a company's board of directors whose responsibilities include helping auditors remain independent of management. Most audit committees are made up of three to five or sometimes as many as seven directors who are not a part of company management.
Financial Times
The Primary Role of the Audit Committee:
Is to provide oversight of the financial reporting process, the audit process (both internal and external), the system of internal controls and compliance with laws and regulations.
In practice this means that the Audit Committee will:
Review significant accounting and financial reporting issues, along with professional and regulatory pronouncements, so they understand the potential impact on the financial statements.
Review the results of the external audit with management and the external auditors.
Review significant internal audit findings, approve the internal audit plan and review the appointment and termination of the CAE.
Review the arrangements for Risk Management and their effectiveness in regard to the Company’s risk appetite.
Review internal controls and their effectiveness, in particular considering any management reports and observations on their operation.
Have Executive sessions with the CAE and separately the External Auditor.
The Three Lines of Defence - the key to risk responsibilities in an organisation
Understanding the Three Lines of Defence is fundamental to the Audit Committee’s understanding of the governance oversight role
The First Line, that is operational management, which has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.
The Second Line, that is activities covered by several components of internal governance (compliance, risk management, quality, IT and other control departments). This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk related information up and down the organisation.
The Third Line: an independent internal audit function will, through a risk-based approach to its work, provide assurance to the organisation’s board of directors and senior management. This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defence. It encompasses all elements of an organisation’s risk landscape.
Challenges facing Audit Committees
WHO KNEW?
APPEARS THAT A NUMBER OF SENIOR EXECS KNEW
SHOULD THE AC HAVE KNOWN?
TONE AT THE TOP
Wells Fargo - Bank employees opened millions of credit-card accounts customers hadn’t approved in order to hit profit targets.
As of October 1, 2016 the bank eliminated product sales goals for its retail banking team. It also appointed a new community banking chief, and fired about 5,300 employees connected to the scandal.
SALES TARGETS DRIVING THE WRONG BEHAVIOUR
So the previous slides would suggest the following challenges
Culture: what is the pervading culture of the company?
Tone at the Top: is there a Good Tone at the Top?
Ethics: is there evidence of an ethical approach?
Risk Management: is risk being identified and managed?
KPMG has identified the following:
Risk Management is the top concern – the effectiveness of risk management programmes, cyber security risks and the company’s control of risks
Audit Committees are looking to Internal Audit to focus on the critical risks to the business, including key operational risks (e.g. cyber security and technology risks) and controls, and not just regulatory or compliance risks. They want the IA plan to be flexible and business responsive.
A significant number of Audit Committees rated Culture and Tone at the Top as a top challenge
A number cited short term pressures and aligning short and long term aims as the top challenge
believe that their Committee agenda is not properly focused on these issues
Taken from KPMG – 2017 Global Audit Committee Pulse Survey
Are not satisfied that their agenda is properly focused on CFO succession planning
Are only somewhat satisfied
Audit Committees want to devote more time to the finance organisation including talent management, training, resources as well as succession for key finance executives
Few Audit Committees believe that their companies have robust implementation processes for the new Accounting Standards due on stream at the beginning of 2018
Audit Committees believe they need to better understand the business and its key risks to improve the effectiveness of their oversight. They view more experience in cyber security and IT as being essential for improved oversight.
So do you know whether:
1. All recognised revenue is genuine and isn’t being reversed once the Financial Statements are agreed?
2. Third party suppliers are complying with anti-slavery, anti-child employment and anti-illegal materials laws?
3. Losses are being accounted for appropriately?
4. The Internal Audit plan is focussed on the key risks of the company and is flexible enough to meet the potential for speedy change in risks?
5. The Risk Management arrangements are effective and all key risks to the company have been identified?
6. KPIs are incentivising inappropriate behaviour?
From Events and Surveys the key challenges appear to be:
Better Focus for the Internal Audit activity
Risk Management
Culture/Tone at the Top/Ethics
Cyber Security/IT
Better Understanding of the Business
Aligning short and long term aims
Succession Planning in the Finance area
Concerns that Audit Committees should consider
Consider what Internal Audit may be able to do to meet the challenges?
Taken from KPMG – 2017 Global Audit Committee Pulse Survey
Taken from Protiviti – Setting the 2017 Audit Committee Agenda
Is this the Mandate you can use to meet the challenges?
Risk Management
Make sure there is regular reporting of the Risk Register and the steps taken to mitigate risk
Has Internal Audit evaluated the system of Risk Management?
Has the Contingency Plan been operationally tested?
Do not make assumptions that all has been considered:
The £300M airport in St Helena where no account was taken of the wind shear created by the mountain, making it dangerous to land
In the Gulf of Mexico, cutting corners to save money.
Culture/Tone at the Top
It is important that the Audit Committee retains an independent stance from the Executive management.
Culture frequently is impacted by the way that the CEO acts.
In the DOW case the CAE was ignored when raising issues about $1M of CEO expenses, being told to let things lie
In 2011, the CEO repaid $719,923 in overpaid expenses between 2007-2010
In 2011 the CAE was moved to a Finance Control job
In 2013 he resigned writing the DOW CONFIDENTIAL Memo detailing his concerns
A dispute between the CAE and the CEO should be a RED FLAG for the Audit Committee
When governance fails, unwanted culture flourishes
Where toxic culture exists, governance erodes
Richard Chambers – IIA CEO
The Audit Committee are the Guardians of the Governance process
If Governance fails, the Audit Committee has failed
Phil Tarling
Cyber Security and IT Issues
The number 1 concern for Audit Committees
Ensure that the Internal Audit plan has sufficient resource applied to this area
Ensure that some of the actions opposite are taken on board by the Executive team
ISACA Cyber Security Survey - 2016
The other Cyber concern is the Talent Pool.
Of the surveyed companies, the majority took between three to six months to fill a vacant Cyber Security position
The available resource likely needs to be sufficient to deal with such a gap
Better understanding of the business
This applies equally to the Audit Committee and the Internal Auditors and allows more insight into the risks that the organisation faces and the actions that can be taken to mitigate those risks.
Have regular presentations to the Board on selected operational areas
Better aligning of long and short term aims
Understanding of the business should help achieve this objective
Succession Planning in the Finance area
As part of the Planning process insist on there being succession planning for various scenarios
Summary
Years ago Non Executive Directors were cronies of the Chairman and/or CEO
Those Days are gone
Non Executives, and therefore the Audit Committee, are a key element in Effective Governance.
The Audit Committee therefore need to be aware of the challenges that they face in fulfilling their role and ensuring that the three Lines of Defence are operating effectively to defend the organisation.
• Phil Tarling
• Internal Audit Consultant
• Tel:+441329282155
• Mob:+447802656986
• http://www.tarlingassurancerisk.co.uk.
Thank You