290 likes | 576 Views
What’s Next For Internal Audit … lesson’s learned from the economic crisis and the challenges that lie ahead…. Richard Chambers, CIA, CGAP, CCSA President and Chief Executive Officer The Institute of Internal Auditors Richard.f.chambers@theiia.org. Topics.
E N D
What’s Next For Internal Audit…lesson’s learned from the economic crisis and the challenges that lie ahead… Richard Chambers, CIA, CGAP, CCSA President and Chief Executive Officer The Institute of Internal Auditors Richard.f.chambers@theiia.org
Topics • A decade in retrospect…evolving into the new definition • Impact of the current economic crisis on internal audit • 10 key challenges facing internal auditors in the year ahead • Beyond the current crisis: planning strategically for the long term • Final Thoughts
A Decade of Dynamic Change 2009 1999 INTERNAL AUDIT REDEFINED Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Enhanced proficiency in assessing controls were byproduct of SOX CONTROLS Internal audit’s proficiency in assessing risks has increased dramatically RISK Internal audit’s role in corporate governance is still evolving GOVERNANCE
Lessons Learned from the Current Crisis: Impact on Our Companies • 87% of respondents report that their companies have been negatively impacted • 45% report moderate or worse impacts (55% of F100 respondents) • 4% indicate that impacts threaten the future of their companies
Lessons Learned from the Current Crisis: Impact on Our Internal Audit Budgets All Respondents • 2008 and 2009 have witnessed little overall growth and notable reductions in some internal audit functions • 2010 promises little relief • Projections are it will reflect the lowest instance of growth since pre-SOX • Almost 20 percent of all respondents and 17% of F1000 project outright declines next year. Fortune 1000
10 Key Challenges In The Year Ahead • Aligning internal audit coverage to meet new expectations • Realigning skills to address new requirements • Addressing internal audit’s role in assessing risk management • Leveraging technology to achieve greater efficiencies • Coping with diminished resources • Demonstrating value and adding to the bottom line • Maintaining stature with the audit committee • Developing a continuous focus on risks • Maintaining a focus to prevent and detect fraud • Implementing new IPPF
Aligning Internal Audit Coverage To Meet New Expectations Areas of Increased Coverage Implications for Internal Audit • Shift in internal audit focus has been swift and dramatic. • Following years of intense focus on SOX financial controls – coverage is shifting to: • Operational risks • Compliance risks • Cost/expense reduction or containment • Supplier or counterparty risks
Realigning Skills To Address New Requirements Implications and Strategies The Challenge • Acquisition of new skills is underway – operational audit courses are very popular • Rotational staffing models are gaining popularity as swift way to infuse knowledge of business into internal audit • Alternative staffing strategies are also gaining traction • Shifting coverage requires different skills: • Knowledge of the business/operations • Better understanding of risk management • Deeper understanding of specialized risks • CAEs have also identified new priorities: • Data mining & analysis • Risk assessment • Information technology • Risk management • Fraud detection
Addressing Internal Audit’s Role In Assessing Risk Management Strategies for Success The Challenge • 76% currently prepare an organization wide risk assessment • 59% report risk management is informal but evolving • 55% report risk management will be a higher priority during the coming year • 79% informally provides consulting and advice on risk management practices • 46% provide independent assurance on risk management • Only 27% provide assurance through written audit reports over the risk management process • 34% report there is a perception that assessing risk management is beyond the scope of internal audit • Provide assurance to executives and board on: • Risk management processes, both design and effectiveness • Management of key risks, including the effectiveness of controls and mitigation • Reliable and appropriate assessment and reporting of risks • Provide consulting assistance: • Share tools and techniques used to analyze risks and controls • Be a catalyst to introduce ERM • Provide advice, facilitate workshops, coach on risk, control and a common language, framework and understanding; • Act as the central point for coordinating, monitoring and reporting on risks • Support management in identifying ways to mitigate risk IIA Position Paper “The Role of Internal Audit in Enterprise-wide Risk Management,” reissued January 2009
Leveraging Technology To Achieve Greater Efficiencies Internal Auditing’s Role The Challenge • 2010 will mark the third consecutive year in which internal audit functions report marked decreases. • Capacity is declining, but expectations are not. • High performing internal audit functions leverage technology as a “capacity multiplier” • Integrated internal audit infrastructure software • Integrate work papers, risk assessments, reporting, issues tracking • Automate administrative activities and monitoring • Data retrieval/testing software • Automate testing • Require as a core competency skill for staff • Run testing routines outside audits • Data mining/analysis software • Predictive analysis and modeling • Knowledge tools and databases • “Best practices” to share with management • Business process benchmarking tools
Coping With Diminished Resources The Challenge Strategies for Success • Take a “holistic” look at your department: don’t “salami slice” • Take a hard look at: • Structure and processes • Procedures – particularly use of technology • Take an innovative approach to professional development and other HR practices • Consult with your stakeholders – where do they get value? • Update your risk assessment before making staffing reductions • Communicate the plan and impact to the Audit Committee before implementation • Above all - maintain a risk-based focus
Demonstrating Value And Adding To The Bottom Line Potential “Low Hanging Fruit” The Challenge • Pressures on the “bottom line” have never been greater • Management is looking to internal audit to identify fraud, waste, and inefficiency • 49 percent of respondents report an increase in cost containment and expense reductions during the past year • 45 percent expect further increases in 2010 • The challenge for internal audit is to swiftly identify actionable opportunities to enhance the bottom line • This presents an opportunity to demonstrate value • Organization control structure/span of control • Contract administration • Construction and capital projects • Outsourcing agreements • Sales Commissions • Vendor payments and contract compliance, including duplicate payments • Overtime payments • Revenue assurance • IT infrastructure spend • Additional streamlining of SOX compliance
Maintaining Stature With The Audit Committee Strategies for Success The Challenge • Stature with audit committees has been enhanced in the past decade • Audit committees have been keenly focused on financial controls • Internal audit’s shifting focus creates a threat that some audit committees will lose interest • Ensure the audit committee drives or embraces a broader focus on risks • Involve the audit committee in discussions on risk assessment results and changes to internal audit’s coverage • Ensure internal audit’s charter aligns with potential coverage • Reinforce the strong value that a comprehensive risk based approach to internal audit coverage will bring
Developing A Continuous Focus On Risks Strategies for Success The Challenge • Audit committees are looking for no surprises • Risks are evolving dynamically • Annual risk assessments are no longer adequate for many industries/companies • An increasing number of internal audit functions are assessing risks more frequently • Beyond an annual risk assessment process – risk assessment should have a continuous component • Continuous risk assessment process is formalized within internal audit and aligned with business units • Risk assessments are transparent and interactive – involving senior management, external auditors, and the audit committee • Emerging risks are identified and addressed through flexible internal audit coverage
Maintaining A Focus To Prevent And Detect Fraud Strategies for Success The Challenge • Current economic environment increases fraud risks by: • Employees experiencing personal financial duress • Executives seeking to manage/meet earnings expectations • Third party vendors also under financial stress • Reductions in internal audit budgets and internal controls in general increase fraud risks • Fraud risk identification & response • Fraud consideration in each audit • Fraud investigations • Hotline operations/support • Support education & training • Help “Officer” – Program • Help establish Corporate Compliance Program
Implementing New IPPF An Overview of the IPPF • IIA released new changes to the International Professional Practices Framework (IPPF), effective January 2009 • Overview of changes • ‘Should’ replaced with ‘must’ • Interpretations added to selectedStandards • Changes to some language • Six new Standards • Recent Practice Guides and Advisories • Auditing IT Projects (03/09) • Auditing External BusinessRelationships (05/09) • Formulating and Expressing InternalAudit Opinions (04/09) • Managing the Risk of the Internal Audit Activity (04/09)
Beyond the Current Crisis: Planning Strategically for the Long Term
Planning Strategically The Mandate Key Objectives • Internal auditing is a dynamic and evolving profession • A “high performing” internal audit function in 1999 would be average in 2009 • The “curve” is constantly shifting • Staying on the leading edge requires a strategic view of the future • To position internal audit for success in a dynamic uncertain environment • To stimulate creative thinking about the future • To turn around or stimulate performance • To align internal audit with the strategic thinking of the enterprise
Strategic Considerations • Who are internal audit’s stakeholders? • What their current needs and expectations? • How are those expectations likely to evolve over 3-5 years? • What is the strategic outlook for the enterprise? • How are enterprise risks likely to evolve? • What key capabilities or disciplines will internal audit need to possess? • How will they be obtained? • What is the vision for internal audit? • What are the key strategic objectives necessary to achieve the vision. • How will progress be measured?
A Parting Thought The Strategic Evolution of Internal Audit: The “Line of Sight” Hindsight Foresight Insight
Richard Chambers, CIA, CGAP, CCSA President and Chief Executive Officer The Institute of Internal Auditors Richard.f.chambers@theiia.org