1 Internal Audit’s Role in Enterprise Risk Management March 22, 2016 Chris Kalafatis, Manager, Risk Advisory Services.

Presentation transcript:

2 Agenda
Enterprise Risk Management (ERM)
– Definition / Framework
– Benefits
– Structure
Role of Internal Audit (IA)
– How IA can help
– Key considerations
– Limitations
In-depth Discussion of IA’s Role in ERM

3 ERM Definition / Framework
A structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on the opportunities and threats that affect the achievement of its objectives.
Various ERM frameworks exist; each describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities within the internal and external environment facing the enterprise.

4 ERM Benefits
– Enhanced corporate governance (ERM, Governance, Risk and Compliance are linked)
– Improved regulator, investor and rating agency confidence
– Improved ability to respond to changing business demands
– Ability to evaluate the likelihood / impact of major risks
– Provides an integrated as opposed to silo approach
– Promotes an open, positive, risk-aware culture

5 Typical ERM Structure
(Diagram; recoverable labels only: Plan, Coordinate, Monitor, Report, Analyze, Aggregate, Report, Facilitate)

6 IA’s Role – How IA Can Help
The two most important ways that IA provides value to the organization are by providing objective assurance that:
– major business risks are being managed appropriately (core ERM role)
– the risk management and internal control framework is operating effectively

7 IA’s Role – How IA Can Help
Seat at the Table
– Understand the organization’s business and strategic risks, risk management philosophy and overall risk appetite
– In-depth operational and process understanding

8 IA’s Role – How IA Can Help
Educate – Many senior executives don’t understand ERM. IA can facilitate identification and evaluation of risks.
Facilitate – ERM requires quality risk assessments. IA can play a lead role in the organization by facilitating risk assessments and formulation of risk responses. IA can also play a consultative role in coaching management in responding to risks.

9 IA’s Role – How IA Can Help
Coordinate – IA can play a value-added coordination role to ensure consistent deployment across the enterprise.
Evaluate – IA can evaluate risk management, either for the organization as a whole or for a division, subsidiary or a unit.

10 IA’s Role – Key Considerations
Key considerations to ensure IA’s independence and objectivity are maintained:
– Be clear that management is responsible for risk management.
– The nature of IA’s responsibilities should be documented in the IA charter and approved by the audit committee.
– IA should not manage any of the risks on behalf of management.
– IA should provide advice, challenge and support to management’s decision making, as opposed to making risk management decisions itself.
– IA cannot give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
– Any work beyond the assurance activities should be recognized as a consulting engagement, and the implementation standards related to such engagements should be followed.

11 IA’s Role – Limitations
Activities IA should not undertake:
– Setting the risk appetite
– Authorizing and dictating the implementation of risk management processes
– Assuming the role of management in providing assurance on risks and risk management performance
– Making decisions on risk responses
– Implementing risk responses on management’s behalf
– Accepting accountability for risk management

13 In-Depth Discussion of IA’s Role in Risk Management

14 Key Points
– Industry trends include the IA function becoming a strategic advisor on enterprise-wide risks
– A fully optimized IA function can significantly enhance its ability to help an organization with ERM since it doesn’t have a single view of risk
– The Three Lines of Defense Model is blurry
– To properly address risks, the IA function must have:
  – Courage
  – Sufficient training
  – Forward thinking risk management practices
  – Understanding of emerging risks
– Failure to have a sufficient IA function that identifies key risks can have a major impact on an organization

15 Internal Audit Trends and Optimizing the IA Function

17 Optimizing the Internal Audit Function
– Develop a strategic roadmap
– Be a critical part of the organization’s governance structure
– Be valued and used as a decision support tool
– Serve as a catalyst for analyzing risk across the organization
– Perform a risk assessment and develop an audit plan that includes corporate functions, compliance, and IT in the audit universe
– Be a proactive function that brings value to the organization, identifies better ways to operate, saves money, reduces risks and stays compliant
– Maintain proactive communication with the Audit Committee and External Auditors
– Ensure your IA activities will be relied upon by third parties
– Serve as the 3rd Line of Defense

18 The Lines of Defense to Manage Risk Are Blurry

21 The Lines of Defense to Manage Risk Are Blurry
Audit Objective: Determine whether responsibility for data privacy is clearly defined and whether strategies are in place to comply with data privacy laws, regulations and standards.
Audit Results:
– There is no owner for data privacy at the company level. There are various efforts in Legal, IT, and HR, but these are not fully coordinated.
– An inventory of data subject to privacy laws, regulations and standards does not currently exist.
– Although limited risk assessments at a department level have been completed, management has not performed an enterprise risk assessment related to data privacy to identify and prioritize areas of focus.

22 The Lines of Defense to Manage Risk Are Blurry
It is not acceptable to place boxes of completed credit applications by the trash on a public street in New York...

23 Be Courageous

25 Be Courageous
– IA must have the courage to tell stakeholders the unvarnished truth, whether they want to hear it or not
– The business has to know the audit function has power
– Organizations’ risk management benefits when the business supports the IA function and helps promote its mission and value

26 Sufficient Training

29 Sufficient Training
IA departments need to enhance training efforts to fully assist in risk management:
– 40% of IA staff receive fewer than 40 hours of training per year
– Training doesn’t include sufficient levels of business/industry knowledge, critical thinking and leadership skills, which are key to helping the organization identify and manage risks

30 Forward Thinking Risk Management Practices

34 Forward Thinking Risk Management Practices
How satisfied are you that your organization’s IA function delivers the value that it should?

35 Forward Thinking Risk Management Practices
– Are IA departments auditing the key risks? How are they doing it without management and Audit Committee feedback? How about emerging risks?
– How can misaligned audit departments demonstrate the value they add to their organizations’ strategies?
– Is it surprising Audit Committees are not fully satisfied?

36 Emerging Technology Risks

38 Emerging Technology Risks
– Technology risks are extremely difficult to manage because they are constantly evolving
– IA needs to respond proactively by helping organizations identify, monitor, and address emerging IT risks and by advising their boards on how best to do so

39 Lack of Internal Audit Involvement in Risk Management

41 Lack of IA Involvement in Risk Management
– 60 Minutes cited lab tests that found some samples of laminate flooring contained very high levels of formaldehyde, which is a carcinogen
– Some pieces had 20 times the limit allowed under California law
– Long-term exposure to chemicals at those levels "would increase the risk for chronic respiratory irritation, change in a person's lung function, increased risk of asthma" and be especially dangerous for children

42 Lack of IA Involvement in Risk Management
– CEO and CFO resigned, significant legal expenses, damaged reputation, and sales declines
– Stock: 2-year high was $109, now $11
– IA function was primarily a SOX function, with no audits of vendor management, customs compliance and factory inspections
Could IA have helped prevent this?

43 Internal Audit Consulting and Advisor Roles for ERM

44 IA Consulting and Advisor Roles for ERM
Roles IA may undertake to assist in risk management:
– Making available to management tools and techniques used by IA to analyze risks and controls
– Providing advice, facilitating workshops, coaching the organization on risk and control, and promoting the development of a common language, framework and understanding

45 Questions
Chris Kalafatis, CPA, CIA, CFE
Manager, Risk Advisory Services
Phone: