Internal Audit & Enterprise Risk Management Working Together Luis Fernandez March 10th, 2015 9/20/2018
…and find ways to better align our process. Let’s think about risk… 9/20/2018
Let’s talk about… Objective Overview Trends in Financial Services Internal Audit Challenge Real Risks? Approach Assessment Framework Audit Plan Role of IA in ERM 9/20/2018
Objective Is this happening? Collaboration of risk-management and internal-audit functions is helping organizations improve efficiency, decision-making, and results. Is this happening? 9/20/2018 (Reference 1)
Table Content Objective Overview Trends in Financial Services Internal Audit Challenge Real Risks? Approach Assessment Framework Audit Plan Role of IA in ERM 9/20/2018
Overview In 1999 IIA revised the definition of internal auditing to include both assurance and consulting activities. In 2004 the Commission of Sponsoring Organizations of the Treadway Commission (COSO) released its integrated framework for ERM. IIA issues a position paper delineating the core roles of IA in regard to ERM. (IIA, 2004a). 9/20/2018 (Reference 2)
Overview…cont’d ERM is defined by COSO (2004, 2) as: “…a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” 9/20/2018 (Reference 2)
Overview…cont’d When announcing the release of the COSO framework, the IIA issued a statement commenting on the internal auditor’s role in risk management (IIA, 2004b). “Internal auditors should assist both management and the audit committee in their risk management responsibilities and oversight roles by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of management’s risk processes.” 9/20/2018 (Reference 2)
Overview…cont’d 9/20/2018
Table Content Objective Overview Trends in Financial Services Internal Audit Challenge Real Risks? Approach Assessment Framework Audit Plan Role of IA in ERM 9/20/2018
Trends in Financial Services Convergence Barriers separating Banks, Brokerage and Insurers are coming down. CROSS SELLING! Consolidation Acquisitions. Reduce operating expenses and increase market share. Changing Business Models Ways to make more profit (Technology, etc.) Challenge: Customization and Personalization of product lines. Changes in structure for revenue models. 9/20/2018
Table Content Objective Overview Trends in Financial Services Internal Audit Challenge Real Risks? Approach Assessment Framework Audit Plan Role of IA in ERM 9/20/2018
IA’s challenge: It needs to reconsider its role! Board Oversight Execution – A clear differentiator Change Management Operating style and culture – Critical to execution effectiveness Change the mindset! From control oriented to risk oriented. Board Oversight: Shareholders looking for skillful members to demonstrate oversight of risk management activities. Execution – A clear differentiator: Timely and effective identification and communication of issues. Good judgment. Change Management: Over reliance on objective factors and historical data points. Firms do not react to aggressive business strategy and increasing risk in appetite. Operating style and culture: Accountability and clear roles and responsibilities. Full Transparency (rapid escalation of issues). Attention to detail. Continuous improvement. 9/20/2018
Table Content Objective Overview Trends in Financial Services Internal Audit Challenge Real Risks? Approach Assessment Framework Audit Plan Role of IA in ERM 9/20/2018
Is audit focused on the real risks? Financial Compliance 12% 6% 6% 12% 13% 68% Operational Strategic/Business 13% 68% How value is destroyed in companies – reasons for decreases in shareholder value However, a significant percentage of internal audit resources are focused on financial controls in most organizations. 9/20/2018 (Reference 6)
Table Content Objective Overview Trends in Financial Services Internal Audit Challenge Real Risks? Approach Assessment Framework Audit Plan Role of IA in ERM 9/20/2018
What should be the approach? Audit Plan √ Evaluate impact of risks within universe. Identify different risks (financial, operational, Compliance). Define Audit Universe. Identify shareholders value by creating business assessment activities. Understand Enterprise Risks (Strategic, Financial, Ops, Compliance). Evaluate impact to shareholder value. √ √ Transformed Traditional 9/20/2018 (Reference 6)
ERM three-dimensional matrix: 9/20/2018 (Reference 5)
Table Content Objective Overview Trends in Financial Services Internal Audit Challenge Real Risks? Approach Assessment Framework Audit Plan Role of IA in ERM 9/20/2018
How do we assess risk priorities? Result: Audit universe is prioritized based on impact on shareholder value drivers, and the current and targeted maturity of the processes, programs and initiatives 9/20/2018 (Reference 6)
Sample Risk Assessment Framework Result: A practical framework is created based on risk information and judgment. 9/20/2018 (Reference 6)
Table Content Objective Overview Trends in Financial Services Internal Audit Challenge Real Risks? Approach Assessment Framework Audit Plan Role of IA in ERM 9/20/2018
Audit Plan Result: Audit plan is based on impact on shareholder value drivers, regulatory requirements/priorities and audit judgment. 9/20/2018 (Reference 6)
How do we continue the process? Result: The relevance of the framework is driven per behavior of each of the elements of the audit program/plan, and audit judgment. 9/20/2018 (Reference 6)
Table Content Objective Overview Trends in Financial Services Internal Audit Challenge Real Risks? Approach Assessment Framework Audit Plan Role of IA in ERM 9/20/2018
Summarizing - Role of IA in ERM Core Internal Auditing Roles in ERM Giving assurance on risk management processes Giving assurance that risks are correctly evaluated Evaluating risk management processes Evaluating the reporting of risks Reviewing the management of key risks Roles internal auditing should not undertake Setting the risk appetite Imposing risk management processes Management assurance on risks Taking decisions on risk responses Implementing risk responses on management’s behalf Accountability for risk management 9/20/2018 (Reference 2)
Luis Fernandez luisfernandezlange@gmail.com (704) 724-2481 9/20/2018
References Kristina Narvaez & John Bugalla, October 22,2012, CFO.com Laura de Zwaan, Jenny Stewart and Nava Subramaniam, Internal Audit Involvement in ERM, Griffith University, Queensland Australia, No. 2009-02 Andre Brodeur & Martin Pergler, Top-dow ERM: A pragmatic Approach to Managing Risk from the C-Suite, McKinzey working papers on risk, #22 Institute of Internal Auditors, The Professional Practices Framework, January 22 COSO – ERM Enterprise Risk Management - Integrated Framework, Executive Summary, September 2004. Mike Brown & Rich Reynolds, Applying Risk Assessment to Your Audit Plan, The Future of Internal Audit, Corp Executive Board, 2010. Walter Festand - GARP (Global Association of Risk Professionals, Common Themes in SEC and FINRA Exam Priorities, February 12, 2015 9/20/2018