Internal Audit and Risk Is there enough tension? Is the balance right? What would you like to change?


whatwouldyouliketochange.com.au


The global financial crisis has highlighted weaknesses in risk management and has also raised questions about the focus of Internal Audit. Organisations are looking at ways to learn from this experience while keeping an eye to the future and emerging risks. In this paper, we explore the emerging changes in risk management practices and what this means for internal auditors.

What did we learn from the GFC?

Has the risk focus been too static? Many organisations understood their risks and were able to quantify the capital they needed to support the risks they were taking. However, what hadn’t necessarily been factored in were the strategies to manage risk in a changing environment. For example, were there levers which could have been pulled to minimise the adverse impact or indeed optimise returns? The best time to consider options is ahead of time and those organisations that considered scenarios and how they would respond in a crisis were better equipped to act when they needed to.

Has the view of risk been too transactional? Assessing risk, for example, at a project, deal or product level, is an important discipline. However, the question arises how to monitor risks across the business, where aggregated information can inform decisions about whether to increase or reduce exposures in a risk area. This is clearly relevant to financial risks, but can also be relevant to operational areas, eg in IT where individual changes may be manageable but the aggregate changes may not be.

Are there role conflicts that need to be better managed? Generally risk assessments are performed by the people who are responsible for managing the risks. This creates good alignment but can also mean that risk assessments may not be objective; for example, where managers want a particular project or initiative to go ahead they may downplay or not see the risks. There is a role here for risk functions and Internal Audit to challenge decisions.

Has risk appetite been too divorced from risk management? The recent downturn has highlighted areas where a different view of risk might have been taken (or risk might have been mitigated more quickly) had there been a better connection between risk appetite and the levers for managing risk. There is an opportunity for greater discussion and alignment of board and management views on risk appetite, supported by appropriate analysis. The depth of analysis is also important: many organisations realised that they didn’t have an appetite for the level of risk being taken, but this assessment was not made at the time the risks were taken.


Trends in the market

Reflecting on recent experience, we are seeing businesses revisit the way they consider risk and control, for example:

Strategy, risk and risk appetite discussion – Top-down discussion of risk and risk appetite, linked to strategy discussions in a way that is more challenging than in the past. We see many boards and management teams debating their risk appetite and the discussion is very healthy, often drawing out different points of view that can then be debated and resolved. This is usually a broad discussion ranging from financial and operational risks to reputational exposures. The discussion helps in forming the strategy and setting targets and limits on growth and risk.

Many organisations do not have a forward view of risk; linking this discussion to the strategy and the organisational view of the possible outcomes the business may face helps to adjust the risk profile as external circumstances change.

Focus on the levers of risk management – Thinking has evolved into recognition that there is a need to link broad risk appetite statements to not only the management of risk, but also the levers that exist to manage risk down should the position exceed the risk appetite or should the risk appetite change. There are different levels of levers, from reducing new business levels, hedging, insurance etc through to capital raising and reducing dividend payments. This is a whole of business view where it can be that one part of the business may need to rein in its risk to support another part of the business.

Appropriate information to support the discussion – A top-down view of risk together with an aggregated portfolio view of risk can be developed using models which are not overly complex. The area where the work is to be done is in developing the views that will support the strategic discussions and which can be monitored at the same level to show how the position is changing. The need for real-time risk information is also becoming apparent.

Back to basics with risks, controls and assurance – Many risk management failures are the result of break-downs in basic controls – controls which were assumed to be working properly or where the assurance was not adequate. There is renewed focus on the design of controls and accountability for exercising and monitoring controls (Figure �.�).

So what does this mean for Internal Audit?

Internal Audit is uniquely placed to offer a wide and deep perspective – from the organisation’s strategic view of risk and risk appetite through to the way in which risk is being managed within the business. However, frequently Internal Audit’s focus is on individual audits, rather than on the tremendous value it can bring by looking across the organisation. Reflecting on these lessons, we highlight some areas on the following page, where Internal Audit can bring further insight and value.


Risk appetite – The board sets the risk appetite at a high level but how do board members know it’s being applied in practice? Internal Audit can provide this view and can also challenge the approach if the consideration of risk appetite is not sufficiently detailed or comprehensive.

Risk management: a whole-of-business view – Internal Audit is uniquely placed to provide a view on the effectiveness of risk management across the business. How deeply risk management is embedded, the maturity of risk management across the organisation, the quality of the indicators in place for monitoring risk. This requires a new level of reporting and analysis, above the level of individual audit reports. It also requires a new view of risk and control (Figure �.�).

A more real-time view of risk – Even though Internal Audit may be risk focused, the company’s risk assessment may become out of date. While this is an organisational responsibility, if management does not produce a real-time view of risk, Internal Audit may need to fill the gap to ensure that the risk focus continues to be up to date.

A whole assurance view – Many organisations have realised that they don’t understand how all their assurance or monitoring functions fit together, whether there are gaps or overlaps and whether the comfort they think they are getting is actually what they are getting. There is an opportunity for Internal Audit to form this view and also to provide comfort over the effectiveness of sources of management assurance, for example the work of risk, compliance, safety, quality and other monitoring functions.

Overall, there is an opportunity for Internal Audit to take a whole of organisational view, which provides comfort that value is being protected, but also a more forward-looking view, showing that value is also being enhanced (Figure 1.1).

Figure 1.1 Focus areas for Internal Audit

[Figure not reproduced. Labels: Value protection; Value enhancement; Assessing current governance, risk management and control; Assessing future governance, risk management and control; Improving business performance; Delivering future value. Focus areas shown: Strategy implications; Corporate governance; Law and regulation; Projects and major contracts; Business process and systems; Financial process and systems; Safeguarding assets; Investment decisions; Systems development; Emerging risks; Due diligence; Process improvement; Efficiency gains; Monetary savings.]


Back to basics with risks and controls

Many organisations use a traditional model to address the presence of risk in their control environment. While this approach assumes (incorrectly) a linear alignment between objectives, risks, controls and events, it has worked successfully for operational and financial reporting risk. However, it is less successful in evaluating controls when several risks are affected by compliance obligations.

Recognising the interdependencies that exist between events, controls, risks and compliance obligations enables real synergies to be obtained.

This can be achieved through a framework that consolidates all the organisation’s existing controls. The framework provides a common structure, greater monitoring efficiency and an opportunity to drive consistency and standardisation across the organisation. However, no one framework is suitable for every business. In deciding which one is suitable for your business, you will need to consider the organisation’s maturity in managing risk.

A risk map visually demonstrates the relationship between risk and control. The length of the line between inherent risk and residual risk is determined by the effectiveness of controls (Figure 1.2).

Business Unit (BU) level controls, also known as entity-level controls, are those controls which span across the business, for example, codes of conduct and whistle-blower programs. ‘Process-pervasive controls’ are those built around processes, while ‘risk-specific controls’ are those installed within processes.

Internal Audit can provide a great viewpoint back to the business and Board Audit Committee on how effectively the control framework is operating and in particular the maturity of risk management. This is reflected in the effectiveness of controls at the different levels. Internal Audit may not need to go as deep into those parts of an organisation with effective BU-level controls – as would be required when process level controls are not mature and higher levels of monitoring are not in place.

Figure 1.2 Risk map: Framework to assess and evaluate controls

[Figure not reproduced. Axes: Likelihood, Consequence. Labels: Inherent risk; Residual risk; Control framework; BU-level controls; Process pervasive controls; Risk specific controls; Preventive; Detective; Organisation; Technology; Processes.]


Getting started

As with all strategies, it is important to define where you want to be, identify the gaps between that state and where you are now, then build a plan to implement change. Here are some steps to consider that reflect the critical success factors:

1. Ensure you have the engagement and support of the Board Audit Committee and senior management.

2. Set realistic goals to avoid the danger of getting trapped in massive data capture and analysis. The data to be captured should be from existing data sources and should add value through making connections that are not currently being made.

3. Build in time to allow more cross-audit review and analysis. Make greater use of themes and root-cause analysis to extract value adding trends. Also leverage the work of other assurance functions.

4. Equip the team for the new way of reporting and bringing together views on the effectiveness of risk management.

5. Communicate the nature and benefits of the changes.


pwc.com.au

Contacts

© �0�0 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to PricewaterhouseCoopers, a partnership formed in Australia or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.

Internal Audit

Robin Low, Partner, Internal Audit Leader

Patrick Farrell, Partner, Melbourne

Andrew McPherson, Partner, Sydney

Josh Chalmers, Partner, Brisbane

Kim Cheater, Partner, Adelaide

Cameron Jones, Partner, Perth

Mark Ridley, Partner, Canberra

Risk

Steve Ingram, Partner, Melbourne

Julie Coates, Partner, Sydney

Sandra Birkensleigh, Partner, Brisbane