INTERNAL AUDIT… - IIA Congres/2015/Presentaties/IIA_Congres_2015... · my own opinion or view” –“If I behave differently, I might not be accepted by my peers” –“I don’t

Page 1

Page 2

2

INTERNAL AUDIT…

A CREDIBLE PLAYER IN THE GRC FIELD...? !

IIA Netherlands Congress 18-19 June 2015

Peter Diekman

Page 3

3

Statements

For internal audit to be a credible player in the GRC field, it must include soft controls in the audit approach.

Whilst auditing the appropriateness of the system of internal controls remains an important task, it is insufficient to address the issues raised by audit committees and managing boards.

Each company is built on two pillars, i.e. “Culture” and “Structure”.

An internal audit function solely focusing on “Structure” whilst ignoring “Culture” does not add sufficient value to the organisation.

Page 4

Corporate governance

Good governance, including honest and transparent acting by management, as well as adequate supervision, encompassing accountability regarding the supervisory role, is an essential condition for public trust in the managing board and supervisory board.

Application of and compliance with the Corporate Governance Code guarantee good corporate governance.

4

Page 5

Corporate governance

• Determining aspects of good governance:

– Integrity / honesty

– Transparency

– Supervision

– Accountability regarding supervision

– Are there any further aspects determining “good governance”?

5

Page 6

Dimensions of corporate governance

Other aspects of corporate governance

– Quality of supervision
  • Knowledge and time spent by supervisory board members
  • Unanswered questions about behaviour, attitude and moral issues

– Quality of Internal Audit
  • Single focus on system of controls
  • Inclusion or exclusion of behavioural aspects

– Quality of external audit
  • Independence
  • Engagement owned by supervisory board / audit committee
  • Single focus on financial reporting
  • Fear of focusing on behavioural aspects

– Quality of internal controls
  • Policies and procedures
  • ICT controls

– Quality of compliance function
  • Focus and awareness of law and regulations
  • Some focus on behaviour, but still linked to law and regulations
  • The degree to which financial ethics forms part of compliance

– Corporate social responsibility
  • Economic principles
  • Legal principles
  • Ethical principles
  • Being a good citizen

6

Page 7

Dimensions of corporate governance

Corporate governance is seen as the driver of business performance that is achieved at both micro and macro levels.

A country’s economy and competitive position depend on the drive and efficiency of its companies, and the effectiveness with which their boards discharge their responsibilities.

Management must be free to drive their companies forward, but exercise that freedom within a framework of effective accountability.

Sir Adrian Cadbury
Financial Aspects of Corporate Governance, 1992

7

Page 8

Dimensions of corporate governance

– Corporate Governance is about “good business governance”

– “Good business governance” depends on the behaviour of management and staff

– This is why “soft controls” or “soft skills” are regarded as increasingly important in the context of corporate governance

8

Page 9

Dimensions of corporate governance

• According to the UN*, good governance encompasses eight aspects, i.e.:

• Consensus Oriented

• Participatory

• Following the Rule of Law

• Effective and Efficient

• Accountable

• Transparent

• Responsive

• Equitable and Inclusive

9

* Source: Agere, Sam (2000). Promoting good governance. Commonwealth Secretariat. ISBN 978-0-85092-629-3

Page 10

Dimensions of corporate governance

“In business, 1% of the people is always corrupt, 1% is always honest and 98% of the people behave depending on the situation”

Prof. Dr. Muel Kaptein

Rotterdam School of Management

10

Page 11

Dimensions of corporate governance

• Muel Kaptein: “Why good people sometimes behave badly”*

– Instructions are unclear

– Situations cannot be discussed

– Bad examples and tone set by management

– People are not involved

– Instructions cannot be achieved

– People are invisible

– People are disempowered

* Muel Kaptein: “Waarom goede mensen soms de verkeerde dingen doen”, Business Contact, 2011

11

Page 12

Eight soft controls *

• Clarity
• Tone / example setting
• Practicability
• Involvement
• Transparency
• Discussability
• Accountability
• Enforcement

Frequency of deviations
Reporting of deviations

* Model by Muel Kaptein

12

Page 13

Dimensions of corporate governance – Why do good people do bad things?

• Leaders are being followed without criticism

• Even if someone does not have coercive power, he/she may have strong influence upon others

• Certainly if the influencer is someone with “authority”, one’s own responsibility might be deferred to the person with authority

• The paradigm is that one abides by the law and one has to simply follow the leader... “Befehl ist Befehl”

13

Page 14

Dimensions of corporate governance

14

Page 15

Obedience

“Milgram experiments”

15

Page 16

Dimensions of corporate governance

– More than 65% of all people in the experiment went all the way to administer electric shocks of 450 volts

– More than 65% of all people allowed themselves to be overruled by, or deferred their ethical decision to, a person of “authority”

– This does not only happen in a laboratory environment, but may happen in a business environment on a daily basis

– This is why a focus on attitude, behaviour, atmosphere and soft controls in business is so important

16

Prof. Stanley Milgram

Yale University

Page 17

Relevance for Internal Audit

– If leadership profiles become dominant, individuals in the organisation may
  • …act in accordance with instructions, without questioning
  • …defer forming an opinion of their own
  • …create a ‘tick the box’ mentality

– Have a focus on leadership styles

– Try to determine whether there is open and transparent communication between leaders and staff

– Try to ascertain the level of assertiveness of staff

– Employ behavioural specialists in your IA team

17

Page 18

Clear ethical codes

Effectiveness of ethical codes, policies and procedures depends on:

– Clarity of such codes, policies and procedures

– The degree to which they are discussed among all employees

– The degree to which management sets the behavioural example

– Whether or not disobedience is allowed

18

Page 20

Clarity - Code of ethics

20

Page 21

Clarity - Code of Ethics

21

Page 22

Clarity

Be clear about expectations and about what is wanted and unwanted behaviour. Give a clear example.

Clear expectations → people know what to do → people do what they are supposed to do

22

Page 23

Clarity – Norm awareness

Ethical codes are only effective if they are activated at crucial points in time

Activate all kinds of behavioural norms and values at crucial points in time

Activated norms result in affective reactions where people (wish to) see themselves as ethical individuals

23

Page 25

Clarity - Euphemisms

A: A euphemism is a polite expression used in place of words or phrases that otherwise might be considered harsh or unpleasant

• Jokes = bullying

• Lubricant = bribes

• Creative accounting = fraud

• Align the organisation = dismiss staff

B: How we phrase things broadcasts a strong message about expected and wanted behaviour, and accordingly it will influence behaviour!

25

Page 26

Discussability

• Communication

• Pressure from the group

• Conformity

26

Page 27

‘Terschelling silenced a whistle blower’

Volkskrant 28 February 2015

“The municipality of the island of Terschelling has paid € 155K to a whistle blower and asked him to step down. The whistle blower, an accountant, reported a booking scandal. Also, he warned of financial problems in connection with a reorganisation.”

The municipality expected a ‘positive attitude’ and ‘conformity’. The whistle blower’s signal of financial problems was interpreted as a direct assault on the managers in charge. He obviously positioned himself as an outlier.

27

Page 28

The Asch paradigm

– “It is scary to be seen as an outlier”

– “It is safe to behave like others regardless of my own opinion or view”

– “If I behave differently, I might not be accepted by my peers”

– “I don’t dare to discuss this with my boss, as he expects me to conform with the standing policies and procedures”

28

Page 29

Pressure from the group: conformity

29

Page 30

Conclusions

Self reflection:

• Am I able or am I not able to express my own opinion?
  – Why am I able?
  – Why am I not able?

Observations in business organisations:

• Are difficult issues, cumbersome situations, dilemmas and mistakes discussed?

Interventions:

• In discussions: Play devil’s advocate, vote anonymously

• Conduct intervision sessions and learn from each other

• Praise transparency regarding difficult situations, dilemmas and mistakes

30

Page 31

Relevance for Internal Audit

• Is there an ethical code?
  – Is this code activated?
  – Do people understand the true meaning of it?

• Do you observe instances of ‘group behaviour’?
  – Ask people why they behave as they do
  – Try to imagine what happens with staff that is seen as an outlier

• How does staff deal with (personal) dilemmas?
  – Are there group discussions?
  – Are intervision sessions held?
  – Are people able to speak out?

• Do you observe instances of bullying?
  – Are euphemisms used?
  – Are complaints centrally reported?
  – Is there a ‘person of trust’?

31

Page 32

Conclusion

“Mistakes are allowed. Let’s discuss them, solve them and learn from them”

32

Page 33

Risk

33

Page 34

New rules & roles for Supervisory Board

• Minimum requirements for time spent and number of supervisory positions

• Mandatory training and CPE requirements

• Proven leadership skills

• Proven knowledge of risk management

• Proven experience with audit

• Maintain contacts with managing board members and senior management

34

Page 35

Risk Management

– What is risk management?

• Control risk

• Be clear about risk border lines

• Pricing of risk

• Monitoring risk

• Inform about risk

35

Page 36

Risk appetite

• Determine the maximum level of risk acceptable for the company

– Who determines the risk appetite?

– How to quantify risk appetite?

– Which qualitative risks are taken into consideration?

– Is risk appetite static or dynamic?

– Do management and supervisors understand risk?

“I believe that this company can survive a € 500M disaster...”

36

Page 37

Risk appetite

– How good are we at determining risk?

– Research* has revealed that we are influenced in different ways when making estimates

• We use random samples that are too small

• We allow ourselves to be biased by reference values

• Availability heuristics influence our estimates

* Source: Daniel Kahneman – Thinking, Fast and Slow, chapters 10 thru 13, Farrar, Straus and Giroux, New York, 2011

37

Page 39

Risk appetite

– Availability heuristic

• Events that are readily available in our memory such as

» Sexual escapades of politicians

» An aeroplane crash

» Personal experiences have more impact than experiences regarding other individuals

• The result is that events that are “available” will influence our ability to make an estimation. This is why our estimations are often biased or prejudiced.

39

Page 40

Risk appetite

Events and risks

• How do you divide the risk of dying of a brain illness or of a traffic accident?

• Which one is a bigger “killer”: a tornado or asthma?

• What is the risk of dying from a lightning strike or of botulism?

• How do you divide the risk of dying from illness or due to an accident?

Estimated result

• 80% of respondents indicate that dying due to a traffic accident is more likely

• Most respondents argue that a tornado is a bigger “killer” than asthma

• The risk of a lightning strike is considered considerably bigger than the risk of botulism

• The risk of death due to an illness or an accident is considered equally likely

Statistical result

• Brain illness results in twice as many deaths as accidents

• Asthma is a 20x bigger “killer” than a tornado

• Botulism results in 52x more casualties than a lightning strike

• Illness results in 18x more deaths than accidents

40

Page 41

Risk Management Dimensions

Control dimension / Risk dimension

41

Page 42

Control dimension

1st line
  Role:
  • Determine strategy
  • Execute strategy
  • Monitor the business
  Functions: Managing board; (Senior) line management

2nd line
  Role:
  • Prepare
  • Support
  • Analyse
  • Control
  • Report
  • Advise
  Functions: Finance; HR; Legal; Compliance; Risk Mgt; Actuary; Communication

3rd line
  Role:
  • Audit
  • Reporting
  Functions: Internal Audit

Reporting to: Supervisors / Audit Committee; Regulators

42

Page 43

Risk Management Dimensions

Control dimension / Risk dimension

43

Page 44

Risk Dimension

• Risk analysis is a process of consecutive phases

• Criteria for risk analysis
  • Likelihood of an event
  • Impact of an event
  • The organisation’s vulnerability to risk events
  • Velocity of risk events

• Inquire about perceived risk on the work floor

• Demonstrate and discuss the results

• Determine the appropriate risk response

44

Page 45

Risk Dimension

Scale of likelihood – Example

Rating   Annual frequency   Definition                    Likelihood        Definition
5        Frequent           More than once in 2 years     Almost certain    > 90% risk
4        Likely             Once in 2-10 years            Likely            65% - 90% risk
3        Possible           Once in 10-20 years           Possible          35% - 65% risk
2        Not likely         Once in 20-30 years           Not likely        10% - 35% risk
1        Rare               Less than once in 30 years    Rare              < 10% risk

45

Page 46

Risk Dimension

Impact scale - example

Rating   Description     Definition
5        Extreme         • Financial loss > € x m
                         • Severe loss of reputation
                         • Criminal prosecution
                         • Revocation of licence
                         • Casualties
                         • Several senior managers quit
4        Material        • Financial loss between € X and € Y m
                         • Loss of reputation
                         • Regulatory intervention
                         • Loss of vendors and clients
                         • Legal claims
3        Average         • Financial loss between € Y and € Z m
                         • Short term negative publicity
                         • Critical report from regulator
                         • Unrest among employees
2        Low             • Modest financial loss
                         • Critical press articles
                         • Mandatory incident reporting to regulator
1        Insignificant   • Hardly any financial damage
                         • Negative publicity can be refuted
                         • Isolated issues among employees

46

Page 47

Risk Dimension

Vulnerability scale - example

Rating   Description   Definition
5        Very high     • No scenario plan
                       • Lack of reacting capacity
                       • Remedial measures insufficiently implemented
                       • No contingency plan
4        High          • Only scenario plan for most important risks
                       • Limited reacting capacity
                       • Remedial measures partly implemented
                       • Limited contingency plan
3        Average       • Stress testing and vulnerability analysis performed
                       • Reacting capacity available
                       • Remedial measures implemented, not tested
                       • Contingency plan available, not tested
2        Low           • Strategic options defined
                       • Proper reacting capacity available
                       • Remedial measures implemented and tested
                       • Contingency plan available and tested
1        Very low      • Realistic option being executed
                       • Reacting capacity available at all levels
                       • Regular testing of plans and measures

47

Page 48

Risk Dimension

Velocity* scale - example

Rating   Description   Definition
5        Very high     • Event becomes immediately visible. Hardly possible to give a warning signal
4        High          • Event becomes visible within a few days
3        Average       • Event becomes visible in a few months
2        Low           • Event becomes visible in half a year
1        Very low      • Event becomes visible after one year

* Velocity is the time between occurrence of the event and the time that the event surfaces

48

Page 49

Risk Dimension

[Figure: risk heat map. Horizontal axis: Likelihood, rated 1 to 5; vertical axis: Impact, from Low to High. Risk 1 to Risk 6 are plotted as points on the grid; the values 1, 5 and 9 appear on the grid.]

49
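The likelihood, impact and velocity scales on pages 45 to 48 and the heat map on page 49 describe a scoring rubric but show no arithmetic. The Python block below is an added worked example, not code from the presentation or its author: it turns an annual event frequency, a financial loss and the time until an event surfaces into the 1..5 ratings of those scales, multiplies likelihood by impact for the heat-map cell, draws the grid as text and ranks a small register. The € x, y and z impact thresholds, the day cut-offs for the velocity scale, the 0.1 cut-off for a "modest" loss and the values behind Risk 1..6 are all constructed assumptions, since the slides leave them blank.

```python
"""Risk-register scoring after the likelihood (page 45), impact (page 46)
and velocity (page 48) scales and the heat map on page 49.
Added illustration, not code from the presentation; the impact thresholds
(x, y, z) and the velocity day cut-offs are constructed assumptions."""
from dataclasses import dataclass

# Assumed values for the slides' "€ x m", "€ y m", "€ z m" (EUR millions).
IMPACT_X_EUR_M = 50.0
IMPACT_Y_EUR_M = 10.0
IMPACT_Z_EUR_M = 1.0

def likelihood_from_frequency(events_per_year: float) -> int:
    """Page 45 scale, annual-frequency column."""
    if events_per_year > 1 / 2:     # more than once in 2 years
        return 5
    if events_per_year >= 1 / 10:   # once in 2-10 years
        return 4
    if events_per_year >= 1 / 20:   # once in 10-20 years
        return 3
    if events_per_year >= 1 / 30:   # once in 20-30 years
        return 2
    return 1                        # less than once in 30 years

def impact_from_loss(loss_eur_m: float) -> int:
    """Page 46 scale, financial-loss criterion only (assumed thresholds)."""
    if loss_eur_m > IMPACT_X_EUR_M:
        return 5
    if loss_eur_m > IMPACT_Y_EUR_M:
        return 4
    if loss_eur_m > IMPACT_Z_EUR_M:
        return 3
    if loss_eur_m > 0.1:            # "modest financial loss" (assumed cut-off)
        return 2
    return 1                        # "hardly any financial damage"

def velocity_from_days(days_until_visible: int) -> int:
    """Page 48 scale; the day cut-offs are an assumption."""
    if days_until_visible <= 0:     # event becomes immediately visible
        return 5
    if days_until_visible <= 7:     # within a few days
        return 4
    if days_until_visible <= 90:    # in a few months
        return 3
    if days_until_visible <= 182:   # in half a year
        return 2
    return 1                        # after one year

@dataclass
class Risk:
    name: str
    events_per_year: float
    loss_eur_m: float
    days_until_visible: int

    @property
    def likelihood(self) -> int:
        return likelihood_from_frequency(self.events_per_year)

    @property
    def impact(self) -> int:
        return impact_from_loss(self.loss_eur_m)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # 1..25, the heat-map cell value

def heat_map(risks) -> list:
    """Text version of the page 49 grid: impact 5..1 top-down, likelihood 1..5 left-right."""
    cells = {}
    for r in risks:
        cells.setdefault((r.impact, r.likelihood), []).append(r.name)
    rows = []
    for imp in range(5, 0, -1):
        labels = [",".join(cells.get((imp, lik), [])) or "." for lik in range(1, 6)]
        rows.append(f"I{imp} | " + " | ".join(f"{c:8}" for c in labels))
    rows.append("     " + "   ".join(f"L{lik:<7}" for lik in range(1, 6)))
    return rows

def prioritise(risks) -> list:
    """Highest score first; on equal scores the faster-surfacing risk (higher velocity) first."""
    ordered = sorted(risks, key=lambda r: (r.score, velocity_from_days(r.days_until_visible)),
                     reverse=True)
    return [r.name for r in ordered]

# Constructed sample register (the slides' Risk 1..6 carry no values).
SAMPLE_RISKS = [
    Risk("Risk 1", events_per_year=1.0, loss_eur_m=0.5, days_until_visible=0),
    Risk("Risk 2", events_per_year=0.2, loss_eur_m=20.0, days_until_visible=30),
    Risk("Risk 3", events_per_year=0.02, loss_eur_m=120.0, days_until_visible=400),
    Risk("Risk 4", events_per_year=0.04, loss_eur_m=5.0, days_until_visible=5),
    Risk("Risk 5", events_per_year=0.6, loss_eur_m=15.0, days_until_visible=100),
    Risk("Risk 6", events_per_year=0.08, loss_eur_m=0.05, days_until_visible=200),
]

if __name__ == "__main__":
    print("\n".join(heat_map(SAMPLE_RISKS)))
    print("priority:", prioritise(SAMPLE_RISKS))
```

The velocity rating only breaks ties between equal likelihood × impact scores here; a vulnerability rating from the page 47 scale would be added in the same way. Running the block prints the grid with Risk 3 (rare but extreme) in the top-left cell and Risk 5 ranked first.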

Page 50

Critical view on Risk Management

Particularly following the banking / economic / geopolitical crisis...

• It has become obvious that management does not, or only insufficiently, understand the risk models

• “Economics” and “Risk Management” do not have sufficient real impact on the way companies are managed

• Real strategic issues are NOT or insufficiently on the agenda of the board

• Risk management is approached way too much from a mathematical perspective

• Risk Management models do NOT work in times of economic crisis and are only tested under normal economic conditions

• Human behaviour is often irrational and highly biased, which is ignored in the risk management models.

50

Page 51

Compliance function

Some quotes from the business…

• “Oh yeah…we also have to include ‘compliance’”

• “The compliance officer does not understand our business”

• “Compliance is an impediment for agility and profitability”

• “Gate keeper for integrity”

• “Necessary hurdle”

• “Cash burner”

• “Liaison for regulators”

51

Page 52

Compliance function

52

Page 53

Compliance function

Individual competencies
1. Integrity and steadfastness
2. Investigative and focussed on innovation
3. Analytical skills
4. Judgement skills and discretion
5. Independence
6. Context
7. Communication
8. Effectiveness

Knowledge
9. Risk Management
10. Environment
11. Moral and Ethics
12. Awareness
13. ICT

Practice
14. Applied knowledge
15. Proportionality
16. Critical and resistance
17. Responsiveness
18. Result driven

A sheep with five legs….

53

Page 54

Compliance Risk

Compliance risk is the uncertain event that people behave in a non-compliant fashion, as a result of which certain objectives will not be achieved

54

Page 55

Compliance Risk

• The compliance function focuses on human behavioural risk

• The norm for this behaviour is:
  • Law and regulation
  • Internal policies and procedures
  • Cultural norms, which you have learned from your parents from the time you lay in the crib... ‘soft controls!’

55

Page 56

Rules versus Principles Based

[Figure: level of trust on the vertical axis (Low to High) against approach on the horizontal axis (Rules based to Principles based). The labels run from “Prove me” through “Tell me” to “Trust me” as the level of trust rises. Example objectives shown: comply with law and regulation; keep employee knowledge at proper level; properly inform consumers; maintain strong market position; Regulation.]

The lower the level of trust, the more important transparency is

56

Page 57

Implementing compliance

1. Responsibility for compliance rests with the board of directors
2. Senior management is responsible for managing compliance risk
3. Senior management must communicate and pursue the compliance policy
4. Senior management must ensure a permanent compliance function
5. The compliance function must be independent
6. The compliance function must be well staffed and have an appropriate budget
7. The compliance function advises senior management on how to manage compliance risk
8. The compliance function is subject to internal audit
9. Companies must always comply with law and regulation
10. The compliance function may be outsourced, but it remains the responsibility of management

57

Page 58

Relevance for Internal Audit

– Compliance is a specialism. Does Internal Audit have sufficient knowledge of compliance to perform the audit?

– Send internal audit staff to compliance courses

– See to it that internal audit staff who are involved in compliance audits spend sufficient audit hours to gain experience

– Compliance and Internal Audit are the cornerstones of business integrity and the company’s licence-to-operate

58

Page 59

Prof. Dr. Peter A.M. Diekman RA

Forensic Consultancy Bussum BV

Bussummerweg 12

1261 CA BLARICUM

Netherlands

T +31 651 527383

E [email protected]

W www.fcbconsult.com

59