Session G4 Slide # 1
Overcoming Small Department Challenges
Session G, Wednesday, September 17th, 2014, 16:00 – 17:00
David Fernandes
IA’s Evolving Role in Corporate GRC Strategy
TOPICS
Your Expectations
Past, Present & FUTURE
GRC Overview
Good to GREAT
YOUR EXPECTATIONS
How many people are in your Audit Department? Fewer than 5? Fewer than 10?
Who owns risk? The Board, the Audit Committee, Legal?
Is there ANY strategy in place?
STRATEGY – what is it?
TRADITIONAL ROLE OF INTERNAL AUDIT
Assurance: Assure stakeholders that the corporate policies and internal controls ensure compliance with the statutory obligations …
Assessment and Recommendations: Review the effectiveness of the control procedures to ensure that the organization achieves its objectives.
Oversight: The basis by which management maintains oversight and control of their organizations, analyzes risk, and directs resources to areas in need of development.
Advisory Services: Internal auditors are also expected to assist via recommendations for effective ERA and ERM.
PAST
Goals & Challenges
PRESENT
SYMPTOM: Audit Committees and Board Members are placing increasing reliance on Internal Audit to assess and mitigate fraud and corruption risks by improving the effectiveness of governance, risk management and control processes.
CAUSE: Executives and corporate boards are under increased oversight and scrutiny by regulators, shareholders and external auditors.
TREATMENT: The consequence is that internal audit professionals face a growing number of information requests, new compliance requirements, and constant pressure to do more with less.
FUTURE
RISK MANAGEMENT
• IPPF Performance Standard 2120 states: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”
• Shareholders, board members and management are placing greater emphasis on how internal auditors can play a role in evaluating and mitigating risks (including IT and operations), managing fraud risk, and increasing their involvement in corporate governance.
• Effective internal audit functions help organizations ensure that key business risks are being managed appropriately and that the system of internal control is operating effectively.
• As the internal audit role of performing risk assessments becomes embedded in the risk management processes, the discipline receives more emphasis in the key job responsibilities.
FRAUD
• The growing number of regulations and the expansion of multinational organizations into new markets increase compliance risk.
• Internal auditors are expected to have sufficient knowledge to evaluate the risk of fraud in their organizations, and are required to report to the board any fraud risks found during their investigations.
• Develop an operational compliance program that defines the thresholds at which risks require mitigation or additional management, specifies appropriate control testing, and defines the rules governing the creation of issues for reporting and resolution.
GOVERNANCE
• Section 301 of the Sarbanes-Oxley Act states: “The audit committee establishes procedures for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls or auditing matters, including procedures for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.”
• Audit Committees will look to internal audit to provide assurance through independent business insight, including performing reality checks on key management decisions.
• GRC strategies must integrate legal, compliance, risk and SOX control processes to better leverage information, gain operational efficiency, and provide greater transparency into overall business risks.
• GRC strategies must establish a common, integrated discipline around regulations, policies, risks, controls, and issues.
GRC OVERVIEW
• Fraud Detection
• Segregation of Duties
• Compliance Issues
• Regulatory Issues
Current trends point to GRC software’s increasing importance and expanding corporate presence, with IT GRC and Enterprise GRC becoming much closer but still remaining separate strategies:
1. Vendors historically focused on Enterprise GRC are supporting content such as the Unified Compliance Framework and offering integration capabilities with security and IT management applications.
2. Vendors historically focused on IT GRC are adding enterprise-relevant content and offering product flexibility to support enterprise GRC functions.
GOOD TO GREAT
4 Key Concepts of a GRC Platform
Workflow Engine: This is how to make sure people know when and how to conduct assessments, audits, remediations, action plans, and other relevant tasks.
Relational Database: Fundamental to GRC is the ability to understand the relationships between risks, controls, policies, requirements, assets, processes, and other objects.
Reporting Capabilities: Analysis of vast amounts of GRC information is necessary for business decision-makers, auditors, regulators, and boards of directors.
Document Management: These features allow organizations to create, review, update, distribute, and archive records such as policies and audit findings.
Design a Sustainable Controls Framework
Business leaders view controls as a necessary nuisance, making it difficult for Controllers and their teams to demonstrate how controls can add value to the business.
The business typically agrees with the accounting group about “why” controls are necessary, but disagrees about “how” best to implement them.
Most controls frameworks improve on a linear scale, but business complexity at small to midsized companies often increases exponentially.
Leverage Experience: Pair finance leaders with business leaders to ensure sufficient knowledge of the business and the risk environment.
Engage Business Leaders: Articulate the benefits of increased assurance to persuade business leaders to participate in controls updates.
Update Frequently: Revisit the framework at least twice a year (Interim & Roll Forward) or during periods of significant business change.
Goals & Challenges
Culture: An essential element of a “great” program is building a culture of integrity. Culture is comprised of the underlying values, beliefs, attitudes and expectations shared by the company. Integrity is central to any effective GRC strategy; GRC programs must contribute to a culture of ethical and compliant behavior in order to change values and perceptions.
Gaps:
• Disjointed operating strategies
• Lack of effective oversight mechanisms
• Organizational silos
• Wasted resources and information
• Unnecessary complexity
• Lack of data integrity
Goals:
• An aligned operating strategy
• Effective oversight mechanisms
• Integrated risk and control activities
• Resource and personnel optimization
• Streamlined business processes
• Quality data and information
Move from Good to GREAT – Core Values
Tone: The starting point for any world-class GRC program. A GRC culture must permeate the entire organization. Balanced performance metrics should be considered in the performance measurement of senior management. Empower and properly resource the individuals who have day-to-day responsibility for mitigating risks.
Testing and Reporting: Assure that the control environment is effective. Ensure policies and procedures are communicated and fully understood. Implement appropriate controls, which should be tested and ultimately monitored and audited on a regular basis. Perform periodic cultural assessments and reinforce the desired behaviors while remediating the negative ones.
TOP EVOLVING AREAS
International Operations
• Enhance oversight and visibility: on-site visits, inspections
• Enhance global compliance controls: import / export, ethics, FCPA
• Roll out training for policies and procedures across all locations
Third Party Partners
• Participate in third party reviews: due diligence, selection, on-boarding, data controls
• Vendor audits – focus on compliance with US regulations, FCPA
• Enhance relationships to create self-reporting processes
Mergers & Acquisitions
• Perform “post mortem” reviews: assess planning, due diligence
• Perform a “risk assessment”: integration processes, process controls and IT systems, key spreadsheets
• Implement performance tracking and metrics
Outsourcing
• Participate in shared service planning & decision making
• Program governance: review RFP content / bids, selection methodology
• Review SLAs, post-implementation benefits
• Enhance performance management goals & metrics
IT Security & Privacy
• Perform “reputational risk” reviews: social media, personally identifiable information (PII) privacy attacks
• Perform security audits around cloud & social media platform risks: Facebook, Twitter, LinkedIn – identity theft
• Audit disaster recovery / business continuity plans: business impact, crisis management, test disaster recovery performance
Talent Management
• Review “Line Of Sight Systems” (LOSS): are corporate goals and employee understanding aligned?
• Review programs around retention, learning and development
• Review the “on-boarding” process – background checks, emergency management, medical programs
• Audit need identification processes, goal development, evaluating and reporting performance, recruitment incentives and reward programs