
Internal Audit’s Evolving Role in Corporate GRC Strategy


Page 1: Internal Audit’s Evolving Role in Corporate GRC Strategy

Session G4 Slide # 1

Overcoming Small Department Challenges

Session G Wednesday, September 17th, 2014

16:00 – 17:00

David Fernandes

Internal Audit’s Evolving Role in Corporate GRC Strategy

Page 2: Internal Audit’s Evolving Role in Corporate GRC Strategy

TOPICS

• Your Expectations

• Past, Present & Future

• GRC Overview

• Good to Great

Page 3: Internal Audit’s Evolving Role in Corporate GRC Strategy

YOUR EXPECTATIONS

How many in the Audit Department? <5, <10

Who owns Risk? Board, Audit Committee, Legal?

Is there ANY Strategy in Place?

STRATEGY – What is it?

Page 4: Internal Audit’s Evolving Role in Corporate GRC Strategy

Past, Present & FUTURE

Page 5: Internal Audit’s Evolving Role in Corporate GRC Strategy

TRADITIONAL ROLE OF INTERNAL AUDIT

• Assurance: Assure stakeholders that the corporate policies and internal controls ensure compliance with the statutory obligations.

• Assessment and Recommendations: Review the effectiveness of the control procedures to ensure that the organization achieves its objectives.

• Oversight: The basis by which management maintains oversight and control of their organizations, analyzes risk, and directs resources to areas in need of development.

• Advisory Services: Internal auditors are also expected to assist via recommendations for effective ERA and ERM.

Goals & Challenges

Past

Page 6: Internal Audit’s Evolving Role in Corporate GRC Strategy

SYMPTOM: Audit Committees and Board Members are placing increasing reliance on the role of Internal Audit in assessing and mitigating fraud and corruption risks by improving the effectiveness of governance, risk management and control processes.

CAUSE: Executives and Corporate boards are under increased oversight and scrutiny by regulators, shareholders and external auditors.

TREATMENT: The consequence is that internal audit professionals are faced with a growing number of information requests, new compliance requirements, and the constant pressure to do more with less.

Present

Page 7: Internal Audit’s Evolving Role in Corporate GRC Strategy

RISK MANAGEMENT

• The IPPF Performance Standard 2120 states, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”

• Shareholders, board members and management are placing a greater emphasis on how internal auditors can play a role in evaluating and mitigating risks, IT and operations, managing fraud risk, as well as increasing their involvement in corporate governance.

• Effective internal audit functions help organizations ensure key business risks are being managed appropriately and that the system of internal control is operating effectively.

• As the internal audit role of performing risk assessments becomes embedded in the risk management processes, the discipline receives more emphasis in the key job responsibilities.

Future

Page 8: Internal Audit’s Evolving Role in Corporate GRC Strategy

FRAUD

• The growing number of regulations and the successful expansion of multinational organizations into new markets increase compliance risk.

• Internal auditors are expected to have sufficient knowledge to evaluate the risk of fraud in their organizations, and are required to report to the board any fraud risks found during their investigations.

• Develop an operational compliance program which defines the thresholds at which risks require mitigation or additional management, the appropriate control testing, and the rules governing the creation of issues for reporting and resolution.

Future

Page 9: Internal Audit’s Evolving Role in Corporate GRC Strategy

GOVERNANCE

• Section 301 of the Sarbanes-Oxley Act states, “The audit committee establishes procedures for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls or auditing matters, including procedures for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters.”

• Audit Committees will look to internal audit to provide assurance for their independent business insight, including performing reality checks on key management decisions.

• GRC strategies must integrate legal, compliance, risk and SOX control processes to better leverage information, gain operational efficiency, and provide greater transparency into overall business risks.

• GRC strategies must establish a common, integrated discipline around regulations, policies, risks, controls, and issues.

Future


Page 11: Internal Audit’s Evolving Role in Corporate GRC Strategy

GRC OVERVIEW

Page 12: Internal Audit’s Evolving Role in Corporate GRC Strategy

• Fraud Detection

• Segregation of Duties

• Compliance Issues

• Regulatory Issues

The current trends point to GRC software’s increasing importance and expanding corporate presence, with IT GRC and Enterprise GRC much closer but still separate strategies:

1. Vendors historically focused on EGRC are supporting content like the Unified Compliance Framework and offering integration capabilities with security and IT management applications.

2. Vendors historically focused on IT GRC are adding enterprise-relevant content and offering product flexibility to support enterprise GRC functions.

Page 13: Internal Audit’s Evolving Role in Corporate GRC Strategy

Good to GREAT

Page 14: Internal Audit’s Evolving Role in Corporate GRC Strategy

4 Key Concepts of a GRC Platform

Workflow Engine: This is how to make sure people know when and how to conduct assessments, audits, remediations, action plans, and other relevant tasks.

Relational Database: Fundamental to GRC is the ability to understand the relationships between risks, controls, policies, requirements, assets, processes, and other objects.

Reporting Capabilities: Analysis of vast GRC information is necessary for business decision-makers, auditors, regulators, and boards of directors.

Document Management: These features allow organizations to create, review, update, distribute, and archive records such as policies and audit findings.
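As an added example (it is not from the slides and not any GRC vendor's product), the relational-database and reporting concepts above can be shown with a small SQLite model: risks, controls and policies as tables, link tables for the relationships between them, and three queries that answer the coverage questions an auditor asks of such a platform: which risks have no mapped control, which controls cite no policy, and which controls are overdue for testing. Every table name, risk, control, policy, owner and date below is constructed for illustration.

```python
"""Constructed relational model of GRC objects with coverage queries."""
import sqlite3

# Schema (constructed): three object tables and two relationship tables.
SCHEMA = """
CREATE TABLE risks (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, rating TEXT NOT NULL);
CREATE TABLE controls (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, owner TEXT NOT NULL,
    last_tested TEXT);                      -- ISO date, NULL if never tested
CREATE TABLE policies (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE risk_controls (                -- which controls mitigate which risks
    risk_id INTEGER NOT NULL REFERENCES risks(id),
    control_id INTEGER NOT NULL REFERENCES controls(id),
    PRIMARY KEY (risk_id, control_id));
CREATE TABLE control_policies (             -- which policy each control enforces
    control_id INTEGER NOT NULL REFERENCES controls(id),
    policy_id INTEGER NOT NULL REFERENCES policies(id),
    PRIMARY KEY (control_id, policy_id));
"""

# Sample data, constructed for this example (not a real organization's register).
RISKS = [
    (1, "Unauthorized payment release", "High"),
    (2, "Vendor bribery (FCPA)", "High"),
    (3, "Loss of customer PII", "High"),
    (4, "Spreadsheet formula error in close", "Medium"),  # no control mapped
]
CONTROLS = [
    (1, "Dual approval for payments over threshold", "Treasury", "2014-06-30"),
    (2, "Third-party due diligence questionnaire", "Legal", None),  # never tested
    (3, "Quarterly access review of CRM", "IT Security", "2014-03-31"),
]
POLICIES = [
    (1, "Delegation of Authority"),
    (2, "Anti-Corruption Policy"),
    (3, "Information Security Policy"),
]
RISK_CONTROLS = [(1, 1), (2, 2), (3, 3)]
CONTROL_POLICIES = [(1, 1), (2, 2)]  # control 3 cites no policy


def build_db():
    """Create an in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO risks VALUES (?,?,?)", RISKS)
    conn.executemany("INSERT INTO controls VALUES (?,?,?,?)", CONTROLS)
    conn.executemany("INSERT INTO policies VALUES (?,?)", POLICIES)
    conn.executemany("INSERT INTO risk_controls VALUES (?,?)", RISK_CONTROLS)
    conn.executemany("INSERT INTO control_policies VALUES (?,?)", CONTROL_POLICIES)
    conn.commit()
    return conn


def uncovered_risks(conn):
    """Names of risks with no control mapped to them (a coverage gap)."""
    rows = conn.execute("""
        SELECT r.name FROM risks r
        LEFT JOIN risk_controls rc ON rc.risk_id = r.id
        WHERE rc.control_id IS NULL ORDER BY r.id""").fetchall()
    return [name for (name,) in rows]


def controls_without_policy(conn):
    """Names of controls that are not tied to any policy (orphan controls)."""
    rows = conn.execute("""
        SELECT c.name FROM controls c
        LEFT JOIN control_policies cp ON cp.control_id = c.id
        WHERE cp.policy_id IS NULL ORDER BY c.id""").fetchall()
    return [name for (name,) in rows]


def controls_untested_since(conn, cutoff):
    """Names of controls never tested or last tested before `cutoff` (ISO date)."""
    rows = conn.execute("""
        SELECT name FROM controls
        WHERE last_tested IS NULL OR last_tested < ? ORDER BY id""",
        (cutoff,)).fetchall()
    return [name for (name,) in rows]


def coverage_report(conn, cutoff):
    """Bundle the three queries into one dictionary a reporting view could render."""
    return {
        "uncovered_risks": uncovered_risks(conn),
        "controls_without_policy": controls_without_policy(conn),
        "controls_untested_since_" + cutoff: controls_untested_since(conn, cutoff),
    }


if __name__ == "__main__":
    db = build_db()
    for heading, items in coverage_report(db, "2014-04-01").items():
        print(heading)
        for item in items:
            print("  -", item)
```

The point of the link tables is that each question becomes a LEFT JOIN looking for missing rows, which is the same pattern a GRC platform's reporting layer uses to surface gaps between the risk register, the control library and the policy set; a spreadsheet-based register cannot answer these questions without manual cross-referencing.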

Page 15: Internal Audit’s Evolving Role in Corporate GRC Strategy

Design a Sustainable Controls Framework

Business leaders view controls as a necessary nuisance, making it difficult for Controllers and their teams to demonstrate how controls can add value to the business.

The business typically agrees with the accounting group about “why” controls are necessary, but disagrees about “how” to best implement them.

Most controls frameworks improve on a linear scale, but business complexity at small to midsized companies often increases exponentially.

Leverage Experience: Pair finance leaders with business leaders to ensure sufficient knowledge of the business and the risk environment.

Engage Business Leaders: Articulate the benefits of increased assurance to persuade business leaders to participate in controls updates.

Update Frequently: Revisit the framework at least twice a year (Interim & Roll Forward) or during periods of significant business change.

Page 16: Internal Audit’s Evolving Role in Corporate GRC Strategy

Culture: An essential element of a “great” program is building a culture of integrity. Culture is comprised of the underlying values, beliefs, attitudes and expectations shared by an organization. Integrity is central to any effective GRC Strategy; GRC programs must contribute to a culture of ethical and compliant behavior to change values and perceptions.

Page 17: Internal Audit’s Evolving Role in Corporate GRC Strategy

Gaps:

• Disjointed operating strategies

• Lack of effective oversight mechanisms

• Organizational silos

• Wasted resources and information

• Unnecessary complexity

• Lack of data integrity

Goals:

• An aligned operating strategy

• Effective oversight mechanisms

• Integrated risk and control activities

• Resource and personnel optimization

• Streamlined business processes

• Quality data and information

Page 18: Internal Audit’s Evolving Role in Corporate GRC Strategy

Move from Good to GREAT – Core Values

Tone: The starting point for any world-class GRC. A GRC culture must permeate throughout the entire organization. Balanced performance metrics should be considered in the performance measurement of senior management. Empower and properly resource individuals who have day-to-day responsibilities to mitigate risks.

Testing and Reporting: Assure the control environment is effective.

• Ensure policies and procedures are communicated and fully understood.

• Implement appropriate controls, which should be tested and ultimately monitored and audited on a regular basis.

• Perform periodic cultural assessments and reinforce the desired behaviors while remediating the negative ones.

Page 19: Internal Audit’s Evolving Role in Corporate GRC Strategy

Top Evolving Areas

Page 20: Internal Audit’s Evolving Role in Corporate GRC Strategy

International Operations

• Enhance oversight and visibility: on-site visits, inspections

• Enhance global compliance controls: import / export, ethics, FCPA

• Roll out training for policies and procedures across all locations

Third Party Partners

• Participate in third party reviews: due diligence, selection, on-boarding, data controls

• Vendor audits – focus on compliance with US regulations, FCPA

• Enhance relationships to create self-reporting processes

Page 21: Internal Audit’s Evolving Role in Corporate GRC Strategy

Mergers & Acquisitions

• Perform “post mortem” reviews: assess planning, due diligence, integration processes

• Perform a “risk assessment”: process controls and IT systems, key spreadsheets

• Implement performance tracking and metrics.

Outsourcing

• Participate in shared service planning & decision making

• Program governance: review RFP content / bids, selection methodology

• Review SLAs, post-implementation benefits

• Enhance performance management goals & metrics

Page 22: Internal Audit’s Evolving Role in Corporate GRC Strategy

IT Security & Privacy

• Perform “reputational risk” reviews: social media, Personally Identifiable Information (PII), privacy attacks

• Perform security audits around cloud & social media platform risks: Facebook, Twitter, LinkedIn – identity theft

• Audit Disaster Recovery / Business Continuity Plans: business impact, crisis management, test disaster recovery performance.

Talent Management

• Review “Line Of Sight Systems” (LOSS): are corporate goals and employee understanding aligned? Review programs around retention, learning and development.

• Review “on-boarding” process – background checks, emergency management, medical programs

• Audit need identification processes, goal development, evaluating and reporting performance, recruitment incentives and reward programs.
