Internal audit operating at the strategic level
Strategic collaboration
Auditing strategic risks
Audit plan alignment
Malcolm Zack – Director, Zack Associates Limited
Strategic risks are risks that affect or are created by an organization’s business strategy and strategic objectives – Deloitte. Exploring Strategic Risk - a global survey
So… what do we mean by strategic risk?
• Poor Business Decisions
• Poor Execution
• Inadequate resource allocation
• Not responding to changes in the environment
• Risks identified in the strategic plans
• Financial
• Economic environment
• Political risks
• People
Allianz Risk Barometer 2016
1. Business Interruption
2. Market (volatility, stagnation, competition)
3. Cyber incidents
4. Natural Catastrophes
5. Changes in Legislation
6. Macro economic changes
7. Loss of Reputation/Brand Value
8. Fire Explosion
9. Political risks (war, terrorism)
10. Theft, fraud and corruption
Protiviti – Audit Committee Top Risks 2016
1. Regulatory Change/Scrutiny
2. Managing Cyber Threats
3. Economic conditions restrict growth
4. Succession and attracting talent
5. Privacy and information security
6. Resistance to change
7. Rapid speed of disruptive technology
8. Culture: - impact on risk management
9. Volatility in global financial markets
10. Sustaining customer loyalty
KPMG Top Risk Management Issues 2016
1. Technology Risk Management
2. Third Party Risk Management
3. Fraud and Misconduct
4. Crisis Management
5. Data Security
6. Achieving Compliance
7. Risk Data – aggregation and Reporting
KPMG Top Risks for Internal Audit – Capital and Markets 2016
1. Increased regulatory expectations
2. Culture and conduct
3. Regulatory reporting
4. Stress testing
5. Model risk management
6. Cyber security
7. Third-party relationships/vendor management
8. Continuous risk assessment
9. Use of data analytics and continuous auditing
10. Internal audit talent recruitment and retention
• Top sets of risks differ from sector to sector
• Not all top risks are strategic
• Most appear operational, value preserving risks, i.e. they could threaten achievement of business objectives/strategy
So should we focus on risks or objectives?!
• Achievement of the organization's strategic objectives.
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.
• Organisation strategy should be a foundational element of plan
• Aligns IA with strategic priorities
• Helps allocate IA resources.
• Leverage management and other assurance providers
• Consider providing assurance
• Assess if strategic risks are being managed.
• Evaluate mitigation methods
• Opportunity to deliver advisory services that impact organisation evolution directly
• Assess skills and knowledge in team
• Consider other sources if necessary
Executives responsible for risk management in pursuit of strategic objectives
Strategic opportunities and threats drive creation of short and longer term strategic initiatives/investments to deliver value.
IIA standards - 2120 – 3 Internal audit coverage of risks to achieving strategic objectives.
IA provide assurance
IA skills
IA evaluates
IA focus on critical risks
IIA – Research Foundation
• More involved with strategic initiatives – Better connected
• Become business partner/risk advisor
• Greater value when involved early on in initiative
• Link ERM to strategic thinking
• IA Gains knowledge and insight
• Skills include strategic planning and consulting
• Increase demand for advisory work, reality checks
• Balance assurance and advising management
The reasons and benefits for internal auditing are clear… but how do you go about getting your team involved?
Risk (what could happen?) | Risk Factors (what contributes to the risk?) | Impact (what outcomes if the risk is realised?) | Business Objectives affected | Key Controls | Assurance/audits
Risk that….. | a.. b.. c.. | Xxxxxx, yyyy | Growth, Customer Experience | Mgt.. Review.. | High level view of audit area
Risk: Operational Excellence
Risk: Growth, Customers, Shareholder value
Risk: Operational Excellence
Strategic, Financial, Operational, Regulatory
Link strategic risks to the business objectives most impacted and identify sources of assurance and audit potential.
Helps board audit committee understand where assurances over key strategic risks come from and any gap
Risk and Opportunity Matrix
Risk
Opportunity – how much is business moved forward?
Top Strategic projects Significant change New products/businesses “pushing the envelope”
Projects/initiatives providing high benefit to the business but lower risk, e.g. rolling out new stores/locations
Complex operational areas. E.g. BCP, IT Security, Treasury
Map audit plan candidates……
[Audit functions] “often fail to provide assurance on strategy creation and execution, management's value creation work”. – “Why firms should audit strategic risk” – Business Week July 2010
Important areas needing some audit review but less frequent
So what could internal audit do?
Sales Development
New Products
Going into new markets
Diversification
New locations
Expansion/Merger/takeover/demerger
Transformation Programmes
Reviewing the strategic plan itself
• Risk assessment assumptions and drivers, information obtained, scenario planning and stress testing, softer areas (strong personalities and commitment), alternatives rejected
Major Systems
Strategic Programme Office
Benefits Realisation
1 Sales Structure Reviews Market Growth
2 Service Improvement Market Growth
3 Telesales alignment Market Growth
4 Leadership Market Growth
5 Development/Pipeline Market Growth
6 RCEO coaching Market Growth/Market Share Gain
7 Customer Service alignment Market Growth
8 HR KPI Delivery All
9 People capability Market Share Gain/Specialist Growth
10 Regional Structure reviews Market Share Gain
11 Competitive/aligned reward & recognition Market Share Gain
12 Driver/Telesales/Sales Alignment Market Share Gain
13 Aligned with UK policies and practices Specialist Growth
14 Develop and support senior team Specialist Growth
15 Continuous Evaluation of organisation Cost Reduction
16 Performance management Cost Reduction
17 Continuous improvement focus Cost Reduction
18 Head count monitoring Cost Reduction
19 Management information integrity Acquisitions
20 Communication platform/tools Acquisitions
21 External framework in place Acquisitions
22 Corporate Governance Acquisitions
23 HRBPs prepared Acquisitions
• Where I have succeeded more
• Focusing audit team capabilities on initiatives that are important/critical to achieving the strategic goals. E.g. major projects, transformations, significant acquisitions.
• “why isn’t IA on this call?”
• Attempts to review the strategy itself –
• Helping management pull out risks with the strategy and risks arising because of the strategy that has been agreed has added more value.
PLANNING RISK < EXECUTION RISK
Are YOU strategic enough?
A place to start your thinking……
What is your Internal Audit Strategy for the next 3-5 years?
Where is it now, where does it need to go, and how will it get there?
How often do you review it?
And… what are the risks to your strategy?
Involve your Audit Committee….
Work on strategic initiatives
Well connected
Recognised business partner/risk advisor
Involved early
Linked ERM to strategic thinking
IA sought for knowledge and insight
Strategic Skills
Demand for advisory work
Balanced assurance and advising management
Development route for management
Obstacles and assumptions
View of IA capability
It's difficult
It's “confidential”
Where do you start?
Strategic risk is just a category like the others… but projects do lend themselves.
Needs a different approach to auditing and reporting
More advisory than assurance
More upfront and ongoing involvement and challenge
Dynamic reporting
Needs audit team to be able to think strategically and have commercial understanding
Look at the backgrounds – do you have the right mix?
Internal Audit and Strategic Risk
Strategic collaboration - Essential
Auditing strategic risks – Be selective
Audit plan alignment – back to basics
But…….
Remember
• Which business objectives are impacted or benefited from the results of your audit work?
• Link findings from audits back to the top risks and business objectives.
• Achievement of the organization's strategic objectives.
• Reliability and integrity of financial and operational information.
• Effectiveness and efficiency of operations and programs.
• Safeguarding of assets.
• Compliance with laws, regulations, policies, procedures, and contracts.
IA evaluates
Remember to kick the tyres……