2
« Public sector innovation is about new ideas that work at creating public value »
OECD, Oslo Manual on Innovation & 2014 Conference

[Figure: OECD Innovation Measurement Framework. Elements shown: Infrastructure and Institutional Framework; Demand; Other Items; Education and public research system; Innovation Policies; The Firm, with its four innovation types: Product Innovations, Process Innovations, Marketing Innovations and Organisational Innovations.]
3
« Changes provide challenges for internal auditors to do things differently so that internal audit adds greater value and remains relevant as part of the internal control & governance structure. »
The Institute of Internal Auditors, Internal Audit and Innovation
The IIA – The Competency Wheel, October 2014
The Competency Wheel
This competency wheel depicts the six non-technical skills that are key to internal audit innovation, as well as the three enablers for those skills.
4
« There is nothing more powerful than an idea whose time has come »

[Figure: commitment curve. Vertical axis: Degree of support for innovation; horizontal axis: Time. Stages, from lowest to highest support, each with its typical statement:]
Contact – “I’m being told about something”
Awareness – “I know what it is”
Understanding – “I see the implication for me/us”
Engagement – “This looks OK”
Involvement – “Let’s test it. Let’s do it”
Commitment – “We like to do it this way”
Internalisation – “Why did we do it any other way?”
5
[Figure: Internal Audit value levers]
• Do more with less
• Minimise impacts
• Maximise insights
• Streamline processes
• Get the right resources
• Leverage hi-tech
• Evidence value addition
6
Continuous ERM Auditing
PRACTICAL TIPS
• Systematic in-depth review of the ERM system
• Feeds from a structured ERM database
• Quarterly consolidation of cumulative data
• Standardised assessment criteria
• Multi-faceted assessment model
VECTORS FOR VALUE ADDITION
• Evergreen focus on emerging & orphan risks
• Embedded & streamlined assessment
• Regular feedback to the governing bodies
• Robust opinion based on a broadened scope
7
ERM OPERATIONAL PROCESS
Objective Setting | Risk Identification | Opportunity Management | Risk Assessment | Response Defined | Actionee Defined | Due Date Defined | Control and Monitoring
Accurately set | Very well identified | Very well managed | Financially assessed | Always | Always | Always | Key Control and KPI
Set | Identified | Managed | Globally assessed | Often | Often | Often | Key Control without KPI
Insufficient | Insufficient | Insufficient | Insufficient | Sometimes | Sometimes | Sometimes | Insufficient
Absence | Absence | Absence | Absence | Never | Never | Never |
ERM COMPLIANCE PROCESS
Has a yearly self-assessment of internal controls been done addressing both the design and operating effectiveness?
• Done and tests formalized and documented
• Done but tests not formalized
• Done through interviews rather than tests (light approach)
• Not done
Number of Key Controls? #
Is the Confirmation Letter signed off? Yes / No
Number of Weaknesses Declared? 0 / 0 < x < 5 / 6 < x < 10 / x = or > 10
ERM SUPPORT PROCESS
Existence of training? | IT tool is deployed?
Well developed | Company tool
Sufficient | Excel
Insufficient | Other tool
Yes | No tool
Consideration of the Risk of Fraud in the ERM Reports
Functions | Division 1 | Division 2 | Division 3 | Division 4 | Division 5
Compliance | YES | YES | YES | YES | YES
Finance | Partially | YES | YES | Partially | Partially
Procurement | NO | Partially | Partially | NO | Partially
Sales | NO | Partially | YES | NO | YES
Process areas: Governance | Bid Process | Business Ethics | Export Control | Budget and Reporting | Program Controlling | Purchase to Pay | Payroll and Bonus | IT and SAP Access | Treasury and Cash | Enterprise Risk Mgt
Grades per entity (column alignment lost in this rendering):
Entity 1: B A B B
Entity 2: B
Entity 3: B B B B A
Entity 4: A A B B A B B B B
ERM Audit Conclusion
Summary of the Audit Observation: ERM Internal Control self-assessment must be better substantiated by formal testing and documentation
Grading: B
Agreed Action Plan:
• Using your existing policy, identify the key controls that will serve as reference for the annual self-assessment
• Make sure that tests are backed with robust sample testing and test results
• Submit the signed dashboard and test sheets to the ERM team to get their validation and feedback
8
GRC Maturity Grading model based on COSO2013
PRACTICAL TIPS
• Tri-dimensional grading model
• Consistent and aligned criteria per level
• Outcome-based rules for the overall opinion
• Articulation with audit objectives
VECTORS FOR VALUE ADDITION
• Promotion of a holistic assessment
• Generally accepted GRC framework
• Easy-to-use and objective model
• Allows robust comparisons over time
9
Prepared by: / Reviewed by:
Type of IA Objectives: Project / Risk
COSO COMPONENT: CE, RA, CA, IC, MA
Rating of Control Objective – Grade Awarded for: (1) Control objectives assessment and findings impacts on Governance; (2) Control objectives assessment and findings impacts on Risk Management; (3) Control objectives assessment and findings impacts on business control environment
Individual Control Objectives Scoring and Grading
Control # | Control Objective | Type of IA Objectives | CE RA CA IC MA | Imp. of Cont. Obj | Control Objective Score | Control Objective Rating | Grade Awarded | Grade Awarded | Grade Awarded
1 | Control Objective 1 | Risks | x x x | 3 | 3 | Level 3: Partially Adequate | 3.00 | Level 3: Partially Adequate
2 | Control Objective 2 | Risks | x x x | 3 | 3 | Level 3: Partially Adequate | 3.00 | Level 3: Partially Adequate
3 | Control Objective 3 | Risks | x x x x | 3 | 1 | Level 1: Unreliable | D | 1.00 | Level 1: Unreliable
Weighted Average Score for each of the IA objectives: 3.00 | 3.00 | 1.00
# | IA Objectives | Control Maturity Level | Weight Assigned | Individual Objective Grading
1 | Control objectives assessment and findings impacts on Governance | 3.00 | 33.33% | Level 3: Partially Adequate
2 | Control objectives assessment and findings impacts on Risk Management | 3.00 | 33.33% | Level 3: Partially Adequate
3 | Control objectives assessment and findings impacts on Business Control Environment | 1.00 | 33.33% | Level 1: Unreliable
Scale: Level 1: Unreliable / Level 2: Weak / Level 3: Partially Adequate / Level 4: Adequate
FINAL OVERALL GRADING: Level 2: Weak
Individual Objectives Grading – Rating Combination (irrespective of GRC dimension) | Overall Grading
Adequate | Adequate | Adequate | Adequate
Adequate | Adequate | Partially Adequate | Adequate
Adequate | Adequate | Weak | Partially Adequate
Adequate | Partially Adequate | Partially Adequate | Partially Adequate
Adequate | Partially Adequate | Weak | Partially Adequate
Partially Adequate | Partially Adequate | Partially Adequate | Partially Adequate
Partially Adequate | Partially Adequate | Weak | Partially Adequate
Adequate | Adequate | Unreliable | Weak
Adequate | Partially Adequate | Unreliable | Weak
Adequate | Weak | Weak | Weak
Adequate | Weak | Unreliable | Weak
Partially Adequate | Weak | Weak | Weak
Weak | Weak | Weak | Weak
Partially Adequate | Partially Adequate | Unreliable | Weak
Partially Adequate | Weak | Unreliable | Weak
Weak | Weak | Unreliable | Unreliable
Unreliable | Unreliable | Partially Adequate | Unreliable
Unreliable | Unreliable | Weak | Unreliable
Unreliable | Unreliable | Unreliable | Unreliable
Adequate | Unreliable | Unreliable | Unreliable
Outcomes Based Rules
10
Level/Conclusion | Summary Description | Governance | Control | Risk

Level 4: Adequate
Summary: Internal control environment has been adequately designed and effectively implemented to mitigate risks to an acceptable level. Reasonable assurance can be provided that risks were effectively managed, and that business and control objectives will be achieved. Management has accepted risk levels that are acceptable to the organization.
Governance:
• Promotes appropriate ethics and values within the business (P1)
• Effective business performance management and accountability (P5)
• Effective communication of risk and control information within the business (P3, P14)
• Effective co-ordination of business activities (P3)
• Effective communication of business performance, information and results within the business (P3, P14)
• Compliant with applicable corporate governance requirements (P2, P12, P15)
Control:
• Implemented controls (including IT information systems) are adequately designed and operating effectively (P10, P11, P13, P16)
• Controls (including IT information systems) are well documented (P13, P16)
• Minor errors or misstatements identified, but not material or significant (P6)
• Compliant with laws / regulations / corporate policies and procedures (P4, P6, P12, P15)
• All previously reported internal control deficiencies are remediated and actioned (P17)
Risk:
• Risk registers effectively maintained (P7)
• Potential fraud risks are assessed, and responded to (P8)
• Potential risk impacts regarding changes in the business / IT information system environments, and/or at management level are assessed and responded to (P9, P11)
• Implemented risk responses are adequately designed and operating effectively (P6, P7)
• Risk treatments are well documented (P7)
• Minor risk materialization may occur, but not with material or significant impact (P6)
• RM Policy and RM Framework fully implemented and complied with (P4)
• RM assurance activities are operating as intended (P7, P16)

Level 3: Partially adequate, needs some improvement
Summary: Internal control environment has been generally designed and implemented to mitigate risks to an acceptable level, but certain key processes / areas require some improvement. Partial assurance can be provided that risks were effectively managed, and that business and control objectives will be achieved. Management has accepted risk levels that are slightly higher than what is acceptable to the organization.
Governance:
• Generally ethics and values are effectively promoted within the business, with minor exceptions
• Generally business performance management and accountability is effective, with minor exceptions
• Generally risk and control information is communicated within the business, with minor exceptions
• Generally business activities are effectively coordinated, with minor deficiencies noted
• Generally business performance, information and results are effectively communicated within the business, with minor gaps noted
• Some minor lapses in compliance with
Control:
• Generally implemented controls (including IT information systems) are adequately designed and operating effectively, with minor exceptions
• Generally controls (including IT information systems) are well documented, with minor gaps and deficiencies noted
• Some errors or misstatements identified, but not material or significant
• Some lapses in corporate policies & procedures
• Most previously reported internal
Risk:
• Risk registers are maintained, but require some updates
• Generally potential fraud risks are assessed and responded to
• Generally potential risk impacts regarding changes in the business / IT information systems environment, and/or at management level are assessed and responded to
• Generally implemented risk responses are adequately designed and operating effectively, with minor exceptions
• Generally risk treatments are well documented, with minor gaps and deficiencies noted
• Potential risk materialization outside acceptable risk tolerance levels, but not with material or significant impacts
• RM Policy and RM Framework partially implemented and complied with
• RM assurance activities are partially operating as intended

Level 2: Weak, needs major improvements
Summary: Internal control environment is weak and ineffective to mitigate risks to an acceptable level, and major improvement in certain key processes / areas is required. Limited assurance can be provided that risks were effectively managed, and that business and control objectives will be achieved. Management has accepted risk levels excessively higher than what is acceptable to the organization.
Governance:
• Ineffective promotion of ethics and values within the business
• Ineffective business performance management and accountability
• Ineffective communication of risk and control information within the business
• Ineffective co-ordination of business activities
• Ineffective communication of business performance, information and results within the business
• Ineffective compliance with applicable corporate governance requirements
Control:
• Controls (including IT information systems) are generally present with some design or operating effectiveness inadequacies
• Controls (including IT information systems) are not adequately documented to ensure continuity and effective hand-over of procedures should there be a change of control owners
• Major lapses in compliance with laws / regulations / corporate policies & procedures
• Significant errors or misstatements identified
• Some previously reported
Risk:
• Risk registers are incomplete and not up to date
• Potential fraud risks are ineffectively assessed and responded to
• Potential risk impacts regarding changes in the business / IT information systems environment, and/or at management level are ineffectively assessed and responded to
• Risk responses are generally present with some design or operating effectiveness inadequacies
• Risk treatments are not adequately documented to ensure continuity and effective hand-over of procedures should there be a change of control owners
• Potential of major risk materialization outside acceptable risk tolerance levels, with material impacts
• RM Policy and RM Framework ineffectively implemented & complied with
• RM assurance activities are ineffective

Level 1: Unreliable, needs immediate attention
Summary: Internal control environment is unstable and unreliable to mitigate risks to an acceptable level, and significant improvement in key processes / areas is urgently required. No assurance can be provided that risks were effectively managed, and that business and control objectives will be achieved. Management has accepted risk levels that are unacceptable to the organization.
Governance:
• Inappropriate ethics and values promoted within the business
• Inadequate business performance management and accountability
• Inadequate communication of risk and control information within the business
• Inadequate co-ordination of business activities
• Inadequate communication of business performance, information and results within the business
• Limited / non-compliance with applicable corporate governance requirements
Control:
• Unpredictable environment for which controls (including IT information systems) have not been designed or implemented
• Material errors or misstatements identified
• Significant lapses in compliance with laws / regulations / corporate policies
• None / few previously reported internal control deficiencies are remediated and actioned
Risk:
• Risk registers are unreliable or non-existent
• Potential fraud risks are inappropriately assessed and responded to
• Potential risk impacts regarding changes in the business / IT information systems environment, and/or at management level are inadequately assessed and responded to
• Unpredictable environment for which risk responses have not been designed or implemented
• Potential of significant risk materialization outside acceptable risk tolerance levels, with material and significant impacts
• RM Policy and RM Framework not implemented and complied with
• RM assurance activities are inadequate and unreliable
11
Auditing focused on Issue Resolution and Management Commitment
PRACTICAL TIPS
• Allocate 50% of the standard audit time to problem solving and strategic thinking
• Replace the audit report with a customised summary template for key stakeholders
• Develop after-audit services to monitor progress
VECTORS FOR VALUE ADDITION
• Efforts are more focused on solutions
• Well-reasoned, substantiated and thorough recommendations
• Impact on decision-making and executive managers
• Outcome-oriented mindset of the organisation
12
• Procedure – A written explanation of the process.
• Training – Teaching the process.
• Supervision – Adhering to and improving the process.

[Figure: problem-solving flow]
Processes (Daily Operations: Work, Tasks, Business) → Problems → Containments → Investigation → Cause Mapping / Root Cause Analysis → Implement the Solutions (improvements)
Root Cause Analysis:
1. Problem – What’s the problem?
2. Analysis – Why did it happen?
3. Solutions – What will be done?
DID Happen: Incident, Crisis, Failure, Error, Defect, Delay
COULD Happen: Near-miss, Potential, Risk, FMEA, RCM
13
[Figure: from data to ideas] Data → Information → Idea → Critical Thinking (“Judging”) → Good Idea / Bad Idea
Data Quality
• Clarity
• Accuracy
• Precision
• Relevance
• Completeness
• Consistency
Data Orientation
• Egocentrism
• Socio-centrism
• Assumptions
• Prejudices and Fears
• Relativistic Thinking
• Wishful Thinking
14
Unique Auditing Slidedeck & Logical Writing
PRACTICAL TIPS
• Combination of Planning Memorandum, Kick-off & Closing Presentation and Report
• Information provided once and for all
• Slides used and re-used along the mission
• Specific communication merging strategy, structure and format
VECTORS FOR VALUE ADDITION
• Allocation of resources to substantive work
• Optimised focus on key messages
• Clarity and visual cues for the stakeholders
• Attractive and easy-to-read documents
15
[Figure: logical writing pyramid. Top: Overriding Question → Answer (Main message). Below: Questions (why, how or what?) → Answers (Key ideas). Bottom: Questions → Answers (Supporting ideas).]

Build the Thesis Statement
• Build a one-sentence thesis statement from scratch, based on one or two research keywords
• Eliminate the linguistic and structural ambiguities
Build the Logical Argument
• Build a logical argument based on the thesis statement developed
• Find and eliminate the known counterarguments
Build the Abstract
• Build the paper’s abstract based on the thesis statement and arguments developed
• Background, Goal, Thesis Statement, Procedures, Implications
Build the Body
• Build the full paper based on the abstract developed
• Modify the thesis statement, argument and abstract again and again
16
Professional Tutorship & Career Acceleration Programme
PRACTICAL TIPS
• Sponsorship of the Director General
• Close interaction with Human Resources
• Integration in the overall talent programme
• Attractive training and audit assignments
• Mastery of broad-based technical skills, familiarity with all business units, ability to build networks across the organisation
VECTORS FOR VALUE ADDITION
• Higher retention of talented employees
• Future group leaders well versed in GRC
• Enhanced IA capacity with regular inflow
• Positive ratchet effect on internal audit
17
Phase I – Sourcing | Phase II – Training + Assignment | Phase III – Deployment
Phase I – Sourcing: Strategic Workforce Planning; Analysis of Group's needs for future leaders; Partnership with Corporate HR and universities
Phase II – Training + Assignment: Job Assignments; Training
Steps 1 to 4: Sourcing; Turn Key Project Secondment; Executive Placement; Business Secondment
18
Junior Auditor, Year 1: Understand the environment
Junior Auditor, Year 2: Select domain area of expertise
Senior Auditor, Year 3: Follow domain areas training + plan move
Group Internal Audit Career Path
Junior (2 – 3 years)
Senior (3 – 5 years)
Lead (5 – 8 years)
Manager (8 – 10 years)
Director (10+ years)
Proficiency Level: Novice, Junior, Associate, Senior, Principal
Standard Roles
Administrator
Client Manager
Consultant
Operations Mgr/Drtr
Process Analyst
Process Manager
Product Manager
Project/Program Mgr
Service Architect
Service Delivery Mgr
Service Manager
Solution Architect
Solution Manager
Support Analyst
Support Engineer
Team Leader
Technical Architect
Technical Engineer
IDM Career Framework – Portfolio & Internal Service
Domain (Level 1) | Sub-Competence
AQDA Deal Assurance
AQDA Contract Assurance
AQDA Account Recovery
AQDA Quality Management System
AQDA Quality Management in Accounts
AQDA Quality Management in Projects
Client Management Client Management
RACG Client Security Management
RACG Internal Security Management
RACG Security Support
RACG Business Continuity Management
RACG Client Continuity Management
RACG Risk and Internal Control Management
Service Management Service Delivery Management
Service Management Compliance
Service Management Process Service Management
Service Management Lean Management
T&T Program control
T&T Governance and Steering
Competences
IDM roles and competences that could be covered by GIA skills
20
Lessons learned from lean6sigma auditing
PRACTICAL TIPS
• Roll-out of SIPOC, Pareto, Ishikawa, Value Stream and RACI tools
• Packaged toolbox with built-in support
• Broadened capabilities for auditing complex systems
• Partnership with the quality function
VECTORS FOR VALUE ADDITION
• Summarised and targeted communication
• Enhanced analytical skills
• Advanced sharing of business knowledge
• High-quality reusable deliverables
21
[Figure: SIPOC diagram (Supplier, Input, Process, Output, Customer) for portfolio monitoring; the cell-to-row alignment is not recoverable from this rendering.]
Suppliers: Governance; Regulatory CASA; Regional bank (caisse régionale); CLIENT
Inputs:
• Credit policy in force • Guarantee policy
• Database on overall production (portfolio rating, default rate overall and per market, etc.)
• "Yellow letters" (lettres jaunes) • Previous recommendations
• Customer data • Counterparty analysis
Process:
• Define the monitoring indicators
• Define the monitoring actors
• Carry out the portfolio reviews
• Decide on the follow-up arrangements for the file
• Request a transfer to recovery where applicable
• Request a modification of the file
• Monitor and steer the overall portfolio
Outputs:
• Change to the credit policy / delegations
• Risk monitoring committee (qualitative and quantitative analyses)
• Queries on several criteria: by market, by type of exposure (performing, sensitive, in default)
• Follow-up of recommendations
• Transfer of files
• Training plan • Request for modification of files (new guarantees, etc.)
Customers: Governance; Internal audit; Regional bank (caisse régionale); Recovery department; CASA / IGL; Operational staff (business and customer relationship managers); Transformation department
22
Integrated Audit Plan Preparation Package
PRACTICAL TIPS
• Development of a thematic audit universe
• Definition of criteria for prioritisation
• Broadened inputs for plan definition
• Clear takeaways for each input
• Template for outputs aggregation
VECTORS FOR VALUE ADDITION
• Objective-based, business-centric planning
• Substance over form
• Identification of management guiding threads
• Qualitative vs quantitative approach
23
Legend:
A – Group’s strategy
B – MEcon and Performance
C – Fraud and Corruption
D – Governance Processes
E – BRM
F – ICS
G – H&S
H – IT and RBSC Changes
I – 2016 Audit Results
J – Sel. Interviews
[Figure: audit plan input matrix. Columns: PRODUCT LINES (OTH, RMX, AGG, CEM); Growth and Innovation (Innov., Digital, Cust. Excel.); People; Performance and Costs (Fin., Proc., Sh. Serv., Retail Sol.); Asset Light (Sust. Log, CAPEX Mgt.); Sustainable Development (H&S); GOVERNANCE, RISK AND CONTROL PROCESSES. Rows: countries.]
Argentina: D
Brazil: D, F, J
Chile: D, F
Ecuador: D
Colombia:
CREST:
Costa Rica: D
Other matrix cells (column positions not recoverable in this rendering): I | B, I | B | E | E | E | A, B, C | A | E | B, E | B, C, E | M/M | B, E | M/M | B, E | E | B, E | B, C | I | H | A | B | E | G | G | G | G | A, E