Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
Welcome!Adapting to Change for Internal Audit
and Anti-Fraud Professions
Imran Zia, MSc, ACA, FCCA, CIA, CISA, CFEChief Internal Auditor
Gulf Drilling International
Adapt or Disappear ?
It is not the strongest of the species that survives, nor the most intelligent, but the
one most adaptable to changeCharles Darwin, 1809
Digital Universe is Huge and is Growing Exponentially
1 Zettabyte = 1 Trillion GB1 Exabyte=1 Billion GB
World’s largest taxi company owns no taxis (Uber)
Largest accommodation provider owns no real estate(Airbnb)
Largest phone companies own no telco infrastructure(Skype, WeChat)
World’s most valuable retailer has no inventory(Alibaba)
Most popular media owner creates no content (
World’s largest movie house owns no cinemas (Netflix)
Largest software vendors don’t write the apps (Apple& Google)
source: www.ibmforentrepreneurs.com
Only 11% of the Fortune 500 companies from 1955still exist today
The average time that companies stay in the top 500has fallen from 75 years to 15 years.
75% of the companies that were listed on the S&P500 Index in 2012 will be replaced in 10 years time
New York Times reported that the company'sdigital transformation is projected to make 30% ofcurrent jobs obsolete by 2020.
A recent study by Economist found that 94% of theresponsibilities of accountants and auditors will becompleted by robots in 20 years’ time.
Source: 2016 Global Chief Audit Executive Survey by Deloitte
85 % CAEs expect their organization tochange moderately to significantly
In 64 % cases the Audit Committeeneeds Internal Audit to evolve
More than half of CAEs (57 percent) arenot convinced that their teams have theskills and expertise needed to deliveron stakeholders’ current expectations
Only 28 percent of CAEs believe thattheir functions have strong impact andinfluence within the organization
Didn’t innovate fast enough
Less focus on clients
Insisted on their OS
Continued to believe that theycould make a come back
Source: http://accaiabulletin.newsweaver.co.uk/accaiabulletin/jj7m1jilyc4
Is Internal Audit Next BlackBerry ?
Today we live in a VUCA world
V – Volatile
U – Uncertain
C – Complex
A – Ambiguous
We can’t make the Uncertainty go away, but we can change the way we respond to it
Every uncertainty is also a new Potential Future, but a signal that it's time to get ready for change
The Only Sustainable Advantage is to
Learn Faster than the Change
OR
Staying Ahead of Risk
Internal Auditorsneed to beOutsighters – Abilityto ComprehendForthcomingChanges)
Predict the Weather, Don’t just report it
Risk Centric Vs Objective Centric Audit Risk Assessment
Risk Registers & Risk Heat Maps - mostly don’t depictresidual risks; and are not linked with company’s topValue Creation Objectives
Audit Risk Assessment often does not cover company’smost important Value Creation / Strategic Objectives
Small Coverage of the total Risk Universe each year
More Focus on Internal Controls of the audited area whilethe residual risks linked with key strategic areas areignored
The Way Forward
What Could Go Wrong; and What Needs to Go Right
Objective Centric Risk Assessment – Use Company’sObjectives Register not an Audit Universe
Form opinion on company’s Residual Risk Status ratherthan reporting effectiveness of internal controls only
The Value Gap Between Internal Audit and Our Stakeholders
IIA Standard 2201 – Planning Considerations – requiresinternal auditors to consider:
• The objectives of the activity being reviewed;
• The significant risks to the activity, its objectives, resources andoperations and the means by which the potential impact of risk is keptto an acceptable level
Will this approach identify the "critical risks to the enterprise"and lead to the audits that matter ?
Will this enable Internal Audit in providing assurance, insight,and advice on the management of business critical risks ?
Staff for the audits we perform, not perform audits based on the staff we have
If business risks and audits are ever-changing, then the skills &experience that we have need to change at that speed as well
Change doesn’t occur once a year - Internal Audit RiskAssessment must be Dynamic not Static
Focus on the risks that matter to organization objectives.Those are the risks that need to be addressed in the audit plan
Ask the question - will this audit engagement add value
Audit Where The Risk Is Going To Be, Not Where It Has Been
Prevent internal control or risk issues when you can,rather than identify them when they already existand represent
Auditing the risks that impact today and tomorrow,not limiting your focus to what has happened in thepast
Being involved in new initiatives, providingconsulting advice
Are we looking at the Value in all the wrong places ?
“Value” is what the customer places a value on, notwhat internal audit would like to consider valuable
There is a huge risk when internal auditdepartments are so consumed with the idea ofadding value (which they measure through dollarsavings, process improvements, and such) that theyfail to provide the assurance that our customersneed
Who is Responsible to Assess & Manage Risk ?
Risk Management is not a Department, it isAttitude
The people who should own risk are the peoplewho own performance and the achievement ofobjectives
If you are to be an effective manager and achieveyour objectives, you need to be able to manage therisks to the achievement of your objectives
The Corporate Frog Story
Forbes magazine recently called culture the most overlooked element of audits
Organization Culture
Here and Now
The Risk Culture
How organization dealswith Multiple tomorrows
Problem – Imbalance between the Two
A poor mismatch between the culture and the riskculture in an organization can lead to catastrophes
A Hard Look at the Soft Stuff
There is a need to move away from a focus on today’s issues to a balanced look at today’s and tomorrow’s concerns
Significant Deviations from the Board’s Espoused Values
Silo-based Functioning
Layered Management Reporting
Excessive Short-termism
Control Management instead of Risk Management
Black Holes
The most significantnon-financial cost maybe the negativereputation of theinternal audit rolethroughout theorganization.
Likeable Auditors
A study shows that if an auditor is likable and gives a well-organized argument, managers tend to comply with hissuggestions, even if they disagree and the auditor lacks supportingevidence.
Identify & expand areas of commonality wheninteracting with others
Understand and adapt to communication styles
Don’t pass judgement
Pull more and push less
Board / Top Management with No/little Idea of InternalAudit Capabilities
ByAligning with the Expectations of Ignorant Boards, Weare Doomed to Repeat the Failures of the Past
Way-out
Educate the Board / Top Management of our Capabilities &Responsibilities
Expand our capabilities to address key risk areas
How likely is it that the Business Strategy has been accurately established ?
The most recent Global Risksreport by the World EconomicForum ranks cyber attacks asone of the top 10 risks mostlikely to cause a global crisis
Attackers had access to theorganizations’ environments foran average of 205 days beforethey were discovered.
Worldwide spending oncybersecurity is predicted to top$1 trillion for the five-yearperiod from 2017 to 2021,
Why Hackers Could Cause the Next Global Crises
Internal Audit Needs to Up Its Cyber Security Game
Source: Global Perspectives and Insights: Emerging Trends, The Institute of Internal Auditors
Top 4 Cyber Security Mistakes
Assuming We’re Not a Target
Approaching IT as Just an IT Issue
Neglecting to Understand and Update our Network
Relying Solely on Anti-Virus Technologies
Focus Points
Cyber Security threat never sleeps, and companies can’tafford to be asleep
Cyber-defense Tactics & Tools Cannot Remain Static
Way-Out - Job on Hand
Treat Cyber Risk as enterprise-wide Risk, not just an ITissue
Measure the impact of security breaches with achievementof corporate objectives
Apply advance solutions to detect attacks even if there areno known signatures
I
M
P
A
C
T
High 3 6 9
Medium 2 4 6
Low 1 2 3
Remote Likely Probable
L I K E L I H O O D
Meeting Internal Audit Objectives without Auditing
Internal Audit Reports do the Function a Great Disservice
Typical Audit Report conveys what we want to say rather thanwhat leaders of the organization need to know
Reporting opinion on sufficiency of Internal Controls ratherthan full range of risk responses / treatments in place
Way Forward
It is critical to communicate “What Matters” to stakeholders
Provide stakeholders with the information they need, whenthey need it; and in a form that is actionable
Change is our final product – A recommendation has no valueunless it leads to a necessary change by management
Stop When It Is Obvious – You are not in a court of law
Quality Assurancebased on quantityand not on quality
Working Papers forworking papers sake
Evidence Collection
What else ?
Distractions
Generation gap between the people setting thepolicies and the people facing the results of thosepolicies
Insanity – Doing the same thing over and over again and expecting different Results - Albert Einstein
Embrace Change – Think Outside the Box
Quantum Transformation in Internal Audit Paradigm - TheElectric Light did not come from the continuous improvementof candles
Future Focussed Auditing - My Interest is in the FUTUREbecause I am going to spend rest of my life there
Audit That Matters - Focus on success (value creation) morethan avoiding failure (value preservation)
More Value Addition - You can’t do a good job, if your job isall you do
Welcome!Adapting to Change for Internal Audit
and Anti-Fraud Professions
Imran Zia, MSc, ACA, FCCA, CIA, CISA, CFEChief Internal Auditor
Gulf Drilling International