An Integrated Approach to the Internal Control System
- New Methodology for Evaluating Design and Effectiveness -
Carolyn Dittmeier
President, IIA Italy; Vice President, Head of Internal Auditing, Poste Italiane
Corporate Governance Paper
IIA Italy
New Corporate Governance players
Stock Exchange Governance Code
Anti-corruption (Law 231), Sarbanes (Law 262)
Bank Regulations
Increasing legislation and regulation of governance
Numerous corporate governance players
Audit Committee
Board of Statutory Auditors
Compliance Officer
Other Control Bodies
Internal Audit
Compliance Function
Security
Quality
CFO
Human Resource & Organization
Operational Management
Safety
Privacy
Board of Directors
Inspectorate
4
Cost Cost efficiencyefficiency
EffectivenessEffectiveness
Cost of governance exceeds benefits in risk reduction
Inadequate/fragmented risk coverage
PossiblePossible consequencesconsequences::Numerous Corporate
Governance Players
Numerous Corporate
Governance Players
Corporate Governance Paper, Associazione Italiana Internal Auditors
Key points to an Integrated Corporate Governance Model:
I. Global business risk assessment
II. Unified Internal Control System
• Three Control Levels
• Optimizing Relationships
• Single Evaluation Criteria
III. Mechanisms of Assurance

Business Case: Its Business
• 150,000 Employees
• 14,000 Post offices
• 200 Logistic Centres
• 40,000 Vehicles
• 2,700 ATM
Logistics, postal and courier express; Banking, financial services and insurance
€ 15,900 Total Sales (mil), of which:
€ 5,300 Logistics/Postal
€ 4,400 Financial/Banking
General Strategy: Leveraging upon a major national network, integrating new innovative services to core businesses
Business Case: organization chart
BOARD OF DIRECTORS
CHIEF EXECUTIVE OFFICE
Functions: CHIEF INFORMATION OFFICE; RISK MGMT/SECURITY; PURCHASING; REAL ESTATE; RETAIL NETWORK; HUMAN RESOURCES AND ORGANIZATION; INTERNAL AUDITING; COMMUNICATION AND PUBLIC AFFAIRS; STRATEGIC PLANNING; LEGAL AFFAIRS; CORPORATE AFFAIRS; ACCOUNTANCY & CONTROL; FINANCE
Business units: MAIL LOGISTICS AND OPERATIONS; EXPRESS AND PARCELS; PHILATELY; BANCOPOSTA
Business Case: Internal Auditing organization chart
Governance bodies shown: CHAIRMAN; CEO; Court Auditors; Statutory Auditors; Compliance Officer
INTERNAL AUDITING
Audit units: AUDIT FINANCIAL & RETAIL NETWORK; AUDIT LOGISTICS POSTAL; AUDIT BANCOPOSTA; COMPLIANCE FUNCTION AUDIT; INTEGRATED PROCESS AUDIT
Support units: PLANNING; ETHICS; AUDIT SUPPORT PROCESSES; STANDARDS/RESEARCH
Also shown: BUSINESS UNITS; GEOGRAPHICAL AREA MANAGERS
Business Case: Governance milestones
1994 - Public Economic Entity
1998 - Transformation to a stock company “Poste Italiane - Società per Azioni”
2001 - Poste Italiane is subject to supervision of Financial Regulatory Bodies
2002 - Implementation of Internal Audit replacing Inspectorship
2003 - Implementation of Ethics Officer
2005 - Code of Ethics
2006 - Implementation of Enterprise Risk Management Model
2007 - Introduction of Sarbanes - Accounting Officer
I. Global Business Risk Assessment
Key points to an Integrated Corporate Governance Model
Global Business Risk Assessment?
Reputational risks
Strategic risks
Compliance risks
Operational risks
Financial risks
Accounting risks
Goal Model Poste (diagram)
Poste objectives, grouped into Business objectives and Governance objectives:
Volume/Revenue
Profitability
Customer Satisfaction
Market share
Cost containment
Security
Reliability of information
Employee welfare
Process efficiency
Technological innovation
Regulatory compliance
Operational certainty
IT effectiveness and efficiency
Integration

Risk Model Poste (diagram)
Risks grouped into Internal risks / External risks and Operational risks / Non-operational risks:
Compliance
Partners/Suppliers
Legal context
Other processes
Administrative/Accounting processes
Monitoring/Reporting
Human resources
Attacks/External events
Competition
Socio-economic scenario
IT processes
Infrastructure/Technical resources
Planning
Human factor
Process/Systems design
Management governance and control
Market/Customer
Technology
Integration

Risk Model based on Goal Model: Objectives -> Potential risks -> Controls -> Residual risks
Business Case: Enterprise Risk Management framework adopted in 2006
ERM Business Maturity Checkpoints
1. Risk Framework
2. Control Risk Self-Assessment workshop
3. Strong professional development programs
4. Budget and incentive system incorporating Key Risk Indicators
5. Full risk management culture
II. A Unified Internal Control System
• Three Control Levels
• Optimizing Relationships
• Single Evaluation Criteria
Key points to an Integrated Corporate Governance Model
A Unified Internal Control System
Three levels of control activities within the Enterprise Risk Management Model
COSO components shown: Internal environment; Definition of Objectives; Risk Management; Control activities; Information and communication
1st Level Control Activity (Line Control)
2nd Level Monitoring Activity (Risk Management, Compliance, Controller)
3rd Level Assurance Activity (Internal Audit)
Reporting lines shown: Company Bodies; Audit Committee
Optimizing Relationships between Control bodies and functions, in relation to their assurance, consulting or other roles:
Informational Reporting
Communication by meetings and presentations
Providing Directives
Business Case: Reporting & Interchange between Governance & Control Bodies (diagram)
Bodies and functions shown: BOARD OF DIRECTORS; Court Auditors; Statutory Auditors; Compliance Officer; COMMITTEE; INTERNAL AUDITING; CFO; Risk Management Bancoposta; Compliance Function Bancoposta; Company Business Units and Depts; Internal Audit, Human Resources, Legal Affairs; Security/Risk Mgmt
Reporting topics shown: Overall Internal Control; Financial Reporting control; Risk and Compliance issues
Reporting frequencies shown: monthly; bimonthly; quarterly; semiannual; periodic
A Unified Internal Control System
Integrated methodology for business control identification and evaluation, focusing separately on:
Control Design
Control Operating Effectiveness
How to evaluate the Integrated Internal Control System (diagram)
Control Objectives; Risk Tolerance; Risk Acceptance
Control Design criteria shown: Reactivity; Coverage; Strength; Adequacy; Relevance
Operating effectiveness criteria shown: Red-flag analysis; Resources availability; Compliance verification
Effectiveness, Efficiency and cost effectiveness
Definition of a ‘control’?
Elements shown: Input; Standard; Input Capture/Measurement; Comparison input/standard; Correction; Output
A set of activities whose purpose is to identify and correct errors and anomalies in order to reach defined, risk-based control objectives.
Control Objectives, risk based (examples)
Quality and timeliness of operations
Reliability and integrity of Company information (financial and operational)
Proper and effective contractual relations with customers and suppliers
Compliance with Regulations
Prevention of fraud
Business continuity
Case study: quality cheese production
Control objective: Production of fresh cheese according to quality standards
Process:
Activity 1 - Supply request: For every fresh cheese lot, the Production Dept requests from the Purchasing Dept, up to 5 days before the fermentation process, quantities of milk supplies on the basis of approved monthly sales forecasts.
Activity 2 - Production: Upon supply of milk (<3 days) the Production Dept proceeds with: Pasteurisation (2 hours); Coagulation of casein (2 hours); Drainage of whey (1 hour); Pressing and salting (1 hour) (time frame automatically recorded in 3 of 4 phases).
Control over Production Time Standards: The Quality Dept verifies respect of production time standards. If non-compliant, it blocks the packaging process, requesting the lot to be destroyed and re-produced.
Activity 3 - Packaging: Following authorization given by the Quality Dept, the Production Dept proceeds to package the fresh cheese within 24 hours for delivery by the Distribution Dept by the next day.
Case study: quality cheese production - Control components
Control objectives: Ensure fresh cheese according to quality standards
Ensure the absence of pathogens in the milk
Ensure production-time for avoiding pathogenic generation
Ensure temperature-preservation for avoiding pathogenic generation
Control over Production Time Standards - components shown:
Time Limitation Standards
Actual time frame (automatic) - Information System
Check
Lot destruction when out of time standard
Replacement of Production lot
Authorization for packaging
Case study: quality cheese production - control evaluation
Control evaluation: scale of 1-5 (1-2 positive, 3-4-5 negative).
Control design attributes rated (chart): Discretion; Integration; Independence; Segregation; Automation; Adaptability; Traceability
Strength scenarios:
scenario 1: Known and positive design
scenario 2: Known; design non positive
scenario 3: Unknown design
Audit Program:
Test 1: Verify Information system utilized for standard check
Test 2: Examine sample of production lots checked by Quality Dept
Audit Exception Level: Test 1: 20% - Test 2: 5%
Control design evaluation: positive (2)
Control operating effectiveness evaluation: good (3)