Copyright © 2013 Deloitte Development LLC. All rights reserved. 1
Internal Audit: Making Sure Your Own Defenses Are Not Your Weakest
Donna Epps, Partner, Forensic and Dispute Services and Service Line Leader, Anti-Fraud Consulting, Deloitte Financial Advisory Services LLP
Sandy Pundmann, Partner, Deloitte & Touche LLP
New Deloitte analysis of noncompliance
• Our analysis found that self-reported full compliance with the standards was remarkably similar for all types of entities.
• This suggests that the additional corporate governance and oversight that is required by an entity being a public company has little or no observable impact on the internal audit function’s compliance with professional standards.
• This could imply that those charged with governance either are not aware of the issue of noncompliance or do not consider compliance important.
Claimed full compliance with IIA Standards by entity type
Public sector/government: 52%
Not-for-profit/nongovernmental: 48%
Publicly traded company: 48%
Privately held company: 45%
Source: Deloitte analysis of IIA 2010 Global Internal Audit Survey data
New Deloitte analysis of noncompliance (continued)
Public company CAE-reported compliance with IIA Standard AS 1300, Quality Assurance and Improvement Program, by revenue/budget (USD)
[Bar chart. Categories (x-axis): Overall; $0.5 billion or less; $0.5 - $1 billion; $1 - $5 billion; $5 - $15 billion; $15 - $25 billion; $26 billion or more. Bar values as extracted: 38%, 26%, 36%, 36%, 49%, 47%, 63%. Y-axis: 0% to 100%.]
Source: Deloitte analysis of IIA 2010 Global Internal Audit Survey data
New Deloitte analysis of noncompliance (continued)
• Compliance with AS 1300 is reportedly only 26 percent for public companies with revenues of $0.5 billion or less; therefore, compliance with IIA Standards at those public companies may be as low as 26 percent.
• The major reasons given by CAEs for noncompliance are assertions that:
  – The standards are not appropriate for small entities
  – The standards require greater IA resources than are available
  – Compliance is not supported by management or the board
• The rate of compliance for entities with revenue or budgets over US$26 billion, where the first two reasons should not apply, is still only 60 percent.
• The core issue appears to be insufficient management and board support for their IA function to comply with the self-described “essential,” “mandatory,” and “basic requirements” set out in the IIA’s Standards.
Recommendations
Ask the head of internal audit:
• Has IA had an external quality assurance and risk-based assessment in the past five years? What were the results?
• Is the IA function in full compliance with all IIA Standards?
• If applicable, what are the reasons for noncompliance, when was the board informed of the noncompliance, and is there a formal plan to become compliant?
• If there is noncompliance, consult your entity’s legal adviser to understand potential legal and regulatory exposures that may arise. Identify potential reputational and other business risks, too.
• If there is noncompliance with IIA Standards, and hence also noncompliance with the IIA’s Code of Ethics by the chief audit executive, discuss the potential risks and the impact on the “tone from the top” that such noncompliance may create.
Recommendations (continued)
• Commission an independent strategic assessment of the IA function to identify other actions to help align it with your entity’s risks and obtain value from it.
• Work with your head of internal audit, CEO, and those charged with governance to consider any appropriate changes to bring your entity’s IA function promptly into full compliance with all IIA Standards and to align its activities strategically.
Internal audit maturity and value continuum
Attribute | Basic | ... | High-Value

Organization/People
Competency | Financial | Financial and Operational | Financial, Operational, and Strategic
Governance | No Involvement | Limited Involvement | Internal Audit as Adviser/Facilitator
Charter/Role | Financial Controls and Compliance with Policy/Procedures | Financial Controls and Operational Effectiveness | Business Controls and Risk Adviser

Processes/Methodologies
Risk Focus | Financial and Compliance | Financial, Compliance, and Operational | Enterprise Risks (Strategic, Operational, Financial, and Regulatory Risk)
Methods | Sarbanes-Oxley Controls and Compliance Checklists | Process and Controls Internal Audit Programs | Risk Intelligence Frameworks
Reports | Financial and Compliance Issues | Process and Operational Improvements | Proactive Risk and Trends Analysis and Dynamic Reporting

Stakeholder/Technology
Style | Corporate Police/Reporter | Consultative | Trusted Adviser
Perspective | Historical/Reactive | Current | Proactive/Future
Technology | Basic | Project Management and Administrative Systems | Data Analysis and Continuous Auditing/Monitoring
The value of internal audit
Modern internal audit functions play a vital role in creating and preserving value to meet the changing needs of the organization.
Not just compliance: Provide greater scrutiny of emerging risk areas, adding value to the business and insight to management.
Adds value up front: Increased involvement in strategic projects, advising on risk management up front.
Greater focus on untraditional risk areas: Incorporates untraditional risk areas in operations, finance, security, privacy, and technology risk management.
Infuses data analytics and technology: Seamless use of data analytics, visualization, and other leading practices in security and technology.
Market Requirements
• The NYSE requires listed companies to have an internal audit function.
• NASDAQ proposed a new rule to the SEC requiring that all listed companies have internal audit departments.
Value proposition of internal auditing for key stakeholders
What should you expect from your internal audit department?
Governing bodies and senior management rely on internal auditing for objective assurance and insight on the effectiveness and efficiency of governance, risk management, and internal control processes.
Internal auditing provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.
With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice and counsel.
Internal auditing is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes.
[Graphic: key terms – Risk, Control, Governance, Assurance, Integrity, Objectivity, Analyses, Assessments, Catalyst, Insight, Accountability, Independence]
The evolution of internal audit – strategist and adviser/facilitator
Basic (rotational) internal audit:
Risk focus: Rotational (Financial and Compliance)
Governance: No Involvement
Role: Assurance on Compliance with Policies/Procedures
Responsibility: External Assessment

Strategist and adviser/facilitator:
Risk focus: Enterprise Risks
Governance: IA as Adviser/Facilitator
Role: Enterprise Risk Advisory
Responsibility: Consultative Approach
The IA function is moving to higher maturity levels.
Questions for the CFO to consider
• Is the internal audit department properly funded and as cost-effective as possible? Does it have the resources it needs to meet expectations?
• Is internal audit responsive to the needs of today’s environment?
• Is internal audit cognizant of new laws, regulations, and best practices?
• Are internal audit personnel experts in their field, and can they proactively consult on internal controls and risk management?
• Is the internal audit process designed to identify whether the organization is controlling those areas that are important to control and not just what is easy to control?
• Have the audit committee, senior management, and the CAE reconciled their expectations for internal audit?
Questions for the CFO to consider (continued)
• Is internal audit focused on the right risk areas?
• How does internal audit relate to, and interact with, other risk management-related functions, such as legal, security, environmental health and safety, loss prevention, quality and risk management, compliance, and credit risk? Are there duplications of effort or gaps between internal audit and these groups?
• Has management reached a supportable conclusion as to whether internal audit complies with IIA Standards?
• Is the internal audit department viewed as objective and competent by management and the independent auditors?
• Is internal audit properly positioned in the company, and does it have the full support of management?
This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.