Promoting and Supporting Effective Organizational Governance

Managing
Internal Audit
Activity
 Current Scenario

Post Enron, the Wall Street financial crisis and global

governance failures have prompted the question:
Where was internal auditing in all this?

Hence, the questions:

• How can internal audit address governance?
• What do stakeholders want?
• What is internal audit delivering?
• What does it mean to audit culture?
• How can internal audit overcome barriers?
 Key Components of Governance
Oversight
Stakeholders

Ethical Values
Governance “Umbrella”
Board of Directors

Organizational Alignment

Risk Management Assurance

Senior Management
Internal External

Risk Owners

4
 Three Lines of Defense
• All three lines of defense
should exist—strongest
when separate, and clearly
defined.
• When blended approach
exists, apply safeguards:
• Report to AC directly.
• Ensure effective AC
and board monitoring,
and governance
oversight.
• Communicate and
document potential
risks of combining
lines.
• Consider an executive
to whom all internal
assurance groups
report directly.
It is effectively managed when….
• Results achieved the purpose and the
responsibilities included in the charter
• Activities conforms with the definition of
internal auditing and the standards; and
• Auditors and all individuals part of the audit
demonstrate conformance with the code of
ethics and the standards
 What do Stakeholders Want?
• Demand side for Governance and Strategic
Performance audits:
 Board cares more about governance failure risk
(value preservation orientation).
 Executive management cares more about
strategy/performance risk (value creation orientation).

• The majority of CAEs (57%) report that their board or

equivalent supports internal audit reviews of governance
policies. This perception was fairly consistent across
regions with a high of 65% and a low of 52%.

8
 Specific CAE Role
• Planning (Goals-realizable within specified operating plans;
Engagement work Schedule-activities, when,
estimated time; staffing and fin budget)

• Communication and approval-submit to senior

management for approval and Board for info summary of audit activities’
work schedule, staffing and fin budget annually

• Resource Management-job description, requirements,

promotion criteria, adequate salary, organizational expectations, IA engage
in personnel planning (selecting qualified staff, training needs, performance
appraisal, counsel on performance and professional development)
• Policies and Procedures-Personnel Manual
objectives and goals; history, fringe benefits, vacation and sick leaves pay policies,
dev n training programs. Audit Technical Manual
(a)General/Specific (engagement class; theory n purpose of IA; engagement
scope, work program and time budgets’ working papers, engagement
communications, internal controls, internal administration, performance standards;
(b)Special technical topics (IT auditing; Statistical Sampling; Procedures for
suspected fraud; fraud investigation) (c) Administration of individual engagement
(Notification to client; preliminary survey and work program; time budget and
changes; engagement procedures; changes on engagement work programs;
working papers preparation, review and control; communication draft review with
clients; Format and review; Clients reply and follow up on observations and
Administrative Policy and
recommendations).

Procedures Manual (internal audit charter; relationship of IA with

other organizational units; responsibilities of personnel; IA activity and Org Chart;
delegation guide; uniqueness of IA activities; Personnel records; travel instructions;
expense reports, time reports, staff evaluation; Filing system; Report preparation
review; engagement research responsibilities; training and education programs.
• Coordination-CAE should share information and coordinate
activities with other internal and external providers of relevant assurance
and consulting services to ensure proper coverage and minimize duplication
efforts.
 What can Internal Audit Bring to the Table?
 Provide independent, objective assessments on:

 The appropriateness of the organization's governance structure and

process
 The operating effectiveness of entity-level controls and specific
governance activities

 Act as catalysts for change by:

 Advising or advocating improvements to enhance the organization's

governance structure and processes
 Providing assurance on the governance processes within an
organization
 Facilitating governance best practices

12
 Internal Audit Governance-Related Activities

 Governance Assurance Engagements

 Information integrity: relevant, reliable, and timely information for
strategic decision making
 Assuring information integrity of decision-relevant inputs, thus allowing
board/executive management use of information with confidence
 Typically in “little bites” (the “nudge” approach)

 Governance Consulting/Advisory Services

 Providing decision context, interpretation, and insight
 Conducting comprehensive, enterprise-wide reviews to improve
governance structures and processes
 Educating the board and facilitating governance best practices (e.g.,
board self-evaluation)

13
 Internal Audit Skill Sets
• Need ability to identify and assess hard
and soft measures of organizational
culture

• Need to combine subjective and

objective information

• Need confidence in relying on qualitative

factors or intuition
 Auditing Culture
Culture—“the way we do things around here” (Bower)—embeds many
intangibles (e.g., soft controls) that pose audit challenges.
• Management and board competence, philosophy, and style
• Mutual trust and openness
• Strong leadership and powerful vision
• High performance and quality expectations
• Shared values and understandings
• High ethical standards

Strategies for Addressing Culture

• Communicate with senior executives about their views of governance
culture.
• Develop trust with the audit committee that allows subjective judgments.
• Find a champion who supports auditing organizational culture.
• Define roles of what internal audit can realistically do to help improve
organizational governance.
• Consider incorporating governance audit into internal audit charter.

16
 Good Strategy is not Enough!

“Culture eats
strategy for
breakfast.”

Peter Drucker
 Culture-Driven Governance Challenges
A Risk-based Approach
 Availability of resources with relevant subject matter expertise,
industry knowledge, leading practices, and tools and technology
 Fear that potential fraud risks are not being addressed

Better Overall Process

 Higher expectations from management and AC time/resource
constraints on Internal Audit

Better Risk Management Leadership

 Getting the right input from top management and the board
 Enhancing top management/board risk management capabilities

Better Knowledge of Limitations

 AC’s and management’s level of understanding of the Internal Audit
function

18
 Internal Audit Governance
Responsibilities—TODAY
Seeking to understand stakeholder expectations, and evaluating
effectiveness in meeting those expectations

Developing appropriate internal audit soft skills to add value to the

organizational governance process

Developing and demonstrating strong communication skills to

effectively convey findings and recommendations

Embracing and executing a balanced, risk-based audit plan

Providing leadership on issues of corporate governance, risk

management, internal control, compliance, financial reporting, and
fraud

Willing to challenge status quo, and operating as change agents

19
 Internal Audit Governance
Responsibilities—FUTURE
Internal auditors who step up and effectively address the challenges
can demonstrate their positive contributions.

They will:
• Be recognized as effective leaders, and continue to elevate their
stature and reputation in the workplace

• Likely get additional challenges as their role continues to grow in

importance

To Be Successful: Strive for improvement through innovative

techniques and practices (e.g., using leading indicators of risk and
performance, key risk indicators [KRIs] and KPIs), professionalism,
continual development, and dedication to the profession.
 …Final Internal Audit Thoughts
Stakeholders will look to us to focus on compliance and governance improvement,
with more emphasis on governance improvement.

Strategic and Value

Advisor
Business Insight
Investment in Internal Audit

Monitor Control and

• Strategy-driven
Compliance
• Data-driven approach approach
• Focus on control and • Focus on key initiatives
• Risk-driven approach
process effectiveness • Industry expertise
• Leverage automated • Leverage KRIs and KPIs • Process and controls
controls and data
analysis
• Leverage benchmarks optimization
• Expanded risk coverage • Share leading practices • Operational auditing
(internal and external) • Functional expertise
• Efficient monitoring
• Leveraging ICFR, • Data modeling
compliance and fraud
Foresight
Insight
Hindsight

Value to Organization

21
 Can an Internal
Audit Activities be
Outsourced?