François Tabourot, Executive Vice-President Antoine Damelincourt, GRC Consultant
Turn Internal Audit into an Operational Governance Tool
Integrate Audit Into Your Risk Management Perspective
Turn Internal Audit into an Operational Governance Tool Internal Audit can be transformed into an Operational Governance tool. To succeed, however, top management must be willing to implement a new operational governance policy founded on the analytical data gathered by Internal Audit. Is your organization ready to face this change? As per the IIA definition, Internal Audit is “a department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” This definition highlights the two potential roles of Internal Audit; both the traditional and accepted role of Compliance Review and the relatively newer role of consultancy advocated by industry experts and stakeholders.
All actors involved in Internal Control (regulator, consulting firms, and professional bodies such as the IIA) agree: Internal Audit needs to take into account the risks the company faces. Some experts go even further, arguing that, in the absence of a dedicated risk function, Internal Audit should lead the Risk Management process for companies and should spearhead the constitution of a Risk team, if one is lacking. These recommendations are both of a tactical nature, like advocating the use of a risk based approach to create an Audit plan, and of a strategic nature with the inclusion of Internal Audit in a global, holistic Enterprise Risk Management (ERM) framework. However, even if a consensus is clearly reached in many position papers and frameworks, a sobering fact remains: Internal Auditors themselves declared in an IIA survey from March 2011 that the two main obstacles to integrating their function in a Risk Management framework are “that it is beyond the scope of Internal Audit” and “lack of support from management”. Does the fact that Auditors consider Risk Management “beyond their scope” mean that the Audit department exists only in a vacuum, separated from the ERM universe? Does Audit’s well known independence isolate them from an enterprise-wide holistic risk management program? Does “lack of support from management” indicate that Internal Audit is not considered significant? Or at least not significant enough to accomplish more for the company? In order to reconcile the collective theoretical vision of an integrated ERM framework naturally encompassing the Audit function with the actual implementation of such a
©MEGA - May 2012
vision, it seems critical to educate and convince top management of the potential value of a risk-focused Internal Audit function. What facts, what ideas, what value proposition would convince executives to adopt a holistic ERM framework aimed at managing the company’s risks, using Audit as the backbone of the company’s system of defense? The answer to these questions is twofold. First, the challenges of Internal Audit today, in light of the recent changes in environment, must be clearly exposed and understood by all parties involved. Second, the potential benefits of an integrated approach through ERM have to be evangelized. Switching to a risk-based, integrated framework will allow a company to identify, assess, address, and monitor the risks that could prevent the company from achieving its objectives, with improved cost-efficiency and maximized business value. It does not call for a complete overhaul of the Internal Audit function but rather for a shift in the way Audit is integrated in the company’s overall Risk Management and control policy. It will enhance governance by providing the Audit Committee with consolidated, comprehensive, and detailed – but risk-centric – reporting and recommendations.
©MEGA - May 2012
The New Challenges of Risk Management
The past decade, capped by the financial crisis, has brought many changes to the risk environment in which companies are operating. New risks have emerged, existing risks have dramatically increased and in both cases require more thorough and deliberate attention today. On top of that, control regulations have clearly proliferated, not only within enterprises but also at industry, country, continent and worldwide organization levels. These changes have made the need for reliable Internal Audit backed by strong management support that much more crucial.
An Increased Workload New Regulations, New Obligations Clearly, the new regulations of the last decade and the obligations they impose on companies are a radical environment change in themselves. Firms now have to adjust their operations and their control framework to comply with new sets of regulations. This regulatory pressure has been expressed by CEOs as their primary risk concern; in a 2012 Gartner survey, 22% of surveyed CEOs placed regulatory issues at the top of their risk list1. This issue has organizations facing two separate pains. Firstly, attaining and maintaining compliance is costly. Secondly, new regulations immediately create new risks of non-compliance with these regulations. Complying with the new regulations has both a direct and indirect impact on the bottom line. Direct impact may include increased cost and fines for non-compliance; indirect impact may include damage to reputation or image. In the US, for example, the Dodd-Frank Act has imposed stringent reporting obligations on financial institutions. Even if this law does not yet call for a specific and systematic process to be implemented, it still adds new requirements to which companies must comply. Many controls and policies have to be implemented (the tally is now at over 3,000 pages and counting with 396 rules currently on the roster) and maintained in order for the firm to be compliant; lack of compliance here could have significant negative impacts as mentioned earlier. Finally the Dodd-Frank Act adds new constraints on the relationship with regulators, on the release of financial products on the market, and its strong focus on consumer protection adds operational constraints on day-to-day business processes, including the implementation of new rules in an existing framework. The impact of the Sarbanes-Oxley Act has already been debated extensively by consulting firms guiding organizations along their compliance journey. At the heart of SOX, the 404 Top-Down analysis puts an additional burden on companies, forcing them to devote resources to a thorough examination of their accounting risks. It is interesting here to note that the PCAOB Auditing Standard 5, designed to guide accountants in their application of SOX, states that this 404 analysis is “an audit of internal control over financial reporting 1
Gartner CEO Survey, March 2012
©MEGA - May 2012
that is integrated with an audit of financial statements”, and advises firms to use the risk analysis to rank their risks by priority in order to focus on critical risks and better allocate resources. Consumer protection and safety improvement have been legislative concerns for many years. Whether it is hygiene and cold chain for the food-processing industry or workplace safety rules for construction and manufacturing, every sector is now subject to an increasing set of rules, controls, regulations and guidelines that impact their operations. Not only do the companies need to operate in compliance with these rules, they also have to control and maintain their enforcement while doing business as usual if time allows! The regulatory inflation obviously adds significant expense for organizations, consuming money but above all resources and manpower. In a highly regulated, control-heavy environment, Internal Audit departments add significant value, thanks to their methodological, systematic approach. Compliance reviews, top-down analysis of controls, or exhaustive risk evaluation are tasks for which the Audit function is particularly well suited. They can focus an independent and objective eye on the company’s operations and bring the organization closer to compliance. In that respect, the increase of regulatory obligations is an opportunity to set up an empowered Internal Audit function. A Consensus among Stakeholders and Experts The need to reinforce the role of Internal Audit seems all the more obvious if we consider the outstanding literature published on this subject by Risk Management experts. Consulting firms (including the big four), think tanks and professional bodies all recognize the need for effective risk management, which can be achieved by strengthening the Internal This new role would have Internal Audit function in an ERM framework.
Audit involved in assessing risks companies face and acting as a general advisory body to senior management on the state of the organization’s performance in terms of Risk Management.
In 2004, COSO published its framework on Enterprise Risk Management2, advocating a comprehensive approach to the Risk Management process. The key to this comprehensive approach is to have all members of the organization committed to achieving Risk Management objectives. According to the COSO ERM Framework, Internal Audit should have an expanded role in Risk Management. This new role would have Internal Audit involved in assessing risks companies face and acting as a general advisory body to senior management on the state of the organization’s performance in terms of Risk Management. The enhanced role of Internal Audit as outlined by COSO in 2004 has been further expanded by consulting firms in their latest white papers. All of them insist not only on the need for a comprehensive Risk Management framework but also for the key role Internal Audit has to play within this framework. Ernst & Young, for instance, advises that Internal Audit should use a “3D control rating” in order to provide the Board with a clear view of
COSO, Enterprise Risk Management Integrated Framework, 2004
©MEGA - May 2012
Control performance3. In a March 2011 joint white paper, Oracle and the IIARF argued that Internal Auditors have the necessary skills to tackle risks within the organization4. Such a role is supported in the paper by statistics from a survey on the role of Internal Audit, showing that Internal Audit still has a long way to go before it reaches its proper place within the Risk Management framework. Finally, KPMG presents its recent Audit consultancy services offer by emphasizing the role skilled Auditors can play in managing risks for an organization seeking to outsource its Internal Audit function5. The consensus among experts is that Internal Audit should be part of a holistic, comprehensive Risk Management program. In addition, companies today are confronted with a particularly hostile economic environment and an even greater need for effective control to support operational excellence objectives.
Risk Management: an Operations Governance Practice Involved Management The accumulation of financial scandals, frauds, bankruptcies, and more generally, Risk and Control Management failures over the past few years, like a splinter in the corporate foot, serve as a painful reminder that Internal Audit matters. It is particularly hard to recover from a scandal caused by a governance failure, and in some cases, as Lehman Brothers proved, it is impossible. Clearly, the first benefit of a powerful, efficient Risk Management framework should be the assurance that such failures would not happen and threaten the very existence of the organization. “Too big to fail” has proven For a Risk Management to be ineffective. effective, senior management
must listen to risk management The issue with some of the past Risk professionals and support their Management failures is not so much that a risk framework was not in place, it usually mission. was. The problem was management did not always heed the warnings of its risk managers, or worse, ignored them. For Risk Management to be effective, senior management must listen to risk management professionals and support their mission. If Internal Audit detects weaknesses but its report to the Board are not acted on, the auditors’ efforts have been in vain and the resources consumed during the audit have been wasted. Even if the cost of detecting the problem has been spent, the risk remains unmanaged. An effective audit must have the support of senior management. Risk Management in general and Internal Audit in particular can significantly contribute to operational excellence only if their recommendations prevail over any other company constraint. A Constant Need for Informed Decisions Today, knowing how to make business decisions with regards to the risks they gene3
Ernst & Young, 5 Insights for Executive : Risk & Control, 2011
IIARF sponsored by Oracle, Internal Auditing’s role in Risk Management, March 2011
©MEGA - May 2012
rate is the number one skill expected from management. Organizations develop their business in an increasingly competitive and risk-intensive environment. Managers now arbitrate in a depressed economic situation Managers now arbitrate in a which narrows the leeway between risk and depressed economic situation operational performance. Companies are vying for every available bit of market share. The which narrows the leeway crucial need for performance can itself lead between risk and operational to new risks.
Innovation is one of the best examples where new technologies, that are novel by definition, generate literally unknown risks. Yet one must venture into unknown territories to outstrip competition. It basically comes down to a balanced decision between the rewards of investment in a new domain and the risks that come with it. In such a decision process, operations management should “embed” risk management for well informed decisions. Another significant impact is the shrinking part of profit from financial revenue for organizations and shareholders. They now have to increasingly rely on their operations for revenue generation. This return to the real economy, as opposed to the finance based growth, adds pressure on operations to perform at a high level. Therefore, risks have to be managed efficiently in order to prevent them from threatening the success of the operational processes. In the already mentioned Gartner 2012 survey, one of the key findings was according to CEOs “most of the top 15 business risks are associated with maintaining operating margins”6. In this economic downturn, companies need to focus on a realigned economy. It is through the excellence of their operations that they will create value and growth. And it is in that respect that Internal Audit has a critical role to play, or an opportunity to seize.
Gartner, op cit
©MEGA - May 2012
Benefits of an Integrated Risk-Audit Approach
Increased Internal Audit efficiency Better Resource Allocation In a “do more with less” world, it becomes crucial to get the most benefit possible out of limited resources. There is no reason why this constraint would not affect Audit departments: companies have a finite pool of internal auditors and they have to cover an ever increasing range of risks, obligations and procedures. Why should a risk-based approach to Internal Audit be the appropriate answer? Following the principles exposed by the SOX 404 audit, a periodic ranking of risks by exposure and severity will allow organizations to better allocate their resources to the risks that could really jeopardize the operations. All risks should be covered of course, but depending on the value at risk, it seems only logical, almost instinctive, to focus first on the most potentially damaging ones. Furthermore, risk rankings like these would also make for efficient staffing, putting the most senior auditors with the most appropriate skills on the most challenging risks. In terms of resource allocation, a risk-based approach to Internal Audit makes perfect sense. Stakeholders appear to be aware of that need, as demonstrated in a recent survey on the evolving role of Internal Audit, which Forbes Insights conducted on behalf of Ernst & Young. In fact, 74% of respondents believed that there was “room for improvement”; even more disturbing are the 56% who do not believe Internal Audit is helping their organization and the more than 63% who declare they do not include Internal Audit in the strategy and business decisions7. Internal Audit as a Performance Lever Better resource allocation efficiency is not the only benefit of adopting a risk-based Internal Audit approach. By assessing the risks, this approach provides a more accurate performance review of the Risk Management framework. A successful Audit whose recommendations have been implemented Audit gives management more should lead to a lowered risk score in subsequent assessments. It will become control over operations by reporting easier to manage Audit efforts in the long periodically and methodically run and paint a clear picture of Audit pertheir level of performance and formance expressed in business terms.
highlighting potential room for improvement.
Simply put, Internal Audit provides management with the required feedback on the Audit function work within Risk Management. It is not only a simple measure of the Audit function’s success, but a potential indicator of business performance. Additionally, 7
Ernst & Young, Unlocking the Strategic value of Internal Audit, November 2010
©MEGA - May 2012
Internal Audit reviews and evaluates each process periodically. This means that Internal Audit will eventually cover the entirety of the company’s processes, hence ensuring exhaustiveness of the performance assessment and providing a basis for operational performance trends analysis. Internal Audit gives management more control over operations by reporting periodically and methodically their level of performance and highlighting potential room for improvement. The international consulting firm PWC actually emphasizes the importance of metrics and an “Audit Scorecard”8 in managing Internal Audit; they even go one step further, advocating the use of these scorecards to serve as basis for annual evaluation of the whole organization. Audit then becomes a performance driver and measurement for the company.
An improved Overall Risk Management Framework Internal Audit’s Contribution While the Audit Department’s resource allocation process may be efficient, the real measure of its quality is to be found in the actual coverage of the company’s risks. Once again, if the company’s management does not heed the warnings and findings of Audit, all efforts will have been for naught. Furthermore, Audit should work in coordination with various departments in order to deal with risks. Since Audit is not the sole department responsible for managing the company’s risk, one of the key success factors is the ability to coordinate their actions with other departments. There lies the value of a companywide framework devoted to the prevention of risks. This is what is known as an ERM framework. It should be noted that right after the publication of COSO’s white paper on ERM9, the IIA published its own paper on the role of Internal Audit in such Establishing a holistic risk a framework10, showing the interconnection management framework, with between the two subjects and the fact that Internal Audit at its heart, allows Internal Audit belongs in the ERM sphere.
for a more exhaustive coverage of risks.
Establishing a holistic risk management framework, with Internal Audit at its heart, allows for a more exhaustive coverage of risks. Audit’s main assets are its proven methodology and the skills of its auditors. Increasing their involvement in Risk Management results in two main advantages: –– Auditors can use their understanding of each of the company’s processes to better identify and analyze risks either impeding or resulting from that process. Especially with adequate staffing, auditors have knowledge and experience that can be extremely beneficial to the company in a Risk Management capacity. –– The methodical approach ensures exhaustive coverage of the company’s operations, 8
PWC, Maximizing Internal Audit, 2010
COSO, op cit
IIA, The role of Internal Auditors in Enterprise Wide Risk Management, September 2004
©MEGA - May 2012
leaving little to no blind spots. Internal Audit’s principal mission is to cover every company process on a regular basis. They know the processes and they go through them regularly, thus being able to notice changes and trends such as increased risk or improved performance. Putting Internal Audit at the heart of the of risk management system, is simply taking advantage of the knowledge and expertise of professionals who are best equipped for such responsibilities. The Need for Coherence The coordination of the various departments involved in Risk Management is the key for having an efficient ERM framework in place. In addition to Audit, many departments are involved in Risk Management. Operational Risk, Compliance, Quality, Legal, IT Security, Finance, etc. One could even argue that all departments are involved as soon as whoever owns an asset or a process in fact owns the risks and controls associated with this asset. However, what should be a strength is too often turned into a weakness because of conflicting and redundant tasks. In a finanIn order to get the best results cial company, the Compliance department from an audit mission, auditors sets up tests and controls relative to the should be able to access all appropriateness of products to certain caterecommendations and action plans gories of customers. Internal Audit controls the new product creation and approval proresulting from other departments, cess. Clearly, there is room for synergy raand hence avoid redundancies ther than just leaving blind spots: Internal while consolidating them. Audit can use the results of the tests run by Compliance, and Compliance capitalizes on the observations made by Audit. The need for compliance obviously involves Internal Audit, Compliance and ORM because all of them are involved in risk assessments. A debriefing and common review of findings could make these assessments easier and more accurate since they would benefit from multiple and consolidated perspectives. The same idea applies to recommendations and action plans. In order to get the best results from an audit mission, auditors should be able to access all recommendations and action plans resulting from other departments, and hence avoid redundancies while consolidating them. Besides an improved risk coverage, the need for consistency can lead to making Internal Audit responsible for ensuring that attributions of each department in the risk management framework are established and followed. It can even go one step further by making sure that process owners are made aware of and responsible for their controls and risks. For many companies, the perception is that control owners also own the risks. That’s wrong. Accountability is in Operations and Internal Audit can and should ensure that ownership is correctly attributed. Such a framework allows all functions involved in Risk Management to present a united front and a single source of consistent information to the Audit Committee and
©MEGA - May 2012
to management. It means better collaboration and coordination between stakeholders, consolidated and consistent reporting and efficient connection between the Risk Management and the Board. Stakeholders speak with one voice, make the message much clearer, stronger and above all… harder to ignore! An article published in 2005 by Internal Auditor11 emphasizes the role Internal Audit could play here, describing it as a “cornerstone of corporate governance”.
Improving Operations Management Even within a streamlined, efficient Risk Management system like the one described above, Internal Audit is still viewed as a necessary evil or just waste of time. We’re here to tell you this perception is wrong: putting the exposure to risk under control is in itself a significant benefit, demonstrating that Internal Audit creates value. When integrated into a holistic ERM framework, Audit provides two main benefits: it plays the role of an internal insurance policy, and it directly contributes to operational efficiency. Generating Value By its most basic definition, Risk Management is a way of guaranteeing that the company’s processes reach their objectives with an agreed upon exposure to risks, by preventing the occurrence or limiting the consequences of these risks. Keeping this definition in mind, we can say that Internal Audit can help a company reach its objectives more safely and that it is a key contributor to operational efficiency. Internal Audit findings can lead to process improvement by detecting underperforming areas. A flaw detected by an audit will be the target of a recommendation which will in time solve the issue at hand and improve the targeted process. That is the most obvious way in which it can be used as a performance improvement tool, but there are other, less direct ways. For instance, detecting a Compliance breach does not create value for the company, but, should that breach come to the attention of a regulator, then the company could suffer direct losses (i.e. fines, decline in sales, etc.) or indirect losses (i.e. damage to reputation and image). In these cases, Internal Audit can prevent losses, which is another way to generate value for the company. The importance of preventing losses, especially reputation losses, cannot be stressed enough. One breach of compliance, one commercial mistake, could cause a social media storm with dramatic consequences. It is not surprising that Reputation Risk is ranked in an Economist Intelligence Unit as the highest risk facing companies today with an index score of 52. Compliance and Regulatory risk scored second with a distant 4112. Incidentally, these are two types of risks that Internal Audit should strive to get under control. Internal Audit’s Tools Do Support Governance Internal Audit uses business processes to structure its work. Audit missions, findings and recommendations are structured by business processes, and the Audit department 11
Getting a leg up, Internal Auditor, June 2005
Digital Risk: the challenge for the CRO; Economist Intelligence Unit; September 2005
©MEGA - May 2012
is supposed to audit all the processes of the company in a given amount of time, as described in the Audit program. It means that each business process of the organization is audited, reviewed, its risks assessed and its areas of improvement identified. As a result, there are a multitude of metrics and indicators that exist to measure each process performance. Risk Assessment scores have already been mentioned above as a management tool, to monitor how risk levels evolve with time, but it is possible to go even further. We suggest using statistics already available through the Internal Audit work to monitor and manage operations performance. For instance, the number of recommendations could be an indicator of the room for improvement on one process. Taking this a step further and checking this indicator periodically would also allow stakeholders to view the average time for completing a recommendation, thus understanding the reactivity of the people involved in the process. Evaluations of the risks or the controls (both their design and their execution) are also a way to gather data relevant to business performance improvement. Evaluation of the controls can also be particularly useful to design a Business Continuity Plan. All in all, we strongly believe that Internal Audit can significantly contribute to operational performance, provided the information is circulated and shared across the organization. Above all, we advocate that all the work already done by auditors is capitalized upon. Every item that can be used should be used, especially if it is easily available in a data system, to drive performance forward. This is a crucial condition for the Audit Department to efficiently contribute to enterprise performance.
©MEGA - May 2012
Turn Internal Audit Back into an Operational Governance tool
Over the years, companies have strengthened the support functions directly involved in business operations. Their goal was to optimize and improve the company’s business organization and operations, while taking into account an ever changing business environment. The finance department was first, but IT, HR and Quality Management have all been reinforced. To optimize these functions, a large range of methodologies have been developed: Just in Time Manufacturing, Participative Management, Total Quality Management and Process Optimization, just to name a few. At the same time, globalization and increased competition led companies to consolidate their positions through mergers and acquisitions, relocations abroad, and joint ventures; these practices were further boosted by financial market dynamics. Traditional optimization efforts were pushed to the background as the focus shifted to purely financial gains. It is in this context that Internal Audit appeared as a safeguard against abuses. However, as a result of the financial crisis, the increase in energy costs and the economic realignment in the world, we are witnessing resurgence in process optimization and continued improvement. Companies are striking a better balance between financial and operational governance, which is helping to optimize business operations. At MEGA, we strongly believe that the knowledge, skills and competences of internal auditors are the best way to face economic challenges. Their relationships with the CFO, the Audit Committee, shareholders, and advisory boards, coupled with their independence and impartiality, are the way to meet 21st century challenges.
©MEGA - May 2012
MEGA International: the company
–– Created in 1991 –– 300 people –– 130 consultants –– More than 2,400 clients –– More than 75,000 users in more than 40 countries –– 8 offices: France, Italy, UK, Germany, USA,Mexico, Japan, Singapore –– More than 25 partners all around the world In 2011 MEGA is named a leader in Enterprise Architecture by the major analysts Gartner and Forrester.
©MEGA - May 2012