Kickstart Internal Audit in 2014
Oct 20, 2015
© 2014 Protiviti Inc. An Equal Opportunity Employer. This document may not be copied nor distributed to any third party.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
Following the webinar, all attendees will receive a link to a
copy of the recorded webinar. You can download a PDF
version of the slides through the Attachments link.
If you are experiencing technical difficulties during the
webinar, let us know by clicking on the Questions link at the
top of your screen. Please provide your e-mail address for a
swift reply.
We will have a formal Q&A at the end of this webinar, but we
encourage you to submit your questions throughout the
webcast. We will address your content questions at the end
of the webinar.
If you are having trouble hearing the audio through the
computer, separate phone lines are available.
International +44 (0) 1452 552 630
United States +1 877 894 4122
Conference ID 31151469
A Reminder…
CPE and Supplemental Information
We are issuing 1.5 CPE credit for this webinar
• To be eligible for CPE credit, you must answer four (4)
out of the five (5) polling questions throughout the
duration of this webinar.
• You will receive your CPE certificate within 4-6 weeks
of the webinar.
• You can download the CPE Course Evaluation Form
through the Attachments link.
– Return this evaluation form to Lark Scheierman at
Protiviti via e-mail: [email protected]
• Download the PDF version of today’s presentation and
related publications through the Attachments link.
Trouble hearing the audio through the computer? Dial in! Phone: + 1 877 894 4122, Conference ID: 31151469
Today’s Presenters
Brian Christensen is a member of Protiviti’s executive leadership team and is
the global leader of the firm’s Internal Audit and Financial Advisory Solution. In
this role, he is responsible for the development and execution of Protiviti’s
internal audit products. He has more than 25 years of experience in helping
clients increase the value of their internal audit function. He holds a bachelor’s
degree in accounting from the University of Wisconsin. He is a frequent
speaker on auditing and risk topics at national conferences.
Dave Brand is a Managing Director in Protiviti’s Chicago office. He leads the
global IT Audit practice for Protiviti. He has over 15 years of experience working
with companies across multiple industries in the areas of IT auditing, computer-
assisted auditing techniques, audit formation, risk assessments and audit
committee reporting.
Today’s Presenters
Keith Keller is a Managing Director in Protiviti’s Atlanta office. He is a member
of the Financial Services team and serves as the market lead for the Internal
Audit and Financial Advisory Solution. Keith is a seasoned executive with more
than 30 years of business experience working with a variety of organizations to
enhance their business performance through risk management, operational
effectiveness and enhanced governance.
Definition of Internal Auditing
“Internal auditing is an independent, objective assurance and consulting activity designed to
add value and improve an organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.” – Source: The IIA
Supports Current Internal Auditing Practice Environment.
Fosters Enterprise Risk Management
Addresses Role of Internal Auditing in Governance
Increased Demands
The demands and expectations placed on internal audit are growing constantly, from:
• Management
• Audit Committees
• Standard Setters
– IIA Standards and Practice Advisories
– Regulatory Bodies
– New COSO Framework
• Regulators
And new and emerging risks are arising that need to be addressed.
Assessing Success in 2013
• Tone at the Top
• Process Issues
• IT Matters
• Risk Management
• Corruption Risk
• Sustainability
• Regulatory Matters
• Financial Reporting Matters
Kickstart 2014
Planning Ahead
As we enter 2014, what can we expect in the year ahead? No one knows for
sure, but change will be a big part of what is on the horizon.
• The challenges and opportunities highlighted
in this presentation are based on our
experiences and input from audit leaders and
their departments
• We spent 2013 in partnership with
organizations from around the world, through
benchmarking surveys, client projects, and
interviews, to gain insight into the key areas
of concern for their organizations
• We are happy to share our insight with you
today to help kickstart 2014
Different industries face different
issues and priorities. The
applicability and prioritization of
the challenges included in this
presentation will vary by industry.
Establish Open Dialogue
The complexity and velocity of change in an increasingly interdependent world are
altering the dynamics of doing business.
As a result of this presentation, we hope it will help internal audit:
• Provide observations and ideas for consideration by management, the board
and audit committees as they:
– Continue to navigate uncertainty
– Make and execute appropriate plans for the future
• Discuss major challenges the organization currently faces and will likely face in the
near term
• Summarize top-of-mind issues facing your organization and key stakeholders
Road Map for 2014 and Beyond
The sources drawn on in the rest of this presentation:
• Flash Reports and Bulletins
• IT Audit Survey
• IT Security and Privacy Survey
• 2013 SOX Survey
• IA Capabilities and Needs Survey
• Internal Auditing Around the World
• Regulations and Standard Setters
Poll Question #1
Do you believe you are well informed on
COSO’s updated Internal Control – Integrated
Framework 2013?
• Yes
• No
• Unsure
NASDAQ and NYSE
• In March 2013, the NASDAQ proposed a new rule to require listed companies to have
an internal audit function
• In light of the breadth and nature of the comments from its issuer community and
other stakeholders, the NASDAQ determined in May 2013 to withdraw its proposal so
that it may adequately consider these comments
• It also stated its intent to revise the proposed rule, taking into account the comments
received, and resubmit it
• NYSE currently requires all listed companies to have an internal audit function
– The exchange recently approved a one-year transition period for newly listed
companies to establish this function
• We expect the NASDAQ to offer this same flexibility to listed companies when it
resubmits its proposal
Auditor Rotation, Standards, and PCAOB Inspection Reports
• Mandatory Auditor Rotation – The House of Representatives approved a bill that prohibits the PCAOB
from forcing public companies to change or rotate their independent auditing firms
• Updates to IIA Standards – Standards 1110, 2010.A2, 2410.A1 and 2450
• New Practice Advisories – 2320-4, 2120-3, 2320-3
• On December 10, 2012, the PCAOB issued the report “Observations from 2010 Inspections of
Domestic Annually Inspected Firms regarding Deficiencies in Audits of Internal Control over Financial
Reporting”
– Summarizes inspection observations related to deficiencies in registered public accounting firms’
audits of ICFR for public companies
– Describes the most pervasive deficiencies
• On October 24, 2013, the PCAOB issued Practice Alert #11, which highlights areas in which significant
auditing deficiencies have been cited frequently in PCAOB inspection reports over the last three years
• PCAOB Reproposes Auditing Standard, Related Parties, and Related Amendments, Including
Amendments Regarding Significant Unusual Transactions
• PCAOB Auditing Standard No. 16, Communications with Audit Committees,
and Amendments to other PCAOB Standards Approved by SEC
SEC Action Against Fraud
Examples from 2013
Source: http://www.sec.gov/spotlight/fcpa/fcpa-cases.shtml
Archer-Daniels-Midland Co. - SEC charged the Illinois-based global food processor for failing to
prevent illicit payments made by foreign subsidiaries to Ukrainian government officials in violation of
the FCPA. ADM agreed to pay more than $36 million to settle the SEC's charges. (12/20/13)
Weatherford International - SEC charged the Swiss-based oilfield services company with
authorizing bribes and improper travel and entertainment for foreign officials in the Middle East and
Africa to win business. Weatherford agreed to pay more than $250 million to settle cases with the
SEC and other agencies. (11/26/13)
Stryker Corporation - SEC charged the Michigan-based medical technology company with violating
the FCPA by bribing doctors and other government officials in five countries to obtain or retain
business and make $7.5 million in illicit profits. Stryker agreed to pay more than $13.2 million to settle
the SEC's charges. (10/24/13)
Diebold - SEC charged the Ohio-based manufacturer of ATMs and bank security systems with
violating the FCPA by bribing officials at government-owned banks with pleasure trips to popular
tourist destinations in order to illicitly win business. Diebold agreed to pay $48 million to settle SEC
and Justice Department cases. (10/22/13)
Financial Services Hot Topics
Consumer Financial Lending and Deposit Products
• Mortgage Lending and Services
• Remittance Transfers
• Third-Party Risk Management
• Complaints, Issue Management and Responsible Business Conduct
• Fair Lending
• Unfair, Deceptive and Abusive Acts or Practices
• Specialized DFA Consumer Protections
• Anti-Money Laundering and Sanctions
• Common Issues
• The Role of Technology
Broker-Dealer and Investment Advisors
• New Data Collection and Reporting Requirements
• Disclosure and Reporting of Representative Compensation for Recruits
• Expansion of FINRA’s Minor Rule Violation Plan
• Hedge Fund Examinations
• Due Diligence and Supervision of Third-Party Service Providers
• Identity Theft Prevention/“Red Flags”
• Impact on Compliance Functions and Compliance Governance
COSO – Why Change
Environment changes that have driven the Framework updates:
• Expectations for governance oversight
• Globalization of markets and operations
• Increased complexity of business and organizational structures
• Demands and complexity in laws, rules, regulations and standards
• Expectations for competencies and accountabilities
• Use of, and reliance on, evolving technologies
• Expectations relating to preventing and detecting fraud
• Large-scale governance and internal control breakdowns
• Risk and risk-based approaches receive greater attention
Source: Chapter 2 of COSO Internal Control – Integrated Framework (2013).
[Figure: COSO Cube (2013 Edition). Source: Updated COSO Internal Control Framework FAQs – Second Edition]
COSO – What’s Changed
1. Codifies 17 principles that support the five components of internal control
2. Clarifies the role of objective-setting as a precursor to internal control
3. Reflects the increased relevance of technology
4. Incorporates an enhanced discussion of governance concepts (the oversight role of the board
and its committees)
5. Expands the reporting category of objectives to include non-financial and internal reporting
6. Enhances consideration of anti-fraud expectations in its own principle
7. Increases the focus on non-financial reporting objectives to broaden use
8. Adds approaches and examples for operations, compliance and non-financial reporting
objectives
Source: Updated COSO Internal Control Framework FAQs – Second Edition
COSO’s IT Implications
• Connecting IT to the COSO Principles
• Impacts to Existing IT SOX Documentation
• Linkage of COSO to Other Frameworks
• Impact of PCAOB Inspection Reports on IT Documentation
Register via the Attachments Link for our January 15, 2014 webinar where we will discuss the IT
implications associated with the 2013 COSO Framework.
Technology Considerations
Poll Question #2
Does your organization conduct an IT audit risk assessment?
• Yes, it is conducted separately from the overall risk assessment
• Yes, it is conducted as part of the overall risk assessment
process
• No, an IT audit risk assessment is not conducted
Audit Process Knowledge – Overall Results
"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 (tie) | Data Analysis Tools: Data Manipulation | 3.3
1 (tie) | Fraud: Monitoring | 3.4
2 (tie) | Auditing IT: New Technologies | 2.9
2 (tie) | Fraud: Fraud Risk Assessment | 3.4
3 (tie) | Data Analysis Tools: Statistical Analysis | 3.3
3 (tie) | Fraud: Fraud Detection/Investigation | 3.4
4 (tie) | Fraud: Management/Prevention | 3.5
4 (tie) | Computer-Assisted Audit Tools (CAATs) | 3.1
5 | Data Analysis Tools: Sampling | 3.4
Source: 2013 Internal Audit Capabilities and Needs Survey
Audit Process Knowledge – CAE Results
"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Data Analysis Tools: Data Manipulation | 3.2
2 | Auditing IT: New Technologies | 3.1
3 | Data Analysis Tools: Sampling | 3.4
4 (tie) | Computer-Assisted Audit Tools (CAATs) | 3.3
4 (tie) | Data Analysis Tools: Statistical Analysis | 3.3
5 | Fraud: Fraud Risk Assessment | 3.7
Source: 2013 Internal Audit Capabilities and Needs Survey
PCAOB Inspection Reports
The following are representative of the IT-specific findings from 2010 PCAOB
Inspection Reports:
• Placed unwarranted reliance on certain important system-generated data and reports
after underlying ITGCs failed testing; failed to identify/test manually generated
reports
• Failed to test controls over completeness and accuracy of delivery data received
electronically from vendors. Further failed to evaluate the implications of the
significant differences between the delivery and invoice date in testing unbilled
revenue
• Failed to identify that the issuer used spreadsheets, not the inventory application, as
the primary system for maintaining pricing and quantities, and failed to test any
controls
• Failed to select and test controls over user-definable settings in the issuer’s general
ledger system
IT Security and Privacy is a Priority
Information management as a strategic priority – CIOs are more active in
governance oversight and execution, along with crisis communications. More CIOs are
in place today within companies, reflecting a recognition that data is a critically
important asset that must be managed differently and even more effectively than other
assets.
Lack of key data policies – One in four companies do not have a written information
security policy (WISP) and one in three lack a data encryption policy.
Less-than-ideal data retention and storage practices – Few address data with a
detailed and comprehensive classification system. Many, in fact, treat all of their data
the same, rather than classifying it appropriately.
Unprepared for a crisis – In light of the many well-publicized data breach incidents
and numerous data breach and privacy laws, a surprisingly high number of companies
are not adequately prepared to respond to such a crisis.
Source: 2013 IT Security and Privacy Survey
Social Media Risk and the Audit Process
Source: 2013 Internal Audit Capabilities and Needs Survey
Top Technology Challenges
2013 | 2012
IT security: data security, cyber security and mobile security | Information security (including data privacy, storage and management)
IT governance | Cloud computing
Lack of ERP implementations, development and knowledge | Social media
Social media | Risk management and governance
Vendor management | Regulatory compliance
Cloud computing | Technology integration and upgrades
Emerging technology and infrastructure changes | Resource management
Big data and analytics | Infrastructure management
PCI compliance | Fraud monitoring
Business continuity/disaster recovery |
Source: Protiviti’s 3rd Annual IT Audit Benchmarking Survey
Sarbanes-Oxley Compliance
Poll Question #3
Does your organization have plans to continue
automating controls to gain efficiencies within the
SOX compliance process?
• Yes
• No
• Unsure
Poll Question #4
In the last year, has your organization experienced
an increased level of reliance by the external
auditor on the work of internal audit?
• Yes
• No
• Unsure
PCAOB Practice Alert #11
Highlights areas in which significant auditing deficiencies have been cited
frequently in PCAOB inspection reports over the last three years. These include
failures to:
• Identify and sufficiently test controls that are intended to address the risks of material
misstatement
• Sufficiently test the design and operating effectiveness of management review
controls that are used to monitor the results of operations
• Obtain sufficient evidence to update the results of testing of controls from an interim
date to the company's year end (i.e., the roll-forward period)
• Sufficiently test controls over the system-generated data and reports that support
important controls
• Sufficiently perform procedures regarding the use of the work of others; and
• Sufficiently evaluate identified control deficiencies
Source: Public Company Accounting Oversight Board Alert #11
PCAOB Practice Alert #11
• Risk assessment and the audit of internal control
• Selecting controls to test
• Testing management review controls
• Information technology ("IT") considerations
• Roll-forward of controls tested at an interim date
• Using the work of others
• Evaluating identified control deficiencies
Source: Public Company Accounting Oversight Board Alert #11
Sarbanes-Oxley Key Findings
SOX compliance costs are rising, as are external audit fees. However, for most
organizations, the cost of SOX compliance remains at a manageable level
Organizations continue to report significant improvements in their internal control
structures since Section 404(b) became a requirement
The automation of controls remains an enticing option and perhaps the “final
frontier” for achieving significant improvements and efficiencies
More companies are adjusting compliance efforts to focus on high-risk processes
and walkthroughs
External auditor reliance on these efforts continues to evolve, due in part to
guidance from the PCAOB
SOX compliance oversight responsibilities are shifting away from project
management to internal audit functions
Source: 2013 Sarbanes-Oxley Survey
[Chart: Changes in Sarbanes-Oxley Compliance Processes Over Past Year. Source: 2013 Sarbanes-Oxley Survey]
[Chart: Companies Are… Source: 2013 Sarbanes-Oxley Survey]
Managing Risk through Collaboration
Poll Question #5
Do the IIA Standards support internal audit’s role in
managing risk?
• Yes
• No
• Unsure
Internal Audit’s Role in Managing Risk
• Practice Advisory 2120-3: Internal Audit Coverage of Risks to Achieving
Strategic Objectives – The internal audit activity must evaluate risk exposures
relating to the organization’s governance, operations, and information systems
• IIA Performance Standard 2010.A1 – The internal audit activity’s plan of
engagements should be based on a risk assessment, undertaken at least annually.
The input of senior management and the board should be considered in this process.
• IIA Performance Standard 2120.A1 – Based on the results of the risk assessment,
the internal audit activity should evaluate the adequacy and effectiveness of controls
encompassing the organization’s governance, operations, and information systems.
This should include: (a) reliability and integrity of financial and operational
information, (b) effectiveness and efficiency of operations, (c) safeguarding of assets,
and (d) compliance with laws, regulations, and contracts.
Three Lines of Defense…
• The IIA’s Position Paper, The Three Lines of Defense in
Effective Risk Management and Control, addresses how
organizations can holistically mitigate risks in a business
environment that is continuously growing in complexity
• The paper is designed to provide guidance to
organizations regardless of their size or the level of
formality to their risk management approach
• It discusses the uses for risk management frameworks, but more importantly it
highlights a critical component that most frameworks do not adequately address:
how specific duties should be assigned and coordinated within the organization
Key Obstacles to Integration
and Alignment of Risk Management
• Poor alignment of strategy and risk management
• Growth of silos and/or lack of cooperation amongst
silo leaders
• Mismatches with stakeholder expectations
• Gaps and overlaps in ownership of risk/control
responsibilities
• Lack of engagement from risk and process owners
• Vague objectives and incoherent control
requirements
• Fragmented, diffused reporting of risk and control
data
• Conflicting points of view and duplicative efforts
(e.g., risk assessment, documentation, testing, etc.)
Understanding and
responding to a
changing risk profile
Have we articulated a statement of risk appetite?
How do we determine if we are doing the right thing in accepting, reducing, sharing or avoiding risk?
What are our emerging risks? How do we identify these and how often?
What are our top 10 risks?
Understanding Risk: Getting Started
Managing Risk through Collaboration
“Many organizations want to lower their risk profile by fostering a collaborative culture where everyone in the organization understands risk and their role in helping the business to manage and mitigate them.”
“The call for both greater collaboration, and an enterprise focus on risk, is accelerating internal audit’s path to the ‘top table’ in the organisation, where it can be a true partner to management and the board.”
Source: Internal Auditing Around the World Volume IX
Seeking Alignment
[Diagram: stakeholders (Executive Management, Board of Directors, Audit Committee, External Audit, Process Owners, Internal Audit) aligned around shared elements (Control Repositories, Systems, Models, Issue Management, Risk Assessment, Methodologies, Policies, Procedures, Quantification) and the functions of Legal, Security, Risk Management and Compliance]
Ten Major Challenges Facing Businesses
1. Regulatory changes and increased regulatory scrutiny may affect operations
2. Economic conditions in current markets may not present significant growth opportunities
3. Uncertainty surrounding political leadership may limit growth opportunities
4. Succession challenges and the ability to attract and retain top talent may constrain efforts to achieve operational targets
5. Organic growth through existing customers presents a significant challenge
Source: Setting the 2014 Audit Committee Agenda – The Bulletin Volume 5, Issue 5
Ten Major Challenges Facing Businesses (continued)
6. Ensuring privacy/identity management and information security protection could require resources the organization may not have; cyber threats could significantly disrupt core operations
7. Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations
8. Uncertainty surrounding costs of complying with healthcare reform legislation will limit growth
9. Anticipated volatility in global financial markets and currencies may create challenges
10. Other challenges, such as the inability of the organization’s operations to meet performance expectations as well as competitors; disruption of the organization’s business model; and an unexpected crisis that could impact the organization
Source: Setting the 2014 Audit Committee Agenda – The Bulletin Volume 5, Issue 5
Questions and Answers
Register via the Attachments link for our January 15, 2014 webinar, where we will discuss the IT implications associated with the 2013 COSO Framework.
Powerful Insights. Proven Delivery.®
• David Brand, Managing Director – Chicago, IL – Phone: +1 312 476 6401
• Brian Christensen, Executive Vice President – Global Internal Audit – Phoenix, AZ – Phone: +1 602 273 8020
• Keith Keller, Managing Director – Atlanta, GA – Phone: +1 404 443 8224