EYe on Internal Audit
Roundtable
December 8, 2009
Internal Audit’s role in effective risk coverage
Albeit painful, progress ultimately results from turbulence. The current turbulence is causing companies to challenge their risk management processes and ask how they can further improve their risk management efforts. Recent events have impacted approaches to risk management and organizations’ abilities to identify and manage different types of risk. Never has there been a more critical time to define a path forward for the “future of risk.”
Internal auditors have a significant opportunity to help audit committees and senior management enhance their organization’s risk management activities. According to risk professionals, the financial crisis and its aftermath have raised the necessity to change the approach to risk.¹
¹ Source: InSights for European Audit Committee Members – Issue 7 – April 2009 (Tapestry Network)
The following topics have been discussed by the Roundtable attendees.
The approach to risk must be more holistic
The ultimate responsibility and ownership for Risk Management should reside with the Board & Senior management. As a best practice, strong support from top management is considered to be a prerequisite for embedding a valuable risk management process.
In some companies we see ‘separate’ risk functions taking over (a part of) the responsibility from line management. This is considered an undesired development, as it creates the possibility of a disconnect between managing the risk and the day to day business. Responsibility for Risk Management should remain with (or be brought back to) where risks occur, in day to day management processes. Management ownership will also encourage a broader view of risks as they occur on a continuous basis.
On December 8, 2009 Ernst & Young hosted the next in a series of Internal Audit Roundtable discussions.
Key topics covered during this EYe on Internal Audit Roundtable:
1. Internal Audit’s Role in effective risk coverage
2. Capital project assurance
Below we will share with you the insights from the discussions between the participants.
One of the examples discussed is the emerging risk of third party relationships. As the economic downturn has significantly weakened the financial resilience of some companies, the risk of continuity of supply (or of the financial investment) might become more important than before. Management should implement the right procedures around third party risk assessments (as part of their normal operating procedures); rights to control these risks (e.g. third party audits) are considered a higher priority than before.
Company’s perspective to risk must be more dynamic
The world is changing rapidly and so are the key risks for a company. The impact of emerging risks can influence a company’s objectives both on the short and the long term. Risk Management should therefore not only focus on impact and likelihood. As a separate dimension, timing becomes more apparent; this relates both to the frequency of the risk assessment (more frequent than before) and to the timing of the risk response, as risks emerge quicker and response time is shorter.
An interesting example that came up in the discussion is cost reduction programs. Risk Managers should review the impact of cost savings on the short and long term objectives and regularly update the risk assessment. An example of a specific program risk is not realizing the identified benefits. The risk of the cost reduction program itself should also be considered for scoping, as programs bear specific risks in themselves, such as headcount reductions, asset valuations etc.
The risk horizon must extend further into the future
Alignment between risk management, the strategy and long term business planning is an important cornerstone. Aligning the horizon between the two is achieved most efficiently and effectively when Risk Management and performance management are well aligned. This will also provide management with a constant focus on risks and integrate the management of these risks into the business processes. Managers who decide about the business should also decide about the risks relating to that business. While the opportunities are considered, the related risks should be identified and managed as well.
Culture: a prerequisite
One of the recurring themes in the discussion is embedding risk management in the culture of a company and its people. If risks are not managed properly by the business, management (possibly through Internal Audit) should identify the root cause and the incentives that initiated this behaviour.
Bringing the responsibility back to where it belongs (with line management) also means educating the business in risk management capabilities. A strong driver for an effective implementation and continuing execution should be the tone at the top.
An interesting twist to this discussion was that diversity programs within companies could further enhance Risk Management capabilities. Due to distinctive differences between the cultures, sexes, ethnicity and backgrounds, a broader view on risks can be achieved. As an example one of the participants mentioned that females are more responsible by nature and therefore easier in facing and dealing with risks. Perhaps something to consider while evaluating your (risk) management efforts?
The top 10 strategic business risks for global leading firms (2008 rankings in parentheses)*
1. The credit crunch (2)
2. Regulation and compliance (1)
3. Deepening recession (New)
4. Radical greening (9)
5. Non-traditional entrants (16)
6. Cost cutting (8)
7. Managing talent (11)
8. Executing alliances and transactions (7)
9. Business model redundancy (New)
10. Reputation risks (22)
* Source: Ernst & Young’s 2009 Global Business Risk Report
Capital project assurance
Organizations are increasingly relying on (capital) programs as the engine for driving performance improvements and delivering key organizational developments. Yet a number of highly visible programs from both the public and private sector have failed to deliver their objectives. This is supported by an Ernst & Young survey, with 43% accelerating reviews of capital investment programs.
Internal Audit functions are finding different ways to respond to the pressure to provide more assurance that programs are being controlled effectively and to report back to management and the audit committee. In the roundtable we discussed ideas on how to approach these types of reviews, supplemented with some practical experience from a NUON Energy case study.
Specific characteristics
Capital projects carry very specific characteristics such as the large size of the project, relatively low occurrence, unique design and complex technology, wide variety of stakeholders etc. The key takeaway is that risks should be (as far as possible) properly identified before the project has started and not during the project (which is the case in most projects), as the potential to add value decreases significantly.
The focus for the risk assessment should go beyond the financial and governance risks and cover the operational and technical risks associated with the project.
The lack of experience in assessing the risk for these projects partly originates with the project team. In most cases the project team consists of a mixed experience level (as these projects only occur sporadically) or is not familiar with the risk management specifics of the company (because some are hired externally for their specific knowledge). The same ambiguity often resides within Internal Audit: due to the low frequency and unique characteristics, the specific knowledge is in most circumstances difficult to facilitate in-house.
Case Study
Our guest speaker shared insights and learnings from a Capital project review (total project investment amounts to € 1,8 billion):
1. A clear project definition is very important, especially in technically very complex building projects. All involved parties need to agree on the technical details up front, to avoid discussions between project owner, project team and end user in the execution phase;
2. Considerations between risk appetite of the project/company and choices to transfer risks to third parties (through a contract) should be made explicitly. When risks are kept within the project appropriate controls should be implemented to manage these risks. When risks are transferred externally, contractual terms come into play;
3. Stakeholder management (to minimize risks resulting from permitting issues), Project management and Governance structures are key to a successful completion of the project;
4. To keep Board and Shareholders well informed, clear reporting on e.g. progress in relation to financials is required.
One of the key measures in projects is to ensure that risks associated are comprehensively identified and managed. Internal Audit can play an important role by challenging the project governance and assessing the adequacy of project controls to ascertain that the project (management) team timely observes and sufficiently mitigates the material project risks. The experience is that a project management team might need some time to understand that Internal Audit is there to help them to achieve their objectives and is not only time-consuming.
The roundtable participants agreed that specific skills and project management experience (in addition to audit skills) are a prerequisite to be able to perform project audits.
A topic on which the participants did not agree is to what extent Internal Audit can be involved in delivering assurance on specific project deliverables (for example detailed design). Some participants felt this would impair the independence of Internal Audit and that its role should not extend further than a review (on behalf of management) of the risks associated with the project related to the company’s business objectives. Internal Audit should not be involved in the procedures to manage the quality of the project deliverables. Others found that Internal Audit is well equipped to execute these reviews and should support the business with their expertise.
For more information, please contact:
Risk Advisory Services Robbert Aerts
+31 88-4071243 robbert.aerts@nl.ey.com
Ernst & Young
© 2010 Ernst & Young Advisory
All rights reserved.