Promoting and Supporting Effective Organizational Governance:
Internal Audit’s Role
Sridhar Ramamoorti,
Ph.D., CIA, CFSA, CGAP, CRMA
and
Alan Siegfried, CIA,
CISA, CPA, CRMA, CCSA
Available free of charge at:
www.theiia.org/goto/CBOK
CBOK 2015 Practitioner Study
• CBOK is the Global Internal Audit Common Body of Knowledge :
– The global practitioner survey is the largest ongoing study of internal audit professionals in the world.
– More than 25 free reports about practitioners and the profession will be released from July 2015 to July 2016.
– Download free reports from the CBOK Resource Exchange at The IIA website at any time
(www.theiia.org/goto/CBOK).
CBOK 2015 Practitioner Survey
• Practitioner Survey Results
– Survey completed April 1, 2015 – 14,518 usable survey responses
• Participation Levels
– 100% representation from IIA institutes – Responses from 166 countries
– 23 languages
CBOK 2015 Practitioner Study
CBOK 2015 Practitioner Study
Age was obtained from 12,780 respondents; Organization Type was obtained from 13,032 respondents; Gender was obtained from 14,357 respondents; and Staff Level was obtained from 12,716 respondents.
Recent governance crises have increased the need for Internal Audit’s involvement and review of governance practices and policies.
• Definition: Includes review of governances process
• Critical Role: Internal Audit’s critical role in promoting and supporting effective Organizational Governance
• Internal Audit Positioning and Credibility: Internal Audit’s
position, stature, and credibility (e.g., functional and administrative reporting lines) to empower/enable them to become a value-added contributor within the organization’s governance structure
• Internal Audit’s Role: Assurance and Advisory services in organizational governance
• Auditing Culture: Key enabler and driver
• Competencies: Internal audit skill sets and competencies
• Wrap up: Insights, Future Trends, and Strategy
• Concluding Remarks
Executive Summary
Organization of Report
Post Enron, the Wall Street financial crisis and global governance failures have prompted the question:
Where was internal auditing in all this?
Hence, our report is organized as follows:
• How can internal audit address governance?
• What do stakeholders want?
• What is internal audit delivering?
• What does it mean to audit culture?
• How can internal audit overcome barriers?
9
Key Components of Governance Oversight
Ethical Values
Organizational Alignment
Three Lines of Defense
• All three lines of defense should exist—strongest when separate, and clearly defined.
• When blended approach exists, apply safeguards:
• Report to AC directly.
• Ensure effective AC and board monitoring, and governance
oversight.
• Communicate and document potential risks of combining lines.
• Consider an executive to whom all internal assurance groups report directly.
Internal Audit: Position/Stature/Credibility within the Organization’s Governance Structure
• Seventy-five percent of participants indicated that the chief audit executive (CAE) in their organization reported administratively to either the chief executive officer (CEO)/president, or the audit committee/board of directors.
– 48% report to CEO or equivalent – 12% report to audit committee – 15% report to board of directors
• Seventy-two percent of participants indicated that the CAE reported functionally to either the audit committee (or
equivalent), or the board of directors.
– 54% report to audit committee or equivalent – 18% report to board of directors
15
What do Stakeholders Want?
• Demand side for Governance and Strategic Performance audits:
Board cares more about governance failure risk (value preservation orientation).
Executive management cares more about
strategy/performance risk (value creation orientation).
• The majority of CAEs (57%) report that their board or
equivalent supports internal audit reviews of governance policies. This perception was fairly consistent across
regions with a high of 65% and a low of 52%.
Key Findings from 2015 CBOK Survey
• Only 4 out of 10 say that a governance code is in place at their organization.
• More than 6 out of 10 say that their
organizations have a long-term strategic plan in place.
• About 27% say that internal audit conducts extensive reviews of organizational
governance.
• Only 16% say that internal audit conducts
extensive reviews of organizational strategy.
22
What is Internal Audit Delivering?
• Globally, an average of 70% of internal audit reports provide moderate to extensive activities related to the review of governance policies and
procedures.
Compliance with the King Governance Code mandated in South Africa so that there are high levels of internal audit activity
Existence of:
Hard Controls (Tangible, Relatively Easy Measurement)
Soft Controls (Intangible, Difficult-to-Measure)
• North American internal audit reveals the lowest level of governance reviews!
CAEs perform governance audits through the “little bites” strategy.
Some internal audit functions may not be mature enough to perform these audits.
If governance risk is perceived low, then risk-based audits would justify only a little effort being devoted to this area.
26
What can Internal Audit Bring to the Table?
Provide independent, objective assessments on:
The appropriateness of the organization's governance structure and process
The operating effectiveness of entity-level controls and specific governance activities
Act as catalysts for change by:
Advising or advocating improvements to enhance the organization's governance structure and processes
Providing assurance on the governance processes within an organization
Facilitating governance best practices
27
Potential Internal Audit Governance Involvement
• Participate in cross-functional ‘what if’ discussions to reconsider governance risks and identify action plans.
• Help design ‘how to’ improve governance processes to better address risks.
• Redirect audit resources to reassess highest risk areas:
M&A activity in 2015—exceeded $5 trillion—underscored the importance of governance reviews
Risk assessment and risk management/monitoring practices
Complex decision models—relying on information—the relevance of “information integrity risk”
Culture, Strategy, IT governance
Fraud risk management and loss prevention
Extended enterprise reviews
• Internal audit review of organizational governance (assurance and advisory engagements).
28
Internal Audit Governance-Related Activities
Governance Assurance Engagements
Information integrity: relevant, reliable, and timely information for strategic decision making
Assuring information integrity of decision-relevant inputs, thus allowing board/executive management use of information with confidence
Typically in “little bites” (the “nudge” approach)
Governance Consulting/Advisory Services
Providing decision context, interpretation, and insight
Conducting comprehensive, enterprise-wide reviews to improve governance structures and processes
Educating the board and facilitating governance best practices (e.g., board self-evaluation)
Internal Audit Skill Sets
• Need ability to identify and assess hard and soft measures of organizational
culture
• Need to combine subjective and objective information
• Need confidence in relying on qualitative
factors or intuition
31
Auditing Culture
Culture—“the way we do things around here” (Bower)—embeds many intangibles (e.g., soft controls) that pose audit challenges.
• Management and board competence, philosophy, and style
• Mutual trust and openness
• Strong leadership and powerful vision
• High performance and quality expectations
• Shared values and understandings
• High ethical standards
Strategies for Addressing Culture
• Communicate with senior executives about their views of governance culture.
• Develop trust with the audit committee that allows subjective judgments.
• Find a champion who supports auditing organizational culture.
• Define roles of what internal audit can realistically do to help improve organizational governance.
• Consider incorporating governance audit into internal audit charter.
Good Strategy is not Enough!
“Culture eats strategy for
breakfast.”
Peter Drucker
Lack of Support Can Be a Hurdle
35
Culture-Driven Governance Challenges
A Risk-based Approach
Availability of resources with relevant subject matter expertise, industry knowledge, leading practices, and tools and technology
Fear that potential fraud risks are not being addressed Better Overall Process
Higher expectations from management and AC time/resource constraints on Internal Audit
Better Risk Management Leadership
Getting the right input from top management and the board
Enhancing top management/board risk management capabilities Better Knowledge of Limitations
AC’s and management’s level of understanding of the Internal Audit
function
36
Internal Audit Governance Responsibilities—TODAY
Seeking to understand stakeholder expectations, and evaluating effectiveness in meeting those expectations
Developing appropriate internal audit soft skills to add value to the organizational governance process
Developing and demonstrating strong communication skills to effectively convey findings and recommendations
Embracing and executing a balanced, risk-based audit plan
Providing leadership on issues of corporate governance, risk
management, internal control, compliance, financial reporting, and fraud
Willing to challenge status quo, and operating as change agents
Internal Audit Governance Responsibilities—FUTURE
Internal auditors who step up and effectively address the challenges can demonstrate their positive contributions.
They will:
• Be recognized as effective leaders, and continue to elevate their
stature and reputation in the workplace• Likely get additional challenges as their role continues to grow in importance
To Be Successful: Strive for improvement through innovative
techniques and practices (e.g., using leading indicators of risk and
performance, key risk indicators [KRIs] and KPIs), professionalism,
continual development, and dedication to the profession.
38
…Final Internal Audit Thoughts
Monitor Control and Compliance
•Risk-driven approach
•Leverage automated controls and data analysis
•Expanded risk coverage
•Efficient monitoring
•Leveraging ICFR, compliance and fraud
•Data-driven approach
•Focus on control and process effectiveness
•Leverage KRIs and KPIs
•Leverage benchmarks
•Share leading practices (internal and external)
• Strategy-driven approach
• Focus on key initiatives
• Industry expertise
• Process and controls optimization
• Operational auditing
• Functional expertise
• Data modeling
Value to Organization
Investment in Internal Audit
Hindsight
Stakeholders will look to us to focus on compliance and governance improvement, with more emphasis on governance improvement.
Business Insight
Insight
Strategic and Value Advisor
Foresight
Alan Siegfried
Current Board/Audit Committee member, Managing Director Quetzal GRC, LLC, and
Accounting and Information
Assurance faculty, Robert H. Smith School of Business, Univ. of MD.
Former CAE of several international organizations and Big Four partner.
410.570.5400 (c) Email:
siegfal@gmail.com Dr. Sridhar Ramamoorti
Managing Director, Quetzal GRC, LLC and
School of Accountancy faculty, Michael J. Coles College of Business, Kennesaw State University.
470.578.2675 (o) 630.347.9172 (c) Email:
sri.ramamoorti@gmail.com
Author Information
CBOK 2015 Releases
Jul. 2015 Aug. 2015 Sept. 2015 Oct. 2015 Nov. 2015 Dec. 2015
Driving Success in a Changing World: 10 Imperatives for Internal Audit
Navigating
Technology’s Top 10 Risks: Internal Audit’s Role Staying a Step Ahead: Internal Audit’s Use of Technology
A Global View of Financial Services Audits:
Challenges, Opportunities, and the Future
Who Owns Risk?
A Look at Internal Audit’s Changing Role Combined Assurance: One Language, One Voice, One View Responding to Fraud: Exploring Where Internal Auditing Stands
Auditing the Public Sector:
Managing Expectations, Delivering Results
Delivering the Promise:
Measuring Internal Audit Value and Performance Mapping Your Career:
Competencies Necessary for Internal Audit Excellence
CBOK 2016 Releases
Jan. 2016 Feb. 2016 Mar. 2016 Apr. 2016 May 2016 Jun. 2016
Engaging Third Parties for Internal Audit Activities:
Strategies for Successful Relationships
Interacting with Audit
Committees:
The Way Forward for Internal Audit
CAE Career Path:
Characteristics and
Competencies of Today’s Internal Audit Leaders
GREAT Ways to Motivate Your Staff Maturity Levels for Internal Audit
Departments Around the World
Regional Reflections:
Africa
The Top 7 Skills CAEs Want:
Building the Right Mix of Talent for Your Organization Lifelong Learning for Internal Auditors:
Certification and Training Levels Worldwide
IIA Standards:
Conformance and Trends Quality
Assurance and Improvement Program Trends
Promoting and Supporting Effective
Organizational Governance:
Bench marking Internal Audit Maturity Women in IA:
Representation and Trends Ethical Pressures Faced by
Internal Auditors
YOUR DONATION DOLLARS AT WORK
This presentation is FREE, thanks to the generous contributions from
individuals, organizations, IIA chapters, and IIA institutes around
the world
.
Download your FREE copy today at the
CBOK Resource Exchange.
www.theiia.org/goto/CBOK