The Differentiator A Great Internal Auditor. The Institute of Internal Auditors of Thailand

Transcription

1 The Differentiator A Great Internal Auditor The Institute of Internal Auditors of Thailand September 2014

2 The Changed Agenda of a Great Internal Auditor

3 Transforming the internal audit mission Moving out from an outdated definition of internal auditing Outdated definition of internal auditing, as published by the IIA prior to 1999 Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To this end, internal auditing furnishes them with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost. Current definition of internal auditing, as published by the IIA Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Appraisal function Outdated definition Examine and evaluate activities Assist members of the organization in the effective discharge of their responsibilities Promote effective control at reasonable cost Current definition Assurance and consulting activity Add value and improve organization Help an organization accomplish its objectives Evaluate and improve the effectiveness of risk management, control and governance 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 2

4 The evolution of internal audit Strategist and advisor/facilitator The IA function is moving to higher maturity levels Risk focus Risk focus Rotational (Financial and Compliance) Governance No involvement Role Assurance on compliance with Policies/ Procedures Responsibility Enterprise Risks Governance IA as Advisor/Facilitator Role Enterprise Risk Advisory Responsibility Consultative Approach External Assessment 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 3

5 A shift from assurance provider to strategist/facilitator of risk management Risk management for value creation Facilitator of Risk Management Integrated risk response process Information sharing between specialist silos Going beyond probabilistic risk management programs Assurance Provider Assurance on management reports for: Effective identification and evaluation of risk Effective risk management process Appropriate review of key risks 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 4

6 Transforming internal audit IA maturity value model Basic High Value Perspective Focus on the past; retrospective look on what happened Focus on present survey battlefield, shoot wounded Future help the wounded, map the minefield Style Corporate police Fact finder/father knows best Planning/risk focus Rotational/Based on history (Financial and compliance risks) Existence of CAE Not likely IA Director Risk-based audit plan (Operational, compliance and financial risks) Trusted advisor (auditing and consulting) Enterprise risk-focused audit plan (Full spectrum of risks) Chief Audit Executive/Member of C suite Reporting lines CFO/COO CEO Audit Committee Chair Objective and mandate Compliance to policies and procedures Assurance on internal control systems an compliance Business risk assurance Independence and objectivity Hopefully Generally Absolutely SoX ownership Owns Participates Validates IT Auditing Ill-defined GCCs, security, applications Consulting to improve IT infrastructure Fraud prevention and detection Generally not addressed Reactive Proactive Risk Management Limited assessment Thorough assessment ERM Champion Governance No involvement Limited involvement IA as advisor/facilitator Technology Limited Automated workpapers and use of CAATs for data analysis Advanced use of CAATs and continuous assurance approach Results Small findings Assurance on key audit units Proactive risk management contribution/dynamic reporting 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 5

7 Optimizing the internal audit function Protect enterprise value Financial, compliance and general IT risks Balance sheet orientation Exception reporting and problem identification Inherent risks and rotational coverage Internal audit s value proposition Enhance enterprise value Operational, organizational and strategic risks Risk Intelligence orientation Proactive reporting and solutions development Focus on emerging risks and trends Optimal balance protect/enhance Independent and objective assurance with value-added advice An advisory orientation helps enable internal audit to enhance enterprise value 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 6

8 Top Issues for Audit Committees in 2014

9 Internal audit hot topics Governance Fraud Risk The changing relationship between audit committees and chief audit executives. How should audit committees evaluate the internal audit function? Improving audit committee performance is internal auditing stepping up to the plate? Governance structures of foreign companies with U.S. subsidiaries. Internal audit s role in auditing management compliance process (how are issues surfaced and monitored?) Executive compensation should internal auditors/audit committees be concerned? Status reporting of fraud investigations. What are organizations doing to protect customer data, in light of recent incidents of customer data loss? Auditing for environmental fraud. Working relationships between in-house legal counsel and internal audit departments. Lessons learned/best practices in auditing the U.S. Foreign Corrupt Practices Act globally. How to monitor hotlines. Convergence of risk management, compliance, and internal audit. Case study article on ERM implementation. Assessing risk associated with complex financial instruments (derivatives, swaps, etc.) Effective reporting of risk assessment results (leading practices). Reputation risk, especially in light of recent high-profile instances of corporate reputation damage. How to create a top-down, risk-based audit plan. Source: The Institute of Internal Auditors 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 8

10 Internal audit hot topics (cont.) Technology Ethics Finance and compliance Business continuity planning. Identity management. Social media risks. IT security vulnerability/top IT audit risks. Emerging technologies. Advanced cyber threats (cyber intelligence and warfare). Mobile security. Internal audit's role in protecting customer data. Case studies of audits involving the organization's moral principles, rules, standards, or tone at the top. Merging of compliance and ethics departments. Auditing ethics and compliance programs. The price of not auditing ethics in an organization. Internal auditing's role in off-balance-sheet items. Risks associated with business combinations. Best practices in post-acquisition audits. Auditing the due diligence process. Life after Sarbanes-Oxley: financial vs. operational auditing. How should internal and external auditors work together? Source: The Institute of Internal Auditors 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 9

11 Using Technology

12 Best practices Leverage on technology Analytics is not a separate science or a tool, but leveraging analytics is a matured way of performing internal audits. Data analytics can be leveraged on the following areas of internal audit life cycle: Risk assessment Transaction profiling Compliance sensitive transaction testing Management Reporting Internal Audit Reporting Continuous Auditing 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 11

13 Are your Board Directors also worried about these..? Missing Prices Duplicate Payment Missing Credit Checks Unusual Returns Invalid or Duplicate Supplier Master Delayed Collections Statutory Audit Findings Unauthorized Credit Duplicate Invoices Unused Credit Memos Unauthorized Journal Entries Split Purchase Orders Inaccurate Manual Overpayments to vendors Journal Entries Unauthorized credit Billing Errors Inaccurate Financial Reports Supplier Fraud Delayed Supplier Payments Incorrect Payment Terms Unapproved or Illegal Suppliers Unauthorized Access 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 12

14 These issues arise due to. Survey of 425 companies TOP 10 CONTROL CHALLENGES* Segregation of Duties DRIVERS DRIVERS Lack of Staff False Positives Access to Data Visibility to Issues Mergers & Acquisition Decentralized Operations Outsourcing Duplicate Payments Manual Processes Employee Reimbursements Compliance with Policy Automation Checks Approval Standardization/Consistency Signatures/Authority *Accounts Payable Network Benchmark: AP Controls May Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 13

15 Board Still in of the Directors dark are still in the Dark Many board members and senior executives are still in the dark about the overall health of their organizations and have a lack of nonfinancial data that they can act upon. As with the first survey, corporate leaders believe that it is extremely important to monitor non-financial indicators Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 14

16 Board Directors & Senior Management, need better Transparency 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 15

17 The Solution GRC Analytics & Monitoring An organization must develop and sustain a capability or program to set objectives, identify the boundaries and obstacles Establish a system to let management know when it is getting close to (or crossing) a boundary or approaching an obstacle. Once detected, management must quickly and appropriately respond to minimize the impact on the organization. As issues are encountered and addressed, management should continuously improve the program to more effectively and efficiently prevent, detect and respond to similar issues in the future. Source: OCEG Red Book 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 16

18 Unit A Activity 1 Activity 2 COSO Guidance on Monitoring Internal Controls Drivers: COSO observed that many organizations were not fully utilizing the monitoring component of a system of internal control Monitoring Information & Communication Control Activities Risk Assessment Objectives: Help organizations improve the effectiveness and efficiency of their internal control systems. Provide practical guidance that illustrates how monitoring can be incorporated into an organization s internal control processes Control Environment 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 17

19 Monitoring activities should be built into normal, recurring operating activities of an organization 4. Develop and implement costeffective procedures to evaluate that persuasive information Implement Monitoring Prioritize Risks 1. Understand and prioritize risks to organizational objectives 3. Identify information that will persuasively indicate whether the internal control system is operating effectively Identify Information Identify Controls 2. Identify key controls across the internal control system that address those prioritized risks 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 18

20 Without monitoring, even good controls deteriorate over time Critical financial processes such as travel expense management, order to cash and procure to pay have many business rules or policies associated with them that address accounting, reliability and anti-fraud issues. To ensure that policies and rules are followed, many ERP and financial applications have built-in internal controls with simple gated logic. However, the existence of these built-in automated controls does not ensure that they are turned on, that they are configured appropriately, and that they are not regularly overridden or bypassed thus establishing the need for a solution that can monitor these controls. Gartner Research Paper (Nov 2012) Transaction Controls Monitoring Can Improve Productivity and Financial Governance 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 19

21 Companies should leverage Controls Automation and Monitoring to improve control effectiveness and reduce compliance cost Manual-based risk and control management Technology-enabled risk and control management Start Manual Automated Monitoring Approach not driven by risk Redundant controls Manually-intensive business & IT processes and controls Inefficient testing Reactive approach to identifying & addressing control issues Key Risk Indicator Capability Risk based approach Rationalized controls Management platform Manually intensive testing procedures Testing requires large sample sizes Uses automation to find potential risks based on threshold violations Based on the principle of automating leading indicators to prevent risk events KRI s can be sourced from GRC system Responses include alerts and risk assessment workflows Leverage application-based business & IT process controls Efficient testing of controls Some automated testing capabilities Reduced testing sample sizes Efficient operation of controls Continuous monitoring controls Efficient operation of controls Proactive approach to identifying & addressing control issues Demonstrated effectiveness of controls Sustainable compliance processes ROI / Business value Continuous Control Monitoring Capability Framework provides an infrastructure for creating and maintaining automated rules to test and monitor business processes. Leverage pre-delivered content Build your own control monitoring with a variety of techniques 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 20

22 Comparing manual, automated, and continuous control monitoring Manual controls Technology-enabled controls Manual Manual approvals Manual reporting Paper-based reconciliations Controls Automated Access controls Segregation of duties Application/configurable controls IT general controls Monitoring Transaction monitoring Master data monitoring Access controls monitoring SOD monitoring Application/configurable control monitoring IT general controls monitoring Monitoring technology can be used in several capacities: As key detective controls used to meet control objectives To monitor the continued effectiveness of existing key controls (preventive and detective) 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 21

23 What is a Continuous Control Monitoring (CCM)? Continuous Monitoring solutions are technology-enabled, detective controls utilized to actively monitor controls, transactions, and configurations. Typically, these solutions provide functionality to notify owners when exceptions are detected. Activity Transaction monitoring Master data monitoring Access control monitoring Segregation of duties monitoring Configurable control monitoring Gartner Definition CCM for transactions is used to continuously monitor ERP and financial application transaction information to improve governance and automate audit processes. CCM for master data automates controls related to ERP and financial application data. CCM for access control is used to monitor accesses to sensitive functions by authorized users CCM for segregation of duties is used to manage a number of access conflicts present in ERP and financial applications CCM for application configuration is used to monitor the presence, appropriate configuration and modification of built-in application controls. Gartner ID Number: G : Magic Quadrant for Continuous Controls Monitoring; 23 March Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 22

24 Case studies

25 Common internal control challenges in procure to pay process 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 24

26 Internal Control Examples: Segregation of duties Scenario A Prevent potential SOD violations Users granted excessive payables system privileges obtain the capability to create transactions for unapproved disbursements Current practice When users change roles or responsibilities, unneeded access is typically not removed Over time, an accumulation of excessive access privileges tends to build up, leading to periodic cleanup projects Value of monitoring Any time a user profile is maintained, a comparison is performed to a pre-established constraint matrix If any SOD violations are detected, the security administrator is warned at the time of user profile maintenance The monitoring routine can also be run in mode batch to evaluate all users Scenario B Actual SOD violations Users with excessive payables system privileges perform transactions that violate segregation of duties Current practice A select number of users have been granted access privileges that violate the SOD matrix for justifiable business needs These users are expected to only use these privileges on an infrequent basis related to system maintenance, but the actual activity is not monitored Value of monitoring Automated and continually check and validate transactional data from enterprise applications against control parameters and business rules Identify suspicious activity, errors, and exceptions that may be disguised through high volumes of data 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 25

27 Internal Control Examples Transaction monitoring Scenario A Loan price is fair and uniform Individual loan agents circumvent the company's loan processing system to approve loans and inflate the fees and interest rates charged Current practice Loan price is calculated based on a set of business rules Manual intervention can override the calculated loan price Price overriding may not be detected causing a control failure Value of monitoring Calculated loan price is recalculated by the monitoring solution Significant deviation from the precalculated loan price is detected and reported Preventive or corrective measures could be initiated Scenario B Duplicate payments are not made Error in the invoice processing system may lead to duplicate payment to a supplier for the same invoice number or purchase order Current practice Invoice is compared against entered purchase order and past invoices False entry of invoice in separate payment cycles may lead to duplicate payment Duplicate payments may go undetected causing a control failure Value of monitoring Every invoice paid is compared against the list of past invoices If a duplicate payment was made due to an error or a fraud, the situation is detected and reported Preventive or corrective measures could be initiated 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 26

28 Internal Control Examples Changes in control configurations Scenario A System-based three-way match Failure of the system to enforce a match between the purchase order, receiver, and vouched invoice could lead to unauthorized payments Current practice The system only allows payments when a match is made between the purchase order, the receiving records, and the vendor invoice Changes to the parameters and match criteria are not monitored or reviewed Value of monitoring The matching configuration file is monitored for any changes Any change is reported and reviewed for appropriateness The documentation of changes/lack of changes is retained Scenario B Infrastructure-level security settings Unapproved changes to system security configurations allow for inappropriate access Current practice The extensive installation of Unix servers individually maintain password integrity options, such as expiration, reuse, and minimum length Changes to the password parameters are not monitored or reviewed Value of monitoring The password configuration settings are monitored for any changes Any change is reported and reviewed for appropriateness The documentation of changes/lack of changes is retained 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 27

29 ERP Continuous Audit

30 GRC Solution Board of Directors, CEO, CFO Business Manager Process Owners Dashboards GRC Intelligence Reports Key Risk & Control Indicators GRC Manager Process Risks Assessments Issues es Procedures Remediation Policies Access Controls GRC Controls Configuration Controls Preventive Controls Applications Alerts Transaction Controls Visibility to enterprise GRC status Role-tailored analysis Flexible ad hoc reporting Data repository GRC system of record End-to-end GRC process management Continuous monitoring of access, policies & controls Preventive and detective controls Controls risk monitoring Application Manager IT Manager Identity Mgmt Data Security Infrastructure Change Mgmt Records Mgmt Digit Rights Information security Enterprise access provisioning IT configuration management 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 29

31 SAP s unified GRC approach SAP GRC risk management Aggregated detection of risks and control monitoring Access Control Process Control GRC control differentiators Automates and embeds GRC into core and mainstream business processes Standardizes on common GRC content, rules, and technology Secure SOD and compliant IDM/provisioning Control monitoring for business process Helps tackle current pressing issues while providing a framework for emerging regulations Turns GRC into a strategic advantage driving competitive differentiation and higher level of business performance 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 30

32 Oracle Advanced Controls Enforce business controls to ensure compliance and mitigate risk Application Access Controls Governor (AACG) Transaction Controls Governor (TCG) Oracle Advanced Controls Configuration Controls Governor (CCG) Preventive Controls Governor (PCG) 2014 Deloitte Touche Tohmatsu Jaiyos Advisory The Differentiator A Great Internal Audit 31

33 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a more detailed description of DTTL and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte s more than 200,000 professionals are committed to becoming the standard of excellence. About Deloitte Southeast Asia Deloitte Southeast Asia Ltd a member firm of Deloitte Touche Tohmatsu Limited comprising Deloitte practices operating in Brunei, Guam, Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam was established to deliver measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises. Comprising over 250 partners and 6,000 professionals in 23 office locations, the subsidiaries and affiliates of Deloitte Southeast Asia Ltd combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region. All services are provided through the individual country practices, their subsidiaries and affiliates which are separate and independent legal entities. About Deloitte Thailand In Thailand, services are provided by Deloitte Touche Tohmatsu Jaiyos Co., Ltd. and its subsidiaries and affiliates. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte network ) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication Deloitte Touche Tohmatsu Jaiyos Co., Ltd.