An Integrated Approach to the Internal Control System

Transcription

1 An Integrated Approach to the Internal Control System - New Methodology for Evaluating Design and Effectiveness - Carolyn Dittmeier President, IIA Italy Vice President, Head of Internal Auditing Poste Italiane 1

2 Increasing legislation and regulation of governance Anti corruption (Law 231) Sarbanes (Law 262) Stock Exchange Governance Code Bank Regulations New Corporate Governance players Corporate Governance Paper IIA Italy 2

3 Numerous corporate governance players Compliance Officer Audit Committee Board of Directors Board of Statutory Auditors Other Control Bodies CFO Quality Internal Audit Security Compliance Function Inspectorate Human Resource & Organization Safety Privacy Operational Management 3

4 Numerous Corporate Governance Players Possible consequences: Cost efficiency Cost of governance exceeds benefits in risk reduction Effectiveness Inadequate/fragmented risk coverage 4

5 Corporate Governance Paper Associazione Italiana Internal Auditors Key points to an Integrated Corporate Governance Model: I. Global business risk assessment II. Unified Internal Control System Three Control Levels Optimizing Relationships Single Evaluation Criteria III. Mechanisms of Assurance 5

6 Business Case Its Business General Strategy Logistics, postal and courrier express Banking, financial services and insurance Leveraging upon a major national network, integrating new innovative services to core businesses 150,000 Employees 14,000 Post offices 200 Logistic Centres Vehicles 2,700 ATM Total Sales (mil) of which: Logistics/Postal Financial/ Banking 6

7 Business Case Compliance Officer INTERNAL AUDITING CHAIRMAN BOARD OF DIRECTORS RS CHIEF EXECUTIVE OFFICE LEGAL AFFAIRS Court Auditors Statutory tory Auditors CORPORATE AFFAIRS ACCOUNTANCY & CONTROL RISK MGMT/ SECURITY HUMAN RESOURCES AND ORGANIZATION STRATEGIC PLANNING COMMUNICATION AND PUBLIC AFFAIRS FINANCE CHIEF INFORMATION OFFICE PURCHASING REAL ESTATE BUSINESS UNITS RETAIL NETWORK MAIL EXPRESS AND PARCELS LOGISTICS AND OPERATIONS PHILATELY BANCOPOSTA COMPLIANCE FUNCTION 7 AUDIT

8 Business Case CHAIRMAN CEO Court Auditors Statutory tory Auditors INTERNAL AUDITING Compliance Officer STANDARDS/ RESEARCH PLANNING ETHICS AUDIT Bancoposta AUDIT FINANCIAL & RETAIL NETWORK AUDIT LOGISTICS POSTAL AUDIT SUPPORT PROCESSES GEOGRAPHICAL AREA MANAGERS INTEGRATED PROCESS AUDIT

9 Business Case Governance milestones Public Economic Entity Transformation to a stock company Poste Italiane - Società per Azioni Poste Italiane is subject to supervision of Financial Regulatory Bodies Implementation of Internal Audit replacing Inspectorship Implementation of Ethics Officer Code of Ethics Implementation of Enterprise Risk Management Model 2007 Introduction of Sarbanes Accounting Officer 9

10 Corporate Governance Paper Associazione Italiana Internal Auditors Key points to an Integrated Corporate Governance Model I. Global Business Risk Assessment 10

11 Global Business Risk Assessment? Operational risks Compliance risks Reputational risks Strategic risks Financial risks Accounting risks 11

12 Business Case Enterprise Risk Management framework adopted in 2006 Obiettivi Goal Model Poste Poste Obiettivi di Business Efficienza di Processo Volume/Ricavie Obiettivi di Governo Rispetto della normativa Sicurezza Affidabilità delle informazioni OBIETTIVI RISCHI POTENZIALI Risk Model Poste Rischi Interni Fattore Disegno umano Processo/Sistemi Compliance Processi IT Rischi Esterni Governo e controllo direzionale Monitoraggio/ Informativa Scenario Socio- Economico Concorrenza Mercato/ Cliente Contenimento Costi Customer Satisfaction Employee welfare CONTROLLI Risorse Umane Processi Ammin./ Contab. Pianificazione Partner/ Fornitori Quota di mercato Redditività Innovazione Tecnologica Certezza operativa Integrazione Efficacia ed Efficienza IT RISCHI RESIDUI Rischi Non Operativi Rischi Operativi Altri Processi Infrastruttura/ Risorse tecniche Integrazione Contesto Legale Attacchi/ Eventi esterni Tecnologia Risk Model based on Goal Model

13 ERM Business Maturity Checkpoints 1. Risk Framework 2. Control Risk Self-Assessment worshop 3. Strong professional development programs 4. Budget and incentive system incorporating Key Risk Indicators 5. Full risk management culture

14 Corporate Governance Paper Associazione Italiana Internal Auditors Key points to an Integrated Corporate Governance Model II. A Unified Internal Control System Three Control Levels Optimizing Relationships Single Evaluation Criteria 14

15 Three levels of control activities within the Enterprise Risk Management Model Company Bodies Audit Committee Definition of Objectives Risk Management Internal environment Information and communication COSO: Control activities 3 rd Level Assurance Activity (Internal Audit) 2 nd Level Monitoring Activity (Risk Management, Compliance, Controller) 1 st Level Control Activity (Line Control) 15

16 A Unified Internal Control System Optimizing Relationships between Control bodies and functions Informational Reporting Communication by meetings and presentations Providing Directives In relation to their assurance, consulting or other roles 16

17 Reporting & Interchange between Governance & Control Bodies Business Case Statutory tory Auditors BOARD OF DIRECTORS RS Monthly Court Auditors Compliance Officer Bimonthly CFO Financial Reporting control Quarterly INTERNAL AUDITING Overall Internal Control Semiannual Bimonthly COMMITTEE Internal Audit, Human Resources, Legal Affairs; CFO; Security/Risk Mgmt Risk and Compliance Periodic : issues Risk Management Bancoposta Compliance Function Bancoposta Company Business Units and Depts 17

18 A Unified Internal Control System Integrated methodology for business control identification and evaluation Focusing separately on: Control Design Control Operating Effectiveness 18

19 How to evaluate the Integrated Internal Control System Risk Tolerance Control Objectives Risk Acceptance Control Design Adequacy Effectiveness, Efficiency and cost effectiveness Operating effectiveness Relevance Strength Resources availability Red-flag analysis Coverage Reactivity Compliance verification 19

20 Definition of a control? A set of activities whose purpose is to identify and correct errors and anomalies in order to reach defined control objectives, risk based Input Standard Input Capture/ Measurement Comparison input / standard Correction Output 20

21 Control Objectives, risk based (examples) Quality and timeliness of operations Reliability and integrity of Company information (financial and operational) Proper and effective contractual relations with customers and suppliers Compliance to Regulations Prevention of fraud Business continuity 21

22 How to evaluate the Integrated Internal Control System Risk Tolerance Control Objectives Risk Acceptance Control Design Adequacy Effectiveness, Efficiency and Cost effectiveness Operating effectiveness Relevance Strength Resources availability Red-flag analysis Coverage Reactivity Compliance verification 22

23 Process Case study: quality cheese production Production of fresh cheese according to quality standards Activity 1 Supply request Activity 2 Production Control over Production Time Standards Activity 3 Packaging For every fresh cheese lot, the Production Dept requests, up to 5 days before the fermentation process, requests from the Purchasing Dept quantities of milk supplies on the basis of approved monthly sales forecasts. Upon supply of milk (<3 days) the Production Dept proceeds: Pasteurisation (2 hours) Coagulation of casein (2 hours) Drainage of whey (1 hour); Pressing and salting (1 hour) (time frame automatically recorded in 3 of 4 phases) The Quality Dept verifies respect of production time standards. If non compliant, it blocks the packaging process, requesting the lot to be destroyed and re-produced. Following authorization given by Quality Dept, the Production Dept proceeds to package the fresh cheese within 24 hours for delivery by the Distribution Dept by the next day. 23

24 Case study: quality cheese production Control objectives: Ensure fresh cheese according to quality standards Ensure the absence of pathogens in the milk Ensure production-time for avoiding pathogenic generation Ensure temperature-preservation for avoiding pathogenic generation Control over Production Time Standards Control components Actual time frame (automatic) Time Limitation Standards Information System Check Lot destruction when out of time standard Replacement of Production lot Authorization for packaging 24

25 Control evaluation:scale of 1-5 (1-2 positive, negative). Control Objective Adequacy 2 Control Design Operating effectiveness 1 Relevance Coverage Strength 3 Reactivity Resources availability Compliance test Red-flag analysis Discretion Integration Independe nt Segregatio n Automatio n Adaptabilit y Traceabilit y 25

26 Case study: quality cheese production Discretion Integration Independence Segregation Automation Adaptability Traceability Strength 3

27 Case study: quality cheese production Coverage Risk Tolerance Control Design Relevance Strength Scenario Control Objectives Adequacy Effectiveness, Efficiency and cost effectiveness Reactivity Control design evaluation: positive (2) Resources availability Risk Acceptance Operating effectiveness Compliance test Red-flag analysis Control operating effectiveness evaluation: good (3) Test 1 Audit Program Verify Information system utilized for standard check Test 2 Examine Sample of production lots checked by Quality Dept scenario 1^ 1^ scenario 2^ 2^ scenario 3^ 3^ Known and and positive design Known; design non non positive Unknown design Audit Exception Level Test 1: 20% - Test 2: 5% 27

28 Corporate Governance Paper Associazione Italiana Internal Auditors Key points to an Integrated Corporate Governance Model: I. Global business risk assessment II. Unified Internal Control System Three Control Levels Optimizing Relationships Single Evaluation Criteria III. Mechanisms of Assurance 28