Coordinated Governance: A Winning Relationship Between Internal Audit and the Organization s Other Risk and Control Functions

Similar documents
Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP

Office of the Chief Information Officer

Introduction to TTC s Enterprise Risk Management (ERM) Program. TTC Audit and Risk Management Committee

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

Applying Risk Assessment to Your Audit Plan Break-out Session T3, Tuesday, October 26 2:00-2:50pm

Beyond risk identification Evolving provider ERM programs

Introduction to Enterprise Risk Management at UVM DRAFT

Risk Assessment & Enterprise Risk Management

FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund

IFAD Policy on Enterprise Risk Management

The Role of the Board in Enterprise Risk Management

Fraud Risk Management

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Internal audit value optimization for insurance organizations

From Information Management to Information Governance: The New Paradigm

How to Develop Successful Enterprise Risk and Vendor Management Programs

Solutions. Master Data Governance Model and the Mechanism

How quality assurance reviews can strengthen the strategic value of internal auditing*

Self-Assessment A Product Audit Are You Happy with Your Product Results

How to stay competitive in a converging healthcare system kpmg.com

Shared Assessments Program Case Study

Moving Forward with IT Governance and COBIT

Enterprise risk management: A pragmatic, four-phase implementation plan

RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY

Contents. Evolving Trends in Core Banking Transformation (CBT) Challenges Faced in Core Banking Transformation (CBT)

Director Notes. Strategic Risk Management: A Primer for Directors

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Are you looking at procurement as an end-to-end process?

RE: PCAOB Rulemaking Docket Matter No. 041: Concept Release on Audit Quality Indicators

Business Process Optimization Certificate Program

Developing an effective internal audit plan profiling our experiences 10 December 2015

DISCIPLINE DATA GOVERNANCE GOVERN PLAN IMPLEMENT

Argyle Conversations

IT Governance. What is it and how to audit it. 21 April 2009

ISC s Journey in Integrating Change Management and Project Management

A Simple Customer Journey Framework. By Claudio Costa Your Coaching's Blog

Response to Consultation. Strengthening Home and Community Care: Successful Transition to a New Model

Fraud Prevention and Deterrence

Solutions Master Data Governance Model and Mechanism

Report of the Mutual Fund Directors Forum. Practical Guidance for Directors on Board Self-Assessments

Office of the Auditor General AUDIT OF IT GOVERNANCE. Tabled at Audit Committee March 12, 2015

KPMG s Financial Management Practice. kpmg.com

Integrated Risk Management:

How To Transform It Risk Management

GE Capital What are the key components of a sales force effectiveness program?

Strategic Risk Assessment. A first step for improving risk management and governance. COVER STORY. By Mark L. Frigo and Richard J.

DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY

Regulatory Excellence Framework

October 9, Lyman Terni, Consultant Tim Villano, Chief Technology Officer. Current Awareness of the Cybersecurity Framework

Model Risk, A company perspective Peter K. Reilly, FSA Valuation Actuary & Head of Actuarial Strategic Initiatives Aetna, Inc

2015 Trends & Insights

RESPONSE TO BC MINISTRY OF HEALTH POLICY PAPER: INFORMATION MANAGEMENT AND TECHNOLOGY

Placing a Value on Enterprise Risk Management ADVISORY

#KPMG Ignite. Join the conversation

Take the right steps 9 principles for building the Risk Intelligent Enterprise

IT Insights. Managing Third Party Technology Risk

Prosci change management webinar

IT Standards & Contract Management

Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation

Compliance Risk Management Survey A Point of View

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

IT Governance Overview

The Unique Alternative to the Big Four. Identity and Access Management

Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness, and efficiency. kpmg.com

Improving Financial Performance, Governance and Compliance

Information Security Governance:

Begin Your BI Journey

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting

WHITE PAPER: STRATEGIC IMPACT PILLARS FOR EFFICIENT MIGRATION TO CLOUD COMPUTING IN GOVERNMENT

ENTERPRISE RISK MANAGEMENT POLICY

Third-party assurance optimization Value creation strategies for service providers

PASB Information Technology Strategy Information Technology Services (ITS) January 2015

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

How To Write An Impactful Audit Report

Enterprise Risk Management in Colleges and Universities

Framework for Enterprise Risk Management

The Framework for Quality Assurance

IT GOVERNANCE WITH ROBERT GOODSELL, MANAGING DIRECTOR JOE BRUTSCHE, DIRECTOR

Healthcare Internal Audit: In a Time of Transition

CONTINUOUS AUDITING: A STRATEGIC APPROACH TO IMPLEMENTATION. A CaseWare IDEA Research Report

ORACLE ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE MANAGER FUSION EDITION

fmswhitepaper Why community-based financial institutions should practice enterprise risk management.

igrc: Intelligent Governance, Risk, and Compliance White Paper

Open Certification Framework. Vision Statement

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

NEW PERSPECTIVES. Data Analysis Challenges: C1 is customer provided. Anticipate IRS Audits: System Development and Implementation Projects:

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Transforming risk management into a competitive advantage kpmg.com

Board oversight of risk: Defining risk appetite in plain English

Case Studies of Excellence through Management by Process

OCIO Strategy Page 1 CTZ

SDLC- Key Areas to Audit in IT Projects ISACA Geek Week /21/2013. PwC

Feature. A Higher Level of Governance Monitoring IT Internal Controls. Controls tend to degrade over time and between audits.

Compliance & Internal Audit Collaboration

Global Technology Audit Guide. Auditing IT Governance

Risk appetite How hungry are you?

When you hear the word engagement, you

UK Corporate Governance Code: Raising the bar on risk management Why this is not business as usual and what you need to do to comply

Change Management. SAP Consulting & Thaibev IT Department

State of Michigan Department of Technology, Management & Budget

Transcription:

Coordinated Governance: A Winning Relationship Between Internal Audit and the Organization s Other Risk and Control Functions

Coordinated Governance: A Winning Relationship Between Internal Audit and the Organization s Other Risk and Control Functions Bonnie Howard Chief Auditor, Citigroup, Inc. Dick Anderson Partner, PricewaterhouseCoopers, LLP December 5, 2006

What s happened to companies in today s Risk and Control environment Issues Sox required Testing Concern about Risks Higher Compliance Fines Desire for More Assurance Corporate Reaction Create an Internal Control function Create an ERM function Expand the compliance group Expand Internal Audit

Result: A Group of Separate Risk and Control Functions Separately developed mandates and missions Separate processes Lack of coordination Duplicative efforts Competition for attention Different schedules, reporting formats

Oversight of risk and compliance activities are experiencing: Cost and resource explosion Audit Committee Risk Committee Business and Board overload Competition for scarce resources Internal Audit Internal Audits Compliance FCPA Anti-Fraud Risk Mgmt Privacy Finance Credit Ops Risk Law Dept SOX Premium pay for resources Businesses

Today s environment from the standpoint of businesses Significant increase in risk and compliance operating expenditures Slope of the expense curve can t continue Lack of clarity around roles and responsibilities of various risk and control functions Especially in relation to each other People apparently duplicating efforts

Who should drive the solution? First, given the magnitude of the costs and issues, someone in the organization will have to address this issue Internal Audit can: Champion the effort and help shape the right response, or Take a wait and see attitude and ride along Does Internal Audit have an opportunity to drive the governance processes?

How best to approach this Start at the top! You need: issue? Top level support and agreement on the issue and objectives Principles or ground rules Organizational structures may be off the table Unique role in internal audit (and other functions) must be recognized Define who the players are Many organizations haven t really defined their governance players You need the right players in the game Recognize the maturity of your governance and risk and control environment Different approaches work at different points

Case Study I: High level solution Major organization realizing that they need: Common view on risks but not ready for ERM Coordination of risk and control groups Organization is not ready to get into structural and reporting lines Needed to get moving Solution: Form a Common Risk Analysis Committee

Objectives of the Committee Common Risk Analysis Steering Committee Overall Objectives Agree on a common risk management concept for various functions across the Company who deal with risk ( risk management functions ) Maintain independence/objectivity of each risk management function Rationalize and harmonize approaches to risk across the Company Increase information sharing across the risk management functions

Case Study I: High level solution Common Risk Management Concept Utilize common risk definitions and risk analysis framework across the company Facilitate risk identification Consider how the company could measure/assess risk dynamically Facilitate ongoing discussion of the company s control processes

Case Study I: High level solution Maintain Independence/Objectivity Recognize the right of any risk management function to disagree and disengage Recognize the need to protect objectivity of the various risk management functions

Case Study I: High level solution Rationalize and Harmonize Approaches Share planning schedules and strategies Modify risk management timing/approaches as appropriate Eliminate duplication by leveraging work done by other risk management functions

Case Study I: High level solution Increase Information Sharing Evolve the Steering Committee into a standing Risk Management Committee Increase the amount and types of information being shared Foster an information sharing mindset among risk management functions

Case Study II: Complex organization with mature risk and control functions and normal level of coordination Looking for logical not necessarily all integration opportunities Taking it in steps: Integration across capabilities Linkage to business units Operating changes Starting with a pilot program and learning as you go

Case Study II: The phases are straightforward, but scoping can be difficult Step 1: Identify the principles framework for a detailed assessment Step 2: Establish the scope of the assessment Step 3: Analyze how operating levers are used to apply one or more principles Step 4: Prioritize, selecting one principle in one business unit for a pilot program Step 5: Integrate across capabilities, embed in business units and make operating changes Step 6: Expand pilot across another principle or business unit

Case Study II: Example Principles Objective setting Risk appetite and tolerance Policies and standards Risk and control assessments Structure, roles and responsibilities Communications and training Monitoring Testing Reporting Issues management

Case Study II: Scoping alternatives baseline analysis across all business units and principles provides comprehensive roadmap Categorized principles Execute moderate depth analysis across all or a subset of all risk and compliance activities across all ten categorized principles Analysis yields areas for potential integration and roadmap to integration Provides the most comprehensive output Enables gaining the greatest efficiency in the shortest time frame Control units Business units

Case Study II: Scoping alternatives deep dive into single principle across all existing risk/compliance activities and business units optimizes individual processes Categorized principles Execute deep dive analysis across existing risk and compliance activities of a single or small set of categorized principles Typically, analysis yields areas of integration and optimization for individual processes across the enterprise. Does not yield roadmap to integration Can also be used to optimize an activity, such as risk and control self assessment. Can be conducted on the processes, data, or both Control units Business units

Deep dive analysis of one principle Operating levers to be researched: Processes Technology People Information Questions: Can they be standardized? Can they be integrated/optimized? How be data be shared?

Case Study II: Scoping alternatives deep dive into one business unit across all principles and activities provides needed focus Categorized principles Execute deep dive analysis across all or a subset of all risk and compliance activities and principles for a single business unit Analysis typically yields roadmap for business unit to be more efficient in its existing risk and compliance activities. Does not address overlap, duplication, or inefficiencies across business units Approach used to assist IT organizations, for instance, to organize themselves more efficiently Control units Business units

Case Study III: Complex Global Organization with Mature Self-Assessment Process Situation: As self-assessments matured multiple and duplicative control touchpoints on business units (Compliance, Audit, Self-Assessment, others) Bottoms up and Kitchen Sink approach all levels of importance Goals and benefits not clear Costly Stress and overload But controls became stronger and there were less surprises overall benefits were clear How to do less but keep the benefits?

Case Study III: Complex Global Organization with Mature Self-Assessment Process Five major steps to improve coordination: Role definitions to increase understanding and collaboration three layers of control Cross functional forums meet quarterly in all businesses, regions and countries: clear accountability to drive efficiency and effectiveness One point person in each major business go to person Agree reliance and coordination to eliminate unnecessary duplications where appropriate Communication and training reinforce business responsibility for control and encourage collaboration, problem solving and transparency among the control functions

Case Study III: Complex Global Organization with Mature Self-Assessment Process Project Touchpoint goals: Reduce unnecessary, multiple control touchpoints Develop a seamless and non-duplicative control environment Enhance working relationship between businesses and control functions Testing Coordination and Reliance Guideline Detailed review of all self assessments and control testing Identify and eliminate duplications Most duplications and excessive testing are in self-assessments were able in some cases to reduce self-testing by over 50% Touchpoint process itself strengthened the relationship between business units and control functions.

Case Study III: Complex Global Organization with Mature Self-Assessment Process Challenges Change expectation that all issues will be selfidentified; shift to focus on important risks Must have senior leadership tone and sponsorship from the top A cultural change permeate businesses and daily interactions Takes time But benefits can be significant!

Q&A

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information