Internal Audit’s Guide to Planning, Managing and Addressing Risks

Publié le par hanswillertbleuazurconsultingeu

As time passes and the modern-day enterprise evolves, so does the role of the internal auditor. What was once a function that was perceived as rule enforcers and compliance police is expanding into one that is a trusted advisor within the business. The last several years have introduced an enormous amount of change, but the proliferation of technology within the enterprise is accelerating every aspect; from operations to decision making.

The progressive steps organizations are taking as a result of the digital age present a bevy of benefits, but in turn, create a slew of challenges and risks. Subsequently, the internal audit function has been forced to adapt along the way, assuring key stakeholders in the business that risks have been identified, but above all, addressed and mitigated.

While identifying and managing risks tied to the business fall on management, it’s internal audit’s responsibility to focus on closing the loop. That’s why our second article focuses on the effective audit follow up, in addition to outlining the how and when tied to escalating risks.

A DYNAMIC AND ITERATIVE PROCESS

The COSO Internal Control – Integrated Framework (2013) provides that a “risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.” (emphasis added). To be effective, internal audit should be aware of and responsive to changes in known risks and additionally the emergence of new ones.

A purpose for the traditional (i.e., annual risk assessment) is to allow internal audit to develop a planning horizon which is understood by stakeholders and, in particular, executive management and the audit committee as a basis for the risks identified. In this process there can also be a push to finalize the internal audit “plan” so that budgets, schedules and staffing can be arranged.

With the emerging concept of “risk velocity”—measuring how fast a risk may affect an organization—is recognition that the typical risk assessment process is one that is not dynamic and iterative nor responsive to change in real time. Change does not occur on an annual basis. The move to a continuous and dynamic audit plan is significant for most internal audit departments. Some departments are already moving on this path and have had to adjust from a static process focused on listening to management on a seasonal basis to monitoring business objectives and risks that are rapidly changing.

Tony Redlinger, internal audit director with IHS Markit, observes the difficulties of the timely capture of risks as “asking the pertinent questions often without the broader knowledge of what the business is getting into, where the technology often advances much faster than the controls.”

BEYOND THE TYPICAL INTERNAL AUDIT RISK ASSESSMENT

What approaches internal audit functions can take to ramp up the process to achieve more dynamic audit planning?

One technique is to increase the frequency of the process and design a rolling service of assessments and audit planning. If existing processes can be made more streamlined and efficient, the time trajectory can be intensified to occur more frequently. Potentially, a concerted effort can result in an audit plan being updated every six months instead of annually. Since the risk identification process ideally is ongoing, management should be encouraged to implement a schedule to periodically review risks, while reserving the ability to accelerate reviews if a company objective changes, or risk factors increase.

For example, if management is considering an acquisition in a new jurisdiction, it could require the reevaluation of risk factors to determine how the decision could impact operations. Such processes can be formally linked into internal audit planning. Of course, existing sources of risk information should be identified and integrated into internal audit planning.

Other assessment processes including Enterprise Risk Management activities, department self-assessments and other functionspecific reviews in high-impact areas depending on industry (e.g., environmental hazards, cybersecurity threats, etc.), should connect and feed into internal audit processes.

Internal Audit 1

TECHNOLOGY TOOLS AND REALISM ABOUT SURVEYS

In the typical risk assessment, preparatory materials are provided and participants are asked a series of questions during sessions with audit staff. This process is expected to produce information to guide the allocation of resources and activities within internal audit so as to optimize the match between the company’s greatest risks and the corresponding mitigation efforts. The availability of sophisticated technology tools such as online surveys can seem to make it cheap and easy to gather voluminous data from a larger population, and to conduct statistical analysis of that data.

Dr. Hernan Murdock, vice president of the audit division at MISTI, finds surveys and questionnaires to be a technique to collect information. “[Questionnaires] promote risk and control awareness, while encouraging transparency and accountability,” he says.

Potentially, this means we can conduct a much larger assessment with the same resources. There is definitely a place for crowdsourcing risk as well as casting a wide net for particular fact patterns of concern, such as use of third-party sales intermediaries or collection of consumer personal data. Still, more data is not always better data. The essence of a good risk assessment is not popular opinion, mechanically sliced and diced; it is informed opinion and expert judgment applied to the facts. Be careful with gathering far more data than can be followed up on or that can be analyzed meaningfully which can result in human-judgment bottlenecks in the process.

Ordinarily, risk assessments gather information from senior executives and managers, as well as a sample of senior operational personnel in the business units. To the extent that “risk owners” are not in these groups, they are usually sought out, and sometimes manager-level input is also requested.

Front-line workers should be considered as well. It’s usually those who are in the details on a daily basis that have the best perspectives on risks and low-hanging fruit when it comes to increasing operational efficiency.

THE RISK OF THE INTERNAL AUDIT RISK ASSESSMENT

Here we are not talking about the risk assessment that drives the audit plan. Rather, this is the risk that the internal audit function itself will not achieve its objectives as a result of the risk assessment. Should you perform this type of quality engagement as well? See IIA’s Standards for the Professional Practice of Internal Auditing 2120—Risk Management: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”

The internal audit function in this regard should consider risks such as:

  • The potential that the audit risk assessment is inaccurate or incomplete leading to an ineffective audit plan
  • Audit staffing that is insufficient in terms of quality and capacity to deliver useful results on every engagement
  • Changes in business and risk not promptly identified so that the audit plan can be updated
  • Audit communications failing to provide information organizational stakeholders need, when they need it
  • Governance roles not able to understand audit results and their implications for management of the organization

Internal Audit 2

Beyond Quality: The Four-Part Approach for Audit Efficiency and Effectiveness

STEP 1: PLAN FOR ORGANIZATIONAL GROWTH

While the concept of quality is uniform for internal auditors of different varieties and capacities, effectiveness and efficiency can vary from organization to organization. Accordingly, clear definitions for these terms—the expectations for your team—must be established and adopted to plan for growth.

Use these questions as guidance when defining exactly what effectiveness and efficiency mean for you and your team:

  • Are we equipped with the up-to-date tools needed to conduct the best work possible?
  • Do we have the right resources and skill sets required to deliver our audit plan?
  • Are we contributing to organizational improvement? If so, can others see this?
  • Have we obtained any validation of our team’s quality, such as notification from managers or executives?
  • Is feedback effectively distributed to team members, so they know what areas to improve?
  • What quantifiable metrics can we associate with these definitions?

While you and your team’s definitions of effectiveness and efficiency are crucial, it is also important to gain the approval of key stakeholders involved in internal audit.

A major reason that process improvement initiatives fail, according to one Harvard Business Review article is that the people whose work will be directly impacted are often left out of the process.

Accordingly, feedback from stakeholders at the helm of the financial success of your company should also be incorporated. Here are a few stakeholders who should weigh in on your definitions of effectiveness and efficiency:

  1. Internal stakeholders: Board of directors, audit committee, executives, senior management and department leads
  2. External stakeholders: Regulators, standard-setters, vendors, customers and external audit teams

STEP 2: DO THE WORK NEEDED TO SET EXPECTATIONS

The second step of this process continues to articulate the definitions of effectiveness and efficiency, and sets expectations for your team.

By this stage, you should have an internal definition of effectiveness and efficiency, and you have tempered that definition in the context of what key internal and external stakeholders need. To better set your organization up for success, make these definitions more actionable and specific through the assignation of qualitative and quantitative metrics.

As described in a Forbes article, Forrester reports 74 percent of firms say they want to be “data-driven,” but only 29 percent are actually successful at connecting analytics to action. Actionable insights appear to be the missing link for companies that want
to drive business outcomes from their data.

Make these definitions more actionable and specific for your team by assigning qualitative and quantitative metrics for each. To collect qualitative and quantitative metrics, try the following tactics:

  • Look back at past performance data to determine quantitative metrics:
    • How many audits were scheduled?
    • How many were completed?
    • How was staff utilized?
    • What were the budgeted hours as compared to the actual hours?
  • Go on a listening tour of departments impacted by your work to determine qualitative metrics:
    • What do clients think of your team’s performance?
    • What do other internal stakeholders think of your team’s performance?
    • Do they consider you and your team leaders in their role or order-takers?
    • Would they want to engage in future projects with your team?

With these actionable definitions in hand, the expectations for your team should be crystal clear. It is ultimately up to chief audit executives to hold their teams accountable for efficient and effective—along with quality—work.

STEP 3: CHECK PROGRESS AGAINST SET EXPECTATIONS

To check the quality, effectiveness, and efficiency of your team’s work, internal audit leaders should look at individual performance on an ongoing basis—not just an annual one. After all, it is easier and less problematic for leaders to reevaluate individual performance in small increments before it becomes a major issue.

In organizations of all sizes, a traditional once-per-year approach to employee reviews is fading away in favor of more ongoing ones. As a Washington Post article describes, today’s employees have come to expect instant feedback in many other areas of their lives, and performance reviews should be the same. Besides, the article states, one report found that two-thirds of employees who receive the highest scores in a typical performance management system are not actually the organization’s highest performers.

Chief audit executives should encourage the completion of self-appraisals. A Harvard Business Review article explains that an effective self-appraisal should focus on what you have accomplished and talk about weaknesses carefully, using language with an emphasis on growth and improvement, rather than admonishment. Highlight your team’s blind spots that they might not be aware exists.

In short, employees want more frequent and iterative assessments of their work, and internal audit leaders need to step up to deliver this and ensure quality, effectiveness, and efficiency at all stages.

STEP 4: ACT UPON WHAT YOU HAVE LEARNED

By this step, internal audit leaders have an array of tools at their disposal, including:

  • Actionable definitions of effectiveness and efficiency for their teams
  • Qualitative and quantitative metrics to bolster these definitions
  • Information gathered from self- and manager-guided evaluations
  • An understanding of how team members have performed along these guidelines

With this information in hand, many opportunities for growth are apparent—simply compare where you want your team members to be against where they are right now. By
implementing these fact-based changes into your internal audit processes, leaders set the stage for cyclical organizational and personal improvement.

According to a survey, this type of continuous improvement yields a positive ROI for organizations, helping increase revenue, along with saving time and money—an average annual impact of $6,000. Additionally, these improvements are designed to compound with each cycle.

Just as the approach to monitoring and improving audit quality is ongoing and cyclical—there are always improvements yet to be made—this approach to improving effectiveness and efficiency is fluid as well.

By weaving this four-part process into the fabric of your internal audit methodology, leaders can improve effectiveness and efficiency in their organizations.

 

Click here to access Workiva’s and MISTI’s White Paper

Insurance Global Trends in 2017

Publié le par hanswillertbleuazurconsultingeu

A brief summary of the key regional trends :

  • Analytics, Customer Centricity and Digital Innovation achieve similar scores across all our regions.
    • Customer-Centricity trails marginally in North America.
    • Noteworthy is the perfect score of 60 attained for Digital Innovation in Asia-Pacific, which indicates that this was the number-one priority here in all four measures underlying the priority score (money, time, staffing and training).
  • Underwriting and Risk Management both score considerably higher in North America than they do elsewhere – as we saw in the first priorities table, Underwriting is 3rd in the list of priorities in North America, despite not getting above 7th place in any other regions, and its Risk Management score is more than 80% higher than the runner-up’s (Europe).
  • There is a step-up in focus on Claims in Europe and North America compared to Asia-Pacific.
  • With Distribution Diversification, we have the exact inverse scenario, with Asia-Pacific leading the pack, possibly a reflection of the emerging markets within it necessitating high-scale low-cost distribution, which traditional models cannot provide.
  • Fraud is also a marginally higher priority in Asia-Pacific.
  • Europe and Asia-Pacific lead North America with their focus on Internet of Things.
  • Cybersecurity and Mobile achieve similar (lowish) scores for all regions; Product Development is relatively high across the board.
  • Regulation is the biggest deal in Europe, where respondents quoted in particular Solvency II and the Insurance Distribution Directive (IDD) as being causes for concern.

InsuranceNexus

Click here to access Insurance Nexus detailed survey analysis

The Imperative to Raise Enterprise Risk Intelligence

Publié le par hanswillertbleuazurconsultingeu

How to raise enterprise risk intelligence

  • Break down silos and collaborate. To ensure all risks are addressed, finance, operations, compliance, legal and IT functions should work together in managing enterprise risks. According to 53 percent of respondents, there is little, if any, collaboration among these functions to achieve a clearly defined enterprise risk management strategy.
  • Focus on accomplishments that will make a difference. The findings reveal a significant gap between the most important features of a risk intelligence platform and what features are actually accomplished. The features considered most important but rarely accomplished are:
    • Business continuity response (produces plans, runs business impact analyses, resiliency controls and engages stakeholders in crisis drills and recovery)
    • Incident/issue risk response (coordination of classification, collaboration, evidence, policies and reporting across the organization for all operational and security risk events)
    • Operational risk & compliance (creates risk registers and runs Risk and Compliance Self-Assessments (RCSAs) against critical business processes to report key risk indicators (KRIs), findings and loss events)
    • Threat and vulnerability mitigation (automates continuous risk correlation, prioritization and remediation of assets and operation criticality, threat reachability, control and vulnerabilities)
  • Establish a formal budget for enterprise risk management. It is critical to allocate resources specifically designated to achieving a well-executed enterprise risk management program. Fiftyeight percent of respondents say their organizations do not have a formal budget.
  • Engage management and the board of directors in the organization’s risk strategy. The inability to get started was one of the top three barriers to achieving risk management objectives. Senior leadership’s involvement will incentivize and motivate collaboration and a formal process for achieving the objectives of a risk management program.
  • Achieve clarity of your IT assets and infrastructure. A clear map of the infrastructure and categorization of assets, especially high value and knowledge assets, is key to ensuring appropriate risk measures are in place. Only 24 percent of respondents say they have categorized assets based on their business criticality.
  • Assign accountability for the achievement of specific risk management objectives. According to the findings, either no one person has overall responsibility or it is dispersed throughout the organization.
  • Measure effectiveness in risk intelligence efforts. Only 31 percent of respondents say their organizations have specific metrics to determine how well risks are being managed. Many organizations represented in this study are not measuring such key objectives as time to contain threats and attacks, time to identify and pinpoint high-risk areas and time to remediate after containment of the attack.
  • Consolidated risk reporting is essential. Sixty-three percent of respondents say it is essential or very important to have a centralized or consolidated risk reporting (one set of metrics) in order to achieve a strong security posture.
  • Replace complexity with ease of use. The number one barrier to achieving risk management objectives is the complexity of technologies that support risk management objectives. Understandably, the number one feature of a risk management solution is ease of use (53 percent of respondents). Investments in risk management technologies that end up on the shelf because of complexity and the lack of in-house expertise will frustrate any attempts to achieve an enterprise risk management program.

ERM Survey

2017_Report_on_ERM