Transcript Slide 1

Upward
Hacia arriba
Today
Onward
Adelante
(1941)
Impact of Corporate Governance on the
Internal Audit Profession
Glenn E. Sumners, DBA, CIA, CFE
“Internal auditing is an endless journey towards an ever-changing destination.” Glenn E. Sumners
Dominican Republic
Punta Cana
2012
Presenter (presentador)
Glenn E. Sumners
Director
Louisiana State University
Center for Internal Auditing
Glenn Sumners, DBA, CIA, CFE is on the faculty of Louisiana State
University where he is the director of the Louisiana State
University Center for Internal Auditing (LSUCIA). He was named
Educator of the Year in 1987 by the IIA and received the LCPA
Lifetime Achievement in Accounting Education Award in 1999. In
2006, Professor Sumners received the Bradford Cadmus
Memorial Award from the IIA. He is a member of the IIA Society
Emeritus. In 2012, he was inducted into the IIA American Hall of
Distinguished Audit Practitioners. Three LSUCIA students have
placed first in the international manuscript competition.
Eighteen students from the LSUCIA Program have won
international awards for the highest score on the CIA exam. In
2012, The CIA Award for the highest student score was named
the Dr. Glenn E. Sumners Award.
He provides quality assurance reviews, consulting, and training
to internal audit groups and audit committees. He has made
over 1200 presentations in the last 25 years. He has been invited
to speak in 25 countries.
Governance (gobierno)
Agenda (orden del día)
Adding Value: The expanding role of Internal Auditing (valor agregado)
• The Value Proposition (la propuesta de valor)
• Addressing Governance (relación con el gobierno corporat)
• Infrastructure (infraestructura) Integration (Integración)
• Assessing Risk (evaluación de riesgos) (Borderless organizations)
(organizaciones sin fronteras)
• Internal (interno)
• External (externo) (Strategies) (Estrategias)
• Risk Threats (riesgos amenaza)
• Risk Opportunities (riesgos oportunidades)
Governance Agenda (gobierno
orden del día)
Adding Value: The expanding role of Internal Auditing (toward governance)
• Job enlargement
• Job satisfaction
• Job enrichment
• Addressing Governance (infrastructure and integration)
• Assessing Risk (broader perspective) (borderless organizations)
• Internal
• External (strategies)
• Enhancing Controls
• Control Activities
• Management Controls
• Plan (tactical and strategic) (planning committee)
• Organize (delegation of accountability)
• Staff (needed competencies outpacing competencies) (CFIA) (CBOK) (Surveys)
• Direct (policies and procedures) (control activities)
• Monitor (change management) (custodial managers)
• Environmental Controls
COSO – Tone at the Top (infrastructure) (integration) (permeation)
• Control Environment
Agenda (orden del día)
• Enhancing Controls (mejorar los controles)
• Control Activities (actividades de control) (time allocation)
• Management Controls (controles de gestión)
• Plan (Tactical and Strategic) (Comité de Planificación)
• Organize (Delegation of Accountability) (organizar)
• Staff (I  K  W – RP) (BS and CS) (personal)
• Needed competencies outpacing competencies
• CFIA
• CBOK (Business Knowledge)
• Surveys (Encuestas) (Critical Thinking – Hours – Business)
• Direct (Policies and Procedures) (directo)
• Monitor (Oversight, Analytics, Change Management) (custodial
managers)
• Control Environment (Entorno de control interno)
• All components of COSO reside in the Control Environment
• Virgin territory
COSO – Tone at the Top (infrastructure) (integration) (permeation)
(infraestructura) (integración) (penetración)
Internal Auditing: Adding Value
(Auditoría Interna: Agregando Valor)
(Mature)
(Embryo)
(Maduro)
(Embrión)
(Radar)
Governance
Risk
•Opportunities
•Threats
(Gobierno)
(Riesgos)
Controls
(Controles)
Control Environment
Management Controls
Control Activities
Board
External
Entity
Process
Audit Committee
• Charter
Internal Audit
• Charter
Unit
Evolution of the Profession (evolución de la profesión)
Quality (calidad)
Question: Can you be in 100% compliance and go out of
business?
Integration
• GRC
Evaluation
• Check the box
• Reality
Governance (Gobierno Corporativo)
SOD
Board (Junta)
• Selection Process (Proceso de Selección)
CEO
COB
Audit
Committee
Risk
Committee
Compensation
Committee
Sub.
(comité de
auditoría)
(comité de
riesgos)
(comité de
compensación)
• Stock options
• Bonus plans
Obj.
CAE
CRO
• Global
• Strategic
• Counterproductive
• Salaries
AAA
• Up, up, up,
and away
(CRMA)
Issues (cuestiones):
• Accountability – Governance, Risks, and Controls (responsabilidad)
• King III
• Transparency (transparencia)
• Sustainability (sostenibilidad)
Personal Opinion (Opinión personal):
The CEO and CFO should not be involved in selecting members of the Board, Audit Committee, Risk Committee,
or Compensation Committee
Reporting (Reportaje)
Board (Junta)
CEO
Audit Committee
(Comité de Auditoría)
Functional
(Funcional)
• Proactive Review
• Primary Report
• Audit Plan
• Overview of Administrative
• Executive Session (Reunión Ejecutiva)
Charter
• Performance Evaluation
• Promotions
• Hiring – Rotation - Termination
Internal Audit
(Auditoria Interna)
Administrative
(Administrativo)
• Resources
• Office Space
• Budget
• Training
• Travel
• Staffing
Best Business Crimes
Mr. Kozlowski had the company’s (Tyco) internal auditors report to the board through himself, and ensured they would not audit a Tyco unit through which the fraudulent loans and other payments were made.
• CAE
• Charter (Estatutos)
“The internal auditors should have an independent reporting line directly to the Audit Committee.” SAS #99
“Three principal factors contribute to independence and objectivity: the organizational positioning of the function, the corporate
stature of the chief internal auditor, and the reporting of the chief internal auditor to the audit committee.
For day-to-day operational purposes, the chief internal auditor should report administratively to a senior officer who is not directly
responsible for preparing the company’s financial statements. The commission encourages an administrative reporting
relationship in which the chief internal auditor reports directly to the CEO.” NCFFR (1987)
Risk Management Process
(Proceso de Administración de Riesgos)
(Integration and Linkage)
(Integración y conexión)
Limitations (limitaciones):
• Limited Oversight
• Limited Knowledge
• Limited Experience
• Limited Accountability
• Technology
• Interconnectivity
Audit Committee (comité de auditoría)
of Board of Directors
CEO
Oversight
Oversight
Comprehensive
Report
(oversight)
(Responsibility)
Factors (factores):
• Chaos Theory
• Prediction
• Butterfly Effect
• Tipping Point
CRO
(Execution)
• Organizations (5/9)
• Ethics
Risk Management (gestión de riesgos)
CAE
Macro (Resource Allocation)
• Fraud Risk
• Analytics
What does CRMA really mean?
(Certified Risk Management Assurance)
• Long-term Planning
• Integration
Input
Input
Priority
Feedback
Audit
Status (Estado):
• Check the box
• Reality (Realidad)
Auditor in Charge (AIC)
Micro (Engagement Planning)
The Risk Complexity Multiplier
(El multiplicador de la complejidad de riesgo)
10 x 100 x 1000
Governance Integration
ERM Implementation (Endless Activity)
(Adapt to Change)
Need
• Globalization
• Technology
• Information
• Market Volatility
• Interconnectivity
• Staffing
• Rate of Change
Context
Identify
Priority
Risks
• Strategic
• Operational
• Financial
• Compliance
Governance Challenges:
• Control Environment
• Internal Environment
• Goals and Objectives
• Tone at the Top
Risk Environment
• Oversight
• Accountability
• Ownership
• Monitor-Adjust
Risk Management
Status
Gap
Analysis
Desired
ERM
Business
Plan
Integration
Continuous
Integration
Process
Dynamic
Process
Size
Industry
Strategy
Competition
Cycle
• Challenge
• Change
Question (Pregunta)
What are the five primary reasons controls fail?
(¿Cuáles son las 5 razones principales por las cuales los controles fallan?)
1. ________________________________
2. ________________________________
3. ________________________________
4. ________________________________
5. ________________________________
Why? (¿Por qué?)
Increase
Sugar
10
“V O l l” =
Milk
9
Eggs
12
Technically, Ken is innocent.
Bacon
16
Stamps
15
Fraud
?
Times
Why
Internal Control – Failures
(Control Interno – Fracasos)
What are the five primary reasons controls fail?
1. Lack of integrity
2. Weak control environment
3. Inconsistent objectives
4. Poor communication (Up, Down, and Across)
5. Inability to understand and react to changing conditions
Internal Control – Integrated Framework
Question:
How many of these relate to “Governance”?
COSO Control (Addressing Governance)
Entity (entidad)
Process (proceso)
Info. & Communication
Control Activities
Unit A
Monitoring
Activity 1
Aggregate (agregado)
Activity 2
Challenge (desafío):
• Evolving from Control Activities
to the Control Environment
Risk Assessment
Unit (unidad)
Control Environment
(Entorno de Control)
“Management should periodically check the batteries in their moral compass.” GES
Audit Plan to Address Governance
Review
Approach
• Audit Committee – Best Practices
• Charter
• Checklist
• GAP Analysis
• Documentation
• Unit
• Entity
Mandatory Audits - Entity
• Employee Survey
• ERM
• Conflict of Interest
• Complaint Process
• Executive Expense Report
• Analytical Audit
• Ethics Audit
• Accruals
• Change
• Reserves (Step #1)
• Transformation Transactions
• Top-side Closing
• Revenue Recognition
• Compensation
• Governance
Question: How much time does it take to do an entity level audit?
COSO Risk (Riesgo)
Focus:
• Internal Environment
• Strategies
• Integration
TIPS
Objectives
(Objetivos)
Internal Environment
(Ambiente de Control)
Division
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Info. & Communication
Monitoring
ERM – Conceptual Framework
Detrimental
A
Job Specificity
AAA
Objective
COSO Risk Objectives
• Strategic
• Operations
• Compliance
• Financial
OR
(racionalización)
Rationalization
(oportunidad)
(presión)
Pressure
(monitoreo)
Monitoring
(anular)
Override
(controles)
Subjective
Controls
Audit Focus
Beneficial
(Riesgos)
Organization
Risks
(Gobierno Corporativo, Riesgos y Controles)
Opportunity
Corporate Governance, Risk and Controls
R
C
M
P O R
R
C OR M
P O R
R
C
OR
M
P
COSO Components
• Control Environment
• Monitoring
• Information & Communication
• Risk
• Control Activities
Question: What is the solution?
Audit plans from top down that parallel the business plan.
o
R
Enterprise Risk Management Integrated Framework
(gestión del riesgo institucional del marco integrado)
(Strategies) (Estrategias)
Linkage:
• Objectives
• Risk
• Strategies
Uncertainty (Incertidumbre)
Risk Sources (Fuentes de riesgo)
Changing Circumstances
Condition
(las circunstancias cambiantes)
(Condicion)
Threats
(Amenazas)
Opportunities
Threats
(Oportunidades)
(Amenazas)
Threats
Opportunities
Technology
(Tecnología)
External:
Uncontrollable
Internal:
Controllable
Opportunities
(Oportunidades)

Strategies
Operations


Reporting
Compliance
New Products
(Oportunidades)
(Nuevos productos)
Threats
(Amenazas)

(Amenazas)
Opportunities
(Oportunidades)
Opportunities
Threats
(Oportunidades)
(Amenazas)
Threats
Opportunities
(Amenazas)
(Oportunidades)
International
Operations
(Operaciones
Internacionales)
Regulations
(Regulaciones)
Tactical Planning
(la planificación táctica)
Timely
Transparent
Reporting
Strategic Planning
(planificación estratégica)
Reasonable
Assurance
Internal Auditing
(Auditoría Interna)
Other Governance Challenges
for Board, Audit Committee, and CAE
• Technology (Tecnología)
• Continuous Monitoring
• Globalization (Globalización)
• Fraud (Fraude)
• Detection to Prevention
• Detrimental to Beneficial
• Risk Interconnectivity
• Staffing (Dotación de Personal)
• Business Knowledge
• Technology
• Risk
• Governance
• Control Environment
• CFIA
• CBOK
• Surveys
• Critical Thinking
• Hours of Preparation
• Who Studies
• Analytics (Análisis)
• Integration
• Monitoring Process
• Audit Process
• Embody
• Governance
Preguntas y Respuestas
Questions & Answers
Contact information
Glenn E. Sumners, DBA, CIA, CFE
www.sumnersauditservices.org
225-445-4565
8222 Walden Road
Baton Rouge, LA 70808 USA
Conclusions
The primary challenge of the internal audit profession will
be fulfilling the prime directive to add value through
enhancing governance, risks, and controls.
These challenges will lead to the job enlargement and job
enrichment of the profession.