Best practice dictated by the Institute of Internal Auditors requires an independent quality assessment of the IA function at least once every five years. A more frequent assessment may be considered if significant changes have occurred to impact how the IA function performs its responsibilities – e.g. change in IA leadership and/or oversight, change in IA methodology, significant merger and/or acquisition, etc.

The quality assessment should address the following objectives:

1. Assess the effectiveness of an IA function in providing assurance and consulting services to the board, senior executives, and other interested parties. This includes the adequacy of the IA activity’s charter, goals, objectives, policies and procedures as well as the IA activity’s contribution to the organization’s governance, risk management and control processes.
2. Assess conformance to the Institute of Internal Auditors’ Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (“Standards”) and provide an opinion as to whether the IA activity generally conforms to all.
3. Identify opportunities, offer recommendations for improvement, and provide counsel to the Chief Audit Executive (“CAE”) and staff for improving their performance and services and promoting the image and credibility of the internal audit function.

In addition, a well-designed quality assessment will include an evaluation of the following key IA function elements:

1. The expectations of the IA activity expressed by the board, executive management, and its other “customers” (i.e., management of operational and support units).
2. The entity’s control environment and the CAE’s audit practice environment.
3. The focus on evaluating enterprise risk, assessing organizational controls, and including aspects of the governance process in audit plans to assure that audit activities add value to the enterprise.
4. The integration of internal auditing into the organization’s governance process, including the attendant relationships and communications between and among the key groups involved in that process and aligning audit objectives and plans with the strategic objectives of the entity as a whole.
5. The International Standards for the Professional Practice of Internal Auditing.
6. The mix of knowledge, experience, and disciplines among the staff, including staff focus on process improvement and value-added activities.
7. The tools and techniques employed by the department, with emphasis on the use of technology.

The final key element is often one that typically receives the least focus, but can yield the greatest benefit to the IA function and the company as a whole. By automating the IA management processes such as scheduling, planning, workpaper preparation, reporting and issue follow-up, IA functions can dramatically increase their ability to perform their responsibilities in concert with a company’s operation and risk profile. OpenPages’ Internal Audit Management solution is a great example of a solid platform that can support a high quality IA function.

If you are interested in learning more about conducting an IA quality assessment for your company, please email us at NavigateSuccessfully@WheelhouseAdvisors.com.

• “Take an integrated approach to IT audit, one designed to strengthen IT capabilities. IT audit strategies need to lay the groundwork for integrating IT audit expertise within audit teams. An IT audit plan should center on an annual IT risk assessment, reflecting a clear linkage between IT risk assessments and IT audit planning. In addition, it should address risks within individual business processes and provide for continuous enhancement of IT audit capabilities. It’s also important for the plan to be clearly articulated, formally documented, and well aligned with organizational IT strategies and objectives.”

One of the key roadblocks to an integrated approach to IT audit is the sheer complexity of data gathering and management. In the past, it represented a tremendous amount of effort for internal audit to collect relevant information and to govern access to that information securely. A centralized technology platform for identifying, assessing and monitoring risk and controls presents a unique and unprecedented opportunity to help the business focus on making risk decisions based on management’s risk appetite and tolerances.

This common framework and process can make the business more predictable in meeting IT, financial and management objectives and can help managers anticipate major risk and control problems of the future. As a partner with IT and the business in managing risk, internal audit should be a driving factor in evaluating technological and process-based changes and evolving the organization’s risk management practices.

• “Adopt a risk-centric value proposition that focuses continually on enterprise risks.  To meet rising stakeholder expectations, internal audit needs to embrace a risk-centric approach to delivering value.  That requires providing assurance on risks as well as controls, maintaining an ongoing focus on risk, and keeping the audit committee and senior management well informed about changing risk exposures.”

Traditionally, internal audit has focused on assuring that internal policies and procedures are being followed and that the business is in compliance with external regulations. This has been accomplished through the monitoring and assessment of internal controls and tracking of issues that are raised during audits. The methodology tended to be bottom-up, check-the-box, account-based auditing intended to provide independent assurance that the business is operating as designed with as much transparency as possible.

By functioning as a consultative arm to the business and helping to establish an enterprise-wide risk and control framework, audit has the capacity to influence the continued improvement of process level controls as well as the macro level control environment. Internal audit can bring to the business best practices for measuring, managing and prioritizing risks while cross pollinating effective management techniques and internal controls across the enterprise.

To learn more about Internal Audit and its evolving role in ERM, check out this white paper.

In the first session of the event titled, “Aligning Risk Reporting with Risk Oversight,” Rick will outline how most boards believe that the CRO is solely responsible for all things risk-related, and that the CCO is solely responsible for all things compliance-related – which in reality, is virtually impossible. He’ll explain that the CRO and CCO are responsible for ensuring that there is an effective risk and compliance process in place to reduce exposure and litigation and that the CRO and CCO need to be sure they are giving the board the appropriate level of information needed to govern. In his presentation, Rick will describe how companies need a programmatic way to report on risk, controls, issues, and other risk and compliance related information to support the senior executives and board.

At OPUS 2010, Jo Morton, Business Analyst, Internal Audit at Williams Companies, Inc. and Lawrence Joiner, Manager of Internal Audit Operations at Williams presented an informative session titled, “An OpenPages Approach to Auditing Standard 5 Compliance.” In their session, Jo and Lawrence outlined how Williams has been able to move beyond a “process by process” review and up to an Account Level review that truly is an AS5 “Top-down Approach” In the following conversation, Jo Morton describes her session and her overall OPUS 2010 experience.

And it wasn’t just a one-time event – not by a long shot. Rather, hundreds of bribes totaling tens of millions of dollars were paid in no less than 22 countries over a ten year period. In a number of instances so called “cash desks” were used to pay currency directly to government officials. In other cases the company used foreign bank accounts of shell companies to hide payments. Daimler reportedly also jacked up invoices for cars to generate still other payments.

What’s perhaps most disturbing is that the reports say this wasn’t a lower and middle management activity, but involved “important executives” including heads of overseas sales divisions, and more unsettling, even the company’s internal audit office. The Department of Justice complaint speaks to Daimler’s “longstanding violations” of bribery rules and a “corporate culture that tolerated and/or encouraged bribery.” The reports also says the complaint points to “a lack of central oversight over foreign operations.”

It’s well known the Justice Department in the U.S. is pushing hard on possible Foreign Corrupt Practices Act violations, and European regulators are increasing rule making and enforcement as well. And internal controls to help deal with the risk of improper payments are well known. Of course, if senior managers are turning a blind eye, or worse yet encouraging such payments, then all bets are off. For readers with responsibility for dealing with these kinds of issues, a company’s corporate culture, including the tone at the top of the organization, is the first place you’ll want to focus attention. And then you’ll want to look at the kind of risk management and compliance processes in place, and how they’re working, to hopefully gain comfort in your organization that anti-bribery indeed is under control.

© Steinberg Governance Advisors, Inc. 2010. The information presented here does not constitute legal or any other type of professional advice. Companies are encouraged to consult legal counsel concerning their responsibilities for legal and regulatory compliance.

1. Uncertainties of economic/legislative environments
2. Risk management/oversight
3. Financial statement issues (e.g., fair value, asset impairment, consolidation, revenue recognition)
4. Financial communications/disclosures
5. Tone at the top, culture, and compensation/incentives
6. Legal/regulatory compliance (FCPA)
7. Impact of cost reductions (talent, controls, compliance)
8. Audit committee’s effectiveness and efficiency
9. Funding pensions/benefit costs
10. CFO and internal audit resources

With risk management being near the top, additional insight is provided with answers to the following questions:

What role does your board/audit committee play in the development of the company’s risk appetite?

• Approves a formal, written statement of the company’s risk appetite 4%
• Approves the company’s risk appetite generally, but not a formal, statement of risk appetite 47%
• Discusses company’s risk appetite at least annually 25%
• Does not discuss the company’s risk appetite 23%

Who in management is your board’s primary contact or interface regarding the company’s risk management system/processes?

• CEO 35%
• CFO 30%
• Internal audit 15%
• Chief risk officer 11%
• Other 4%
• No primary contact has been identified 5%

Certainly food for thought when considering what your company’s audit committee sees as most relevant, and how it operates.

© Steinberg Governance Advisors, Inc. 2010. The information presented here does not constitute legal or any other type of professional advice. Companies are encouraged to consult legal counsel concerning their responsibilities for legal and regulatory compliance.

The first set of objectives focus on the primary elements of a successful ERM program and require the CRO to take the lead. It begins with the company’s strategic planning process and ensuring that risk management is fully embedded as part of the process. This means not only having a solid understanding of the risks associated with the company’s strategic objectives, but also knowing the appropriate risk responses in anticipation of potential risk events. Equally critical is the linkage of the company’s performance management, risk management and compensation management systems. Without this linkage, the company cannot successfully achieve its desired results over the long-term. In addition, the CRO must champion the usage of both quantitative and qualitative risk measures to ensure an appropriate amount of sound business judgment is applied when analyzing statistical model results. Finally, frequent and consistent communication regarding performance in light of the company’s risk appetite must be maintained.

On the flip side, the CAE can augment a successful ERM program in several ways. First, the CAE can provide an independent viewpoint of the program’s effectiveness using peer comparison and industry benchmarks. Beyond benchmarking, the CAE can also use a risk-based audit methodology to focus the audit resources on areas of greatest risk. This is driven by a robust risk assessment process that incorporates, but is not limited to, management’s viewpoint. The CAE must also proactively and aggressively investigate all potential areas for fraud. Most importantly, the CAE should strive to maintain open channels of communication with management and the board of directors as a constructive feedback mechanism.

Working together to achieve these objectives, the CRO and CAE can provide the ultimate value to the company and all of its stakeholders. My next entry will focus on how technologies such as the OpenPages ERM platform can make achieving these objectives all the more effective and efficient.

To be effective at sustaining the ERM program, CROs can look to Internal Audit and the Chief Audit Executive (CAE) for help. The CRO and CAE share many similar objectives and when the two executives work in tandem, they can add great value to the company and its various stakeholders. At the same time, each of these executives has unique responsibilities that require independence. Below is a summary of the CRO and CAE roles.

Beyond their individual roles, it is critical that the CRO and CAE adopt a common risk management framework and methodology. I’ve seen many clients attempt to utilize various forms of risk assessment and spend more time trying to reconcile the differences rather than spending the time working together to mitigate the risks themselves. Once a common framework and methodology is in place, then a common infrastructure and technology platform, like OpenPages, can streamline the program to add even greater value to the enterprise. Working together, the CRO and CAE can then focus on specific strategies to ensure the ongoing success for an ERM program. I’ll discuss these strategies in my next blog entry, so stay tuned!

• Understand the entity’s risk philosophy and concur with the entity’s risk appetite 
• Know the extent to which management has established effective enterprise risk management of the organization 
• Review the entity’s portfolio of risk and consider it against the entity’s risk appetite 
• Be apprised of the most significant risks and whether management is responding appropriately

The last area is one that cruise line leader Carnival Corporation has taken to heart. In a recent interview with Erik Krell from Business Finance, Carnival’s vice president and chief audit executive Richard Brilliant explained how his team “has done a phenomenal job in developing a framework that enables us to provide risk reporting to the board that they never had before. The reporting not only allows directors to understand how risks are mitigated, but also provides ongoing risk monitoring as well as tracking of action plans for improvements.”

Brilliant says that presenting new, precise information to the board about the company’s overall ability to manage governance, risk, and compliance issues has really improved the dialogue about how the company could better respond to risk in the business. Further, Brilliant notes, “the board can also more clearly see over time how things have improved.”

To read the full interview click here.