IIA – NSW Chapter 16 February 2010

IA role in providing assurance over RM processes
IA in 2010 and beyond – role as leader of 3rd line of defence
© 2010 Deloitte Touche Tohmatsu
Positioning of Internal Audit
Three Lines of Defence (figure)
• 1st line – Divisional Management & Board, owning the risks: Corporate, Division 1, Division 2, Division 3, Subsidiary 1, Subsidiary 2
• 2nd line – Risk Management: Operational Risk, Compliance Risk, Financial Risk, Strategic Risk
• 3rd line – Assurance Providers (IA lead role): Internal Audit, External Audit, Safety/OHS, Other Compliance
Future challenges – a value adding “third line of defence”
• Having the confidence to reduce the process level risk focus to business risks and to use the “one view of risk” concept in their approach and planning
• Providing assessment of the adequacy and effectiveness of the RM process
• Taking on the role of driving the alignment of assurance providers – this lead role may bruise egos – GRC concepts and assurance framework
• Managing the expectation of management to “add value” to the business – the value is long term sustainability through effective operation of the 3 lines of defence model – management needs to understand that – investors and directors increasingly do
• Reassessing IA reporting lines so as to be properly aligned as an assurance guardian in the governance structures – who do we report to?
• Having the courage to overturn current resourcing models to bring more breadth of specialism into the department – middle management replacement and the role of the graduate
• Enhancing training programmes – focus on specialist training v bringing talent through – use of more comprehensive co-source models for practice development
• The data challenge – “enhanced audit efficiency and quality” v “doing management’s job regarding continuous risk monitoring”
• Managing the expectation to help manage down external audit fees in a tight market – an assurance guardian cannot continue with substantive procedures and low level compliance testing whilst at the same time hiring top people
What role has the third line got to provide assurance that the second line is doing its job?
• IIA standards – 2120 – Risk Management – “The internal audit activity must evaluate the effectiveness … of risk management processes.”
• Common sense that it does, in line with the 3rd line role
• “Implied through work v direct head on”
• APRA requirements and others
• Enabling ASX Principle 7 disclosures
• King III
The Challenge of Independence
The challenge of independence from risk
• Roles in the organisation are often blurred outside of certain industries such as FSI and transport
• Risk assessment for IA planning is often dressed up as Risk Management
• The IA department needs to be confident it can independently assess the process
Balancing IA Consulting and Assurance Roles wrt ERM
Internal Audit’s Role – Major ERM Activities
Core/Safe – consistent with Standards:
• Giving assurance on the risk management process
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks
Should be performed with certain safeguards – temporary role:
• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidated reporting on risks
• Championing establishment of ERM
• Developing risk management strategy for Board approval
Should not be performed by internal audit:
• Setting risk appetite
• Imposing risk management processes
• Providing management assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management’s behalf
• Assuming accountability for risk management
Approach to the review
Framework for review – adequacy of the process
• COSO ERM framework
• Maturity model
• Deloitte 9 principles model
COSO Framework
Expected maturity
• Level of regulation around RM – APRA, OHS etc
• Degree of quantification required
• Level of risk in the organisation – inherent and experienced
• Style of management and style of the Risk Committee
• Agree up-front
Risk management - Maturity
Systematically build and improve risk management capabilities
Risk management capabilities evolve ... (figure: actual maturities plotted against expected maturities across five levels)
• Initial – capabilities are characteristic of individuals, not of the organization
• Repeatable – process established and repeating; reliance on people is reduced
• Defined – policies, processes and standards defined and formalized across the company
• Managed – risks measured and managed quantitatively and aggregated on an enterprise-wide basis
• Optimizing – continuous improvement of business risk management
Maturity and structure (figure: radar chart on a 0 to 5 scale plotting current state, future/target state and mature state across the nine principle areas)
• Risk Governance: Risk Definition, Common Risk Framework, Roles & Responsibilities, Transparency/Visibility
• Risk Infrastructure & Oversight: Executive Management, Risk Infrastructure, Functions (IA, Risk Mgmt.)
• Risk Ownership: Business Units, Supporting Functions
9 principles for building Risk Intelligence
Risk Governance
Principle 1: A common definition of risk, which addresses both
value preservation and value creation, is used consistently
throughout the organisation
Principle 2: A common risk framework supported by appropriate
standards (e.g., COSO ERM, ISO, etc.) is used throughout the
organisation to manage risks
Principle 3: Key roles, responsibilities and authorities relating to risk
management are clearly delineated within the organisation
Principle 4: Governing bodies (e.g., Boards, Audit Risk Committees,
etc.) have appropriate transparency and visibility into the
organisation’s risk management practices to discharge their
responsibilities
9 principles for building Risk Intelligence
Risk Infrastructure & Oversight
Principle 5: Executive management is charged with and has primary
responsibility for designing, implementing and maintaining an
effective risk program
Principle 6: A common risk management infrastructure is used to
support the business units and functions in the performance of
their risk responsibilities
Principle 7: Certain functions (e.g. internal audit, risk management,
compliance etc.) provide objective assurance as well as monitor and
report on the effectiveness of the organisation’s risk program
9 principles for building Risk Intelligence
Risk Ownership
Principle 8: Business units (departments, agencies etc.) are
responsible for the performance of their business and the
management of risks they take within the risk framework
established by the executive management
Principle 9: Certain functions (e.g. Finance, Risk Management, IT,
Compliance, etc.) have a pervasive impact on the business and
provide support to the business units as it relates to the
organisation’s risk program
Benchmarking in the industry
• Brings relevant value
• Role that a co-source provider can bring to the review
Effectiveness of the process
• This is trickier
• Need to be careful in defining the scope – in the first year avoid extending to effectiveness
• Results of audits improving over time
• Residual risks reducing as evidenced by the RM process
• Risks that occurred during the year – were they previously identified, and were they correctly rated?
• Survival during the GFC
Some pitfalls
Managing the politics
• Conflictual – often relates to someone who is not up to it
• CRO/RM are tough jobs
• Conflictual – often relates to management who have not bought in
• Risk committee v management relationships
“There is no better way of confirming your key role in the 3rd line of defence than having the courage to evaluate the 2nd line – operational to strategic”
General information only
This presentation is provided as general information only and does not consider your specific objectives, situation or needs. You should not rely on the information in this presentation or disclose it or refer to it in any document.
We accept no duty of care or liability to you or anyone else regarding this presentation and we are not responsible to you or anyone else for any loss suffered in connection with the use of this presentation or any of its content.
About Deloitte Australia
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning
multiple industries. With a globally connected network of member firms in 140 countries, Deloitte brings
world class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's
150,000 professionals are committed to becoming the standard of excellence.
In Australia, Deloitte has 12 offices and over 4,500 people and provides audit, tax, consulting, and financial
advisory services to public and private clients across the country. Known as an employer of choice for
innovative human resources programs, we are committed to helping our clients and our people excel.
Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust, and
making a positive impact in their communities. For more information, please visit Deloitte’s web site at
www.deloitte.com.au.
Deloitte's professionals are unified by a collaborative culture that fosters integrity, outstanding value to
markets and clients, commitment to each other, and strength from diversity. They enjoy an environment of
continuous learning, challenging experiences, and enriching career opportunities.
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member
firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for
a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.
Confidential This document and the information contained in it is confidential and should not be used or
disclosed in any way without our prior consent.
Liability limited by a scheme approved under Professional Standards Legislation.
© 2010 Deloitte Touche Tohmatsu. All rights reserved.