Internal Audit in brief

12 October 2009

Welcome to the third edition of “Internal Audit In Brief” – the newsletter that gives Internal Audit leaders a summary of the topical issues we are seeing in the market place.

As Internal Audit functions continue to take stock of their role within organisations, many departments have increasingly been expected to do more with less.

This issue covers some aspects of the broader risk and assurance landscape that are faced by many internal auditors, including:

  • Business continuity: Are you prepared for a major incident (like the Mexican flu)?
    Incidents such as the escalating Mexican flu pandemic will test the effectiveness of many organisations’ approaches to business continuity management (BCM). Read more
  • Assurance Maps: Can assurance mapping help you derive more value from your Internal Audit function?
    None of us will deny that this has been a tough year and times ahead look rather similar. The results of last year’s PwC Internal Audit survey clearly showed that there was a significant increase in the remit of Internal Audit functions, while many are experiencing a shortage of skills and resources. Read more
  • Focusing on Fraud: Where should Internal Audit focus its attention?
    The 2009 PwC Internal Audit survey showed that fraud prevention was within the remit of 60% of those sampled and that 67% anticipated that fraud would be an area of increased focus in the future. When fraud occurs, questions are often asked, fairly or otherwise, as to why the problem was not spotted sooner. So where should Internal Audit focus its attention? Read more
  • Controls Excellence: Internal Audit’s role in promoting key control skills.
    Current market conditions and volatility have exposed weaknesses in control frameworks. But how is this possible in a world where leading global companies see risk management and a sound control environment as an integral part of the way they manage their businesses? Read more
  • Reviewing Corporate Governance: What role can Internal Audit play?
    It is clear that governance failures contributed materially to excessive risk-taking in the lead up to the financial crisis. “Weaknesses in risk management, board quality and practice and control of remuneration need to be addressed” concluded a recent study of the governance of UK banks. This is also one of the main topics of the next G20 summit in Pittsburgh. This points out the importance of sound governance practices at the top of the organisation. It also raises the question about who establishes the effectiveness of the Board and its Committees, and what role Internal Audit can play in this context. Read more
  • COBIT – IT assurance guide and Internal Control Maturity Model.
    Most internal auditors will recognise the importance of reviewing the IT governance and IT processes in their organisation. The IT Governance Institute (“ITGI”, an ISACA body) has issued an IT governance framework as well as guidance on how to use its Control Objectives for Information and related Technology framework (“COBIT”). Read more
  • Internal audit round-table meetings
    Sharing best-practice ideas is a good, effective way of dealing with the challenges that internal auditors face. For this reason, PwC periodically hosts round-table meetings based on matters the Internal Audit community has raised with us. You are all invited to participate and share your views and experience. Read more

We trust that you find the above information useful. Should you have any question, please do not hesitate to contact us.

Best Regards,

Marc Daelman
Lead Partner Internal Audit Services
Tel: +32 (0)2 710 7159

 

Business continuity

Are you prepared for a major incident (like the Mexican flu)?

Incidents such as the escalating Mexican flu pandemic will test the effectiveness of many organisations’ approaches to business continuity management (BCM). Inadequate preparation, coupled with increased and prolonged levels of absenteeism, will pose an ongoing threat of operational disruption that can lead to severe financial loss and reputational damage. Organisations should review the effectiveness of their arrangements to ensure they are fit for purpose and provide sufficient operational resilience, as well as offering assurance to senior management and other stakeholders that reasonable measures to manage the risk are in place.

When reviewing BCM arrangements, organisations should scrutinise the assumptions made on levels of absenteeism over an extended period and refine their approach accordingly, perhaps with different responses and management strategies according to the severity of prevailing conditions. Pandemic arrangements will need to cover a broad remit of actions and be reflective of the size and nature of the organisation. Some common areas of focus will include the following:

Critical activities

  • Which activities must be maintained and what levels of staff are essential?
  • Who else can cover roles or be trained to do so (be aware of specific requirements in regulated sectors)?
  • Which activities can be de-prioritised as absenteeism rates rise?

IT

  • Is there sufficient remote access, broadband capacity and equipment available to provide home-working capabilities to large numbers of staff?
  • Can the IT department maintain operations with reduced staff over an extended period?
  • Is any training required to familiarise staff with home-working protocols, and will the additional IT security risk of large-scale remote access be controlled?

Incident management structure

  • Are the right people (e.g. Risk and BCM Managers, HR, Communications, IT, Health & Safety etc.) involved in the ongoing management of the impacts of the pandemic, and will they be committed for its duration?
  • Has the team participated in pandemic-focused exercises and simulations?

Supply chain

  • Have critical suppliers and other third-party service providers been engaged to evaluate their pandemic preparedness and plans?
  • Are contingency plans in place to manage supplier default or reduced performance?

Reducing spread of infection

  • Have you made sufficient cleaning facilities or hand-hygiene products available?
  • Are travel policies reflective of the risk?
  • Have policies for flexible working been adapted as appropriate?
  • Are changes to policies defining absenteeism required?

Awareness and communication

  • Are staff aware of how the organisation is responding to the pandemic and how they can help?
  • How is information from external sources captured and used?
  • How is communication and coordination with external parties, e.g. public bodies, media, customers, suppliers, etc. being prepared for and managed?

Contracts

  • What is the treatment of pandemic events under your insurance arrangements, e.g. business interruption insurance, and do they provide indemnity against loss?
  • What is the position for fulfilment of contracts with customers and suppliers during a pandemic?

A pandemic will have a broad range of effects on the global economy and will present organisations with many challenges – some that will be beyond their control, but many that can be met with comprehensive and intelligent business continuity planning.

Organisations that plan for and manage the pandemic well will benefit from increased operational resilience, as well as an enhanced reputation and improved relationships with customers and suppliers. As a result, they should be in a better position to capitalise on opportunities when the pandemic ends.

For more information, please contact Luc Hendrikx.

 

Assurance maps

Can assurance mapping help you derive more value from your Internal Audit function?

None of us will deny that this has been a tough year and times ahead look rather similar. The results of last year’s PwC Internal Audit survey clearly showed that there was a significant increase in the remit of Internal Audit functions, while many are experiencing a shortage of skills and resources.

Something which must be bothering most Heads of Internal Audit, Audit Committees and Boards is how to maintain or even increase the level of assurance provided by Internal Audit functions in these times when costs are under constant pressure. Two of the steps that we have seen used effectively by organisations have been:

  1. A more transparent prioritisation of risks
  2. A better understanding of the roles and scope of the work undertaken by the various assurance providers within an organisation.

These steps enable assurance to be focused on areas which matter most, while also enabling the resources inside and outside of Internal Audit to be utilised most effectively and efficiently. This is, however, more difficult than it looks as most organisations do not have a clearly documented framework showing where assurance comes from.

Herein lies the problem – that in many cases Internal Audit may be asked to look at areas on which there may already be certain levels of assurance being provided by other functions within the organisation (overlaps). Equally there may be significant gaps where there is not enough assurance provided by any other assurance, compliance or controls function. This is where “assurance mapping” can be a very useful exercise.

An assurance map is usually presented in the form of a colour-coded grid that has the key business areas or risks on one side and the various forms or providers of assurance on the other. The colours represent the quality and level of assurance. Once completed, the assurance map offers a platform from which to drive efficiencies and identify important gaps and overlaps.

With sponsorship from management and the Audit Committee, it can be an excellent basis for highlighting the most important issues in an organisation. It is also a sound basis to determine the skill sets that the Internal Audit function really needs.
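The grid described above can be kept as a small structured dataset rather than a slide, so that gaps and overlaps are computed rather than eyeballed. The following is an added example (not from the newsletter or from PwC); the provider names, the risks, the four-point assurance scale and the cell values are all constructed for illustration.

```python
"""Assurance map as data: key risks (rows) x assurance providers (columns).

Added illustration, not from the newsletter. The scale, providers, risks and
cell values below are constructed assumptions:
  0 = no assurance, 1 = limited, 2 = moderate, 3 = substantial.
"""
from typing import Dict, List, Tuple

# Assumed assurance providers, ordered roughly from first to third line of defence.
PROVIDERS = ["Line management", "Compliance", "Risk management",
             "Internal Audit", "External Audit"]

# Constructed map: for each key risk, the level of assurance each provider gives.
ASSURANCE_MAP: Dict[str, List[int]] = {
    "Financial reporting":         [2, 1, 0, 3, 3],
    "IT access management":        [1, 0, 0, 2, 1],
    "Third-party / supply chain":  [1, 0, 1, 0, 0],
    "Pandemic / BCM":              [0, 0, 1, 0, 0],
    "Anti-fraud / whistleblowing": [1, 2, 0, 2, 0],
}


def rag(level: int) -> str:
    """Colour code a cell: R (red) below moderate, A (amber) moderate, G (green) substantial."""
    return "R" if level < 2 else ("A" if level == 2 else "G")


def gaps(amap: Dict[str, List[int]], min_level: int = 2) -> List[str]:
    """Risks where no provider gives at least `min_level` assurance."""
    return [risk for risk, row in amap.items() if max(row) < min_level]


def overlaps(amap: Dict[str, List[int]], level: int = 2,
             max_providers: int = 2) -> List[Tuple[str, List[str]]]:
    """Risks where more than `max_providers` give assurance at `level` or above,
    i.e. candidates for rationalising who does the work."""
    found = []
    for risk, row in amap.items():
        strong = [PROVIDERS[i] for i, v in enumerate(row) if v >= level]
        if len(strong) > max_providers:
            found.append((risk, strong))
    return found


def render(amap: Dict[str, List[int]]) -> str:
    """Text rendering of the colour-coded grid, one line per risk."""
    width = max(len(r) for r in amap)
    header = " " * width + "  " + "  ".join(p[:8].ljust(8) for p in PROVIDERS)
    lines = [header]
    for risk, row in amap.items():
        cells = "  ".join(f"{rag(v)} ({v})".ljust(8) for v in row)
        lines.append(risk.ljust(width) + "  " + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(ASSURANCE_MAP))
    print("Gaps:", gaps(ASSURANCE_MAP))
    print("Overlaps:", overlaps(ASSURANCE_MAP))
```

With the constructed values, the two gaps are the supply-chain and pandemic/BCM risks (no function gives more than limited assurance on them) and the one overlap is financial reporting, where three providers already give moderate or better assurance. Both thresholds are parameters because the right cut-off depends on the risk appetite the Audit Committee has agreed.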

For more information, please contact Marc Daelman.

 

Focusing on fraud

The 2009 PwC Internal Audit survey showed that fraud prevention was within the remit of 60% of those sampled and that 67% anticipated that fraud would be an area of increased focus in the future. When fraud occurs, questions are often asked, fairly or otherwise, as to why the problem was not spotted sooner. So where should Internal Audit focus its attention?

Set out below are some areas to consider:

Accountability

It is vital that there is clarity within the organisation as to where responsibilities lie in relation to fraud, corruption and other integrity risks. What is the role of Internal Audit, other “gatekeeper functions” (such as Compliance, HR, Security and in-house Legal), as well as line management in the prevention, detection and investigation of fraud?

Code of ethics and conduct

Does the organisation have a code of ethics and business conduct that is effective in meeting your needs? How well has this code been communicated to everyone in the organisation? Has there been appropriate use of more-focused training for people in key risk areas? How well are leaders within the organisation showing real leadership on the need to act ethically at all times?

Whistleblower programme

A whistleblower or speak-up programme is recognised as an important part of an anti-fraud strategy. Internal Audit teams may need to consider the effectiveness of their programme compared to others within their industry. How well is the programme managed? Do the current arrangements maximise the likelihood that employees will voice legitimately held concerns?

Risk assessment

How effective is the organisation at identifying and evaluating fraud risks? Are there new threats emerging (for example from legislative changes, business acquisitions, or system or process changes) that will result in different levels of risk? We often find that risk assessments lack detail and are too narrow in focus, reflecting perhaps the fact that the staff involved in the assessments have insufficient experience of fraud or do not have access to relevant information sources and fraud-risk databases.

Detection processes

Are business units, Internal Audit teams or others putting in place procedures (ranging from simple spot checks to more sophisticated data mining) to detect possible fraud? In our experience, a sound detection strategy both increases the likelihood of detecting fraud and creates a deterrent effect. In planning all Internal Audit reviews, is the risk of fraud being properly considered, including the risk of management override of control?
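Two of the simpler data-mining checks referred to above, as an added example that is not part of the newsletter: a duplicate-payment test and a test for invoices split to stay under an approval limit (one common form of circumventing an approval control). The ledger rows, the vendor names and the approval limit are constructed for the illustration.

```python
"""Two detective data-mining checks over a payments ledger.

Added example, not from the newsletter. All records below are constructed;
the single-signature approval limit is an assumption.
  duplicate_payments   - same vendor and amount paid again within a window
  threshold_splitting  - several invoices from one vendor, each just below the
                         approval limit, raised within a few days of each other
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed ledger: (invoice_id, vendor, amount, invoice_date, approver)
LEDGER = [
    ("INV-1001", "Acme NV",        4_900.00, date(2009, 9, 1),   "jdoe"),
    ("INV-1002", "Acme NV",        4_950.00, date(2009, 9, 2),   "jdoe"),
    ("INV-1003", "Acme NV",        4_875.00, date(2009, 9, 3),   "jdoe"),
    ("INV-1004", "Acme NV",        4_990.00, date(2009, 9, 4),   "jdoe"),
    ("INV-1005", "Brussels Print", 1_200.00, date(2009, 9, 5),   "mvdb"),
    ("INV-1006", "Brussels Print", 1_200.00, date(2009, 9, 12),  "mvdb"),
    ("INV-1007", "Brussels Print", 1_200.00, date(2009, 11, 20), "mvdb"),  # same amount, but well outside the window
    ("INV-1008", "Cloud Co",      25_000.00, date(2009, 9, 6),   "cfo"),
]

APPROVAL_LIMIT = 5_000.00  # assumed limit above which a second signature is required


def duplicate_payments(ledger, window_days: int = 30) -> List[Tuple[str, str]]:
    """Pairs of invoices with identical vendor and amount within `window_days`."""
    seen: Dict[Tuple[str, float], List[Tuple[date, str]]] = defaultdict(list)
    hits = []
    for inv, vendor, amount, d, _ in sorted(ledger, key=lambda r: r[3]):
        key = (vendor, round(amount, 2))
        for prev_d, prev_inv in seen[key]:
            if (d - prev_d).days <= window_days:
                hits.append((prev_inv, inv))
        seen[key].append((d, inv))
    return hits


def threshold_splitting(ledger, limit: float = APPROVAL_LIMIT, band: float = 0.10,
                        window_days: int = 7, min_count: int = 3) -> List[dict]:
    """Vendors with at least `min_count` invoices in the band just below `limit`
    (within `band` of it) inside any `window_days` period. Reports the largest run."""
    by_vendor: Dict[str, List[Tuple[date, str, float, str]]] = defaultdict(list)
    for inv, vendor, amount, d, approver in ledger:
        if limit * (1 - band) <= amount < limit:
            by_vendor[vendor].append((d, inv, amount, approver))

    findings = []
    for vendor, rows in by_vendor.items():
        rows.sort()
        best: List[Tuple[date, str, float, str]] = []
        j = 0
        for i in range(len(rows)):          # sliding window over sorted dates
            while rows[i][0] - rows[j][0] > timedelta(days=window_days):
                j += 1
            run = rows[j:i + 1]
            if len(run) >= min_count and len(run) > len(best):
                best = run
        if best:
            findings.append({
                "vendor": vendor,
                "invoices": [r[1] for r in best],
                "total": round(sum(r[2] for r in best), 2),
                "approvers": sorted({r[3] for r in best}),
            })
    return findings


if __name__ == "__main__":
    print("Possible duplicate payments:", duplicate_payments(LEDGER))
    for f in threshold_splitting(LEDGER):
        print(f"Possible split invoicing: {f['vendor']} {f['invoices']} "
              f"total {f['total']:.2f} approved by {f['approvers']}")
```

On the constructed data the duplicate test flags the two Brussels Print invoices a week apart but not the third, later one; the splitting test flags the four Acme invoices, each a little under the limit and all approved by the same person in four days, whose combined value would otherwise have needed a second signature. Both are screening tests: every hit still needs follow-up against the underlying documents before it is called an exception.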

Investigation process

An effective investigation process, underpinned by a clear policy, comprises a number of elements. These include consistent reporting of possible incidents of fraud, evaluation of who should conduct the investigation, sound fraud investigation procedures and effective oversight by those charged with governance. Internal Audit teams may need to consider the effectiveness of the existing investigation process within the organisation and how well it is applied in practice.

Skills and experience

Does the team have the right training in relation to fraud, corruption and other integrity risks? For example, do Internal Audit staff have:

  • Access to information or training on changes in legislation or emerging fraud risks?
  • Relevant skills in relation to data mining to detect fraud?
  • Relevant training for data gathering when conducting a fraud investigation?

For more information, please contact Rudy Hoskens.

 

Controls excellence

Internal Audit’s role in promoting key controls skills

Current market conditions and volatility have exposed weaknesses in control frameworks. But how is this possible in a world where leading global companies see risk management and a sound control environment as an integral part of the way they manage their businesses? What is even more perplexing is that a number of the organisations where these weaknesses are being exposed are the very companies also required to comply with Sarbanes-Oxley (SOX).

It is worth reflecting briefly on the ‘post-Enron and WorldCom’ era. In the first year of SOX the main focus was on achieving SOX compliance. Companies planned to spend the next few years embedding SOX in the business-as-usual activity, and driving process efficiencies.

We expected the process to continue evolving, but instead it has often stood still, with SOX being viewed as a compliance exercise, something companies have to do to get a tick in the box, and not as an integral part of how they achieve their business objectives and drive real value.

How has the downturn affected controls?

When a recession hits, the immediate reaction by organisations is often to cut costs and reduce the focus on non-core and non-revenue-generating activities. Head count reductions cut into, or even eliminate, layers of experienced middle management, and important control functions are frequently impacted by these changes. Long-running frauds or discrepancies may come to light as changes in the level of business activity mean concealment is no longer possible.

Internal Audit’s role in promoting key controls skills

To maximise the benefit that Internal Audit can bring, it must help the organisation to understand that a well controlled business is a sustainable business. It is imperative to focus on achieving strategic objectives through providing assurance that risks are managed and the right controls are in place. Few Internal Audit operations would want to be viewed as compliance functions purely focused on adhering to regulations. The goal is to add broader value and there is plenty of evidence that better controlled organisations are more successful.

Visible control weaknesses are resulting in a pull for greater risk and controls understanding and skills so that this becomes a business enabler and differentiator. With a clear understanding of risk and the appetite for risk within the organisation, managers can take informed strategic decisions that drive value, building in the right controls in the right places across the organisation. Internal Audit should be a leading promoter of this, setting standards for control improvement, optimisation and awareness.

Ensuring that people across the organisation have the right skills and risk and control awareness is a must. Internal Audit departments could not be better placed to support this training need whilst providing ongoing control improvement guidance.

For more information, please contact Stijn Verhulst.

 

Reviewing (corporate) governance

What role can Internal Audit play?

It is clear that governance failures contributed materially to excessive risk-taking in the lead up to the financial crisis. “Weaknesses in risk management, board quality and practice and control of remuneration need to be addressed” concluded a recent study of the governance of UK banks. This is also one of the main topics of the next G20 summit in Pittsburgh. This points out the importance of sound governance practices at the top of the organisation. It also raises the question about who establishes the effectiveness of the Board and its Committees, and what role Internal Audit can play in this context.

The functioning of a company’s Board, Audit Committee or Remuneration Committee is not part of the normal scope of Internal Audit. The main reason is probably that Internal Audit itself obtains its mandate from that same Board. Board or board committee reviews are therefore usually self-evaluations (though these may be facilitated by Internal Audit) or external reviews. In Europe, regulatory requirements currently appear to be evolving towards internally facilitated self-assessments on a yearly basis, combined with an external review every 2 to 3 years and transparent disclosure in the annual report.

However, reviewing governance extends beyond board or board committee reviews. Good governance shows up in various dimensions of the organisation: clear guidance on strategy and risk appetite, clear allocation of accountabilities, transparent reporting up to the board using relevant performance and risk indicators, and so on. All this should be traceable within the organisation, not just at the level of the parent board or its committees but also at the level of relevant subsidiaries, and especially in the domains that are board responsibilities par excellence: strategy and target setting, risk management and remuneration. These are all areas that clearly fall within the internal audit universe, and on which boards and audit committees will be happy to rely on Internal Audit.

For all questions on organisational or board governance and for reviews of board or board committee functioning, contact Ingrid Loos.

 

COBIT – IT assurance guide

Most internal auditors will recognise the importance of reviewing the IT governance and IT processes in their organisation. The IT Governance Institute (“ITGI”, an ISACA body) has issued an IT governance framework as well as guidance on how to use its Control Objectives for Information and related Technology framework (“COBIT”).

COBIT is a framework of best practices for information technology (IT) management and governance. It provides IT managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximising the benefits derived from the use of information technology and in developing appropriate IT governance and control in an organisation.

In 2007, ISACA published an interesting paper titled ‘IT Assurance Guide – Using COBIT’. This detailed guidance explains how COBIT can be used to support assurance-related reviews. The IT Assurance Guide provides guidance on how to plan, scope and perform assurance reviews for each of the IT processes. It also explains how to apply a risk-based approach in the scoping process. Leveraging from the COBIT framework, it contains detailed testing guidance for each IT process and control objective.

Our experience shows that the guidance proves to be very useful for internal and external auditors that are less familiar with IT-related audit work. Although the objective of the guidance is not to provide a detailed audit programme, it does give points of focus that can be used for the preparation and execution of the audit programme.

The IT Assurance Guide also includes an internal control maturity model. The maturity model is a very useful tool for high-level assessments of processes, so that it can be determined which processes need most attention in the assurance programme. In addition, it can be used to summarise the results of your assurance review. We also see that maturity models are starting to be used by organisations for self-assessments. The COBIT framework and the maturity model enable the organisation to execute and report a self-assessment in a structured manner and to assign priorities to the areas where action is most urgent.

PricewaterhouseCoopers Belgium was involved in the design and development of the COBIT framework and in other related activities within ISACA, such as the development of Risk IT (the new IT-related risk management framework). We have also developed our own COBIT-related service offerings, such as our COBIT-based Tr-ICS (Technology related In Control Services) methodology. This methodology and its related tool provide the workflow and technology we use to prioritise the 34 COBIT processes and to analyse the assessments of these IT processes. The assessments are performed at the level of process maturity and control quality, and help us to assist our clients in identifying areas requiring improvement and to advise them on the actions to be taken to increase overall process maturity. The figure below illustrates the high-level workflow of the tool.

For more information please contact Bart Kuipers or Luc Hendrikx.

 

Internal audit round-table meetings

Sharing best-practice ideas is a good, effective way of dealing with the challenges that internal auditors face. For this reason, PwC periodically hosts round-table meetings based on matters the Internal Audit community has raised with us. You are all invited to participate and share your views and experience.

Lunch sessions are held in our Brussels office, where the topics will be introduced and there will be opportunity for discussion with your peers and with us. For further information please visit:

 
