Synergy of Internal Audit and Risk

Management for better Governance

Norman Marks
Evangelist and Mentor
People are changing
 IBM 2012 Global CEO Study

• For the first time [since 2004], technology now

tops the list of external forces impacting
organizations.
• Above any other external factor — even the
economy — CEOs expect technology to drive
the most change in their organizations over
the next three to five years.
 Big Data
• 2 billion gigabytes of data created every day in
2012
• “More data crosses the internet every second
than were stored in the entire network 20
years ago”
• Walmart collects >2.5 petabytes of data every
hour from its customer transactions
Harvard Business Review, October 2012
 McKinsey Global Institute

We are on the cusp of a tremendous wave of

innovation, productivity, and growth, as well
as new modes of competition and value
capture—all driven by big data as
consumers, companies, and economic
sectors exploit its potential.
Turbulent times
 What is changing?

 People’s expectations for technology

 Decision-making
 Business products and services
 Business processes
 Controls and risks
 Risk Management and Auditing?
 Risk Management Change

• Recognize risk in every decision

• Decisions constantly change risks
• Monitor and manage risk continuously
• Manage risk at the speed of the business
 Internal Audit Change
• We must be relevant
• Provide assurance on what matters
• Provide assurance when it matters
• Help the organization succeed
• Partner with risk management
Auditors need to change!
“The problem is never how to get new,
innovative thoughts into your mind,
but how to get the old ones
out.”
Dee Hock
Management and board members
are not aligned on their perception
of internal audit’s value and
performance, and it appears as if
board members may be settling for
too little
What is our job?

Is it to perform audits?
Is this a high quality IA function?
Metric Achievement
Percentage of audit plan completed 98%
Number of audit findings Up 10%
Recommendations accepted and implemented 90%
Auditee survey results (average from 0 to 5) 4.3
Cost savings (duplicate payments, vendor overcharges) $3,000,000
Internal audit budget 2% below budget
IIA Quality Assurance Review Generally complies
 Company failed
 Internal audit failed
 Focused on audits of controls and adding value
 Forgot about assurance on major risks
 Was internal audit irrelevant?
 Has internal audit become
irrelevant?
Walker Review of Corporate Governance of UK
Banking Industry, November 2009

 Didn’t mention internal audit

 We were not blamed – why not?
 Has internal audit become
irrelevant?
Financial Crisis Inquiry Commission (US), January
2011

 3 mentions of internal audit in 633 page report

 We were not blamed – why not?
What is our job?

Is it to perform audits?
Internal auditing is an independent,
objective assurance and consulting activity
designed to add value and improve an
organization’s operations. It helps an
organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control and governance
processes.
Assurance = peace of mind
Consulting = make a difference
 Is this peace of mind?
Metric Achievement
Percentage of audit plan completed 98%
Number of audit findings Up 10%
Recommendations accepted and implemented 90%
Auditee survey results (average from 0 to 5) 4.3
Cost savings (duplicate payments, vendor overcharges) $3,000,000
Internal audit budget 2% below budget
IIA Quality Assurance Review Generally complies
What is Assurance? Peace of Mind
What is Assurance?
 This is peace of mind
To: Chair, Audit Committee
From: Head of Internal Audit
Annual Internal Audit Report
We have completed the internal audit plan, which was designed to
address the more significant risks to the organization….
In our opinion, based on the work performed, the systems of
governance, risk management, and internal controls system
provide reasonable assurance that the more significant risks are
managed within organizational tolerances.
Patty Miller, IIA Chair 2008–2009
Historic Internal Mainstream Internal Cutting Edge
Audit Audit Audit
Audit entities based Prioritize audit entities Focus on strategic, business
Focus
on rotational plan based on risk and process risk

Perspective Historic Historic Future

Style Corporate police Father knows best Consultant and advisor

Compliance with policies Assurance on financial

Mandate Business assurance
and procedures control, compliance

Risk Focus Financial Financial plus Enterprise risks

Compliance work Audit work programs for Risk frameworks,

Toolkit
programs key processes / controls self-assessments
Automated testing and
Technology None Automated workpapers
continuous monitoring
Assurance; key audit Proactive risk management;
Results Small “findings”
entities dynamic reporting

32
“… expectations have risen, and all internal
audit functions need to rise to this new
floor: providing assurance on a broader
range of critical risks and clearly
communicating deeper insights.”
RELEVANT
PROVIDE ASSURANCE
THAT MATTERS
PROVIDE ASSURANCE
ON WHAT MATTERS
PROVIDE ASSURANCE
ON WHAT MATTERS
NOW!
PROVIDE ASSURANCE
NOW
ON WHAT MATTERS
NOW!
Can you help the business manage
at speed?
 The greatest danger for most of us
is not that our aim is too high and
we miss it,

but that it is too low and we reach

it.
Michelangelo
 1) Turn ignition key.
2) Shift into drive.
3) Press foot firmly on the throat
of mediocrity.
Mercedes ad
 Thank You!
Norman Marks nmarks2@yahoo.com
Evangelist and Mentor http://www.theiia.org/blogs/marks/
http://normanmarks.wordpress.com/
Twitter: @normanmarks