5

Insights for executives

Risk and controls

How can Internal Audit go deeper and help gauge the organizations overall health?
When Gerry Dixon, Ernst & Youngs Global Risk Leader, visited one of his clients recently, he heard a familiar complaint. The CFO knew that his Internal Audit function was doing a good job overall, but it needed to place the information it was giving to members of the C-suite and the Audit Committee in a better context. The internal controls information Internal Audit was providing wasnt enough for the CFO to truly gauge the health of the organization, said Mr. Dixon. He needed to know more than whether a control was passing or failing. He needed to understand how big a risk a failing control was, whether management knew about it and what theyre doing to x it. Senior executives and Audit Committees want more than a one-dimensional view of the tness of controls within their organizations. They want a holistic view that gives them a broad, yet balanced view of the risk and control environment, as well as of any emerging trends. A standard control rating system offers an effective means of communicating important information to senior executives and Audit Committees. However, control ratings alone dont always tell the whole story. Senior executives need to be pushing their Internal Audit function to provide a three-dimensional perspective of internal control ratings.

The answers in this issue are supplied by:

Gerry Dixon Global Risk Leader gerry.dixon@ey.com +1 212 773 7824

Steve Singer Global Internal Audit Leader steven.singer@ey.com +1 513 612 1856

1
1D control environment
finance department

Why the push for an internal control ratings system?

Control ratings, in one form or another, have been around for decades. But with increased attention and regulations like the Sarbanes-Oxley Act, control ratings became more important. Now, in the wake of the recent economic downturn, Audit Committees and executives are placing even more emphasis on having their Internal Audit functions not only identify existing issues, but also anticipate the risks that may be lurking around the corner. Broadly speaking, control ratings offer several distinct benets:

Audited entity 1. Treasury 2. Accounts Payable 3. Shared Services 4. Derivatives 5. Fixed Assets

Satisfactory

Needs improvement

Unsatisfactory

Ability to see the state of the control environment at a glance Benchmarking against which management and the Audit Committee can measure improvement or slippage Identifying trends in the control environment Putting the control rating results in context with the activitys risk prole Recognizing managements awareness of control weaknesses and its proactive remediation of them

Using a single-dimension approach, control ratings can be as simple as pass or fail, or as complex as having ve levels of performance. The more commonly used system applies three rating levels: Satisfactory, Needs improvement and Unsatisfactory. These kinds of ratings enable the Audit Committee to assess the strength of the companys controls. But a rating of unsatisfactory in isolation doesnt let Audit Committee members know how important the businesss activity is within the organization, the levels of risk it may pose or what management may be doing about it.

ey.com/5

What does a three-dimensional control ratings approach consist of?

In a three-dimensional control ratings environment, ratings include: Control rating. This rating assigns a performance level, or grade (Satisfactory, Needs improvement, Unsatisfactory), to the control environment of an auditable entity. It provides a snapshot of the current control environment. However, it doesnt give any insight into managements plans for improvement. Inherent risk. Periodic risk assessments of activities (e.g., business unit, process) focus audit resources on those activities that present the greatest risk to the organization. More recently, some organizations are using cross-functional groups representing Internal Audit, Compliance and Risk Management to get a common view of risks across the company. Inherent risk ratings enable executives, the Audit Committee, management and others to understand and prioritize the risks in the context of the companys overall risk prole. They also help management better understand where to put its resources to strengthen areas of weakness. Management preparedness. Executives often hear complaints from management that it was already aware of and working to resolve many of the issues raised in the audit report. Asking management teams to provide their control issues and improvement efforts during the planning phase of an audit will enable them to receive full credit for their efforts in the audit report. In addition, measuring managements preparedness enables senior executives and the Audit Committee to determine whether management is on top of its business unit, understands its strengths and weaknesses, and is addressing areas in need.

3
3D control environment
Finance department

Why consider a three-dimensional control ratings approach?

More than simply identifying an area in need of improvement, Internal Audit can use three-dimensional ratings to give executives the visibility they seek and help management teams prioritize risk levels, says Jacquie Wagner, a former chief audit executive for three Fortune 500 companies and a current consultant to Ernst & Young. Internal Audit can also give management teams credit for identifying issues and having plans for resolution before the audit. If they arent given credit for identifying issues before Internal Audit enters the picture, they are less likely to raise the problems that they know exist. More often, they keep quiet, hoping that Internal Audit wont nd the issues. Thats not a good strategy. As illustrated below, a three-dimensional rating provides executives and Audit Committees with a broader view of the organization. It also enables them to more effectively prioritize issues based on the entitys inherent risk and awareness by management, rather than solely on the control rating. For example: Though Treasury (No. 1) has a high inherent risk, it also has high management preparedness and receives a control rating of Satisfactory. Derivatives (No. 4) received a control rating of Needs improvement, has a high inherent risk, and low management preparedness. Executives can now make an informed decision to give Derivatives a higher priority for resolution than even Shared Services Centers (No. 3) which received an Unsatisfactory control rating and has low management preparedness, but also has lower inherent risk. Accounts Payable (No. 2), which in a 1D control environment appeared to management of equal importance in priority due to its shared Needs improvement control rating, can now be more clearly prioritized below Derivatives, given Accounts Payables much higher level of management preparedness.

ey.com/5

What needs to happen to make it work?

For a three-dimensional control ratings approach to be successful, executives will need to take a tone-from-the-top approach. Theyll need to articulate the need for Internal Audit to develop the approach. And theyll have to encourage management buy-in. Getting managements support for three-dimensional control ratings is not an easy process, given the skepticism management can have for Internal Audit, acknowledges Steve Singer, Global Internal Audit Leader. Executives need to change managements view that working with Internal Audit doesnt need to be adversarial. In fact, there are three simple, collaborative steps to take: Senior executives should recommend adding management preparedness into Internal Audits formal planning process. Before an audit, Internal Audit should ask management to formally state where it has identied control weaknesses, the plan it has developed to deal with them, the date it expects to complete the improvements, and who has responsibility for making sure the improvements happen. During the audit, Internal Audit may nd deciencies that management doesnt know about. For those issues that management does know about, Internal Audit can acknowledge them as part of its tracking process and give management due credit. For their part, management teams need to understand that its not about exposing what they dont know. Its about giving them credit in areas where they have identied issues and developed a plan to resolve them.

Whats the bottom line?

The economy may be well along the road to recovery, but executives continue to challenge their Internal Audit function to deliver results that make the business work better, smarter and faster. In a recent survey Forbes Insights conducted on behalf of Ernst & Young, 74% of respondents believed that there was room for improvement, and nearly every respondent believed that improvements should occur within the next 12 to 24 months. Introducing a three-dimensional control ratings process as part of an Internal Audit transformation will enable executives and the Audit Committee to gain a broader, more balanced perspective of the health of their organization. It will also help Internal Audit to more effectively plan audits in the future, prioritizing efforts based not only on an audited entitys previous control rating, but also on its inherent risk to the organization. As well, a three-dimensional control ratings system can open the lines of communication between Internal Audit and management. More collaborative relationships, built on respect and trust, result in greater transparency and operational efciency across all levels of the organization.

ey.com/5

Visit ey.com/5
The key to improved business performance
Unlocking the value of Internal Audit

Unlocking the strategic value of Internal Audit

Three steps to transformation

Internal Audit global cosourcing

A case study with commentary

Internal Audit global cosourcing: a case study with commentary A panel of four Ernst & Young professionals examines the differing viewpoints and comments on the hypothetical situations facing the officers of the global XYZ Technology Group.

The key to improved business performance: unlocking the value of Internal Audit Executives are looking to Internal Audit to help deliver a more sustainable, efficient and effective function. Learn how Ernst & Young can help.

Unlocking the strategic value of Internal Audit: three steps to transformation Internal Audit can play an essential advisory role within the organization capable of providing key insights that enable the business to focus on the risks that matter.

Ernst & Young Assurance | Tax | Transactions | Advisory

We want to hear from you! Please let us know if there are subjects you would like 5: Insights for executives to cover. You can contact us at: fiveseries.team@ey.com

About Ernst & Young Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com. About Ernst & Youngs Advisory Services The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 20,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. Its how Ernst & Young makes a difference. 2011 EYGM Limited. All Rights Reserved. EYG No. BT0088 (Supersedes EYG No. BT0082)
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.