New Assurance Challenges Facing Chief Audit Executives
www.qfinance.com
by Simon D'Arcy
Executive Summary
• Internal audit’s raison d’être is to provide assurance on the effectiveness of the management and control of significant risks.
• Assurance can only ever be reasonable but not absolute—continuing corporate failure due to inadequate risk management and control challenges the value of such reasonable assurance.
• Chief audit executives can use objective criteria to demonstrate the integrity of their reasonable assurance propositions.
• Objective criteria include completeness, frequency, future orientation, explicitness, objectivity, and subject matter knowledge.
• A key challenge for CAEs is that of a shift of mindset away from just doing audits, to auditing actually providing assurance of demonstrable integrity.
Introduction
Looking back over the last 15 to 20 years, it does seem that at one time the biggest challenge facing the
profession of internal auditing was whether the unique scope and contribution of internal audit was clearly
defined, understood, or indeed actually needed. Much of the thought leadership around internal auditing in
recent years has focused on this challenge. Two publications by PricewaterhouseCoopers in 2007,[1] and a
heads of internal audit summit “The Future of Internal Auditing Starts Here” in May 2008[2] jointly facilitated by
the Institute of Internal Auditors and Deloitte, have all concluded that internal audit’s primary role is clearly
to provide assurance on the effectiveness of risk management. In fact, in many organizations internal audit
already clearly does this, as demonstrated in Protiviti’s June 2007 publication Internal Auditing Around
the World.[3]
It is clear—and has been since Turnbull (1999),[4] if not before—that boards have a duty to get
themselves assured on the effectiveness of their systems of internal control. There is no doubt that chief
audit executives see that their raison d’être is to provide such assurance, and many will claim, with some
justification, that they have provided and will continue to provide this assurance. Therefore, on the face of it,
CAEs have responded to their most fundamental challenge.
The Problem with Assurance
If Turnbull (1999) marks the turning point in corporate governance, it has nevertheless not marked a
turning point in the steady stream of corporate failures and disasters, which are often due to ineffective risk
management and control. The role of internal audit in these scenarios has been, if not quite exonerated, then
at least found not liable, by virtue of one of the basic precepts of internal audit assurance—that it can only
ever be reasonable and not absolute.
However, with the market turmoil of 2007 and 2008, the steady stream of failures has become a torrent
of biblical proportions—initially, at the time of writing (September 2008), sweeping away the foundations
of some major global financial institutions and likely to spread to other sectors as systemic market and
recessionary risks crystallize. Accompanying the unfolding disasters is a damning commentary from
governments and media on the hopelessly inadequate risk assessment and management capability of those
corporates. The spotlight has been on the managers of risk and the attitude of senior executives to the
assessment and management of risk. However, it will not be long before the spotlight moves toward the
assurers of the effectiveness of risk management, and whether those assurers were in any way culpable.
Rightly or wrongly, many will assume that reasonable assurance from internal audit should have identified
and reported on the inadequacies of the risk management process, or at least been capable of doing so.
There is now a new challenge facing CAEs—that they are able to demonstrate that their assurance
propositions have integrity and can withstand scrutiny against some key criteria. Internal audit assurance
involves judgment, and there is an inherent imperfection in a process that relies on judgment. However, there
is a difference between an omission or oversight based on accepted fallibility, and one where the scope of
assurance was too narrow, where assurance conclusions lacked clarity, or were delivered too infrequently,
or where work undertaken lacked sufficient knowledge or objectivity. Assurance delivered on the basis of a
flawed proposition is indeed unreasonable assurance.
Therefore, in rising to meet that challenge, CAEs have been aspiring to create assurance propositions that
are:
• Complete: They cover all significant risks.
• Frequent: They provide assurance with sufficient frequency.
• Explicit: They give assurance outcomes that are clear and unambiguous.
• Future-oriented: They offer assurance that controls will continue to be effective in the future, not just that they have been effective in the past.
• Objective: They provide objective assurance based on sound knowledge.
Demonstrating the Integrity of Assurance in a Post-Credit-Crunch World
Most CAEs I have spoken with on the topic are in agreement that the above are valid criteria against which
to assess assurance to demonstrate that the assurance given has integrity. However, there is no formulaic
result or correct answer that the assessment should derive. Some CAEs are quite clear that their current
risk-based methodologies score quite favorably in the assessment. The following is an amalgam of my own
thoughts, assessments, and actual solutions, developed across four financial services organizations in the
past decade in trying to respond to the challenge.
Completeness
First, were all significant risks in scope for my internal audit function? How sympathetic would or should
a stakeholder be if the explanation was “sorry, out of scope” for not providing any assurance coverage
on a significant risk area where a major issue had arisen? The default position is for “everything” to be in
scope, because that is where assurance adds the most value. However, my experience is that “everything”
means different things to different people, and it still leads to mismatches between expected assurance
coverage and actual audit coverage. The cry of “where were the auditors?” when something goes wrong
is less rhetorical and more actual than you might imagine. It served my function to define “everything” up
front, rather than have to explain omissions retrospectively. This is becoming even more sensible in an
environment where many point to the least tangible risk areas, such as strategy, sustainability, and culture,
as those where assurance is most needed. (In fact, many respected observers are pointing to poor culture
and behavior as being what has led to the economic meltdown, rather than policy or process failure.) If
something is going to be agreed as out of scope, it is better to be in a position to have clearly defined and
agreed it, even if by doing so you are reducing the value of your assurance proposition.
Figure 1. The assurance spectrum
The best method I have found for creating an assurance universe, and to use as a basis for an assurance
contract with the organization, is to list the significant risks (there are normally around 20, and such a list
is often referred to as a risk map or significant risk register) as recognized and agreed by the board. What
is clear is that the significant risk register must include all financial, strategic, and operational risks as a
minimum, including liquidity and sustainability risks. The internal audit profession is now turning its attention
to the new paradigm risks that have been made painfully clear by the credit crunch—systemic/globalization
risk, behavioral risks, and supply chain risks.
Frequency
The Combined Code on Corporate Governance, which sets the rules for FTSE-listed companies and is
also recognized as a benchmark by nonlisted and public sector companies in the United Kingdom, implies
a minimum annual assessment of the effectiveness of internal control (as a proxy for the effectiveness of
management of significant risks).
However, a once-a-year assessment—even if it is about all the risks—does not appear to be frequent
enough. The organizations for which I have worked have generally used a very compelling risk-based
approach that prioritizes the assurance requirement over three years. But with this scenario it seemed to me
that even a once-a-year assessment can only cover one-third of the assurance requirement (accepting that
it would always include the highest-priority areas). I have posed the frequency question many times to senior
managers, board members, and audit committee chairs. Their answer tends to be in the negative—i.e., it
would be unreasonable that a major risk management breakdown should go unnoticed by internal audit until
it was too late because the CAE’s view of that risk was out of date, because it had not been looked at for six
months or more, and was not due to be looked at again for another six months or more.
In fact, the best frequency would be if CAEs were in a position to provide a complete opinion all of the
time. Logistical and practical constraints make this impossible. However, I have been able to produce
more frequent assessments by focusing on each of the risk categories for which assurance is required and
creating a strategy for delivering the outputs that I need so that I can stand in front of an audit committee
once a quarter and deliver conclusions that have demonstrable integrity. Such strategies comprise
combinations of continuous assessment techniques, ongoing reviews, and revisions of conclusions
previously arrived at, as well as baseline assessments.
Reviews and Assessments
Baseline reviews are undertaken where management of the risk is relatively stable. These are time-framed,
in-depth reviews of established controls and processes. The conclusions from such reviews may have a long
shelf life and, if stability continues, may only need a light refresh to remain valid.
Continuous assessments involve regular or continuous reviews of a range of information and activity that
indicate whether controls are operating as intended. They are used where conclusions have previously been
established but more certainty is required to ensure that those conclusions remain valid between baseline
reviews. They include a review of the output of other risk and control functions—for example, compliance.
Ongoing reviews are used where projects and other business initiatives may bring changes to the risk and
control framework and reduce the value of reviewing preexisting processes and controls, or where control
environments are unstable/immature and action is being undertaken to establish or remediate controls.
Orientation
In thinking about the frequency challenge, I also started to think about the orientation of assurance. By
orientation, I mean whether the assurance is just focused retrospectively, on things that have happened
in the past, or whether it can and should look to the future. The Combined Code implies that the annual
assessment will be a retrospective view of the previous year, much like the external auditor’s opinion on
the financial statements. However, in much the same way as external auditors consider the going concern
aspects of firms, it seemed to me that my conclusions should have some element of future proofing.
Again, I considered the value of assurance that was anchored in the past (especially when it could refer to
an event as long as 364 days in the past). If a risk had already crystallized, any assurance was old news
and irrelevant. If controls were effective, for how long would they continue to be effective? I felt that my
assurance would be more reasonable if I could “future proof” it.
But how much future proofing can and should be given? I achieved this by attaching a shelf life to quarterly
conclusions. This is a concept where I vary how long my assurance conclusions are likely to remain valid,
depending on certain broad criteria. For example, if the control environment is either currently unstable or
will be subject to some major change in the near future, the validity of any conclusions will be short-lived. If
the area is stable and likely to remain so, then a long shelf life can be given—and easily refreshed using the
continuous assessment technique. In the organizations where I have employed this approach, in any set of
quarterly conclusions the shelf lives given have varied considerably across risk categories. In fact, the more
I have used this approach, the more I find that the fact that an explicit view on shelf life has been given has
become as important as the actual length of time which is stated.
Explicitness
The requirement (by boards) for CAEs to give opinions on the effectiveness of the system of internal control
and risk management is one of the biggest areas of debate and challenge facing the profession at the
moment. Because of the legal implications of opinions, many CAEs will not give them, and will only report
issues as they arise. Some CAEs who are prepared to give opinions do so without much thought of the
consequences, or do so in the vein of “everything is effective apart from the following issues.”
Setting aside the legal status argument, in my experience such approaches are potentially flawed. The
default position of the recipients of assurance is one of assuming that all other controls and risk management
activities across the enterprise are effective and will continue to be so, unless they have specifically
been told otherwise. Unless that was truly the intended message, the assurance that is being provided is
misleading. That is why I have worked on providing separate conclusions (as opposed to opinions, to avoid
the legal connotation) for each significant risk category (and sometimes at a risk subcategory level) each
quarter. My preference has been to go for a binary conclusion, where “this risk is effectively managed” is
signaled by a green symbol, and “this risk is not effectively managed” is represented by a red one.
For a “green” conclusion nothing further is required in the way of explanation other than an indicator of the
breadth and depth of coverage used to reach the conclusion. For a “red” conclusion the list of supporting
issues, as well as the reliability indicator, are described.
My experience is that the binary approach is a step too far for some, so I have also employed a three-level
and a four-level approach, where the conclusions range from “well controlled,” through “acceptable level of
control” and “controls require improvement,” to “insufficient control.” The point is that it is the explicitness of
the conclusion (at the level of significant risk) and the reliability indicator which provide the assurance that
is intended, rather than the summary of issues reported. The approach encourages much greater challenge
and scrutiny—but I have found that to be a good thing.
Objectivity and Subject Matter Expertise
These are not new concepts or challenges for CAEs, but the challenge is to rethink them in the framework
of the new assurance paradigm. Many cite independence of opinion as an end in itself, but it is only valuable
if it enhances objectivity. After all, in any walk of life, not just in internal audit, we tend to be more convinced
by the conclusion of someone who has no vested interest in what that conclusion is. Similarly, we tend to be
more convinced by a conclusion if it is given by someone who really knows the subject to which it relates.
Therefore, regardless of the completeness, frequency, future orientation, or explicitness of a conclusion, it
can only provide reasonable assurance if we have confidence in the objectivity and expertise in the subject
matter of the person giving it. Therein lies the challenge, as sometimes one element can only increase at
the expense of another. In meeting this challenge, I have found that it is the recognition of the dynamic
relationship between objectivity and subject matter expertise which allows dynamic management of it.
Conclusion
In common with many disciplines, the challenge for CAEs is not one of technique or technical development,
but one of focus. In many ways, the biggest challenge is one of a shift of mindset away from planning to
deliver some audits, toward planning to deliver an assurance outcome of demonstrable integrity. However,
I believe it is a challenge that must be met, so that assurers have a stronger chance of helping their
organizations to avoid corporate calamity due to risk management and control failure.
Making It Happen
• It is most important that you have a solid anchor or hook on which to hang your assurance. Ideally this should be the board-defined risk exposures. If your organization does not have these, help your organization to define them.
• It will take several quarters to build rhythm and momentum, and up to 18 months to achieve a baseline assurance for all of the risks of equivalent requisite quality.
• If you already know something, and are confident in that knowledge, do not waste valuable resources on proving something you already know. Reliable knowledge, however gained, contributes to your assurance.
• If you set off down this path, there will be many naysayers. They will challenge whether you can realistically deliver all the work that is necessary, claiming that you can only scratch the surface. Stay focused. The best way to convince naysayers is with the outputs and outcomes. The number of audit man-days has always been, and always will be, an input measure, and is no guide to whether good, bad, or indifferent assurance is produced.
• Less—in terms of number of issues—is definitely more. The number of audit issues in any one organization should genuinely reflect the competence of risk management and not the number of auditors.
• You will need to spend as much—if not more—time converting your own people to the cause. Old habits die hard. The only way to do this is to be persistent and unwavering in your assurance strategy. Be prepared to repeat…and repeat and repeat.
• Make use of early converts and use them shamelessly to help spread the message.
More Info
Periodicals:
• Internal Auditing, monthly magazine of the Institute of Internal Auditors UK and Ireland: www.iia.org.uk/en/Publications/IA_and_BR_Magazine
• Internal Auditor, monthly periodical of the IIA, Florida: www.theiia.org/intauditor
Articles:
• Chambers, Andrew. “The board’s black hole—Filling their assurance vacuum: Can internal audit rise to the challenge?” Measuring Business Excellence 12:1 (2008): 47–63.
• D’Arcy, Simon. “Bubble trouble—The wrong attitudes to risk.” Mortgage Finance Gazette (February 4, 2009). Online at: www.mfgonline.co.uk/article/Bubble-trouble-the-wrong-attitudes-to-risk-228895.html
• Perry, Michelle. “Weathering the storm.” Financial Services Review (May 2008): 10–12. Online at: tinyurl.com/djcazk
• Piper, Arthur. “A matter of opinion.” Interview with Alec Richmond, then President of IIA UK and Ireland. Internal Auditor (June 1, 2007). Online at: www.thefreelibrary.com/Internal+Auditor/2007/June/1-p5634
Report:
• Turnbull, N. “Internal control: Guidance for directors on the Combined Code.” The Institute of Chartered Accountants in England and Wales, September 1999.
Notes
1 PricewaterhouseCoopers (PwC), “Internal audit 2012: A study examining the future of internal auditing and the potential decline of a controls-centric approach.” PwC (2007); also “State of the internal audit profession study: Pressures build for continual focus on risk.” PwC (2007). Both downloadable from www.pwc.com (search on titles).
2 Institute of Internal Auditors (UK and Ireland) in association with Deloitte, “Towards a blueprint for the internal audit profession.” London: IIA (2008). Online from: www.iia.org.uk.
3 Protiviti, Internal Auditing Around the World. Four volumes published between 2005 and 2008 with profiles of internal audit functions at leading international organizations. The series tells the stories of 16 successful internal audit functions and examines common denominators that separate these leaders from their peers. Available from the Protiviti website: www.knowledgeleader.com.
4 Internal Control: Guidance for Directors on the Combined Code (the Turnbull Guidance) was originally published by the Institute of Chartered Accountants in England and Wales in 1999 and was followed by a number of subsequent revisions.
To see this article on-line, please visit
http://www.qfinance.com/auditing-best-practice/new-assurance-challenges-facing-chief-audit-executives?full