Internal Audit in brief

Welcome to the fourth edition of Internal Audit In Brief. In this issue we address the following topics:

 

Finance function effectiveness

Executives, the Board and Heads of Internal Audit now want to understand not only how the business is mitigating risk, but also how well they are performing and how improvements can be made.

Most Boards and Audit Committees are looking to their Internal Audit teams to provide more value and avoid non-value-adding tasks. When considering performing reviews of back office functions (e.g. Finance), most Finance Executives, Chief Executives, Boards and Heads of Internal Audit now want to understand not only how the business is mitigating risk, but how well they are performing and how to make improvements.

The assurance over a function's performance that is needed to manage the business and pursue strategic objectives with confidence should not only consider internal activity, but also take a view of what top performers are achieving and how they are doing this. So how would Internal Audit review a Finance Function's performance?

Some important areas to consider:

How do you frame the analysis? 
The analysis needs to combine a qualitative assessment and comparative metrics across the dimensions of delivery of the back office function. The PwC Finance Function Assessment uses the following dimensions:

  1. Business insight: How do you align Finance with the business to provide an effective performance management and challenge mechanism?
  2. Efficiency: What initiatives could you undertake to improve the efficiency and effectiveness of the finance processes?
  3. Compliance and control: How do you ensure you have the appropriate balance of robust controls without constraining the business?

Many audits have to dedicate significant amounts of valuable time and resources focusing on compliance and control whilst opportunities to provide insight and improve the performance of the function, and therefore highlight the further value Internal Audit can add, are missed.

What approaches are available to assess Finance Function performance?

  1. A baseline of data with external comparators (benchmarking) – The mapping of the size, shape and performance of the Finance Function to common process definitions allows benchmarking against organisations of similar complexity. The benchmarks help identify opportunities for performance improvement;
  2. Voice of the Customer Survey – A survey requesting feedback from Finance's customers, i.e. those around the business who use, or interact with, Finance;
  3. Executive Interviews – Perceptions and suggestions from all C-Suite executives on the activity and performance they require from Finance.

How could the output of an assessment benefit Internal Audit and the organisation?

Helping the Finance Function improve their performance can ensure Internal Audit is seen as a true "business partner". The assessments will help Internal Audit provide a framework to support Executive strategic discussions and allow Internal Audit to monitor the business continuously. The output would demonstrate to the Audit Committee, and the Functional Directors, that Internal Audit are focusing on the real "value add" by providing:

  1. A high-value, strategic analysis focussing on the data as fact-based evidence;
  2. Customer feedback and executive perspectives – reinforcing and supporting the results;
  3. Feedback including both internal divisional and external peer group comparisons;
  4. High-level set of recommendations to help make sustainable progress toward your future vision for Finance.

For organisations undergoing significant change in their Finance Function, what has resonated is the concept of a robust baseline, and a framework of measures to manage change.

When should a Finance Function review be included in the Internal Audit Plan?

  1. A new CEO or new CFO is appointed;
  2. There is pressure to reduce costs but the Finance team don't know where to start;
  3. There is a requirement to better align Finance with the business, or management want to improve Management Information;
  4. Transformation of Finance or the business is planned/underway;
  5. Significant change to the business (i.e. merger or divestment).

For more information, please contact Marc Daelman.

 

Fraud isn't going away and no industry is immune

How prevalent is fraud? What is its real damage? Who perpetrates it? What are the most common problem areas? Are there really any effective ways of mitigating the risk?

The IIA released new guidance for Internal Auditors on this topic in December 2009, and PwC has released its fifth Global Economic Crime Survey, for which we have results at global and Belgian level.

The survey is based on interviews with senior representatives of 3,037 companies in 55 countries - 62 of these being in Belgium. The survey addresses fraud and its associated integrity risks in a period of economic downturn, unprecedented in our working lifetime. The survey looks at the root causes of economic crime, and the way in which it affects businesses.

Our Belgian Survey has found that:

  1. There has been a steep increase in bribery and corruption in the past 12 months. Globally though, there has been a slight decline in this area;
  2. The crisis has an impact on fraudulent behaviour. 53% of respondents who reported fraud believed that there had been an increase in the level of economic crime compared to 12 months ago;
  3. Over 24% of the Belgian companies surveyed have been faced with one or more significant cases of economic crime during the past 12 months.

Copies are available via: http://www.pwc.com/be/en/publications/2009-Economic-Crime-Survey.jhtml

In many companies internal audit plays a key role in raising awareness, detecting fraud and acting on cases identified. The IIA has released new guidance on the topic which can be found on the IIA's website: http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/internal-auditing-and-fraud-1/

For more information, please contact Rudy Hoskens.

 

Banking banana skins 2010

PwC is delighted to share the 13th Banking Banana Skins Survey produced by the Centre for the Study of Financial Innovation (CSFI). This Survey, aimed at senior executives in the banking industry, identifies high-level issues where the banking industry may be vulnerable.

Banking Banana Skins 2010, sponsored by PwC, puts together a league table identifying potential sources of risks to banks and ranks them by severity. This year's survey is based on over 400 responses from 49 countries.

With political interference as this year's top risk and too much regulation at number three, the concern is that the financial crisis has taken the banking industry's future out of its own hands. The dash by governments to rescue their banks from disaster may have staved off a collapse of the system, but it has left attitudes to the banking industry deeply politicized. A proportionate response is now needed to avoid damaging the banks' long term capacity to return public funds and enable them to play their essential role in the wider economy effectively.

To download the publication, please click on the following link: http://www.pwc.com/gx/en/banking-capital-markets/banana-skins/assets/banking-banana-skins-2010.pdf

For more information, please contact Roland Jeanquart.

 

Climate change – A key risk to performance that demands assurance

As a strategic, regulatory and/or performance issue, climate change has become a major boardroom discussion point and Internal Audit has a key role to play.

Climate change is now established as a key political, public and corporate issue. The 15th United Nations Climate Change Conference (COP15), which took place in Copenhagen in December 2009, the work of regulators, and initiatives like the Carbon Disclosure Project reflect its rising importance and significance to public and private organisations. As a strategic, regulatory and/or performance issue, climate change has become a major boardroom discussion point.

Creating a well-defined plan

The business implications of climate change are broad, yet they can prove to have a positive outcome for your organisation with a proactive, well-defined response plan. A well designed response – one that is integrated with the corporate strategy, operational and management processes – can improve your organisation's ability to adapt to emerging risks, operate efficiently, perform well, engage stakeholders and enhance the value of your brand.

Although there is no clear or easy way to anticipate all emerging risks and their magnitude, climate-related risks can be considered under two categories:

First-order risks relate to direct and geophysical impacts on a business which have the potential to directly affect business continuity. They will most likely affect physical assets and operational activities. For example, power generation companies may face costs for physical asset protection.

Second-order risks relate to indirect impacts and responses by internal and external stakeholders and competitors. These risks have the potential to impact access to capital, market legitimacy and overall reputation. For example, manufacturers face increasing raw material prices, transparency on carbon impact becoming a condition of supply agreements, and publicly available carbon intensity league tables.

Both categories of risk have the potential to affect short- and long-term financial performance and profitability if they are not sufficiently mitigated.

Reporting and disclosure

The most commonly adopted guidance on greenhouse gas emissions reporting is the World Resources Institute's Greenhouse Gas Protocol. As various other regulatory standards are emerging, and current carbon-related reporting is variable in its quality and content, the demand for more transparent and accurate information is growing. From within the organisation, it is important that appropriate steps are taken to ensure that the proper processes and controls are in place to cover these new streams of information.

The role of the Internal Auditor

Leading organisations are setting strategic and performance goals in response to climate change and undertaking more detailed risk analysis. With new and emerging regulations, extra supply chain demands and resulting financial implications, organisations have to be prepared.

Internal Audit has a key role to play in providing appropriate risk oversight and monitoring of your organisation's strategic objectives and plans as well as the operation of business processes, systems and controls. Internal Audit should work collaboratively with all stakeholders to realign audit coverage to focus on the processes that are critical to delivering and reporting performance. For example, Internal Audit can:

  1. Facilitate an assessment of first- and second-order risks to the business;
  2. Test the response to key first- and second-order risks;
  3. Review the integration of climate change response into core business processes;
  4. Test readiness and response to the requirements of the Carbon Reduction Commitment (including financial impacts);
  5. Ensure proper protection through insurance for potential risk areas that may result from climate change;
  6. Review vendors' and suppliers' adherence to contract requirements;
  7. Review controls around any internal carbon trading mechanisms;
  8. Ensure systems, processes and controls facilitate readiness for third-party assurance of greenhouse gas emissions.

For more information, please contact Ilse Moens.

 

Internet Security – a key strategic risk

PwC's Global IT Security Survey demonstrates the elevated importance of internet security with the Board.

The 2010 PwC Global Information Security Survey showed that 67% of Chief Information Officers say the increased risk environment has elevated the importance of internet security with the Board. 77% said the increasingly tangled web of regulations and industry standards has added to the sense of urgency to tackle internet security.

Set out below are some of the key areas that Internal Audit should consider:

Understanding your risks

The internet has made it possible for organisations to quickly expand their ability to do business across many different countries, cultures and continents, and with relative ease.

But the same technologies and techniques that make it easy for organisations to have this global reach are also available to criminals, who are getting smarter at figuring out ways to abuse brands, steal data for their own profit and do so by hiding behind the anonymity of the internet.

Given that the internet is becoming ever more complex and dynamic, combined with readily available, low cost and plentiful hacking tools, the internet is an attractive place for criminals to operate.

Business impact

Security threats hurt sales, reduce overall consumer trust and dilute the brand equity that an organisation has carefully built over the years. Within just a few days or weeks, with some well-timed attacks, your business could be left feeling the pain – from an operational, reputational and financial perspective.

Typical defence programmes

In the past, organisations have tried to protect their brands and data through methods such as perimeter firewalls, intrusion detection systems or by setting up monitoring alerts on key systems.

But given the added sophistication of the internet, and for many organisations its critical strategic importance, it is essential to set up a solid business protection strategy that takes a more holistic and technological approach to controlling brands, data and intellectual property.

Business protection strategy

The ideal brand and business protection program should be a co-ordinated, cross-departmental and automated approach that goes beyond just the IT, Internal Audit and legal departments – it must also involve brand management, marketing, loss prevention, risk and supply chain management.

This business protection scheme also needs to be more proactive, whereby departments are able to:

  1. Track down abusers;
  2. Identify emerging threats before they become real problems;
  3. Anticipate reputational risks;
  4. Protect data confidentiality;
  5. Divert site traffic and its associated click stream and revenue when necessary.

The following core objectives must be considered:

  1. Strategic alignment with the business;
  2. Value delivery of security;
  3. Proactive security risk management;
  4. Effective resource management;
  5. Monitoring of potential risks and alerts;
  6. Performance measurement of security.

For more information, please contact Marc Sel.

 

Maximizing Internal Audit: A 10-step imperative for thriving in a challenging economy

In today's challenging business environment, maximizing internal audit is an imperative.

This PwC paper outlines an approach to maximizing internal audit resources to illuminate issues in an organisation and to reposition internal audit as a key factor in a broad range of significant governance, strategic, financial and operational risk, and compliance issues.

To download the brochure, click on the following link: http://www.pwc.com/en_US/us/internal-audit/assets/maximizing-internal-audit.pdf

For more information, please contact Marc Daelman.

 

Global Internal Audit Survey

Thank you to those of you who took the time to complete our Global Internal Audit Survey. We look forward to discussing the results with you shortly.

The survey findings will provide you with a broad overview of the key issues being faced by Internal Audit functions around the world and how your organisation compares.

For those who have not participated in the survey but would be interested in benchmarking their internal audit function against peers, we refer you to the survey that is run by PwC's Global Best Practices team.

For more information, please contact Marc Daelman.

 

Strategic decision making

After the financial markets crisis and subsequent economic downturn, Internal Audit departments are reassessing whether they are focused on the right risks. Practice has shown that best-in-class organizations are able to react fast to changes in the economic environment, and are able to align strategy decisions to these changes to maintain shareholder value in a short amount of time.

Commentators have noted that if Internal Audit departments want to be relevant going forward, they need to consider strategic risk.

A good starting point is for Internal Audit to have a role in reviewing their organisation's strategic decision making process (SDMP). A common approach to reviewing an SDMP can be split into three stages:

  1. Understand the SDMP in place;
  2. Compare the design of the SDMP against stakeholders' expectations and best practice; and
  3. Consider the operational effectiveness of the current SDMP.

A better understanding of an organisation's SDMP and of the culture and leadership style of the organisation is imperative to benchmark SDMPs against best practices. Interviews with the corporate planning department, the risk team and other key stakeholders, as well as a review of other available information that supports the SDMP (e.g. strategic plans, review programs to support strategy decisions, …), can enable Internal Audit to familiarize themselves with an organisation's SDMP. Such an understanding is crucial to assess whether the SDMP in place is operating effectively and efficiently. This creates a new challenge for Internal Audit departments to deploy skills and capability on SDMP.

Are you focused on the right risk?

For more information, please contact Marc Daelman.

 

Regulatory update

  • Setting a smarter course for growth, the PwC 13th Annual Global CEO Survey looks at what measures CEOs are taking in response to the recession, how they view the post-crisis business environment and what changes they are making to adapt their organisations. To be aware of the issues that may be on the mind of your CEO, download the publication: http://pwc.co.uk/eng/publications/13th_annual_global_ceo_survey.html
  • Further updates on Solvency II can be found at: http://www.pwc.com/solvencyII
    For more information on this subject, please contact Roland Jeanquart.

 

Internal audit roundtable meetings

Sharing best-practice ideas is a good, effective way of dealing with the challenges that internal auditors face. For this reason, PwC periodically hosts round-table meetings based on matters the Internal Audit community has raised with us. You are all invited to participate and share your views and experience.

Lunch sessions are held in our Brussels office, where the topics will be introduced and there will be opportunity for discussion with your peers and with us. For further information please visit:

Roundtable meetings

 

Should you wish to discuss further any of the topics covered, or if we can help you in any way with the development and delivery of Internal Audit Services, please contact me or one of the subject matter experts mentioned with each of the topics.

Please continue to share with us your views on 'Internal Audit In Brief' and suggestions on how we can maximise its value to you going forward.

Marc Daelman
Internal Audit Territory Leader
PwC Bedrijfsrevisoren/ Reviseurs d'Entreprises
Tel: +32 (0)2 710 7159