Corporate Compliance Insights

Reinventing Internal Audit, Part 1

by Tim Leech
May 20, 2015

This article was reprinted with permission from the April 2015 issue of Internal Auditor magazine, published by The Institute of Internal Auditors, Inc., InternalAuditor.org.

Recent governance-related developments require the profession to revisit some of its long-held paradigms.

For at least the past decade, internal auditing has been in a state of growth and progressive change. And while it has evolved and advanced significantly, many practitioners nonetheless remain bound by some fundamental, confining paradigms. These paradigms include:

  • Internal auditors plan, execute and report results of point-in-time audits.
  • Internal auditors assess internal controls and report opinions on whether they believe controls are effective.
  • Internal auditors report what they believe to be control deficiencies, material weaknesses, significant deficiencies or opportunities for improvement.
  • Direct-report auditing is the primary approach used globally. In a direct-report engagement, the auditor evaluates the subject matter for which the accountable party is responsible. The accountable party does not make a written assertion on the subject matter.
  • The profession has been primarily supply-driven rather than demand-driven, as Boards and C-suites have often not specified their assurance needs, leaving internal audit departments to form their own views regarding which objectives/topics to focus on.
  • Internal audit often does not know (or require that management and Boards define) the type and amounts of residual risk the company and its Board are prepared to accept.

Many internal audit departments have not assessed and reported on risks to the organization’s top strategic/value-creation objectives or the effectiveness of its overall risk management framework. According to Enhancing Value Through Collaboration, an IIA Pulse of the Profession report, internal auditors surveyed dedicated a mere 8 percent of resources to their company’s strategic objectives in 2014.

The profession’s long-established practices have generally been viewed as adequate — even good to excellent — but their relevance to today’s stakeholders has begun to diminish. A shifting governance landscape places the profession’s traditional methods in jeopardy and points to the need for radical change. As stakeholder expectations evolve, internal audit must revisit existing paradigms and rapidly adjust to maintain its relevance.

Global Developments

Key developments over the last several years have significant implications for Boards, senior management and, in particular, internal auditing. The changes they’ve brought span across industries and geographical boundaries and are far-reaching in scope.

Increased Board Risk Responsibility

Following the 2008 global financial crisis, commissions were convened around the world to help understand what had gone wrong and prevent destabilizing events in the future. From these efforts, consensus emerged that Boards and, to a lesser degree, regulators, had not adequately discharged their duty to oversee what is increasingly being called management’s “risk appetite and tolerance.” Consequently, Board responsibility for overseeing management’s risk appetite and tolerance has risen significantly.

Creation of the Financial Stability Board

Shortly after the onset of the global financial crisis, the Group of Twenty, an assembly of representatives from the world’s largest economies, created a new international regulatory advisory body — the Financial Stability Board (FSB). The board currently includes government officials and financial sector and securities regulators from around the world. With unprecedented speed, it has formulated and disseminated paradigm-shift guidance that could effectively spur the re-engineering of corporate governance globally.

Among the FSB’s most significant contributions to date is a November 2013 guide for national regulators, companies and auditors titled “Principles for an Effective Risk Appetite Framework.” The guide’s authors define new and bold proposals for management, Boards and internal auditors. Details of the role proposed for internal auditors are shown in “FSB’s Guidance for Internal Audit” on page 48. In essence, the FSB calls on practitioners to transition from providing point-in-time, direct-report, subjective opinions on control effectiveness for a small percentage of an entity’s risk universe to reporting on the reliability and effectiveness of an organization’s entire risk appetite framework. The scope of reporting would include the reliability of enterprise risk status reports provided to the Board by senior management. Although the FSB framework was aimed primarily at the financial services industry, the core concepts it promotes are relevant to all sectors.

Adoption of FSB Guidance

Regulators around the world have started to enact regulations that reflect key FSB recommendations — particularly the need to assign primary responsibility for risk management and reporting to management and risk appetite and tolerance oversight to Boards. The revised UK Corporate Governance Code, issued in September 2014, provides one of the most notable illustrations of this activity. It positions responsibility for risk oversight squarely with Boards of Directors; calls on management to design, implement and maintain effective risk governance frameworks; and asks Boards to seek independent assurance that management has designed, implemented and maintained effective risk governance frameworks. Other countries that want to improve the integrity of their capital markets are expected to follow the UK’s lead.

Reduced Audit Client Satisfaction

As these regulator-driven developments gain traction globally, PricewaterhouseCoopers’ 2014 State of the Internal Audit Profession Study paints a picture of a significant decline in Board and senior management satisfaction with traditional, direct-report internal audit services. One of the report’s most disturbing findings is that half of senior management and nearly 28 percent of Board members say internal auditing adds less than “significant value” to their organization. Moreover, only 49 percent of senior management and 64 percent of Board members say internal auditing is delivering on expectations.

FSB’s Guidance for Internal Audit

In its Principles for an Effective Risk Appetite Framework, the Financial Stability Board proposes specific responsibilities for internal audit and other independent assessors. The framework states that internal audit should:

  • Routinely include assessments of the risk assessment framework (RAF) on an institution-wide basis, as well as on an individual business line and legal entity basis.
  • Identify whether breaches in risk limits are being appropriately identified, escalated and reported, and also report on the implementation of the RAF to the Board and senior management as appropriate.
  • Independently assess the design and effectiveness of the RAF periodically, as well as its alignment with supervisory expectations.
  • Assess the effectiveness of the implementation of the RAF, including linkage to organizational culture, as well as strategic and business planning, compensation and decision-making processes.
  • Assess the design and effectiveness of risk measurement techniques and management information systems used to monitor the institution’s risk profile in relation to its risk appetite.
  • Report to the Board and senior management in a timely manner any material deficiencies in the RAF and report on alignment (or otherwise) of risk appetite and risk profile with risk culture.
  • Evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.

Click here to view a preview of Tim Leech’s presentation this summer at The IIA’s 2015 International Conference.


Tim J. Leech, FCPA, CIA, CFE, CRMA, is Managing Director at Risk Oversight Solutions Inc. Risk Oversight Solutions focuses on helping companies more effectively manage risk and assurance to meet escalating Board risk oversight expectations and add real value. He has more than 25 years of experience in the Board risk oversight, ERM, internal audit and forensic accounting fields, including expert witness testimony in civil and criminal proceedings and global experience helping public and private sector organizations with ERM and internal audit transformation initiatives and the design, implementation and maintenance of integrated GRC/ERM frameworks. Leech has provided training for tens of thousands of public and private sector Board members, senior executives, professional accountants, auditors and risk management specialists in Canada, the U.S., the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader and trainer. His newest breakthrough methodology, “Board & C-Suite Driven/Objective Centric ERM and Internal Audit,” has been licensed by the IIA for global deployment starting in the fall of 2014 and his article “Reinventing Internal Audit,” featured in the April 2015 issue of Internal Audit, has received global recognition.
