Aligning Corporate Strategy with Risks in order to avoid a Crisis
A Sharper Focus By Ahmar Azam IIA 70 Years Celebration Magazine
1. A Sharper Focus Page 1 of 5
GLOBAL PERSPECTIVES ON RISK,
CONTROL, AND GOVERNANCE
February 2011
A Sharper Focus
Heightened stakeholder expectations are pushing audit departments to put greater emphasis on the key
elements of internal auditing.
Ahmar Azam, CA
ICS Compliance LLC
Poor corporate governance has contributed to the adverse economic conditions in the United States, the financial crisis
in Europe, the real estate bubble in the United Arab Emirates, and the pressures of the global recession. The roller
coaster ride that this generation of business leaders has experienced is unlike anything witnessed since the Great
Depression. Globally, governments are endeavoring to put the economy back on track. On one side, these changes
are presenting opportunities, particularly for professionals in governance, risk, and compliance (GRC). On the other side, the
changes are forcing the internal audit profession to reconsider its existing model.
Over the past two years, executive management and boards of directors of organizations have demanded greater
assurances from internal auditing that internal controls and risk management procedures are in place to help achieve
business objectives, generate greater value, and meet shareholders’ expectations. In response to these unprecedented
expectations, many internal audit functions have focused on addressing the key components of internal auditing while
ensuring that auditors are leveraging the resources within the organization, both in terms of people and processes.
LEVERAGING RESOURCES
Organizations typically have a board of directors, audit committee, regulators, external auditors, and management as their
major stakeholders. Understanding the goals of the organization’s stakeholders and protecting their interests are mission-
critical to audit functions. The internal audit department is a third line of defense after the business and risk managers.
Performing this role is particularly difficult for internal audit functions when the economy declines. In a recession, budgets are
slashed, people are overworked, and segregation of duties may be compromised, leading to increased risk of fraud and error.
In situations like this, audit resources need to be strengthened, but this is not happening. According to a 2010 IIA Audit
Executive Center survey, more than half of U.S. Fortune 500 internal audit departments faced budget cuts since 2007. As a
result, today’s auditors need to identify every opportunity to leverage the GRC efforts that exist at different management
levels within the organization, which can minimize costly duplication of GRC efforts. For example, in 2010, the audit
department at one community bank was not leveraging the GRC efforts at that organization at all. Both management and
internal auditing were performing separate U.S. Sarbanes-Oxley Act of 2002 testing in its entirety. In addition, auditors were
not invited to attend risk management meetings, and the audit risk assessment did not take management’s risk identification
and management process into account. This silo approach led to an inefficient audit process that could have been prevented
if auditors had used their vertical and horizontal view of the organization to identify and eliminate such duplications.
http://www.theiia.org/intAuditor/feature-articles/2011/february/a-sharper-focus/index.cfm?... 2/13/2011
Sarbanes-Oxley brought a turning point in corporate governance by putting the focus of risks and controls at the business
unit and process level. Today, as the process has evolved, elements of GRC, such as Sarbanes-Oxley testing, risk
assessment, and compliance, are also embedded at the process level and are controlled and monitored by process owners.
Risk-savvy audit professionals focus on leveraging the good work of management in GRC, and their organizations create
processes to hold executives accountable for the “what if” scenario through a risk and reward system.
A BETTER AUDIT APPROACH
Building trust and relationships with management at all levels is an intricate element of an internal audit function’s success.
An important goal of an organization should be to create an environment in which the process owners trust the audit function,
value its contributions, and see it as a partner. Less successful audit departments tend to be those that process owners
perceive to be taking a “gotcha” approach. When that happens, process owners don’t easily provide information and
cooperation. A partnership between internal auditing and process owners can be achieved without compromising
independence and objectivity. Such cooperation also can improve the audit function’s effectiveness and efficiency.
The speed of trust gained from this partnership can give the audit function unprecedented access to information. However,
this information must be managed and leveraged appropriately to bring effectiveness within both the audit function and the
organization. The board, management, and internal auditing need to implement communication tools that ensure that
information is analyzed, used, and forwarded timely. The audit function also must communicate effectively with its
stakeholders, particularly the audit committee.
Establishing a trusted relationship with audit clients is an important component of a multifaceted audit approach that
addresses the key components of internal auditing: risk assessments, control testing, compliance, fraud, process
improvement, and quality reviews.
Risk Assessments
Risk assessments cannot simply focus on the risks that are driving the existing lines of revenue; they also should identify and
understand the future risks that may prevent the organization from achieving its goals tomorrow. Identifying risks is not a
point-in-time exercise, especially for sophisticated sectors like financial services; it is ongoing and dynamic. Every time the
organization explores a new line of revenue, it needs to identify:
The additional risks it would bring to the organization.
Who would own that risk.
Who would own the resulting internal controls.
The residual risk.
The impact on the existing risk and control environment.
Whether the existing GRC model has the capability to manage that risk.
Whether it is worth taking that risk.
This analysis should play a major role in the decision process, which makes sense when the return on investment is greater
than the unmitigated risk of that investment. Internal auditors have the benefit of looking at risks within the organization, both
vertically and horizontally. They also have an understanding of each stakeholder’s expectations. They can help set up
processes at an operational level that help the organization make its risk identification, management, and monitoring
processes more reliable and resilient.
In today’s business environment, risk identification and management is happening at different levels of the organization.
Internal auditors’ risk assessment process needs to incorporate the risk assessment and risk management that exists
throughout the organization. Efficiency is brought about by populating the entire risk universe, identifying the owners of risks,
evaluating how they are managing those risks, quantifying the residual risk, and identifying ways for internal auditing to
leverage these risk assessment efforts.
Control Testing
Whether by way of point-in-time testing of internal controls or continuous auditing, today’s internal auditing is moving beyond
transactional testing. Audit efforts need to be as much forward-looking as past-focused. Most enterprise resource planning
(ERP) systems have built-in tools that complement the efforts of the internal audit function through continuous monitoring and
exception reporting. By focusing on red flags that these tools have identified, audit functions can catch issues before they get
out of control.
Moreover, IT audits can no longer operate in a silo within the audit function, nor can they only focus on areas such as IT
general controls and vulnerability and penetration testing. The application controls within the ERP system need to be
understood fully to identify opportunities to create exception reports leading to early warning of issues, covering both fraud
and error.
Assigning responsibilities for ownership of internal controls, monitoring controls, and holding the control owners accountable
contributes to an effective GRC environment. This allows auditors to focus on items that really matter in meeting
stakeholders’ objectives. For instance, in the area of account reconciliation, as long as management checks a sample of
transactions each month, without compromising segregation of duties, the internal auditor does not need to do the same
check. Instead, auditors should test a sample of transactions to verify that management is doing what it is supposed to do.
Compliance
With an ever-changing regulatory landscape across various industries, especially in the financial services sector, compliance
has evolved into one of the most important functions in any organization. Most enforcement actions against banks and
monetary penalties levied by the regulators are due to noncompliance with regulations and ineffective policies and
procedures.
Compliance and audit departments cannot afford to operate in isolation. Although internal auditors are responsible for
auditing the compliance function, effectiveness in both functions cannot be brought about unless the audit and compliance
teams fully understand each other’s mandate in a transparent manner. A mature compliance department has three broad
responsibilities:
Ensuring that the organization’s policies and procedures comply with laws and regulations, and protecting the interest and goals of the stakeholders.
Monitoring whether process owners are in compliance with the policies and procedures.
Ensuring that compliance and internal controls are embedded in the organization’s business processes, prospectively and retrospectively.
Understanding the mandate of the compliance department, identifying opportunities to leverage its work, and effectively
monitoring its function should be an integral part of the audit process. Focusing on areas where compliance has identified
problems creates value and lowers the audit function’s costs.
Fraud
According to the Association of Certified Fraud Examiners’ 2010 Report to the Nations on Occupational Fraud & Abuse, a
typical organization loses 5 percent of its annual revenue to fraud, translating to a global fraud loss of US $2.9 trillion. In
today’s environment, an effective audit plan must include fraud as a key component. Risk assessments should include fraud
risk and evaluate how the process owners are managing it. Auditors should provide guidance to process owners and
compliance professionals in identifying controls that can prevent fraud and assist in devising ways of monitoring those
controls.
Organizations should create an environment where employees are trained to identify fraud and feel secure in reporting it.
Their compliance and internal audit functions share responsibility for ensuring the integrity and effectiveness of the reporting
process.
Process Improvement
To earn the respect of process owners, internal auditing must contribute to process improvement — simply identifying a
problem is not enough. Providing ideas for improvement builds a relationship of trust and is easy to measure.
Today, many audit functions see their department as a profit center, quantifying their value to the organization by the amount
of fraud and errors they caught or prevented, as well as the benefits gained through process improvements. To add more
value, achieve improvements, and gain access to the best practices, audit functions depend on training, assistance from
professional services firms, and interaction with audit peers in other organizations.
Quality Reviews
In today’s business environment, self-governance and self-evaluation are critical components of process improvement. To
avoid complacency, internal audit functions should perform a periodic quality review of their own practices.
The International Standards for the Professional Practice of Internal Auditing (Standards) provides excellent guidance that
audit functions can use to undergo a quality review. The Standards require internal audit departments to undergo an external
quality assessment every five years and internal quality assessments periodically. These assessments should evaluate the
department’s conformance with the Standards, Code of Ethics, and Definition of Internal Auditing; the adequacy of its charter,
goals, policies, and procedures; its contribution to the organization’s governance, risk management, and control processes;
compliance with applicable regulations; and the effectiveness of improvement activities. Completing such assessments as
part of a quality assurance and improvement program brings transparency to the audit process and facilitates an increase in
trust and respect of the audit function.
AN ENHANCED AUDIT FOCUS
By incorporating these six components into their audit approach, internal auditors can more effectively assess the business,
identify areas for improvement, and contribute to managing business risks. This becomes increasingly important as today’s
audit committees demand that their organizations have an effective, robust, and reliable governance framework in place,
along with continuous compliance, monitoring, and reporting. These expectations — and the regulatory environment — will
only get tougher in the future. An enhanced focus on internal auditing can help organizations stay focused on business
growth, weather stormy market conditions, and enhance shareholder value.
To comment on this article, e-mail the author at ahmar.azam@theiia.org.
A SHARPER FOCUS
A SHARPER FOCUS Heightened stakeholder expectations are pushing audit departments to put greater emphasis on the key elements The prime function of
an organization is how ready the company is in its payments. This morale and its existence require the company’s liquidity position. Internal Audit as a watch to
every transaction holds the funds to its spending towards business and authorized payments. This payment monitoring through regularized system, regulated
by the internal audit make the company obliged to the payments to the stakeholders, through maintaining its sound system of authorized payments. Rashid
Pervez IIA Membership # 1394262
Posted By: Rashid Pervez
2011-02-07 12:06 AM
SHARPER FOCUS
Dear, "Sharper focus" of internal auditing you have discussed is very relevant. However in most developing countries there is a need to enhance conducive
environment of GRC in public sector. This is because legal framework defining roles and relationship of oversight, management and evaluation is lacking
automatic driving forces as it is in private sector. The greater moving forces for GRC in private sector is axiomatic from the fact that the oversight, management
and resources all belong to the same and specific owner. Thus, the legal framework and tone at the top is very paramount in enhancing sharper focusing of
internal auditing. I believe that GRC comes next to the tone at the top and legal framework. Regardless of current obstacles, I believe that we internal auditors
still have a great role to play by marketing those prerequisites of GRC in our developing countries. We have to dare forevermore in highlighting of likely
consequences if unconduciveness for GRC are not resolved. Now, it is luck that in many African countries that importance of empowering the internal audit
activities is on move. Matured evaluation of Good Governance is a cornerstone for making the Internal Audit Activities to deploy GRS tools to the expectations of
stakeholders. I recommend for your blog, Venance S Nijimbere CIA
Posted By: venance S.Nijimbere
2011-02-04 8:43 AM
The Institute of Internal Auditors • 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.internalauditoronline.org
Contents of this site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors.