The Internal Auditor, Governance and Risk Management
18 November 2014
Phil Tarling, CMIIA, CIA, QIAL, CRMA

Speaker’s Background
• Vice President, IA Centre of Excellence, Huawei
• Past Chairman - Global IIA (2012-2013)
• Past President of the ECIIA (2010-2011)
• Past President of the IIA UK and Ireland (2005-2006)
• Provided capacity building in Internal Audit & PIFC since 1998
• Previously worked in the UK, Estonia, Latvia, Lithuania, Poland, Hungary, Czech Republic, Kenya, South Africa, Romania, Macedonia, Croatia, Serbia, Kosovo and Turkey
• Now responsible for developing internal audit capacity in a worldwide Chinese-owned telecoms company

Huawei – A Global Company
• 140+ countries, 150 nationalities, 15 Regional Headquarters, 150,000+ employees, £39.5 bn revenues
• Diagram of Huawei Headquarters functions: Accounting share center, Bidding center (Planning), Supply center & Hub, R&D center, Training center, Technical support center

Agenda
1. Current Expectations of Internal Audit
2. Corporate Governance & the Players in the Organisation
3. Risk Management in the Organisation
4. Encompassing Role of Internal Audit

Current Expectations of Internal Audit
The Internal Audit definition: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Elements included in the Internal Audit remit
Governance: “…a set of relationships between company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.” (OECD)
Risk Management: Managing the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Controls: Control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

Four Pillars of Effective Governance
The four pillars: Management, External Audit, Internal Audit, Board of Directors
“Internal auditing is perhaps the most important pillar in effective corporate governance and risk management. It has a unique position and can cover much broader risk areas than any external audit could.” - Lord Smith of Kelvin

Global International Standards 2110 Governance
The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
§ Promoting appropriate ethics and values in the organisation
§ Ensuring effective organisational performance management and accountability
§ Effectively communicating risk and control information to appropriate areas of the organisation
§ Effectively co-ordinating the activities of and communicating information among the Board, external and internal auditors and management

Key Elements of Governance
• Promotion of Ethics & Values
• Organisational Performance
• Accountability
• Risk and Control requirements
• Communication of Information
• Leadership & Direction

Promotion of Ethics & Values
• Tone at the Top
• Setting the right example
Illustration (news headline): Tesco puts $35m private jet up for sale. Private plane being sold by Tesco boasts leather seats, maple wood interior and DVD players.

Organisational Performance
• Regular monitoring
• Remuneration linked to performance

Leadership & Direction
• Vision
• Mission
• Values
• Forward looking
• Balancing performance & compliance
• Gaining ownership

Risk Management & the Organisation
Why does Risk Management matter?
• To counter Fraud
• To counter stupidity
Illustration (news item): With over 1 million views on their promo video and a tonne of bad press, Nokia has been forced to admit that ‘The video demonstrates the benefits of optical image stabilization only and the video is not shot on a Lumia 920’.

Risk Management & the Organisation
Why does Risk Management matter?
• To counter Nature

COSO ERM Definition
Enterprise Risk Management is a process, effected by an entity’s board of directors, managers and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

COSO Enterprise Risk Management (diagram slide)

The components of ERM (diagram)
Components: Internal environment; Objective setting; Event identification; Risk assessment; Risk response; Control activities; Information and communication; Monitoring
Roles across the components: First Line implements; Second Line provides oversight; Third Line evaluates

The principles behind good Risk Management
1. Every organisation should be headed by an effective Board, which is collectively responsible for the success of the organisation.
2. There should be a clear division of responsibilities at the head of the organisation between running the board and running the organisation’s business. No individual should have unfettered powers of decision.
3. The Board should have a balance of Directors, including independent non-executive directors, so that no one individual or group of individuals can dominate the decision taking.

The principles behind good Risk Management (continued)
4. There should be a formal, rigorous and transparent process for appointments to the board.
5. The board should be supplied in a timely manner with the information required to enable it to discharge its duties. All directors should receive induction when they join the board and should regularly update their skills and knowledge.
6. The board should undertake a formal and rigorous annual evaluation of its own performance and that of its committees and the individual directors.

The principles behind good Risk Management (continued)
7. A significant proportion of Directors’ remuneration should be linked to the organisation’s performance.
8. There should be a formal and transparent process for the determination of the remuneration of the top management of the organisation.
9. The board have a responsibility to maintain a sound system of internal control to protect the organisation’s assets and to enhance performance.
10. The board should have formal and transparent processes for the appointment of the internal and external auditors, their relationship with such, and the reporting procedures to be used in respect of financial and internal control processes.

The encompassing role of Internal Audit
Football managers often say that for the goalkeeper to miss a save, 10 other players must have missed it before him. This third line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (first line) and the defence (second line) fails to pick up the opposition’s attack, it is left to the goalkeeper (third line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both first and second lines, and failure to do so may lead to significant loss to the organisation.
• 1st line: Business Management
• 2nd line: Risk Mgt / Compliance / Others
• 3rd line: Risk Based Internal Audit
External Audit and the Regulators are the Referee and Linesman.

The Three Lines of Defence (diagram)
Direction: Board of Directors / Audit Committee; Senior Management
Assurance: 3rd Line of Defence; 2nd Line of Defence; 1st Line of Defence
Functions shown on the diagram: Financial Control, Enterprise Risk Management, Regulators, Quality, External Audit, Inspection, Internal Control, Compliance, Operational Management, Security, Ethics & Legal
Axes: Risks; Control
It should assist in defining where Internal Audit should be and where it shouldn’t be.

Shared Purpose of the Three Lines
First Line (Management): Know the objectives; Know the risks; Implement controls; Recommend process change
Second Line (ERM Department): Identify objectives; Identify risks; Implement mitigation; Report exposure
Third Line (IA Department): Identify objectives; Identify risks; Evaluate controls; Provide assurance

Internal Audit’s role in Risk Management
3 Lines of defence shows there is:
• Synergy
• Commonality of purpose
And there can be:
• Holistic use of outcomes
• Reliance upon each other’s work
But could there be pitfalls?

Internal Audit’s role in Risk Management
So with those advantages, can the first, second and third lines of defence work together? They can, but SHOULD they?
Some time ago the IIA introduced the FAN.

Internal Audit’s role in Risk Management
It is still relevant. (diagram slide)

Combined Internal Audit and Risk Management
We are all trying to win the game. Each line has a specific job that contributes to winning.
So in our organisations, what are the important elements?
• Recognition that the first line role is more than just revenue generation or service provision
• Coordination of the same purpose of all three lines, but providing input to the individual needs of each line
• Retention of Internal Audit independence

The Development of GRC
Governance Structure / Escalation Path (diagram):
• Audit Committee: Board sub-committee. Conducts an ERM deep-dive every six months
• Global Enterprise Risk Sponsors: Risk and Resiliency Operating Committee. VPs from Finance, Engineering, Sales, IT, Supply Chain and Services meet to discuss cross-functional risks every six weeks
• Head of Audit & Risk (Governance, Risk and Controls): IT Audit; ERM; Business Audit; Ethics and Investigations
Potential Downsides
• Loss of independence and objectivity
• Blurs the reporting lines – typically the CFO will have responsibility for Risk, the CEO for Audit
Potential Upsides
• All governance, risk management and control compliance issues are in the one area

And if you have to combine
If you have to have a combined approach you need to clarify:
• Management remain responsible for Risk Management
• Internal Audit must not be the owner of risk
• With a joint HIA and CRO, the Board should be aware that the division of time does not impact IA independence or coverage
• Ideally a joint Head of Audit & Risk should not give assurance on RM activities, but this may not be possible to avoid, so steps have to be taken to provide as much objectivity as possible

Why are there concerns with GRC?
UK Parliamentary Commission on Banking – First Report 2013, “Changing Banking for Good”:
A blurring of responsibility between the front line and compliance staff risks absolving the front line from responsibility for risk. Internal audit’s independence is as important as that of the Chief Risk Officer and the Head of Group Compliance.
The “three lines of defence” have not prevented banks’ control frameworks failing in the past, in part because the lines were blurred and the status of the front line, remunerated for revenue generation, was dominant over the compliance, risk and audit apparatus.

How should we audit?
The Risk Based Internal Audit approach (ORCA) links to:
• Objectives – identify what the business is trying to achieve
• Risks – identify what the risks are to the achievement of those objectives
• Controls – identify the controls that are necessary to deal with the risks
• Assurance – provide the Board with assurance that Governance, Risk and Compliance are being controlled

Internal Audit at the higher level
Should cover:
• The Governance environment
  § Policies, culture and structure
• The Governance Process
  § How the policies are implemented
• The Governance Procedures
  § Monitoring systems

Internal Audit at the higher level (cont.)
The Simple role
§ Check job descriptions
§ See that personal appraisals are regularly held
§ Are there individual objectives linked to the organisation’s?
§ Do managers know who they are responsible to?
§ Do they know who they are accountable to?
§ Do they know what the words mean?
BUT this is the simple compliance model. It does not meet the international standards on the role of IA.

Internal Audit at the higher level (cont.)
The Difficult role
• Audit how accountability actually works in the organisation
• Audit the adequacy of the information flows to top managers
• Audit how the Board works and how they communicate the strategy
• Audit how the strategy is complied with

What should be the role of Internal Audit?
The Audit Plan should contain audits of:
§ Strategic Planning
§ Managerial Accountability
§ Board communication
§ The system of Personal Appraisals
§ Personal Objective setting
§ And others at the higher level…

At this level Internal Audit is not easy
• Have we the right qualified auditors? If not, then get the qualified auditors that you need.
• We are not higher executives – we do not understand. Then find people who do, or go on training courses – internal auditors have to learn to be at the top table nowadays.
• Resistance from the Board/Executive level: use the Standards to convince; be patient in trying to convince; make sure that every job adds value and use this as a lever; do NOT promise what you cannot deliver.

Thank You
Phil Tarling
Office: +441189208506
Mobile: +447802656986
Email: phil.tarling@huawei.com
Twitter: @philtarling