Internal Audit Reporting - Perspectives From Chief Audit Executives


A common challenge for many Chief Audit Executives (CAEs) is presenting the results of internal audits in the most effective and impactful manner. Most CAEs are requested to issue an opinion on the adequacy of internal controls following an internal audit. Such audit opinions provide clarity regarding the severity of the identified issues and increase comparability over time and between audit objects. However, using standard audit opinions may be arbitrary and could result in debates on the rating rather than the identified issues. This challenge was discussed with CAEs representing various industries during a recent roundtable in Amsterdam hosted by Ernst & Young:

How can audit findings of entities across the company be reported in a comparable way?

How can internal audit findings be reported in a way that facilitates prioritization and follow up?

How can Internal Audit apply audit opinions without being seen as a police officer?

How can internal audit opinions support desired change within a company?

'The Internal Audit Roundtable is part of a series of recurring events and aims to provide a platform for companies to collaborate with peers. The goal is to identify, through deliberations, practical step change solutions that can contribute towards maximizing the value that organizations can derive from their investments in managing risks.'

>> Introduction


A number of different systems for audit opinions are used by internal audit functions. The most common varieties are:

• Binary: internal controls are or are not appropriate in the situation, for example: internal controls are satisfactory or unsatisfactory, effective or ineffective, meet expectations or do not meet expectations, etc.

• Graded: the effectiveness of internal controls is rated using a grading system, for example: red-yellow-green, 1-2-3-4-5, etc.

• Directional: provides additional information about the direction of the opinion since a previous report, for example Satisfactory, but diminished since last year.

Most participants at this roundtable use one of the above systems. A leading global company in the Technology industry recently started a transformation program designed to make its internal audit function even more relevant by acting as a business partner to the organization, providing value-added advice in a dynamic and constantly changing market environment. Changing the report rating and issue tracking approach was part of this major transformation program.

In the past the Internal Audit function assessed the effectiveness of internal controls using a 5 scale grading system “ABCDN”, equivalent to the frequently used system where audit reports are rated with Good, Fair, Unsatisfactory, Unacceptable, Not Rated.

The internal audit function found that this traditional audit rating approach:

• did not give sufficient insight into risk development, nor did it allow for comparability. For example the materiality of a C-rated (unsatisfactory) financial review in a small country did not compare with a C-rated review of a major business process. As a result, if the % of C-ratings went down, you could not conclude that the risk level for the whole company decreased.

• drove management to focus on reports with an overall C rating (unsatisfactory) and put less attention on reports with more positive audit ratings.

• reinforced the “police role” of internal audit, emphasizing the rating and not focusing on a constructive dialogue around materiality, urgency and solutions.

The internal audit function decided to develop a new audit report rating system to move away from the traditional “police role” and at the same time increase the comparability and understanding of audit findings.

Ernst & Young point of view:

Why the push for an internal audit report rating system?

Audit ratings and opinions, in one form or another, have been around for decades. But with corporate governance regulations requiring management to provide an in-control statement, overall ratings and opinions have become more important. Certainly, Management and Audit Committees will look at the internal audit function before issuing a positive in-control statement in the annual report.

Broadly speaking, audit opinions and ratings offer several distinct benefits:

• ability to see the state of the control environment at a glance

• benchmarking against which management and the Audit Committee can measure improvement or slippage

• identifying trends in the control environment

• putting the audit rating results in context with the activity’s risk profile

• recognizing management’s awareness of control weaknesses and its proactive remediation of them

Using a single-dimension approach, control ratings can be as simple as pass or fail, or as complex as having five levels of performance. The more commonly used system applies three rating levels: “Satisfactory,” “Needs improvement” and “Unsatisfactory.” These kinds of ratings enable the Audit Committee to assess the strength of the company’s controls. But a rating of “unsatisfactory” in isolation does not let Audit Committee members know how important the business’s activity is within the organization, the levels of risk it may pose or what management may be doing about it.

>> Internal Audit report rating revisited


Leading internal audit functions consider the extent to which the audit findings may impact the achievement of business objectives and use a variety of quantitative and qualitative measures to reach the audit opinion. Important elements of these measures are impact and likelihood, but also more implicit business objectives such as reputation or environment.

The internal audit function of a leading global company in the Technology industry decided to use Value at Risk (V@R) principles to quantify the business impact of internal audit findings.

Ernst & Young point of view:

Considering a three dimensional audit ratings approach

As highlighted on the previous page, traditional audit rating approaches pose several challenges as they:

1. often do not provide insight into the importance of the business’s activity within the organization or the levels of risk it may pose;

2. do not give insight into whether management knew about the identified audit issues and what they are doing to fix them.

A three dimensional ratings approach should provide these two data points in addition to the performance level (“Satisfactory”, “Needs improvement”, “Unsatisfactory”) of the control environment of an auditable entity.

The first data point is often available by leveraging inherent risk ratings from (Enterprise) Risk Assessments. These risk assessments can deploy quantitative techniques including both probabilistic techniques such as value at risk, market value at risk, loss distributions, and back-testing, as well as non-probabilistic techniques such as sensitivity analysis, scenario analysis, stress testing, and benchmarking.

The second data point addresses the fact that Executives often hear complaints from management that it was already aware of and working to resolve many of the issues raised in the audit report. Internal Audit could give management teams credit for identifying issues and having plans for resolution before the audit. If they aren’t given credit for identifying issues before Internal Audit enters the picture, they are less likely to raise the problems that they know exist. More often, they keep quiet, hoping that Internal Audit won’t find the issues. This is not a good strategy. Asking management teams to provide their control issues and improvement efforts during the planning phase of an audit will enable them to receive full credit for their efforts in the audit report.

A three-dimensional rating provides executives and Audit Committees with a broader view of the organization. It also enables them to more effectively prioritize issues based on the entity’s inherent risk and awareness by management, rather than solely on the traditional audit rating.

With the V@R method the IA function wants to:

• present findings in a more visual and quantified manner which enables the business to focus on the main findings.

• increase the insight into the development of risk across the company and to allow for more comparability.

• shift focus from overall point in time ratings to a continuous improvement orientation based on materiality and urgency through a constructive dialogue with the auditee.


The V@R methodology, applied by a leading global company in the Technology industry, is designed to highlight the likelihood and the urgency of an audit finding, ensuring management attention at the right level in the organization. Key design principles included:

• Moving from a one dimensional system to a more balanced view (including what goes well);

• Resolving comparability challenges by explicitly highlighting impact and value;

• Solicitation of action through enabling prioritization based on urgency.

Audit findings are visualized as bubbles placed in the Likelihood – Urgency grid. The size of a bubble visualizes the impact of the finding, based on the financial business impact, which is determined by the possible loss in cash. Items that cannot be quantified, such as brand or reputation risks, are represented by squares. The likelihood (Y axis) represents the probability of the V@R materializing in the next 12 months. Urgency (X axis) refers to the speed of action required to remediate the root cause of the audit findings.

The V@R pilot has been running for a year now and Internal Audit has found the advantages of this approach to be twofold: Management attention at the right level in the organization is ensured and the business is enabled to focus on the main findings as they are presented in a more visual and quantified manner. The additional complexity in evaluating audit outcomes did pose significant challenges as many business stakeholders liked the traditional rating system for the simple answer on ‘good’ or ‘bad’.

One participant of the roundtable concurred that an important element of changing the internal audit ratings approach is to change mindsets in the entire company. The CAE of a leading global company in the technology industry responds that it indeed is a process. The new internal audit rating approach facilitates a very interesting dialogue with stakeholders as the outcome is more robust and more factors are taken into consideration. Nevertheless implementing a new method of internal audit rating is a journey. As part of this journey steps have been taken to further align with stakeholders to increase business buy in through:

• Continued calibration of audit reports which is required as the process matures;

• Integrating value@risk with Enterprise Risk Management (ERM) through management self assessments of the value at risk as part of its ERM risk reporting;

• Merging the Value@Risk outputs with action-tracking and follow-up for a more comprehensive view of risk.

>> Value at risk put into practice


Using V@R as an internal audit rating approach is a relatively new concept. Through our discussion with CAEs we found that it offers a number of advantages. V@R, as an integral part of the overall enterprise risk management, can play an important role in changing the relationship with stakeholders from being a “police man” to being a business partner. V@R not only measures internal audit findings but can also help compare findings across the company to facilitate meaningful discussion with stakeholders. It can also drive prioritization and follow up on audit findings that matter.

Throughout the discussions during the roundtable a number of emerging topics on the CAE agenda have been mentioned, such as:

• How to quantify the risk appetite of a company?

• How can innovation (e.g. tooling and techniques) be utilized by Internal Audit?

• What is the impact of culture on controls?

• What are the key elements of a risk assessment, how do these link to business opportunities and how can internal audit facilitate a company-wide risk assessment?

These topics will certainly be good areas of discussion during a next round table.

For more information, please contact:

Maurice van der Sanden, Internal Audit solution leader, +31 6 2125 [email protected]

or

Tonny Dekker, Risk Leader Belgium and The Netherlands, +31 88 407 [email protected]

>> Closing remarks


Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

© 2012 Ernst & Young LLP. All rights reserved.

www.ey.com/nl