Internal audit strategy for non-profits

Internal Audit Strategy and Risk Approach for Not for Profit Organizations: A practical model

Debashis Gupta, India

April 2, 2015

Discussion Points

• Internal Audit
  • Context
  • Conceptual framework
  • Model
  • Resourcing
  • Process
• Risk

Internal Audit

Context & challenges

Context

1. Wide geographical distribution of project/program sites/units

2. Range of programs/themes – research, publication, participatory action research, community capacity building…

3. Range of program delivery mechanisms

4. Range of network, collaborations and funding mechanisms, with associated stakeholder demands

5. Volunteers, partners (with/without formalized arrangements)

Myriad Stakeholder concerns

1. Range of stakeholders – network/ collaborators, donors – bilateral, multilateral, Foundations, private…

2. Range of funding mechanisms/windows – earmarked/non-earmarked…

3. Associated delivery commitments/ performance agreements…

4. Results frameworks, independent evaluations

5. Reporting obligations

What this means for Internal Audit (‘asks’)

1. Range of program management/ control & governance structures, including at partner organizations, to be considered

2. Impact on beneficiaries/communities

3. Need to ensure continuity of programs

4. Frequently, lack of recourse (legal/other), e.g. regarding volunteers

Internal Audit – Walking a tightrope

Competing priorities being juggled (figure):

• Multiple stakeholders
• Financial recording & reporting
• Cost Mgt.
• Special projects/ initiatives
• Risk Mgt.
• Ethical conduct
• Partners
• Volunteers

Juggling with sometimes conflicting priorities in a dynamic environment…

Internal Audit – Expectations

In uncertain times, how does a modern day IA function add value to the Audit Committee/ Board of Directors?

93% of respondents agreed or strongly agreed that the IA function could add value by:

• Greater level of engagement with stakeholders

• Enhanced focus on compliance

• Closer monitoring of critical processes to isolate outliers

• Adopting a leaner approach to audit by focusing on high risk areas.

Source: IIA survey 2012

How Internal Audit copes (response)

1. Put beneficiaries/communities first

2. Substance over form

3. Intent & transparency vs. procedure

4. Assurance strategy – convergence/ synergies (IA, Monitoring, Evaluation, …)

5. Capacity building (consulting role)

Internal Audit

Conceptual Framework/s

Internal Control & Governance Frameworks & models

1. COSO Internal Control Framework (now COSO 2013 ver.) – endorsed for SoX

2. CoCo (Canada)

3. Continuous Control Monitoring (CCM) & Continuous Audit (CA) models/systems

4. Risk Management & Governance frameworks: ISO 31000, King (IoD SA), COSO ERM, Cadbury, 3 Lines of Defence

Internal Audit

A Practical Model

Internal Audit model (Things to set)

1. Governance: Vertical & lateral inter-relationships and reporting (ensuring IA independence & objectivity):

   • Board of Trustees/Governors/Directors (individual entity-level)

   • Group/Network-level Collaboration – other auditors/evaluators

2. Structure: Level of delivery/execution (with associated frequency):

   • Local/Project execution-level (Operational)

   • Regional and/or HQ (often Strategic)

   (IIA IPPF-sensitive)

3. Assurance promise (% mix):

   • Financial (inputs)

   • Program (outputs and/or outcomes)

4. Resourcing: Mix of internal & co-sourced, local and global

5. Process: Risk focus at all stages

   • Planning (focus on significant risks)

   • Execution/delivery (focus on key controls)

   • Reporting (risk/objective-focused)

   • Issue tracking (with consequence mgt.)

6. Consulting – Control & risk (facilitation)

Internal Audit – Evolution

Path along the maturity scale, as per IIA:

• Compliance-focus to Control-focus

• Control-focus to Risk based audit (RBA)

• RBA to objective-centric (risk cumulative), enterprise-wide focus

• Risk/objective-based to Performance-centric

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

– The Institute of Internal Auditors

Internal Audit – Evolution

Traditional transaction-based compliance auditing

Risk-based audit scoping + Process and transaction audits

Process audits & Risk-based audits

Risk-based internal audits – based on enterprise risk register

Audit of Enterprise Risk Management framework

Internal Audit Evolution – QA/Benchmarking using IIA guidelines

Internal Audit

Resourcing

Internal Audit Resourcing Strategy – Possible model

1. Local – outsourced on ‘Co-sourcing’ model (where appropriate resources available)

2. Centralised unit capacities to be built up for:

   A. Review of strategic & sensitive functions/projects

   B. Improved monitoring of co-sourced auditors

   C. Review of policies & processes

   D. Facilitating new initiatives e.g. control self assessment, risk management

3. Explore potential to involve ‘guest’ auditors across regions/functions.

Outsourced vs. Co-sourced audits

Outsourcing

• Org. agrees audits; auditor devises audit plan, programs, report.

• Audit monitoring solely by auditor

• Working papers (WPs) not shared by auditors

• Audit wrap up & action finalisation by auditors

• Capacity enhancement is the auditor's responsibility

Co-sourcing

• Org. devises audit plan, jointly develops audit programs, reporting.

• Active audit monitoring by Org.

• WPs reviewed by Org. and available on demand

• Org. actively participates in joint wrap up & agreement on actions

• Org. arranges/ participates in training of auditors

Internal Audit

Process

Internal Audit process

Planning

1. Wide coverage – aim to cover all significant locations and processes in a multi-year cycle (e.g. once every 3 yrs)

2. Focus on fostering efficiencies/cost savings & best practices.

3. Project /program audits at various stages – planning, execution, closure

4. Supporting functions coverage

Key: Risk weightage

Internal Audit Planning Process – Risk based audit scoping (a model)

Inputs:

• Previous Internal Audit Reports
• Risk Assessment – Interviews with Management
• Risk Assessment – Survey of Process Owners
• Integrated Team – Risk Assessment
• Process Universe
• Location Universe
• Unit/Process Risk Universe

Planning process:

• Prioritize Audit Areas & Draft Plan
• Validate: Endorsement of key stakeholder
• Formal Approval

Output:

• FY .. Audit Plan

INTERNAL AUDIT PROCESS – EXECUTION

Control layers (figure): Control environment; Communication; Monitoring controls; Process / procedural controls.

Process / procedural controls: Key controls contributing to the mitigation of the most significant risks are identified and assessed, to evaluate control existence, efficacy and implementation.

Risk

• Context – Internal Audit & Risk
• Status
• Conceptual frameworks
• Possible roadmap

RISK BASED INTERNAL AUDIT – Purpose

Purpose of risk based internal audit is:

• To provide assurance on the effectiveness of controls and the management of risks to assist the company in achieving its objectives.

• To improve the company’s operations by adding value, supporting management and providing a platform for learning.

Internal Audit & Risk

Traditional internal audit model: Controls assurance based on cyclical or routine audit plans

Improved internal audit model: Controls assurance based on risk-based internal audit plan

Risk-centric internal audit model: Assurance on the effectiveness of risk management in addition to controls assurance

Risk convergence

Functions: Internal Audit | Compliance | Risk Management

Areas (figure): Internal Audits; Cost efficiency; Laws & regulations; Anti Fraud; Privacy; Program/Project implementation; Business

• Lack of co-ordination

• Competition for attention

• Risks falling through cracks

• Duplication of efforts

Using a standard framework

How the complexities are being overcome by organizations

Functions: Internal Audit | Compliance | Risk Management

Common framework steps: Objective setting; Risk ID; Control ID; Deficiency management

Applied across Business Functions

• Creating structure across/within functions, businesses and regulatory requirements

• Aligning with management & regulatory expectations

• Choosing the right place to start: new and developing functions, union of similar silos, areas rife with duplication, integrated/related environments

ENTERPRISE RISK MANAGEMENT (ERM) – Context & reporting

Often required: confirmation by Board on:

• Continuous monitoring of risk management system and satisfaction with current risk mitigation measures

• Responsibility for ensuring an appropriate risk management process

• Risk management aims

• Risk mitigation strategies & practices

A lot of ask!

DEFINITIONS OF RISK…

“Risk is the effect of uncertainty on objectives.” – ISO 31000:2009

“Risk is the chance of something happening that will impact objectives.” – AS/NZS 4360:2004

Thus, risk can be defined as the potential for loss caused by an event (or a series of events) that could adversely affect the organisation's ability to achieve its objectives, or something that diminishes the effectiveness of the organisation.

Risk can be a HAZARD but can also enable the organisation to take full advantage of OPPORTUNITIES.

Risk Complexity – ERM Continuum

WHERE ARE WE ON THE RISK MANAGEMENT CONTINUUM?

Risk Naïve
  Key characteristics: No formal approach developed for risk management
  Internal Audit approach: Promote risk management and rely on audit’s risk assessment

Risk Aware
  Key characteristics: Scattered silo based approach to risk management
  Internal Audit approach: Promote enterprise-wide approach to risk management and rely on audit’s risk assessment

Risk Defined
  Key characteristics: Strategy and policies in place and communicated. Risk appetite defined
  Internal Audit approach: Facilitate risk management/liaise with risk management and use management’s assessment of risks where appropriate

Risk Managed
  Key characteristics: Enterprise wide approach to risk management developed and communicated
  Internal Audit approach: Audit risk management processes and use management’s assessment of risk as appropriate

Risk Enabled
  Key characteristics: Risk management fully embedded into the operations
  Internal Audit approach: Audit risk management processes and use management’s assessment of risks

Risk Management Framework-1

1. Articulate business objectives

2. Assess significant risks across entire spectrum

3. Build in balanced controls to manage business risks

4. Ensure alignment of objectives, risks & controls across the enterprise

ERM methodology primarily based on COSO* framework

* Committee of Sponsoring Organizations (COSO) of the Treadway Commission

Risk Management Framework-2

ERM framework primarily based on ISO 31000

ERM – Possible Roadmap

1. Developing a Risk Management Policy

2. Developing a Risk Management Framework covering:

   • Structure, roles & responsibilities

   • Methodologies, systems & tools

   • Processes of risk identification, assessment, prioritization, monitoring & reporting (in line with preferred framework e.g. ISO 31000 or COSO-ERM)

3. Formal enterprise risk management strategy can follow a two-pronged approach:

   • Risk management by process owners

   • Risk identification, assessment & reporting by ‘risk officers’ & ‘coordinators’ (existing functionaries co-opted in an ‘embedded’ role), facilitated by a nodal dept. (IA/ERM?)

   Identify the critical risks that the organisation is facing, and current or recommended actions to address these. Devise plans to continuously monitor and report on the most critical risks.

4. Formal reporting on risk profile to Board/s (at least annually) – Risk review which identifies key risks across the company, e.g.:

   • Governance Risk

   • Strategy and Policy Risk

   • Funding Risk (e.g. risk of dependency on too few source/s of income/revenue/funding)

   • Financial Management Risk

   • PR and external communications Risk

5. Once ERM is fully rolled out, and all aspects of the ERM process are handed over to management consequent to the organization gaining the requisite degree of maturity on the risk management continuum, the role of Internal Audit can be limited to auditing the implementation of the ERM framework.

ERM – Possible Roadmap… Organisation structure (figure)

Business Functions → Process Owners (M1, M2) → Business Leaders, with an IA/ERM Nodal Committee at the centre.

Risk Coordinators (RC*) at unit level (CO M11, CO M12, CO M13; CO M21, CO M22) are grouped under Risk Officers (RO*) at region level (Region M1, Region M2).

Flow: Risk Identification → Risk Assessment → Risk Reporting

*RC = Risk Coordinator; RO = Risk Officer

ERM – Possible Roadmap…

Step# | Description | Responsibility | Date agreed
1 | Identify the key processes carried out within the business | Group | ???
2 | Identify the main purpose/objective of each of the key processes | Group | ???
3 | Map each key process at sub-process/activity level | Respective dept. | ???
4 | Develop risk rating scale for each process | IA/ERM | ???
5 | Identify & prioritise key risks of each process (facilitated by IA/RM, if required) | Respective dept. | ???
6 | Identify mitigating measures in place/ proposed for each key risk | Respective dept. | ???
7 | Presentation of key risks and associated mitigating measures to MCT | Respective dept. | ???

Thank You
