Ways of working towards innovation in auditing

BENOÎT HAREL, DIRECTOR, IFACI CERTIFICATION

« Public sector innovation is about new ideas that work at creating public value »

OECD, Oslo Manual on Innovation & 2014 Conference

OECD, Innovation Measurement Framework (diagram): Infrastructure and Institutional Framework; Demand; Other Items; Education and public research system; Innovation Policies; The Firm, with its Product Innovations, Process Innovations, Marketing Innovations and Organisational Innovations.

« Changes provide challenges for internal auditors to do things differently so that internal audit add greater value and remain relevant as part of the internal control & governance structure. »

The Institute of Internal Auditors, Internal Audit and Innovation

The IIA – The Competency Wheel, October 2014

The Competency Wheel

This competency wheel depicts the six nontechnical skills that are key to internal audit innovation as well as the three enablers for those skills.

« There is nothing more powerful than an idea whose time has come »

Adoption curve (diagram): degree of support for innovation plotted against time, rising through seven stages:

• Contact: "I'm being told about something"
• Awareness: "I know what it is"
• Understanding: "I see the implication for me/us"
• Engagement: "This looks OK"
• Involvement: "Let's test it. Let's do it"
• Commitment: "We like to do it this way"
• Internalisation: "Why did we do it any other way?"

Internal Audit (diagram): Do more with less; Minimise impacts; Maximise insights; Streamline processes; Get the right resources; Leverage hi-tech; Evidence value addition.

Continuous ERM Auditing

PRACTICAL TIPS

• Systematic in-depth review of the ERM system
• Feeds into a structured ERM database
• Quarterly consolidation of cumulative data
• Standardised assessment criteria
• Multi-faceted assessment model

VECTORS FOR VALUE ADDITION

• Evergreen focus on emerging & orphan risks
• Embedded & streamlined assessment
• Regular feedback to the governing bodies
• Robust opinion based on a broadened scope

ERM OPERATIONAL PROCESS (maturity grid, best row first)

Objective Setting | Risk Identification | Opportunity Management | Risk Assessment | Response Defined | Actionee Defined | Due Date Defined | Control and Monitoring
Accurately set | Very well identified | Very well managed | Financially Assessed | Always | Always | Always | Key Control and KPI
Set | Identified | Managed | Globally Assessed | Often | Often | Often | Key Control without KPI
Insufficient | Insufficient | Insufficient | Insufficient | Sometimes | Sometimes | Sometimes | Insufficient
Absence | Absence | Absence | Absence | Never | Never | Never | (none)

ERM COMPLIANCE PROCESS (assessment questions and their answer options)

• Has a yearly self-assessment of internal controls been done addressing both the design and operating effectiveness? Done and tests formalized and documented / Done but tests not formalized / Done through interviews rather than tests (light approach) / Not done
• Number of Key Controls? #
• Is the Confirmation Letter signed off? Yes / No
• Number of Weaknesses Declared? 0 / 0 < x < 5 / 6 < x < 10 / x = or > 10

ERM SUPPORT PROCESS

• Existence of training? Well developed / Sufficient / Insufficient / Yes
• IT tool is deployed? Company tool / Excel / Other tool / No tool

Consideration of the Risk of Fraud in the ERM Reports

Functions | Division 1 | Division 2 | Division 3 | Division 4 | Division 5
Compliance | YES | YES | YES | YES | YES
Finance | Partially | YES | YES | Partially | Partially
Procurement | NO | Partially | Partially | NO | Partially
Sales | NO | Partially | YES | NO | YES

Entity grading by process (grades listed as extracted; the column each grade belongs to was not preserved)

Processes: Governance | Bid Process | Business Ethics | Export Control | Budget and Reporting | Program Controlling | Purchase to Pay | Payroll and Bonus | IT and SAP Access | Treasury and Cash | Enterprise Risk Mgt
Entity 1: B A B B
Entity 2: B
Entity 3: B B B B A
Entity 4: A A B B A B B B B

ERM Audit Conclusion

Summary of the Audit Observation | Grading | Agreed Action Plan

ERM Internal Control self-assessment must be better substantiated by formal testing and documentation | B | Agreed action plan:
• Using your existing policy, identify your key controls that will serve as reference for the annual self-assessment
• Make sure that tests are backed with robust sample testing and test results
• Submit the signed dashboard and test sheets to the ERM team to get their validation and feedback

GRC Maturity Grading model based on COSO 2013

PRACTICAL TIPS

• Tri-dimensional grading model
• Consistent and aligned criteria per level
• Outcome-based rules for the overall opinion
• Articulation with audit objectives

VECTORS FOR VALUE ADDITION

• Promotion of a holistic assessment
• Generally accepted GRC framework
• Easy-to-use and objective model
• Allowing robust comparisons over time

GRC maturity scoring sheet (template, filled with the slide's worked example)

Prepared by: / Reviewed by:
Project / Risk

COSO COMPONENT columns: CE (Control Environment), RA (Risk Assessment), CA (Control Activities), IC (Information & Communication), MA (Monitoring Activities)

Rating of Control Objective Risks: a grade is awarded per IA objective, i.e. control objectives assessment and findings impacts on Governance, on Risk Management, and on the business control environment.

Individual Control Objectives Scoring and Grading

Control # | Control Objective | Type of IA Objectives | CE RA CA IC MA | Imp. of Cont. Obj | Grade Awarded | Grade Awarded (level) | Control Objective Score | Control Objective Rating
1 | Control Objective 1 | Risks | x x x | 3 | 3 | Level 3: Partially Adequate | 3.00 | Level 3: Partially Adequate
2 | Control Objective 2 | Risks | x x x | 3 | 3 | Level 3: Partially Adequate | 3.00 | Level 3: Partially Adequate
3 | Control Objective 3 | Risks | x x x x | 3 | 1 | Level 1: Unreliable (D) | 1.00 | Level 1: Unreliable

Weighted Average Score for each of the IA objectives: 3.00 | 3.00 | 1.00

# | IA Objectives | Control Maturity Level | Weight Assigned | Individual Objective Grading
1 | Control objectives assessment and findings impacts on Governance | 3.00 | 33.33% | Level 3: Partially Adequate
2 | Control objectives assessment and findings impacts on Risk Management | 3.00 | 33.33% | Level 3: Partially Adequate
3 | Control objectives assessment and findings impacts on Business Control Environment | 1.00 | 33.33% | Level 1: Unreliable

Scale: Level 1: Unreliable / Level 2: Weak / Level 3: Partially Adequate / Level 4: Adequate

FINAL OVERALL GRADING: Level 2: Weak

Outcomes Based Rules: rating combination of the three individual objectives gradings, irrespective of GRC dimension, and the resulting overall grading

Adequate | Adequate | Adequate → Adequate
Adequate | Adequate | Partially Adequate → Adequate
Adequate | Adequate | Weak → Partially Adequate
Adequate | Partially Adequate | Partially Adequate → Partially Adequate
Adequate | Partially Adequate | Weak → Partially Adequate
Partially Adequate | Partially Adequate | Partially Adequate → Partially Adequate
Partially Adequate | Partially Adequate | Weak → Partially Adequate
Adequate | Adequate | Unreliable → Weak
Adequate | Partially Adequate | Unreliable → Weak
Adequate | Weak | Weak → Weak
Adequate | Weak | Unreliable → Weak
Partially Adequate | Weak | Weak → Weak
Weak | Weak | Weak → Weak
Partially Adequate | Partially Adequate | Unreliable → Weak
Partially Adequate | Weak | Unreliable → Weak
Weak | Weak | Unreliable → Unreliable
Unreliable | Unreliable | Partially Adequate → Unreliable
Unreliable | Unreliable | Weak → Unreliable
Unreliable | Unreliable | Unreliable → Unreliable
Adequate | Unreliable | Unreliable → Unreliable

Level/Conclusion | Summary Description | Governance | Control | Risk

Level 4: Adequate

Summary: Internal control environment has been adequately designed and effectively implemented to mitigate risks to an acceptable level. Reasonable assurance can be provided that risks were effectively managed, and that business and control objectives will be achieved. Management has accepted risk levels that are acceptable to the organization.

Governance:
• Promotes appropriate ethics and values within the business (P1)
• Effective business performance management and accountability (P5)
• Effective communication of risk and control information within the business (P3, P14)
• Effective co-ordination of business activities (P3)
• Effective communication of business performance, information and results within the business (P3, P14)
• Compliant with applicable corporate governance requirements (P2, P12, P15)

Control:
• Implemented controls (including IT information systems) are adequately designed and operating effectively (P10, P11, P13, P16)
• Controls (including IT information systems) are well documented (P13, P16)
• Minor errors or misstatements identified, but not material or significant (P6)
• Compliant with laws / regulations / corporate policies and procedures (P4, P6, P12, P15)
• All previously reported internal control deficiencies are remediated and actioned (P17)

Risk:
• Risk registers effectively maintained (P7)
• Potential fraud risks are assessed and responded to (P8)
• Potential risk impacts regarding changes in the business / IT information system environments and/or at management level are assessed and responded to (P9, P11)
• Implemented risk responses are adequately designed and operating effectively (P6, P7)
• Risk treatments are well documented (P7)
• Minor risk materialization may occur, but not with material or significant impact (P6)
• RM Policy and RM Framework fully implemented and complied with (P4)
• RM assurance activities are operating as intended (P7, P16)

Level 3: Partially adequate, needs some improvement

Summary: Internal control environment has been generally designed and implemented to mitigate risks to an acceptable level, but certain key processes / areas require some improvement. Partial assurance can be provided that risks were effectively managed, and that business and control objectives will be achieved. Management has accepted risk levels that are slightly higher than what is acceptable to the organization.

Governance:
• Generally ethics and values are effectively promoted within the business, with minor exceptions
• Generally business performance management and accountability is effective, with minor exceptions
• Generally risk and control information is communicated within the business, with minor exceptions
• Generally business activities are effectively coordinated, with minor deficiencies noted
• Generally business performance, information and results are effectively communicated within the business, with minor gaps noted
• Some minor lapses in compliance with

Control:
• Generally implemented controls (including IT information systems) are adequately designed and operating effectively, with minor exceptions
• Generally controls (including IT information systems) are well documented, with minor gaps and deficiencies noted
• Some errors or misstatements identified, but not material or significant
• Some lapses in corporate policies & procedures
• Most previously reported internal

Risk:
• Risk registers are maintained, but require some updates
• Generally potential fraud risks are assessed and responded to
• Generally potential risk impacts regarding changes in the business / IT information systems environment, and/or at management level are assessed and responded to
• Generally implemented risk responses are adequately designed and operating effectively, with minor exceptions
• Generally risk treatments are well documented, with minor gaps and deficiencies noted
• Potential risk materialization outside acceptable risk tolerance levels, but not with material or significant impacts
• RM Policy and RM Framework partially implemented and complied with
• RM assurance activities are partially operating as intended

Level 2: Weak, needs major improvements

Summary: Internal control environment is weak and ineffective to mitigate risks to an acceptable level, and major improvement in certain key processes / areas is required. Limited assurance can be provided that risks were effectively managed, and that business and control objectives will be achieved. Management has accepted risk levels excessively higher than what is acceptable to the organization.

Governance:
• Ineffective promotion of ethics and values within the business
• Ineffective business performance management and accountability
• Ineffective communication of risk and control information within the business
• Ineffective co-ordination of business activities
• Ineffective communication of business performance, information and results within the business
• Ineffective compliance with applicable corporate governance requirements

Control:
• Controls (including IT information systems) are generally present with some design or operating effectiveness inadequacies
• Controls (including IT information systems) are not adequately documented to ensure continuity and effective hand-over of procedures should there be a change of control owners
• Major lapses in compliance with laws / regulations / corporate policies & procedures
• Significant errors or misstatements identified
• Some previously reported

Risk:
• Risk registers are incomplete and not up to date
• Potential fraud risks are ineffectively assessed and responded to
• Potential risk impacts regarding changes in the business / IT information systems environment, and/or at management level are ineffectively assessed and responded to
• Risk responses are generally present with some design or operating effectiveness inadequacies
• Risk treatments are not adequately documented to ensure continuity and effective hand-over of procedures should there be a change of control owners
• Potential of major risk materialization outside acceptable risk tolerance levels, with material impacts
• RM Policy and RM Framework ineffectively implemented & complied with
• RM assurance activities are ineffective

Level 1: Unreliable, needs immediate attention

Summary: Internal control environment is unstable and unreliable to mitigate risks to an acceptable level, and significant improvement in key processes / areas is urgently required. No assurance can be provided that risks were effectively managed, and that business and control objectives will be achieved. Management has accepted risk levels that are unacceptable to the organization.

Governance:
• Inappropriate ethics and values promoted within the business
• Inadequate business performance management and accountability
• Inadequate communication of risk and control information within the business
• Inadequate co-ordination of business activities
• Inadequate communication of business performance, information and results within the business
• Limited / non-compliance with applicable corporate governance requirements

Control:
• Unpredictable environment for which controls (including IT information systems) have not been designed or implemented
• Material errors or misstatements identified
• Significant lapses in compliance with laws / regulations / corporate policies
• None / few previously reported internal control deficiencies are remediated and actioned

Risk:
• Risk registers are unreliable or non-existent
• Potential fraud risks are inappropriately assessed and responded to
• Potential risk impacts regarding changes in the business / IT information systems environment, and/or at management level are inadequately assessed and responded to
• Unpredictable environment for which risk responses have not been designed or implemented
• Potential of significant risk materialization outside acceptable risk tolerance levels, with material and significant impacts
• RM Policy and RM Framework not implemented and complied with
• RM assurance activities are inadequate and unreliable
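The grading model above, as an added example (not code from the deck or from IFACI) that runs the slide's own worked case: three control objectives graded 3, 3 and 1 give individual gradings of Partially Adequate, Partially Adequate and Unreliable, and the outcome-based rules turn those into an overall Level 2: Weak. It assumes that each control objective is graded on the IA objective(s) it impacts, that an IA objective's score is the importance-weighted mean of those grades, and that a score maps to its nearest level; which COSO components are ticked and which IA objective each row grades are constructed, since the slide only shows tick counts and resulting scores.

```python
# Added example, not code from the IFACI deck: the COSO 2013-based GRC maturity
# grading model from the slides, run through the slide's own worked case.
# Assumptions: a control objective is graded on the IA objective(s) it impacts,
# an IA objective's score is the importance-weighted mean of those grades, and
# a score maps to its nearest level (the 33.33% weights leave only levels).
from typing import Dict, List, Tuple

LEVELS = {1: "Unreliable", 2: "Weak", 3: "Partially Adequate", 4: "Adequate"}
IA_OBJECTIVES = ("Governance", "Risk Management", "Business Control Environment")
COSO_COMPONENTS = ("CE", "RA", "CA", "IC", "MA")  # the component tick columns

# Outcome-based rules copied from the slide: the three individual gradings,
# irrespective of GRC dimension, give one overall grade. Keyed by the
# descending-sorted tuple of levels; all 20 possible combinations are present.
OUTCOME_RULES: Dict[Tuple[int, int, int], int] = {
    (4, 4, 4): 4, (4, 4, 3): 4,
    (4, 4, 2): 3, (4, 3, 3): 3, (4, 3, 2): 3, (3, 3, 3): 3, (3, 3, 2): 3,
    (4, 4, 1): 2, (4, 3, 1): 2, (4, 2, 2): 2, (4, 2, 1): 2, (3, 2, 2): 2,
    (2, 2, 2): 2, (3, 3, 1): 2, (3, 2, 1): 2,
    (2, 2, 1): 1, (3, 1, 1): 1, (2, 1, 1): 1, (1, 1, 1): 1, (4, 1, 1): 1,
}


def control_objective(name: str, components: Tuple[str, ...], importance: int,
                      grades: Dict[str, int]) -> dict:
    """One row of the scoring sheet; grades maps an IA objective to a level 1-4."""
    if set(components) - set(COSO_COMPONENTS) or set(grades) - set(IA_OBJECTIVES):
        raise ValueError(f"{name}: unknown COSO component or IA objective")
    if importance < 1 or not grades or any(g not in LEVELS for g in grades.values()):
        raise ValueError(f"{name}: importance must be >= 1 and grades must be 1-4")
    return {"name": name, "components": components, "importance": importance,
            "grades": dict(grades)}


def score_ia_objectives(rows: List[dict]) -> Dict[str, float]:
    """Importance-weighted score per IA objective over the rows that grade it;
    an objective that no row grades is simply absent from the result."""
    scores = {}
    for obj in IA_OBJECTIVES:
        hits = [(r["grades"][obj], r["importance"]) for r in rows if obj in r["grades"]]
        if hits:
            scores[obj] = round(sum(g * w for g, w in hits) / sum(w for _, w in hits), 2)
    return scores


def level_of(score: float) -> int:
    """Nearest maturity level for a score (half rounds up), clamped to 1-4."""
    return max(1, min(4, int(score + 0.5)))


def overall_grading(scores: Dict[str, float]) -> int:
    """Apply the outcome-based rules to the three individual objective gradings."""
    if set(scores) != set(IA_OBJECTIVES):
        raise ValueError("the overall opinion needs all three IA objectives scored")
    key = tuple(sorted((level_of(s) for s in scores.values()), reverse=True))
    return OUTCOME_RULES[key]


def grade_slide_example() -> Tuple[Dict[str, float], int]:
    """The slide's case: control objectives graded 3, 3 and 1. Which components
    are ticked and which IA objective each row grades are constructed here."""
    rows = [
        control_objective("Control Objective 1", ("CE", "RA", "CA"), 3, {"Governance": 3}),
        control_objective("Control Objective 2", ("RA", "CA", "IC"), 3, {"Risk Management": 3}),
        control_objective("Control Objective 3", ("CE", "CA", "IC", "MA"), 3,
                          {"Business Control Environment": 1}),
    ]
    scores = score_ia_objectives(rows)
    return scores, overall_grading(scores)


if __name__ == "__main__":
    scores, overall = grade_slide_example()
    print(scores, f"FINAL OVERALL GRADING: Level {overall}: {LEVELS[overall]}")  # Level 2: Weak
```

Because the rules are keyed on a sorted tuple, the same function also answers the comparison-over-time question the deck raises: re-scoring next year's sheet and diffing the two overall levels needs no change to the table.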

Auditing focused on Issue Resolution and Management Commitment

PRACTICAL TIPS

• Allocate 50% of the standard audit time to problem solving and strategic thinking
• Replace the audit report by a customised summary template to key stakeholders
• Develop after-audit services to monitor progress

VECTORS FOR VALUE ADDITION

• Efforts are more focused on solutions
• Well-reasoned, well-founded and thorough recommendations
• Impact on decision-making and executive managers
• Outcome-oriented mindset of the organisation

• Procedure—A written explanation of the process.
• Training—Teaching the process.
• Supervision—Adhering to and improving the process.

Process improvement loop (diagram): Processes (daily operations, work, tasks, business) run from A to B; Problems trigger Containments and an Investigation; Cause Mapping / Root Cause Analysis then feeds back into implementing the solutions (improvements).

Cause Mapping:
1. Problem: What's the problem?
2. Analysis: Why did it happen?
3. Solutions: What will be done?

DID happen: Incident, Crisis, Failure, Error, Defect, Delay
COULD happen: Near-miss, Potential, Risk, FMEA, RCM

From data to ideas (diagram): scattered Data are combined into Information, from which an Idea emerges; Critical Thinking ("Judging") then sorts Good Ideas from Bad Ideas.

Data Quality: • Clarity • Accuracy • Precision • Relevance • Completeness • Consistency

Data Orientation (biases to watch for): • Egocentrism • Socio-centrism • Assumptions • Prejudices and Fears • Relativistic Thinking • Wishful Thinking

Unique Auditing Slidedeck & Logical Writing

PRACTICAL TIPS

• Combination of Planning Memorandum, Kick-off & Closing Presentation and Report
• Information provided once and for all
• Slides used and re-used along the mission
• Specific communication merging strategy, structure and format

VECTORS FOR VALUE ADDITION

• Allocation of resources to substantive work
• Optimised focus on key messages
• Clarity and visual cues for the stakeholders
• Attractive and easy-to-read documents

Logical writing pyramid (diagram): an Overriding Question is answered by the Main message; the questions it raises (why, how or what?) are answered by the Key ideas; each of those is in turn answered by Supporting ideas.

• Build a one-sentence thesis statement from scratch, based on one or two research keywords
• Eliminate the linguistic and structural ambiguities
• Build a logical argument based on the thesis statement developed
• Find and eliminate the known counterarguments
• Build the paper's abstract based on the thesis statement and arguments developed (Background, Goal, Thesis Statement, Procedures, Implications)
• Build the full paper based on the abstract developed
• Modify the thesis statement, argument and abstract again and again

Phases: Build the Thesis Statement → Build the Logical Argument → Build the Abstract → Build the Body

Professional Tutorship & Career Acceleration Programme

PRACTICAL TIPS

• Sponsorship of the Director General
• Close interaction with Human Resources
• Integration in the overall talent programme
• Attractive training and audit assignments
• Mastery of broad-based technical skills, familiarity with all business units, ability to build networks across the organisation

VECTORS FOR VALUE ADDITION

• Higher retention of talented employees
• Future group leaders well versed with GRC
• Enhanced IA capacity with regular inflow
• Positive ratchet effect on internal audit

Phase I – Sourcing | Phase II – Training + Assignment | Phase III – Deployment

Programme elements (diagram, Steps 1 to 4): Strategic Workforce Planning (analysis of the Group's needs for future leaders; partnership with Corporate HR and universities); Sourcing; Training; Job Assignments (Turn Key Project; Secondment; Business Secondment); Executive Placement.

Group Internal Audit Career Path

• Junior Auditor, Year 1: Understand the environment
• Junior Auditor, Year 2: Select domain area of expertise
• Senior Auditor, Year 3: Follow domain area training + plan move

Junior (2 – 3 years) → Senior (3 – 5 years) → Lead (5 – 8 years) → Manager (8 – 10 years) → Director (10+ years)

IDM Career Framework

Proficiency Level: Novice; Junior; Associate; Senior; Principal

Standard Roles: Administrator; Client Manager; Consultant; Operations Mgr/Drtr; Process Analyst; Process Manager; Product Manager; Project/Program Mgr; Service Architect; Service Delivery Mgr; Service Manager; Solution Architect; Solution Manager; Support Analyst; Support Engineer; Team Leader; Technical Architect; Technical Engineer

Competences

Portfolio & Internal Service Domain (Level 1) | Sub-Competence
AQDA | Deal Assurance
AQDA | Contract Assurance
AQDA | Account Recovery
AQDA | Quality Management System
AQDA | Quality Management in Accounts
AQDA | Quality Management in Projects
Client Management | Client Management
RACG | Client Security Management
RACG | Internal Security Management
RACG | Security Support
RACG | Business Continuity Management
RACG | Client Continuity Management
RACG | Risk and Internal Control Management
Service Management | Service Delivery Management
Service Management | Compliance
Service Management | Process Service Management
Service Management | Lean Management
T&T | Program control
T&T | Governance and Steering

IDM roles and competences that could be covered by GIA skills

Human Capital Management → Organizational Development → Enterprise Optimization

Lessons learned from lean6sigma auditing

PRACTICAL TIPS

• Roll-out of SIPOC, Pareto, Ishikawa, Value Stream and RACI tools
• Packaged toolbox with built-in support
• Broadened capabilities for auditing complex systems
• Partnership with the quality function

VECTORS FOR VALUE ADDITION

• Summarised and targeted communication
• Enhanced analytical skills
• Advanced sharing of business knowledge
• High-quality reusable deliverables

SIPOC map of a credit portfolio monitoring process (diagram recovered from the slide; S = Supplier, I = Input, P = Process, O = Output, C = Customer)

Suppliers and customers (the actors on the map): Governance; Regional bank (caisse régionale); Internal audit; Collections department; CASA / IGL; Operational staff (account and client managers); Client; Transformation department

Inputs: • Credit policy in force • Guarantee policy • Database on overall production (portfolio rating, default rate overall and by market, etc.) • Regulatory CASA • Yellow letters • Previous recommendations • Client data • Counterparty analysis

Process: Define the monitoring indicators; Carry out portfolio reviews; Define the monitoring actors; Request a transfer to collections where appropriate; Decide on the arrangements for monitoring the file; Monitor and steer the overall portfolio; Request a modification of the file

Outputs: • Amendment of the credit policy / delegations • Risk monitoring committee (qualitative and quantitative analyses) • Multi-criteria queries: by market, by exposure type (performing, sensitive, default) • Follow-up of recommendations • Transfer of files • Training plan • Requests to modify files (new guarantees, etc.)

Integrated Audit Plan Preparation Package

PRACTICAL TIPS

• Development of a thematic audit universe
• Definition of criteria for prioritisation
• Broadened inputs for plan definition
• Clear takeaways for each input
• Template for outputs aggregation

VECTORS FOR VALUE ADDITION

• Objective-based, business-centric planning
• Substance over form
• Identification of management guiding threads
• Qualitative vs quantitative approach

Integrated audit plan heat map (diagram; only the legend, the column headings and the legend letters attached to each country row were recoverable)

Legend: A – Group's strategy; B – MEcon and Performance; C – Fraud and Corruption; D – Governance Processes; E – BRM; F – ICS; G – H&S; H – IT and RBSC Changes; I – 2016 Audit Results; J – Sel. Interviews

Themes: PRODUCT LINES | Growth and Innovation | People | Performance and Costs | Asset Light | Sustainable Development | GOVERNANCE, RISK AND CONTROL PROCESSES

Columns: OTH; RMX; AGG; CEM; Innov.; Digital; Cust. Excel.; Fin.; Proc.; Sh. Serv.; Retail Sol.; Sust.; Log; CAPEX Mgt.; H&S

Rows: Argentina (D); Brazil (D, F, J); Chile (D, F); Ecuador (D); Colombia; CREST; Costa Rica (D)

« Dare; progress comes at that price. All sublime conquests are, more or less, prizes for boldness. »

Victor Hugo, Les Contemplations