Farid Aractingi - The changing face of the Internal Audit in Europe

Internal Audit:
The changing face of the Internal Audit in Europe
Auditor of the future: trusted & influencing advisor
Farid ARACTINGI
ECIIA, President

Enhancing governance through internal audit2
GOVERNANCE in view of sustainable performance
INTERNAL AUDIT in the heart of good governance
ECIIA at the service of Internal Audit
We now live in an incredible world…
… but incredibly crazy
so we need to refocus on basics:
performance – and sustainable performance

Crazy world: globalization & unstable environments
 Speedy transformations for Society & Business
Bankruptcy
Sovereign
debts
rise - fall – rise again
of BRICS
Industrial
Delocation
then / or Relocation
Demographic
imbalance
Cultural
standardization
economic fight
easy access to
Technologies
Dematerialization
of intermediaries
"Premium vs Low-cost"
.. 2.0
...3.0
...4.0
Digital
bahavior
Social
networks
impacts
Climate
deregulation
Agility
requirement
Frugality
approach
 Excesses / cycle of ‘permanent’ crisis
Biotechnologies
Artificial
Intelligence
Cyberattack
Migration
flows
Global
Supply chain

12-2001 07-2002 07-2007 01-2008 09-2008 12-2008 04-2010 04-2010 06-2017 04+11-2017 07-2017
2002
2003
2004
ERM approach
EU directive
2009
2010
remuneration
and introduction of
standardised EU
regulatory reporting
2013
Audit Committee
Missions
Requirements
Liability
2016 and later…
Crazy world: the terrible decade
from crisis to restoration of confidence through regulation
Bank for International Settlements
60 central banks

Crazy world: Command & Control interrogations
Three reasons why good strategies fail:
Execution, Execution, Execution…
(Lawrence G. Hrebiniak, Wharton)
But can better execution be taught?
You can at least make people aware of the key
variables…
“A mediocre strategy well executed is better
than a great strategy poorly executed”
(The execution trap, Harvard Business Review)
 42,600 references in Google
What is sustainable
performance?
How do we measure that a Board is effective?
Is there a “golden triangle”
with A.C., I.A. and E.A.?
Why do companies need good governance?

Crazy world: today’s response is “the 21st century leitmotiv"
[ Good governance* ]
for a sustainable performance
(*) Governance is a performance tool
(*)
October 4th 2017
(*) Etymology :
From latin gubernare, and therefore from the Greek Kivernao (Κυβερνάω) that means “govern”
To govern is both “do the right things”
and “do the things right”

what means a good Governance?
what impact for Internal Audit teams & structure?
how can ECIIA help the profession in these (r)evolutions?
But:

... What means a good Governance?

SYSTEM composed by all
processes, structures, laws, regulations and
institutions aimed at defining the way the company
is managed, run and controlled
3 KEY WORDS
 Formalisation
 Transparency
 Capacity to say “no”
Improve the DECISION QUALITY,
in view of sustainable performance
STAKE HOLDERS
Board of Directors, Executive Management, Operating Management,
Employees, Analysts, Clients, NGO’s, …
Within the organisation
WHAT?
HOW? WHO?
WHERE?
WHY?
Always, continuously, and not to tick boxes before formal milestones
WHEN?
Mandatory – and payback is immediate when the first risk has been
put under control
HOW MUCH?
Good governance: W5H2 of Governance

bureaucracyhyper-liberalism
Compliance Efficiency Internal
Audit
Internal
Control
Risk
Management
Shared
repositories
With an inseparable tryptic
at the service of good governance
Governance
Good governance: I.A. involvement
A guarantee of balance and, therefore, a guarantee of performance

Good governance
The 3 Lines of Defence model, as a mean for effective organisation
Board of Directors
Protect shareholder interests
• Approve the guidelines proposed by the Board of Directors: accounts, dividends, capital
transactionles administrateurs
• Elect directors
Secure long-term sustainability of the Cie
• Validate the strategy
• Control the operations
• Co-manage the company in crisis mode
Executive Management
Board of Directors – Audit Committee
Deliver short-term operational performance
• Propose a strategy
• Conduct operations aligned with the strategic plan
 “Make your numbers”
 “Grow your people”
General shareholder assembly

1STLINE
Operational
management
• has ownership, responsibility and accountability for assessing, controlling
and mitigating risks
2NDLINE
Internal
governance
functions
(Group support & control functions)
• monitors and facilitates the implementation of effective risk management
practices by the 1st line
• assists risk owners in reporting adequate risk-related information throughout
the organization
3RDLINE
Internal Audit
• provides assurance to the Group governing body and senior management
on the organization’s effectiveness in assessing and managing its risks and
related internal control systems, including the manner in which the 1st and
2nd lines operate.
To ensure clarity of roles and responsibilities in organizational governance, the “3 LoD model”
defines each level of control:
Good governance
Internal audit positioning within this 3 LoD

... Impact for Internal Audit teams & structure?

As an internal auditor
what do I have to do?
“To enhance and protect
organizational value
by providing risk-based and objective
assurance, advice and insight”

What I.A. do they need?
Focused on our distinctive features
 Independence
▪ essential marker of our profession
 Cross-functionality, sponsor of:
▪ long-term and sustainable performance rather than isolated shining star
▪ global coherence, rather than silo approaches
 Discipline of execution
▪ key success factor for decision-making after fruitful and contradictory debate
 Pragmatic courage
▪ speak the truth with neither arrogance nor complacency
 Guardian of the temple (the Internal Control temple…)
Auditor: a robust and well-equipped business
partner, supported by both a panoramic 360° vision
and a proven methodology, able to make a diagnosis
but also to advise.

Engaged in skills refurbishing
Auditor: committed to the transformation of our
stakeholders, relying on their business processes to get
the strategic vision, while keeping operational energy.
Required basics on technical audit skills
+
Conjugate antonyms:
 Analysis capacity vs synthesis capacity
 Scepticism by default vs intuition feeling
 Process Control vs innovative recommendations
 Understanding of business stakes vs naïve creativity
 Written & oral communication vs English gentleman behaviour
 Confidentiality vs transparency at the right level
 Targeted sampling vs predictive analysis with big data

Reliable actors of good governance
Auditor: its concern is no longer confined to financial
risks alone. It should cover all themes:
▪ deployment of strategies ▪ adequacy of resources ▪ degradation of
image ▪ new business models ▪ corruption & fraud ▪ …
Rework your behaviour
 Understand complex and volatile contexts
• calls for both subtlety and determination
• augments credibility of our reports
• gives a new aura to our jobs
 More than ever
• start with business processes and operational objectives
• analyse related risks
• imagine those which are unlikely but with devastating impacts

I.A. involvement:
Our transformation
The profession is evolving a lot
and it is now important than ever to be more:
 Rigourous
 Professional
 Good communicator
 Flexible/Reactive
 Global coordinator
to “get a seat at the table ”
financial
controller
trusted
business
partner

... And how can ECIIA help the profession
in these (r)evolutions?

European Confederation of Institutes of I.A. (ECIIA)
Represents the I.A. profession in Europe and Mediterranean basin
Collaboration tool
(Research – Other tbd)
from a national
to the European dimension
Lobbying tool
vàv European bodies
Coaching
institutes
Exchange
between presidents
35 National Institutes
47.000 members
Way to work:
Furthering the development of
good Corporate Governance and Internal Audit
at the European level,
through knowledge sharing,
developing key relationships,
and impacting the regulatory environment

ECIIA advocacy targets
influence
Objective:
Promote good corporate governance
& appropriate recognition of I.A. in European
regulations and Corporate Governance codes
European Parliament European Commission Banking Authority
Central Bank Insurance & Occupational Securities
Pensions Authority & Markets Authority
collaborate with
1 2 3
4 5 6
FERMA Confederation of Public Finance Control
Risk Management Directors Associations
represent interests of lobby group representing Accountancy
publicly quoted compagnies enterprises of all sizes Europe
Objective:
Build relationships with key institutions interested in
Corporate Governance at European level
Organize common events, make common
publications...
1 2 3
4 5 6

A position paper: “At the junction of corporate governance and cybersecurity”
22
Example #1: Cybersecurity corporate governance
(publication with Ferma)

Example #2: Hot topics for I.A. 2018
(co-publication from : )

Hottopics
for2018AuditPlan
[ select to
see more ]

QUESTION
ANSWER
www.eciia.eu
info@eciia.eu

APPENDIX

GDPR and the data protection challenge
 Not only a cybersecurity issue…
 Governance angle…
 Wider geographic aspect
[ Back to Hot
Topics 2018 ]

 Aware, yes: but..
 Governance issues
 Creating a ‘cyber culture’
Cybersecurity: a path to maturity – 1/4
The 5 core functions of effective cyber security:
■ Identify ■ Protect ■ Detect ■ Respond ■ Recover

The internal audit can play a role in the :
 Development
 Implementation
 Ongoing assessment
 Independent overall assurance on efficiency &
effectiveness
of cyber risk management plans

Our proposal for
cyber governance(*)
(*) Proposal from ECIIA Ferma position paper at
the junction between cybersecurity and
governance

Risk Management & Internal Audit relationship in cyber
[ Back to Hot
Topics 2018 ]

Regulatory complexity and uncertainty – 1/2

The role of Internal Audit
 Assist for the inventory of the Regulator Bodies requirements
affecting the company
 Assess the company approach to managing global compliance
activities
 Evaluate company’s response to any notable instance of non
compliance
 Ensure compliance training programs offered to employees and
other stakeholders are appropriate
 Collaborate with compliance for an integrated approach of risks
ad controls of non compliance
 Provide assurance with regards to the design and operating
effectiveness of the organization compliance framework
Regulatory complexity and uncertainty – 2/2
[ Back to Hot
Topics 2018 ]

Pace of innovation – 1/2

The role of internal audit:
 Conduct assessment of the organisations emerging
products, technologies,…in relation to industry standards
 Evaluate changes in the business model impacting the risks
and controls linked with innovation
 Review policies and procedures around innovation in terms
of governance, controls, data integrity, security and privacy
and supplier management compliance
 Evaluate disaster recovery and business continuity plans in
light of the innovation and new technologies
 Assess governance , risks and controls implemented for the
new products, technologies,…
Pace of innovation – 2/2
[ Back to Hot
Topics 2018 ]

Political uncertainty
[ Back to Hot
Topics 2018 ]

Vendor risk and third party assurance – 1/2

The role of internal audit
 Review third party identification due diligence processes and
controls
 Evaluate contract management processes used by Management
to track third party relationships
 Monitor regulatory developments related to third parties
 Enforce and ensure consistency of right to audit clauses in third
parties contracts
 Assess third party compliance with company information security
standards
 Assess continuous monitoring system of reporting data from
third party business partners
Vendor risk and third party assurance – 2/2
[ Back to Hot
Topics 2018 ]

The culture conundrum – 1/3

The role of internal audit
 The Scope of internal audit includes the risk and control culture of
the organisation.
 Assess:
• processes (e.g. appraisal and remuneration)
• actions (e.g. decision making)
• “tone at the top”.
 Whether in line with the values, ethics, risk appetite and policies of the
organisation.
 Consider attitude and assess approach taken by all levels of
management to risk management and internal control.
 Including management’s:
• actions taken in addressing known control deficiencies
• regular assessment of controls.

Risk culture - definition
“Risk culture is a term describing the values, beliefs, knowledge and
understanding about risk shared by a group of people with a common
purpose, in particular the employees of an organisation or of teams or
groups within an organisation.”
(Under the Microscope – Guidance for Boards, Institute of Risk Management, 2012)
Auditing cultural indicators – main approaches:
1. Incorporate into each audit (e.g. root cause analysis)
2. Thematic - auditing cultural indicators throughout organisation
(e.g. recruitment, training, performance management and reward)
[ Back to Hot
Topics 2018 ]

 The demographic challenge
 New roles
 New skills
 New attitudes
 A new view of the workforce
Workforces: planning for the future – 1/2

Workforces: planning for the future – 2/2
[ Back to Hot
Topics 2018 ]

Evolving the internal audit function – 1/2

Evolving the internal audit function – 2/2
 Reporting lines for internal audit: report to the Board, Audit
and Risk Committees
 Reporting should include:
• a focus on significant control weaknesses and breakdowns
together with a robust root-cause analysis;
• any thematic issues identified across the organisation;
• an independent view of Management’s reporting on the risk
management of the organisation, including a view on Management’s
remediation plans highlighting areas where there are significant
delays;
• at least annually, an assessment of the overall effectiveness of
the governance, and risk and control framework of the organisation,
together with an analysis of themes and trends emerging from
Internal Audit work and their impact on the organisation’s risk profile.
[ Back to Hot
Topics 2018 ]

Farid Aractingi - The changing face of the Internal Audit in Europe

Recommended

Recommended

More Related Content

Similar to Farid Aractingi - The changing face of the Internal Audit in Europe

Similar to Farid Aractingi - The changing face of the Internal Audit in Europe (20)

Recently uploaded

Recently uploaded (20)

Farid Aractingi - The changing face of the Internal Audit in Europe