The evolving role of the internal auditor - KPMG

1 The evolving role of theinternal auditorValue creation and preservation from an internal audit perspectiveADVISORYThe evolving role of the internal auditor 1 IntroductionChanging stakeholder expectations and a new view of risk management areprompting an important shift in the role of internal audit (IA) in manyorganisations. New demands from theboard, senior organisational leaders, andregulators are requiring internal auditgroups to refocus their efforts beyondregulatory compliance s more, as regulatory complianceresponsibilities have expanded andregulators and various rating agencies,among others, have adopted evaluationcriteria including enterprise riskmanagement (ERM), the need forenhanced rigor and transparency and aconsolidated view of risk managementcapabilities has become this environment , many leaders haverecognised the need for internal audit toplay a larger role one that expands onits historic focus on value preservation (a control focus) to encompass activitiesrelated to value creation (a performancefocus).

2 Such a shift could enable internalaudit with the objectivity of itsperspective and the rigor of its processes to bring value to the business in newways. internal audit s existingorganisation-wide perspective andmandate and its access to all areas of the business, personnel, andresources uniquely position it to expand its white paper will discuss the newchallenges internal audit departmentsface in the context of their evolving roleand responsibilities. It will consider howIA can begin to address these challengesand thereby create value fororganisations thus reasserting itstraditional role as an independent audit s existingorganisation-wideperspective and mandateuniquely position it toexpand its role. 2007 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swisscooperative.

3 All rights reserved. Liability limited by a scheme approved under Professional Standards evolving role of the internal auditorThe changing role of internal auditAccelerating change has characterisedthe business landscape for many yearsand can be expected to continue. Newcompetitors, technologies, and financialinstruments; changing cost structuresand regulations; increasingly integratedglobal economies; and otherdevelopments are creating new risks andopportunities for organisations toconsider. As these developments evolve,they will open newdoors for internalaudit to regain its historic influence as anindependent adviser to management insupporting top management s goals,monitoring enterprise risk, and enhancingregulatory compliance efforts asdiscussed the leadershipagendaInternal audit s newopportunities andchallenges are similar to those that areevolving for chief financial officers (CFOs) at many leading , the CFO has beenresponsible for areas such as risk,financial reporting, compliance withcapital market regulations, andinfrastructure the value preservation roles.

4 Today, CFOs are being asked totake on additional responsibilities, andthey are increasingly at the centre ofleadership decision-making and are increasingly expectingtheir CFOs to play a strategic,consultative role in leading the business one that is driven by the needs of thebusiness rather than traditionalaccounting responsibilities. In manyleading organisations, the CFO owns,participates in, or influences valuecreation activities including financeThe changing IA environment Supporting the leadershipagenda Impact on value creation evolving skill sets to meet a new role Participation in strategydevelopment Integrated versus siloed riskmanagement Newfocus on fraud 2007 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swisscooperative.

5 All rights reserved. Liability limited by a scheme approved under Professional Standards evolving role of the internal auditor 3 Developing a consolidated single view of riskAlong with efforts to manage risk acrossthe enterprise, many organisations arestruggling with overlapping and oftenburdensome compliance tendency has been to employmultiple approaches to risk identification,measurement, and monitoring,depending on the purpose of the effort( , Sarbanes-Oxley [S-O]) or theperspective of the department involved( , compliance, internal audit ,operations). Each framework ordepartment tends to have its own viewsof risk and risk focus. For example, S-O Financial statement risks Compliance Reputation andregulatory risks internal audit Process- and control-level risks (inclusive of reputation,regulatory, and operational risk) Operations Market, credit, currency,and other operational risksIn addition, howrisk is measured andrated also differs across departments.

6 For example, those focused on S-O may use a system of high/medium/low,while internal audit may use a number-based and mergers andacquisitions as well as post-mergerintegration, strategic sourcing, operationsimprovement, and the technologyenablers needed to achieve are focused on activities that addvalue, and their functions are driven by anawareness of the organisation s key , CFOs focus on how to applytheir organisations analytical and financialskills to manage those , internal audit has newopportunities to both expand itstraditional value preservation activitiesand leverage its skills in newways tosupport value creation. Leadingorganisations increasingly expect internalaudit to use its quantitative skills and riskknowledge to support improvements inrisk management.

7 internal auditpersonnel can bring their core skills of risk and control analysis to theseincreasingly important activities. Over time, IA will need to continueexpanding its skills as its roleencompasses activities at the top of the leadership risk across the enterpriseThroughout organisations, leaders are focused more fully than ever on managing risk agendas have the support of their boards as well as their regulators, a few of which are including ERM as ascorecard component. As practical usesof ERM have evolved, they have beenwidely embraced and deployed as ameans of bringing new discipline to the process of risk audit has a multifaceted role toplay in the ERM arena. The Institute ofInternal Auditors notes that internalaudit s core role with regard to ERM is to provide objective assurance to theboard on the effectiveness of anorganisation s ERM activities to helpensure key business risks are beingmanaged appropriately and that thesystem of internal control is operatingeffectively.

8 1In addition, many companiesare looking to internal audit to supportstrategic business objectives. That effortextends to ERM activities such as: Risk identification and prioritisation Alignment of people, processes, andsystems with business strategy Definition of key performance indicators Analysis and quantification of riskfactors in new business ventures andstrategies Understanding of shared risks amongvarious projects and audit s discipline, its knowledgeof the organisation s key risks, itsenterprise-wide view, and its familiaritywith the COSO framework2enable it(unlike any other group) to bring animportant perspective and discipline to an ERM Institute of internal Auditors Web site, FAQs, What is Enterprise Risk Management (ERM) and what role in it does internal auditing play?

9 20072 The Committee of Sponsoring Organisations of theTreadway Commission. 2007 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swisscooperative. All rights reserved. Liability limited by a scheme approved under Professional Standards evolving role of the internal auditorOften, regulators, compliancedepartments, operational riskdepartments, and external auditors askfor similar (and sometimes identical)information about the state of internalrisk management. In addition,multinational companies have to copewith differences in home and host risk management standards andregulatory requirements in address these issues, many leadingorganisations are moving away from a siloed or geographic approach to amore consolidated risk assessment,management, and monitoringperspective.

10 This effort involvesformulating, at the board level, a singleview of what organisational risk is andhow it can be measured and efforts to integrate numerouscompliance and risk managementrequirements into one process (or atleast fewer processes) while continuingto meet the needs of variousstakeholders can be challenging fororganisations. The goal is an enterprise-wide approach to compliance andgovernance that minimises the overlap in management structure and theduplication of existing processes,systems, controls, and data flows. The single view of risk focus andidentification, measurement, andmonitoring allows senior management toidentify and slice top risks that face theorganisation as a whole across allbusiness lines. IA can support thebusiness with development of related with regulationsOrganisations evolving desire for a singleview of risk is increasingly reflected inexternal stakeholders demand forsomething similar.