AUDIT FUNCTION STRATEGY (Driving Audit Value, Vol. I ) - The best practice strategy guide for maximising the audit added value at the Internal Audit Function level

Global Recognition for

AUDIT FUNCTION STRATEGY

DRIVING AUDIT VALUE (VOL. I)

Audit Function Strategy offers profound insights and hands-on advice on the achievement of the highest performance levels for Internal Audit. The book will prove to be a bible for all Chief Audit Executives who strive to deliver the best audit value to the organisation they serve. Driving Audit Value (Vol. I) also guides Audit Committees and Executive Management for what can be expected of a state-of-the-art Internal Audit function and how to benefit from unlocked audit potentials.

Henk van Blokland, Head of Internal Audit OC Oerlikon Management AG, Switzerland

Hans Beumer has developed an excellent internal audit resource with thought-provoking strategies and concepts based on actual experience. Relevant and practical for new or experienced practitioners. Truly passionate about the value of internal audit to organizations.

Robert Kuling, Chairman of the Board of Directors for IIA North America, Partner - Risk Advisory, Deloitte, Canada

The question ‘how can internal audit truly add value' is probably as old as the profession itself. The book of Hans Beumer provides – for the first time – a holistic, in-depth analysis of how audit value is created (or destroyed) and what strategies the CAE has to optimize it. Like a forensic surgeon, Beumer decomposes the elements and drivers of audit value and provides practical context and guidance from his rich practical experience as CAE and internal audit practitioner.

Markus T. Schweizer, Managing Partner, Strategic Solutions, Germany / Switzerland / Austria, Ernst & Young Ltd., Switzerland

The author describes Audit Function Strategy by cracking the value code of internal auditing in an amazing way, that can be considered as a real blueprint and must have for all ambitious internal auditors and CAEs. Especially the hints regarding an overarching internal audit strategy and the different value trees were a big pleasure to read. In summary, this book offers an outstanding blend of guidance, best practice and real life examples that help to improve.

Torben Hilbertz, SVP Internal Audit Abu Dhabi Airports, Abu Dhabi, UAE

"Audit Function Strategy provides a crystal clear and easy to follow road map for enhancing the strategic value of the internal audit activity. This book tells you both how to maximise the added value and evaluate your progression. Hans Beumer takes the internal audit theory and best practice and makes it applicable, sharp, measurable and actionable. This book will have a profound impact on the improvement of internal audit activities in companies worldwide, as it closely ties the internal audit's customer value proposition to the expectations of companies' boards, management and other key stakeholders."

Kurt Hausheer, retired Chairman of the Audit Committee and Board of Directors member of OC Oerlikon from 2008 to 2015, and former Managing Partner Advisory at PwC, Switzerland

The Author has done a flawless job in writing this monumental book for the internal audit professionals. Each section of this book is carefully backed with detailed illustrations, and it goes a long way towards promoting a state of the art internal audit function. This book will be a good investment and will be a collector's items for the internal audit professionals.

Jareen Yao, Director – Internal Audit, Risk & Compliance, KPMG Services Pte. Ltd. Singapore

ALSO AVAILABLE FROM HANS BEUMER

Success for Everyone

Happiness for Everyone

Kumano Kodo

Travel Guide to Self-Actualization

20’000 km by Train

Visit www.hansbeumer.com

THE SUCCESSFUL BUSINESS SERIES

AUDIT

FUNCTION

STRATEGY

DRIVING AUDIT VALUE (VOL. I)

The best practice strategy guide

for maximising the audit added value

at the Internal Audit Function level

HANS BEUMER

HB Publications

Zug, Switzerland

www.hansbeumer.com

Text Copyright © Hans Beumer 2017

Figures and Tables Copyright © Hans Beumer 2017

Cover Stock Media Copyright © Billion Photos via Canva.com

International Professional Practices Framework and International Standards for the Professional Practice of Internal Auditing, available at: https://global.theiia.org/standards-guidance. Lake Mary, FL: Copyright © 2017 by The Institute of Internal Auditors, Inc. All rights reserved.

Cover designed by Nikita Beumer

Edited by Audrey Beumer

All rights reserved. No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise be copied for public or private use without the express written permission of the publisher, except for the use of brief quotations in a book review.

First edition published in January 2017

This book is available as:

-Hardcover:      ISBN 978-3-906861-13-5

-EBook:            ISBN 978-3-906861-14-2

Printed and distributed by Lulu Press, Inc.

This book is not intended to provide personalised business advice. It offers the viewpoints and extensive experience of the Author, but the views expressed should not be taken as instructions or commands. The reader is responsible for his or her decisions and actions for the business of Internal Audit and related topics. The Author and Publisher expressly disclaim any liability, loss, damage, or risk, business, personal or otherwise, that is incurred as a consequence, directly or indirectly, of the use and application of any of the contents of this book.

CONTENTS

FOREWORD

BOOK STRUCTURE

PART I -  AUDIT ADDED VALUE

Where were the Auditors?

No risk, no reward

How to deliver big audit results

Audit Added Value

IA Function Strategic Model©

PART II - AUDIT ADDED VALUE DRIVERS

Audit Added Value Driver 1: Audit Value

IPPF’s audit value requirements

Understanding customer expectations

Measuring actual audit value

Customer value proposition

Customer expectations as value driver

Special topic: managing customer expectations

Increasing Audit Value Tree©

Audit Added Value Driver 2: Audit Cost

IPPF’s audit cost requirements

Cost efficiency: reducing the cost of the IA Function

Planning efficiency: reducing the cost per audit person-day

Audit efficiency: reducing the cost per audit engagement

Audit cost as value driver

Special topic: right-sizing the IA Function

Decreasing Audit Cost Tree©

PART III - AUDIT ADDED VALUE ENABLERS

Audit Value Enabler 1: Internal Audit Charter

IPPF’s requirements for the IA charter

Organisation

Authority

Independence

Objectivity

Responsibility

Compliance

IA charter as value enabler

Special topic: CAE roles beyond the boundaries of the IA charter

Audit Value Enabler 2: Understanding the Business and Company

IPPF’s requirements for understanding the business and company

Industry

Business model

Business process maturity

Product life cycle

Regulatory environment

Financial statements

Goals, strategies and objectives

Structure and organisation

Business operations

Management tools, technologies and reporting systems

History of significant issues

Understanding the business and company as value enabler

Special topic: understanding management style, turnover, incentive schemes, pressure, culture and ethics

Audit Value Enabler 3: Annual Audit Plan

IPPF’s annual audit planning requirements

Time coverage

COSO-ERM framework

Coordination

Audit resources

Understanding the business and company

Business objectives

Audit universe

Risk assessments

Progress reporting and follow-up audit work

Putting the plan together

Plan review and approval

Annual audit plan as value enabler

Special topic: why it matters to perform strategy-related audit work

Audit Value  Enabler 4: Coordination

IPPF’s coordination requirements

Audit committee/board

Management

Audit team

External audit

Risk Management

Other corporate functions

Coordination as value enabler

Special topic: the audit assurance strategy of the audit committee

Audit Value Enabler 5: Reporting

IPPF’s reporting requirements

Generic value enablers

Audit committee reporting

Annual audit plan report

Audit engagement report

Knowledge sharing report

Performance reporting

Progress reporting

Reporting as value enabler

Special topic: the annual report of the IA Function

Audit Value Enabler 6: Performance Management

IPPF’s performance management requirements

Performance management cycle

Performance targets

People

Price

Product

Process

Performance management as value enabler

Special topic: the IA Function balanced scorecard

RECOMMENDED READING LIST

VOL. II OF DRIVING AUDIT VALUE: AUDIT RISK MITIGATION

VOL. III OF DRIVING AUDIT VALUE: AUDIT ENGAGEMENT STRATEGY

ABOUT THE AUTHOR

FOREWORD

Audit Function Strategy serves several purposes. For:

Chief Audit Executives (CAEs): to benchmark the Internal Audit (IA) Function against the best practices and to increase the added value of the IA Function.

Boards and audit committees: to oversee the performance improvement of the company’s IA Function and to better understand the challenges and opportunities for the company’s CAE.

Executive management (CEO, CFO): to increase the benefits of the IA Function for the business and operations, and to have the CAE improve the cost-efficiency and effectiveness of the IA Function.

Other management: to better understand the activities, focus and priorities of the IA Function.

Teachers and students: to teach and study IA Function best practices based on a proven strategic model.

Advisors, consultants, freelancers: to use as a frame of reference for the best practice IA Function strategy model.

The Institute of Internal Auditors: to enhance the IPPF model with best practice elements.

Audit Function Strategy differs from all the other books about Internal Audit, in the way it combines the theoretical knowledge and the best practice frameworks with the practical experiences of a seasoned CAE:

This is the first and only book that develops a clear strategy for the IA Function. It reflects on the IA Function from an entirely new perspective by defining its added value, how this added value can be measured, and how this added value can be attained through value drivers and value enables.

The IA Function Strategic Model© provides transparency for the main success principles for an IA Function, providing a unique new frame of reference for understanding and managing audit strategy at the IA Function level.

This book includes the practical experiences, examples, tips and foremost solutions, from a seasoned CAE. The content of this book draws upon 28 years of business experience, of which 16 years as leader of Internal Audit Functions of globally operating corporations.

Audit Function Strategy is the best practice guide for ensuring Internal Audit’s success in the company. Follow the strategic principles explained in this book for becoming successful in achieving the objectives of an IA Function. It does not matter whether the audit team consists of one, fifty or three hundred auditors. Apply the fundamental success principles described in this book and a successful career as CAE is easily attainable.

This book is part of a series on Internal Audit best practices called Driving Audit Value. The first three in the series are:

1. Audit Function Strategy: This Driving Audit Value (Vol. I) describes the strategies for creating the maximum audit added value at the level of the IA Function. The book explains and analyses the two main value drivers and the six main value enablers.

2. Audit Risk Mitigation: This book is fully dedicated to understanding, identifying, measuring and mitigating six audit risks for both the IA Function level and the audit engagement level. The developed Audit Risk Models create a unique new framework as a reference for understanding and mitigating the audit risks. Volume II of Driving Audit Value will be available from February 2017 (see the book preview on page 203).

3. Audit Engagement Strategy: The strategic model for driving the audit value at the level of the audit engagements is described in Driving Audit Value (Vol. III), which will be available from May 2017. At the audit engagement level the audit added value, value drivers, and value enablers also exist, though with a different content when compared to the level of the IA Function (see the book preview on page 205).

Books published under The Successful Business Series describe the professional experiences in various lines of business. The Series has the intention of helping you make your business successful.

Read to advance your life,

drs. Hans Beumer

January 2017

BOOK STRUCTURE

The primary purpose of this book is to provide a practical approach and concrete tools to maximise the added value of the IA Function. For this reason, the book is split into three parts:

Part I: Audit Added Value

Part I determines the reasons for needing an audit strategy at the IA Function level and shows how all the chapters and elements of the audit value drivers and the audit value enablers fit together. This is summarised in the Audit Added Value Tree, and the comprehensive IA strategy model for driving audit value at the level of the IA Function. This model connects all 48 individual elements of the value enablers, and shows the relationships between the individual building blocks in the strategy model.

Part II: Audit Added Value Drivers

Part II proves that audit cost and audit value are the primary audit added value drivers of the IA Function. In two chapters, the topics are analysed, where efficient, effective and practical guidance is provided to maximise the added value capacity of each subject.

Part III: Audit Value Enablers

Part III presents the six most significant value enablers for the IA Function: the IA charter, understanding the business and company, the annual audit plan, coordination, reporting, and performance management. In six chapters, the topics are analysed, in which efficient, effective and practical guidance is provided to maximise the value enabling capacity of each subject.

Figure 1 - Book Structure

It is easy to recognise that increasing the audit value has 11 main determining factors, whereas reducing the audit cost has 3 main determining factors. This reflects the following:

The potential for increasing the audit value is significant. There are only a few restrictions towards the upside value potential of the IA Function. These upside boundaries reflect the key roles and responsibilities as laid down in the IA charter and in the IA Function strategy. The value enablers create many sound opportunities for increasing the audit value. The IA Function is close to the (upside) value boundaries, when it both achieves a high audit coverage of the company’s objectives and risks profile, and regularly brings significant issues to the attention of management and the board.

The potential for reducing the audit cost has downside limitations. The purpose of reducing the audit cost is to increase the efficiency of the use of the resources (cost efficiency) while maintaining a constant level of output (value). It indicates that there is a limit to which the costs can be reduced, which is reached when the output starts deteriorating because of the insufficient quantity and quality of the resources. That is why the right-sizing of the IA Function is so important: it establishes the boundaries below which the output will start deteriorating (compromising the execution of the IA Function strategy). The IA Function is close to the (downside) cost boundaries, when it is lean, efficient and effective.

IA Function level versus IA engagement level

Audit Function Strategy describes the added value, the value drivers, and the value enablers at the level of the IA Function. Although all of these have a direct impact on the execution of the individual audit engagements, this is not further detailed in this book. At the audit engagement level the added value, the value drivers and the value enablers also exist, though with different content. The strategic model for driving audit value at the level of the IA engagements is described in Audit Engagement Strategy. I refer to the book preview on page 205.

Managing the strategic audit risks

At the level of the IA Function, six significant risks may occur: inherent risk, control risk, detection risk, focus risk, support risk and value risk. The strategic model for managing these risks to the audit value at the level of the IA Function is described in Audit Risk Mitigation. I refer to the book preview on page 203.

Lifting the IA Function to the highest level of added value

This book is the best practice guide for maximising the added value of the IA Function. It clearly describes what best practice processes look like and provides detailed guidance to allow each IA Function to realise its own maximum added value. However, it does not cover the topic of how to lift the current status of the IA Function to this best practice strategy model. Such roadmap can be best developed using a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) for benchmarking the current IA Function strategies, processes and procedures against the value drivers and the value enablers presented in this book.

PART I

-

AUDIT

ADDED

VALUE

Figure 2 – PART I: Audit Added Value

Where were the Auditors?

Major corporate scandals 2010-2016

VOLKSWAGEN EMISSIONS SCANDAL

September 2015 – The US Environmental Protection Agency caught VW cheating on diesel emissions tests to falsely pass the maximum allowed levels. Diesel models had software installed to fraudulently show that the cars were more environmental friendly than they actually were. More than 11 million cars had to be refitted, regulatory fines amounted to more than $15 billion, civil and criminal suits cost further billions. High profile managers and the CEO were dismissed.

Possible IA Function issues:

Understanding the regulatory environment

Risk assessment

Focus of audits

Auditor skills

FIFA CORRUPTION SCANDAL

May 2015 – The FBI indicted the FIFA organisation and officials with racketeering, fraud, corruption, and with paying millions of dollars in bribes to influence FIFA elections, locations for hosting the World Cup, sponsorship contracts, broadcasting rights, and more.

Possible IA Function issues:

IA charter

Support

Risk assessment

Focus of audits

BP OIL SPILL SCANDAL

April 2010 – The Deepwater Horizon rig explosion caused the largest environmental disaster of the 21st Century. Oil and gas producer BP had the worst health, safety and environment practices, which caused damages and cost by far exceeding $25 billion, and destructed shareholder value by more than $100 billion.

Possible IA Function issues:

Risk assessment

Focus of audits

Auditor skills

YAHOO HACKING SCANDAL OF 1 BILLION USER ACCOUNTS

December 2016 – Yahoo disclosed that a data breach exposed the private information of more than 1 billion user accounts. It related to a theft of names, email addresses, telephone numbers, birthdates, and unrecognisable passwords, as well as encrypted and non-encrypted security questions and answers.

Possible IA Function issues:

Risk assessment

Focus of audits

Auditor skills

WELLS FARGO SCANDAL OF FAKE ACCOUNTS

September 2016 – Over the period 2011-2016, Retail Banking employees created 1.5 million phoney deposit accounts and issued 0.5 million fake credit cards, without the knowledge or permission of the related customers. Employees resorted to fraud in order to meet challenging growth quotas. The bank paid $185 million in fines and fired 5’300 employees.

Possible IA Function issues:

Understanding culture

Risk assessment

Focus of audits

Auditor skills

OLYMPUS ACCOUNTING AND BRIBERY SCANDAL

October 2011 - Olympus hid $1.7 billion in losses over a period of 13 years and admitted to paying kickbacks and foreign bribery.

The company paid more than $0.5 billion to settle criminal and civil investigations.

Possible IA Function issues:

Understanding transactions

Split IA-EA audit work

Risk assessment

Focus of audits

Auditor skills

PETROBRAS CORRUPTION SCANDAL

March 2014 – Executives and key management of Brazil’s state-owned Oil & Gas Company were accused of bribery of officials as well as siphoning off money for their own use. In criminal investigations, more than 80 managers and politicians were charged with money laundering and bribery of more than $8 billion.

Possible IA Function issues:

Risk assessment

Focus of audits

Auditor skills

LIBOR RIGGING SCANDAL

June 2012 – Criminal investigations into the manipulation of interest rates spread to 10 countries and involved more than 20 major banks. Total fines reached more than $10 billion.

Possible IA Function issues:

Understanding transactions

Risk assessment

Focus of audits

Auditor skills

Where were the internal auditors?

These eight examples represent some of the major scandals, bribery, corruption, fraud, and non-compliance cases in the period 2010-2016. In each of these cases, you can rightfully ask Where were the internal auditors? The answers to this question are manifold:

The IA Function did not have the topics in their