Eliciting Management Support to the Internal Audit Function

Eliciting Management Support to the Internal Audit Function Theme: Internal Audit and Transformational Leadership Winning is a choice, , , . You have to make it- Choose to attain Risk Resilience, The Road lead to Performance Excellence ‘Overcoming Audit Complexities’.

Financial Services Solutions Limited Our Risk Management Services Our Risk Management transformation Solutions include; Background of FSS Risk Management Services Regional players, National Governments, County Government, Public Sector, and Organizations of all types and sizes face internal and external increasingly changing factors that make achievement of their objectives uncertain “the Risk”. While good governance imperative require all organizations want to manage their risk, lack of capacity to effectively manage risk in line with best practice may be their major constraint. • Enterprise Risk Management Review and framework Development. • Financial Services Risk Management (Credit Market and Operational Risk). • Financial Crime Risk Management Programs development. • Business Continuity Policy Development. • Regulatory Compliance. Enterprise Risk Management (ERM): We help all type of organizations in reviewing existing risk management regime, develop holistic and integrated ERM FSS Risk Services limited was formed with a goal to help organizations build framework and build Risk Management capacity: We help organizations make ERM an ongoing management process embedded throughout the organization to identify and protect enterprise value by taking a Risk smart approach to managing existing and emerging risks that can prevent your company from achieving entity goals. financial, Operational and Strategic Management. We work with all organizations to help them develop, implement and continuously improve a framework for integrating the process for managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture. We help them to establish consistent processes within a comprehensive framework to ensure that risk is managed effectively, efficiently and coherently across their organization. Our Risk solutions are modeled along best practice (principally ISO 31000, and COSO-ERM Frameworks) and ensure compliance with regulatory requirements e. g. Basel II, Solvency II, and other global best-in-class initiatives. Financial Services Risk Management (FSRM): Financial institutions must manage their risks in a holistic manner for improved financial performance and compliance to regulations. We support all Financial services participants and actors including upcoming Mobile financial services gain capacity and firm understanding on dealing with Financial services Risks. Skill them up on methodology to identify measure and mitigate them. Financial Crime Risk Management (FCRM): Despite widespread coverage in the press, and governments and regulators' efforts to reduce fraud, economic crime continues to be a menace to businesses in Africa and around the world. FSS pro-active services are designed for responsible and progressive organizations that decide to conduct pro-active Fraud prevention; Fraud Risk Assessments as well establish a This approach helps our clients focus on their areas of increased risk, bridge process to manage such a crisis, should one occur. We further help in Designing and silos to effectively manage risk across organizational boundaries and pursue implementing employee awareness testing, Reviewing your code of ethics and not only risk mitigation and enhance transparency through Risk analytics, but whistleblower program in relation to best practices. also allow intelligent risk taking as a means of value creation that supporting Compliance and regulatory risk management: at FSS we support organization regulatory compliance, enhanced competitive positioning , capital, liquidity, orchestrate compliant operational regimes: Our supportive consulting approach help funding efficiencies. client put in place a process to identify, monitor and manage an organization's ethics, We intervene through consultancy, in-house training, open workshops, sharing of thorough leadership and current tread in the locale of Risk Management. FSS Anti money laundering and regulatory compliance responsibilities. We help develop mechanism to anticipate and react to compliance and regulatory requirements to avoid or recover from compliance failures, support growth objectives, protect shareholder value and avoid reputational/brand risks.

Table of Contents 1 2 Establishment of an effective internal environment 3 Is internal auditor’s ‘independence’ a threat to management 4 Process monitoring and communication 5 FSS Introduction Conclusion

Introduction q The Past 10 Years Have Witnessed Seismic Changes - Headlines Have Included/professional development q Major realignment in internal audit’s reporting relationships q Significant change in internal audit’s focus, roles, and responsibilities q Greater employment of risk-based methodologies in determining priorities and allocating resources q New communications strategies and practices to address enhanced stakeholder expectations q Increased resources for internal audit functions to address increased demands q Need for quality oversight q Supporting risk taking function becoming priority agenda FSS Slide 4

Introduction (Continued) “Internal auditing is an independent, objective assurance and consulting activity designed to add value improve an and organization's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. ” THEIIA v Objectivity v Reporting structure v Risk management v Staffing v Prioritization v Adding Value FSS

Introduction (Continued) Internal Audit Standard Nature of work – Governance 2110: The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: q q FSS Promoting appropriate ethics and values within the organization Ensuring effective organizational performance management and accountability Communicating risk and control information to appropriate areas of the organization Coordinating the activities of and communicating information among the board, external and internal auditors and management

Introduction (Continued) Internal auditors are expected to; q maximize the assurance provided to the Board, the Audit Committee and Management, q contribute to the continuous improvement strategies of the organization without impairing its objectivity and independence, q provide guidance and expertise in areas including, but not limited to, corporate governance, ERM, fraud policies and prevention, and information technology systems, in addition to the traditional area of internal controls. FSS Slide 7

Introduction (Continued) Current changing demand crisis in Confidence q Public is skeptical q Stakes are greater q Public trust has diminished q Greater challenges q More director liability q Financial system stressed q Increasing Fraud /mistrust with investment agents q Business failures continue q Risks neither understood nor managed q Governance mechanisms suspect/Regulations q Interested parties: Ratings agencies/Regulators/Lawmakers/Boards of Directors/Credit analysts q Commercial banks/Investment banks FSS

Creating an effective Internal Audit environment Independent, Objective and Proficiency and Due Professional Care q Effective internal audit functions help organizations accomplish their business goal q Right environment underscore the growing importance of effective governance and establishing, maintaining and improving governance, risk management q Governance require and effective and independence Internal Audit established by the organizational and reporting structure. . FSS Slide 9

Creating an effective Internal Audit environment FSS Slide 10

Creating an effective Internal Audit environment q Objectivity IA should have no personal or professional involvement with or allegiance to the : area being audited; and should maintain an un-biased and impartial mindset in regard to all engagements. q Reporting Structure : should report to a level within the organization that allows the internal IA audit activity to fulfill its responsibilities and remain independent. This often results in a dual reporting relationship between executive management and the audit committee. Whatever, the reporting relationship there must be organizational independence. q Staffing : broad range of skills and expertise, and ongoing professional development are critical A to the formation and maintenance of an effective internal audit activity. q Prioritization: CAE independence should provide the necessary organizational knowledge The for staying in sync with risks and the organization’s overall priorities that allow for effective management of internal audit resources. q Adding Value IA serves management and the board, assesses the ethical climate and the : effectiveness and efficiency of operations, and provides a safety net for organizational compliance with rules, regulations, and overall business practices. q Building Confidence and Trust: Becoming the trusted partner of helping growth and improved performance (applying business wide expertise on risk and strategy). FSS Slide 11

Creating an effective Internal Audit environment Auditor Key factors/Qualification q Objectivity, independence , professionalism q Auditor ability to link audit issues to performance results q People skill/communication skills q Good Communication and Interpersonal Skills q Interviewing Skills q Intelligent and pertinent questions q Listen attentively q Analytical Skills q Ability to assimilate data and determine how it relates to the audit criteria q Analyze information and report results q Training and Experience q Standards, regulations, auditing techniques, and audit management skills q Ability to think inside and outside the box FSS

Creating an effective Internal Audit environment q Creating the environment : The success of the auditing program depends significantly upon the selection of the right people for the task q Right personnel from cross-functional groups q q q FSS Document & training Engage stakeholder in in Audit Planning Use recommendation/improvement proposals as a kpi Perform audits on a regular basis Responsibility becomes part of job description Must be taken seriously by employee and manager - Part of performance review

Establishment of an effective internal environment ‘Selling’ Ref: Lawrence Sawyer Theory’ q Philosophy of assisting management and the Board in achieving the organization’s objectives through well-reasoned audits, evaluations, and analyses of operational areas. q Modern internal auditor to act as a counselor to management rather than as an adversary, as an active players influencing events in the business rather than criticizing all degrees of errors and mistakes. q Future “catching a manager doing something right” and providing recognition and positive reinforcement. Writing about positive observations in audit reports. q Who understands and forecast the benefits of providing more balanced reporting while simultaneously building better relationships. q make internal auditing more relevant and more interesting through a sharp focus on operational or performance auditing. This approach helped catapult the chief audit executive into the role of a respected and knowledgeable adviser who was thought to be reasonable, objective, and concerned about helping the organization achieve the stated goals. FSS Slide 14

Establishment of an effective internal environment ‘Selling’ q Efficient auditing can identify inadequate / ineffective / inefficient collection of data & measurements q Data not being used, not being used efficiently, wrong data being measure or being measure at wrong point in process q For example, data being collected regarding scrap rate, but the data is never presented to anyone OR data has consistently shown a high rate and no action has ever been taken or discussed q Efficient auditing can identify redundancies in systems q eliminate or reduce is an obvious cost savings q For example, redundant manual system and electronic system to avoid validation of electronic system FSS

Establishment of an effective internal environment ‘Selling’ q Compliance is a regulatory requirement for our industry! q Efficient auditing can identify those areas where the company has added more requirements than needed from both a regulatory and business perspective q Complicated system uses resources and is prone to error (i. e. , noncompliance) q Improvement of compliance level in governance issues, regulatory Compliance risk management and internal controls; q Greater possibility of getting unqualified financials; q Improved service delivery. q Cost saving measure q Uniform systems and consistency FSS

Communicating and Monitoring results q Good auditing cannot be reflected in a poorly documented report q Issue TIMELY q Write to your “customer” q Write for impact q Make the report talk q Recognize their priorities q Lead (don’t lose) the “customer” q Fast tract open issue. S FSS

Process monitoring and communication q Utilize standard format for consistency q Audit scope, purpose, references, standards, procedures q Executive summary q Highlight hot issues (positive and negative) q Audit summary and specific non-conformances q Identify high risk areas q Audit recommendations for improvement and / or potential issues q Part of report or separate document? FSS

Auditor independence, A threat of not q Internal audit is an independent objective assurance activity. q To ensure that the activity is carried out objectively, the internal auditor must have his/her independence protected. q Independence is assured in part by having an appropriate structure within which internal auditors work. q Independence is also assured in part by the internal auditor following acceptable ethical and work standards. q Risks if auditors are not independent FSS Slide 19

Process monitoring and communication q Objectivity The comments and opinions expressed in the Report should be objective and unbiased. q Clarity -The language used should be simple and straightforward. q Accuracy The information contained in the report should be accurate. q Brevity -The report should be concise. q Timeliness The report should be released promptly immediately after the audit is concluded, within a month. FSS Slide 20

Conclusion Let make internal auditing not only am audit tool but more importantly as performance improvement tool, a regulatory compliance enabler , but as a necessary means to continuously improve the efficiency of business practices and product quality. This is the future and key buy in for internal Audit FSS

Patrick Gitau-MBA, CFE, CIA, CRISC, GRCP . Fraud Management, Internal Assurance, Governance, Risk Management & Compliance Consultant Educational Qualifications Profile brief · A Risk Expert with multinational experience having undertaken Assignment in Nigeria, Benin and Ghana (West Africa) Zambia and Malawi, and South Africa (South Africa ) Afghanistan (Central Asia) and Kenya providing risk centric Business Advisory and Capacity Building through training. MBA –Finance with Merit Diploma in Business Management Diploma in IT Application & Systems Diploma 1 Data Processing Management Diploma Legal Studies Diploma Project Management · · · Professional Qualifications · Certified Internal Auditor -CIA Certified Fraud Examiner-CFE Certified Governance Risk and Compliance Professional –GRCP Certified in Risk and IT controls-CRISC ACCA Part Qualified · · Experience · Independent Consultant-Jan 2013 todate Senior Manger –GRC @ Pw. C - Jan 2012 -13 Risk Management Specialist –Globacom Nigeria-Aug-2009 -Dec 2011 Manager- Risk , Fraud and Revenue Assurance –Essar -July 2008 -August 2009 Risk Analyst –Zain Kenya -2000 - 2008 Co-Founder of ACFE Kenya Chapter and GARP Kenya Chapter · · · Business Development -KPLC 1997 -2000 Temporary Employments-1994 -1997 Various Vocation, Business Advisory and Training · · Language skills: FSS · English (Fluent) Previously was a Senior Manager in Governance Risk and Compliance (GRC) Business at Pw. C, dedicating 17 years of Risk Management, Mobile Financial services, Revenue Assurance, Corporate Fraud Management and Business Development. Having been involved in setting up Risk & Control functions , expertise in Internal Audits , ERM, Tele-Banking services (Mobile money services) and Fraud governance plus has been involved in successful multiple Project Risk Assurance/Product Assurance provides a distinctive wealth of knowledge He is founding secretary of the Local Chapter of Risk Management Professionals –GARP Kenya and pioneer board member and first training Director of chapter of Fraud Examiners -ACFE Kenya and has been instrumental in creating Fraud fighting capacity for Kenya. Other Key experience include Auditing for Fraud, Project Management and Risk and Fraud Management Training Key expertise Risk Management ·Enterprise Risk Management (ERM)–ISO 31 K/COSO /Basel III/Risk IT/SOX /GRC Capability ·Fraud Analysis for Investments, Integrity system set up and review, Fraud Health & policy design, Fraud Risk Assurance ( Assessments, Examination and Prevention /Fraud Training ) ·Revenue , Projects and product Assurance ·Internal audit , BCM, CMMI , IT Risk, IT policy development and process reviews Business ·Business Development, Strategy & Financial Mgt, Entrepreneurship and Business Training ·Tele-Banking Service and Customer Services Technology capabilities : ·Platforms: MS Windows 2000/XP/7 |Development: Foxpro/VB/Dbase | ERPs: Oracle, SAP ·Productivity Tools: MS Office Suite/SQL /Visio/CRM’s /FMS’s and RAM’s /Quick. Books/Sage/CAATS Methodology: Transform and Change Management/Global IAS/BCM/ERM/GRC Methodologies

Questions & Answers FSS 23

Patrick Gitau, MBA-Finance CIA, CFE, CRISC, GRCP FSS Risk Services & Advisers Thank you FSS