What Every Internal Auditor Should Know Perspectives of a Chief Compliance Officer
IIA: November 11, 2011 Jon Rydberg
Agenda
1. Opening Comments
2. Weak Infrastructure May Drive Value Destruction
3. Case Study: “When Sales Mask Performance”
4. Focal Points and Ideas
5. Closing Remarks
Disclaimer - This presentation is not about the presenter’s current or previous employers. The contents are observations taken from various points over his career.
1. Opening Comments
1. Opening Comments: Objective
1. Internal Audit and Compliance are often misunderstood. Some companies…
▫ Establish them to “check a box.”
▫ Lack the knowledge to achieve value.
▫ Believe they are “above it.”
▫ Believe they are “control cops” (e.g., “Sales Prevention Team”).
▫ Believe they are necessary evils, draining cash with no ROI.
2. My objective is to promote these functions as mechanisms to:
▫ Establish the boundaries for compliant and ethical business activity;
▫ Proactively identify and evaluate emerging risks; and
▫ Provide recommendations that enhance infrastructure and protect enterprise value – a core responsibility of every executive.
1. Opening Comments: Definitions and Assumptions
1. Corporate Infrastructure is:
▫ People, process, technology
▫ Policies, procedures and internal controls
▫ Training, measurement and accountability
2. Value Destruction is:
▫ Reduction in stock price
▫ Damage to customer satisfaction and brand
▫ Demoralization of the workforce
▫ Fines, penalties, debarment
3. ROI should also be viewed as the lack of “Value Destruction.”
1. Opening Comments: Understanding Internal Audit and Compliance

Chief Compliance Officer
• Promote standards of conduct.
• Design policies to prevent improper conduct.
• Manage company hotline and investigations.
▫ Assurance: Compliance with policy / laws (e.g., ITAR)
▫ Advisory: Business advisory (e.g., International biz design; Executive MBO setting); Policy development (e.g., FCPA, Code of Conduct).

Chief Audit Executive
• Identify and mitigate vulnerability and risk.
• Serves as an advisor to the Board, CEO, CFO.
• Integrates risk management into strategy.
▫ Assurance: Compliance with policy / law (e.g., T&E); Reliable financial reporting (e.g., SOX)
▫ Advisory: Efficient and effective operations (e.g., Procure-to-Pay process review); Achieving strategic objectives (e.g., ERP implementation help, due diligence, cost audit)
2. Weak Infrastructure May Drive Value Destruction
2. Weak Infrastructure May Drive Value Destruction: Share Shock – Share Price Declines >30%
Approximately 25% of F1000 companies with share shock experienced failures in infrastructure. Can be linked to weak risk management, corporate infrastructure or oversight.
Source – Corporate Executive Board
2. Weak Infrastructure May Drive Value Destruction: Ten Largest Settlements in Last 12 Months
Source – Nera
Can be linked to weak risk management, corporate infrastructure or oversight.
[Chart: Settlement Costs Excluding Investigation and Legal Support, amounts in $US millions; bars for Criminal Fines (total for all: $2,228) and Disgorgement (total for all: $946) covering Siemens (2008), KBR/Halliburton …, BAE (2010), Snamprogetti (2010), Technip S.A. (2010), JGC Corporation (2011), Daimler AG (2010), Alcatel-Lucent (2010), Panalpina (2010), Johnson & Johnson …]
2. Weak Infrastructure May Drive Value Destruction: Ten Recent FCPA Settlements
Source – Resources Global
Can be linked to weak risk management, corporate infrastructure or oversight.
[Chart: Settlement Costs Excluding Investigation and Legal Support]
3. Case Study: “When Sales Mask Performance”
3. Case Study: “When Sales Masks Performance”
[Chart: Sales vs. Time, phase 1]
Phase 1 / Increasing Sales – Impact:
• Employees are measured on financial performance.
• Employees are held accountable for not hitting targets, but are not measured on performance in other areas.
• Tone from the top is founded on trust and there is little mention of Compliance, Ethics or Controls.
• As the organization’s revenue base grows, bonuses are strong, stakeholders are happy and the focus on infrastructure and internal behavior shrinks.
• Cultural norms develop around heroics. Employees do what is needed to get the job done.
[Chart: Sales vs. Time, phase 2]
Phase 2 / Stability or Limited Volatility – Impact:
• Despite limited volatility, success is still strong. Confidence grows. Company goes public.
• In order to meet Shareholder expectations, new revenue streams are found (new products, new markets, acquisitions).
• Measurement on short-term financial performance becomes stronger.
• Organization is too busy to think internally. Money is saved by not investing in “oversight” functions.
• Even less focus on infrastructure as the organization invests its financial and human resources on revenue maintenance or growth.
• Employees are hired and put into action with little training.
• The business has grown large and complex, outpacing its infrastructure. Yet, margins remain strong due to decent sales and limited internal investments.
3. Case Study: “When Sales Masks Performance”
[Chart: Sales vs. Time, phase 3]
Phase 3 / Declining Sales – Impact:
• Limited revenue to cover fixed costs. Bottom-line profits shrink.
• Pressure is high and even more focus is placed on doing what is needed to get the job done.
• Few written Policies and Procedures govern how work is accomplished.
• Environment is now ad-hoc and out of control. Employees continue to act through heroics.
• Mistakes are made affecting cost of quality, customer satisfaction, litigation expense, revenue leakage, cost overruns, injury, etc.
• Bottom-line profit shrinkage is exacerbated relative to industry competitors because the organization lacks process repeatability, efficiency, compliance and cost control.
Kaboom! Share Shock (phase 3)
3. Case Study: “When Sales Masks Performance”
1. Investors lose confidence due to slip in profits.
2. Significant investments required to build infrastructure around a sinking ship.
3. The immediate response for oversight and business control is disregarded by tenured workforce.
[Chart: Business Volume and Complexity vs. Collapsing Infrastructure; Management Team]
3. Focal Points and Ideas
1. Identify warning signals.
2. Create efficient and sustainable processes.
3. Mitigate bad behavior.
4. Provide a legal defense.
3. Focal Points and Ideas: So Where Could Internal Audit or Compliance Have Helped?
Consider the following benefits.
- Keeping officers out of jail: controls drive accurate financials.
- Avoiding $335m of FCPA fines: controls drive ethical behavior.
- Enhancing working capital: controls prevent duplicate payments.
- Mitigating system re-work: controls facilitate working systems.
- Eliminating safety issues: controls limit workers compensation.
- Minimizing production delays: controls ensure inventory accuracy.
ROI = Positive!
3. Focal Points and Ideas: Balance Internal Audit According to Your Needs
Spectrum of Capability
Oversight (Reactive)
• Are we operating as planned?
• Are the processes and controls operating effectively?
• Are policies being adhered to as intended?
Insight (Proactive)
• How can the process be enhanced?
• What are other companies doing?
• Can we further leverage our technology?
Foresight (Strategic)
• Where is this process going?
• Can it scale?
• Should new technologies be considered?
Confidential, Not For Re-distribution
3. Focal Points and Ideas: Use Internal Audit’s Risk Assessment for Strategic Foresight
[Sample Emerging Risk Chart] 100% of Boards want insight into emerging risks; 51% are provided them.
3. Focal Points and Ideas: Internal Audit can Benchmark Your Infrastructure
Maturity model (axis labels: Increased Quality; Increased Risk). Columns: Maturity Level, Distinguishing Factors, Capability Description, Capability Characteristics.

Level 5 – Optimized (Continuously Improving Process)
Capability: Continuous Improvement – Continuously improving controls enterprise-wide
• Proactive improvement of processes & controls, based on costs
• Enterprise-wide risk strategies
• Use of statistics data to analyze & improve costs, performance, & risks
• Formal & flexible cost / benefit analysis
• Best practices identified & shared across organization
• Application processes and technology are fully integrated organization-wide

Level 4 – Managed (Predictable Process)
Capability: Quantitative – Risks managed quantitatively enterprise-wide; “Chain of accountability”
• Objective is process control of outputs
• Detailed statistical measurement & use of key performance indicators
• Cost & cycle times well known
• Early-warning systems, risk analytics, and contingency preparation
• Experienced personnel with requisite knowledge & expertise in place

Level 3 – Defined (Standard, Consistent Process)
Capability: Qualitative / Quantitative – Policies, process and standards defined and institutionalized; “Chain of certification”
• Proactive management & flexibility
• Standard roles & training
• Standardized processes company-wide
• Stable & measurable processes
• Standards & verification mechanisms
• Consistent reporting & reporting of exceptions & near-misses

Level 2 – Repeatable (Disciplined Process)
Capability: Intuitive – Process established and repeating; reliance on people continues; controls documentation lacking
• Management objectives & planning
• Some documented policies & procedures, signs of implementation
• Stability increased
• Organizational knowledge & training
• Clear accountability & understanding of roles/commitments

Level 1 – Initial (No Process Evident)
Capability: Ad Hoc / Chaotic – Control is not a priority; unstable environment leads to dependency on heroics
• Unpredictable & subject to “firefighting” & crisis management
• Little or vague documentation/policies
• Highly dependent on key individuals & heroics
• Instability, especially during crisis
• Inconsistent reporting mechanisms
• Undefined roles & accountability
3. Focal Points and Ideas: Utilize Internal Audit Software for Proactive Risk Management
3. Focal Points and Ideas: Keys to a Successful Internal Audit or Compliance Function Rollout
Tone From The Top
• Public announcement.
• State the purpose (compliance, process improvement, mixture).
Accountability
• Without it, your investment is meaningless.
• Establish a structured reporting process to Management, the Board, and back to employees!
Establish Defined Programs (GE examples)
Driving culture has to be the result of defined, tangible programs.
• Cultural programs: Leadership engagement; Risk assessment; Training; Communication; Evaluation
• Compliance programs:
– Ownership by an executive (don’t blame the staff, legal or compliance).
– Assess (list the regulations we must comply with).
– Resource (hire and assign domain experts).
– Relate (build it into the business process, don’t outsource it).
Budget Appropriately
• Balance your spend and budget with GAIN.
• Establish an amount that you can stomach without reason to adjust.
3. Focal Points and Ideas: The Key to Being Compliant
Seven Pillars of the Federal Sentencing Guidelines Compliance Program
• Leadership: Assign an independent owner, reporting to the Board; develop values, culture and tone.
• Standards and Procedures: Create a structured policy set and Code of Conduct.
• Exclude Prohibited Personnel: Documented background checks of third parties, channel partners and suppliers.
• Training and Communication: Online and in-person training; train third parties.
• Audit, Monitor and Report: Develop a rotational audit plan, up to 2x per year.
• Enforcement and Discipline: Reward and discipline employees.
• Response and Action: Establish a corrective action process; aggregate compliance and internal audit findings.
4. Closing Comments
4. Closing Comments: An Exercise for Your Organization
1. List the seven features that the Federal Sentencing Guidelines expect within an organization’s “Ethics and Compliance Program.”
2. List the features of your Ethics and Compliance Program.
3. List the actions that each department has taken to support your “Ethics and Compliance Program.”
4. Is your Internal Audit function aligned to your Strategic Objectives?
5. Have you benchmarked it against GAIN or other Companies?
6. Have you considered all three ranges of the IA spectrum?
4. Closing Remarks: Remarks from Best of Breed Companies

Area: Ethical and compliant behavior
Remarks:
• You can do everything right for 20 years and kill your reputation in 5 minutes. – Warren Buffett (not present)
• Never hide what has occurred. You only have one chance to tell the truth; failure to act with total transparency risks your entire brand. – Hyatt
Activities:
• Differentiate between ‘we are an ethical Company’ and being able to provide it in a defined ethics program.

Area: Culture and Ownership
Remarks:
• Employees like to work at a company that is consistent with its own values. – General Electric
• A good compliance program is effective if you take action when someone does something right or wrong. – UBS
• Measure ethics in executive MBOs. – Google
• It is very easy for the CEO to set the tone; he/she only speaks to 5 people. The middle management layer is critical to changing a corporate culture. – Accenture
• How do we get the business to own compliance and ethics? First we spoon feed them, then we ram it down their throats. – Microsoft
Activities:
• Measure ethical conduct.
• Hold an annual Company awareness meeting. The first award should be on integrity and ethics.
• Middle layer should be appointed and rewarded as drivers.