
Today

Upward
Hacia arriba

Onward
Adelante

(1941)

Impact of Corporate Governance on the Internal Audit Profession
Glenn E. Sumners, DBA, CIA, CFE

“Internal auditing is an endless journey towards an ever-changing destination.” Glenn E. Sumners
Dominican Republic
Punta Cana
2012
Presenter (presentador)
Glenn Sumners, DBA, CIA, CFE is on the faculty of Louisiana State University where he is the director of the Louisiana State University Center for Internal Auditing (LSUCIA). He was named Educator of the Year in 1987 by the IIA and received the LCPA Lifetime Achievement in Accounting Education Award in 1999. In 2006, Professor Sumners received the Bradford Cadmus Memorial Award from the IIA. He is a member of the IIA Society Emeritus. In 2012, he was inducted into the IIA American Hall of Distinguished Audit Practitioners. Three LSUCIA students have placed first in the international manuscript competition. Eighteen students from the LSUCIA Program have won international awards for the highest score on the CIA exam. In 2012, the CIA Award for the highest student score was named the Dr. Glenn E. Sumners Award.
He provides quality assurance reviews, consulting, and training to internal audit groups and audit committees. He has made over 1200 presentations in the last 25 years. He has been invited to speak in 25 countries.
Glenn E. Sumners
Director
Louisiana State University
Center for Internal Auditing
Governance (gobierno)
Agenda (orden del día)
Adding Value: The expanding role of Internal Auditing (valor agregado)
•The Value Proposition (la propuesta de valor)
•Addressing Governance (relación con el gobierno corporativo)
• Infrastructure (infraestructura) Integration (Integración)
•Assessing Risk (evaluación de riesgos) (Borderless organizations)
(organizaciones sin fronteras)
• Internal (interno)
• External (externo) (Strategies) (Estrategias)
• Risk Threats (riesgos amenaza)
• Risk Opportunities (riesgos oportunidades)
Governance Agenda (gobierno
orden del día)
Adding Value: The expanding role of Internal Auditing (toward governance)
•Job enlargement
•Job satisfaction
•Job enrichment
•Addressing Governance (infrastructure and integration)
•Assessing Risk (broader perspective) (borderless organizations)
• Internal
• External (strategies)
•Enhancing Controls
• Control Activities
• Management Controls
• Plan (tactical and strategic) (planning committee)
• Organize (delegation of accountability)
• Staff (needed competencies outpacing competencies) (CFIA) (CBOK) (Surveys)
• Direct (policies and procedures) (control activities)
• Monitor (change management) (custodial managers)
• Environmental Controls

COSO – Tone at the Top (infrastructure) (integration) (permeation)


•Control Environment
Agenda (orden del día)
• Enhancing Controls (mejorar los controles)
• Control Activities (actividades de control) (time allocation)
• Management Controls (controles de gestión)
• Plan (Tactical and Strategic) (Comité de Planificación)
• Organize (Delegation of Accountability) (organizar)
• Staff (I  K  W – RP) (BS and CS) (personal)
• Needed competencies outpacing competencies
• CFIA
• CBOK (Business Knowledge)
• Surveys (Encuestas) (Critical Thinking – Hours – Business)
• Direct (Policies and Procedures) (directo)
• Monitor (Oversight, Analytics, Change Management) (custodial managers)
• Control Environment (Entorno de control interno)
• All components of COSO reside in the Control Environment
• Virgin territory
COSO – Tone at the Top (infrastructure) (integration) (permeation)
(infraestructura) (integración) (penetración)
Internal Auditing: Adding Value
(Auditoría Interna: Agregando Valor)

(Mature) (Embryo) (Radar)


(Maduro) (Embrión)
Governance Integration
•GRC
• Opportunities
(Gobierno)
Risk • Threats
(Riesgos) Evaluation
Board •Check the box
Controls •Reality
External
(Controles)
Audit Committee
Entity •Charter
Control Environment
Process Internal Audit
Management Controls •Charter
Unit
Control Activities

Evolution of the Profession (evolución de la profesión)


Quality (calidad)
Question: Can you be in 100% compliance and go out of
business?
Governance (Gobierno
Corporativo)
Board (Junta) SOD
•Selection Process (Proceso de Selección)
COB CEO
Audit Risk Compensation
Committee Committee Committee Sub.
(comité de (comité de (comité de
auditoría) riesgos) compensación)
•Stock options
•Bonus plans Obj.
• Counter-
CAE CRO productive
•Global •Salaries AAA
•Strategic • Up, up, up,
and away
(CRMA)

Issues (cuestiones):
•Accountability – Governance, Risks, and Controls (responsabilidad)
•King III
•Transparency (transparencia)
•Sustainability (sostenibilidad)

Personal Opinion (Opinión personal):

The CEO and CFO should not be involved in selecting members of the Board, Audit Committee, Risk Committee, or Compensation Committee
Reporting (Reportaje)
Board (Junta) CEO
Audit Committee
(Comité de Auditoría)

Functional (Funcional)
• Primary Report
• Audit Plan
• Overview of Administrative
• Executive Session (Reunión Ejecutiva)
• Charter
• Performance Evaluation
• Promotions
• Hiring – Rotation - Termination

Proactive Review

Administrative (Administrativo)
• Resources
• Office Space
• Budget
• Training
• Travel
• Staffing

Best Business Crimes
Mr. Kozlowski had the company’s (Tyco) internal auditors report to the board through himself, and ensured they would not audit a Tyco unit through which the fraudulent loans and other payments were made.

Internal Audit (Auditoría Interna)
• CAE
• Charter (Estatutos)
“The internal auditors should have an independent reporting line directly to the Audit Committee.” SAS #99
“Three principal factors contribute to independence and objectivity: the organizational positioning of the function, the corporate
stature of the chief internal auditor, and the reporting of the chief internal auditor to the audit committee.

For day-to-day operational purposes, the chief internal auditor should report administratively to a senior officer who is not
directly responsible for preparing the company’s financial statements. The commission encourages an administrative reporting
relationship in which the chief internal auditor reports directly to the CEO.” NCFFR (1987)
Risk Management Process
(Proceso de Administración de Riesgos)
(Integration and Linkage)
Limitations (limitaciones):
(Integración y conexión) •Limited Oversight
Audit Committee (comité de auditoría) •Limited Knowledge
of Board of Directors •Limited Experience
(oversight) •Limited Accountability
•Technology
•Interconnectivity
CEO
(Responsibility)
Factors (factores):
•Chaos Theory
CRO • Prediction
(Execution) •Butterfly Effect
•Tipping Point
Audit • Organizations (5/9)
Risk Management (gestión de riesgos) • Ethics
Priority •Long-term Planning
•Integration

CAE Status (Estado):


Macro (Resource Allocation) •Check the box
•Reality (Realidad)
• Fraud Risk
• Analytics
Auditor in Charge (AIC)
Micro (Engagement Planning) The Risk Complexity Multiplier
What does CRMA really mean?
(El multiplicador de la complejidad de riesgo)
(Certified Risk Management Assurance)
10 x 100 x 1000
Governance Integration

ERM Implementation (Endless Activity)


(Adapt to Change)
Need
• Globalization Risk Environment
• Technology • Oversight
• Information • Accountability
• Market Volatility • Ownership Continuous
• Interconnectivity • Monitor-Adjust Integration
• Staffing Process
• Rate of Change

Context Risk Gap Dynamic


Desired
Identify Management Analysis Process
ERM
Priority Status
Risks
•Strategic Size
•Operational Industry
•Financial Strategy
•Compliance Competition
Business
Governance Challenges: Plan
•Control Environment
•Internal Environment Integration Cycle
•Goals and Objectives •Challenge
•Tone at the Top •Change
Question (Pregunta)
What are the five primary reasons controls fail?
(¿Cuáles son las 5 razones principales por las cuales los controles fallan?)
1.________________________________
2.________________________________
3.________________________________
4.________________________________
5.________________________________
Why? (¿Por qué?)
Increase
Sugar 10 Times

“V O l l” = Milk
Eggs
9
12
Technically, Ken is innocent. Bacon 16
Stamps 15
Fraud ? Why
Internal Control – Failures
(Control Interno – Fracasos)
What are the five primary reasons controls fail?
1.Lack of integrity
2.Weak control environment
3.Inconsistent objectives
4.Poor communication (Up, Down, and Across)
5.Inability to understand and react to changing
conditions
Internal Control – Integrated Framework

Question:
How many of these relate to “Governance”?
COSO Control (Addressing
Governance)
Challenge (desafío):
•Evolving from Control Activities to the Control Environment

[Figure: COSO cube. Objective categories: Operations, Financial Reporting, Compliance]
Aggregate (agregado)

Activity 2
Activity 1
Monitoring
Entity (entidad)

Unit B
Info. & Communication

Unit A
Process (proceso) Control Activities

Risk Assessment
Unit (unidad)
Control Environment
(Entorno de Control)

“Management should periodically check the batteries in their moral compass.” GES
Audit Plan to Address
Governance
Review
• Audit Committee – Best Practices Approach
• Charter • Unit
• Checklist • Entity
• GAP Analysis
• Documentation

Mandatory Audits - Entity


• Employee Survey • Accruals
• ERM • Change
• Reserves (Step #1)
• Conflict of Interest
• Transformation Transactions
• Complaint Process
• Top-side Closing
• Executive Expense Report
• Revenue Recognition
• Analytical Audit • Compensation
• Ethics Audit
• Governance
Question: How much time does it take to do an entity level audit?
COSO Risk (Riesgo) TIPS

Focus:
•Internal Environment Objectives
(Objetivos)
•Strategies
•Integration
[Figure: COSO ERM cube. Objective categories: Strategic (Estratégicos), Operations, Reporting, Compliance]
Internal Environment

Business Unit
(Componentes del control)
Control Components

Subsidiary
(Ambiente de Control)

Division
Objective Setting

Entity
Event Identification
Risk Assessment
Risk Response
Control Activities
Info. & Communication
Monitoring ERM – Conceptual Framework
Corporate Governance, Risk and
Controls

Rationalization
(Gobierno Corporativo, Riesgos y Controles)

(racionalización)
Opportunity
Monitoring

(oportunidad)
(monitoreo)

Pressure
Override
(controles)
Controls
Organization

(presión)
(Riesgos)

(anular)
Risks
Beneficial Audit Focus
Subjective
A

Job Specificity
R C
OR M
P O R
R C OR M P O R
AAA Objective R
C OR M P o R

COSO Risk Objectives COSO Components


• Control Environment
• Strategic
• Monitoring
• Operations • Information & Communication
• Compliance • Risk
• Financial • Control Activities

Question: What is the solution?


Audit plans from top down that parallel the business plan.
Enterprise Risk Management Integrated
Framework
(gestión del riesgo institucional del marco integrado)
(Strategies)
Linkage: (Estrategias) Uncertainty (Incertidumbre)
•Objectives
•Risk Risk Sources (Fuentes de riesgo)
Condition Changing Circumstances
•Strategies
(Condicion) (las circunstancias cambiantes )

Threats Opportunities Threats


(Amenazas) (Oportunidades) (Amenazas) Technology
(Tecnología)
Opportunities Threats Opportunities
External: Internal: (Oportunidades) (Amenazas) (Oportunidades) New Products
(Nuevos productos)
Uncontrollable Controllable Threats Opportunities Threats
(Amenazas) (Oportunidades) (Amenazas) International
Operations
 Strategies  Reporting (Operaciones
 Operations  Compliance Opportunities Threats Opportunities Internacionales)
(Oportunidades) (Amenazas) (Oportunidades)
Regulations
(Regulaciones)

Tactical Planning Strategic Planning


(la planificación táctica) (planificación estratégica)
Timely Reasonable
Transparent Assurance
Reporting
Internal Auditing
(Auditoría Interna)
Other Governance Challenges
for Board, Audit Committee, and CAE
• Technology (Tecnología) • Fraud (Fraude)
• Continuous Monitoring • Detection to Prevention
• Detrimental to Beneficial
• Globalization (Globalización)
• Risk Interconnectivity
• Analytics (Análisis)
• Staffing (Dotación de Personal) • Integration
• Business Knowledge • Monitoring Process
• Technology • Audit Process
• Risk • Embody
• Governance • Governance
• Control Environment
• CFIA
• CBOK
• Surveys
• Critical Thinking
• Hours of Preparation
• Who Studies
Preguntas y Respuestas

Questions & Answers


Contact information

Glenn E. Sumners, DBA, CIA, CFE


gsumners@hotmail.com
www.sumnersauditservices.org
225-445-4565
8222 Walden Road
Baton Rouge, LA 70808 USA
Conclusions

The primary challenge of the internal audit profession will be fulfilling the prime directive to add value through enhancing governance, risks, and controls.

These challenges will lead to the job enlargement and job enrichment of the profession.
