At companies where internal audit and risk processes are maturing, they are now honing their operations to become more efficient and effective.

It all starts with strong, open, trusting relationships that enable internal auditors to act less like cops and more like business advisers, John Barresi, vice president of internal audit and financial controls at jewelry maker Tiffany & Co, said last month at the Compliance Week 2011 annual conference. “We need open lines of communication to understand what's going on in the business,” he said. “We don't penalize the business when we find issues. An audit finding is not a ‘gotcha' event. We're trying to find improvements to processes.”

Barresi said Tiffany's internal audit function spends little time on the internal controls over financial reporting that the Sarbanes-Oxley Act brought to the fore in the 2000s; now the company's focus is on tailoring the internal audit function to address the specific risks of each business unit.

Tiffany has achieved that focus in part by leveraging data analytics, Barresi said. The company uses various IT tools to monitor transactions most suggestive of control issues, he explained; those are monitored on a regular basis to look for signs of trouble. “That has really reduced the amount of time we need to spend doing full-blown store audits,” he said. The $3.1 billion company has more than 230 stores in 20 countries, yet needed to perform only four full store audits in the most recent year.

Finding the right formula for staffing is also important, Barresi said. The average age of internal auditors entering the profession is falling, which means chief audit executives must retain their best people and give them good training to assure they can meet the demands for a more expert focus on risky issues. Tiffany's internal audit staff has become “top heavy” in terms of experience and expertise, according to Barresi. “As you move further down that risk pendulum, that level of experience is critical,” he said.

At Office Depot, Bob Brewer says his internal audit function leverages the corporate-wide enterprise risk management function to achieve greater efficiency. Brewer is chief audit executive and chief compliance officer for the $11 billion office supply business.

The company's ERM process already produces regular input from a cross-functional steering committee, an executive committee, and various subject-matter experts, who identify risks from every conceivable angle. The risk analysis produced via the ERM process provides an ideal planning platform for internal audit, Brewer said. In addition, the company's loss prevention process reports through Brewer's office, providing more centralization of risk information that's useful to the internal audit function.

Brewer also is pinning some hopes on co-sourcing much of the internal audit function at locations outside the United States. The co-sourcing model works particularly well in locations where English is not the primary language, he said.

By hiring outside help in those locations, the company can also look for more diverse subject-matter experts at the same time, Brewer said. That adds expertise in niche areas where the company may not have such talent in-house, he said. Although efficiency is one objective in pursuing such an approach, Brewer can't make any big claims about success just yet. “It's too new,” he said.

John Barresi (left), VP of internal audit and financial controls at Tiffany & Co., discussed why proper staffing is essential to effective audit operations. Looking on at right is Office Depot CCO Bob Brewer; Gary Hansen, VP of management audit at Walt Disney, sits at far right.

Gary Hansen, vice president of management audit at Walt Disney Co., said the company has successfully used a co-sourcing approach for more than a decade. Disney works with a Big 4 firm that identifies the right personnel to fill specific needs. It works well, Hansen said, because the accounting firm has successfully “cracked the code” in matching its talent pool with Disney's specific needs.

Hansen did, however, caution his fellow compliance officers to be specific about engagements when hiring expertise from outside the company to help with internal audit. “Be careful of consultant-speak,” he said. “When I pay the bill, you work for me, and you're going to audit.” Companies should be wary of being sold services they didn't ask for, but they should also seek to learn as much as possible from outside subject-matter experts during the time they are engaged.

Hansen has another tactic for building efficiency into the internal audit process: He recruits “guest auditors” from throughout the Disney organization to assist with internal audit work, providing some cross-pollination of talent inside the company. “It's good for the guest auditor, it's good for our team, and it's good for the group being audited,” Hansen said. The guest auditor assignments tend to be coveted opportunities within Disney, he added.

Risk Assessments

To improve the assessment and monitoring of risk, the GAVI Alliance has baked the identification of risk into its key performance indicators for management, said Cees Klumper, director of internal audit for GAVI—a global alliance that promotes childhood vaccinations worldwide. “Audit surprises are a KPI,” he said. “If I identify a risk that wasn't on the radar of management, that's bad. I'm not supposed to identify risk.”

Rather, Klumper said, internal audit's role at GAVI is to challenge management's identification of and management of risks. That includes helping define the risk appetite, which can be a fine line to walk, Klumper said.


Misuse of funds, for example, is an intolerable risk for GAVI, but one that is hard to define. Reducing a risk to zero is unrealistic, Klumper admitted, but putting a percentage figure on some acceptable risk level presents a separate risk of its own. “Any percentage risk of misuse of funds is a dollar figure,” he said. Such a figure could be misconstrued as some tolerated level of management mishandling the money, he said.

Michele Abraham, a corporate attorney in ethics and compliance at Timken Co., a $4 billion components maker, said her company assesses and monitors risk following an annual compliance process. Once risks are identified, they are rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit monitoring plan, she said.

Timken strives to give employees plenty of training to guard against the most significant risks coming to pass, to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. That's a step the board of directors appreciates, Abraham said.

“We've gotten some positive feedback from the board,” she said. “They say it's easy to understand what we're doing. And it's valuable for the business because it provides a clear template to talk to the leadership team about how we're going to prevent risks from materializing.”