Internal Audit, Risk and Compliance
The role of Internal Audit (IA) is changing. Whereas its traditional task has been to ensure compliance, it is now becoming more involved in top-level decision making, protecting the organization against risk and improving control systems.
Many organizations do not have the IA staff with sufficient knowledge and expertise to meet these challenges, and are left with a function that is not flexible enough to respond to the changing business and regulatory environment and increasing stakeholder demands. Yet achieving high quality IA will require substantial investment in people, resources and technology.
Why KPMG? – Helping clients manage risk
As a global leader in IA, KPMG's Advisory Services practice has a large team of experienced professionals, with e-commerce, fraud investigation, procurement, supply chain management and IT knowledge gained across a wide range of industry sectors.
Not only do we bring a structured, objective approach, we also aim to pass on our knowledge to the client’s own team, helping them to:
- Save the time and hassle of developing an in-house function
- Save costs of recruiting new staff
- Comply with Sarbanes Oxley
Our approach utilizes a number of proprietary tools and methodologies. We work closely with clients to clarify the role of IA, and align this with their strategic objectives, focusing on:
- Identifying and evaluating the risks associated with their main business objectives
- Helping to ensure that policies and procedures comply with the necessary standards of corporate governance
By carrying out in-depth interviews, we’ll assess the overall effectiveness of the client’s IA function and identify any gaps in delivery.
We offer advice on partial or full outsourcing of the IA function.
Co-sourcing of internal audit
We would typically report to the head of IA and would either:
- Supplement an in-house team by working alongside them on specific projects, passing on our in-depth knowledge, or
- Take full responsibility for specific reviews on areas such as risk assessments, risk modes, treasury, information systems and procurement. We either use our own or the client’s IA methodology and technology.
Outsourcing of internal audit
In this instance we report directly to the highest independent authority in the organization, typically the Board or Audit Committee Chairman:
- We would usually use our own IA methodology, supported by appropriate technology
- KPMG has a fully developed program for integrating in-house resources with our own. This approach will help ensure a smooth transition of resources, thus maintaining a high quality of customer service.
The Approach
KPMG: acting as a vital management tool
The first step for KPMG's Advisory Services practice is to gain a thorough understanding of the client’s business and strategy by interviewing relevant managers, after which we:
- Structure audit areas by processes
- Analyze process risks
- Create a long-term audit plan
- Develop detailed audit plans for individual business processes.
We then carry out the audits, ensuring that our approach is focused on the effectiveness of the company’s risk management processes and activities. Finally, we present our findings and make a number of recommendations for improvement.
Target clients
Internal Audit Services is targeted at clients that:
- are facing a highly volatile business environment and looking to develop an IA function to monitor business processes and ensure these are properly controlled.
- would like to improve the existing IA function.
SARBANES-OXLEY SECTION 404
Under Section 404 of the Sarbanes Oxley Act of 2002, a company’s management has to assess the effectiveness of the company’s internal control over financial reporting. To achieve this they will need to put together an overall control framework.
Creating a process for monitoring internal control, often across multiple business units and a broad range of systems, is a huge strain on resources, and CEOs and CFOs will be anxious not to leave any gaps in the financial reporting.
Why KPMG? - A smoother transition
We will assess how ready the organization is for 404 and identify the steps required to achieve full compliance. Our structured approach will help ensure consistency across the global operations; clients manage their internal control structure centrally. In getting ready for Section 404, KPMG has identified six main phases:
1-Plan and Scope the Evaluation: Establish internal control evaluation process into SOX scope. Determine significant controls, processes, and locations/business units to be included in SOX scope. Define project approach, milestones, timeline and resources. Launch the project.
2-Document Controls: Document design of key controls in significant processes and classes of transactions for all significant locations and business units.
3-Evaluate Design and Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting and document results of the evaluation.
4-Identify and Correct Deficiencies: Identify, accumulate, and evaluate control deficiencies in design and operating effectiveness. Communicate findings and correct (remediate) the control deficiencies.
5-Report on Internal Control Over Financial Reporting: Prepare management’s written assessment on the effectiveness of internal control over financial reporting.
6-Audit of Internal Control: Prepare for the independent auditor to conduct the audit of internal control over financial reporting.
We look into every aspect of a client’s processes, controls, resource needs and constraints, knowledge and training, communications and other requirements in each of the six areas of the processes explained above.
Project management will play a key role in implementing Section 404, and KPMG will take a thorough look at your capabilities and, if necessary, suggest changes or extra support.
The Compliance Journey
Of course, meeting initial regulatory requirements is just the beginning for clients. They’ll want to be sure that they’re managing compliance on an ongoing basis, and also to leverage the investment for the greater benefit of the business. Compliance should not be seen as merely a burden, but as a platform for adding value, making better-informed decisions and reducing risk.
Sustaining Compliance
Clients have to identify their approach to keep up compliance on an ongoing basis.
Internal Control over Financial Regulations (ICOFR) testing services help organizations test how well prepared they are for sustaining compliance.
Remediation Roadmap looks at trends in control deficiencies, and is a basis for improving controls.
CASE STUDY
Reviewing the internal control framework
The Issue
A global financial institution needed to satisfy Sarbanes-Oxley and asked KPMG's Advisory Services practice to help in reviewing and documenting its internal control structures and financial reporting procedures.
The Approach
This was a large, company-wide project, and would put a big strain on resources, so the client divided the task into two phases:
- In the first phase, we reviewed the Finance and Operations divisions, as well as areas considered to be higher risk, such as IT.
- In the second phase, we addressed Human Resources, Legal, Compliance and Corporate services, as well as other specific segments of the business.
KPMG gave advice to the client’s Sarbanes-Oxley Steering Committee and the project management team running the program, and also worked closely with the external auditor to ensure that all activities were coordinated.
The Result – A clear picture
- The client received a full, objective assessment of how effectively it was controlling its financial reporting. Our review looked into both the design and the operating effectiveness of the group’s internal controls
- They were able to introduce a new global framework, including revised documentation standards
The client now has the assurance of a consistent and structured approach across its international operations.
For further information on KPMG's Advisory Services, please contact us.
Key Contact

İdil Gürdil
Partner
Head of Risk Management & Compliance
Tel: +90 212 317 74 00
© 2010 Akis Bağımsız Denetim ve Serbest Muhasebeci Mali Müşavirlik AŞ, the Turkish member firm of KPMG International, a Swiss cooperative. All rights reserved.

