Guide Pratiche - Generali

Auditing External Business Relationships

This guide provides internal auditors with guidance in auditing external or extended business relationships (EBRs). Management also may use this guide in managing and monitoring the risks associated with these relationships.

When contemplating the internal audit activity's EBR responsibilities, consider the following:

• Organizations have multiple EBRs that satisfy a variety of business needs.
• Each relationship presents risks.
• It is management’s responsibility to manage these risks and realize the benefits.
• Internal auditing plays a key role in assisting management and validating management’s efforts.

Organizations conduct business with EBR partners for a variety of reasons. Organizations may seek benefits like enhancing revenues through licensing and distribution arrangements, reducing costs in areas of an organization’s that are outside of its core competencies, or augmenting existing resources focused on its core competencies. However, with these business relationships also comes inherent and control risks associated with working with external business partners. By associating with external partners, an organization often bears risks similar to those it would experience internally, without the external association (for example, an organization still bears risks for outsourced processes). In addition, the organization is exposed to risks imposed by association with the third party, as well as the activities of the third party, including reputation, brand, and economic risks. Internal auditors can help management and the board identify, assess, and manage these risks.

Organizations’ managements are responsible for managing and monitoring their EBRs and related risks. While entering into a business relationship allows an organization to create benefits and share some risk with the EBR, the organization still retains ultimate responsibility and accountability over a number of risks. Not all risks can be relegated to the business partner. The organization needs to monitor and manage these risks.

The organization is responsible for risk management activities encompassing tasks such as selection of business partners, contract effectiveness, partner/customer contract management controls, contract compliance monitoring and reporting, and business relationship management. Without proper controls in place to address the risks associated with these responsibilities, the organization may lose revenue or incur higher costs, as well as have inefficient operations, misreporting, and even damaged brand, in addition to impacted business relationships.

By taking ownership and control of these responsibilities, organizations have the ability to reduce risk and help foster a relationship of trust and accountability with its business partners. With good oversight of its business relationships, an organization can account for all revenues and potentially reduce costs ― the organization can receive the full benefits of the business relationship.

Internal auditors need to understand all the elements associated with EBRs, from initiating a relationship, contracting and defining a relationship, procurement, managing and monitoring the continued relationship (including control environment considerations of objectivity and independence of those responsible for managing and monitoring), and finally discontinuing the relationship. After understanding the expectations of both parties, along with the appropriate processes to manage and monitor the relationship, the internal auditor develops an appropriate internal audit program with relevant audit objectives for internal audits of external relationships. In addition, internal audit procedures may include elements of evaluating adherence to (and compliance with) contractual terms to determine whether monetary and non-monetary obligations are met.

It is important for organizations to know that they are getting what they are paying for, that they are collecting what they are earning, or, simply, that they are receiving the benefits anticipated from the relationship. Internal audit procedures may uncover missed revenue or cost savings, improve reporting accuracy, and enhance value resulting from the relationship through one or more of the following: limiting fraudulent activity, increasing trust with participants in the relationship, fostering feedback, improving relationships, and helping management improve internal and external control.

Formulating and Expressing Internal Audit Opinions

This Practice Guide provides practical guidance to internal auditors who wish to form and express an opinion on some or all of an organization’s governance, risk management, and internal control systems.
Applicability

This may be applicable to and useful for:

• Chief Audit Executives (CAEs).
• Boards.
• Executive and operating management.
• Other assurance providers (OAPs).
• Other professional regulatory bodies.

Background

Internal audit activities are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).

Examples of macro and micro opinions include:

• An opinion on the organization’s overall system of internal control over financial reporting (macro).
• An opinion on the organization’s controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries (macro).
• An opinion on the effectiveness of controls such as budgeting and performance management, when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organization’s assets, resources, revenues, etc. (macro).
• An opinion on an individual business process or activity within a single organization, department, or location (micro).
• An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit (micro).
• An opinion on the organization’s compliance with policies, laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units (micro).Formulating and Expressing Internal Audit Opinions

Auditing Anti-Bribery and Anti-Corruption Programs

Increasing globalization, legal complexities, and the potential for serious financial and reputational harm have made the risks of bribery and corruption, and audits of anti-bribery and anti-corruption programs, top corporate issues. Auditing anti-bribery and anti-corruption programs requires a team of auditors with collective skills, knowledge, and expertise in compliance, fraud, investigations, regulatory affairs, IT, finance, culture, and ethics.On the global front, the U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act are examples of strict legal regulations, each with far-reaching international implications. And evolving anti-bribery and anticorruption legislation in China, Hong Kong, India, and other countries (see page 17) is further complicating the matter. Private and public sector organizations are increasing awareness of bribery and corruption exposures and fighting back through international accords, regional conventions, best practice guides, and information on perceptions and instances of bribery and corruption.

Talent Management

Recruiting, motivating, and retaining great team members is recognized as one of 10 imperatives that will enable internal audit to drive success in a changing world.According to The IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) study, internal audit departments need to cast their nets wider to attract, motivate, and retain team members who are able to understand and anticipate the rapidly changing business environment. Professional development also plays an important role, and internal auditors should share responsibility for their professional development with the internal audit activity.La Guida Pratica, scaricabile gratuitamente per tutti i soci AIIA, è acquistabile in formato elettronico per i non soci >>

Assessing the Risk Management Process

Around the world, risk management activities and initiatives are required and expected by regulators, rating agencies, and a host of other stakeholders in major industries including financial services, government, manufacturing, energy, health services, and more. However, risk management is driven by more than regulations and external forces. Implementing efficient and effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value and sustainability, ultimately better safeguarding their stakeholders.

Auditing Culture

The culture of an organization drives how it conducts business and executes its strategies. All organizations have a culture, whether intentionally created or not. Likely there are also subcultures within an organization, especially if multiple locations or campuses exist. Each department or location may have its own unique culture aside from the overarching organizational culture. Global cultural differences also affect the desired objective of an intentional organizational culture. Further, elements of an organization’s culture may be in a continuous state of flux.