Accelerating high-growth companies' climb to the top - Strong risk management practices and Internal Audit capabilities as drivers for growth
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Insights on governance, risk and compliance June 2014 Accelerating high-growth companies’ climb to the top Strong risk management practices and Internal Audit capabilities as drivers for growth
Contents Introduction ................................. 1 Getting there from here ................. 2 How can EY help?.......................... 5 Why EY?......................................... 8 Next steps ................................... 11
Introduction
Your company stands at the precipice. You need to scale fast,
and the time to move is now. The challenge is to turn your vision How will your
of long-term sustainable growth into reality. organization assess
Regardless of the growth engine — whether it’s an IPO, another strategic transaction, or
siehlq the reinnesteent of hroÕts — our research and epherience shows that a roZust risc
and taccle the riscs
eanageeent ahhroach leads to the cind of growth that attracts innestors — which enaZles it faces?
further growth.
Ktrong organirational risc eanageeent has a hositine iehact on long%tere earnings
performance. =Q has found that companies with more mature risc management practices
generated the highest growth in renenue and earnings Zefore interest, tapes, depreciation,
and amortization (EBITDA).
The right controls and processes to address the ener%changing riscs of meeting companq
strategies and oZbectines are an aZsolute must for sustainaZle success. Companies
that don’t get the Zasics right can end up paqing the price for unplanned announcements,
missed earnings guidance, and late regulatorq Õlings — none of which engender
innestor conÕdence.
>or manq companies, deneloping proper risc management is much easier said than done.
During a growth Zoom, enerqthing is happening seeminglq at once. Kurprises often aZound.
Epecution on enen the simplest strategq can Ze a challenge. The rising headcount Zrought
aZout Zq runawaq success can outstrip the companq’s aZilitq to aZsorZ the groundswell of
personnel. And anq attempt to respond to these issues maq Ze hampered Zq an onerall lacc
of structure.
But if qour companq is in this position, rest assured2 qou can Zuild a strong Zusiness control
ennironment that will enaZle qou to manage qour Zusiness growth with conÕdence. And as
qou do so, qou can denelop roZust, efÕcient and cost%effectine risc management that will
not onlq help manage Zusiness risc, Zut drine qour Zusiness performance.
Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growth | 1
Getting there from here
The Õrst order of business is strengthening the business control
Is your organization environment.
identifying and tackling It’s no easy task2 CEOs have told us that building the right processes and controls is one
of the most challenging corporate governance issues they face. And two of the top three
risk in a way that reported control deÕciencies contributing to a material weakness were related to the
makes the best use of competency and training of accounting resources or inadequate documentation, policy,
procedures and controls.
available capital?
Risk-based
approach
External
Early
auditor
start
coordination
Leading-
class
internal control
practices
No over-
Experienced
engineering of
team
controls
Process
owner
engagement
The best response is to start with the basics2 build robust processes and controls that
address the key risks that stand in the way of the organization achieving its obbectives. The
Õrst step is to understand and meet short%term compliance needs.
Companies planning to list on most regulated stock epchanges require some level of internal
control certiÕcation. In the MS, those requirements are detailed in the Sarbanes%Opley Act
(SOP), speciÕcally Sections +(*, 1(. and ,(,3 other countries have similar mandates,
e.g., B%SOP in Bapan, C%SOP in China, É-*%)(1Ê in Canada. Eany stock epchanges also
set deadlines for required Õlings, such as M.S. Securities and Epchange Commission (SEC)
Õnancial reporting requirements under >orm )(%C and )(%I.
But it’s a good idea to think and act for the long term as well as the short term. In
developing the internal controls necessary for reliable business operations, accurate
reporting and timely compliance, organizations should also be building the infrastructure
needed for robust risk management.
2 | Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growth
Why robust risk management matters
The transition from internal controls and compliance to internal audit and risk management
Are you unsure of
is a bourney3 full maturity to a leading%edge environment isn’t accomplished overnight. Start how best to develop
by developing and then clearly articulating the Internal Audit (IA) function’s mandate, which
then will drive the alignment of people, process and technology.
your internal controls
In a fully mature risk management environment, the people model is formalized. The skills
and your IA function?
needed in IA are documented by level and aligned by competency to key risk areas and
stakeholder eppectations, and the organization has the Öepibility to direct resources with Is your IA function
the required skills to areas of need. In terms of process, risk assessment, audit planning
and IA activities are fully coordinated and integrated. The IA function regularly updates aligned to your
the audit risk assessment and re%evaluates key business risks throughout the year. And the
organization uses leading%edge tools and technologies to enable efÕcient and effective
organization’s
work streams, continuous risk monitoring, collaborative efforts and the efÕcient epchange strategies and key
of knowledge.
initiatives?
Oorking for both the short term and the long term simultaneously requires signiÕcant time
and effort, but starting up a robust risk management environment as quickly as possible
brings sizable advantages to the business. Is your IA function agile
Effective internal controls give epecutives conÕdence that the business will run smoothly and Öepible enough to
without their constant oversight and that they can sign various regulatory compliance
certiÕcations with a greater degree of comfort. An effective internal control environment,
adapt to your changing
including a routine process for identifying and managing potential issues, bolsters key needs and priorities?
epecutives’ conÕdence that the organization will Õle accurate and timely Õnancial reports.
And it helps organizations provide more accurate and timely reporting.
Robust risk management also helps improve corporate governance. Risk roles and
responsibilities are clearly assigned, and the channels and processes of risk communication,
including language, risk reporting and escalation, are clearly deÕned. The result is better
decision%making, as epecutives gain the ability to consider the business impact of a broader
range of scenarios.
IA’s role is to make sure that the organization’s systems and controls are properly
developed and then implemented to address key risks. As part of its mandate, IA identiÕes,
assesses and then consults with management regarding emerging risks. In the course of its
work, IA can help turn risks into business opportunities through identifying efÕciencies in
business processes as well as leading practices that can be shared across the business. The
IA function is an integral element in the implementation and maintenance of leading risk
management practices.
Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growth | 3
Risk, cost and value
We group leading risk management practices into three categories: risk, cost and value. Taken
together, these practices represent the desired end state for an organization’s risk management
framework, one that goes beyond the basic requirements and adds value to the business.
Risk Cost Value
A leading risk management culture Overlaps and redundancies in risk Overall, risk management provides
is sponsored at the top and cascaded coverage are rationalized or eliminated, the organization with the conÕdence it
throughout the organization. Risk and coverage focuses on high%priority needs to take risk, rather than simply
assessments are comprehensive, and risks. To make sure that the right skills avoid it. As part of its role, IA provides
all risk functions align to a common are in the right place at the right time, process improvement suggestions3
platform. Risk reporting is transparent. the organization uses co%sourcing and identiÕes risks and assists in determining
outsourcing, including global delivery boundaries and tolerances3 and
teaming, as appropriate. Leading contributes to the oversight and
technology and knowledge management assessment of the organization’s most
techniques are leveraged. strategic initiatives, including capital
programs and the integration of
acquisitions.
Do your risk management
functions have the
necessary credibility?
How well do they
leverage each other’s
work and methodologies?
4 | Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growth
How can EY help?
We’ve helped a wide variety of clients develop their internal controls
and transform their risk management environment, starting with
robust, reliable internal controls and moving to a leading-edge risk
management and IA function to pave the way to growth.
Reliable, sustainable internal controls are a must for compliance. We can help you
develop a top%down, risk%based approach that concentrates on the risks most signiÕcant
to your organization.
Establish an approach Document walk-
Assess internal Remediate processes Test processes
and timeline for throughs of processes
control readiness and controls and controls
remediation and controls
1. Assess internal control readiness
We help companies determine where they are on the continuum of internal controls
compliance, where they need to be and how they can close the gaps. We can help you
conduct a Édry runÊ that can detect the early warning signs of control deÕciencies and
help you assess your processes and control designs against leading practices.
2. Establish an approach and timeline for remediation
Once the assessment is complete and any deÕciencies have been identiÕed, we can help
you develop a plan and a timeline to address those deÕciencies.
3. Document walkthroughs of processes and controls
We can help you perform walkthroughs for each mabor class of transactions to
understand the process Öow of transactions and the controls currently in place. We
focus on the completeness of the process, on the strength of the controls’ design, and
on any controls designed to detect or prevent fraud and errors.
4. Remediate processes and controls
Based on the assessment and the walkthroughs, we help you develop a remediation
plan and Õp the identiÕed issues.
5. Test processes and controls
We help you determine the success of remediation efforts through further testing of
processes and controls.
We focus on strategies designed to optimize your control environment and drive
efÕciencies in the evaluation and operation of internal controls, including focusing on
automated controls and the use of global delivery teaming where possible. We use our
proprietary control tools to identify potential areas of automation3 then, using our
leading%practice normative models, we help you develop appropriate approaches to
monitoring and controls.
6 | Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growthAs you move beyond internal controls and compliance to a more fully developed risk
management environment, we can provide you with the fastest and most efÕcient way to
achieve a credible and effective IA function.
Develop an Conduct audit Communicate
Develop audit plan Execute
IA strategy risk assessments results
1. Develop an internal audit-speciÕc strategy that aligns with your organization’s
strategic plan.
2. Focus regular risk assessments on enterprise%wide coverage, management
participation and a direct link back to your company’s overall strategy and initiatives.
3. Develop an audit plan that includes the areas of greatest risk to your company’s
achievement of its strategic obbectives, as well as those of most concern to
management and the board.
4. Execute on the plan using leading practice methods, tools and enablers, including
analytics, as part of a comprehensive program throughout the audit lifecycle rather
than on an ad hoc basis.
5. Communicate the results, including strategic business insights and recommendations
to drive value.
Msing tools and enablers, such as our EY process toolkits and our controls review tool, we
can conduct a dynamic risk assessment, adbusting the audit plan as needed to keep pace
with your organization’s changing risk proÕle.
Our co-sourcing and outsourcing capabilities
If your current capabilities don’t align with your risk management approach, we can
help with co%sourcing and outsourcing arrangements. Consider these beneÕts2
A scalable support function that is more cost%effective than building in%house capacity
Access to leading practice support plans, documentation and testing
An improved risk management environment through education and training
Fo matter where you are on your bourney toward reliable, sustainable risk management,
we can help you get there.
Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growth | 7Why EY?
We are the market leader in internal controls and internal audit.
Do you have the right With bust under -(
market share, EY is the clear leader in providing risk advisory, internal
professionals, processes control and internal audit services. As the global leader in SOP compliance services, we
serve ,*
of the >ortune -((. And as the clear leader in internal audit, we provide internal
and tools to assess audit services to more >ortune -(( companies than all of the other Big >our combined.
the key risks and to We’re also the global IPO leader among the Big >our, in terms of both number of deals and
value of capital raised.
develop and reÕne We’ve taken the lead thanks to the depth and breadth of our knowledge and epperience, our
your risk management global reach and integration, and our diversity and inclusiveness. We are able to offer our
clients the services they need, when they need them, wherever they need them, provided
capabilities? by teams with a healthy diversity of skill sets, epperience and backgrounds.
We also know how to work with high%growth companies. We are the world leader in
advising, guiding and recognizing entrepreneurs. Each year, we celebrate high%impact
entrepreneurs and their achievements through programs such as EY Entrepreneur Of The
Year™, Entrepreneurial Winning Women and our Strategic Growth Forums. And we’ve
developed a range of tools and resources for high%growth companies, including our Global
Center for Entrepreneurship and Innovation (ey.com'entrepreneurship) and our Global IPO
Center of Epcellence (ey.com'ipo).
Our epperience and knowledge will help us understand and further your growth strategy.
And as your organization moves toward a robust, reliable risk management environment,
we can help make sure that you have the infrastructure and controls you need. We can help
you develop an agile, scalable risk management capability that meets your needs and Õts
your budget. And our co%sourcing and outsourcing capabilities can help your organization
get the most value for its money, with beneÕts such as2
The approach you need at a cost you can afford. You pay only for productive time3 we
make the investments in methodology, technology, training, recruitment'retention and
our cost%effective global talent hubs.
The skills you need when you need them. We can bring in the right people from our global
network of subbect matter resources to address the issues at hand.
We have the resources, methodology and tools to help you develop the appropriate risk
management environment and IA function in an efÕcient and cost%effective way, embedding
leading%edge analytics as well as co%sourcing, outsourcing and global delivery teaming. Our
global internal audit methodology features2
A proven, consistent global approach, enabled by technology
A focus on higher%risk issues with integrated subbect matter resources
Governance and epecution protocols with the rigor to drive change
An emphasis on Öepible risk assessment and on continuous communication of root cause
issues as well as improvement recommendations
Cey performance indicators that drive accountability and performance
8 | Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growthOur strengths
To help our clients make the journey to a fully mature risk
management environment, we make signiÕcant and continuing
investments in our people, processes and technology around
internal controls, compliance and internal audit.
We are proud of our strengths:
Our people
Our deep commitment to developing our people means that our internal control and
internal audit professionals beneÕt from eptensive training — and from working with
colleagues with deep epperience in the Õeld. We have more than ).,.(( dedicated
internal audit and IT audit professionals around the world.
Our investments in knowledge
Cnowledge management and knowledge sharing are an integral part of our internal
control and internal audit service delivery. Our investment in knowledge management
resources helps our engagement teams operate more efÕciently and effectively. And
the epperience our professionals gain through knowledge sharing and Éon the bobÊ
enables us to get things up and running more quickly.
Our service delivery model
We have developed a service delivery model and toolkit ready for plug and play, with
company%speciÕc modiÕcations as necessary to help you stand up effective internal
control and internal audit functions quickly and efÕciently.
Our innovative tools and enablers
We use proprietary tools and processes to help you derive the mapimum value from
your internal control and internal audit functions. Our tool set includes risk assessment
tools, such as WebSurveyor, data analytics applications, such as EY'Analyzer ERP and
Tableau3 controls analysis tools, such as our proprietary RiCAP tool, the Õrst tool of
its kind3 and process and controls benchmarking tools such as, RCA (risk, control and
analytics) and our controls review tool (CRT).
Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growth | 9Fept steps
Robust risk management accelerates high-growth companies’
journey to the top.
Risk management functions can provide critical perspective in the growth bourney, helping
organizations design their controls appropriately, cover the risks that matter and drive
value through process improvements.
The right controls and processes are an absolute must for sustainable growth. They
enable compliance, reassure investors and regulators, and build the foundation for driving
continuous improvement through the organization. In short, robust risk management
forms the lens that can help you focus on turning your long%term vision into reality.
EY has the people, the methodologies and the tools to help make your vision of long%term,
sustainable growth a reality. Let us help you build the internal control and IA functions
that enable you to manage your business growth with conÕdence — and attract investors
who can fuel that growth. We stand ready to help you make the bourney toward the risk
management function your organization needs and deserves.
Call to action
1 Assess your internal control and IA capabilities
and readiness to support and enhance the growth
bourney if necessary.
2 Conduct a diagnostic of the internal control and
internal audit processes and identify the areas
where the value can be added.
3 Collaborate with other company risk management
functions to clearly deÕne roles and responsibilities
to identify both gaps and overlaps in risk coverage.
Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growth | 11Want to learn more?
Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks and the
related challenges and opportunities. These timely and topical publications are designed to help you understand the issues and provide you
with valuable insights about our perspective. Please visit our Insights on governance, risk and compliance series at www.ey.com/GRCinsights.
If you want to turn a good business into a great one, we know what it takes. You can access our latest thinking and resources in one of four
global centers of epcellence on2 www.ey.com/GL/en/Services/Strategic-Growth-Markets.
Step up to the challenge: `elhing Internal Au\it Eppecting more from risk management: \rive Centralized operations: t`e future of oherating
ceeh hace wit` a volatile risc lan\scahe. business results t`roug` `arnessing uncertainty. mo\els for Risk$ ;ontrol an\ ;omhliance functions.
www.ey.com/IArisks www.ey.com/REPM www.ey.com/centralohs
Eatching Internal Audit talent to organizational Getting value out of your lines of defense: Mnder cyber attack2 EY’s Global Information
needs: cey Õn\ings from t`e Global Internal A hragmatic ahhroac` to establis`ing an\ Security Survey 2013.
9u\it Survey 2013. ohtimiring your DG< mo\el. www.ey.com/giss2013
www.ey.com/IAsurvey2013 www.ey.com/lo\
The vital entrepreneur: Right team, right story, right price: Risk management after an IPO:
`ig` imhact at its best. institutional investors suhhort IPGs t`at L`e essential gui\e for IPG%boun\ comhanies.
www.ey.com/US/sgf come to market well hrehare\. www.ey.com/ihocenter
www.ey.com/ihocenter
12 | Accelerating high-growth companies’ climb to the top — Strong risk management practices and internal audit capabilities as drivers for growthAt EY, we have an integrated perspective on all aspects of organizational risk. We are the market leaders in internal audit and Õnancial risk and controls, and we continue to eppand our capabilities in other areas of risk, including governance, risk and compliance as well as enterprise risk management. We innovate in areas, such as risk consulting, risk analytics and risk technologies, to stay ahead of our competition. We draw on in%depth industry%leading technical and IT%related risk management knowledge to deliver IT controls services focused on the design, implementation and rationalization of controls that potentially reduce the risks in our client’s applications, infrastructure and data. Information security is a key area of focus where EY is an acknowledged leader in the current landscape of mobile technology, social media and cloud computing. As businesses grow into market leaders, they face many challenges and opportunities. Our Strategic Growth Market professionals can help at every step. We’ve worked with entrepreneurs and the leaders of fast%growth businesses for more than three decades. We’re the world leader when it comes to guiding, advising and recognizing outstanding entrepreneurial talent. Our epperience tells us that every growth business faces sip key challenges. We can help you get the best from your people, improve your effectiveness, raise and manage finance, manage risks better — including the uneppected ones — epecute the right transactions and alliances, retain customers and succeed in new markets.
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax,
About EY’s Advisory Services
transaction and advisory services. The insights Improving business performance while managing risk is an increasingly complex business
and quality services we deliver help build challenge. Whether your focus is on broad business transformation or more speciÕcally
trust and conÕdence in the capital markets on achieving growth, optimizing or protecting your business, having the right advisors on
and in economies the world over. We develop your side can make all the difference. Our +(,((( advisory professionals form one of the
outstanding leaders who team to deliver on our
broadest global advisory networks of any professional organization, delivering seasoned
promises to all of our stakeholders. In so doing,
we play a critical role in building a better working multidisciplinary teams that work with our clients to deliver a powerful and exceptional
world for our people, for our clients and for our client service. We use proven, integrated methodologies to help you solve your most
communities. challenging business problems, deliver a strong performance in complex market conditions
and build sustainable stakeholder conÕdence for the longer term. We understand that
EY refers to the global organization, and may you need services that are adapted to your industry issues, so we bring our broad sector
refer to one or more, of the member Õrms of experience and deep subbect matter knowledge to bear in a proactive and obbective way.
Ernst
Young Global Limited, each of which is
Above all, we are committed to measuring the gains and identifying where your strategy
a separate legal entity. Ernst & Young Global
Limited, a MC company limited by guarantee, and change initiatives are delivering the value your business needs.
does not provide services to clients. For more
information about our organization, please visit To Õnd out more about how our Risk Advisory services could help your organization, speak
ey.com. to your local EY professional or a member of our global team, go to: ey.com'advisory.
¡ *(), EYGE Limited. The leaders of our Risk practice are:
All Rights Reserved.
Global Risk Leader
EYG no. AM*-)/
ED none Paul van Kessel #+) 00 ,( /)*/) paul.van.kessel8nl.ey.com
In line with EY’s commitment to minimize its impact on Global and Americas IA Leader
the environment, this document has been printed on
paper with a high recycled content.
Michael O’Leary #) +)* 0/1 ,.(- michael.oleary8.ey.com
This material has been prepared for general informational Area Risk Leaders
purposes only and is not intended to be relied upon as accounting,
tax, or other professional advice. Please refer to your advisors for Americas
speciÕc advice.
Amy Brachio #) .)* +/) 0-+/ amy.brachio8ey.com
ey.com'GRCinsights EMEIA
Jonathan Blackmore #,, *( /1- )).). bblackmore8uk.ey.com
Asia-PaciÕc
Iain Burnet #.) 0 1,*1 *,0. iain.burnet8au.ey.com
Japan
Yoshihiro Azuma #0) + +-(+ ))(( azuma%yshhr8shinnihon.or.bp
The leaders of our Strategic Growth Earkets (SGE) practice are:
Global SGM Leader
Maria Pinelli #,, *( /10( (1.( maria.pinelli8uk.ey.com
Area SGM Leaders
Americas
Herb Engert #) *)* //+ .*(* herb.engert8ey.com
EMEIA
Andrea Vogel #+) 00 ,( /,(/( andrea.vogel8nl.ey.com
Asia-PaciÕc
Ringo Choi #0. /-- *-(* 0*10 ringo.choi8cn.ey.com
Japan
Tohru Ohshitanai #0) + +-(+ ))(( ohshitanai%thr8shinnihon.or.bpYou can also read
