www.pwc.com/india

The Journey Chief Audit Executives Round Table Conference

2009-10

Introduction

Background The journey of the round table The conference also aims to assist conferences began with discussions young and upcoming professionals in amongst a few Chief Audit Executives enhancing their knowledge through who were deliberating on the need to interactions with more experienced have a forum which would allow internal audit professionals. them to network with their peers on So far six round table conferences a regular basis. have been held and the following PwC offered to facilitate such themes were discussed: discussions in a structured manner • Positioning for Future Success: and the first roundtable conference Transforming Internal Audit came to life in October 2009. • Risking it All- A Case Study Objective • The Financial Fraud at Wipro The conference was envisioned to • Control Self Assessment bring together creative and forward • Emerging Risks thinking senior internal audit • Risk Assessment Process professionals and provide a forum for • PwC’s Global Internal Audit open exchange of ideas on diverse Survey 2010 issues . • Bridging the Gap Between Diverse Expectations of Various Stakeholders from the Internal Audit Function • Role of Internal Audit in Addressing Fraud Risk

The Journey 3 Positioning for Future Success Transforming Internal Audit

First Round Table Conference - 15 October 2009

An Overview Key Pointers In a globalised business community and The discussions highlighted key Some key practices deliberated in the with the state of the western economy aspects of how Internal Audit could forum were: on the brink of recession during the deliver in such challenging times. The later half of 2009, the fear of a trickle focus of these discussions was on How to realign audit coverage and down effect onto Indian businesses understanding how Internal Audit can deliver more value became a matter of grave concern. deliver more value & improved • Incorporating an accepted model of performance and at the same time value creation & performance, as a With all aspects of company operations reference point, for identifying risk. under pressure and management reduce internal audit costs. scrutiny, chief audit executives were • Identifying risks through an challenged to pay special attention to industry sector lens & the audit the value that their departments deliver impact associated with these risks. and the value that is recognized by their • Evaluating risk, based on its internal customers – typically the audit impact to enhance or reduce committee and management. shareholder value. • Creating an audit plan that is prioritized based on results of a value-oriented risk assessment.

4 PwC How to reduce cost • Explore opportunities to reduce audit cycle time by conducting more focused audits. • Focus and reduce fieldwork through better risk assessment and more focused transaction testing. • Streamlining reporting processes. Explore opportunities to standardise and automate reporting. • Explore areas where technology can streamline or enhance an audit process. • Use staffing models that adequately leverage skill-sets. • Leverage offshoring & outsourcing opportunities. The time is right for chief audit executives to re-examine strategy, optimize internal processes, and find ways to produce more value, but at a lower cost.

The Journey 5 Risking it All A Case Study

Second Round Table Conference - 27 November 2009

An Overview Key Pointers With the increasing complexities and To facilitate the discussion, a video Some of the key insights from the demands for better performance, was screened. This video has been discussion are indicated below: there seemed to be a growing trend of successfully presented at various Internal audit function needs to management frauds either to show conferences held by the PwC network better results or for personal gains. firms. take charge In an event of a fraud, the internal In these times, it was important to The video talked about a whistle audit function needs to step in and step back and look at the role of blower’s allegations around a fraud. It assist the management by conducting internal audit. It was also important to traced events beginning with the audit thorough investigations. If the need recognize that for many internal audit committee meeting, where the next arises, it needs to make use of functions, team members may not steps were deliberated, till the closing external/ appropriately skilled 3rd have experienced such a crisis of the issue with the stock exchange party resources. regulator. The video touched various aspects which play on the minds of Position of internal audit within an the audit committee while facing such organization allegations and how their decisions The video portrayed a disconcerting affect the company and the position of the internal audit function shareholders. showing that it held little credibility in the eyes of the audit committee. In all their discussions, internal audit function was not even consulted.

6 PwC Get to the bottom The stakeholders should tread carefully in fraudulent situations and should spend sufficient time in order to get assurance that all the wrong doings have been identified and rectified . The organization should ensure investors are duly informed on the developments of the investigations and the impending actions being taken to resolve the crisis. Set an example / Tone at the top It is imperative to act decisively ; The senior management needs to set to identify all the root causes as an example by coming down heavily well as the perpetrators and on all involved in the fraud to ensure that going forward, the employees eliminate both from the think twice before proceeding with organization. such malpractices. Policies and procedures Organizations need to have in place a whistle blower policy, a compliance office and strict code of conduct to discourage employees from adopting any unethical or fraudulent practices.

The Journey 7 The Financial Fraud at Wipro

Third Round Table Conference - 19 February 2009

An Overview Key Pointers In light of the news around the 4 The group, while debating, pointed Million dollar fraud at Wipro a couple out that often some basic control of days before the conference, the lapses can lead to severe frauds. All CAE’s wanted to exchange notes on agreed that it is therefore important the latest updates on the case. The for organizations to ensure that basic group deliberated on the following: controls are not compromised: • How an employee could manage to • Periodic job rotation, especially in carry out such an elaborate fraud all sensitive areas. for over 4 years and go unnoticed. • Strong Bank Reconciliation process. • What are some of the common • Segregation of Duties. pitfalls and control gaps that Internal Auditors should be • Tighten information security sensitive about. policies. • Periodic lifestyle check for key personnel.

8 PwC Control Self Assessment

Third Round Table Conference - 19 February 2009 An Overview “Control self Assessment” (CSA) is an important step towards improving the consciousness and culture in the Key Benefits organization. The group wanted to Key Pointers • Journey towards driving cultural deliberate the pros and cons of the Mr Amit Roy from NIIT and Mr changes. CSA process and also wanted to Harish Dua from SRF took the group • Empowerment of process owners know more about practical through the Control Self Assessment and improving control challenges in implementing and then process in place at their consciousness. driving this process. organizations. The group discussed the following: • Strong synergies which can make the audit process more efficient. Key Features • Buy in of process owners. • Risk based assessment. In the long run, the CSA program helps the • Prioritization in terms and impact. employees in becoming more mature in their • Need for digitization. understanding of internal controls, thereby • Real time dashboards. supporting organizational growth. • Audit of responses on a sample basis for ensuring correctness of self evaluations. • Penalties for incorrect responses.

The Journey 9 Emerging Risks

Third Round Table Conference - 19 February 2009

An Overview Characteristics Key Pointers CAE’s discussed the increased board • They impact multiple parties across The emerging risks ( across 5 room conversations around emerging geographic borders and industries / categories - mentioned below) risks. They wanted to deliberate on sectors. pointed out by World Economic what are the emerging risks and how • They may be low on probability but Forum 2010 were shared and they could be on a look out for those represent a very high impact. discussed in the cofnerence. risks in their business. • They may be beyond an • Economic Risks organizations direct control. • Geopolitical Risks • Mitigation requires collaboration • Environmental Risks across supply chain partners or • Technological Risks with peers. • Societal Risks Internal audit should be engaged with the leadership and the Board for driving a discussion on emerging risks and evaluating the impact that these may have on the business.

10 PwC An Overview With an increasingly complex and Risk Assessment global business environment, heightened governance and increasing Process stakeholder expectations, the need to proactively assess risks has become the fore front agenda for every management and board. Internal audit is often asked to play Fourth Round Table the role of a facilitator and spearhead Conference - the process of Enterprise -wide Risk Management(ERM). 25 May 2010 Mr. Kamal Hingorani from Bharti Airtel volunteered to lead the discussion and shared his insights into the process of Risk Management. • Prioritize risks on a 5 point scale of Key Pointers likelihood and impact. Knowing the risks • Use simple criteria for computing inherent in the Following good practices were shared the risk rating. Mathematical in the discussion: business as well as models are more prevalent in the • Get sponsorship from Board / senior Financial Services sector. being able to identify leadership for the ERM exercise. • Integrate the risk management emerging threats and • Ensure a high level of engagement process with the strategic business pro-actively with the leadership team. planning process. addressing them to • Go after the vital risks – Adopt a • Continuous monitoring and top-down approach beginning with reporting is key - Regularly monitor minimize loss or the organizational priorities/ the prioritized risks to ensure enhance stakeholder objectives appropriate mitigation measures are value is most • Set up a comprehensive risk being taken. management framework including • Set up incentive / recognition important in today’s risk identification, prioritizing, programs for employees who actively originations. mitigation, and monitoring contribute to the ERM process. processes.

The Journey 11 Global Internal Audit Survey 2010

Fourth Round Table Conference - 25 May 2010

An Overview Key Pointers The world in which internal audit Some of the themes of the discussion operates continues to change. In the revolved around: year 2009-10, while we moved from • How expectations from the function economic crisis to cautious optimism; are likely to change in the short- however, many of the fundamental term. causes of the recession have not been addressed. • What further adaptations Internal Audit functions are anticipating. The focus of the 6th Annual Global Internal Audit Survey conducted by • Internal Audit’s role in PwC was to enable internal audit organizational governance. functions to prepare themselves to • Using technology to drive quality handle such events. and efficiency.

12 PwC Change is inevitable Embarking on the change journey For meeting the growing expectations PwC shared its thought leadership The need for internal of stakeholders, the IA function is around 10 fundamental steps to audit to equip itself being forced to change. World over maximizing the value delivered by the IA functions are imbibing the internal audit: in meeting the following: • Understand stakeholder evolving expectations • Leverage the governance expectations and delivering value opportunity and play a larger role • Develop a strategic plan in driving the governance agenda. to the stakeholders • Leverage other risk & control has become a • Enhance scope and coverage within initiatives the internal audit plan. paramount priority. • Assess strategic risks • Integrate risk and compliance activities and create synergies. • Develop a flexible audit plan • Close the skills gap to meet the • Develop the right people expectations of being a business • Use technology and develop an advisor. infrastructure roadmap • Respond to cost pressures. • Obtain funding commitment • Use technology as an enabler. • Establish a relationship plan • Elevate the quality of Risk • Create a performance scorecard Assessment.

The Journey 13 Bridging the Gap Between Diverse Expectations of Various Stakeholders from the Internal Audit Function

Fifth Round Table Conference - 20 August 2010

An Overview Internal audit has to deal with a variety of stakeholders – Audit committee, senior management, operational management, statutory auditors and sometimes regulators. The expectations from each one of them can be often unique and divergent. With the limited budgets, resource and time available, the CAE’s decided to brainstorm on how to manage these divergent needs and arrive at some best practices that can help to bridge the gap between these diverse expectations.

14 PwC Key Pointers A few questions discussed amongst • Are you expected to participate in • Improving the position of internal the participants to enable a “implementation” or are you audit in the organization should be discussion were: considered as an internal a strong focus. The right reporting • Are you able to cover key risks consultant, giving advice? structure, private meetings with the within the audit plan every year? • How do you showcase the value C-suite and audit committee, being addition done during the year to part of strategic discussions, are all • How much does management vital. influence the audit coverage? your stakeholders? • Be transparent and involve process • Do you have sufficient bandwidth • Do you get objective feedback on the performance of the function owners in the decision making to deal with flexible needs that process. arise during the year? and areas of improvement? • Have the right skill sets within the • How do you balance your focus The following points emerged from the discussion: team - business, operations and between Value Enhancement and technical skills. It is a good practice Value Protection? • Increase communication with to use guest auditors from the • What are the skill sets needed to stakeholders and build strong business. working relationships. deliver value? Do you have access • Encourage rotation both inwards to the right skill sets? • Set the ground rules for better and outwards between the internal • How frequently do you get to expectation management. audit team and business. interact with the CEO? Are you a • Be an internal consultant and do not • Retain flexibility in the audit plan to part of strategy discussions along undertake responsibility for include special requests for “deep with senior management? implementation. dive” reviews based on current • How frequently do you get to • Lend your best resources for needs of business. interact with the Audit Committee? implementation, if implementation • Improve showcasing skills to better pressure is high. package reports and demonstrate value addition.

The Journey 15 Role of Internal Audit in Addressing Fraud Risk

Sixth Round Table Conference – December 10, 2010

An Overview As of December 2010, economic crime and fraud, remained one of the most problematic issues for Indian businesses. Given the nature of fraud and the cross-border implications, it was not surprising that enforcement of anti- fraud measures was increasingly global in its nature and regulators were cooperating with each other to prosecute perpetrators of fraud. Keeping this in mind, the forum wanted to discuss how internal audit could help in keeping a check on such activities and implement adequate safeguards against such events, for future.

16 PwC Key Pointers Some of the key points deliberated in Identifying and the forum were as follows: responding to • In most organizations, the “whistle blower” process is not yet a stable incidents of fraud or well established mechanism. continue to be a • While regular fraud risk challenge for even the assessments are a common practice most sophisticated used by organizations to identify key anti- fraud controls, however organizations. organizations need a much deeper understanding of these controls to be able to effectively combat fraud. • As a practice, any red flags which the management comes across must be brought to the knowledge of the IA team, so that they can look into the same and also look out for similar symptoms in the organization. • The tone at the top makes a lot of difference in such events. The management needs to be united and take strict action against perpetrators to set an example before others.

The Journey 17 List of Attendees in the Round Table Conferences

Attendees Group/ Organisation Attendees Group/ Organisation Mr. Amit Roy NIIT Mr. R.S. Dani Dabur India Mr. Anuj Mathur Uninor Mr. Raj K. Kapoor Jubilant Organosys Mr. Arvind Vats Jubilant Foodworks Mr. Ravi Mohan Bharti Infratel Mr. D.D. Goyal Maruti Mr. Sanjay Ahuja General Motors Mr. Dinesh K. Taneja VE Commercial Vehicles Mr. Sanjay Baweja Convergys Mr. Girraj Bansal Dabur India Mr. Sanjeev Singhal Spice Global Mr. Harish Dua SRF Mr. Sanjeev Sood Max New York Life Insurance Company Mr. Jagdish Kapoor Videocon Mobile services Ms. Shamini Ramalingam Bharti Airtel Mr. John Mathew Coca Cola Ms. Sheila Sarkar Nokia Siemens Networks Ms. Jyoti Ruparel Genpact Mr. Sunil Kumar Ranbaxy Mr. Kamal Hingorani Bharti Airtel Mr. Thiyagarajan Kumar Times of India Mr. Manoj Chigal Steria Ms. Tina Garewal DuPont Mr. N.G. Shanker Aditya Birla Mr. Vineet Singhal DCM Shriram Ms. Nupur Ray Chaudhuri Schneider Electric

18 PwC www.pwc.com/india

This report does not constitute professional advice. The information in this report has been obtained or derived from sources believed by PricewaterhouseCoopers Pvt. Ltd. (PwC PL) to be reliable but PwC PL does not represent that this information is accurate or complete. Any opinions or estimates contained in this report represent the judgment of PwC PL at this time and are subject to change without notice. Readers of this report are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this report. PwC PL neither accepts or assumes any responsibility or liability to any reader of this report in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.

© 2011 PricewaterhouseCoopers Private Ltd. All rights reserved. “PwC” is the brand under which member firms of PricewaterhouseCoopers International Limited (PwCIL) operate and provide services. Together, these firms form the PwC network. Each firm in the network is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way.

MS 140 - March 2011 The journey .indd Designed by: PwC Brand & Communications, India