STATE OF INTERNAL AUDIT 2013

Transcription

1 REUTERS / Baz Ratner STATE OF INTERNAL AUDIT 2013 November, 2013 Andreas Kallis / Sales Director, Southern Europe andreas.kallis@thomsonreuters.com Tel

2 INTRODUCTION: FACTS AND FIGURES 2013 survey had more than 1,100 respondents Respondents came from more than 76 countries Internal audit practitioners in firms across multiple sectors Internal audit departments ranging in size from less than five to global teams with departments with more than 100 auditors 2

3 NO LET UP FOR INTERNAL AUDIT FINANCIAL SERVICES LEADING THE REFORM WAY "We do want to see the internal audit profession taken seriously within the institutions that we regulate. We want it to have an appropriate profile and thereby bolster the standing of the professions, because it is important. Andrew Bailey, Deputy Governor for Prudential Regulation at the Bank of the England and Chief Executive Officer of the UK Prudential Regulation Authority, in an interview which appeared in Audit and Risk Magazine. 3

4 GLOBAL REFORM: CHANGING EXPECTATIONS Financial Stability Board sound practices benchmark for all internal audit functions Basel revised supervisory guidance Other Institute of Internal Auditors (Global, ECIIA, CIIA-UK), COSO Message = Internal Audit remit expected to expand to assess softer areas such as governance and culture 4

5 EXECUTIVE SUMMARY Regulatory guidance and industry best practice expects internal audit to take a higher-level view of risks and controls in a firm Process assurance and monitoring activities remain key areas of focus for internal audit functions Focus on corporate governance is down from last year Immature risk management processes in firms and insufficient input by internal audit functions Weaknesses in risk reporting to the board Insufficient communication with other risk and control functions Challenge to audit committees to reassess the activities of internal audit 5

6 INTERNAL AUDIT CHALLENGES IN

7 INTERNAL AUDIT CHALLENGES EXPECTED FOR BOARD 7

8 RISK ASSESSMENT Still poor levels of communication between internal audit and compliance Decline in results weekly interaction between compliance and internal audit down to 25% from 32% in 2012 and monthly interaction down to 18% from 27% in 2012 Continued focus needed to align risk, compliance, internal audit and legal Coherent risk reporting to board needs to be a priority 8

9 CORPORATE GOVERNANCE Key focus for policy makers Decline year on year In percent of firms reported being involved in monitoring the effectiveness of corporate governance Further 25 percent reported same in 2013 Only 29 percent of internal auditors made corporate governance a top three priority for the future 9

10 INTERACTION WITH EXTERNAL AUDIT External audit world to change Less reliance on internal audit Fewer co-sourced auditing arrangements 10

11 KEY CHALLENGES Changing expectations regulators, boards and audit committees Expansion of skill set to cover culture and corporate governance Greater alignment needed with other risk and control functions Improved reporting Need to do more (much more) with little change in resources 11

12 IIA Practice Guidance: in line with survey results It is common for organizations to have a number of separate groups performing different risk management, compliance, and assurance functions independently of one another. Without effective coordination and reporting, work can be duplicated or key risks may be missed or misjudged Some organizations do not have a formal risk management function and in this case the internal audit activity often provides risk management consulting services to the organization Taken from the IIA Practice Guide: Coordinating Risk Management & Assurance Internal audit should not give independent assurance on any part of the risk management framework for which it is responsible. Other suitably qualified parties should provide such assurance

13 Internal Audit s role in Risk Management Internal auditors should have a means of measuring the effectiveness of risk management in an organization. This can be achieved by the examination of criteria that reflect aspects of the risk management process. The criteria used must be relevant, reliable, understandable, and complete. The aggregate of the observations should allow the auditor to form a conclusion on the organization s level of risk management maturity. Taken from the IIA Practice Guide: Assessing the Adequacy of Risk Management Implementing effective risk management often takes several years. One of the key criteria that internal auditors should consider is whether there is a suitable framework in place to advance a corporate and systematic approach to risk management.

14 THE EVOLVING ROLE OF INTERNAL AUDIT FOR TURKISH ORGANISATIONS The recent financial crisis has reinforced the following: Internal Audit needs to remain focused on the evolving organization, Internal Audit needs to better demonstrate and communicate the value that they provide to the organization, Internal Audit s Independence and Objectivity needs to be balanced with the general need to collaborate with other Assurance Groups (e.g., Risk, Compliance), Stakeholder s expectations for the Internal Audit Department have increased, while the department has struggled to maintain both competencies and talent, The use of technology is not only part of the Institute of Internal Audit s International Professional Practices Framework (IPPF), but it is necessary for consistent review of process, risks, and controls, The Annual Internal Audit Plan needs to be continuously evaluated and re-prioritized to ensure that the most significant risks are reviewed timely and mitigated / managed appropriately, 14

15 WHERE CAN INTERNAL AUDITORS START? Assessment of Internal Audit by the Board of Directors and Executive Management, Ask whether they view Internal Audit as proactive or reactive, Ask about prior Internal Audit activities, Ask about perceptions and reputation of the Internal Audit Department, Ask for candid feedback, open commentary and less quantitative measures, Review the Internal Audit Charter to ensure alignment with the Board of Directors expectations, Gain a sufficient understanding of the Strategic Plan and Objectives with Executive Management, Review how the organization has responded to recent laws and regulations and whether it has altered the culture of the organization, 15

16 NEXT STEPS Review the Internal Audit Methodology to ensure: That it describes how the Internal Audit Risk Assessment is used to drive the Internal Audit Plan, That it articulates the rationale for the risk-based approach to the Internal Audit Plan, That it describes how the Internal Audit Plan continuously evolves to ensure coverage of the most significant risks, That Internal Audit personnel understand the expectations and rationale behind their Internal Audit activities, That it supports the entire Internal Audit process and touch-points with the business, 16

17 WHAT ELSE? How can Internal Audit leverage the work of other Assurance Groups? Receipt of the final report is not leverage Align perspectives of the organization, Legal Entities, Operating Units / Cost Centers, Annual Reports Financial Reporting, Management Reporting, Too often, each Assurance Group has used a differing vantage point and has not mapped back to others, 17

18 10 TIPS FOR INTERNAL AUDITORS 1 Share 10 Skill Set 2 Explore the Risks 9 Use connections Tips for Internal Auditors 3 - Discuss 8 Discuss with Regulator 4 Review Cultural Approach 7- Team Work 6 Measured Approach 5 Remit of IA 18