Mind the Gap Assuring Stakeholders of Internal Audit s Value. Anton van Wyk, CIA, QIAL, CRMA IIA Global Chairman 2014/2015

Transcription

1 1

2 Mind the Gap Assuring Stakeholders of Internal Audit s Value Anton van Wyk, CIA, QIAL, CRMA IIA Global Chairman 2014/2015 2

3 About the Speaker <Su foto> Anton van Wyk CIA, QIAL, CRMA, CD (SA) Global Chairman of the Board The Institute of Internal Auditors Global Chairman of the IIA Partner at PwC Leader of the African Risk Assurance practice Member of the King Committee on Governance Chairman of the South African Corporate Governance Network Nearly 30 years of experience in Internal Audit, Risk Management and Corporate Governance. IIA volunteer since

4 A period of rapid transformation As macro and market trends evolve rapidly, the business environment looks very different to a few years ago. Risks are increasing landscapes are changing Businesses have either gone through or are currently going through a business transformation Market & Macro forces creating the biggest challenges 77% Regulatory complexity 74% Data security and privacy 69% Cost pressures 4

5 Global Mega Trends Inter-related forces are causing the world to change at an ever-faster Technological pace. breakthroughs Demographic shifts Shifts in global economic power CAEs need to become hybrid leaders, planning for today while looking beyond the horizon at fast approaching and emerging risk and creating their audit plans of tomorrow. Climate change and resource scarcity Accelerating urbanisation 5

6 Changing business and risk landscape CAEs acknowledge the changing business and risk landscape and need to evolve their functions. Increase provision of value-added services and proactive advice for the business Need to start doing this soon to remain relevant Stakeholders expect internal audit to extend its traditional assurance provider role into a more proactive trusted advisor role Internal Audit is evolving from its current state to where it wants to be. This requires innovation and the ability to ask What should we do? not What can we do? 6

7 Mind the Gap key messages Coordinate efforts among all lines of defence Failure to do this exposes capability gaps in overall defence Need courage in challenging effectiveness of all lines of defence Must take action against sloppiness at first line assurance from management Imperative to understand the changing risk landscape - adapt think holistically about risk understand the inter related issues Agile and nimble in our ever changing global risk landscape Unpack societal and stakeholder profit demands Leap into the horizon scan future scenarios Courageously enter the fray Be independent judge objectively 7

8 Build trust Delivering Peace of Mind Broaden your thinking beyond traditional business areas. Considering other relationships where trust is required to help think of the potential outcome of our services and the wide range of information that is needed to make decisions. Owners Inspiring a movement of trust Review Employers Ratings Investors Analysis Who? Consumers Suppliers Regulators Governments Management Predictions Verification Opinions How? Advice Insights Measurement Strategy and plans Information Systems, processes and controls What? Contracts, promises and commitments Data Behaviours, cultures and values 8

9 Mind the Gap key messages Capitalise on our probing minds: Build Trust Deliver Peace of Mind Leverage business strategy discussions How the organisation will grow, meeting profit and societal demands How and when strategy is discussed who is involved Did the board help shape strategy Challenge assumptions about future opportunities and threats Foster greater organisational interaction around the changing risk landscape Coordinate plans to respond to this changing environment 9

10 Mind the Gap key messages Courageously hold a steady hand on activities, external and internal to the organisation Participate in complex discussions Confirm transparent information flows Assist in developing social media governance processes Connect with the CEO Leverage critical business developments 10

11 Mind the Gap key messages Be in tune with executive management and the audit committee Understand needs, interests and expectations have a game plan Place focus on risk complexity and unpredictability business model changes technological advances sustainability Provide value and impactful results through reporting The right information, succinctly Objectiveness 11

12 Leveraging data to provide direction Internal Audit organisations that transform in pace with the business are more advanced in their use of data analytics, including its wider application: Risk identification Audit planning Continuous auditing Continuous monitoring Fraud management Compliance monitoring of operational controls Risk analytics Vendor analysis Anti-money laundering 22% 42% 41% 38% 23% 48% 32% 35% 28% 33% 45% 66% 64% 76% 81% Most CAEs report they use analytics in some audits for audit execution but less than half use analytics for making scoping decisions and even less use analytics to complete their risk assessment. PwC s 2015 SOTP We currently use data analytics in this area We don't use data analytics in this area but plan to. 12

13 Mind the Gap key messages Balance dynamics Beware of dangerous blind spots Skill up Take a continuous improvement approach Collect, understand and interpret stakeholder expectations Improve quality of planning decision Introduce processes to govern stakeholder relationships Maintain permanent stakeholder dialogue Confirm what are the big agenda items 13

14 Mind the Gap key messages Consider if the organisation a likely target of cyber attacks privacy breaches Which are the organisation s high value assets, where they are and who protects them Integrated thinking and reporting Financial stability and s y Capacity and skill to respond Understand what type of corporate social responsibility reporting management provides both as mandated and voluntarily, and how management assures the information is reliable 14

15 Strengthen Audit committee relationship Expand IAs role in risk management oversight Increase information technology scope Define role internal audit should play to provide maximum value Confirm Audit Committee s support for internal audit is visible to management Audit committee charter adequately articulates the Committee s needs and expectations from the CAE review annually Discuss strengths and weaknesses of internal control & risk management systems Provide assurance with insight Define AC / CAE meeting schedule and agenda Highlight how effective IA is working with second line functions CAE needs to focus its attention to ensure success and personal effectiveness key to building trust and overcoming resistance 15

16 Perceived Value Focus on Value Align expectations Build capabilities Deliver quality Increase value Unrealised value Insight generator Trusted advisor Insight generator Providing value-added services and proactive strategic advice well beyond the execution of the audit plan Proactive role in suggesting meaningful improvements and providing integrated risk assurance Problem Solver Problem Solver Problem Solver Bringing analysis & perspective on root causes of issues identified to help business units take corrective action Assurance provider Assurance provider Assurance provider Assurance provider Delivering objective assurance of the effectiveness of an organisations internal controls Function/Role 16

17 Navigating the terrain Risk focus Internal Audit functions considered by stakeholders to be contributing significant value are involved in transformational initiatives up to twice as frequently as their peers and are performing far better at focusing on the critical risks and issues the company is facing. Auditing processes and controls for mitigating risk after risk occurrence (in response to risk occurrence) Auditing processes and controls for mitigating risk once they are in place, but before risk occurrence Identifying risk during the annual risk assessment process 24% 20% 9% 47% Providing a proactive perspective and recommendations on internal control before risk occurrence, compared with 19% of other internal audit functions 17

18 Risk and business alignment Organisations in which internal audit contributes significant value report their functions are better aligned with the company s risk management program Strong alignment results in: Less risk management fatigue among participants Far greater efficiency Much better visibility to the information produced by other lines of defense Better overall risk management for the enterprise. Areas of alignment Enterprise risk management Ethics and compliance Environmental Health & Safety Loss prevention PwC s 2015 SOTP 18

19 IT Oversight Introduction Directors want their organisation s strategy and IT risk mitigation better supported through improved IT understanding at the board level The IT confidence gap Most directors are between 60 and 70 majority of professional lives in pre-digital era Less than 1% of directors have been or are currently CIOs Highly technical jargon Board time is at a premium: majority of directors spend only 5% of their board hours on IT 60% of boards want to spend more time on IT Rapid pace of technological change IT can be a complicated and intimidating subject Directors want more information to better understand IT Lack of IT guidance for boards 19

20 Monitoring IT Internal audit s process Identify key IT metrics / budget Get regular updates on IT priorities IT resource bench strength Evaluate top IT risks / mitigation Prevention & detection Is social media commentary monitored IT system implementations IT outsourcing Level of IP The IT Oversight Framework Step 6 Monitoring Step 5 Risk Step 1 Assessment Step 2 Approach Step 3 Prioritisation Help conquer the IT confidence gap Step 4 Strategy 20

21 Internal Audit Performance and Value Metrics Measure involvement and value provided in all key initiatives and emerging risk areas Provide macro/horizontal views on key issues and areas of critical risk to the organisation Be a change agent in the organisation IA s influence in improving the overall control environment year on year Develop annual voice of the stakeholder survey Answer questions from the Board and Management Enhance the value of recommendations provided Facilitate cost savings and revenue enhancement based on internal audit recommendations and findings Internal audit must be aligned with the expectations of its stakeholders in order to strategically build the right capabilities and raise its performance and value. 21

22 Taking action CAEs Where are you headed? Do you have the right mindset to innovate and evolve your Internal Audit function? Is your function providing a proactive perspective on the changing risk landscape? Are you evolving your talent to address the most significant risks of your business? Are you being proactive in aligning with the second lines of defense? Are you providing better business insights through broad use of data? Do you have a strategic plan to remain relevant as your business changes? Stakeholders Is Internal Audit heading in the right direction? Have you shifted your mindset about Internal Audit to require more value? Are you enabling Internal Audit to bring value to the organization? Do you ask for a common view of risks across the lines of defense? Is the information you are getting from Internal Audit valuable in providing insights into business risk? Do you understand Internal Audit s strategic plan to keep pace with the business? 22

23 Credible, Connected, Competent, Communicate & Courage Achieving alignment of expectations and critical risks is a significant step towards internal audit improving its credibility, relevance and value to the business. Connect with the audit committee, confirm traditional coverage, like, financial controls and fraud and ethics propose increased coverage in less traditional areas Show competence in being able to tell the story and not just write it help solve problems through objective eyes. Communicate the value you bring to the organisation through the recommendations you provide and your involvement in emerging issues. Show courage, leveraging strategy, probing assumptions across the organisation in order to stay the course of alignment on expectations whilst delivering value. 23

24 CONTACT INFORMATION Anton van Wyk