10 Imperatives for Internal Audit

Transcription

1 The Auditing Roundtable's International Workshop 2015 The Future For Auditing Brussels, Belgium October 14-15, 2015 Driving Success in a Changing World: 10 Imperatives for Internal Audit Günther Meggeneder, Institute of Internal Auditors, Past Chairman of the Board

2 CBOK 2015 Practitioner Study CBOK is the Global Internal Audit Common Body of Knowledge: The global practitioner survey is the largest ongoing study of internal audit professionals in the world. More than 25 free reports about practitioners and the profession will be released from July 2015 to July Download free reports from the CBOK Resource Exchange at The IIA website at any time (

3 CBOK 2015 Practitioner Survey Practitioner Survey Results Survey completed April 1, ,518 usable survey responses Participation Levels 100% representation from IIA institutes Responses from 166 countries 23 languages

4 CBOK 2015 Practitioner Study 223 responses from Turkey!

5 CBOK 2015 Practitioner Study

6 1. Anticipate the Needs of Stakeholders The needs of stakeholders are constantly changing. Internal audit must improve communication channels with stakeholders. Formal and informal channels are important for building rapport.

7 Measure of Internal Audit Value Against Stakeholder Expectations Turkey only 20 %!

8 Action Points for Stakeholder Needs Establish and maintain communication channels with all key stakeholders. Involve them in audit planning. Ask stakeholders what they think about the value of your work.

9 2. Develop Forward-Looking Risk Management Practices Auditors must assess the likely impact of possible future events and their second- and third-order consequences. Historical audits are of limited value to stakeholders. It is crucial to harness the audit plan to the corporate strategy.

10 Internal Audit Aligned to Strategic Plan Fully or almost fully aligned 69 % Somewhat aligned 31 %

11 Action Points for Risk Management Understand the organization s strategic, business, legal, and compliance risks. Develop in-depth knowledge of the business. Develop high levels of competence in technology tools (Imperatives 6 and 7). Hire and train for the skill sets to meet the demand for their services (Imperatives 9 and 10).

12 3. Continually Advise the Board and Audit Committee Turkey 73 %

13 Action Points for Advising Communicate risks in the context of the business s goals and objectives. Provide an overall opinion on how the business is managing itself. Advise the audit committee on a regular basis of the issues it should be most concerned about. Give an overview of the control environment and whether it is improving or becoming ineffective.

14 4. Be Courageous Internal audit must have the courage to tell stakeholders the unvarnished truth, whether they want to hear it or not. The business has to know the audit function has teeth, says Robert Kella, senior vice president of internal audit for Emirates Group, Dubai, United Arab Emirates.

15 Internal Audit Under Pressure 26% 12% 62% Turkey

16 Questions to Consider About the Business Environment How well has internal audit communicated its role and mission? What is the status of internal audit in the organization? Does the culture of the business encourage or punish finding faults with the control environment?

17 5. Support the Business s Objectives More than half of survey respondents (57%) say their departments are fully or mostly aligned with their business s strategic objectives. How can misaligned audit departments unambiguously demonstrate the value they add to their organizations strategies? Internal auditors must align their work to their organizations strategic objectives.

18 Initial Steps to Support Business Objectives Develop performance measures for each area of the strategic plan. Link performance and pay to the plan. Educate internal auditors about the business. Internal auditors should acquire industry-specific certifications.

19 6. Identify, Monitor, and Deal with Emerging Technology Risks Technology risks are extremely difficult to manage because they are constantly evolving. Internal auditors need to respond proactively by helping organizations identify, monitor, and deal with such emerging IT risks and advising their boards on how best to do so.

20 Time Spent Auditing Cybersecurity and Social Media Risk Social Media 17 % / 63 % / 20 % Cybersecurity 5 % / 58 % / 37 %

21 Action Points for Technology Risks Start looking at IT risk from a high level, examining policies, project plans, and business issues. Network with peers and IIA special interest groups. Increase technical knowledge by investing in your own expertise. Increase IT skills within the team.

22 7. Enhance Audit Findings Through Greater Use of Data Analytics Internal auditors must continue to improve their data analysis skills and techniques to enhance audit findings. Such technologies enable internal auditors to improve efficiency and audit data-rich areas in more sophisticated ways.

23 Ways Data Mining Is Used Identification of possible frauds 49% Test of entire populations rather than sampling 47% Potential issues discovered through risk or control monitoring 47% Tests for regulatory compliance 38% Business improvement opportunities 32% 0% 10% 20% 30% 40% 50% 60%

24 Action Points for Data Analytics Create separate, but related, plans for internal audit s data analytics resource. Train management in data analysis skills. Team up with business lines to help internal audit move into a more independent, continuous monitoring role.

25 8. Go Beyond The IIA s Standards Turkey 17 % 63 % 20 %

26 Establish The IIA s Standards as the Framework for Quality Assessment Inform the audit committee about the value of the Standards. Establish a robust QAIP as required by the Standards. Perform an annual self-assessment to ensure conformance to the Standards and have an external quality review conducted at least every five years. Inform the audit committee of the external review and quality program results. Ensure that the audit team is certified; require certification for team members if they hold certain levels of responsibility.

27 Go Beyond the Standards to Deliver High-Value Activities Discuss what high-value internal audit activity means for the audit committee and executive management. Agree with the audit committee and executive management on specific activities internal audit can focus on to meet expectations for quality and value. Periodically report to the audit committee and executive management on internal audit s performance re: agreedupon specific expectations.

28 9. Invest in Yourself There has never been a better time to be an internal auditor. But internal audit departments often do not have well-developed staff training. 4 out of 10 respondents reported fewer than 40 hours of training per year.

29 Hours of Training Per Year 76% 24%

30 Training Program Elements Leadership skills Critical thinking skills General business competencies Business knowledge related to the industry Onboarding and orientation for new employees Global Turkey Internal audit skills 0% 10% 20% 30% 40% 50% 60% 70% 80%

31 10. Recruit, Motivate, and Retain Great Team Members Internal audit departments need to cast their recruitment nets wider. The internal audit profession of the future will be more evenly balanced between men and women. Training and development programs need to be aligned to the future needs of the business.

32 What Skills Are You Recruiting or Building Most in Your Department? Fraud auditing Business acumen Data mining and analytics Industry-specific knowledge IT (general) Risk management assurance Accounting Communication skills Analytical/Critical thinking 0% 10% 20% 30% 40% 50% 60% 70% Global Turkey

33 Action Points for Building Talent Recruit from a wider pool of candidates. Build formal audit rotation programs. Invest time in training. Link the audit process to the needs of the individual. Use bonuses to motivate and reward.

34 The 10 Imperatives Play a Leading Role 1. Anticipate the needs of stakeholders. 2. Develop forward-looking risk management practices. 3. Continually advise the board and audit committee. 4. Be courageous. Beat the Expectations Gap 5. Support the business s objectives. 6. Identify, monitor, and deal with emerging technology risks. 7. Enhance audit findings through greater use of data analytics. 8. Go beyond The IIA s Standards. Invest in Excellence 9. Invest in yourself. 10. Recruit, motivate, and retain great team members.

35 CBOK 2015: All products IIA International Conference Governance, Risk, and Control Conference South Africa Conference IIA Financial Services Exchange ECIIA Conference All Star Conference Southern Regional Conference ACIIA Conference IIA Midyear Committee Meetings Jul Aug Sept Oct Nov Dec Driving Success in a Changing World: 10 Imperatives for Internal Audit Auditing Technology Risks Use of Technology for Internal Audit Processes Financial Services Outlook Who Owns Risk? Internal Audit s Changing Role Combined Assurance and the Three Lines of Defense Measuring Internal Audit Value and Performance Public Sector Outlook Core Competency Levels for Internal Auditors Interacting with Audit Committees Fraud Risk: Detection and Prevention 8

36 CBOK 2015: What s Coming GAM Conference SoPac Conference Leadership Conference IIA International Conference Jan Feb Mar Apr May 2016 Jun The Skills Most Desired by IA Managers for Their Staffs Use of Third Parties by Internal Audit CAE Career Path Women in IA: Representation and Trends Maturity Levels for IA Dept. Around the World How to Evaluate and Motivate Your Staff Certifications Held by Internal Auditors Ethical Pressures Faced by Internal Auditors IIA Standards: Conformance and Trends Quality Assurance and Improvement Program Trends Integrated Reporting Organizational Governance: Internal Audit's Role 9

37 The Institute of Internal Auditors Günther Meggeneder, CIA Past Chairman of the Board