Role of Internal Audit


Final Report: 2012 Executive Study on the Strategic Role of Internal Audit

Vonya Global: Executive Study on the Strategic Role of Internal Audit
Final Report, December 2012

Table of Contents
Executive Summary
Internal Audit and Assessing
Internal Audit and the Ability to Assess
Internal Audit and Compliance
and Executive The Gap
Conclusion

SUMMARIZED STUDY DEMOGRAPHICS

Responses by Company Type:
Large Cap 27%
Mid Cap 19%
Small Cap 11%
Private 24%
Government / Not For Profit 18%

Responses by Employee Type:
Internal Auditor 68%
Executive 21%
Consultant 7%
Retired 2%
Board of Director 2%

Average Time to Complete Study: 8 Minutes and 18 Seconds

[Chart: Time of Day for Participation (CST)]

Executive Summary

Vonya Global surveyed a cross section of Executives and from both public and private organizations in a variety of industries regarding the strategic role of Internal Audit. For the purposes of this study, Strategic Role is defined as Internal Audit's responsibility for assessing Strategic Risk. We have defined the term Strategic Risk as internal or external contingencies that may prevent a company from meeting its strategic objectives.

The survey questions were designed to first determine how Internal Audit is involved in the evaluation of strategic risk across the different types of organizations. Secondly, we asked whether respondents believed that there is value in having Internal Audit participate in evaluating strategic risk. Finally, we asked whether Internal Audit is equipped to do so effectively.

This is the third study Vonya Global has conducted on the topic. Responses from 2008, 2010, and 2012 are compared to provide benchmarks on the evolving role of Internal Audit.

The survey was open for 6 weeks and available online through the Vonya Global website. Respondents volunteered their time and their responses were anonymous. Invitations to participate in the survey were sent through and a web announcement.

An assumption going into the study was that Internal Audit plays a critical role in an organization's ability to meet its strategic objectives. The skills required to execute this responsibility have been developed through education, certification, and experience. Millions of dollars have been invested throughout the years to create tools and techniques to assist with this responsibility. There are associations, peer groups, training courses, conferences, symposia, and libraries established to further the Internal Audit profession. It is our opinion that the fundamentals of Internal Audit, including all the resources listed above, can be applied to audit and evaluate strategic risks and strategic initiatives. The study reveals that this is not always the case. The capacity to serve in a strategic manner differs greatly from one organization to the next, as do the opinions on Internal Audit's role and expectations.

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

Attribute Standards

1000 Purpose, Authority, and Responsibility
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.

Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Performance Standards

2000 Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.

Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations.

Performing the Engagement
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.

Communicating Results
Internal auditors must communicate the results of engagements.

Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

Communicating the Acceptance of Risks
When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

Source: The Institute of

Internal Audit's Role in Assessing Strategic Risk

What is the role of Internal Audit, and is that role understood and agreed upon throughout the organization? The Institute of defines Internal Audit's role as:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Source: The Institute of guidance/mandatoryguidance/pages/definition of Internal Auditing.aspx

Each Internal Audit Department's role will be slightly customized to meet the needs of the organization it serves. Regardless of how the role is defined, Executive, the Audit Committee, and the Internal Audit department should all agree upon the role and objectives of Internal Audit and have similar expectations.

Internal Audit is regarded as highly trusted and value adding function within the company. Chief Audit Executive is driving the annual Enterprise Risk process together with Executives and Top, participates in the Board of Directors monthly/quarterly meetings and reports to Audit Committee on the significant risks, control environment and flags any relevant points of concern.

It is very important to understand the role of internal audit and its contribution, Sr. management is expected to involve the Chief Audit Executive in decision making for risk management and compliance purpose.

Therefore, the first question we asked in the study was: Is there a shared understanding of the role of the Internal Auditor?

Shared Understanding of Role

85% of and 76% of say yes, there is a shared understanding of Internal Audit's role. In an ideal world this percentage would be 10 for both groups. The fact that it is not 10, as well as the gap in the opinions of and, signifies that there is room for improvement. While this is the case, the responses to this question have been consistent when compared to the previous two studies in 2008 and 2010, and the gap in percentages between Internal Audit and has also held constant (see charts in right margin).

The shared definition of the role of Internal Audit is not only a common sense practice, it is a requirement. Failing to do so is in violation of the IIA Standards. The Institute of (IIA) Standard 1010 addresses this specific issue and states:

The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.

[Charts: Shared Understanding of Role]

Internal Audit is often an afterthought from Executive; Internal Audit is invited to the table only after a problem has arisen and there is no firm opinion on who owns the issue.

At my company, there tends to be misunderstanding on what Internal Audit should be focused on. This is mainly due to a lack of understanding on what is meant by "internal controls" and how there can actually be more than one way to approach the evaluation of internal controls.

Role Includes Assessing

[Charts: Shared Understanding of Role; Role Includes Assessing; Should be Responsible for Assessing Strategic Risks]

The next step in our study was to understand to what extent Internal Audit participates in the assessment of strategic risks. The positive responses in the current study show a dramatic upward spike reversing the downward trend seen in previous years. 87% of responded that their roles include the assessment of strategic risks as compared to 49% in 2010 and 58% in The trend in responses is also positive, however only 57% of responded that Internal Audit's role includes assessing strategic risks as compared to 42% in 2010 and 44% in

The dramatic spike may indicate a change in the role of Internal Audit; however the gap between Internal Audit and implies that the understanding of Internal Audit's role is not shared to the extent revealed in the previous section.

If there is a Risk function, then that role falls to them, with Internal Audit having a performance review role, where a risk function does not exist, the Internal Auditor should step up to the mark. Response

Internal Audit is not always involved in strategic risk, generally due to lack of knowledge/sensitivity. In many cases external audit is consulted or external consultants are used to assess this risk. Response

Although this can be difficult depending on overall knowledge of the audit team. Many times the seniors do not have visibility to many strategic aspects of the company which can be a challenge to address. Response

[Chart: Should be Responsible for Assessing]

Internal Audit should focus on the process and controls rather than specific content (i.e., risks) unless directly impacted by/from Internal Audit. Content should be driven by the Chief Risk Officer and its team/functions. Response

Should Internal Audit be responsible for assessing strategic risks?

While 87% of responded that they are responsible for assessing strategic risks, only 74% said that they should be. Similarly, 57% of responded that Internal Audit is responsible for assessing strategic risks, while only 47% agreed that this was appropriate. If the responses indicate an evolution in the role of Internal Audit, they may also signify a slight reluctance to accept the change.

[Charts: Should be Responsible for Assessing Strategic Risks; Assessing Strategic Risks Creates Value]

If an Internal Audit group is not focused on strategic risks, they are not doing their job. Having said that, my company is private, so there is not a lot of public knowledge about strategic objectives. We try our best to ensure we are aligned with the objectives that are fairly well known.

Yes. Also as part of the COSO model (the ERM COSO model to be specific), strategic risk is part of the audit function.

Evaluation of strategic risks is mainly part of the ERM process. However, I would say there is less focus on truly strategic audits, but more pure operational and financial reviews.

Internal Audit's role is not to act as management and determine the strategic direction of the company, i.e. competitive risk when introducing a new product line. Our role is to ensure the company is aligned at a macro and micro level.

[Charts: Assessing Strategic Risks Creates Value; Role Includes Assessing Strategic Risks]

Risk, internal control, Governance, assurance & compliance are considered as integral part of Internal Audit.

Is there value in having Internal Audit evaluate strategic risks?

We found it interesting that while 89% of responded that there is value in having Internal Audit evaluate strategic risk, only 74% responded that Internal Audit should be responsible. Similarly, of responded that having Internal Audit evaluate strategic risk creates value, while only 47% thought Internal Audit should be responsible.

Compared to 2008 and 2010, there is a downward trend in the perceived value of having Internal Audit responsible for the evaluation of strategic risk, and the gap between Internal Audit and has widened.

Since almost all internal audits are backwards looking, that is, they review what has been done rather than what will be done, then I'd have to say they are not strategic. Even when conducting a review of strategic decision making, the emphasis is on what was done or past decisions. There may be project implementation teams in which Internal Audit gets to suggest control improvements that have a future impact, but these are not the primary mission of the department. Response

Not everything in a company can be "strategic" or the word loses all meaning. Audits, however important, have nothing to do with strategy per se; they don't decide who the customers are, what they want, or how the company will provide it. Response

[Chart: Gap between Executives and (Role Includes Assessing; Should be Responsible for Assessing; Assessing Creates Value)]

[Charts: Role Includes Assessing; Formal Risk Assessment Process]

Internal Audit Resources Available to Assess

Is strategic risk included in the Risk Assessment?

The study collected data on the capability of Internal Audit relative to the evaluation of strategic risks. If Internal Audit has a role in assessing strategic risks, it must first have the ability to do so. Since a fundamental discipline in Internal Audit is the risk assessment, survey participants were asked if Internal Audit had a risk assessment methodology that included strategic risk. 85% of responded that they have a formal risk assessment process which included strategic risks, while 67% of management agreed. By comparison, in the 2010 study 89% of and 5 of management agreed.

[Charts: Role Includes Assessing; Participates in Strategic Meetings]

Many have a too narrow view of the role of internal auditors, one that is 30 or so years out of date. Yes, the Internal Audit role does include evaluating compliance with various rules. However, for many companies, the Internal Audit serves as an internal consultant, working with unit managers to identify problems and find solutions for those problems. Whether that broader role is a "strategic function" depends upon your definition of strategic.

Do attend strategic meetings?

A prerequisite to evaluating strategic risk is to understand the organization's strategic initiatives. One way to understand the strategic initiatives is to attend management meetings where strategic initiatives are discussed. 67% of in the study said they participate in strategic meetings compared to 43% of management who stated that they include Internal Audit in the strategic sessions.

Comparing Internal Audit's participation in strategic meetings by company type shows that Internal Auditors in Mid Cap have the highest participation percentage, while Internal Auditors at Small Cap have the lowest.

[Chart: Participates in Strategic Meetings, by company type (Large Cap, Mid Cap, Small Cap, Private, NFP/Govt)]

Do have a specific methodology for evaluating strategic risk?

While 85% of responded that they have a formal risk assessment process which included strategic risks, only 63% of believe they have a specific methodology for evaluating strategic risks. Similarly, 67% of management stated that they believe Internal Audit includes strategic risk in the risk assessment, yet only 38% of management thought Internal Audit had a specific methodology for evaluating strategic risks.

A review of the following charts reveals an increase in the strategic role of Internal Audit combined with a slight drop in the confidence in Internal Audit's risk assessment methodology.

[Charts: Role; Methodology; Skills]

Internal Audit can be strategic if it is properly designed, staffed, and operated. They need to focus much more on enterprise risks, process analyses, operations, and planning actions to do so. Many have neither the inclination nor personnel to reach that point. Response

I'd have to say no, Internal Audit is not strategic. But that doesn't mean it's unimportant; there seems to be a misconception that important stuff is automatically strategic, but any chess player will tell you that you need a mix of strategy and tactics to succeed, neither is secondary to the other. Response

Do have the skills necessary to assess strategic risks?

Only 55% of the in the study thought they had the skills while only 33% of management agreed.

I'd make this distinction: Strategy is setting the direction, choosing the end goal and major points along the way, answering the question "why?" Tactics are the routes we choose to get to each of these goals, answering the question "how?" Internal Audit references how we should be doing things rather than why, and as such is a tactical rather than strategic function. Response

Do have the time allotted to allow for the assessment of strategic risk?

of in the study believed they had the time available for assessing strategic risks and 2 said they had the budget to do so. This is in comparison to 33% of management respondents believing Internal Audit had the time available and 2 responded that Internal Audit had the budget.

[Charts: Role, Methodology, Skills, Time, Budget, by company type (Large Cap, Mid Cap, Small Cap, Private, NFP/Govt)]

Strategic risk should be the responsibility of executive management. Internal Audit should insure that strategic risk is being evaluated and managed. Response

Does Internal Audit have the financial resources (budget) to assess strategic risks?

Responses to this question were nearly identical, with roughly 2 of and 2 of management responding that they had the budget. That 8 out of 10 responses say Internal Audit doesn't have the funds available to assess strategic risk is a large indicator of Internal Audit's capacity to assess strategic risk.

While Internal Audit should be responsible for assessing strategic risk, they typically do not have the skills, expertise, and exposure to adequately assess strategic risks. Response

Based on the results of this phase of the study, it can be surmised that, due to the perceived lack of methodology, skills, time, and budget, the ability of Internal Audit to evaluate strategic risks is low. In comparison to previous years [as shown below], the role of Internal Audit seems to have expanded as the perceived ability of Internal Audit to fulfill that role has decreased.

We provide many value added services outside the compliance arena. Our operational audits and process innovation projects add value to the organization.

[Charts: Role, Methodology, Skills, Time, Budget; Executives: Role, Methodology, Skills, Time, Budget]

Internal Audit and Compliance

The study set out to determine if Internal Audit could provide value in compliance initiatives while also providing value in strategic initiatives.

[Chart: Internal Audit is Essential for Compliance]

Internal audit should serve a function as independent assessor of compliance standards and good practice. Response

Compliance and efficiency create value

[Charts: Essential for Compliance; Value directly linked to Compliance; Assessing Strategic Risks Creates Value]

Internal Audit is essential for providing assurance on compliance with policies and procedures and various regulations. Respondents in this study as well as the previous studies we have conducted agree. It is the one category where the responses have been consistent each year and where the gap between and has been minimal.

Internal Audit should NOT serve in any strategic initiatives. Nor should their strategic importance increase. They serve a vital role as independent evaluators of regulatory guidelines and of internal policy. Response

should be able to assess compliance with laws, regulations, policies and procedures. It is not (or should not be) a skill unique to Internal Audit.

While the majority of this study has been dedicated to evaluating Internal Audit's ability to add value to a company's strategic initiatives, the value Internal Audit provides relative to compliance is still the most important. While many disagree on the way the compliance role is defined, the value of that role is unquestioned. Here is an example of comments from two different internal auditors:

I disagree with the "essential" word, we (Internal Audit) are an important enabler but we're the third line of defense, to me "essential" means the first line of defense.

Internal Audit is the first line of defense and focused on operational and fraud risks.

While the role Internal Audit plays in compliance is critical, it doesn't mean it is mutually exclusive to having a strategic role as well. A risk based Internal Audit function will assess all significant risks and evaluate whether the company is effectively managing and controlling those risks.

and Executive The Gap

The previous sections have discussed the individual questions; this section looks at the responses in aggregate. The difference in the opinions of and Executive on the strategic role of Internal Audit proved fairly large in multiple areas [see chart below]. The largest gaps identified were in the confidence in Internal Audit's methodology and skills, followed very closely by whether or not Internal Audit should be responsible for assessing strategic risks.

[Chart: Gap Identified Between and Executives by Percentage. Categories: Shared Understanding of Role; Role Includes Assessing; Should be Responsible for Assessing; Assessing Creates Value; Participates in Strategic Meetings; Formal Risk Assessment Process; Methodology; Skills; Time; Budget; Essential for Compliance; Internal Audit would still exist without Compliance; Value directly linked to Compliance]

Comparing the gap identified in this study to the study conducted in 2012, it appears as though the gap has increased in almost every category.

My company has minimal regulatory requirements to comply with. Additionally, there are very few documented company policies. That is why I would say our focus is on risk management, control and governance. In the absence of regulatory requirements and internal policies that would compel specific behavior, we must take a common sense approach to internal controls.

The study concluded with the question: Internal Audit could add more value to the company if

The following are some of the responses to this question.

Internal Audit would add more value if it had the tools and techniques required to be effective in the current environment. Internal Audit must evolve to looking at the organization systemically (big picture or globally) not functionally (locally).

Now Internal Audit includes Risk, Assurance and Compliance, which is a new role of Internal Audit. To get real benefits of internal audit Senior and the Board must consider them as a partner in decision making.

Internal Audit would add more value if it were asked to participate in strategic forums; consulted before certain changes are made to the extent appropriate and feasible; asked to be more forward looking and strategically oriented.

Internal Audit would add more value if it was consistently able to provide heads up on potential or emerging risks to prepare the management in advance managing the risk.

Internal Audit would add more value if it further developed its risk assessment and planning process, and further embedded continuous monitoring procedures into routine control monitoring.

In the end, value is determined by the audit committee and executive management, we will add more value if we continue to listen carefully to what they want and need and deliver on those needs with high quality execution, in addition, our ability to add more value is only limited by the quality of our staff, the better people we can attract and retain, the more value we'll deliver.

Internal Audit would add more value if it was made a partner in strategy discussions, risk assessments and in annual planning.

Internal Audit would add more value if it would be more active in helping management to streamline its vision and mission without impairing with the objectivity and independence needed in accordance with IIA IPPF.

Conclusion

This report started out by introducing guidelines and standards prescribed by the Institute of, the unquestioned leader in certification, education and research for the Internal Audit professions. The IIA clearly states:

The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.

The responses in this study would indicate that this is not being met. Good communication on expectations for any role is essential and provides a foundation for performance. This holds true for any task, job, team, department, and business. A good quality assurance program within Internal Audit consistent with the expectations of the IIA would dramatically improve the gaps identified.

Suggested Actions:

1. If you are an internal auditor and reading this, take this report and your charter and sit down with senior management and the audit committee. Candidly discuss the report and review your charter and expectations to determine if your role as currently defined is meeting expectations and adding value to your company. If not meeting expectations, redefine your role.

2. If you are a member of senior management or the board, request a copy of the Internal Audit Department Charter then request a meeting with the Internal Auditor. Candidly discuss this report and review the charter and the expectations you have of Internal Audit. Through this discussion you may find that there are opportunities for the company to gain additional value from the internal audit role.

This report is a publication of Vonya Global LLC; an international consulting firm specialized in enhancing corporate governance by providing internal audit, internal control and risk assurance services to a wide range of companies. Duplication without the expressed written consent of Vonya Global is strictly prohibited. For more information about Vonya Global please visit