Internal Audit The Future of Internal Auditing: Changing Internal Audit s Value Proposition October 12, 2010 Istanbul, Turkey Presented by: Naman Parekh Partner,
Agenda Background of the 2012 Study Key Trends Changing the Internal Audit Value Proposition Questions
Background of the 2012 Study In 2007, research objective was to identify forces and trends that will reshape Internal Audit over the next 5 years Areas of focus Impact of business trends on Internal Audit Composition and expectations of Stakeholders Internal Audit roles and responsibilities Internal Audit organization and structure Human resources practices Working practices Communications and reporting Internal Audit use and leverage of technology IT audit strategy 3
Background of the 2012 Study Methodology Methodology Survey of all Fortune 250 Chief Audit Executives Twenty-five additional surveys of other selected thought leaders, academics and stakeholders Direct interviews of 19 individuals representing a cross section of the survey population Respondents 72 survey responses from CAEs representing F250 companies (29%) 19 one-on-one interviews 4
Background of the 2012 Study Two emerging views Stay the Course Many respondents felt the fundamental mission and role of Internal Audit would remain largely unchanged over the next five years. Dynamic Change Other respondents, particularly those we interviewed, saw fundamental changes in the mission and role of internal audit by 2012. We refer to this as the Controlscentric view. Background of the 2012 Study We refer to this as the Risk-centric view. Certain macro trends were recognized by both groups as having significant impact on Internal Audit by 2012. 5
Background of the 2012 Study The Dynamic Change notion was advocated by one of the leaders of the Corporate Governance movement In the next five years your profession will be revolutionized... a compliance based approach (to internal audit) is something of the past. Mervyn King July 9, 2007 IIA International Conference Amsterdam, NL 6
Background of the 2012 Study Since the Internal Audit 2012 Study, we have published other Internal Audit whitepapers. An opportunity for transformation How Internal Audit helps contribute to shareholder value State of the Internal Audit profession studies 2008 Targeting key threats and changing expectations to deliver value 2009 Business upheaval: Internal Audit weighs its role amid the recession and evolving enterprise risks 2010 A future rich in opportunities Internal Audit must seize opportunities to enhance its relevancy 7
Key Trends Areas of greatest projected increases in internal audit s responsibility include: 1. Continuous auditing or monitoring 95% 2. Auditing the ERM process 77% 3. Auditing outsourced or off-shored operations 75% 4. Fraud detection 66% 5. Fraud risk assessments 66% 6. Auditing executive comp and disclosures 65% 7. Auditing operational efficiency/effectiveness 64% 8
Key Trends Key trends believes will reshape Internal Audit by 2012 Changes in risk management Globalization Technology will result in Changes in Internal Audit roles Organizational and talent management trends Through analysis of both survey and interview data, believes these broad trends will drive change in Internal Auditing by 2012 and beyond. 9
Key Trends Risk management, technology and globalization trends are changing internal audit s environment Internal audit must focus on adding true value to the business instead of just ensuring compliance with laws and regulations. Internal Audit must ask the questions What is the company trying to achieve? and What audits can help the company reach its goals? Chief Audit Executive, Information Services Industry Many Internal Audit functions have lost touch with what is most important to the business. Too many internal audit functions are following what the industry is doing, worrying they will be left behind. Chief Audit Executive, Aerospace and Defense Industry IA value propositions must evolve to keep pace with business needs 10
Changes in risk management
Changes in Risk Management Companies are beginning to look at more comprehensive and formal approaches to risk management More than half of internal audit respondents believe an annual planning process focused on risk assessment will be more important in 2012 Over 70 percent expect that either they or their company will conduct continuous or ongoing risk assessments 60 percent believe that continuous risk assessments will be leveraged in audit planning Interviews revealed a strong consensus that fraud risks will be more critical going forward 12
Changes in Risk Management Several forces are driving the adoption of Enterprise Risk Management Rating Agencies (S&P, Moody s) are evaluating risk management practices and capabilities NYSE listing requirements require the audit committee of the BOD to discuss guidelines and policies with respect to risk assessment and risk management SEC rules emphasize focus on risk management, including SOX 404 Federal Sentencing Guidelines now include formal compliance risk assessment Internal audit standards (IIA) require IA to evaluate risk management capabilities Pressure growing to disclose ERM information in MD&A COSO Enterprise Risk Management Framework 13
Changes in Risk Management Focus of ERM implementation depends on the company s objectives and sophistication Exploit Build Protect Shareholder value based focus Control Company Orientation Operational Strategic Basic Level of sophistication Highly sophisticated 14
Changes in Risk Management The orientation toward ERM is generally based on industry/ company attributes and objectives Orientation Governance & Control: Defensive approach focused on increasing the knowledge of, accountability for and communicating the company s key risks to minimize bad things happening to the company. Operational Improvement: Approach focused on improving the company s ability to manage risks at a lower cost, to take more risk at the same cost, to alter the company s risk profile or to align individual risk appetites. Strategic: Forward-looking approach focused on supporting performance management by incorporating ERM principles into processes that create the company s risk profile and drive organizational behavior Industry / Company Attributes Board-driven or defensive in nature Significant external shocks (e.g., environmental disaster, significant fraud, financial restatement) Heavily regulated industries (e.g., pharmaceuticals) Opportunistic in nature, seeking measurable benefits Challenging industry environments (e.g., automotive, commodity processors) Changing risk profile Seeking to optimize risk, return and growth Industries with more easily measurable risks (e.g., financial services, energy) Highly capital intensive Considering significant portfolio changes 15
Emerging information technology needs
Emerging Information Technology Needs IIA UK survey identified the following top technology risks Data quality risk Business systems risk (e.g. poor change control over an ERP system) Data security and privacy IT governance risk (e.g. lack of alignment between IT and the IT resilience & continuity IT project risk (e.g. failure to deliver benefits or within budget) 49% 59% 60% 63% 69% 79% 0% 20% 40% 60% 80% 100% 17
Emerging Information Technology Needs 2012 survey participants anticipate major changes in what they audit, how they audit, and the skills that will be needed 100% expect use of technology to increase IT capabilities expected to grow the most in importance: Privacy-related risks 60% Off-shored technology operations 60% Automated controls 60% ERP systems 53% Network security 51% Data warehouses 50% 18
Emerging Information Technology Needs Survey results: Skill sets that will be more important by 2012 1. Data mining & analysis 89% 2. Risk assessment 76% 3. Information technology 72% 4. Risk management 70% 5. Fraud detection 69% The ability to conduct data analysis is essential. Chief Audit Executive, Healthcare Industry Integrating technology and the finance skill set is becoming more and more important. Chief Audit Executive, Technology Industry Survey respondents indicating the skill set will be far more important or somewhat more important than today. Sarbanes-Oxley has developed an Internal Audit culture of staff believing they could stop thinking. Internal Audit needs to get back to having business conversations, be better prepared, and have an understanding of what is going on in the business. Chief Audit Executive, Consumer Products Industry 19
Emerging Information Technology Needs Participants anticipated deployment of IT audit strategies Increase IT skill level of general internal audit staff 76% Acquire more sophisticated IT tools to address IT risks 68% Increase use of third-party experts 60% More integration of IT audit resources into non-it teams 57% Deploy more higher level IT auditors 54% 20
Globalization requirements
Globalization Requirements Globalization Interviewees believe globalization will have a significant impact on internal audit over the next five years As more companies expand operations outside of their home country borders, internal auditors will face a myriad of challenges: Assessing risks in remote geographic locations Understanding control or cultural environments in remote or developing markets Obtaining staffing or resources to provide coverage When asked to describe Internal Audit organizational structure for global companies in 2012 Central function in home country 37% Core function in home country with satellite operations 54% Small operation in home country predominant outside 8% 22
Globalization Requirements Global Political Risk Key driver for global investments Key component of enterprise-wide risk assessments In its risk assessment, internal audit should evaluate political risk and its impact on: Corporate governance Regulatory compliance Operating performance Financial results 23
Globalization Requirements Global Political Risk - continued Internal Audit considerations: Monitor rapid economic growth Instability or deterioration Increasing levels of foreign investment Significant changes in governmental leadership Changes in regulations or trade agreements Social unrest, security issues A more mature technique is Political Risk Analysis (PRA) process firmly embedded in management s activities. 24
Changing the Internal Audit Value Proposition
Changing the Internal Audit Value Proposition As companies move toward entrprise risk management, Internal Audit must also evolve or risk a diminished value proposition 20 th Century Internal Audit Model Controls assurance based on cyclical or routine audit plans The Common Internal Audit Model in 2007 Controls assurance based on a risk-based internal audit plan The Risk-Centric Internal Audit Model Risk and control assurance based on the effectiveness of risk and control processes implemented by management If the view (among stakeholders) grows that all Internal Audit does is test controls, then resource levels will have to come down. Chief Audit Executive, Financial Services Industry Traditional internal auditing will probably diminish in value if the organization moves towards formal risk management. Senior Executive, Rating Agency 26
Changing Transforming the Internal internal Audit auditing Value Proposition While the case for change is compelling because the needs of organizations have changed dramatically Strategic risk is a key concern for Boards Globalization and the extended corporation are driving interdependence risk to higher levels Few robust techniques for overseeing risk Risks around financial controls and basic compliance are managed more effectively Significant variation in risk information provided to Boards Other stakeholders are also focused on strategic, organizational, and business risks Increasing pressures to reduce the cost of compliance Risk & Complexity Controls centric assurance Risk centric assurance Performance management centric assurance believes even a risk centric approach is not sufficient for today s environment Time 27
Changing Transforming the Internal internal Audit auditing Value Proposition Inefficient processes are also driving the need for transformational change Infrastructure Planning Fieldwork Reporting Quality Internal Audit Process Overview Stakeholder - Value Drivers 8 1 9 IA Charter and Mission Training Co-sourcing Methodology Procedures & Protocols Annual Risk Assessment Detailed Planning 5 Audit Reporting Client Satisfaction Annual Audit Plan 2 10 Individual Project Plan Audit Issue Tracking Periodic Assessments Strategic Plan & Reporting Structure Technology Special Projects Management / Executive Reporting IA Budget Administration & Travel 4 7 Detailed Controls Documentation Risk Assessment Updates Detailed Testing 6 7 Audit Committee Reporting Recruiting, Hir ing, Comp & Benefits Areas with significant opportunity for time and/or cost savings Areas with moderate opportunity for time and/or cost savings Areas with limited opportunity for time and/or cost savings 3 Audit Wrap-up Top 10 gaps common to many internal audit functions 1 2 3 4 5 6 7 8 Risk assessment typically not aligned with drivers of shareholder value Internal audit activities focus on low value activities and controls or replicates external audit procedures Financial and human resource limitations and constraints Use of technology tools is limited and they are not integrated Audits are planned with overly broad objectives and scope Routine audits do not fully leverage available data analytical tools Assignment process and travel requirements create significant process inefficiencies Communications (reports, etc) and ratings consume significant resources 9 Recommendations are not impactful 10 Process is weighted toward repetition vs. relevance 28
Changing Transforming the Internal internal Audit auditing Value Proposition s vision is a comprehensive approach to dramatically improve the value-to-cost ratio Value Toolkit Audit Lens Significantly more value Incorporating accepted models of value creation and performance as a reference point for identifying risk Evaluating risk based on its impact to promote or reduce shareholder value Identifying emerging risk through an industry sector lens and the associated risk and audit impact Creating an audit plan prioritized based on results of a value-oriented risk assessment 20% Less Cost Process Improvement & Technology Focusing audit services on significant risks and controls, and leveraging self assessment Reassessing the HR model to aligning skill sets with future audit focus and leveraging - off-shoring - outsourcing / co-sourcing to obtain needed skillsets Streamlining reporting processes; automating reporting and tracking Utilizing a range of technologies in the audit process for - data analysis and storage - risk assessment and monitoring - collaboration 29
Changing Transforming the Internal internal Audit auditing Value Proposition to a more value focused approach that still accommodates controls assurance requirements Value Toolkit Value creating processes & initiatives Resource allocation Enterprise risk assessment Value linkage Coverage driven by issues that directly impact shareholder value, with clear and explicit linkage to strategic issues of the organization Audit plan Follow up tracking Value based audits Cost effective controls assurance 30
Changing Transforming the Internal internal Audit auditing Value Proposition that can be targeted at value and / or cost improvements Value alignment Process & technology Strategic Initiatives Risk Management Performance Management Reporting Reporting Controls & Compliance Strategic Initiatives Risk Management Fieldwork Fieldwork Controls & Compliance Planning Planning Infrastructure Infrastructure "As Is" "To Be" "As Is" "To Be" 31
Changing Transforming the Internal internal Audit auditing Value Proposition Strategy maps are used to identify processes and initiatives that are critical to driving value in annual planning Maps can be constructed at the enterprise, business unit or functional levels 32
Changing Transforming the Internal internal Audit auditing Value Proposition Similarly, the balanced scorecard approach can be used to align audit project scope with process or functional strategies Illustration of alignment between shareholder value, strategies and audit focus at the audit scoping phase Strategy Execution Audit Resulting in a transformed audit that provides a basis for assessing the: Alignment of strategy, related objectives, and metrics and KPIs Achievement of targets Quality and integrity of critical data and reports Identification and management of significant risks Adequacy of processes and controls 33
Changing Transforming the Internal internal Audit auditing Value Proposition Resulting in a radically different end state Strategy Internal audit vision, goals and roadmap aligned with corporate strategy Metrics measure the success of the internal audit transformation People & Organization Deeper business acumen, client relationship, and data analysis skills Core staff transformed from financial auditors to business & controls analysts Offshore capabilities leveraged to reduce labor costs Innovation Blueprint Process Resources allocated based on risk to value Mix of continuous controls assurance and value based audits Streamlined reporting and communications Formalized relationship management activities Technology CAATs utilized for financial, controls and operational data and metrics Integrated audit platform and workflows Risk and controls dashboards with drilldown capabilities 34
Changing the Internal Audit Value Proposition Closing Comments Eight Key Attributes of an IA Function 1 2 3 4 5 Start with a plan Rethink risk assessment practices Fill the skills and capabilities gap Align with other assurance functions Focus on obtaining ROI from technology 35
Questions Contact Information E-mail: naman.parekh@us.pwc.com Phone: 206 398 3979 This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the firm], its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2010 PricewaterhouseCoopers LLP. All rights reserved. In this document, refers to [insert legal name of the firm] which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.