TRENDS WWW.THEIIA.ORG/CAE
Internal Audit Budget & Staffing Projections
- Remain the Same: budget 55%, staffing 71%
- Increase: budget 35%, staffing 25%
- Decrease: budget 8%, staffing 3%
- Unsure: budget 2%, staffing 1%
Moving Out of the Comfort Zone
Are We Too Comfortable?
Culture
Lack of Support Can Be a Hurdle
Responses (Strongly Disagree / Disagree / Neither / Agree / Strongly Agree):
- Has full support of the board to assess all levels: 1% / 5% / 17% / 34% / 43%
- Has full support of the executive management to assess all levels: 3% / 13% / 19% / 38% / 27%
- Has freedom to assess the entire organization & staff: 2% / 10% / 12% / 43% / 33%
Support Makes a Difference
- Has full support of the board to assess all levels: 68%, 89%
- Has full support of the executive management to assess all levels: 56%, 77%
- Has freedom to assess the entire organization & staff: 68%, 87%
Legend: Do Not Audit Culture, Audit Culture
What About Reporting Lines?
- Report Administratively to the CEO
- Report Administratively to the CFO
Is Internal Audit Equipped?
Responses (Strongly Disagree / Disagree / Neither / Agree / Strongly Agree):
- IA is able to identify & assess measures of culture: 2% / 12% / 26% / 50% / 9%
Second chart:
- IA is able to identify & assess measures of culture: 45%, 80%
Legend: Do Not Audit Culture, Audit Culture
Addressing a Toxic Culture
Scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective
- Coordinate efforts with other governance functions: 37%, 43%, 10%
- Raise as separate topic with board: 29%, 45%, 17%
- Raise as separate topic with management: 12%, 40%, 37%, 10%
- Focus on culture in audit reports: 24%, 45%, 20%
Culture
- Develop an approach to assess the critical elements
- Gather objective and subjective information about the organization's culture
- Use professional judgment to evaluate information that cannot be easily measured
- Build and use relationships
Use of Data
Use of Data: Some Risks
- Ethical or barely legal?
- Responsive or convenient?
- Complete or available?
- Causation or correlation?
- Comprehensive or cherry-picked?
Internal Audit Involvement in Evaluating Data Quality
Categories: Very or Extreme; Moderate; Slight or Not at All
Confidence in Strategic Decisions Made Using Data
Categories: Slight or Not at All; Moderate; Very or Extreme
Use of Data
- Know what is collected, how it is analyzed, and which decisions it supports
- Assess the risks
- Consider these risks in audit planning
- Make sure you have requisite skills
From Cybersecurity to Cyber Resiliency
Addressing Cyberattacks: What is Effective?
Cybersecurity Cyber Resiliency
Addressing Cyberattacks in Business Continuity Plans
- Provide general procedures in response
- Provide clear, specific procedures in response
- Do not specify procedures in response
Internal Audit Effort Falls Short of Ideal
- Communicates to board & management level of risk & efforts to address: 40%, 69%
- Ensures communication & coordination among all parties regarding risk: 33%, 55%
- Works collaboratively with IT and others to build effective response: 31%, 56%
- Provides assurance over readiness and response: 26%, 63%
Legend: Ideal, Actual
Why We Fall Short
- Lack of expertise in internal audit: 52%
- Lack of communication or cooperation from IT: 26%
- Lack of understanding of Board as to criticality: 23%
- Lack of support from executive management: 23%
- Lack of communication or cooperation from departments other than IT: 19%
Cyber Resiliency
- Understand cybersecurity risk
- Consider all aspects of cyber resiliency in your organization: protection, monitoring, response and recovery
- Ensure internal audit has the skills to be engaged in these areas
- Discuss cyber resiliency preparedness with management and the audit committee
Valuing Interpersonal Skills
Interpersonal Skills are Critical
- Communication skills: 98%
- Analytical/critical thinking: 97%
- Business Acumen: 83%
- Industry-specific: 65%
- IT: 44%
- Accounting: 42%
- Risk management: 40%
- Data mining & analytics: 37%
- Cybersecurity: 28%
- Finance: 23%
- Fraud auditing: 21%
- Investigations: 19%
- Quality controls: 9%
How Do We Ensure Internal Audit Has the Requisite Skills?
- Collaborates with others: recruiting 15%, training 86%
- Organizes & expresses ideas clearly: recruiting 14%, training 86%
- Listens actively: recruiting 14%, training 86%
- Manages conflict effectively: recruiting 13%, training 86%
- Balances diplomacy & assertiveness: recruiting 13%, training 86%
- Uses research, intelligence, problem solving: recruiting 14%, training 85%
- Recognizes own limitation and seeks advice: recruiting 14%, training 84%
- Leads through influence, conviction, sensitivity: recruiting 15%, training 84%
- Accounts for org politics: recruiting 8%, training 81%
- Accounts for cultural aspects: recruiting 10%, training 79%
What Kind of Training?
Skills: Accounts for culture; Accounts for organization politics; Balances diplomacy with assertiveness; Collaborates with others; Listens actively; Uses research, intelligence, problem solving; Leads through conviction, influence, sensitivity; Organizes & expresses ideas clearly; Recognizes own limitations & seeks advice; Manages conflict effectively
Training methods (legend): Classroom training for auditors; Self-study; On-the-job; Classroom training for professionals; Mentoring
Values, as they appear after "On-the-job": 41%, 49%, 48%, 34%, 38%, 24%, 40%, 40%, 54%, 42%
Values, as they appear after "Mentoring": 48%, 45%, 40%, 53%, 44%, 46%, 42%, 38%, 36%, 36%
How Effective is Our Training?
Scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective
- Collaborates with others: 34%, 49%, 13%
Other skills charted: Leads through influence, conviction, sensitivity; Uses research, intelligence, problem solving; Recognizes limitations and seeks advice; Listens actively; Accounts for culture; Accounts for organization politics; Balances diplomacy with assertiveness; Organizes & expresses ideas clearly; Manages conflict effectively
Values for these skills, in extracted order: 45%, 49%, 46%, 49%, 48%, 47%, 50%, 50%, 49%, 40%, 40%, 42%, 43%, 39%, 38%, 37%, 38%, 38%
The Result: Mediocrity
Scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective
- Collaborates with others: 23%, 54%, 18%
Skills charted: Leads through influence, conviction, sensitivity; Uses research, intelligence, problem solving; Recognizes limitations and seeks advice; Listens actively
Values for these skills, in extracted order: 43%, 38%, 41%, 40%, 39%, 41%, 41%, 47%
Skills charted: Accounts for culture; Accounts for organization politics; Balances diplomacy with assertiveness; Organizes & expresses ideas clearly; Manages conflict effectively
Values for these skills, in extracted order: 49%, 44%, 46%, 49%, 48%, 31%, 30%, 37%, 34%, 33%
Is Something Askew?
- Rely on Training On-the-Job & Mentoring
- Training is Pretty Effective
- Less Than Half of Staff are Very Proficient
Interpersonal Skills
- Recruit for needed soft skills; don't assume that accountants, engineers or IT professionals can easily learn these.
- Take a more disciplined/formal approach to training/mentoring.
- Consider branching out from informal training methods and seek new options for improving the effectiveness of training.
- Evaluate current job descriptions and job postings to ensure they reflect the skills you truly need.
- Invest in yourself and your team
Parting Thoughts
- Identify known & emerging risk areas: 85%
- Facilitate & monitor effective risk management practices by operational management: 78%
- Identify appropriate risk management frameworks, practices & processes: 78%
- Consult on business process improvements: 76%
- Alert operational management to emerging issues & changing regulatory & risk scenarios: 74%
- Assurance on compliance with legal & regulatory requirements: 71%
Source: CBOK Stakeholder Report: Relationships and Risk, Insights from Stakeholders in North America