CBOK 2015: THE TOP 7 SKILLS CAEs WANT Building the right mix of talent for your organisation This report is part of the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Study series. It is based on the results of more than 10,000 competency self-assessments from internal auditors around the world at all staff levels. This report discusses personal and technical skills Chief Audit Executives (CAEs) are recruiting in their audit departments. Based on the results of the CBOK 2015 Global Practitioner Survey, it provides insights on building the right mix of talent for the organisation. The 7 Skills CAEs Want (in order of priority) 3. Information technology (IT) (general) needed to assess business and IT processes and also to perform auditing tasks 4. Industry-specific knowledge used for assurance, consulting, and strategic reviews 5. Data mining and analytics used to improve efficiency and effectiveness of audit procedures Accounting and Risk Management Assurance The emphasis on these 2 skills appears to shift in importance to CAEs based on the organisation s level of risk management maturity and sophistication. As risk sophistication increases, the relative emphasis on developing accounting skills decreases and that of risk management assurance increases. n Mi Personal Skills - High in Demand Analytical/critical thinking (64%) and communication (51%) are the top skills most sought after by CAEs recruiting or building into their internal audit (IA) departments. These skills are essential as the profession moves toward an increasingly higher proportion of riskbased auditing and more advisory or consultative work. Technical Skills - Changing Priorities The next 5 skills that CAEs rank the highest are technical skills that are broadly needed for IA activities: 1. Accounting used to assess financial reporting controls 2. Risk management assurance used for risk-based auditing and to improve risk management Long-term flexi processes Globally for all CAEs surveyed, the relative need for accounting skills diminished compared to other technical skills as the maturity of the risk management process increased. IT and Data Analytics Skills to conduct data analytics will continue to increase and drive larger proportions of IA plans. Given the complexity of IT and data analytics skills (and the difficulty in recruiting for them), IA functions at smaller organisations often need to outsource these skills. On the other hand, larger IA functions are actively recruiting and developing IT and data analytics skills. Industry Knowledge Industry-specific knowledge is consistently needed regardless of the size of the IA functions. 1
f Regional Insights Recognising Differences Some interesting regional differences in the skills CAEs are recruiting for or building into their IA departments: 1. Analytical/critical thinking - this skill is in high demand globally. 2. Communication - this skill ranks particularly high in China, Taiwan & Hong Kong (66%), making it and East Asia the only regions where communication ranks higher than analytical/critical thinking. 3. Accounting the responses varies broadly across regions, with highs above 60% (Southeast Asia and China, Taiwan & Hong Kong) and lows approaching 30% (North America, Europe, and Pacific). 4. Risk management assurance this skill has the highest priority in Pacific (61%) and Sub-Saharan Africa (57%) and the lowest in North America (28%). 5. IT (General) rankings for this skill is fairly consistent across regions (36% to 47%), with the exception of China, Taiwan, & Hong Kong where it is rated significantly lower (21%). 6. Industry-specific knowledge this skill is most sought out in North America (43%) and Middle East & North Africa (41%) and least in demand in Sub- Saharan Africa (20%). 7. Data mining and analytics - North America places a much higher priority (48%) on data mining and analytics than other regions (around 30%). Talent Management Strategies The best way to recruit and build the skills needed by staff is to have a well-planned talent management strategy, which includes the following 4 elements: 1. Assessment of Needs The assessment of needs should look at skills compared to the organisation s current or future strategies and risks, not just compared to the existing audit plan. In theory the audit plan reflects those risks, but many IA groups do not cover strategic risks. Half of survey respondents describe their level of activity for strategy reviews as minimal or none. Organisational strategy and risks needs to be considered in all IA processes, including its talent management strategy (refer to IIA s Practice Guide on Talent Management ). Generational differences should also be taken into 1 consideration in talent management strategies (refer to CBOK report GREAT Ways to Motivate Your Staff ). 2. Recruiting Plan The relatively narrow recruiting of accounting, auditing, and finance majors can handicap an organisation s ability to bring in candidates with the top skills CAEs need. Differences of educational backgrounds between respondents is explored in the CBOK report Mapping your Career. The analysis shows that respondents with majors other than accounting, internal auditing, and finance, tend to have higher self-assessments for critical thinking and communication, than those with other majors. CAEs can improve their hiring choices by implementing behavioral interviews and being open-minded to applicants with diverse backgrounds. Behavioral interviews are a good way to improve the chances of identifying key talent with critical skill sets. Such interviews use questions that ask about experiences resembling real-life situations that a potential auditor will face. 3. Training and Development Programme If a candidate lacks technical or personal skills, the CAE should be able to fill in the gaps with development and training. However, survey results indicate this is an area that is not fully developed in many IA functions. Less than half of CAEs surveyed worldwide say that the training programme for internal auditors is structured and documented. The rest say their programmes are ad hoc or not developed. Of those functions with training programmes, only 30% include training on critical thinking skills as shown below. Elements included in IA Training Programmes 2
3. Training and Development Programme (cont d) In view of the difficulty in finding quality audit staff, CAEs must invest in the development programmes to enhance critical personal and technical skills and not depend on staff to fill the skills gap on their own. CAE leadership requires a mix of coaching and support for formal training. Rotational programmes are another way to expand audit staff abilities essentially stretching and building new skills in new areas. Rotating career auditors out to line assignments and accepting line staff into the IA function can help broaden business acumen, risk management assurance, and critical thinking. 4. Co-Sourcing and Outsourcing Co-sourcing or outsourcing may be the best choice to fill short-term skill gaps or long-term, highly specialised, limited-need skills. An average of 38% of respondents worldwide use third parties for some of their IA activities (refer to CBOK report Engaging Third Parties for Internal Audit Activities). On a global average, these organisations use third parties for 23% of their activity to: Provide specialty skills not available in the IA department Solve staff shortages Supplement staff on an ongoing basis Cover remote business locations Perform special projects Conclusion Analytical/critical thinking and communication are the 2 skills CAEs identified as critical. These are skills that improve with age and experience, but they can often be harder to teach than to hire. As such, behavioral interviewing and other forms of assessment should take precedence over technical skills assessment to ensure the long-term success of IA functions. In addition, CAEs need look at diverse academic backgrounds and experiences to find entrants to the profession who can deliver value from the start. Talent management plans are needed to balance recruiting with ongoing staff development and cosourcing/outsourcing strategies. Refer to: http://theiia.mkt5790.com/cbok_2015_top_skills_caes_want CBOK 2015: LIFELONG LEARNING FOR INTERNAL AUDITORS Certification and training levels worldwide This report discusses the Global Internal Audit Practitioner Survey on the value that internal auditors find in IA certification and continuing professional education (CPE) which enables them to keep abreast with the latest developments in the profession. 1. Certifications in internal Audit and Related Fields IA practitioners can enhance their performance by earning certifications, which in return, provides great benefits to their career growth. Below are the certifications and designations offer by the IIA: There is strong demand for CIAs in the labour market and it is supported by the fact that employers tend to pay 43% higher to those who have attained a professional certification, according to The IIA s 2015 Internal Audit Compensation Study conducted in North America. Internal Audit Certification Rates Globally, 43% of respondents have at least one IA certification. IA practitioners come from a wide variety of backgrounds. This has led many of them to acquire other non-internal audit certifications throughout their careers. For East Asia & Pacific region (including Malaysia), the CBOK 2015 practitioner survey shows that 63% of IA practitioners hold non-internal audit certification (which is on par with the global average of 60%), while 45% are holders of IA certifications. 3
Insights About Regional Differences Reasons for low certification rates: Economics - 3 regions with the lowest gross domestic product (GDP) per capita report the lowest levels of certification namely, South Asia (23%), Latin America & Caribbean (28%) and Sub- Saharan Africa (39%). Low levels of awareness about certifications and the profession as a whole. Language is viewed as a barrier that can hinder professionals from obtaining the CIA certification. 2. Type of Internal Audit Certifications Held CIA Being the primary IA certification, it is held by 30% of respondents globally. The highest percentage of CIAs are found in North America (43%) with East Asia & Pacific region coming in second at 33%. Other Internal Audit Certifications The second highest certification area is other national internal audit certifications, which encompasses non-iia credential related to internal audit, e.g. environmental, health and safety credentials (CPEA, CPSA). This rate is highest in Europe (14%). For East Asia & Pacific, it is 11% which is comparable to the global average of 10%. CRMA This certification is the most popular among the IIA specialty certification with a global average of 9%. This underlines the emphasis internal auditors around the world place on risk management and governance issues. East Asia & Pacific region is among the lowest, with 5% of total respondents holding this specialty certification. QIAL The QIAL qualification is the newest IIA designation, launched in July 2014. This qualification had already been earned by 1% of total respondents. The CBOK 2015 practitioner survey showed that a global average of 15% of total respondents hold at least one of the specialty certifications in internal auditing. East Asia & Pacific region falls under the second lowest of the percentage of practitioners holding specialty certification (9%). The CFSA certification focuses on the financial sector and is held by 5% of respondents in this sector. The CGAP certification is specifically for those in the public sector and certification rate is 8% of public sector respondents worldwide. In some countries, this certification is required for public sector auditors. The existence of specialty certification is not well known to some internal auditors and they need to be convinced of the benefits. In some regions, these certifications are not widely recognised, hence are not sought out by employers. 4. Learning Continues Over a Lifetime IA certification appears to be a natural part of lifetime learning within the profession. Certification steadily increases with age. 3. Specialty Certifications for the Financial Sector and the Public Sector IIA specialty certification is an option available for the internal audit professionals to differentiate themselves in the marketplace. 4
June 2016 Issue 05/16 Similarly, certification rates rise as an individual progresses through the ranks during his/her career. 5. Certifications Related to Accounting and IT Other than CIA and specialty certifications, accounting is the most commonly pursued by the internal auditors, followed by IT related certifications. Worldwide, 32% of respondents hold a certification related to accounting. For certification related to IT, the global average is 11%. 34% of the respondents from the East Asia & Pacific region (which includes Malaysia) hold a public accounting or other accounting certifications while 8% of the respondents from this region hold ITrelated certifications. 6. The Value of Ongoing Training Hours of Formal Training Per Year The majority of internal auditors report receiving at least 40 hours of formal training related to IA per year. 61% of respondents worldwide report that they obtained at least 40 hours of formal internal audit training during the previous year. East Asia & Pacific and Middle East & North Africa are the regions with the highest percentage of respondents reporting that they had not received a minimum of 40 hours of training during the previous year at 47% and 45% respectively. Impact of Certification on Training Certified professionals are more likely to acquire ongoing training than those who are not certified in internal auditing. 73% report to having received a minimum of 40 hours of training during the previous year. On the other hand, only 52% of those not certified completed the same amount of training. Barriers to Internal Audit Training The survey showed that the biggest barrier to obtaining internal audit training is COST. Thus, internal auditors must incur the costs of investing in their professional training. Conclusion Internal auditors around the world should invest in certification and continuing professional education as this lifelong learning will help them continue to add value to the organisation and remain relevant in the marketplace. Refer to: http://theiia.mkt5790.com/cbok_2015_lifelong_learning TONE AT THE TOP: UNLOCKING THE VALUE - HOW AUDIT COMMITTEES CAN LEVERAGE INTERNAL AUDIT The June 2016 issue explores the role of Audit Committee and Internal Audit and their relationship. Internal audit can enhance and protect organisational value by providing risk-based and objective assurance, advice and insight if it maintains a strong relationship with the Audit Committee. Communication is Key Audit Committees must constantly interact with the CAE to determine the risk areas where the internal audit activity can best serve the organisation. Internal audit activity could deliver credible insights to Management and the Board by consistently identifying the existing and emerging key risks of the organisation. 5
must have a strong and trusted internal audit function to serve the fast-moving organisation. 5 Attributes of an Extraordinary Audit Committee Chair: Courageously independent: Willing to challenge management and their assumptions. Professionally skeptical and intellectually curious: Asks important questions and examine linkages. Deeply experienced: Demonstrates industry, financial and business expertise. Approachable relationship builders: Values and fosters the important relationships that are required. Risk-centric strategists: Demonstrates a keen sense of mission and require better than average support. Equip Internal Audit with Necessary Resources The CAE must identify the resources required to fulfill the stakeholders expectations. In turn, the Audit Committee must hold the CAE accountable for properly staffing the function and should ensure the CAE has the budget to find the necessary talent and skills. Internal audit activity can deliver value to the stakeholders with an effective and open communication with the Audit Committee, proper staffing and business acumen to respond to changing risks. Unlock the Value: A Win-Win Relationship New risks driven by technology, economic instability, cybercrime, etc., are evolving faster than ever. As such, the scope of work for Audit Committees will change at a fast pace for the foreseeable future. Thus, the Audit Committee Refer to: https://na.theiia.org/periodicals/public%20documents/tat-june- 2016.pdf COSO ERM Framework Update: Exposure Period is Now Open The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has unveiled an update to its Enterprise Risk Management Integrated Framework and is seeking public comment on the proposal, from June 15 through Sept 30. The update, Enterprise Risk Management Aligning Risk with Strategy and Performance, is designed to address the needs of all organisations to improve their approach to managing new and existing risks as a way to help create, preserve, sustain, and realise value. Please visit www.erm.coso.org to download the document and submit your comment. 2016 FRAUD & CYBERSECURITY CONFERENCE - Find out more at www.iiamevents.com 6