Internal audit insights High impact areas of focus

Similar documents
Third Party Governance and Risk Management

Generating value within the Risk Ecosystem Risk powers performance

<IR>: how does it fit into the UK corporate reporting landscape?

Internal audit insights High impact areas of focus

Global mobility shared service centres That s the bottom line

Indirect Tax Conference Developing your Customs Function

Enabling our finance transformation Establishing a successful GPO model

February Audit Committee performance evaluation Self-assessment checklist

Understanding Family Business Unique business Unique challenges. January 2014

Stakeholders. Shareholders. Societal licence Shareholders Corporate governance. Viability. Corporate governance reform

Deloitte Shared Services, GBS & BPO Conference Indirect Tax: Delivering Best-in- Class Compliance in a GBS Environment

Capital Programmes Orchestrating Success

UK Indirect Tax Conference 2015 Power of data

Introduction to Environmental Impact Assessment for Masterplan Sites 25 April 2018

The Next Generation CFO Programme Knowing what s ahead CFO. The. Programme

Find your Deloitte Options for those leaving school

VAT elearning for HEIs Managing risk and cost through knowledge and awareness

Building an Insight Driven Organisation March 2017

Deloitte Shared Services, GBS & BPO Conference

Chris Hodge Financial Reporting Council Fifth Floor Aldwych House Aldwych London WC2B 4HN. 10 July

The enhanced auditor s report bulletin 2 A review of the latest auditor s reports

Skills Development in HR Shared Services Creating value via credible career pathways

RWE GBS HR Journey to efficient HR shared services operations

Annual Shared Services and BPO Conference 2013 Delivering value from your portal and tier 0 strategy. Aaron Alburey & Nico Orie

Decoding the future IT Risk Management. Disrupted. Exploring the future of IT risk management By Chris Recchia, Tom Bigham and Rob Dighton

Future of Retail Work A guide to transforming workforces in a digital age of disruption

Stakeholders. Shareholders. Societal licence Shareholders Corporate governance. Viability. Corporate governance reform

Risk Advisory Services Developing your organisation s governance for competitive advantage

Developing insightful management reporting Opportunities and challenges for CFOs

Results by proxy How Police and Crime Commissioners can commission effective public services

Connecting the parts Developing an integrated IDMP strategy

The Deloitte Talent in Banking Survey 2013 Switzerland in focus

Shared Services in mid-sized organisations What are the different routes to value creation?

A robust and systematic review.

Keep CALM and carry on Connected Asset Lifecycle Management

EY s response to Building the UK financial sector s operational resilience a BoE/FCA/PRA Discussion Paper

Risk adjusted forecasting and planning Navigating the new normal of increased volatility

Flex approaches to assignee packages

Assurance for growth 2015 planning priorities for internal audit in financial services. An Internal Audit viewpoint

Deloitte Shared Services Conference 2018 Extended lab 4: Internal controls managing risk in the age of digitalisation Ani Sen Gupta and Edward

Reducing fraud, bribery and corruption in your private business: 6 things you can do now

Rethink your ERP Strategy with S/4HANA. Deloitte Consulting Switzerland

Stakeholders. Shareholders. Societal licence Shareholders Corporate governance. Viability. Corporate governance reform

Deloitte Shared Services, GBS & BPO Conference Managing a Big Bang Transition to GBS: How to Create a Recipe for Success

Global Workforce Labs Designed to initiate and accelerate change. #GlobalWorkforce

Global Mobility Shared Service Centres That s the bottom line

Enterprise compliance Acting on today s risks to avoid tomorrow s crises

SAP S/4HANA Finance The Finance Labs The Art of the Possible

Making capital work Unlocking cash through cross-collaboration

Global Mobility Innovation Lab

INTEGRATED RISK BUSINESS CONTINUITY CYBER-SECURITY THE RESILIENCE FACTORS THAT DRIVE YOUR REPUTATION

Enabling Success for Health and Care Systems

Aspire with assurance Illuminating the audit of the future. Audit & Assurance

MANAGING RISK AT SUNCORP

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

Foundations in a technology driven world 2016 EMEA Financial Services IT Risk Management Survey

Risk frameworks. Driving business strategy with effective risk frameworks

Stakeholders. Societal licence Shareholders Responsible business Transparency. Corporate governance Viability Company purpose

Strategic Moves Managing a Global Workforce

Purpose, place & profit in the family business A framework for dialogue and discussion

Breaking the risk barrier How Payment by Results can be embedded in public sector programmes

Terms of Reference. The Chairman of the Committee shall be appointed by the Board from among the independent non-executive directors.

EY Center for Board Matters. Leading practices for audit committees

Sub-section Content. 1 Preliminaries - Post title: Head of Group Risk - Reports to: CRO - Division: xxx - Department: xxx - Location: xxx

The Value of Consulting Assuring Audit Committee & other Key Stakeholders of IA s Quality

Leading the profession. Our ethics code

Fraud, bribery and corruption Protecting reputation and value

Creating a Risk Intelligent Enterprise: Risk governance

Culture and behaviours Creating confidence in your biggest asset

INTERNAL AUDIT PLAN AND CHARTER 2018/19

Risk Appetite Statement

Second time around Renewing your remuneration policy

Internal Audit Services. March 2017

Steve McKenna, Lloyds Bank

Deloitte Shared Services Conference 2018 Agile 101: delivering value using Agile Richard Barsby, Ashley Payne Rolls-Royce, Tom Bevan, Christina

Fraud Investigation & Dispute Services. Forensic analysis and global experience: the intelligent connection

Cairngorms National Park Authority

Internal audit in insurance: market issues and trends

EY Center for Board Matters Boards and internal audit

Boards and internal audit: Working together to strengthen risk management

Board Evaluation Is your Board ready for SREP governance reviews? Deloitte Malta Risk Advisory - Banking

Software Asset Management Reducing costs, mitigating risk, gaining control. Ninety years in the Middle East

The viability statement. Finding opportunities in the new regulatory challenge March 2015

Enterprise Risk Management (ERM): Gap Analysis for Kenya and the development of a niche service provider

RegTech, the future of banking beyond IT. In collaboration with

The Deloitte Talent in Insurance Survey 2015 Middle East in Focus

Next Generation CIO Programme. Session 1: Monday 19 th March Session 2: Monday 23 rd -24 th April London 1

Active Essex Risk Management Strategy

Leading lights 2018 Hot topics for IT Internal Audit in Financial Services. An Internal Audit viewpoint

Connected factory Digital solutions on the manufacturing floor

NEXT GENERATION CIO PROGRAMME SESSION 1: WED 22 FEB SESSION 2: THU 23 FRI 24 MAR LONDON

The Bribery Act What is bribery? What action should you take? The key offences

29/11/2017. Risk Management Policy

Risk Management and the Internal Audit profession Two sides of the same coin? 30 th September 2015

Our ethics code It starts with integrity

Information Governance Policy

ISACA San Francisco Chapter

RISK MANAGEMENT FRAMEWORK

Driving the Future of Finance Finance as a Strategic Advisor and Insight Provider, enabled by Technology

Risk Management Strategy

Transcription:

2014 Internal audit insights High impact areas of focus

To be truly effective, internal audit departments should ensure that their efforts are targeted at the key risks and issues facing their business a task made more difficult in an environment of increasing complexity, uncertainty and change. The following pages set out the ten high-impact areas of focus that we believe internal audit professionals should look to incorporate in their audit plans.

Internal Audit Analytics With large amounts of data available, it is becoming more important than ever for organisations to use analytics to address current and emerging risks quickly, drawing conclusions that can help decisionmakers take action more confidently and with deeper insight. The predictive capability of analytics can also help drive a more effective, risk-based audit by: determining which entities have greater risk and should receive more attention; improving efficiency and coverage; delivering more robust and effective analysis of key issues; providing more meaningful and actionable insights, and driving change within the organisation. Risk and Control Culture Companies, regulators and government bodies are realising the crucial role that risk and control culture plays in the way risks are managed. In the people, process and technology trinity of risk management infrastructure, it is the people who ultimately make process and technology work. How people manage risks largely depends on the culture prevailing within the organisation. Increasingly, boards and senior management are considering actions to foster a stronger risk and control culture within their organisation. Internal audit has a key role to play and should consider building a culture assessment framework and implementing internal audit activities to assess whether the prevailing risk and control culture and related processes, actions and tone from the top align with the organisation s values, ethics, risk strategy, appetite, tolerance and approach. Internal audit insights High impact areas of focus 1

Cyber Crime and Security Today s cyber criminals are increasingly adept at gaining undetected access and maintaining a persistent, low-profile, long-term presence within information technology environments. Meanwhile, many organisations may be leaving themselves vulnerable to cyber crime based on a false sense of security, perhaps even complacency, driven by non-agile security tools and processes. Threats posed by cyber crime have increased at a faster rate than many organisations can cope with. Whilst the reputational and financial impacts would be significant if a breach were to occur, industry regulators are increasingly citing cyber security as one of their top priorities, meaning organisations are also faced with regulatory risks. Internal audit must take a leading role to ensure a systematic and disciplined approach exists to evaluate and improve the effectiveness of cyber risk management and to ensure that appropriate cyber security capabilities are in place to protect against emerging cyber threats. Assurance Mapping A key role of the internal audit function is to provide comprehensive assurance over the key risks and mitigating activities throughout the organisation whilst minimising duplication from other assurance providers. This means having an understanding of the relevant second line risk management controls and assurance processes as well as the third line of defence assurance activity in place. To help drive a coordinated approach across the organisation, many internal audit departments view the preparation of an Assurance Map as an essential mechanism to communicate the layers of assurance to the organisation s governing bodies. This process involves mapping all assurance activities against identified key risks so that gaps and overlaps may be avoided; reducing the assurance burden on business processes and improving efficiency and focus across third line activities. 2

Crisis Management A crisis is a catastrophic event that can jeopardise the critical assets, reputation and/or financial standing of an organisation; it can be highly complex, unforeseen (but not always) and unpredictable. The ability of an organisation to manage a crisis can be attributed as much to the skills, knowledge and experience of its crisis team as it can to the adequacy of its crisis management plans. This can only come from regular practice, whether through scenario-based simulations or real events. Crisis readiness can directly help mitigate many key organisational risks such as business continuity, reputational risk and financial risk. As such, internal audit should evaluate their organisation s crisis readiness, including assessing whether the crisis team has the plans, tools and capabilities necessary to respond to an event that may threaten the future viability of the organisation. Anti-Bribery and Anti-Corruption Beyond the significant regulatory, legal and financial consequences of non-compliance with anti-corruption legislation, the reputational impact can also have severe and long-lasting effects. The Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act of 2010 are two such examples of regulations with an impact on a global scale. It is crucial that organisations have anti-corruption programmes in place which include: board oversight; written standards and policies; risk assessments; communications and training; monitoring and auditing; incident reporting; and corrective actions and discipline. Internal audit departments should review the design and effectiveness of their organisation s anti-corruption programme, providing independent assurance to management and the audit committee that key anti-corruption risks are managed to an acceptable level. Internal audit insights High impact areas of focus 3

Capital Project Reviews Many organisations continue to face challenges with capital projects running behind schedule and over budget. The importance of strong capital project governance and management is particularly evident in unstable economies, where costs and schedules are heavily scrutinised. Despite substantial sums of money being spent through various contractual agreements, the contracts underpinning these arrangements are often vague, misinterpreted, or inadequately monitored. To identify opportunities for cost recovery and to provide valuable insights and recommendations to improve processes and controls, internal audit functions should consider incorporating contract risk and compliance procedures into their activities. The most successful internal audit departments are using advanced tools and analytics across the end-to-end capital project life cycle to provide deeper insights and real-time monitoring of key risks. Sustainability As organisations strive to bring non-financial measures to the forefront of their sustainability decision-making processes, internal audit functions should also be aligning their focus with the overall enterprise environmental, social and governance activities. Those internal audit departments leading the way play a key role in evaluating their organisation s sustainability risks and opportunities within areas such as facility efficiency, supply chain management, employee motivation and retention, and risk management. To take advantage of these opportunities, internal audit departments should consider developing a measurable and defined internal audit programme which includes: measuring industry-specific environmental, social and governance key performance indicators; performing sustainability-related risk assessments, including process and control design, framework development and policy analysis; analysing current sustainability reporting within the industry, conducting gap analyses and recommending material topics for reporting; and performing internal audits of environmental and social data. 4

Joint Venture Governance When new Joint Venture (JV) entities are established, internal audit can play an important role in ensuring that management appropriately identifies and addresses the key risks. Key JV governance elements, such as strategy development and monitoring, risk governance, policy governance, capital planning and delegation of authority are just a few of the areas that require agreement between shareowners, each of whom may have different interests and perspectives. Internal audit should also consider JVs as part of their ongoing audit universe making sure the parent company has the appropriate monitoring controls in place to effectively govern the investment. The effectiveness of key risk management practices should also be evaluated, either through direct internal audits or meeting with the JV internal auditors. The impact of these findings should be considered in the context of its parent company and communicated, alongside any recommendations, at the parent company level. Data Privacy With the proposed EU regulation aiming to overhaul Europe s Data Protection legislation, organisations need to demonstrate that they are handling personal data appropriately. As regulations are set to become increasingly burdensome, with significant reputational damage and increased financial penalties for noncompliance, internal audit departments are acting to help their organisations avoid these risks. This may be through high-level privacy governance internal audit reviews, looking at how privacy is managed across the organisation, or deep-dive compliance audits, reviewing key business processes against the specific requirements of the Data Protection Act. In addition, internal audit teams may choose to carry out early reviews in this area to provide an initial indication of how prepared an organisation is for when the new legislation comes into force. Many of these issues are relevant across all industries; however, for a specific view on the hot topics facing internal audit functions within Financial Services, please visit www.deloitte.co.uk/fsinternalaudit2014 Internal audit insights High impact areas of focus 5

Contacts Peter Astley Internal Audit Lead Partner pastley@deloitte.co.uk +44 020 7303 5264 Mark FitzPatrick Internal Audit Lead Partner, Financial Services mfitzpatrick@deloitte.co.uk +44 020 7303 5167 For more information, please visit www.deloitte.co.uk/internalaudit Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/ about for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. 2014 Deloitte LLP. All rights reserved. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198. Designed and produced by The Creative Studio at Deloitte, London. 32065A

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback