GAM Presentation: 2016 North American Pulse of Internal Audit…

Post on 30-May-2020


WWW.THEIIA.ORG/CAE


TRENDS


Internal Audit Budget & Staffing Projections

                  Budget   Staffing
Remain the Same   55%      71%
Increase          35%      25%
Decrease          8%       3%
Unsure            2%       1%

Moving Out of the Comfort Zone


Are We Too Comfortable?

Culture

Lack of Support Can Be a Hurdle

[Chart: responses (Strongly Disagree, Disagree, Neither, Agree, Strongly Agree) to three statements: "Has freedom to assess the entire organization & staff"; "Has full support of the executive management to assess all levels"; "Has full support of the board to assess all levels".]

Support Makes a Difference

[Chart comparing two groups, Do Not Audit Culture and Audit Culture, on three statements: "Has freedom to assess the entire organization & staff"; "Has full support of the executive management to assess all levels"; "Has full support of the board to assess all levels".]

What About Reporting Lines?

Report Administratively to the CEO

Report Administratively to the CFO


Is Internal Audit Equipped?

IA is able to identify & assess measures of culture:
Strongly Disagree 2%, Disagree 12%, Neither 26%, Agree 50%, Strongly Agree 9%

[Chart: "IA is able to identify & assess measures of culture", comparing the Do Not Audit Culture and Audit Culture groups.]

Addressing a Toxic Culture

[Chart: ratings (Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective) of four approaches: Focus on culture in audit reports; Raise as separate topic with management; Raise as separate topic with board; Coordinate efforts with other governance functions.]

Culture
• Develop an approach to assess the critical elements
• Gather objective and subjective information about the organization’s culture
  o use professional judgment to evaluate information that cannot be easily measured
• Build and use relationships

Use of Data


Use of Data – Some Risks
• Ethical or barely legal?
• Responsive or convenient?
• Complete or available?
• Causation or correlation?
• Comprehensive or cherry-picked?

Internal Audit Involvement in Evaluating Data Quality

[Chart categories: Very or Extreme; Moderate; Slight or Not at All]

Confidence in Strategic Decisions Made Using Data

[Chart categories: Slight or Not at All; Moderate; Very or Extreme]

Use of Data
• Know what is collected, how it is analyzed, and which decisions it supports
• Assess the risks
• Consider these risks in audit planning
• Make sure you have requisite skills

From Cybersecurity to Cyber Resiliency

Addressing Cyberattacks – What is Effective?

Cybersecurity

Cyber Resiliency

Addressing Cyberattacks in Business Continuity Plans

[Chart categories: Provide general procedures in response; Provide clear, specific procedures in response; Do not specify procedures in response]

Internal Audit Effort Falls Short of Ideal

[Chart comparing Ideal and Actual for four internal audit activities: Provides assurance over readiness and response; Works collaboratively with IT and others to build effective response; Ensures communication & coordination among all parties regarding risk; Communicates to board & management level of risk & efforts to address.]

Why We Fall Short

Lack of communication or cooperation from departments other than IT: 19%
Lack of support from executive management: 23%
Lack of understanding of Board as to criticality: 23%
Lack of communication or cooperation from IT: 26%
Lack of expertise in internal audit: 52%

Cyber Resiliency
• Understand cybersecurity risk
• Consider all aspects of cyber resiliency in your organization: protection, monitoring, response and recovery
• Ensure internal audit has the skills to be engaged in these areas
• Discuss cyber resiliency preparedness with management and the audit committee

Valuing Interpersonal Skills


Interpersonal Skills are Critical

Quality controls: 9%
Investigations: 19%
Fraud auditing: 21%
Finance: 23%
Cybersecurity: 28%
Data mining & analytics: 37%
Risk management…: 40%
Accounting: 42%
IT: 44%
Industry-specific: 65%
Business Acumen: 83%
Analytical/critical thinking: 97%
Communication skills: 98%

How Do We Ensure Internal Audit Has the Requisite Skills?

[Chart: Recruiting versus Training for each of the following competencies: Accounts for cultural aspects; Accounts for org politics; Leads through influence, conviction, sensitivity; Recognizes own limitation and seeks advice; Uses research, intelligence, problem solving; Balances diplomacy & assertiveness; Manages conflict effectively; Listens actively; Organizes & expresses ideas clearly; Collaborates with others.]

What Kind of Training?

[Chart: type of training (Classroom training for auditors; Classroom training for professionals; Self-study; Mentoring; On-the-job) for each of the following competencies: Manages conflict effectively; Recognizes own limitations & seeks advice; Organizes & expresses ideas clearly; Leads through conviction, influence, sensitivity; Uses research, intelligence, problem solving; Listens actively; Collaborates with others; Balances diplomacy with assertiveness; Accounts for organization politics; Accounts for culture.]

How Effective is Our Training?

[Chart: ratings (Not effective; Slightly effective; Moderately effective; Very effective; Extremely effective) for each of the following competencies: Manages conflict effectively; Organizes & expresses ideas clearly; Balances diplomacy with assertiveness; Accounts for organization politics; Accounts for culture; Listens actively; Recognizes limitations and seeks advice; Uses research, intelligence, problem solving; Leads through influence, conviction, sensitivity; Collaborates with others.]

The Result Mediocrity

[Chart: ratings (Not effective; Slightly effective; Moderately effective; Very effective; Extremely effective) for each of the following competencies: Manages conflict effectively; Organizes & expresses ideas clearly; Balances diplomacy with assertiveness; Accounts for organization politics; Accounts for culture; Listens actively; Recognizes limitations and seeks advice; Uses research, intelligence, problem solving; Leads through influence, conviction, sensitivity; Collaborates with others.]

Is Something Askew?

Rely on Training

On-the-Job & Mentoring

Training is Pretty Effective

Less Than Half of Staff are Very Proficient

Interpersonal Skills
• Recruit for needed soft skills – don’t assume that accountants, engineers or IT professionals can easily learn these.
• Take a more disciplined/formal approach to training/mentoring.
• Consider branching out from informal training methods and seek new options for improving the effectiveness of training.
• Evaluate current job description and job postings to ensure they reflect the skills you truly need.

Invest in yourself and your team

Parting Thoughts

Assurance on compliance with legal & regulatory requirements: 71%
Alert operational management to emerging issues & changing regulatory & risk scenarios: 74%
Consult on business process improvements: 76%
Identify appropriate risk management frameworks, practices & processes: 78%
Facilitate & monitor effective risk management practices by operational management: 78%
Identify known & emerging risk areas: 85%

Source: CBOK Stakeholder Report: Relationships and Risk, Insights from Stakeholders in North America