Reaching Greater Heights: Are You Prepared for the Journey?
-
Upload
baldwin-walsh -
Category
Documents
-
view
221 -
download
0
description
Transcript of Reaching Greater Heights: Are You Prepared for the Journey?
Reaching Greater Heights: Are You Prepared for the
Journey?
Reaching Greater Heights: Are You Prepared for the Journey? 2013
State of the Internal AuditProfession Study April 18, 2013 Welcome
to our 2013 State of the Internal Audit Profession survey
presentationwe are glad you are able to join us today This is our
ninth annual survey and we are proud to be able to share the
insights we captured from over 1,700 surveys and through nearly 150
interviews of board members, senior executives and CAEs from over
64 countries representing 16 industries By show of hands, how many
of you participated in the survey? We appreciate you doing so thank
you. 2013 PricewaterhouseCoopers LLP. All rights reserved. With you
today Chris Lydon Internal Audit Director Valerie Caporuscio Data
Assurance Manager (330) April 2013 Agenda Introductions PwCs 2013
State of the Internal Audit Profession study Heart of the matter
Examining the issues The opportunity: defining greater heights The
path forward Data analytics discussion Questions and answers Today
well share with you an overview of the 2013 Study: scope, key
observations we made and, most importantly, key takeaways for you
and some strategies for you to consider as you determine how the
Study results impact you and your organization After some brief
highlights, our panel will discuss some of the main themes in
greater detail and provide some insights into what they are seeing
and how we can bring the recommendations and findings of the study
to life Wed like this to be an interactive discussion, so in
between panel questions, time permitting, we will be able to take
some audience questions as well April 2013 At a glance 9th Annual
State of the Internal Audit Profession Study
Second year where we explored the impact of InternalAudit from the
lens of a stakeholder Over 1700 respondents, Audit Committee
Chairs, Board,CEOs, and CFOs, participated including 630
executivestakeholders Over 140 personal executive interviews
conducted Focus areas included Stakeholders expectations of IA
Performance and value of IAs contribution IAs contributions in
emerging risk areas Characteristics of IA functions Set the stage
for the presentation / audience - 9th year of study. - First 7
years was through the lens of IA Last year included other
stakeholders and focused on their view This year we included
stakeholders, but broke out board members and management We had
over 1700 respondents, 630 stakeholders Over 140 interviews Walk
through the study Talk through key findings from study Dig into a
handful of the issues Talk about the opportunity, how some
functions are getting it right Talk about the path forward, how IA
can raise their game April 2013 2013 PricewaterhouseCoopers LLP.
All rights reserved.
Heart of the matter April 2013 2013 PricewaterhouseCoopers LLP. All
rights reserved. 2013 PricewaterhouseCoopers LLP. All rights
reserved.
Heart of the matter Stakeholders want more and internal audit can
deliver Internal audit continues to face challenges Stakeholders
are not aligned intheir views on internal auditsvalue and
performance Internal audits capabilities are not keeping up - what
was onceleading practices are now thenew floor Internal audit
continues tostruggle in maximizing itscontribution, especially in
lesstraditional areas Internalaudits performance is notkeeping up
with what wasonce leading is now the newfloor Key takeaways
Alignment must be achievedamongst stakeholders andCAEs on internal
audits rolein the organization, whatinternal audit value means
andwhere internal audit should befocused Internal audit must break
thecycle of inaction and improveits performance on eight
coreattributes Exciting time for IA. There is opportunity for IA to
rise. Critical time, risk of relevance issues as a profession.There
are many other risk functions (other lines of defense) that we see
stepping up, so if IA stagnates or doesnt improve, they will
struggle with relevance as management becomes more dependent upon
those functions NASDAQ requiring IA Fed is talking about elevating
IA Other regulators stepping up asking for greater relevance Boards
and management is asking for more. With opportunity comes challenge
study indicates there is a challenge Capabilities need to improve
to keep up, and to maintain pace with companies as they change.
There is an issue of alignment, boards and management can be better
aligned Ultimately, it is a challenge to IA to elevate our profile
and skills, but we also identified things management and boards can
be doing to aid in this process Our research has revealed internal
audit functions performing at a high level provide a distinctively
different level of service April 2013 2013 PricewaterhouseCoopers
LLP. All rights reserved. 2013 PricewaterhouseCoopers LLP. All
rights reserved.
The new floor Introducing the new floor graphic introduced in last
years paper. Post Sarbanes IA was being asked to step out of core
financial and to do morethat IA be risk based and meet the
organization where it is.Because of this shift, the floor was
raised. Regardless of size or scope of functions, several years ago
we defined 8 attributes that IA needs to meet to deliver.Last year
we identified several other things that IA needs to do in addition
to those 8 attributes. Key messaging from this years study is that
this is still relevant and our research this year revealed that the
foundation may not be strong enough to raise to the new floor.
April 2013 2013 PricewaterhouseCoopers LLP. All rights reserved.
2013 PricewaterhouseCoopers LLP. All rights reserved.
Examining the issues April 2013 2013 PricewaterhouseCoopers LLP.
All rights reserved. 2013 PricewaterhouseCoopers LLP. All rights
reserved.
Examining the issues Our survey data revealed the circular nature
of the internal audit challenges The issues of
stakeholderalignment, a challengedcapability foundation and sub-
optimal internal auditcontribution are tightlyinterwoven Overall
themes This is a journey. There is a circular problem, each facet
of this feeds on the other. Alignment: This is fundamental, so IA
needs to drive to get the right alignment Contribution: without the
right capabilities and alignment, it is difficult to contribute
Capabilities: IA has greatest control over this, but getting the
right capabilities can be hampered if IA is not contributing and/or
they dont have proper alignment as they will struggle to add
resources. Detailed talking points In some respects I drew the
short straw here and get to talk about the data that points to
several gaps in the value & performance IA is delivering, but
we believe that by examining the stakeholders point of view offers
us an opportunity to take the actions needed to break the circular
challenges of stakeholder alignment, lagging IA capabilities and
limited contribution to the monitoring & management of risk. On
your screen now, you see that we have depicted these three
challenges (Alignment of stakeholders & IA, Capabilities and
Contribution) as a circular challenge because all three must be
working together to maximize internal audits value. We found that
stakeholders (BOD and Management) are not always aligned on their
view of IAs value to the organizations or their ability to deliver
across the 8 Core attributes.We know that when these two
stakeholder groups fail to share a common expectation of IA it
increases the challenge that IA functions to deliver value to the
organization.Lack of alignment among stakeholders and with IA is
one influencing factor of IAs abilities to attain and develop the
right talent and capabilities which will be able to deliver
value.Without the right capabilities, IA is challenged to
contribute to the organizations most critical risk areas and
perform well on the 8 core attributes.The circular nature of this
challenge is hard to break and candidly, can continue to feed off
of itself by default. Abhi is going to cover a little later, the
top 5% of IA functions who have broken out of the cyclical
challenge - demonstrating value to their stakeholders and are
providing a distinctly different level of service.But before we get
there, I am going to exam each of these issues. Internal audit must
break the cycle of inaction and increase its capabilities or risk
being marginalized in comparison to other risk functions April 2013
2013 PricewaterhouseCoopers LLP. All rights reserved. Examining the
issues Stakeholders are not aligned in their views on internal
audits value and performance Value At the most fundamentallevel,
stakeholders havesignificantly different viewsof internal audit
value Performance This years research confirms that strong
performance in the eight core attributes directly correlates to
greater value. Critical RisksStakeholders are not alignedon
critical risks facing theorganization which createschallenges for
internal auditin addressing those criticalrisks 79% of board
members see significant value, while only 44% of management do 56%
of the board ranks IA performance as strong, while 37% of
management do 60% of the board members believe risks are well
managed vs. 52% of management Overall themes: We expected
differences between stakeholders, however we did not expect this
big of a difference. Value this is a concerning gap.We expected a
gap, but not a 35% spread between the parties. Performance Overall,
both stakeholders dont view performance to be very strong.56% of
the board things performance is strong, while 37% of management
does.(CAE was in the middle for all but 2 of the attributes, but in
general were close) Managements low value perception and their
rating on performance correlate..BUT, the boards view of value when
compared to performance do not correlate nearly 80% see value, yet
56% think they are performing well.This gap of the boards views is
concerning, as it implies that they see value in performance which
is average at best. Risks Overall, the board was more concerned
about risks than management. Detailed talking points To kick of the
discussion though, lets start to the far right of this slide and
talk about alignment of stakeholders around those critical risks
that we explored last year as an aside, more information on risks
can be found both in the appendix to our paper as well as on our
website.Last year we found that the majority of organizations were
not comfortable with the overall risk management efforts within
their organizations AND that IA was not particularly well aligned
with the other risk functions. This year we continued to see risks
becoming more complex and while we saw a slight increase in how
well risks are perceived to be managed, in many instances the BOD
and management are not aligned on their views.With 60% of BODs and
52% of management believing risks are well managed. Combine with
40% of our CAE respondents telling us that they do NOT participate
in executive management meetings where business risks are discussed
there is bound to be confusion as to which risks are most critical
to the organization and thus which ones IA should focus on. In our
profession, we know that a common view of risks is the necessary
starting point for the journey of delivering value to your
organization so misalignment on this topic can result in a faulty
foundation from which to begin the journey of delivering greater
value. With this great potential for misalignment on critical
risks, it is no wonder that we also saw a vast disparity between
the BODs view on value and managements. 79% of BODs reported that
they are getting significant value from IA while only 44% of
management feel the same way.And while we had expected the BOD and
management view to be different because of the difference in the
roles each plays and the different nature of the interaction of IA
with the two groups - it was striking to see a 35 point margin
separating the two on the view of value. Because value is in the
eye of the beholder (or stakeholders in our survey), we sought to
understand stakeholder view point on performance in the 8 core
attributes that form the foundation of an effective IA function and
the new floor (as Jason discussed just a bit ago).56% of BODs only
37% of management stated that IAs performance was strong across
these attributes. ABHI - While not on your screen, it should also
be noted that CAEs didnt grade themselves much higher with only 48%
of CAEs believing that their organizations were delivering strongly
against these attributes as well. The big take away here is
revealed when you combine the value & performance results: When
you combine the BOD is receiving value from what appears to be an
average to below average performance perhaps indicating that they
may not be asking enough from their IA functions AND While
managements perception of value received & performance is more
closely aligned the extremely low scores serve as a wake up call to
the majority of IA functions that we are very likely not meeting
this group of stakeholders expectations for one reason or another.
The - So what - here clearly ties to Alison Levins quote that opens
our paper about every team member having a responsibility.Our
responsibility as IA practitioners is to take action and enable our
organizations to move in the right direction. Board members views
on value versus performance do not reconcile 79% see significant
value, yet only 56% view performance as strong a 23% difference
April 2013 Examining the issues Internal audit capabilities are not
keeping up
0% 20% 40% 60% 80% 100% Percent of stakeholders who say internal
audit is performing well or very well How well is internal audit
performing in each of the following areas? Promoting quality
improvement and innovation Leveraging technology (such as
automation, data and advanced analytics) Delivering cost-effective
services Delivering services with a service-oriented team Engaging
in and managing a relationship with stakeholders Aligning scope and
audit plan with stakeholder expectations Focusing on critical risks
and issues Obtaining, training and/or sourcing the right level of
talent for audit needs Overall Themes: Despite a lack of alignment
among stakeholders, their views on performance was not strong and
they did agree on 3 areas to rank IA the lowest The 3 areas which
received particularly low scores: Providing quality improvements
and innovation Use of technology (particularly data analytics)
Obtaining, training or sourcing the right level of talent These
three areas are 3 of the most fundamental attributes that IA needs
to deliver value. There is a growing trend in sourcing in the
technical areas where it is hard to get skills, we are also seeing
a similar level of assistance needed in emerging regulatory areas.
IA should focus here first and make sure these areas are solid. If
you think back to the circular challenge, this is one area where IA
has greater control over. At the end of the day, IA should be
auditing to the risk profile of the company, not to the
capabilities of the IA function. Technology discussion: - We are
seeing more data analytics use, but the results showed us there is
plenty of opportunity to make greater use. The data shows us that
over 80% see value in analytics and recognizes it is important to
the audit process and to add greater value.Yet only 31% are using
data analytics regularly and most everyone wants to and is planning
to extend their use, but 71% of those functions do not have a well
developed plan to do so. Detailed talking points Consistent with
prior years, we continue to see delivering the right capabilities
to be a challenge that faces most IA functions .On your screen now
you are seeing the response rate from all stakeholders that felt
their IA group was are performing at an average to above average
level.While our chart only shows the stakeholders point of view,
the CAEs point of view gathered did not differ significantly on any
of these capabilities indicating that CAEs are as aware of this
challenge as the BOD and Management.While many CAEs have indicated
that they have plans to address the challenge, they can not succeed
alone. While we gathered data on performance against all 8
attributes, lets focus in on 3 lowest scores as these represent the
greatest opportunity for improvement. Promoting quality improvement
& innovation- less than 40% of BODs & mgmt felt performance
was average to above average - with such a low grade on this
attribute it is no wonder why more than of management dont see
value in the function. Lets turn to leveraging technology where
again less than 40% see IA performing well.While there are a number
of components to technology from the AMS systems used to the
enhanced use of technology to be more efficient in the audit
planning - execution & reporting process; a key theme that came
to light from this years survey and interviews was the trend &
need to improve the use of data analytics in all aspects of the
audit effort.Co-presenter interject on Data Analytics In many
instances, the lack of resources (our next point) is the primary
challenge that IA functions are facing to make improvements in this
area. Obtaining, training &/or sourcing the right level of
talent for audit needs is the last attribute I want to highlight
that 44% of BOD & 28% of mgmt felt their IA functions were
performing well.That means - 72% of management does not believe
that IA is obtaining, training or sourcing the right talent.Our
survey and experience tell us that CAEs are aware of this challenge
and intend to source the talent needs through a variety of ways,
including sourcing talent through third party vendors such as PwC.
Areas of most significant need are: IT skills both general and
specific risk areas such as privacy & security as well as
compliance & regulatory risks to name a few. But the trend
toward sourcing subject matter expertise is not the only take away
here - there is a message to the stakeholders, that will require
IAs lead.With the majority of the audience are IA professionals,
you know that this challenge is not new So - the take away/ask of
you is to engage in a dialogue with your stakeholders on how to
obtain the right talent to serve the organization.The risk of
inaction in this area will result in IA functions that audit to
their capabilities instead of to the risk profile of your
organization. Further resulting in stakeholders not experiencing
the value that IA could be delivering. Transition to the last
challenge Contribution Our survey revealed promoting quality
improvement, leveraging technology and obtaining right talent as
three key focus areas April 2013 Better integration of technology
through data analytics
85% 81% 74% Analyticsare widelyviewed asimportant Data analytics
areimportant to improving thequantification of issues Data
analytics are importantto strengthening auditcoverage Data
analytics are importantto gaining a betterunderstanding of risks
71% 31% Yet fewhavestrongprograms And mostintend to,yet
lackawelldeveloped plan Duncan All respondents views this as
critical but only 31% are actually doing it and 71% dont even have
a plan yet. Data analytics are integratedinto the audit process and
usedregularly Plan to expand use of dataanalytics but do not have a
welldeveloped plan April 2013 2013 PricewaterhouseCoopers LLP. All
rights reserved.
Examining the issues Internal audit continues to struggle in
maximizing its contribution in areas outside of its traditional
focus Overall themes: A number of IA functions stepped out to focus
in emerging risk areas, but struggled to contribute. This chart
shows where stakeholders were least satisfied with IA.The highlight
here is that for 3 of the top 4 areas are actually areas where IA
significantly increased focused. Detailed talking points As we
conclude our journey of navigating the challenges IA faces to add
value we focus in on IAs contribution of helping the organizations
manage critical & emerging risks.Last year we identified a
number of critical risks facing organizations that were not in the
traditional financial control space - those risks included areas
such as Large programs and merger & acquisition and we
highlighted several leading practices in these areas.Based on this
years survey results, it appears that MANY IA functions increased
focus on these risks: 84% increase coverage of large programs, 50%
in the New Product Introduction area and 58% with M&A activity.
This trend is a clear demonstration that IA functions are desiring
and moving in the right direction however, the data also further
highlighted opportunity to improve our performance in these areas.
The chart on your screen now however, shows us that these areas
were also among the risk areas that Stakeholders had the greatest
level of dissatisfaction with IAs performance.Perhaps this was
because stakeholders were not aligned on what IA should be doing in
these areas or perhaps IA did not have the right capabilities to
move into these non-traditional audit areas.So ask yourself if you
are part of the majority of IA functions that moved into these risk
areas did you do so with the same resources & capabilities and
mindset that you have to focus on the more traditional risk areas?
Once again the data shows us that all three challenges (alignment,
capabilities and contribution) must be addressed to maximize IAs
value. Increased internal audit focus has not translated into
greater stakeholder satisfaction April 2013 2013
PricewaterhouseCoopers LLP. All rights reserved. 2013
PricewaterhouseCoopers LLP. All rights reserved.
The opportunity April 2013 2013 PricewaterhouseCoopers LLP. All
rights reserved. The opportunity - defining greater heights
Stronger foundational capabilities Integration with ERM and other
risk functions Coverage of emerging risk areas Higher level of
service Our survey identified a subset of organizations represented
by thetop 5% of the respondent base as high performing Overall
themes For IA to be relevant and add value, IA needs to take
actions.This year, we were able to profile high performing
functions (defined as those where stakeholders saw significant
value AND they viewed their risks as well managed).This resulted in
5% standing out. Four key characteristics that these functions had
which stood out Has stronger foundational capabilities (8
attributes) Achieve better integration with ERM and other risk
functions: see problems sooner, better aligned Have better coverage
of emerging risk areas Higher level of service: greater
participation in executive meetings, providing proactive advice,
trusted advisor, earning their seat at the table. Detailed talking
points As we conclude our journey of navigating the challenges IA
faces to add value we focus in on IAs contribution of helping the
organizations manage critical & emerging risks.Last year we
identified a number of critical risks facing organizations that
were not in the traditional financial control space - those risks
included areas such as Large programs and merger & acquisition
and we highlighted several leading practices in these areas.Based
on this years survey results, it appears that MANY IA functions
increased focus on these risks: 84% increase coverage of large
programs, 50% in the New Product Introduction area and 58% with
M&A activity. This trend is a clear demonstration that IA
functions are desiring and moving in the right direction however,
the data also further highlighted opportunity to improve our
performance in these areas. The chart on your screen now however,
shows us that these areas were also among the risk areas that
Stakeholders had the greatest level of dissatisfaction with IAs
performance.Perhaps this was because stakeholders were not aligned
on what IA should be doing in these areas or perhaps IA did not
have the right capabilities to move into these non-traditional
audit areas.So ask yourself if you are part of the majority of IA
functions that moved into these risk areas did you do so with the
same resources & capabilities and mindset that you have to
focus on the more traditional risk areas? Once again the data shows
us that all three challenges (alignment, capabilities and
contribution) must be addressed to maximize IAs value. The high
performing internal audit functions stood out from their peers in
their contribution and value to the organization April 2013 2013
PricewaterhouseCoopers LLP. All rights reserved. The opportunity
defining greater heights Profile of the top 5%
Percent of respondents who responded internal audit is performing
well Promoting quality improvement and innovation Leveraging
technology Delivering services with a service-oriented team
Engaging in and managing a relationship with stakeholders Aligning
scope and audit plan with stakeholder expectations Focusing on
critical risks and issues Obtaining, training and/or sourcing the
right level of talent for audit needs Delivering cost-effective
services 67% 61% 54% 91% 82% 84% 80% 86% 41% 34% 23% 57% 51% 47%
49% 58% Top 5% All others Overall themes This is the summary of the
8 attributes for the top 5% vs the others. Even the three areas
where IA struggled, this group far exceeded the others But you can
see that for those 3 areas, even the top performing functions
struggled. When we were able to step back and look at these
functions, they did things which are attainable to all IA
functions.These high performing functions go the fundamentals
right.They had a risk based approach.They adapted to the
organization.Once they met the foundation, they were then in a
position to be able to step up and deliver even greater value.
Detailed talking points The next slide here compares the survey
results for the top 5% vs the rest of the respondents with respect
their performance on the 8 core internal audit attributes. As you
can see from the slide, the performance of the top 5% internal
audit function far exceeds the performance of the rest of their
peers.In most cases, a differential of over 30 points. Even with
respect to the three attributes highlighted by Michelle a few
minutes ago as requiring most attention and focus, the performance
of the top 5% was significantly better than the performance of the
rest of the survey respondents. With strong performance on the 8
core attributes, these top 5% internal audit functions has built
credibility and bandwidth to keep pace with the greater risk
landscape and rising stakeholder expectations. The top internal
audit functions are demonstrating significantly stronger
foundational capabilities April 2013 The opportunity defining
greater heights Profile of the top 5%
0% 20% 40% 60% 80% 100% Percent of respondents who believe internal
audit is well aligned with risk Top 5% Others The Organization
works together across the various functional areas to create an
integrated view of risk IA creates an integrated view of risk
across the organization IA is well or extremely well coordinated
with other risk groups IA is involved in emerging risk areas IA is
well or extremely well coordinated with ERM Overall themes This
slide speaks to an important aspect of the top 5% - how well
aligned these high performing functions with other risk functions.
Alignment with ERM is one of the best areas for IA to have a point
of view which is aligned with management and then the board.
Detailed talking points This slide shows how well the top 5% of the
internal audit functions are performing in comparison to their
peers with respect to the enterprise risk coordination. As you can
see, the top 5% of the internal audit function are consistently
demonstrating behaviors and outperforming their peers with respect
to creating an integrated view of risk, coordinating with the ERM
and other risk groups.They are outperforming their peers with a
margin of approximately 25 points. The coordination with the ERM is
proving to be key catalyst for these high performing internal audit
function in achieving alignment with stakeholder expectations with
respect to top risks facing the organization. With respect to the
covering emerging risk issues, although the data suggests that more
work needs to be done to enhance the coverage of emerging risks,
the performance of the top 5% exceeds the performance of their
peers. The high performing internal audit functions have achieved
greater integration with ERM and other risk functions April 2013
The opportunity defining greater heights Profile of the top
5%
The top 5% internal audit functions are providing better coverage
of emerging risk areas and achieving stakeholder satisfaction
Commercial market shifts Economic uncertainty Disruptive
technologies Financial markets Data privacy Competition Energy and
commodity costs/prices Fraud and ethics Government spending and
taxation Large program risk Regulations and government policies New
product introductions Talent and labour Mergers, acquisitions and
JVs IT security/cyber security Reputation/brand 92% 90% 94% 71% 77%
64% 86% 55% 67% 56% 40% 53% 51% 65% 63% 52% 88% 74% 82% 89% 83% 37%
54% 43% 47% 66% 41% Top 5% All others Percent of respondents who
responded that each risk area is well managed Overall themes Again,
a clear indication of the top performing functions are contributing
to the organizations other risk profile. What is of interest is
that IA is contributing beyond traditional areas.They are focused
in risk areas beyond the traditional approachbut remember, it is
important to get the foundational attributes right before stepping
into emerging areas. Detailed talking points An effective internal
audit is a crucial element of coordinated three lines of defenses
and the coverage of critical and emerging risks by internal audit
has a direct correlation to how well these critical and emerging
risks are viewed as being managed within the organization. This
chart here compares the results of how the well these selected
critical and emerging risks are being viewed as managed at the top
5% vs the rest of the organization. Same theme continues, the
responses of the top 5% far outperforms the responses of their
peers, not only with respect to the traditional risk areas such as
fraud and ethics, financial markets, data privacy but also with
respect to the emerging risk areas such as new product
introductions, mergers and acquisitions, IT and cyber security,
talent and labor etc. All in all, we saw that the top 5% of the
internal audit functions are providing a significantly higher level
of service to the organization and they are doing so by going
beyond validating the known and providing proactive advice and
insight to management by effectively utilizing data analytics,
performing continuous monitoring and aligning resources to
according to the risk profile of the organization. April 2013 2013
PricewaterhouseCoopers LLP. All rights reserved.
The Opportunity defining greater heights Internal audit functions
fall across a spectrum of value delivery Overall theme Through our
interviews exploring how IA has achieved high performing, it was
clear there was a stepped progression for how IA elevates their
performance First and fundamental area is to be an assurance
provider.Get the basics right As a problem solver, IA is playing a
broader role with insights and root cause analysis to help
management solve problems Insight generator IA is now generating
new ideas for management to think about issues new ways and doing
so with specialized skills and deep understanding of their
business. Trusted advisor not only providing the three previous
areas, they are valued and sought out by management to weigh in on
risks.Not only providing insights on current issues, but providing
foresight on emerging issues.They engagement management in a more
proactive way and are engaged by management because they earned
(didnt ask for) a seat at the table. We saw in our data that those
who had moved up the chain, they earned their way up over time and
did so by building and maintaining a strong foundation.They
performed their core responsibilities well then moved up the chain
by earning their way up. IA also recognized they were part of a
broader risk management structure and aligned well with other
functions. We learned in our interviews that not everyone is
expected to be a trusted advisor.Some organizations value an
assurance provider.We also saw some functions who achieved trusted
advisor, but only in certain areas.So this framework can be applied
across a varying scope. But before ending up here, have a frank
dialog with stakeholders to ensure that this approach and where
people want IA is a purposeful decision, and not one by default or
lack of options. Detailed talking points So now that we have talked
about the characteristics of the top 5% internal audit functions,
the next obvious question is how do we get there. We explored that
question during our 140 one on one interviews with the CAEs and
stakeholders and based on their responses and through our own
experience at PwC, we have created the internal audit value
continuum showing four different value stages of the internal audit
functions to help map the chart for internal audit progression. Our
value continuum shows four different stages/or roles of internal
audit. Starting with the most fundamental role of internal audit as
the objective assurance provider, the problem solver build upon the
success of assurance provider by coordinating enterprise risk
functions, performing meaningful root cause analysis to help
management understand and solve specific issues. At the next stop
on value continuum, the insight generating internal audit
functions, take it a step further than the problem solver by
leveraging subject matter and industry expertise to provide deeper
perspectives.These internal audit functions across cut across the
functional and geographic boundaries and help management identify
trends and best practices and look at issues in an composite and
comprehensive manner. As a trusted advisor, the focus is not only
on providing insights to existing problems, but also on providing
foresight on future risks and issues.As a trusted advisor, the
internal audit function has the seat at the table and their
expertise is consistently requested and sought out by stakeholders
on issues and initiatives of organizational and strategic
importance. Our discussion with the stakeholders also clarified
that not all internal audit functions will be expected to trusted
advisor.Some internal audit functions may be expected to continue
play the role of the assurance provider and that is ok.We at PwC
firmly believe that there is value to be realized even from the
most traditional assurance activities.For example, An assurance
focused internal audit function can add tremendous value by
building and executing a risk based internal audit plan and
performing deeper root cause analysis to assist management in
developing remediation plans. However, it is extremely crucial for
the positioning and relevance of internal audit that both the CAEs
and the stakeholders engage in a frank discussion on what the role
of internal audit should be at their organization.Action is needed
on part of the audit committee, management and CAEs alike.Alignment
must be obtained on what the role of internal audit and the
expectations of internal audit should be clearly established.And IT
IS THE RESPONSIBILTIY OF THE CAE TO BEGIN THE DIALOGUE TO START
THAT DIALOGUE. If however, the internal audit function is expected
to play a broader role, it is important to recognize that this
transformation cannot be achieved overnight.A well thought out
strategy and plan is needed to move from its current positioning to
the desired positioning.And it all starts by excelling in your
current role and performing that extremely well.So get your
fundamental rights and be grounded in performance on 8 core
attributes before moving to the next stage of value continuum. In
the organizations where internal audit has earned the role of
trusted advisor, it has done so by first bringing the right people
and abilities to provide quality and value and as a result,
becoming more valued. In summary, I would like to stress that the
choice of what role your internal audit is expected to play should
be a conscious decision made by the Stakeholders and CAEs together
and not one made due to lack of options. IT REALLY IS A JOURNEY BUT
ONE THAT WE BELIEVE THAT EVERY INTERNAL AUDIT FUNCTION IN THE
PROCESS OF TRANSFORMATION MUST UNDERTAKE. And now, Jason will talk
to you about the key steps Audit Committee, Management and CAEs can
take to improve the relevance and value of the internal audit
functions. April 2013 2013 PricewaterhouseCoopers LLP. All rights
reserved. 2013 PricewaterhouseCoopers LLP. All rights
reserved.
The path forward April 2013 2013 PricewaterhouseCoopers LLP. All
rights reserved. Audit Committee: Ask More Management: Expect
More
The path forward Our survey identified need for urgent action on
part of stakeholders and CAEs alike Audit Committee: Ask More Ask
yourself if your expectations of internal audit are high enough Ask
if critical business risk coverage is aligned with your views on
risk Ask if internal audit has a strategic plan and resources to
deliver Ask if you are enabling internal audit to be what it should
be Management: Expect More Expect internal audit to perform at a
higher level and bring more value Expect internal audit to have a
stronger enterprise-wide risk assessment process Expect internal
audit to deliver value for the investment but recognize the need to
invest Expect a robust dialogue with internal audit and provide
candid feedback CAEs: Deliver More Deliver high quality on
foundational areas Deliver a strategic vision that aligns with
stakeholder expectations Deliver value for investment Deliver
proactively Overall theme Each stakeholder has a role to play.It is
not just IA, everyone plays a role in elevating internal audit.
Audit committee: Ask more Management: Expect more CAEs: Deliver
more Some functions may not read this paper or decide to take
action, so CAEs should go and seek this out and not wait for it to
happen.This is advisable to do before Audit committees and
management realize this on their own and come askingIA should get
prepared first. Detailed talking points See slide Final thought:
JFK quote There are risks and costs to a program of action, but
they are far less than the long-range risks and costs to
comfortable inaction. April 2013 2013 PricewaterhouseCoopers LLP.
All rights reserved. 2013 PricewaterhouseCoopers LLP. All rights
reserved.
Recap Our survey data revealed the circular nature of the internal
audit challenges The issues of stakeholderalignment, a
challengedcapability foundation and sub- optimal internal
auditcontribution are tightlyinterwoven Overall themes This is a
journey. There is a circular problem, each facet of this feeds on
the other. Alignment: This is fundamental, so IA needs to drive to
get the right alignment Contribution: without the right
capabilities and alignment, it is difficult to contribute
Capabilities: IA has greatest control over this, but getting the
right capabilities can be hampered if IA is not contributing and/or
they dont have proper alignment as they will struggle to add
resources. Detailed talking points In some respects I drew the
short straw here and get to talk about the data that points to
several gaps in the value & performance IA is delivering, but
we believe that by examining the stakeholders point of view offers
us an opportunity to take the actions needed to break the circular
challenges of stakeholder alignment, lagging IA capabilities and
limited contribution to the monitoring & management of risk. On
your screen now, you see that we have depicted these three
challenges (Alignment of stakeholders & IA, Capabilities and
Contribution) as a circular challenge because all three must be
working together to maximize internal audits value. We found that
stakeholders (BOD and Management) are not always aligned on their
view of IAs value to the organizations or their ability to deliver
across the 8 Core attributes.We know that when these two
stakeholder groups fail to share a common expectation of IA it
increases the challenge that IA functions to deliver value to the
organization.Lack of alignment among stakeholders and with IA is
one influencing factor of IAs abilities to attain and develop the
right talent and capabilities which will be able to deliver
value.Without the right capabilities, IA is challenged to
contribute to the organizations most critical risk areas and
perform well on the 8 core attributes.The circular nature of this
challenge is hard to break and candidly, can continue to feed off
of itself by default. Abhi is going to cover a little later, the
top 5% of IA functions who have broken out of the cyclical
challenge - demonstrating value to their stakeholders and are
providing a distinctly different level of service.But before we get
there, I am going to exam each of these issues. Internal audit must
break the cycle of inaction and increase its capabilities or risk
being marginalized in comparison to other risk functions April 2013
2013 PricewaterhouseCoopers LLP. All rights reserved. Data
analytics discussion
April 2013 2013 PricewaterhouseCoopers LLP. All rights reserved.
Better integration of technology through data analytics
85% 81% 74% Analyticsare widelyviewed asimportant Data analytics
areimportant to improving thequantification of issues Data
analytics are importantto strengthening auditcoverage Data
analytics are importantto gaining a betterunderstanding of risks
71% 31% Yet fewhavestrongprograms And mostintend to,yet
lackawelldeveloped plan Duncan All respondents views this as
critical but only 31% are actually doing it and 71% dont even have
a plan yet. Data analytics are integratedinto the audit process and
usedregularly Plan to expand use of dataanalytics but do not have a
welldeveloped plan April 2013 Drivers and value of analytics within
internal audit
The risks highlighted as a result of the financial crisis has
required organizations to develop adeeper understanding of the
businesses they manage.They cannot simply rely on existing
controlstructures.They must evaluate transactional activities for
patterns, trends and anomalousbehavior. Drivers Value What is
creating demand for analytics? Why is it so important for
organizations to get it right? Pressure on audit groups toaudit
closer to the business and a develop a deeper position on risk and
issues. Regulatory expectations to monitor business activities are
increasing. Data is growing exponentially, and the technologies to
analyze the data are maturing rapidly. Organizations are being
forced to do more with less. Competitive pressures are forcing
organizations to innovate. Deeper business understanding &
focus on risk Lower existing and future costs End-to-end testing
Increased population and control coverage Real-time evaluation of
controls and data integrity - facilitates what-if analysis Duncan
April 2013 Data Analytics Maturity Model
Fully Optimized Auditing There is a broad spectrum of technology
use in current data analytics programs Fully Optimized Technology
enables full integration into internal audit workflow Business
focused Routinely Leverage Core technical competenciesresident
within the department Results used for updating risk assessment
throughout the audit process Initial Stage Creation of data experts
to develop routine data analysis techniques No process for
incorporating into IA methodology IA focused Julio Ad-Hoc Analytics
Enhancing the use of technology can assist with improving the
efficiency of the Internal Audit department. Ad Hoc Analytics
Occasional, ad-hocdata analysis on certain audits April 2013
Building an effective program
Auditing Life Cycle Risk Assessment Analytics to compare like
metrics between audit entities to drive risk identification 1
Control and Outcomes Testing Analytics to test the operating and
evaluate risk outcomes and quantify findings 4 Issues Management
& Monitoring Analytics to re-test and monitor identified
issuesand trends 6 Enterprise view Analytics enables regular,
periodic reporting and accelerates on-going riskidentification and
assessment. Business view Analytics increases assurance through
improved population coverage and moreintelligent, risk-based sample
selection. 2 3 Audit Plan Analysis of audit plan and coverage
against risks and geographys and issues Audit Planning and Scoping
Risk analysis to confirm understandingand identify issues within
business operation Duncan/back to Jason for the panel Reporting
Analytics to present risk insights andarticulate audit findings 5
April 2013 Implementing a Strategy Where to Start?
Start small in Year 1, working your way towards a larger
dataanalytics or Continuous Auditing strategy by Year 3 Along the
path, evaluate: Resources Tools Training Move from manual use of
data analytics tools towards automatedscripting that can be used
across business units and time periods,creating efficiency and
repeatability Notes for Val: You have to start somewhere!It is ok
to start small and build your way to a larger, more strategic
program.Once you perform data analytics on even the smallest of IAS
engagements, you will see the immediate benefits, and be able to
garner more support and momentum to move forward. April 2013 Sample
Data Analytics Strategy
Year 1 Select an audit, and execute data analytics on one business
process where you will seeimmediate results, such as the
Purchase-to-Pay cycle Communicate benefits to stakeholders to gain
support and momentum Year 2 Expand data analytic know-how to
several other business processes Use data analytics to perform
scoping activities on individual audits Based on results of data
analysis, select high risk areas to focus on during audit Use data
analytics to support findings and quantify issues in the internal
audit report Year 3 Notes for Val: YEAR 1 Select a high-impact
business cycle that will gain stakeholders attention, such as the
Purchase-to-Pay cycle, where you will identify areas for
efficiencies/improvements (such as consolidating vendors to
negotiate volume discounts) and possible fraudulent activities
(such as payments to vendors having addresses that match employee
addresses). Benefits realized: - Increases audit efficiency -
Increases depth of understanding - useful for both scoping of an
engagement, as well as testing - Increases testing coverage (can
test 100% of the population) - Identifies key trends in data -
Provides statistical facts to support findings - Quantifies the
impact of audit issues - Detects areas of potential fraud - Enables
Continuous Controls Monitoring Improves technology &
information systems awareness YEAR 2 Now that you have seen some
benefits and gained some experience using data analytics in Year 1,
start to expand the usage of data analytics in Year 2.To do so, you
may need to add resources or provide additional training on the
tools used.Add new business processes, such as Order-to-Cash,
Inventory, and Payroll.Instead of just executing data analytics
during an engagement, start to use data analytics to plan and scope
an engagement.Prior to an internal audit, you could obtain data
files for several business processes and execute analytics, and
then based upon the results you could then select which areas to
focus on during fieldwork. You then can perform analytics during
the actual audit itself, and use the results to support and
quantify the audit issues in the audit report. YEAR 3 Val to tell
her example story here about implementing Continuous Auditing
program related to Journal Entries.Results were regularly used by
the Controllers. Implement the usage of repeatable data analytics
across business units and timeperiods to gain efficiencies Utilize
data analytics in the Risk Assessment process going forward Develop
a Continuous Auditing strategy going forward April 2013 29 Internal
Audit Process Framework As Is
ANNUAL Risk Assessment Audit Plan Fieldwork Technology is being
applied here (in audit management and data analysis), to speed
upaudit process Reporting Wrap-Up Process to utilize results for
next years Risk Assessment Utilize information from previous audits
for current audits (ad-hoc data analysis not leveraged project to
project). However, informal sharing ofinformation within group.
April 2013 Internal Audit Process Framework Future
A technology enabled approach to the internal auditframework allows
for more timely identification of andresponse to risks. TECHNOLOGY
ENABLED APPROACH ONGOING Risk Assessment Monitor key risks Changes
in KRIs indicating change in risk profile Audit Plan Monitor
results to change frequency/ scope of planned audits PERIODIC
Fieldwork Strategic Audit Reporting Report changes in trends to
management Continuous Audit Program Execute Automated Script
Exception Reporting Review Reports April 2013 31 Thank you for your
participation
The 2013 State of the Internal Audit Profession Study may
befoundat: us questions at: This document is for general
information purposes only and should not be used as a substitutefor
consultation with professional advisors. 2013
PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the
United Statesmember firm, and may sometimes refer to the PwC
network. Each member firm is a separatelegal entity. Please seefor
further details.