Reaching Greater Heights: Are You Prepared for the Journey?

With you today: Chris Lydon, Internal Audit Director, 314 276 2000; Valerie Caporuscio, Data Assurance Manager, (330) 686-2698. April 2013

Reaching Greater Heights: Are You Prepared for the Journey?
2013 State of the Internal Audit Profession Study
April 18, 2013

Welcome to our 2013 State of the Internal Audit Profession survey presentation; we are glad you are able to join us today. This is our ninth annual survey, and we are proud to be able to share the insights we captured from over 1,700 surveys and through nearly 150 interviews of board members, senior executives and CAEs from over 64 countries representing 16 industries. By show of hands, how many of you participated in the survey? We appreciate you doing so; thank you.

2013 PricewaterhouseCoopers LLP. All rights reserved.

With you today
Chris Lydon, Internal Audit Director
Valerie Caporuscio, Data Assurance Manager (330)

Agenda
- Introductions
- PwC's 2013 State of the Internal Audit Profession study
- Heart of the matter
- Examining the issues
- The opportunity: defining greater heights
- The path forward
- Data analytics discussion
- Questions and answers

Today we'll share with you an overview of the 2013 Study: scope, key observations we made and, most importantly, key takeaways for you and some strategies for you to consider as you determine how the Study results impact you and your organization. After some brief highlights, our panel will discuss some of the main themes in greater detail and provide some insights into what they are seeing and how we can bring the recommendations and findings of the study to life. We'd like this to be an interactive discussion, so in between panel questions, time permitting, we will be able to take some audience questions as well.

At a glance: 9th Annual State of the Internal Audit Profession Study
- Second year where we explored the impact of Internal Audit from the lens of a stakeholder
- Over 1700 respondents, Audit Committee Chairs, Board, CEOs, and CFOs, participated, including 630 executive stakeholders
- Over 140 personal executive interviews conducted
- Focus areas included:
  - Stakeholders' expectations of IA
  - Performance and value of IA's contribution
  - IA's contributions in emerging risk areas
  - Characteristics of IA functions

Set the stage for the presentation / audience
- 9th year of study.
- First 7 years was through the lens of IA
- Last year included other stakeholders and focused on their view
- This year we included stakeholders, but broke out board members and management
- We had over 1700 respondents, 630 stakeholders
- Over 140 interviews

Walk through the study
- Talk through key findings from study
- Dig into a handful of the issues
- Talk about the opportunity, how some functions are getting it right
- Talk about the path forward, how IA can raise their game
Heart of the matter
Heart of the matter: Stakeholders want more and internal audit can deliver

Internal audit continues to face challenges
- Stakeholders are not aligned in their views on internal audit's value and performance
- Internal audit's capabilities are not keeping up: what were once leading practices are now the new floor
- Internal audit continues to struggle in maximizing its contribution, especially in less traditional areas
- Internal audit's performance is not keeping up; what was once leading is now the new floor

Key takeaways
- Alignment must be achieved amongst stakeholders and CAEs on internal audit's role in the organization, what internal audit value means and where internal audit should be focused
- Internal audit must break the cycle of inaction and improve its performance on eight core attributes

Exciting time for IA. There is opportunity for IA to rise. Critical time, risk of relevance issues as a profession. There are many other risk functions (other lines of defense) that we see stepping up, so if IA stagnates or doesn't improve, they will struggle with relevance as management becomes more dependent upon those functions.
- NASDAQ requiring IA
- Fed is talking about elevating IA
- Other regulators stepping up asking for greater relevance
- Boards and management are asking for more

With opportunity comes challenge; the study indicates there is a challenge. Capabilities need to improve to keep up, and to maintain pace with companies as they change. There is an issue of alignment; boards and management can be better aligned. Ultimately, it is a challenge to IA to elevate our profile and skills, but we also identified things management and boards can be doing to aid in this process.

Our research has revealed internal audit functions performing at a high level provide a distinctively different level of service
The new floor

Introducing the new floor: graphic introduced in last year's paper. Post Sarbanes, IA was being asked to step out of core financial and to do more: that IA be risk based and meet the organization where it is. Because of this shift, the floor was raised. Regardless of size or scope of functions, several years ago we defined 8 attributes that IA needs to meet to deliver. Last year we identified several other things that IA needs to do in addition to those 8 attributes. Key messaging from this year's study is that this is still relevant, and our research this year revealed that the foundation may not be strong enough to raise to the new floor.
Examining the issues
Examining the issues: Our survey data revealed the circular nature of the internal audit challenges

The issues of stakeholder alignment, a challenged capability foundation and sub-optimal internal audit contribution are tightly interwoven.

Overall themes
This is a journey. There is a circular problem; each facet of this feeds on the other.
- Alignment: This is fundamental, so IA needs to drive to get the right alignment
- Contribution: Without the right capabilities and alignment, it is difficult to contribute
- Capabilities: IA has greatest control over this, but getting the right capabilities can be hampered if IA is not contributing and/or they don't have proper alignment, as they will struggle to add resources.

Detailed talking points
In some respects I drew the short straw here and get to talk about the data that points to several gaps in the value & performance IA is delivering, but we believe that examining the stakeholders' point of view offers us an opportunity to take the actions needed to break the circular challenges of stakeholder alignment, lagging IA capabilities and limited contribution to the monitoring & management of risk. On your screen now, you see that we have depicted these three challenges (Alignment of stakeholders & IA, Capabilities and Contribution) as a circular challenge because all three must be working together to maximize internal audit's value.
We found that stakeholders (BOD and Management) are not always aligned on their view of IA's value to the organizations or their ability to deliver across the 8 core attributes. We know that when these two stakeholder groups fail to share a common expectation of IA, it increases the challenge for IA functions to deliver value to the organization. Lack of alignment among stakeholders and with IA is one influencing factor of IA's abilities to attain and develop the right talent and capabilities which will be able to deliver value. Without the right capabilities, IA is challenged to contribute to the organization's most critical risk areas and perform well on the 8 core attributes. The circular nature of this challenge is hard to break and, candidly, can continue to feed off of itself by default. Abhi is going to cover a little later the top 5% of IA functions who have broken out of the cyclical challenge, demonstrating value to their stakeholders and providing a distinctly different level of service. But before we get there, I am going to examine each of these issues.

Internal audit must break the cycle of inaction and increase its capabilities or risk being marginalized in comparison to other risk functions

Examining the issues: Stakeholders are not aligned in their views on internal audit's value and performance
- Value: At the most fundamental level, stakeholders have significantly different views of internal audit value. 79% of board members see significant value, while only 44% of management do.
- Performance: This year's research confirms that strong performance in the eight core attributes directly correlates to greater value. 56% of the board ranks IA performance as strong, while 37% of management do.
- Critical risks: Stakeholders are not aligned on critical risks facing the organization, which creates challenges for internal audit in addressing those critical risks. 60% of the board members believe risks are well managed vs. 52% of management.

Overall themes:
We expected differences between stakeholders; however, we did not expect this big of a difference.
- Value: This is a concerning gap. We expected a gap, but not a 35% spread between the parties.
- Performance: Overall, both stakeholders don't view performance to be very strong. 56% of the board thinks performance is strong, while 37% of management does. (CAE was in the middle for all but 2 of the attributes, but in general were close.) Management's low value perception and their rating on performance correlate. BUT the board's view of value when compared to performance does not correlate: nearly 80% see value, yet 56% think they are performing well. This gap in the board's views is concerning, as it implies that they see value in performance which is average at best.
- Risks: Overall, the board was more concerned about risks than management.

Detailed talking points
To kick off the discussion, though, let's start at the far right of this slide and talk about alignment of stakeholders around those critical risks that we explored last year. As an aside, more information on risks can be found both in the appendix to our paper as well as on our website. Last year we found that the majority of organizations were not comfortable with the overall risk management efforts within their organizations AND that IA was not particularly well aligned with the other risk functions. This year we continued to see risks becoming more complex, and while we saw a slight increase in how well risks are perceived to be managed, in many instances the BOD and management are not aligned on their views, with 60% of BODs and 52% of management believing risks are well managed. Combine that with 40% of our CAE respondents telling us that they do NOT participate in executive management meetings where business risks are discussed, and there is bound to be confusion as to which risks are most critical to the organization and thus which ones IA should focus on.
In our profession, we know that a common view of risks is the necessary starting point for the journey of delivering value to your organization, so misalignment on this topic can result in a faulty foundation from which to begin the journey of delivering greater value. With this great potential for misalignment on critical risks, it is no wonder that we also saw a vast disparity between the BOD's view on value and management's. 79% of BODs reported that they are getting significant value from IA, while only 44% of management feel the same way. And while we had expected the BOD and management view to be different because of the difference in the roles each plays and the different nature of the interaction of IA with the two groups, it was striking to see a 35 point margin separating the two on the view of value.

Because value is in the eye of the beholder (or stakeholders in our survey), we sought to understand the stakeholder viewpoint on performance in the 8 core attributes that form the foundation of an effective IA function and the new floor (as Jason discussed just a bit ago). 56% of BODs and only 37% of management stated that IA's performance was strong across these attributes.

ABHI - While not on your screen, it should also be noted that CAEs didn't grade themselves much higher, with only 48% of CAEs believing that their organizations were delivering strongly against these attributes as well.

The big takeaway here is revealed when you combine the value & performance results: the BOD is receiving value from what appears to be an average to below average performance, perhaps indicating that they may not be asking enough from their IA functions, AND while management's perception of value received & performance is more closely aligned, the extremely low scores serve as a wake-up call to the majority of IA functions that we are very likely not meeting this group of stakeholders' expectations for one reason or another.
The "So what" here clearly ties to Alison Levins quote that opens our paper about every team member having a responsibility. Our responsibility as IA practitioners is to take action and enable our organizations to move in the right direction.

Board members' views on value versus performance do not reconcile: 79% see significant value, yet only 56% view performance as strong, a 23% difference

Examining the issues: Internal audit capabilities are not keeping up
[Chart: How well is internal audit performing in each of the following areas? Percent of stakeholders who say internal audit is performing well or very well. Areas shown: Promoting quality improvement and innovation; Leveraging technology (such as automation, data and advanced analytics); Delivering cost-effective services; Delivering services with a service-oriented team; Engaging in and managing a relationship with stakeholders; Aligning scope and audit plan with stakeholder expectations; Focusing on critical risks and issues; Obtaining, training and/or sourcing the right level of talent for audit needs]

Overall themes:
Despite a lack of alignment among stakeholders, their views on performance were not strong, and they did agree on 3 areas to rank IA the lowest. The 3 areas which received particularly low scores:
- Providing quality improvements and innovation
- Use of technology (particularly data analytics)
- Obtaining, training or sourcing the right level of talent

These three areas are 3 of the most fundamental attributes that IA needs to deliver value. There is a growing trend in sourcing in the technical areas where it is hard to get skills; we are also seeing a similar level of assistance needed in emerging regulatory areas. IA should focus here first and make sure these areas are solid. If you think back to the circular challenge, this is one area that IA has greater control over. At the end of the day, IA should be auditing to the risk profile of the company, not to the capabilities of the IA function.

Technology discussion:
We are seeing more data analytics use, but the results showed us there is plenty of opportunity to make greater use. The data shows us that over 80% see value in analytics and recognize it is important to the audit process and to adding greater value. Yet only 31% are using data analytics regularly, and most everyone wants to and is planning to extend their use, but 71% of those functions do not have a well developed plan to do so.
Detailed talking points
Consistent with prior years, we continue to see delivering the right capabilities to be a challenge that faces most IA functions. On your screen now you are seeing the response rate from all stakeholders that felt their IA group was performing at an average to above average level. While our chart only shows the stakeholders' point of view, the CAEs' point of view gathered did not differ significantly on any of these capabilities, indicating that CAEs are as aware of this challenge as the BOD and Management. While many CAEs have indicated that they have plans to address the challenge, they cannot succeed alone.

While we gathered data on performance against all 8 attributes, let's focus in on the 3 lowest scores, as these represent the greatest opportunity for improvement.

Promoting quality improvement & innovation: less than 40% of BODs & mgmt felt performance was average to above average. With such a low grade on this attribute, it is no wonder why more than of management don't see value in the function.

Let's turn to leveraging technology, where again less than 40% see IA performing well. While there are a number of components to technology, from the AMS systems used to the enhanced use of technology to be more efficient in the audit planning, execution & reporting process, a key theme that came to light from this year's survey and interviews was the trend & need to improve the use of data analytics in all aspects of the audit effort. (Co-presenter interject on Data Analytics.) In many instances, the lack of resources (our next point) is the primary challenge that IA functions are facing to make improvements in this area.
Obtaining, training &/or sourcing the right level of talent for audit needs is the last attribute I want to highlight: 44% of BOD & 28% of mgmt felt their IA functions were performing well. That means 72% of management does not believe that IA is obtaining, training or sourcing the right talent. Our survey and experience tell us that CAEs are aware of this challenge and intend to source the talent needs through a variety of ways, including sourcing talent through third party vendors such as PwC. Areas of most significant need are: IT skills, both general and specific risk areas such as privacy & security, as well as compliance & regulatory risks, to name a few.

But the trend toward sourcing subject matter expertise is not the only takeaway here; there is a message to the stakeholders that will require IA's lead. With the majority of the audience being IA professionals, you know that this challenge is not new. So the takeaway/ask of you is to engage in a dialogue with your stakeholders on how to obtain the right talent to serve the organization. The risk of inaction in this area will result in IA functions that audit to their capabilities instead of to the risk profile of your organization, further resulting in stakeholders not experiencing the value that IA could be delivering.

Transition to the last challenge: Contribution

Our survey revealed promoting quality improvement, leveraging technology and obtaining right talent as three key focus areas

Better integration of technology through data analytics
[Chart: Better integration of technology through data analytics]
- Analytics are widely viewed as important (slide values: 85%, 81%, 74%): data analytics are important to improving the quantification of issues; data analytics are important to strengthening audit coverage; data analytics are important to gaining a better understanding of risks
- Yet few have strong programs: 31% say data analytics are integrated into the audit process and used regularly
- And most intend to, yet lack a well developed plan: 71% plan to expand use of data analytics but do not have a well developed plan

Duncan: All respondents view this as critical, but only 31% are actually doing it and 71% don't even have a plan yet.
Examining the issues: Internal audit continues to struggle in maximizing its contribution in areas outside of its traditional focus

Overall themes:
A number of IA functions stepped out to focus in emerging risk areas, but struggled to contribute. This chart shows where stakeholders were least satisfied with IA. The highlight here is that 3 of the top 4 areas are actually areas where IA significantly increased focus.

Detailed talking points
As we conclude our journey of navigating the challenges IA faces to add value, we focus in on IA's contribution of helping the organizations manage critical & emerging risks. Last year we identified a number of critical risks facing organizations that were not in the traditional financial control space; those risks included areas such as large programs and mergers & acquisitions, and we highlighted several leading practices in these areas. Based on this year's survey results, it appears that MANY IA functions increased focus on these risks: 84% increased coverage of large programs, 50% in the New Product Introduction area and 58% with M&A activity. This trend is a clear demonstration that IA functions are desiring and moving in the right direction; however, the data also further highlighted opportunity to improve our performance in these areas.

The chart on your screen now, however, shows us that these areas were also among the risk areas that stakeholders had the greatest level of dissatisfaction with IA's performance. Perhaps this was because stakeholders were not aligned on what IA should be doing in these areas, or perhaps IA did not have the right capabilities to move into these non-traditional audit areas. So ask yourself, if you are part of the majority of IA functions that moved into these risk areas: did you do so with the same resources & capabilities and mindset that you have to focus on the more traditional risk areas?
Once again the data shows us that all three challenges (alignment, capabilities and contribution) must be addressed to maximize IA's value.

Increased internal audit focus has not translated into greater stakeholder satisfaction
The opportunity

The opportunity - defining greater heights
- Stronger foundational capabilities
- Integration with ERM and other risk functions
- Coverage of emerging risk areas
- Higher level of service

Our survey identified a subset of organizations, represented by the top 5% of the respondent base, as high performing.

Overall themes
For IA to be relevant and add value, IA needs to take actions. This year, we were able to profile high performing functions (defined as those where stakeholders saw significant value AND they viewed their risks as well managed). This resulted in 5% standing out. Four key characteristics that these functions had which stood out:
- Have stronger foundational capabilities (8 attributes)
- Achieve better integration with ERM and other risk functions: see problems sooner, better aligned
- Have better coverage of emerging risk areas
- Higher level of service: greater participation in executive meetings, providing proactive advice, trusted advisor, earning their seat at the table.

The high performing internal audit functions stood out from their peers in their contribution and value to the organization

The opportunity - defining greater heights: Profile of the top 5%
[Chart: Percent of respondents who responded internal audit is performing well. Attributes shown: Promoting quality improvement and innovation; Leveraging technology; Delivering services with a service-oriented team; Engaging in and managing a relationship with stakeholders; Aligning scope and audit plan with stakeholder expectations; Focusing on critical risks and issues; Obtaining, training and/or sourcing the right level of talent for audit needs; Delivering cost-effective services. Chart values as extracted: 67% 61% 54% 91% 82% 84% 80% 86% 41% 34% 23% 57% 51% 47% 49% 58%. Legend: Top 5%, All others.]

Overall themes
This is the summary of the 8 attributes for the top 5% vs the others. Even in the three areas where IA struggled, this group far exceeded the others. But you can see that for those 3 areas, even the top performing functions struggled. When we were able to step back and look at these functions, they did things which are attainable to all IA functions. These high performing functions got the fundamentals right. They had a risk based approach. They adapted to the organization. Once they met the foundation, they were then in a position to be able to step up and deliver even greater value.

Detailed talking points
The next slide here compares the survey results for the top 5% vs the rest of the respondents with respect to their performance on the 8 core internal audit attributes. As you can see from the slide, the performance of the top 5% internal audit functions far exceeds the performance of the rest of their peers; in most cases, a differential of over 30 points. Even with respect to the three attributes highlighted by Michelle a few minutes ago as requiring most attention and focus, the performance of the top 5% was significantly better than the performance of the rest of the survey respondents. With strong performance on the 8 core attributes, these top 5% internal audit functions have built credibility and bandwidth to keep pace with the greater risk landscape and rising stakeholder expectations.
The top internal audit functions are demonstrating significantly stronger foundational capabilities

The opportunity - defining greater heights: Profile of the top 5%
[Chart: Percent of respondents who believe internal audit is well aligned with risk, Top 5% vs. Others. Statements shown: The organization works together across the various functional areas to create an integrated view of risk; IA creates an integrated view of risk across the organization; IA is well or extremely well coordinated with other risk groups; IA is involved in emerging risk areas; IA is well or extremely well coordinated with ERM]

Overall themes
This slide speaks to an important aspect of the top 5%: how well aligned these high performing functions are with other risk functions. Alignment with ERM is one of the best areas for IA to have a point of view which is aligned with management and then the board.

Detailed talking points
This slide shows how well the top 5% of the internal audit functions are performing in comparison to their peers with respect to enterprise risk coordination. As you can see, the top 5% of the internal audit functions are consistently demonstrating behaviors and outperforming their peers with respect to creating an integrated view of risk and coordinating with the ERM and other risk groups. They are outperforming their peers with a margin of approximately 25 points. The coordination with the ERM is proving to be a key catalyst for these high performing internal audit functions in achieving alignment with stakeholder expectations with respect to top risks facing the organization. With respect to covering emerging risk issues, although the data suggests that more work needs to be done to enhance the coverage of emerging risks, the performance of the top 5% exceeds the performance of their peers.

The high performing internal audit functions have achieved greater integration with ERM and other risk functions

The opportunity - defining greater heights: Profile of the top 5%
The top 5% internal audit functions are providing better coverage of emerging risk areas and achieving stakeholder satisfaction

[Chart: Percent of respondents who responded that each risk area is well managed. Risk areas shown: Commercial market shifts; Economic uncertainty; Disruptive technologies; Financial markets; Data privacy; Competition; Energy and commodity costs/prices; Fraud and ethics; Government spending and taxation; Large program risk; Regulations and government policies; New product introductions; Talent and labour; Mergers, acquisitions and JVs; IT security/cyber security; Reputation/brand. Chart values as extracted: 92% 90% 94% 71% 77% 64% 86% 55% 67% 56% 40% 53% 51% 65% 63% 52% 88% 74% 82% 89% 83% 37% 54% 43% 47% 66% 41%. Legend: Top 5%, All others.]

Overall themes
Again, a clear indication that the top performing functions are contributing to the organization's other risk profile. What is of interest is that IA is contributing beyond traditional areas. They are focused in risk areas beyond the traditional approach, but remember, it is important to get the foundational attributes right before stepping into emerging areas.

Detailed talking points
An effective internal audit is a crucial element of coordinated three lines of defense, and the coverage of critical and emerging risks by internal audit has a direct correlation to how well these critical and emerging risks are viewed as being managed within the organization. This chart here compares the results of how well these selected critical and emerging risks are being viewed as managed at the top 5% vs the rest of the organizations. The same theme continues: the responses of the top 5% far outperform the responses of their peers, not only with respect to the traditional risk areas such as fraud and ethics, financial markets and data privacy, but also with respect to the emerging risk areas such as new product introductions, mergers and acquisitions, IT and cyber security, talent and labor, etc.
All in all, we saw that the top 5% of the internal audit functions are providing a significantly higher level of service to the organization, and they are doing so by going beyond validating the known and providing proactive advice and insight to management by effectively utilizing data analytics, performing continuous monitoring and aligning resources according to the risk profile of the organization.
The opportunity - defining greater heights: Internal audit functions fall across a spectrum of value delivery

Overall theme
Through our interviews exploring how IA has achieved high performance, it was clear there was a stepped progression for how IA elevates their performance.
- Assurance provider: The first and fundamental area is to be an assurance provider. Get the basics right.
- Problem solver: As a problem solver, IA is playing a broader role with insights and root cause analysis to help management solve problems.
- Insight generator: IA is now generating new ideas for management to think about issues in new ways, and doing so with specialized skills and deep understanding of their business.
- Trusted advisor: Not only providing the three previous areas, they are valued and sought out by management to weigh in on risks. Not only providing insights on current issues, but providing foresight on emerging issues. They engage management in a more proactive way and are engaged by management because they earned (didn't ask for) a seat at the table.

We saw in our data that those who had moved up the chain earned their way up over time and did so by building and maintaining a strong foundation. They performed their core responsibilities well, then moved up the chain by earning their way up. IA also recognized they were part of a broader risk management structure and aligned well with other functions.

We learned in our interviews that not everyone is expected to be a trusted advisor. Some organizations value an assurance provider. We also saw some functions who achieved trusted advisor, but only in certain areas. So this framework can be applied across a varying scope. But before ending up here, have a frank dialog with stakeholders to ensure that this approach and where people want IA is a purposeful decision, and not one by default or lack of options.

Detailed talking points
So now that we have talked about the characteristics of the top 5% internal audit functions, the next obvious question is how do we get there.
We explored that question during our 140 one-on-one interviews with the CAEs and stakeholders and based on their responses and through our own experience at PwC, we have created the internal audit value continuum showing four different value stages of the internal audit functions to help map the chart for internal audit progression. Our value continuum shows four different stages or roles of internal audit. Starting with the most fundamental role of internal audit as the objective assurance provider, the problem solver builds upon the success of the assurance provider by coordinating enterprise risk functions and performing meaningful root cause analysis to help management understand and solve specific issues. At the next stop on the value continuum, the insight generating internal audit functions take it a step further than the problem solver by leveraging subject matter and industry expertise to provide deeper perspectives. These internal audit functions cut across the functional and geographic boundaries and help management identify trends and best practices and look at issues in a composite and comprehensive manner. As a trusted advisor, the focus is not only on providing insights to existing problems, but also on providing foresight on future risks and issues. As a trusted advisor, the internal audit function has the seat at the table and their expertise is consistently requested and sought out by stakeholders on issues and initiatives of organizational and strategic importance.
Our discussion with the stakeholders also clarified that not all internal audit functions will be expected to be a trusted advisor. Some internal audit functions may be expected to continue to play the role of the assurance provider and that is ok. We at PwC firmly believe that there is value to be realized even from the most traditional assurance activities. For example, an assurance focused internal audit function can add tremendous value by building and executing a risk based internal audit plan and performing deeper root cause analysis to assist management in developing remediation plans.

However, it is extremely crucial for the positioning and relevance of internal audit that both the CAEs and the stakeholders engage in a frank discussion on what the role of internal audit should be at their organization. Action is needed on part of the audit committee, management and CAEs alike. Alignment must be obtained on the role of internal audit, and the expectations of internal audit should be clearly established. AND IT IS THE RESPONSIBILITY OF THE CAE TO START THAT DIALOGUE.

If however, the internal audit function is expected to play a broader role, it is important to recognize that this transformation cannot be achieved overnight. A well thought out strategy and plan is needed to move from its current positioning to the desired positioning. And it all starts by excelling in your current role and performing that extremely well. So get your fundamentals right and be grounded in performance on 8 core attributes before moving to the next stage of the value continuum. In the organizations where internal audit has earned the role of trusted advisor, it has done so by first bringing the right people and abilities to provide quality and value and as a result, becoming more valued.
In summary, I would like to stress that the choice of what role your internal audit is expected to play should be a conscious decision made by the Stakeholders and CAEs together and not one made due to lack of options. IT REALLY IS A JOURNEY BUT ONE THAT WE BELIEVE THAT EVERY INTERNAL AUDIT FUNCTION IN THE PROCESS OF TRANSFORMATION MUST UNDERTAKE. And now, Jason will talk to you about the key steps Audit Committee, Management and CAEs can take to improve the relevance and value of the internal audit functions.
The path forward

Our survey identified need for urgent action on part of stakeholders and CAEs alike

Audit Committee: Ask More
- Ask yourself if your expectations of internal audit are high enough
- Ask if critical business risk coverage is aligned with your views on risk
- Ask if internal audit has a strategic plan and resources to deliver
- Ask if you are enabling internal audit to be what it should be

Management: Expect More
- Expect internal audit to perform at a higher level and bring more value
- Expect internal audit to have a stronger enterprise-wide risk assessment process
- Expect internal audit to deliver value for the investment but recognize the need to invest
- Expect a robust dialogue with internal audit and provide candid feedback

CAEs: Deliver More
- Deliver high quality on foundational areas
- Deliver a strategic vision that aligns with stakeholder expectations
- Deliver value for investment
- Deliver proactively

Overall theme

Each stakeholder has a role to play. It is not just IA, everyone plays a role in elevating internal audit.
- Audit committee: Ask more
- Management: Expect more
- CAEs: Deliver more

Some functions may not read this paper or decide to take action, so CAEs should go and seek this out and not wait for it to happen. This is advisable to do before Audit committees and management realize this on their own and come asking. IA should get prepared first.

Detailed talking points

See slide

Final thought: JFK quote: "There are risks and costs to a program of action, but they are far less than the long-range risks and costs to comfortable inaction."
Recap

Our survey data revealed the circular nature of the internal audit challenges

The issues of stakeholder alignment, a challenged capability foundation and sub-optimal internal audit contribution are tightly interwoven

Overall themes

This is a journey. There is a circular problem, each facet of this feeds on the other.
- Alignment: This is fundamental, so IA needs to drive to get the right alignment
- Contribution: without the right capabilities and alignment, it is difficult to contribute
- Capabilities: IA has greatest control over this, but getting the right capabilities can be hampered if IA is not contributing and/or they don't have proper alignment as they will struggle to add resources.

Detailed talking points

In some respects I drew the short straw here and get to talk about the data that points to several gaps in the value & performance IA is delivering, but we believe that examining the stakeholders' point of view offers us an opportunity to take the actions needed to break the circular challenges of stakeholder alignment, lagging IA capabilities and limited contribution to the monitoring & management of risk. On your screen now, you see that we have depicted these three challenges (Alignment of stakeholders & IA, Capabilities and Contribution) as a circular challenge because all three must be working together to maximize internal audit's value.
We found that stakeholders (BOD and Management) are not always aligned on their view of IA's value to the organizations or their ability to deliver across the 8 Core attributes. We know that when these two stakeholder groups fail to share a common expectation of IA it increases the challenge that IA functions face in delivering value to the organization. Lack of alignment among stakeholders and with IA is one influencing factor of IA's abilities to attain and develop the right talent and capabilities which will be able to deliver value. Without the right capabilities, IA is challenged to contribute to the organization's most critical risk areas and perform well on the 8 core attributes. The circular nature of this challenge is hard to break and candidly, can continue to feed off of itself by default. Abhi is going to cover a little later the top 5% of IA functions who have broken out of the cyclical challenge, demonstrating value to their stakeholders and providing a distinctly different level of service. But before we get there, I am going to examine each of these issues.

Internal audit must break the cycle of inaction and increase its capabilities or risk being marginalized in comparison to other risk functions

Data analytics discussion
Better integration of technology through data analytics
Analytics are widely viewed as important: 85%, 81%, 74%
- Data analytics are important to improving the quantification of issues
- Data analytics are important to strengthening audit coverage
- Data analytics are important to gaining a better understanding of risks

Yet few have strong programs: 31%
- Data analytics are integrated into the audit process and used regularly

And most intend to, yet lack a well developed plan: 71%
- Plan to expand use of data analytics but do not have a well developed plan

Duncan: All respondents view this as critical but only 31% are actually doing it and 71% don't even have a plan yet.

Drivers and value of analytics within internal audit
The risks highlighted as a result of the financial crisis have required organizations to develop a deeper understanding of the businesses they manage. They cannot simply rely on existing control structures. They must evaluate transactional activities for patterns, trends and anomalous behavior.

Drivers: What is creating demand for analytics?
- Pressure on audit groups to audit closer to the business and develop a deeper position on risk and issues.
- Regulatory expectations to monitor business activities are increasing.
- Data is growing exponentially, and the technologies to analyze the data are maturing rapidly.
- Organizations are being forced to do more with less.
- Competitive pressures are forcing organizations to innovate.

Value: Why is it so important for organizations to get it right?
- Deeper business understanding & focus on risk
- Lower existing and future costs
- End-to-end testing
- Increased population and control coverage
- Real-time evaluation of controls and data integrity - facilitates what-if analysis

Duncan

Data Analytics Maturity Model
There is a broad spectrum of technology use in current data analytics programs

Enhancing the use of technology can assist with improving the efficiency of the Internal Audit department.

[Figure: maturity stages running from "Ad-Hoc Analytics" to "Fully Optimized Auditing", with the labels "IA focused" and "Business focused"]
- Ad Hoc Analytics: Occasional, ad-hoc data analysis on certain audits
- Initial Stage: Creation of data experts to develop routine data analysis techniques. No process for incorporating into IA methodology
- Routinely Leverage: Core technical competencies resident within the department. Results used for updating risk assessment throughout the audit process
- Fully Optimized: Technology enables full integration into internal audit workflow

Julio

Building an effective program
Auditing Life Cycle

1. Risk Assessment: Analytics to compare like metrics between audit entities to drive risk identification
2. Audit Plan: Analysis of audit plan and coverage against risks, geographies and issues
3. Audit Planning and Scoping: Risk analysis to confirm understanding and identify issues within business operation
4. Control and Outcomes Testing: Analytics to test the operating and evaluate risk outcomes and quantify findings
5. Reporting: Analytics to present risk insights and articulate audit findings
6. Issues Management & Monitoring: Analytics to re-test and monitor identified issues and trends

Enterprise view: Analytics enables regular, periodic reporting and accelerates on-going risk identification and assessment.

Business view: Analytics increases assurance through improved population coverage and more intelligent, risk-based sample selection.

Duncan/back to Jason for the panel

Implementing a Strategy: Where to Start?
Start small in Year 1, working your way towards a larger data analytics or Continuous Auditing strategy by Year 3

Along the path, evaluate: Resources, Tools, Training

Move from manual use of data analytics tools towards automated scripting that can be used across business units and time periods, creating efficiency and repeatability

Notes for Val: You have to start somewhere! It is ok to start small and build your way to a larger, more strategic program. Once you perform data analytics on even the smallest of IAS engagements, you will see the immediate benefits, and be able to garner more support and momentum to move forward.

Sample Data Analytics Strategy
Year 1
- Select an audit, and execute data analytics on one business process where you will see immediate results, such as the Purchase-to-Pay cycle
- Communicate benefits to stakeholders to gain support and momentum

Year 2
- Expand data analytic know-how to several other business processes
- Use data analytics to perform scoping activities on individual audits
- Based on results of data analysis, select high risk areas to focus on during audit
- Use data analytics to support findings and quantify issues in the internal audit report

Year 3
- Implement the usage of repeatable data analytics across business units and time periods to gain efficiencies
- Utilize data analytics in the Risk Assessment process going forward
- Develop a Continuous Auditing strategy going forward

Notes for Val:

YEAR 1 Select a high-impact business cycle that will gain stakeholders' attention, such as the Purchase-to-Pay cycle, where you will identify areas for efficiencies/improvements (such as consolidating vendors to negotiate volume discounts) and possible fraudulent activities (such as payments to vendors having addresses that match employee addresses).

Benefits realized:
- Increases audit efficiency
- Increases depth of understanding - useful for both scoping of an engagement, as well as testing
- Increases testing coverage (can test 100% of the population)
- Identifies key trends in data
- Provides statistical facts to support findings
- Quantifies the impact of audit issues
- Detects areas of potential fraud
- Enables Continuous Controls Monitoring
- Improves technology & information systems awareness

YEAR 2 Now that you have seen some benefits and gained some experience using data analytics in Year 1, start to expand the usage of data analytics in Year 2. To do so, you may need to add resources or provide additional training on the tools used. Add new business processes, such as Order-to-Cash, Inventory, and Payroll. Instead of just executing data analytics during an engagement, start to use data analytics to plan and scope an engagement. Prior to an internal audit, you could obtain data files for several business processes and execute analytics, and then based upon the results you could select which areas to focus on during fieldwork. You can then perform analytics during the actual audit itself, and use the results to support and quantify the audit issues in the audit report.

YEAR 3 Val to tell her example story here about implementing Continuous Auditing program related to Journal Entries. Results were regularly used by the Controllers.

Internal Audit Process Framework As Is
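An added example, not part of the PwC presentation: the Year 1 Purchase-to-Pay test from the sample strategy above, flagging vendors whose address matches an employee address across 100% of the payment population, with an optional period filter so the same script can be rerun per period. The record layouts, names and amounts are constructed sample data, and the address normalization rules are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the presentation).
EMPLOYEES = [
    {"emp_id": "E100", "address": "12 Oak Street, Apt 4, Akron OH 44301"},
    {"emp_id": "E101", "address": "900 Market Ave., Canton, OH 44702"},
]
VENDORS = [
    {"vendor_id": "V1", "address": "4500 Industrial Pkwy, Cleveland OH 44135"},
    {"vendor_id": "V2", "address": "12 OAK ST APT 4  AKRON, OH 44301"},
    {"vendor_id": "V3", "address": "900 Market Avenue Canton OH 44702"},
]
PAYMENTS = [
    {"vendor_id": "V1", "period": "2013-01", "amount": 18250.00},
    {"vendor_id": "V2", "period": "2013-01", "amount": 4900.00},
    {"vendor_id": "V2", "period": "2013-02", "amount": 4950.00},
    {"vendor_id": "V3", "period": "2013-02", "amount": 1200.00},
]

# Assumed suffix map; extend it to match the address style of the real master data.
SUFFIXES = {"street": "st", "avenue": "ave", "parkway": "pkwy",
            "road": "rd", "apartment": "apt", "suite": "ste"}


def normalize_address(raw):
    """Lower-case, drop punctuation, collapse spaces and unify common suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", raw.lower()).split()
    return " ".join(SUFFIXES.get(tok, tok) for tok in tokens)


def address_match_exceptions(vendors, employees, payments, periods=None):
    """Flag vendors sharing an address with an employee and total what they were paid.

    Every payment row is read (no sampling). `periods` optionally restricts
    the totals so the same script can be rerun for each reporting period.
    """
    emp_by_addr = defaultdict(list)
    for emp in employees:
        emp_by_addr[normalize_address(emp["address"])].append(emp["emp_id"])

    totals, counts = defaultdict(float), defaultdict(int)
    for pay in payments:
        if periods is None or pay["period"] in periods:
            totals[pay["vendor_id"]] += pay["amount"]
            counts[pay["vendor_id"]] += 1

    exceptions = []
    for ven in vendors:
        matched = emp_by_addr.get(normalize_address(ven["address"]))
        if matched:
            exceptions.append({"vendor_id": ven["vendor_id"],
                               "employee_ids": matched,
                               "payment_count": counts[ven["vendor_id"]],
                               "total_paid": totals[ven["vendor_id"]]})
    # Largest exposure first, so the report quantifies the finding.
    return sorted(exceptions, key=lambda row: row["total_paid"], reverse=True)


if __name__ == "__main__":
    for row in address_match_exceptions(VENDORS, EMPLOYEES, PAYMENTS):
        print(row)
```

A match is a lead for follow-up rather than a finding on its own: shared buildings and disclosed employee-owned businesses will appear in the same exception list.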
ANNUAL
- Risk Assessment
- Audit Plan
- Fieldwork: Technology is being applied here (in audit management and data analysis), to speed up audit process
- Reporting
- Wrap-Up

Process to utilize results for next year's Risk Assessment

Utilize information from previous audits for current audits (ad-hoc data analysis not leveraged project to project). However, informal sharing of information within group.

Internal Audit Process Framework Future
A technology enabled approach to the internal audit framework allows for more timely identification of and response to risks.

TECHNOLOGY ENABLED APPROACH

ONGOING
- Risk Assessment: Monitor key risks. Changes in KRIs indicating change in risk profile
- Audit Plan: Monitor results to change frequency/scope of planned audits

PERIODIC
- Fieldwork: Strategic Audit
- Reporting: Report changes in trends to management

Continuous Audit Program
- Execute Automated Script
- Exception Reporting
- Review Reports

Thank you for your participation
The 2013 State of the Internal Audit Profession Study may be found at: us questions at:

This document is for general information purposes only and should not be used as a substitute for consultation with professional advisors. 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details.