Adding Value to your Organisation (IIA Ethiopia Training, 08 September 2018, Addis Ababa)
Slide 1: Adding Value to your Organisation
IIA Ethiopia Training, 08 September 2018, Addis Ababa
Slide 2: Presenter
IIA Global Chairman 2012-2013
ECIIA President 2010-2011
IIA UK and Ireland President 2005-2006
Holder of the CIA, CMIIA, CRMA, QIAL qualifications
32 years' experience in Internal Audit, 27 years at managerial level
IA Project Expert for the EC and the OECD
Experience in the Public and Private sectors, including spells as:
VP Capability & Head of the Centre of Internal Audit Excellence - Huawei
Head of Internal Audit for a number of Health organisations in the UK
Head of Internal Audit for the UN Special Tribunal for the Lebanon
Head of Internal Audit for the UN War Crimes Tribunal for Bosnia Herzegovina
Project Manager for EC funded projects in Poland, Romania, Turkey
Project Manager for Development Agency funded projects in Kenya, South Africa and Botswana
Project Expert for EC/OECD funded projects in Croatia, Kosovo, Serbia, Hungary, Latvia, Estonia, Lithuania, Czech Republic, Macedonia
Slide 3: Agenda
Internal Audit’s purpose
Business Process Risk & Internal Audit
Risk Based Internal Audit
Qualified Personnel
Audits to Consider
Conclusion
Slide 4: Internal Audit's Purpose
Slide 5: The profession has been around for a number of years, and for a long time was largely seen as a sub-set of accounting.
On 23 September 1941 in New York City a number of Internal Auditors gathered at the Williams Club and the Institute of Internal Auditors was founded.
This was the first assertion that Internal Audit is a profession in its own right.
Slide 6: Risk has always been part of the Internal Audit process
Initially the Internal Audit process was based around a systems approach, which identified the Control Objectives for a system; Internal Audit then assessed the functioning of controls to assist in achieving those objectives.
Risk Based Internal Audit (RBIA) focused Internal Audit's attention on risks to the business (i.e. business risks) and how these risks can be prevented or their impact negated.
Slide 7: Organisational Roles defined
The Three Lines of Defence - the key to risk responsibilities in an organisation
Slide 8: Risk & Control Responsibilities
Understanding the Three Lines of Defence is fundamental to understanding the governance oversight role.
The First Line, that is operational management, has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.
The Second Line, that is activities covered by several components of internal governance (compliance, risk management, quality, IT and other control departments), monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk related information up and down the organisation.
The Third Line, an independent internal audit function, will, through a risk-based approach to its work, provide assurance to the organisation's board of directors and senior management. This assurance covers how effectively the organisation assesses and manages its risks and includes assurance on the effectiveness of the first and second lines of defence. It encompasses all elements of an organisation's risk landscape.
Slide 9: Football managers often say that for the goalkeeper to miss a save, 10 other players must have missed it before him. This third line role likens internal audit to the goalkeeper in a football match. When the ball is lost in midfield (first line) and the defence (second line) fails to pick up the opposition's attack, it is left to the goalkeeper (third line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both first and second lines, and failure to do so may lead to significant loss to the organisation.
1st line: Business Management
2nd line: Risk Management / Compliance / Others
3rd line: Risk Based Internal Audit
External Audit and the Regulators are the Referee and Linesman
Slide 10: Internal Audit's role defined
The Internal Audit definition:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Slide 11: The International Professional Practices Framework
Slide 12: The International Professional Practices Framework cont..
International Standards for the Professional Practice of Internal Auditing
The purpose of the Standards is to:
Guide adherence with the mandatory elements of the International Professional Practices Framework.
Provide a framework for performing and promoting a broad range of value-added internal auditing services.
Establish the basis for the evaluation of internal audit performance.
Foster improved organizational processes and operations.
The Standards are a set of principles-based, mandatory requirements consisting of:
Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.
Interpretations clarifying terms or concepts within the Standards.
Slide 13: The International Professional Practices Framework cont..
The Standards comprise two main categories:
Attribute and Performance Standards.
Attribute Standards
address the attributes of organisations and individuals performing internal auditing.
Performance Standards
describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.
Attribute and Performance Standards apply to all internal audit services.
Slide 14: Adding Value?
IPPF definition, from the Glossary:
Add Value
The internal audit activity adds value to the organisation (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes
Slide 15: Business Process & Risk
Slide 16: Business Processes
Business Processes are usually divided into 3 different spheres:
Operating Processes - these will differ dependent upon the organisation
Support Processes - these generally will be standard (HR, Finance etc)
Project Processes - will be similar around the two areas of Operate and Deliver
Operate - design, construct and use
Deliver - design and construct only
Slide 17: Business Processes cont..
Essentially every organisation will have the following Business areas:
Support:
Manage Human Resources
Manage Financial Strategy - Loans, Transfer Pricing, FOREX etc
Manage Financial Services - Payroll, Income, Expenditure etc
Manage Information & Technology Resources
Manage Physical Resources
Manage Corporate Organisation
Manage Legal Affairs - Contracts, Compliance with Laws etc
Manage External Relationships
Manage Internal Audit
Operating:
Manage Production
Manage Supply Chain
Manage Delivery
Manage Stock
Projects:
Manage Project Operate 1
Manage Project Operate 2
Manage Project Delivery 1
Manage Project Delivery 2
Slide 18: The Process of Getting to Work
Night before, set the alarm clock
Get up when the alarm goes off
Have breakfast
Get transport to workplace, either train, bus or car
Walk to work station
Slide 19: Business Process & Internal Audit
Why is this important to Internal Auditors?
To understand risk and control you need to understand the process by which objectives are to be achieved.
The scenario of how you get to work can change, certain things can be done at a different stage of the process. For example, if you use your car when do you fill with petrol?
What you will do is to find the most efficient, effective way in which to achieve your objective.
This is exactly the same for a business; the process must reflect the most efficient and effective way of achieving the objective.
The auditor is then in a position to evaluate the business process not only to ensure that risks are being managed but also that the process is the best it could be.
Slide 20: Understanding the Business
Requires the Internal Auditor to ensure that they understand what processes are undertaken and for what objective.
Slide 21: Types of Risk
Inherent risk (sometimes called gross risk) is the risk that naturally exists before any action is taken to mitigate it. It is the product of likelihood (or probability) and impact.
Residual risk (sometimes called net risk) is the risk that inevitably remains after mitigation, assuming that the mitigating actions are effective.
Slide 22: The Scenario - Getting to work
Risk in everyday life
Night before, set the alarm clock
Get up when the alarm goes off
Have breakfast
Get transport to workplace, either train, bus or car
Walk to work station
Slide 23: What can go wrong?
Remember: Risk is an occurrence which will prevent you from achieving your desired objective.
What are the Risks, the Barriers, that prevent the objective being achieved?
Slides 24-29: What can go wrong (the five steps are revealed one at a time)
Night before, set the alarm clock
Get up when the alarm goes off
Have breakfast
Get transport to workplace, either train, bus or car
Walk to work station
Slide 30: Risk Management
Slide 31: COSO ERM Framework
Slide 32: COSO Enterprise Risk Management Framework cont..
The framework has three dimensions:
Types of Objectives of an organisation
Components of Enterprise Risk Management
Business structure of an organisation
Slide 33: Enterprise Risk Management Definition
Enterprise risk management is a process, effected by an entity's board of directors, managers and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Slide 34: Enterprise Risk Management
Risk Management includes identifying and assessing risks and then responding to them in a timely and appropriate manner.
Remember that the resources available for managing risks are finite, so the aim of risk management is to achieve an optimum response to risk, prioritised in accordance with an evaluation of the risks.
It is a process that should be used throughout the organisation.
Slide 35: Enterprise Risk Management cont..
Attempts to ANTICIPATE the risks and put actions in place to try and stop them happening
Attempts to make the control specifically designed to deal with the specific risks in that organisation and proportionate to the significance of the risk
Is proactive rather than reactive
Is about making sure the important risks are managed, in the best way, at the right time
Is about making sure time, effort and resources are not wasted on the things that are unimportant or unlikely to happen
Slide 36: Enterprise Risk Management cont..
ERM allows the important risks for the organisation to be identified.
It ensures that these risks are known to everyone and that there is therefore consistency about risk within the organisation.
It therefore provides valuable input to the Internal Audit risk assessment.
Slide 37: Enterprise Risk Management cont..
There are numerous Risk Management Standards around the world, the most commonly accepted ones being:
ISO 31000
COSO ERM
IRM/Alarm/AIRMIC 2002 - A Risk Management Standard
AS/NZS 4360:2004 Risk management
Slide 38: Types of Risk (inherent and residual risk, as defined on Slide 21)
Slide 39: Risk Impact and Likelihood
Risk is usually measured in terms of likelihood and impact, plotted on a matrix with Impact (Low, Medium, High) on one axis and Likelihood (Low, Medium, High) on the other.
Slide 40: Treatment of Risk
Once a risk has been identified, how should the organisation respond? Much will depend on the Risk Appetite of the organisation, i.e. how much risk they are prepared to take, remembering that risk can also be a business opportunity.
Tolerate - accept the risk; this is the risk appetite
Treat - establish an effective internal control regime
Transfer - let someone else take the risk, the best example being insurance
Terminate - do not undertake the activity that gives rise to the risk
Slide 41: Risk and Process
Can only effectively treat risk if you have an understanding of the Business Process.
This allows you to identify the likelihood of the risk occurring and the impact that it will have if it occurs.
This gives you the opportunity to correctly identify the action to take and, in the case of Tolerate and Treat, identify the appropriate internal controls
Slide 42: Enterprise Risk Management & Internal Audit
Often Risk Management and Risk Based Internal Audit get talked about as though they are the same thing. THEY ARE NOT.
Risk Management is an operational activity, and for Internal Audit to be effective it has to be independent of operations.
There are however things that Internal Audit can do in respect of Risk Management.
Slide 43: Internal Audit's role
Slide 44: Internal Control and Internal Audit
Slides 45-46: Internal Controls
This is the last part of the approach to effective organisations:
Identification of Organisational Objectives
Establishment of Business Processes
Risks to achieving Organisational Objectives
Internal Controls
Achievement of Organisational Objectives
Each of these areas is a Management Responsibility.
Slide 47: Internal Controls
Internal Control is the mechanism that organisations use to control/negate risk so that they can achieve their objectives.
It is important to understand that everyone in the organisation has responsibility for the effective operation of internal control, albeit at different levels.
Essentially the phrases “internal control” and “management control” are interchangeable.
Slide 48: Internal Control Frameworks
Slide 49: Internal Control Frameworks cont..
COSO - the major framework
Slide 50: Internal Control Responsibility
Internal Control is the responsibility of everyone in the organisation
Management
Has the primary responsibility for the system of internal control
The CEO
He/she sets the ethical tone of the organisation.
In smaller organisations has an impact on all staff
In larger organisations impact is limited to senior management
The Board
Provides direction and ultimately has the responsibility
Everyone
Front line personnel have responsibility for putting internal controls in place and monitoring their effectiveness.
Slide 51: Risk Based Internal Audit
Slide 52: The Key Aim of a Risk Based Internal Audit Approach
Is to move Internal Audit through the developmental stages: Hindsight, Insight, Foresight.
Slide 53: Risk Based Internal Audit Approach
Identify & understand Business Processes - provides Objectives
Identify & understand Risks in the Business - provides Risks
Identify & understand established controls - provides Controls
AUDIT: evaluates the operation of controls and whether any control is missing
Provide a report linking the effectiveness of controls against identified risks and providing insight into whether the Business Process is effective, efficient and economic.
Slide 54: Risk Based Internal Audit - 4 Stages
Slide 55: Risk Based Internal Audit Approach
Opportunities for INSIGHT (some examples)
Are the Business Processes “fit for purpose”:
Will the process achieve the objective?
Does the process provide effectiveness, efficiency and economy?
Could the process be improved?
Is the internal control environment providing sufficient comfort that risks are being controlled?
Is the risk appetite understood and consistent through the organisation?
Is the risk identification and assessment process robust and consistent over the organisation?
Is there too much control?
Slide 56: Risk Based Internal Audit Planning
Risk Assessment
IIA Standard 2010 Planning states “The Chief Audit Executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals”.
Important words
Risk based plan
Consistent with organisation's goals.
Slide 57: Risk Based Internal Audit Planning cont..
The vast majority say they use risk-based methodologies when planning. But do they?
Emerging risks present a challenge. How do you know about them?
Figures from 2017 Pulse of Internal Audit - IIA Inc
Slide 58: Risk Based Internal Audit Planning cont..
So do you truly have a Risk Based Audit Approach?
If you never carry out a risk assessment? NO
If you only carry out a risk assessment once a year? NOT REALLY - with the frequency of technology change, is this sufficient?
If you never update the IA Plan? NO
Slide 59: Risk Based Internal Audit Planning cont..
Steps you can take to build your Plan (obviously this will depend on your risk maturity):
Consult with Senior Management and confirm what they see as the key risks,
Review the Risk Register,
Corroborate the above risks, independently,
Prioritise the risks, enterprise wide,
Determine the Business Processes largely responsible for mitigating the risks,
Using a transparent process, prioritise the business processes by risk.
This provides the baseline for the Internal Audit plan.
It then needs to be matched against available resources.
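The planning steps above, worked through in code as an added example (this is not part of the presentation or the IIA's material). It scores each risk-register entry as likelihood x impact (inherent risk, Slide 21), discounts it by an assumed control-effectiveness factor to get residual risk, carries any risk that could not be independently corroborated at its inherent score (the plan should not take credit for controls nobody has confirmed), rolls the scores up to the business process responsible for mitigating each risk, ranks the processes, and then fits them into a fixed budget of audit days. The register entries, effectiveness factors, effort estimates and budget are all constructed for illustration; the process names are the business areas from Slide 17.

```python
"""Added example (not from the presentation): a small risk-based audit
planning model.  Everything below (register, effectiveness factors,
effort estimates, budget) is constructed for illustration."""

from dataclasses import dataclass

# Likelihood and impact rated Low / Medium / High, as on the risk matrix slide.
RATING = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    process: str                  # business process largely responsible for mitigating it
    likelihood: str               # LOW / MEDIUM / HIGH
    impact: str                   # LOW / MEDIUM / HIGH
    control_effectiveness: float  # 0.0 = no effective control, 1.0 = fully mitigated (assumed)
    corroborated: bool = True     # was management's view independently corroborated?

    @property
    def inherent(self) -> int:
        """Gross risk: likelihood x impact, before any mitigation."""
        return RATING[self.likelihood] * RATING[self.impact]

    @property
    def residual(self) -> float:
        """Net risk remaining if the controls operate as designed."""
        return round(self.inherent * (1.0 - self.control_effectiveness), 2)

    @property
    def planning_score(self) -> float:
        """Score used for prioritisation.  An uncorroborated risk is carried at
        inherent risk: until the auditor has confirmed the controls, the plan
        must not take credit for them."""
        return self.residual if self.corroborated else float(self.inherent)


def prioritise_processes(risks):
    """Roll planning scores up to the owning process and rank, highest first.
    Ties break alphabetically so the ordering is transparent and repeatable."""
    totals = {}
    for r in risks:
        totals[r.process] = totals.get(r.process, 0.0) + r.planning_score
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def build_plan(ranked, effort_days, budget_days):
    """Walk the ranked processes and take each audit that still fits the budget.
    Returns (selected, deferred); deferred audits are the first candidates at
    the next rolling-plan review rather than simply dropped."""
    selected, deferred, remaining = [], [], budget_days
    for process, _score in ranked:
        need = effort_days[process]
        if need <= remaining:
            selected.append(process)
            remaining -= need
        else:
            deferred.append(process)
    return selected, deferred


# Constructed risk register, mapped to the business areas named on Slide 17.
RISK_REGISTER = [
    Risk("Ransomware disrupts core operations", "Manage Information & Technology Resources", "HIGH", "HIGH", 0.4),
    Risk("Phishing leads to credential theft", "Manage Information & Technology Resources", "HIGH", "MEDIUM", 0.5),
    Risk("Payroll fraud", "Manage Financial Services", "MEDIUM", "HIGH", 0.7),
    Risk("Key supplier fails to deliver", "Manage Supply Chain", "MEDIUM", "MEDIUM", 0.5),
    Risk("Breach of contract terms", "Manage Legal Affairs", "LOW", "HIGH", 0.8, corroborated=False),
    Risk("Stock losses", "Manage Stock", "MEDIUM", "LOW", 0.3),
]

# Assumed effort per audit, in auditor days, and the days available this cycle.
EFFORT_DAYS = {
    "Manage Information & Technology Resources": 30,
    "Manage Financial Services": 20,
    "Manage Supply Chain": 15,
    "Manage Legal Affairs": 10,
    "Manage Stock": 8,
}
BUDGET_DAYS = 60

RANKED = prioritise_processes(RISK_REGISTER)
SELECTED, DEFERRED = build_plan(RANKED, EFFORT_DAYS, BUDGET_DAYS)

if __name__ == "__main__":
    for process, score in RANKED:
        print(f"{score:5.1f}  {process}")
    print("Plan:", SELECTED)
    print("Deferred to next review:", DEFERRED)
```

Note how the uncorroborated legal risk outranks three processes whose residual scores look lower: a register that records a control as 80% effective, with nobody having checked it, is exactly the "do you truly have a risk-based approach?" question from Slide 58. The budget walk is deliberately simple (highest score first, skip what no longer fits); a real plan would also weigh time since last audit and regulatory commitments.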
Slide 60: Risk Based Internal Audit Planning cont..
The Plan is usually prepared annually, in advance of the fiscal year commencement. Many organisations now however operate a rolling planning process, with a continuing risk assessment leading to a more dynamic planning process. Examples:
An annual formal risk exercise, but work to a firm three-month plan and a draft plan for the following three months, which can change.
An annual formal risk exercise, but then a changeable plan which is worked out in liaison with the business units and the changing risk priorities.
Slide 61: Risk Based Internal Audit Planning cont..
To be effective, it is suggested that an annual formal risk exercise is necessary, but because of the changing risk situation this should be reviewed on a three to four monthly basis.
It is also appropriate for the Internal Audit Plan to be flexible around the 6 month period in order to reflect changing emphasis for audit as a result of the changing risk situation.
Richard Chambers, President and CEO of the Global IIA, says:
"Internal Audit has to be able to audit at the speed of risk"
Slide 62: Risk Based Internal Audit Engagements
Let's audit the journey to work
Night before, set the alarm clock
Get up when the alarm goes off
Have breakfast
Get transport to workplace, either train, bus or car
Walk to work station
Slide 63: Risk Based Internal Audit Engagements cont..
Process step 1: Night before, set the alarm clock
Objective: To wake at the correct time
Risks: Alarm fails to sound
Controls:
If battery powered, battery checked
If electric, plugged in
If manual, fully wound
For all, alarm mechanism checked that it is set for the correct time
Slide 64: Risk Based Internal Audit Engagements cont..
Process step 2: Get up when the alarm goes off
Objective: To ensure that you leave on time
Risks: You fail to get up
Controls: Alarm clock has a repeat mechanism
Slide 65: Risk Based Internal Audit Engagements cont..
Process step 3: Have breakfast
Objective: To ensure that you are fit to attend work
Risks: You do not have breakfast foods available
Controls: Regular checks of food stocks in the house; regular shopping trips
Slide 66: Risk Based Internal Audit Engagements cont..
Process step 4: Get transport to workplace, either train, bus or car
Objective: To ensure you are at work on time
Risks:
Miss the bus or train
Car fails to start
Controls:
Ensure that times of trains/buses are known
Regularly service the car
Ensure that the car has sufficient fuel
Slide 67: Risk Based Internal Audit Engagements cont..
Process step 5: Walk to work station
Objective: To arrive on time
Risks:
Get lost
Fall over
Controls:
Make sure you are aware of the time
Ensure you know the location you require
Slide 68: The Risk Based Internal Audit Approach
Planning the Engagement
From Management, determine the objectives of the Business Process.
Using the Business Process Map, determine the key risks to achieving the Business Objective.
Consider findings from previous audits, if any exist.
Identify the key controls that will negate the impact of the risk.
At this stage identify both existing controls and potential controls that are missing.
Establish at this stage your preliminary evaluation, which will prioritise your testing.
Design your testing.
Slide 69: Testing the Robustness of the Process
Testing
Remember that Management do not just want to know that things are going wrong; they want to know why things have gone wrong and what needs to be done to correct it.
Remember INSIGHT: to be able to correct things we need to know why they went wrong.
So we need to ask the 5 Whys:
Why did it go wrong?
Why did that happen?
What was the reason that happened?
Why did that happen?
Why did it occur?
Slide 70: Testing Reveals the Root Cause of Failure
To provide Value to Management you need to identify the root cause(s) – there may be more than one
Slide 71: The Findings
Management do not want to be told the symptoms – i.e. the problem
They want to be told the solution.
To do this the internal auditor needs to identify the underlying cause – that cannot be seen.
Identifying the root cause means adopting a questioning nature, and to continue questioning until you are satisfied there is nothing more.
Once you get there, you can tackle the underlying problem and your recommendations will provide real value.
Slide 72: Risk Based Internal Audit Findings
Reiterating the basic control requirements will not improve the Internal Control environment. The recommendation needs to tackle the reasons why control was circumvented, to prevent it happening in the future.
Identify the root cause of the control breakdown and then suggest how it can be fixed.
Slide 73: The Risk Based Internal Audit Evaluation
In order to compile an objective evaluation of the audit area, it is preferable to have all the records of the assignment in one place.
This can be done on a Form RICE (Risk and Internal Control Evaluation).
Using this form, in either Word or Excel, allows the evaluation to be updated as the work proceeds and provides a continuing assessment of the audit.
Slide 74: Risk Based Internal Audit Results Record
Slide 75: Qualified Personnel
Slide 76: Value in Qualification
Internal audit is a complex and fast evolving field
Qualification shows both Employer and Auditee that you have the necessary knowledge and expertise to undertake the work
Professional qualification gives auditors the confidence to succeed
The qualifications are recognised internationally.
Slide 77: Adding Value?
Encourage Qualification
Have systems in place to recognise and reward professional and educational qualifications that provide a basis for the employee to understand the ethos behind the profession. Studies have shown that qualification has a positive effect on fraud deterrence as well as its positive impact on the competence of the employee
Slide 78: Which Qualification?
Certified Internal Auditor is a globally-recognised qualification that provides a firm foundation for a career in internal auditing. When you study the CIA you’ll learn about internal audit theory and the core frameworks, including the International Standards, and how to plan and perform an internal audit engagement. You will also be introduced to the concepts of internal control, risk, governance and technology.
Becoming a CIA will:
Demonstrate your proficiency and professionalism
Distinguish you from your peers
Develop your knowledge of best practices in the industry
Lay a foundation for continued improvement and advancement
Slide 79: Audits to Consider
Slide 80: Common Areas of Audit
Top Areas of Focus
1. Financial-related - 22%
2. Operational - 17%
3. Compliance/Regulatory - 16%
4. IT and Cybersecurity - 16%
5. Risk Management - 6%
6. Governance and Culture - 4%
Source: 2018 North America Pulse of Internal Audit: The Internal Audit Transformation Imperative, IIA Audit Executive Center, © 2018 The Institute of Internal Auditors
The survey was carried out in the US, so SARBOX (Sarbanes-Oxley) work scores highly.
Slide 81: Global Findings for Audit Areas
Slide 82: Major Differences
Differences from North America to Global:
Compliance and Regulatory remains about the same (16% to 15%)
Sarbanes-Oxley reduces from 14% to 5%
Operational falls from 17% to 14%
Financial Audit remains about the same (9% to 8%)
ERM coverage increases from 6% to 10%
Fraud Investigation increases from 5% to 7%
Equal on Cyber Security (7%) and IT Audit (9%)
Governance & Culture increases from 4% to 6%
Sustainability & non-financial reporting audit is listed separately in Global
Globally almost 30% of the Audit Plan covers Operational and Regulatory Audits.
In North America the figure is 33%, with another 14% spent on SarBox work.
Slides 83-84: So what to Audit?
If an Organisation relies upon its Strategy to determine the path to meeting its objectives,
If Culture eats Strategy for Breakfast,
If Internal Audit's role is to ensure that the mechanisms are in place for the organisation to meet its objectives,
Then Culture needs to be audited.
Slide 85: Culture - The Outsourcing Firm
Slide 86: Carillion
Slide 87: The costs of a Toxic Culture
Slide 88: Culture - The Banking Firm
Wells Fargo - Bank employees opened millions of credit-card accounts customers hadn’t approved in order to hit profit targets
As of October 1, 2016 the bank eliminated product sales goals for its retail banking team. It also appointed a new community banking chief, and fired about 5,300 employees connected to the scandal.
SALES TARGETS DRIVING THE WRONG BEHAVIOUR
Slide 89: Toxic Culture - Political Fallout
Senator Warren's comments to the Wells Fargo CEO:
"You knew there was a problem, and when you were asked about it, you lied. This is about personal responsibility. Wells Fargo cheated millions of people for years. … Mr. Sloan, you say you've been making changes at Wells Fargo for 30 years, but you enabled this fake account scam, you got rich off it, and then you tried to cover it up. At best, you are incompetent. At worst, you are complicit. Either way, you should be fired."
Slide 90: Toxic Culture - Legal Fallout
Slide 91: Adding Value - Audit Culture
CEOs and CFOs see Culture as Critical:
Over 90% believe culture is important
92% believe improving their culture would improve the value of the company
Over 50% believe culture influences: productivity, creativity, profitability, firm value and growth rates
Yet only 15% believe their corporate culture is where it needs to be
Source: "Corporate Culture: Evidence from the Field," Graham, Harvey, Popadak, and Rajgopal; Duke University, 2015
Slide 92: What is audited in Culture
Control Systems
Stories and Symbols
Organisation Structure
Processes
Ritual and Routines
Power Structures
The Cultural Paradigm
We have to learn to audit the culture of the company using the areas making up the Paradigm
Slide 93: The Speed of Business Change
The Fourth Industrial Revolution is bringing digital disruption.
Slide 94: Non-Technology Business Change
Excluding technology we have:
Policy, e.g. the free trade policy after World War II, and the current potential for a Trade War between the USA and China
Demographics, such as baby booms or ageing populations
More women working, a more educated population and more people being educated, and the speed of communication from telegraph to text
Slide 95: Business Change means IA change
Change means that Internal Audit have to:
Keep in touch with changes in the business
Have the skills to appreciate the changes happening
Adapt Internal Audit processes to respond to changes
Employ innovative internal audit methods
Slide 96: Life is changing through Technology
At the moment your alarm clock and coffee machine rely upon input from you, to set the time and to turn them on or to set them for an automatic turn on.
In the future ……
Slide 97: Internal Audit is changing through technology
Audit the various Technology Risks
Ensure that Internal Audit has a role in Cloud Computing. Internal Audit should examine:
The Cloud strategy
Evaluation of Vendors
Implementation of the Model
Vendor monitoring
Security
Embrace technology to make the Internal Audit process more efficient, using an Audit Management System to monitor every aspect of the audit process: a fully integrated, end-to-end audit management system covering the Audit Universe and Risk Assessment, Audit Planning and Scheduling, Audit Management, Questionnaires, Reporting, and Recommendations and Follow-Up.
Slide 98: Technology Allows more Effective Testing
Use Data Analytics. "The results indicate that, similar to our prior year results, a majority of analytics functions are at a relatively immature state. While many internal audit functions are making some progress in growing their analytic capabilities, there is more work to do."
Source: Protiviti's 2018 Internal Audit Capabilities and Needs Survey
Slide 99: Internal Audit's response to Technology change?
"The real pitfall for Internal Audit is if they don't stay current on new technologies then they won't have a seat at the table and be perceived to be adding value; they need to stay current (not be experts) to stay relevant."
Alvin Bledsoe, Audit Committee Chair, SunCoke Energy
PwC 2018 State of the Internal Audit Profession Study
Slide 100: The Internet of Things
The Internet of Things (IoT) will change dramatically the way that we live, but it also provides more and more opportunities for security lapses.
Slide 101: Increasing Technology brings new risks
Slides 102-103: Cyber Security
Number 3 Risk: "Our organisation may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage the brand"
Source: Executive Perspectives on Top Risks 2018, Protiviti & North Carolina State University's ERM Initiative
This has been a consistently highly rated risk over the past three years.
Slide 104: The Three Lines of Defence in a Cyber Context
Re-visualising the 3 Lines of Defence within a Digital context
Source: At the junction of Corporate Governance and Cyber Security, FERMA & ECIIA, 2017
Slide 105: Adding Value in the field of Cyber Security
As the third line of defence, Internal Audit is responsible for providing objective and independent assurance that the first and second lines of defence are functioning as designed, and looks at the overall coherence and consistency of the organisation's information security programme. It should provide at least an annual health check to the Board on the state of that programme.
Source: At the junction of Corporate Governance and Cyber Security, FERMA & ECIIA, 2017
Slide 106: Internal Audit can only do so much
However, IA can only add value if they are listened to and action is taken.
Slide 107: Cyber Security - Phishing
Audit the defences against phishing.
This email, personalised to someone in the Finance department, had an attachment, allegedly the invoice. However, if you clicked on the attachment you released malware that infected your computer. The sender's email address does not tie in with the sender being a bank. I have received a number of these over the last year.
The response is through user education, including simulated phishing emails.
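The indicators the slide points at, as an added example (not part of the presentation): a first-pass triage of a message of the kind described, a supposed bank invoice sent to someone in Finance. It flags a display name that claims to be a bank while the sending domain is not one the organisation deals with, a Reply-To that diverts replies elsewhere, an attachment of a type that can execute code, and pressure language in the subject or body. The two messages, the domain names and the allow-list of bank domains are all constructed; in practice the allow-list would come from Finance's own supplier and banking records, and the output would feed the awareness programme or a mail-gateway rule review, not replace the mail filter.

```python
"""Added example (not from the presentation): simple phishing indicator
checks over a raw email.  Messages, domains and the allow-list are
constructed for illustration."""

import email
import re
from email import policy

# Domains of the banks this organisation actually deals with (assumed allow-list).
KNOWN_BANK_DOMAINS = {"examplebank.example"}

# Attachment types that commonly carry or launch malware, including archives
# used to hide an executable from simple content filters.
RISKY_ATTACHMENT_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso",
                               ".zip", ".docm", ".xlsm", ".htm", ".html"}

PRESSURE = re.compile(r"\b(urgent|immediately|overdue|final notice|within 24 hours)\b",
                      re.IGNORECASE)


def phishing_indicators(raw: bytes) -> list:
    """Return the list of indicator codes found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    sender_domain = sender.domain.lower() if sender else ""

    # 1. The display name says "bank" but the address is not a bank we know.
    if sender and re.search(r"\bbank\b", sender.display_name, re.IGNORECASE) \
            and sender_domain not in KNOWN_BANK_DOMAINS:
        findings.append(f"sender-domain-mismatch:{sender_domain}")

    # 2. Replies would go to a different domain than the apparent sender.
    reply_hdr = msg["Reply-To"]
    if reply_hdr and reply_hdr.addresses:
        reply_domain = reply_hdr.addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(f"reply-to-mismatch:{reply_domain}")

    # 3. Attachments of a type that can run code when opened.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_ATTACHMENT_EXTENSIONS:
            findings.append(f"risky-attachment:{name}")

    # 4. Urgency wording in the subject or the text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    if PRESSURE.search(text):
        findings.append("pressure-language")

    return findings


# Constructed message modelled on the slide: bank-sounding display name,
# unrelated sending domain, diverted Reply-To, a zip "invoice" (the base64 is
# an empty archive) and an urgent subject line.
PHISHING_SAMPLE = b"""From: "First National Bank Payments" <accounts@fnb-invoices-mail.example>
Reply-To: payments@mailer-forwarding.example
To: finance.clerk@company.example
Subject: URGENT: invoice 4471 overdue - payment required within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Dear Finance Team, please find the attached invoice and arrange payment today.

--sep
Content-Type: application/zip; name="invoice_4471.zip"
Content-Disposition: attachment; filename="invoice_4471.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--sep--
"""

# Constructed legitimate statement notice from a known bank, for contrast.
LEGITIMATE_SAMPLE = b"""From: "Example Bank Statements" <statements@examplebank.example>
To: finance.clerk@company.example
Subject: Your monthly statement is available
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your statement for last month is now available in online banking.
"""

if __name__ == "__main__":
    print("suspect:", phishing_indicators(PHISHING_SAMPLE))
    print("legitimate:", phishing_indicators(LEGITIMATE_SAMPLE))
```

The domain check is the one the slide makes: the name in the From line is not evidence of who sent the message, only the domain after the @ is, and even that is only as good as the organisation's SPF/DKIM/DMARC enforcement, which an audit of phishing defences should cover alongside the user-education programme.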
Slide 108: Look for Guidance
Audit smart devices in the same way that you used to audit computers.
Slides 109-110: Agility
To respond to the changes and the pace at which they occur, Internal Audit must be agile, ready to embrace new techniques and practices at the earliest opportunity.
Source: 2018 Pulse of North American Internal Audit, IIA
Slide 111: What Does Agility mean?
"Agile focuses on continuous improvement, scope flexibility, team input, and delivering essential products, whether applied to software development or audits. This involves close collaboration across audits and function members, auditee collaboration (whilst maintaining independence), and responding to changing requirements during audits and the delivery of audit plans."
Source: Risk in Focus: Hot Topics for Internal Audit 2018, report issued by the European Confederation of Institutes of Internal Auditing
Slide 112: Adding Value by an Agile Audit
The IIA recommends:
Change in mindset
Prepare to quickly refocus on disruptive risks & opportunities
Prioritise work on what matters most
Create teams with the right blend of skills
Coordinate with other resources in the organisation
Slide 113: Conclusion
To be future proof, Internal Audit needs processes in place to TACKLE the changing environment:
Technology - be aware of technology threats and harness technology to provide an improved customer service
Agile - be able to react quickly to changing circumstances
Culture - audit Culture
Knowledge - be knowledgeable about business processes, risks, profitability and internal control
Listening - listen to what your customers want, learn and, if appropriate, deliver
Expectations - understand what your customers' expectations are and resolve differences between expectation and delivery
Slide 114: Thank You
Phil Tarling
Internal Audit Consultant
Tel: +441329282155
Mob: +447802656986
Email: Phil.tarling@outlook.com
http://www.tarlingassurancerisk.co.uk