Adding Value to your Organisation - PowerPoint Presentation

Uploaded by lindy-dunigan on 2019-06-29

Description: IIA Ethiopia Training, 08 September 2018, Addis Ababa. Presenter: IIA Global Chairman 2012-2013, ECIIA President 2010-2011, IIA UK and Ireland President 2005-2006. ID: 760556



Presentation Transcript

Slide1

Adding Value to your Organisation

IIA

Ethiopia Training

08 September 2018

Addis Ababa

Slide2

Presenter

IIA Global Chairman – 2012-2013

ECIIA President 2010-2011

IIA UK and Ireland President 2005-2006

Holder of the CIA, CMIIA, CRMA, QIAL qualifications

32 years experience in Internal Audit, 27 years at managerial level

IA Project Expert for the EC and the OECD

Experience in the Public and Private sectors, including spells as:

VP Capability & Head of the Centre of Internal Audit Excellence - Huawei

Head of Internal Audit for a number of Health organisations in the UK

Head of Internal Audit for the UN Special Tribunal for the Lebanon

Head of Internal Audit for the UN War Crimes Tribunal for Bosnia Herzegovina

Project Manager for EC funded projects in Poland, Romania, Turkey

Project Manager for Development Agency funded projects in Kenya, South Africa and Botswana

Project Expert for EC/OECD funded projects in Croatia, Kosovo, Serbia, Hungary, Latvia, Estonia, Lithuania, Czech Republic, Macedonia

Slide3

Agenda

Internal Audit’s purpose

Business Process Risk & Internal Audit

Risk Based Internal Audit

Qualified Personnel

Audits to Consider

Conclusion

Slide4

Internal Audit’s Purpose

Slide5

The profession had been around for a number of years.

Largely seen for a long time as a sub-set of accounting.

On 23 September 1941 in New York City a number of Internal Auditors gathered at the Williams Club and the Institute of Internal Auditors was founded.

This was the first emphasis that Internal Audit was a profession in its own right.

Slide6

Risk has always been part of the Internal Audit process

Initially the Internal Audit process was based around a systems approach, which identified the Control Objectives for a system, and Internal Audit assessed the functioning of controls to assist in achieving those objectives.

RBIA (Risk Based Internal Audit) focused Internal Audit’s attention on risk to the business (i.e. Business risks) and how these risks can be prevented or their impact negated.

Slide7

Organisational Roles defined

The Three Lines of Defence - the key to risk responsibilities in an organisation

Slide8

Risk & Control Responsibilities

Understanding the Three Lines of Defence is fundamental to understanding the governance oversight role

The First Line, that is operational management, which has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.

The Second Line, that is activities covered by several components of internal governance (compliance, risk management, quality, IT and other control departments). This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk related information up and down the organisation.

The Third Line, that is an independent internal audit function which will, through a risk-based approach to its work, provide assurance to the organisation’s board of directors and senior management. This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defence. It encompasses all elements of an organisation’s risk landscape.

Slide9

Football managers often say that for the goalkeeper to miss a save, 10 other players must have missed it before him. This third line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (first line) and the defence (second line) fails to pick up the opposition’s attack, it is left to the goalkeeper (third line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both first and second lines and failure to do so may lead to significant loss to the organisation.

1st line: Business Management

2nd line: Risk Mgt / Compliance / Others

3rd line: Risk Based Internal Audit

External Audit and the Regulators are the Referee and Linesman

Slide10

Internal Audit’s role defined

The Internal Audit definition

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Slide11

The International Professional Practices Framework

Slide12

The International Professional Practices Framework cont..

International Standards for the Professional Practice of Internal Auditing

The purpose of the Standards is to:

Guide adherence with the mandatory elements of the International Professional Practices Framework.

Provide a framework for performing and promoting a broad range of value-added internal auditing services.

Establish the basis for the evaluation of internal audit performance.

Foster improved organizational processes and operations.

The Standards are a set of principles-based, mandatory requirements consisting of:

Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.

Interpretations clarifying terms or concepts within the Standards.

Slide13

The International Professional Practices Framework cont..

The Standards comprise two main categories:

Attribute and Performance Standards.

Attribute Standards

address the attributes of organisations and individuals performing internal auditing.

Performance Standards

describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured.

Attribute and Performance Standards apply to all internal audit services.

Slide14

Adding Value?

IPPF definition, from Glossary

Add Value

The internal audit activity adds value to the organisation (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes

Slide15

Business Process & Risk

Slide16

Business Processes

Business Processes are usually divided into 3 different spheres:

Operating Processes - these will differ dependent upon the organisation

Support Processes - these generally will be standard (HR, Finance etc)

Project Processes – will be similar around the two areas of Operate and Deliver

Operate – design, construct and use

Deliver - design and construct only

Slide17

Business Processes cont..

Essentially every organisation will have the following Business areas:

Support

Manage Human Resources

Manage Financial Strategy – Loans, Transfer Pricing, FOREX etc

Manage Financial Services – Payroll, Income, Expenditure etc

Manage Information & Technology Resources

Manage Physical Resources

Manage Corporate Organisation

Manage Legal Affairs – Contracts, Compliance with Laws etc

Manage External Relationships

Manage Internal Audit

Operating

Manage Production

Manage Supply Chain

Manage Delivery

Manage Stock

Projects

Manage Project Operate 1

Manage Project Operate 2

Manage Project Delivery 1

Manage Project Delivery 2

Slide18

The Process of Getting to Work

Night before, set the alarm clock

Get up when the alarm goes off

Have breakfast

Get transport to workplace, either train, bus or car

Walk to work station

Slide19

Business Process & Internal Audit

Why is this important to Internal Auditors

To understand risk and control you need to understand the process by which objectives are to be achieved.

The scenario of how you get to work can change; certain things can be done at a different stage of the process. For example, if you use your car, when do you fill it with petrol?

What you will do is to find the most efficient, effective way in which to achieve your objective.

This is exactly the same for a business; the process must reflect the most efficient and effective way of achieving the objective.

The auditor is then in a position to evaluate the business process not only to ensure that risks are being managed but also that the process is the best it could be.

Slide20

Understanding the Business

Requires the Internal Auditor to ensure that they understand what processes are undertaken and for what objective.

Slide21

Types of Risk

Inherent risk (sometimes called gross risk) is the risk that naturally exists before any action is taken to mitigate it. It is the product of likelihood (or probability) and impact.

Residual risk (sometimes called net risk) – the risk that inevitably remains after mitigation and making the assumption that the mitigating actions are effective.

Slide22

The Scenario - Getting to work

Risk in everyday life

Night before, set the alarm clock

Get up when the alarm goes off

Have breakfast

Get transport to workplace, either train, bus or car

Walk to work station

Slide23

What can go wrong?

Remember: Risk is an occurrence which will prevent you from achieving your desired objective.

What are the Risks, the Barriers, that prevent the objective being achieved?

Slide24

What can go wrong

Night before, set the alarm clock

Slide25

What can go wrong

Night before, set the alarm clock

Get up when the alarm goes off

Slide26

What can go wrong

Night before, set the alarm clock

Get up when the alarm goes off

Have breakfast

Slide27

What can go wrong

Night before, set the alarm clock

Get up when the alarm goes off

Have breakfast

Get transport to workplace, either train, bus or car

Slide28

What can go wrong

Night before, set the alarm clock

Get up when the alarm goes off

Have breakfast

Get transport to workplace, either train, bus or car

Walk to work station


Slide30

Risk Management

Slide31

COSO ERM FRAMEWORK

Slide32

COSO Enterprise Risk Management Framework cont..

Types of Objectives of an organisation

Components of Enterprise Risk Management

Business structure of an organisation

Slide33

Enterprise Risk Management Definition

Enterprise risk management is a process, effected by an entity’s board of directors, managers and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Slide34

Enterprise Risk Management

Risk Management includes identifying and assessing risks and then responding to them in a timely and appropriate manner.

Remember that the resources available for managing risks are finite and so the aim of risk management is to achieve an optimum response to risk, prioritised in accordance with an evaluation of the risks.

It is a process that should be used throughout the organisation.

Slide35

Enterprise Risk Management cont..

Attempts to ANTICIPATE the risks and put actions in place to try and stop them happening

Attempts to make the control specifically designed to deal with the specific risks in that organisation and proportionate to the significance of the risk

Is proactive rather than reactive

Is about making sure the important risks are managed, in the best way, at the right time

Is about making sure time, effort and resources are not wasted on the things that are unimportant or unlikely to happen

Slide36

Enterprise Risk Management cont..

ERM allows the important risks for the organisation to be identified.

It ensures that these risks are known to everyone and that there is therefore consistency about risk within the organisation.

It therefore provides valuable input to the Internal Audit risk assessment.

Slide37

Enterprise Risk Management cont..

There are numerous Risk Management Standards around the world, the most commonly accepted ones being:

ISO 31000

COSO ERM

IRM/Alarm/AIRMIC 2002 - A Risk Management Standard

AS/NZS Standard AS 4360 Risk management (AS/NZS 4360:2004)

Slide38

Types of Risk

Inherent risk (sometimes called gross risk) is the risk that naturally exists before any action is taken to mitigate it. It is the product of likelihood (or probability) and impact.

Residual risk (sometimes called net risk) – the risk that inevitably remains after mitigation and making the assumption that the mitigating actions are effective.

Slide39

Risk Impact and Likelihood

[Risk matrix: Impact (LOW, MEDIUM, HIGH) plotted against Likelihood (LOW, MEDIUM, HIGH)]

Risk is usually measured in terms of likelihood and Impact

Slide40

Treatment of Risk

Once Risk has been identified, then how should the organisation respond? Much will depend on the Risk Appetite of the Organisation, i.e. how much risk are they prepared to take, remembering that much risk can also be a business opportunity

Tolerate – this is the risk appetite

Treat - Establish an effective internal control regime

Transfer – Let someone else take the risk, the best example being Insurance

Terminate – Do not do this

Slide41

Risk and Process

You can only effectively treat risk if you have an understanding of the Business Process.

This allows you to identify the likelihood of the risk occurring and the impact that it will have if it occurs.

This gives you the opportunity to correctly identify the action to take and, in the case of Tolerate and Treat, to identify the appropriate internal controls.

Slide42

Enterprise Risk Management & Internal Audit

Often Risk Management and Risk Based Internal Audit get talked about as though they are the same thing. THEY ARE NOT.

Risk Management is an operational activity and for Internal Audit to be effective it has to be independent of operations.

There are however things that Internal Audit can do in respect of Risk Management.

Slide43

Internal Audit’s role

Slide44

Internal Control and Internal Audit

Slide45

Internal Controls

This is the last part of the approach to effective organisations

Identification of Organisational Objectives

Establishment of Business Processes

Risks to achieving Organisational Objectives

Internal Controls

Achievement of Organisational Objectives

Slide46

Internal Controls

This is the last part of the approach to effective organisations

Identification of Organisational Objectives

Establishment of Business Processes

Risks to achieving Organisational Objectives

Internal Controls

Achievement of Organisational Objectives

Each of these areas is a Management Responsibility.

Slide47

Internal Controls

Internal Control is the mechanism that organisations use to control/negate risk so that they can achieve their objectives.

It is important to understand that everyone in the organisation has responsibility for the effective operation of internal control, albeit at different levels.

Essentially the phrases “internal control” and “management control” are interchangeable.

Slide48

Internal Control Frameworks

Slide49

Internal Control Frameworks cont..

COSO – the major framework

Slide50

Internal Control Responsibility

Internal Control is the responsibility of everyone in the organisation

Management

Has the primary responsibility for the system of internal control

The CEO

He/she sets the ethical tone of the organisation.

In smaller organisations has an impact on all staff

In larger organisations impact is limited to senior management

The Board

Provides direction and ultimately has the responsibility

Everyone

Front line personnel have responsibility for putting internal controls in place and monitoring their effectiveness.

Slide51

Risk Based Internal Audit

Slide52

The Key Aim of a Risk Based Internal Audit Approach

Is to move Internal Audit through the developmental stages:

Hindsight

Insight

Foresight

Slide53

Risk Based Internal Audit Approach

Identify & understand Business Processes – provides Objectives

Identify & understand Risks in the Business – provides Risks

Identify & understand established controls – provides Controls

AUDIT – Evaluates operation of controls and if any control is missing

Provide a report linking the effectiveness of controls against identified risks and providing insight into whether the Business Process is effective, efficient and economic.

Slide54

Risk Based Internal Audit – 4 Stages

Slide55

Risk Based Internal Audit Approach

Opportunities for INSIGHT (some examples)

Are the Business Processes “fit for purpose”:

Will the process achieve the objective?

Does the process provide effectiveness, efficiency and economy?

Could the process be improved?

Is the internal control environment providing sufficient comfort that risks are being controlled?

Is the risk appetite understood and consistent through the organisation?

Is the risk identification and assessment process robust and consistent over the organisation?

Is there too much control?

Slide56

Risk Based Internal Audit Planning

Risk Assessment

IIA Standard 2010 Planning states “The Chief Audit Executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals”.

Important words

Risk based plan

Consistent with organisation's goals.

Slide57

Risk Based Internal Audit Planning cont..

Vast majority say they use risk-based methodologies when planning. But do they?

But, emerging risks present a challenge. How do you know about them?

Figures from 2017 Pulse of Internal Audit – IIA Inc

Slide58

Risk Based Internal Audit Planning cont..

So do you truly have a Risk Based Audit Approach?

If you never carry out a risk assessment? NO

If you only carry out a risk assessment once a year? With the frequency of technology change is this sufficient? NOT REALLY

If you never update the IA Plan? NO

Slide59

Risk Based Internal Audit Planning cont..

Steps you can take to build your Plan (obviously this will depend on your risk maturity):

Consult with Senior Management and confirm what they see as the key risks,

Review the Risk Register,

Corroborate the above risks, independently,

Prioritise the risks, Enterprise wide,

Determine the Business Processes largely responsible for mitigating the risks,

Using a transparent process, prioritise the business processes by risk,

This provides the baseline for the Internal Audit plan.

It then needs to be matched against available resources.

Slide60

Risk Based Internal Audit Planning cont..

The Plan is usually prepared annually in advance of the fiscal year commencement.

Many organisations now however operate a rolling planning process, having a continuing risk assessment leading to a planning process that is more dynamic. For example:

Has an annual formal risk exercise but works on a 3 month firm plan and a next three months draft plan, which can change.

Has an annual formal risk exercise but then a changeable plan which is worked out in liaison with the business units and the changing risk priorities.

Slide61

Risk Based Internal Audit Planning cont..

To be effective, it is suggested that an annual formal risk exercise is necessary but because of the changing risk situation that this is reviewed on a three to four monthly basis.

It is also appropriate for the Internal Audit Plan to be flexible around the 6 month period in order to reflect changing emphasis for audit as a result of the changing risk situation.

Richard Chambers, CEO and President of the Global IIA, says

“Internal Audit has to be able to audit at the speed of risk”

Slide62

Risk Based Internal Audit Engagements

Let's audit the journey to work

Night before, set the alarm clock

Get up when the alarm goes off

Have breakfast

Get transport to workplace, either train, bus or car

Walk to work station

Slide63

Risk Based Internal Audit Engagements cont..

Night before, set the alarm clock

Process step 1

Objective

To wake at the correct time

Risks

Alarm fails to sound

Controls

If battery powered, battery checked

If electric, plugged in

If manual, fully wound

For all, alarm mechanism checked that it is set for correct time

Slide64

Risk Based Internal Audit Engagements cont..

Get up when the alarm goes off

Process step 2

Objective

To ensure that you leave on time

Risks

You fail to get up

Controls

Alarm Clock has repeat mechanism

Slide65

Risk Based Internal Audit Engagements cont..

Have breakfast

Process step 3

Objective

To ensure that you are fit to attend work

Risks

You do not have breakfast foods available

Controls

Regular checks of food stocks in house

Regular shopping trips

Slide66

Risk Based Internal Audit Engagements cont..

Get transport to workplace, either train, bus or car

Process step 4

Objective

To ensure you are at work on time

Risks

Miss the bus or train

Car fails to start

Controls

Ensure that times of trains/buses are known

Regularly service car

Ensure that car has sufficient fuel

Slide67

Risk Based Internal Audit Engagements cont..

Walk to work station

Process step 5

Objective

To arrive on time

Risks

Get lost

Fall over

Controls

Make sure you are aware of time

Ensure you know the location you require

Slide68

The Risk Based Internal Audit Approach

Planning the Engagement

From Management, determine the objectives of the Business Process.

Using the Business Process Map determine the key risks to achieving the Business Objective.

Consider findings from previous audits, if any exist.

Identify the key controls that will negate the impact of the risk.

At this stage identify both existing controls and potential controls that are missing.

Establish at this stage your preliminary evaluation which will prioritise your testing.

Design your testing

Slide69

Testing the Robustness of the Process

Testing

Remember that Management do not want to just know that things are going wrong but they want to know why things have gone wrong and what needs to be done to correct it.

Remember INSIGHT

To be able to correct things we need to know why they went wrong

So we need to ask the 5 Whys

Why did it go wrong?

Why did that happen?

What was the reason that happened?

Why did that happen?

Why did it occur?

Slide70

Testing Reveals the Root Cause of Failure

To provide Value to Management you need to identify the root cause(s) – there may be more than one

Slide71

The Findings

Management do not want to be told the symptoms – i.e. the problem

They want to be told the solution.

To do this the internal auditor needs to identify the underlying cause – that cannot be seen.

Identifying the root cause means adopting a questioning nature, and to continue questioning until you are satisfied there is nothing more.

Once you get there, you can tackle the underlying problem and your recommendations will provide real value.

Slide72

Risk Based Internal Audit Findings

Reiterating the basic control requirements will not improve the Internal Control environment. The recommendation needs to tackle the reasons why control was circumvented, to prevent it happening in the future.

Identify the root cause of the control breakdown and then suggest how it can be fixed.

Slide73

The Risk Based Internal Audit Evaluation

In order to compile an objective evaluation of the audit area, it is preferable to have all the records of the assignment in one place.

This can be done on a Form RICE (Risk and Internal Control Evaluation).

Using this form, in either WORD or EXCEL, allows the evaluation to be updated as the audit proceeds and provides a continuing assessment of the audit.
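The following is an added example, not from the original presentation, that ties together the risk concepts of Slides 38-40 (inherent versus residual risk, the likelihood x impact matrix, the Tolerate/Treat/Transfer/Terminate choice), the plan-building steps of Slide 59 (prioritise business processes by risk) and the per-step engagement records of Slides 63-67, in the shape of a RICE-style record. Everything numeric is an assumption for illustration: the LOW/MEDIUM/HIGH scale is scored 1 to 3, each control in place is assumed to remove a fixed fraction of the remaining likelihood, the band boundaries and the Tolerate/Treat rule are illustrative policy, and the sample records are constructed from the "getting to work" scenario.

```python
"""Constructed RICE-style record for the slides' 'getting to work' scenario.

Added example, not from the original presentation. Assumptions: the
LOW/MEDIUM/HIGH matrix is scored 1-3, inherent risk is the likelihood x
impact product, each control that is in place removes a fixed fraction of
the remaining likelihood, and the treatment rule is an illustrative policy.
"""
from dataclasses import dataclass, field

SCALE = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # assumed ordinal scale


def band(score: float) -> str:
    """Map a likelihood x impact score (1..9) back onto the slides' bands.
    Band boundaries are an assumption."""
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


@dataclass
class Control:
    description: str
    effectiveness: float      # assumed fraction of likelihood removed (0..1)
    in_place: bool = True     # False = control identified but missing


@dataclass
class Risk:
    description: str
    likelihood: str           # LOW / MEDIUM / HIGH
    impact: str               # LOW / MEDIUM / HIGH
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Inherent (gross) risk: likelihood x impact before any mitigation."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual(self) -> float:
        """Residual (net) risk: what remains assuming the controls that are
        in place operate effectively; missing controls contribute nothing."""
        remaining = SCALE[self.likelihood]
        for control in self.controls:
            if control.in_place:
                remaining *= 1 - control.effectiveness
        return round(remaining * SCALE[self.impact], 2)

    def missing_controls(self) -> list:
        return [c.description for c in self.controls if not c.in_place]


@dataclass
class ProcessStep:
    step: str
    objective: str
    risks: list

    def residual(self) -> float:
        return max(r.residual() for r in self.risks)


def treatment(risk: Risk, appetite: float) -> str:
    """Assumed rule: within appetite -> Tolerate; above appetite with a known
    missing control -> Treat; otherwise escalate the Transfer/Terminate choice."""
    if risk.residual() <= appetite:
        return "Tolerate"
    if risk.missing_controls():
        return "Treat"
    return "Transfer/Terminate (management decision)"


def prioritise(steps: list, appetite: float) -> list:
    """Rank process steps by residual risk, highest first: the baseline for
    the audit plan. Returns (step, residual, treatment of the top risk)."""
    ranked = sorted(steps, key=lambda s: s.residual(), reverse=True)
    out = []
    for step in ranked:
        top = max(step.risks, key=lambda r: r.residual())
        out.append((step.step, step.residual(), treatment(top, appetite)))
    return out


def sample_rice() -> list:
    """Constructed records for three steps of the 'getting to work' process."""
    return [
        ProcessStep("Night before, set the alarm clock", "To wake at the correct time", [
            Risk("Alarm fails to sound", "MEDIUM", "HIGH", [
                Control("Battery checked", 0.5),
                Control("Alarm mechanism checked for correct time", 0.5),
            ])]),
        ProcessStep("Get transport to workplace", "To ensure you are at work on time", [
            Risk("Car fails to start", "MEDIUM", "HIGH", [
                Control("Regularly service car", 0.5),
                Control("Ensure that car has sufficient fuel", 0.4, in_place=False),
            ])]),
        ProcessStep("Walk to work station", "To arrive on time", [
            Risk("Get lost", "LOW", "MEDIUM", [
                Control("Ensure you know the location you require", 0.8),
            ])]),
    ]


if __name__ == "__main__":
    for step, residual, action in prioritise(sample_rice(), appetite=2.0):
        print(f"{residual:>4}  {band(residual):<6} {action:<38} {step}")
```

Run as a script, the record ranks the transport step first: its only in-place control halves the likelihood, the fuel check is recorded as missing, so the residual of 3.0 sits above the assumed appetite of 2.0 and the step is flagged "Treat". The alarm step has the same inherent score (6, HIGH) but two in-place controls bring it inside appetite, which is the inherent versus residual distinction the slides draw. Keeping the missing control in the record, rather than dropping it, is what lets the report link the recommendation to the specific control gap.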

Slide74

Risk Based Internal Audit Results Record

Slide75

Qualified Personnel

Slide76

Value in Qualification

Internal audit is a complex and fast evolving field

Qualification shows both Employer and Auditee that you have the necessary knowledge and expertise to undertake the work

Professional qualification gives auditors the confidence to succeed

The qualifications are recognised internationally.

Slide77

Adding Value?

Encourage Qualification

Have systems in place to recognise and reward professional and educational qualifications that provide a basis for the employee to understand the ethos behind the profession. Studies have shown that qualification has a positive effect on fraud deterrence as well as its positive impact on the competence of the employee

Slide78

Which Qualification

Certified Internal Auditor is a globally-recognised qualification that provides a firm foundation for a career in internal auditing. When you study the CIA you’ll learn about internal audit theory and the core frameworks, including the International Standards, and how to plan and perform an internal audit engagement. You will also be introduced to the concepts of internal control, risk, governance and technology.

Becoming a CIA will:

Demonstrate your proficiency and professionalism

Distinguish you from your peers

Develop your knowledge of best practices in the industry

Lay a foundation for continued improvement and advancement

Slide79

Audits to Consider

Slide80

Common Areas of Audit

Top Areas of Focus (CEO)

Area  Rate
1. Financial-related  22%
2. Operational  17%
3. Compliance/Regulatory  16%
4. IT and Cybersecurity  16%
5. Risk Management  6%
6. Governance and Culture  4%

Source: 2018 North America Pulse of Internal Audit: The Internal Audit Transformation Imperative IIA Audit Executive Center © 2018 The Institute of Internal Auditors

Survey carried out in the US so SARBOX scores highly

Slide81

Global Findings for Audit Areas

Slide82

Major Differences

Differences from North America to Global:

Compliance and Regulatory remains about the same (16% to 15%)

Sarbanes Oxley reduces from 14% to 5%

Operational falls from 17% to 14%

Financial Audit remains about the same (9% to 8%)

ERM coverage increases from 6% to 10%

Fraud Investigation increases from 5% to 7%

Equal on Cyber Security (7%) and IT Audit (9%)

Governance & Culture increases from 4% to 6%

Sustainability & non-financial reporting audit is listed separately in Global

Globally almost 30% of the Audit Plan covers Operational and Regulatory Audits,

In North America, the figure is 33% with another 14% spent on SarBox work

Slide83

Slide84

So what to Audit

If an Organisation relies upon its Strategy to determine the path to meeting its objectives

If Culture eats Strategy for Breakfast

If Internal Audit’s role is to ensure that the mechanisms are in place for the organisation to meet its objectives

Then Culture needs to be audited

Slide85

Culture – The Outsourcing Firm

Slide86

Carillion

Slide87

The costs of a Toxic Culture

Slide88

Culture – The Banking Firm

Wells Fargo - Bank employees opened millions of credit-card accounts customers hadn’t approved in order to hit profit targets

As of October 1, 2016 the bank eliminated product sales goals for its retail banking team. It also appointed a new community banking chief, and fired about 5,300 employees connected to the scandal.

SALES TARGETS DRIVING THE WRONG BEHAVIOUR

Slide89

Toxic Culture – Political Fallout

You knew there was a problem, and when you were asked about it, you lied. This is about personal responsibility. Wells Fargo cheated millions of people for years… Mr. Sloan, you say you've been making changes at Wells Fargo for 30 years, but you enabled this fake account scam, you got rich off it, and then you tried to cover it up. At best, you are incompetent. At worst, you are complicit. Either way, you should be fired.

Senator Warren’s comments to the Wells Fargo CEO

Slide90

Toxic Culture – Legal Fallout

Slide91

Adding Value – Audit Culture

CEOs and CFOs See Culture As Critical

Over 90% believe culture is important

92% believe improving their culture would improve value of the company

Over 50% believe culture influences: Productivity, Creativity, Profitability, Firm value and growth rates

Yet, only 15% believe their corporate culture is where it needs to be

Source: “Corporate Culture: Evidence from the Field,” Graham, Harvey, Popadak, and Rajgopal; Duke University, 2015

Slide92

What is audited in Culture

Control Systems

Stories and Symbols

Organisation Structure

Processes

Ritual and Routines

Power Structures

The Cultural Paradigm

We have to learn to audit the culture of the company using the areas making up the Paradigm

Slide93

The Fourth Industrial Revolution bringing Digital disruption

The Speed of Business Change

Slide94

Non Technology Business Change

Excluding Technology we have

Policy, the free trade policy after World War II, and the current potential for a Trade War between the USA and China

Demographics, such as baby booms or ageing populations

More Females working, more educated population and more people being educated, speed of communication from telegraph to text.

Slide95

Business Change means IA change

Change means that Internal Audit have to:

Keep in touch with changes in the business

Have the skills to appreciate the changes happening

Adapt Internal Audit processes to respond to changes

Employ innovative internal audit methods

Slide96

Life is changing through Technology

At the moment your alarm clock and Coffee machine rely upon input from you, to set the time and to turn them on or to set them for an automatic turn on.

In the future ……

Slide97

Audit the various Technology Risks

Ensure that Internal Audit has a role in Cloud Computing

Internal Audit should examine:

The Cloud strategy

Evaluation of Vendors

Implementation of the Model

Vendor monitoring

Security

Internal Audit is changing through technology

Embrace technology to make the Internal Audit process more efficient, using an Audit Management System to monitor every aspect of the audit process

Fully Integrated, end-to-end audit management system:

Audit Planning and Scheduling

Audit Universe and Risk Assessment

Audit Management

Recommendations and Follow-Up

Questionnaires

Reporting

Slide98

Technology Allows more Effective Testing

Use Data Analytics

The results indicate that, similar to our prior year results, a majority of analytics functions are at a relatively immature state. While many internal audit functions are making some progress in growing their analytic capabilities, there is more work to do.

Source: Protiviti’s 2018 Internal Audit Capabilities and Needs Survey

Slide99

Internal Audit’s response to Technology change?

“The real pitfall for Internal Audit is if they don’t stay current on new technologies then they won’t have a seat at the table and be perceived to be adding value; they need to stay current (not be experts) to stay relevant.”

Alvin Bledsoe, Audit Committee Chair, SunCoke Energy

PWC 2018 State of the Internal Audit Profession Study

Slide100

The Internet of Things

The Internet of Things (IoT) will dramatically change the way that we live.

But it provides more and more opportunities for security lapses.

Slide101

Increasing Technology brings new risks

Slide102

Slide103

Cyber Security

Number 3 Risk.

Our organisation may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage the brand

Source: Executive perspectives of Top Risks 2018, Protiviti & North Carolina State University’s ERM Initiative

This has been a consistently rated risk over the past three years

Slide104

The Three Lines of Defence in a Cyber Context

Source: At the junction of Corporate Governance and Cyber Security, FERMA & ECIIA - 2017

Re-visualising the 3 Lines of Defence within a Digital context

Slide105

Adding Value in the field of Cyber Security

As the third line of defence, Internal Audit is responsible for providing an objective and independent assurance that the first and second lines of defence are functioning as designed, and looks at the overall coherence and consistency of the information security programme of the organisation. It should provide at least an annual health check to the Board on the state of that programme.

Source: At the junction of Corporate Governance and Cyber Security, FERMA & ECIIA - 2017

Slide106

Internal Audit can only do so much

However, IA can only add value if they are listened to and action is taken

Slide107

Cyber Security - Phishing

Audit the defences against Phishing

This email, personalised to someone in the Financial department had an attachment, allegedly the invoice.

However, if you clicked on the attachment you released malware that infected your computer.

I have received a number of these over the last year.

Response is through User Education including simulated Phishing emails

This email address does not tie in to the sender being a bank

Slide108

Look for Guidance

Audit Smart Devices in the same way that you used to audit Computers

Slide109

Slide110

Agility

Source: 2018 Pulse of North American Internal Audit IIA

To respond to the Changes and the pace at which they occur, Internal Audit must be Agile, ready to embrace new techniques and practices at the earliest opportunity

Slide111

What Does Agility mean?

“Agile focuses on continuous improvement, scope flexibility, team input, and delivering essential products, whether applied to software development or audits. This involves close collaboration across audits and function members, auditee collaboration (whilst maintaining independence), and responding to changing requirements during audits and the delivery of audit plans.”

Source: Risk in Focus: Hot Topics for Internal Audit 2018, report issued by the European Confederation of Institutes of Internal Auditing

Slide112

Adding Value by an Agile Audit

The IIA recommends:

Change in mindset

Prepare to quickly refocus on disruptive risks & opportunities

Prioritise work on what matters most

Create teams with the right blend of skills

Coordinate with other resources in the organisation

Slide113

Conclusion

To be future proof Internal Audit needs processes in place to tackle the changing environment

Technology – be aware of technology threats and harness technology to provide an improved customer service

Agile – be able to react quickly to changing circumstances

Culture – audit Culture

Knowledge – be knowledgeable about business processes, risks, profitability and internal control

Listening – listen to what your customers want, learn and, if appropriate, deliver

Expectations – understand what your customers’ expectations are and resolve differences between expectation and delivery

Slide114

Thank You

Phil Tarling

Internal Audit Consultant

Tel: +441329282155

Mob: +447802656986

Email: Phil.tarling@outlook.com

http://www.tarlingassurancerisk.co.uk
