‘Mind the Gap’ - IIA Congres/2015/Presentaties/IIA_Congres_2015... · and need to evolve their...
‘Mind the Gap’ Assuring Stakeholders of
Internal Audit’s Value
Anton van Wyk, CIA, QIAL, CRMA
IIA Global Chairman
2014/2015
About the Speaker
• Global Chairman of the IIA
• Partner at PwC – Leader of the
African Risk Assurance practice
• Member of the King Committee on
Governance
• Chairman of the South African
Corporate Governance Network
• Nearly 30 years of experience in
Internal Audit, Risk Management and
Corporate Governance.
• IIA volunteer since 1987
Anton van Wyk
CIA, QIAL, CRMA, CD (SA)
Global Chairman of the Board
The Institute of Internal Auditors
A period of rapid transformation
As macro and market trends evolve rapidly, the business
environment looks very different to a few years ago.
• Risks are increasing – landscapes are changing
• Businesses have either gone through or are currently going
through a business transformation
Market & Macro forces creating the biggest challenges
• Regulatory complexity: 77%
• Data security and privacy: 74%
• Cost pressures: 69%
Global Mega Trends
Inter-related forces are causing the world to change at an ever-faster pace.
• Demographic shifts
• Accelerating urbanisation
• Climate change and resource scarcity
• Shifts in global economic power
• Technological breakthroughs
CAEs need to become hybrid leaders, planning for today while
looking beyond the horizon at fast approaching and emerging
risk and creating their audit plans of tomorrow.
Changing business and risk
landscape
CAEs acknowledge the changing business and risk landscape
and need to evolve their functions.
• Increase provision of value-added services and
proactive advice for the business
• Need to start doing this soon to remain relevant
• Stakeholders expect internal audit to extend its traditional
assurance provider role into a more proactive trusted
advisor role
Internal Audit is evolving from its current state to where it wants to be. This requires innovation and the ability to ask ‘What should we do?’, not ‘What can we do?’
Mind the Gap – key messages
• Coordinate efforts among all lines of defence
– Failure to do this exposes capability gaps in overall defence
– Need courage in challenging effectiveness of all lines of defence
– Must take action against ‘sloppiness’ at first line
• assurance from management
– Imperative to understand the changing risk landscape - adapt
• think holistically about risk – understand the inter-related
issues
• Agile and nimble in our ever-changing global risk landscape
– Unpack societal and stakeholder profit demands
– Leap into the horizon – scan future scenarios
• Courageously enter the fray
– Be independent – judge objectively
Build trust – ‘Delivering Peace of
Mind’
Broaden your thinking beyond traditional business areas.
Considering other relationships where trust is required to help think of the potential outcome of our services and the wide range of ‘information’ that is needed to make decisions.
How?
• Review, Analysis, Verification, Opinions, Advice, Insights, Measurement, Ratings, Predictions
Who?
• Consumers, Suppliers, Regulators, Governments, Owners, Employers, Investors, Management
What?
• Strategy and plans
• Information
• Systems, processes and controls
• Contracts, promises and commitments
• Data
• Behaviours, cultures and values
Inspiring a movement of trust
Mind the Gap – key messages
• Capitalise on our probing minds: ‘Build Trust – Deliver Peace of
Mind’
– Leverage business strategy discussions
– How the organisation will grow, meeting profit and societal
demands
– How and when strategy is discussed – who is involved
– Did the board help shape strategy
– Challenge assumptions about future opportunities and
threats
• Foster greater organisational interaction around the changing
risk landscape
– Coordinate plans to respond to this changing environment
Mind the Gap – key messages
• Courageously hold a steady hand on activities, external
and internal to the organisation
– Participate in complex discussions
– Confirm transparent information flows
– Assist in developing social media governance
processes
• Connect with the CEO
– Leverage critical business developments
Mind the Gap – key messages
• Be in tune with executive management and the audit
committee
– Understand needs, interests and expectations – have a
game plan
– Place focus on
• risk complexity and unpredictability
• business model changes
• technological advances
• sustainability
• Provide value and impactful results through reporting
– The right information, succinctly
– Objectiveness
Leveraging data to provide direction
Internal Audit organisations that transform in pace with the business are more
advanced in their use of data analytics, including its wider application:
• Risk identification
• Audit planning
• Continuous auditing
• Continuous monitoring
PwC’s 2015 SOTP
Most CAEs report they use analytics in some audits for audit execution but less than half use analytics for making scoping decisions and even less use analytics to complete their risk assessment.
[Chart: use of data analytics by area (Anti-money laundering, Vendor analysis, Risk analytics, Compliance monitoring of operational controls, Fraud management); series: “We currently use data analytics in this area” and “We don't use data analytics in this area but plan to.”]
Mind the Gap – key messages
• Balance dynamics
– Beware of dangerous blind spots
– Skill up
– Take a continuous improvement approach
• Collect, understand and interpret stakeholder
expectations
– Improve quality of planning decision
– Introduce processes to govern stakeholder
relationships
– Maintain permanent stakeholder dialogue
– Confirm what are the ‘big agenda’ items
Mind the Gap – key messages
• Consider if the organisation is a likely target of
– cyber attacks
– privacy breaches
• Which are the organisation’s high value assets, where they are and
who protects them
• Integrated thinking and reporting
– Financial stability and s y
– Capacity and skill to respond
– Understand what type of corporate social responsibility
reporting management provides
– both as mandated and voluntarily, and
– how management assures the information is reliable
Strengthen Audit committee relationship
• Expand IA’s role in risk management oversight
• Increase information technology scope
• Define role internal audit should play to provide maximum value
• Confirm Audit Committee’s support for internal audit is visible to
management
• Audit committee charter adequately articulates the Committee’s
– needs and expectations from the CAE – review annually
• Discuss strengths and weaknesses of internal control & risk
management systems
• Provide assurance with insight
• Define AC / CAE meeting schedule and agenda
• Highlight how effective IA is working with “second line” functions
• CAE needs to focus its attention to ensure success and personal
effectiveness
– key to building trust and overcoming resistance
Focus on Value
[Figure: staircase of internal audit roles; axes: Function/Role and Perceived Value. Unrealised value is closed by: Align expectations, Build capabilities, Deliver quality, Increase value]
• Assurance provider: Delivering objective assurance of the
effectiveness of an organisation’s internal controls
• Problem solver: Bringing analysis & perspective on root
causes of issues identified to help business units take corrective action
• Insight generator: Proactive role in suggesting meaningful
improvements and providing integrated risk assurance
• Trusted advisor: Providing value-added services and proactive
strategic advice well beyond the execution of the audit plan
Navigating the terrain – Risk focus
• Internal Audit functions considered by stakeholders to be contributing significant
value are involved in transformational initiatives up to twice as frequently as
their peers and are performing far better at focusing on the critical risks and
issues the company is facing.
[Chart: point at which internal audit addresses risk. Categories: Providing a proactive perspective and recommendations on internal control before risk occurrence (callout: compared with 19% of other internal audit functions); Auditing processes and controls for mitigating risk after risk occurrence (in response to risk occurrence); Auditing processes and controls for mitigating risk once they are in place, but before risk occurrence; Identifying risk during the annual risk assessment process]
Risk and business alignment
Strong alignment results in:
• Less risk management fatigue among
participants
• Far greater efficiency
• Much better visibility to the information
produced by other lines of defense
• Better overall risk management for the
enterprise.
Organisations in which internal audit contributes significant value
report their functions are better aligned with the company’s risk
management program
Areas of alignment
• Enterprise risk management
• Ethics and compliance
• Environmental Health & Safety
• Loss prevention
PwC’s 2015 SOTP
IT Oversight ─ Introduction
The “IT confidence gap”
Most directors are between 60 and 70 — majority of
professional lives in pre-digital era
Rapid pace of technological
change
Less than 1% of directors have
been or are currently CIOs
IT can be a complicated and
intimidating subject
Highly technical jargon
Directors want more information
to better understand IT
Board time is at a premium: majority of directors spend only 5% of their
board hours on IT
Lack of IT guidance for
boards
60% of boards want to spend
more time on IT
Directors want their organisation’s strategy and IT risk mitigation better supported through improved IT understanding at the board level
Monitoring IT – Internal audit’s process
• Identify key IT metrics / budget
• Get regular updates on IT
priorities
• IT resource bench strength
• Evaluate top IT risks / mitigation
• Prevention & detection
• Is social media commentary
monitored
• IT system implementations
• IT outsourcing
• Level of IP
The “IT Oversight Framework”
Help conquer the “IT confidence gap”
• Step 1: Assessment
• Step 2: Approach
• Step 3: Prioritisation
• Step 4: Strategy
• Step 5: Risk
• Step 6: Monitoring
Internal Audit – Performance and
Value Metrics
• Measure involvement and value provided in all key initiatives and emerging
risk areas
• Provide macro/horizontal views on key issues and areas of critical risk to
the organisation
• Be a “change agent” in the organisation – IA’s influence in improving the
overall control environment year on year
• Develop annual “voice of the stakeholder” survey
• Answer questions from the Board and Management
• Enhance the value of recommendations provided
• Facilitate cost savings and revenue enhancement based on internal audit
recommendations and findings
Internal audit must be aligned with the expectations of its stakeholders in order
to strategically build the right capabilities and raise its performance and value.
Taking action
CAEs
Where are you headed?
• Do you have the right mindset to
innovate and evolve your Internal
Audit function?
• Is your function providing a
proactive perspective on the
changing risk landscape?
• Are you evolving your talent to
address the most significant risks
of your business?
• Are you being proactive in
aligning with the second lines of
defense?
• Are you providing better business
insights through broad use of
data?
• Do you have a strategic plan to
remain relevant as your business
changes?
Stakeholders
Is Internal Audit heading in the right
direction?
• Have you shifted your mindset
about Internal Audit to require
more value?
• Are you enabling Internal Audit to
bring value to the organization?
• Do you ask for a common view of
risks across the lines of defense?
• Is the information you are getting
from Internal Audit valuable in
providing insights into business
risk?
• Do you understand Internal
Audit’s strategic plan to keep
pace with the business?
Achieving alignment of expectations and critical risks is a significant step towards
internal audit improving its credibility, relevance and value to the business.
Credible, Connected, Competent,
Communicate & Courage
• Connect with the audit committee, confirm traditional coverage, such as financial controls,
fraud and ethics – propose increased coverage in less traditional areas
• Communicate the value you bring to the organisation through the recommendations
you provide and your involvement in emerging issues.
• Show courage, leveraging strategy, probing assumptions across the organisation in
order to stay the course of alignment on expectations whilst delivering value.
• Show competence in being able to tell the story and not just write it – help solve
problems through objective eyes.