Leading business advisers. Head of Internal Audit Survey 2014 Capturing insight

Transcription

1 Leading business advisers Head of Internal Audit Survey 2014 Capturing insight

2 Contents Executive summary Key observations About the survey Key findings Section 1: Purpose and position - Roles of internal audit and keys risks and challenges Section 2: Process - Methodologies of internal audit Section 3: Performance - Reporting Section 4: People - Resources About Deloitte Internal Audit

3 Executive summary I m delighted to present the inaugural Deloitte Head of Internal Audit Survey. The survey spans a number of industries including financial services, consumer business and the public sector. Our objective in carrying out this survey is to capture the key issues and challenges currently facing Heads of Internal Audit. In recent years we have seen increased demands placed on our profession by various stakeholders and many functions have seen operational changes to their remits and roles. One of the biggest risks facing organisations is compliance with regulation and government policies. This risk is compounded by the number of regulatory and legislative changes being introduced both locally and internationally. The second most significant risk is reputation and brand. We are all very aware of the time and effort it takes to develop a positive reputation and brand, and how quickly this can be lost by actions or inactions. As internal auditors we need to ask ourselves whether our internal audit plans and scoping plans consider brand and reputation. As a profession we are always asked who audits internal audit?. Interestingly, less than 30% of respondents conduct an independent quality assurance review at least every three years. Throughout our survey a number of key themes were also highlighted including the extra demands on internal audit functions in terms of increased reporting requirements; additional risks such as IT security; and expanded roles such as risk advisory are evident from the responses; all against the backdrop of resourcing issues. When working with our clients in assessing internal audit functions we take a focused approach across five key areas (the five Ps): 1. Purpose 2. Position 3. Process 4. Performance 5. People We have aligned the results of the survey against these areas and summarised the key observations. We hope you find this report both helpful and insightful in benchmarking your function and that it assists you in developing in order to meet increasing demands. David Kinsella, Partner, Enterprise Risk Services, Deloitte 3

4 Key observations % 61% 61% of respondents rated regulation and government policy as being one of the top five risks facing their organisation. over 30% 74% of respondents noted an increase in stakeholder expectations. Over 30% of respondents do not complete an independent assessment of their IA function, yet 95% state that their methodology is consistent with IIA standards. 95% 4

5 % 66% of respondents currently use external providers to supplement their own resources via outsourcing, co-sourcing, and utilisation of subject matter experts. 54% of respondents revealed that their IA function have roles in BAU and advisory activities, a number that we would perceive as being relatively low. 66% 54% 76% of respondents have identified the need for additional skills. 5

6 Key observations Purpose and position The survey highlights the increased expectations on the scope of internal audit, along with increased communication with the business. The positioning of internal audit and the associated reporting lines have always been areas of diversity, and the survey re-affirms this, although there are indications that the sector in which you operate plays a key role in determining reporting lines. However, as the primary responsibility is to the audit committee/ Board the challenge is to ensure independence is not impinged. Process It is encouraging to see that 97% of respondents have, and follow, a formal methodology which most believe is consistent with the IIA standards. However, this is contradicted somewhat by the level of entities conducting quality assurance reviews. The question of rating the overall report is an issue we face with clients all the time. As a profession, internal auditors seem to have accepted the value of this approach, which is consistent with the survey findings. One of the key challenges is working with other internal assurance providers within the organisation to develop a consistent rating system in order to assist the stakeholders i.e. is a high risk in an internal audit report/risk assessment consistent with the risk function s definition. Performance Self-assessment and informal feedback are useful tools in assessing performance; however, the value of an independent review cannot be underestimated in helping benchmark against standards and best practice. People With increasing demands, it is not surprising that the need for additional and new skillsets is a common theme with respondents. One of the key challenges is maximising very specific skillsets and hence why the vast majority of respondents are utilising service providers for access to specialist skills when needed. Overall assessment: The findings of our survey highlight the significant challenges faced in terms of expanding roles, emergence of new risks, greater stakeholder scrutiny and resourcing pressures. As organisations and industries develop and change, the internal audit function must also develop in terms of skillsets, approaches, and utilisation of tools to ensure it adequately serves audit committees/boards, and other stakeholders. At Deloitte, we are committed to supporting Heads of Internal Audit and internal audit professionals keep up to date with the latest developments facing their profession, so please visit for our latest insights and thought leadership. 6

7 About the survey We conducted this survey in late 2013 in order to reveal insights and observations of internal audit practices in Ireland. Participants were from a range of different sized companies, operating across financial services, consumer and technology business and the public sector. Whilst each sector has unique attributes, many of the issues and challenges facing the profession are consistent as demonstrated throughout the survey. Figure (i) Primary sector of the organisation surveyed These sectors are made of respondents from various different industries being: 31% 45% Financial services Consumer and technology business Public sector Financial services Banking Insurance Stockbroking Fund industry Consumer and technology business Technology Consumer business Manufacturing Public sector Government department Regulatory body Commercial state body Government agency Other 24% 7

8 Section 1: Purpose and position In this section, we assess how the internal audit function is perceived and their positioning within their organisation. We asked internal auditors if their role has changed and what their level of communication and input is within the business. Respondents to this survey provided a clear message stating that internal audit has featured far more prominently in entities over the past three years. With 74% of respondents confirming that expectations of internal audit have changed over the past three years, this is very much in correlation with the 63% who reveal that their scope has widened. Figure 1 In your opinion, have stakeholder expectations of internal audit in your organisation changed over the past three years? Figure 2 Has the scope of your internal audit function widened to incorporate additional processes /risks e.g. IT security in recent years? 26% 37% 63% 74% 8

9 The majority of respondents highlighted that they are performing multiple functions as part of their role, with 92% performing process reviews, 78% performing controls development, and over 81% acting as a risk management adviser to the business. In addition, 34% of respondents have further responsibilities including advisory, compliance, and corporate governance roles. Alongside this, with respect to business advisory and business as usual (BAU) activities, 54% of respondents said that their internal audit function plays a role in business advisory and business as usual activities, including providing their services in terms of process changes and change programmes, independent advice, due diligence, and development of processes/policies. One of the challenges many internal audit functions face is balancing the need for independence and supporting the business, hence the absence of a clear indicator. Figure 3 In your opinion, what are the key roles that your IA function performs? Figure 4 Does your internal audit function have any role in business as usual or advisory activities? Process reviews 92.1% 46% Controls development Risk management adviser 78.9% 81.6% 54% Other 34.2%

10 A large majority (70%) of respondents have highlighted an increase in the frequency of communications with the business in recent years. This suggests a dramatic increase in embedding a risk culture within organisations, and is also representative of the ever-evolving increase in regulation. 73% of respondents have increased face to face contact with the business, conveying an increased reliance on and involvement of internal audit in both a risk advisory and a business partnering capacity. In addition, these results correlate with those outlined by respondents as their role as a trusted adviser to the business. One of the key focuses for Heads of Internal Audit is the risk profile of the organisation. In this section we focus on where they see continuous improvement requirements for their businesses, including the current position of risks, challenges facing the respective organisations and an assessment of how these risks are being managed. The risk most organisations felt they needed to mitigate against, with 61% ranking this as a top five risk, is regulation and government policies. This is to be expected, with a huge shift in focus towards increased regulation being apparent in most industries in the last five years. It should also be noted that this risk was just as prevalent in responses from those organisations in the nonfinancial services sectors, as those in the financial services sector. Interestingly, reputation and brand is seen as the next biggest area of focus, with 58% of respondents highlighting this as a top five risk. The significant efforts that go into developing and promoting brands means that this result is not a surprise. The challenge facing all internal auditors irrespective of your industry is are you considering this risk? Figure 5 - Have the nature and frequency of communications with the business changed in recent years? Figure 6 - Rank the following risks in order of priority for your organisation 30% 0% 70% 5% 22% 73% Data protection and security Talent and labour Economic uncertainty 39% 42% 53% 61% 58% Regulation and government policies Reputation and brand 10 More frequent Less frequent Same frequency More frequent Less frequent Same frequency

11 Following on from the identification of what are envisaged as the top five key risks for organisations, it is intriguing to note that between 31% and 61% of respondents believe that the way these risks are being managed by their organisations is poor or requires some improvement. While economic uncertainty, regulation and government policies are mainly beyond the control of organisations, it is interesting to note that only 39% and 49% of respondents believe that the risks posed by talent and labour and data protection and security to their businesses respectively, are being well managed. Considering the importance of reputation and brand being highlighted by respondents, it is alarming that only 49% of respondents see data protection as being well managed. Over half of respondents believe that the management of these top five risks has improved over the past three years. The lack of measurable improvement in risk management as noted in figure 8, has led to these risks not being well managed in some organisations. It is of some concern that 6% of those surveyed believe that the management of data protection and security has declined over the course of the last three years, which may be as a result of the increase in cybercrime activity and emerging technologies. The 2013 Deloitte Ireland Information Security and Cybercrime Survey explores this issue in more detail, and can be found at ie/en/pages/about-deloitte/articles/cybercrime.html An interesting insight into the position of internal audit across the various industries is the diversity in reporting lines for heads of internal audit. These range from reporting directly to the CEO, CFO, company secretary, global heads of internal audit, and other levels below the CEO. In addition, some respondents noted that they only report directly to the audit committee. This diverse nature of reporting lines highlights the differing positions internal audit hold, depending on the type of organisation, and the industry in which they sit. Figure 7 - In order to assess how well critical risks are managed in your organisation, please indicate for each of the top five risks how well you consider them to be managed by your organisation. Figure 8 - Please indicate if the management of each of these top five risks has improved, disimproved, or stayed the same over the past three years. t well managed Requires improvement Well managed Improved Stayed the same Disimproved Reputation and brand Regulation and government policies Economic uncertainty Talent and labour Data protection and security 0% 32% 68% 0% 31% 69% 4% 48% 48% 3% 58% 39% 4% 46% 49% Reputation and brand Regulation and government policies Economic uncertainty Talent and labour Data protection and security 56% 41% 3% 61% 39% 0% 60% 40% 0% 51% 37% 11% 76% 18% 6%

12 Section 2: Process This section focuses on the delivery and processes carried out by internal audit functions within the organisations surveyed. This includes insights on the approach taken by the internal audit functions, and the measures taken to ensure that their functions are operating efficiently and effectively, and in line with best practice. In addition, we review reporting by internal audit, and how this is structured and relayed to the business. In terms of how internal audit functions operate, 97% of respondents confirmed that they operate via a specific methodology, with 95% of respondents further endorsing that their methodology is consistent with the IIA standards. Figure 9 - Is a formal methodology followed for all audit assignments? Figure 10 Is your methodology consistent with IIA international standards? 3% 5% 97% 95% 12

13 The results show that 87% of internal audit functions surveyed operate a grading scale for internal audit reports. 76% of internal audit functions are assigning an overall rating to their internal audit reports. This is consistent with what we see in terms of the level of assurance being sought from audit committees and other stakeholders. For the other 24%, this raises the question of how do they convey those conclusions to the audit committee. The results highlight that audit committees are both requesting and receiving greater visibility of both the risk profile, and the performance of the business in certain areas. In keeping with the survey findings, it suggests that there is a greater focus on risk culture in organisations than in previous years. However, these results yield the question as to how organisations who do not grade their internal audit issues, or internal audit reports, are able to emphasise the severity of issues and requirements for change to their respective audit committees. Figure 11 Do you operate a grading scale for internal audit reporting issues? Figure 12 - Is each internal audit report given an overall rating? issues? 13% 24% 76% 87% 13

14 Section 3: Performance This area of the survey provides insights into the performance of internal audit, including how they conduct their internal audit plan and reviews, and how the overall internal audit function itself is subjected to review. In the previous section on process, we noted that 97% of respondents confirmed that they operate via a specific methodology, with 95% of respondents further endorsing that their methodology is consistent with the IIA standards. However, we can see from the results outlined here that only 67% of those surveyed verified that their methodology included a quality assurance (QA) process. The IIA standards require a quality assurance and improvement programme that provides for an evaluation of activity against these standards. The standards require both internal and external assessments, with an external assessment at least once every five years. Only 70% of those surveyed comply with this requirement, with almost 14% stating they have never conducted an independent assessment. Figure 13 Does your methodology include a QA process? Figure 14 How often is an independent review of your internal audit function conducted? Annually 13.9% 33% 67% Every 1-3 years Every 4-5 years Less frequently Never 13.9% 41.7% 16.7% 13.9% 14

15 Section 4: People The background and skills of team members and the current and future anticipated needs of internal audit functions within the various organisations are highlighted in this section. The issue of staff retention and the use of service providers is also captured. It is evident that although 76% of Heads of Internal Audit surveyed agree that they have future skills needs, only 24% of respondents have recruited specialist staff in the last three years. These required skills relate mainly to IT audit, IT security and data management. Other skills gaps noted include credit, reinsurance, and actuarial SMEs within the financial services sector. The requirement for additional specialist staff is no surprise, considering both the increased focus on regulation and data protection and security as key risks facing the business, combined with the increased role of internal audit as an adviser/risk manager to the business. Figure 15 In the face of changing requirements has your internal audit unit recruited any specialist staff e.g. IT audit specialists/credit specialists/model experts? Figure 16 Have you identified any future skills needs? last 6 months last 6-12 months 1-3 years 10.5% 2.6% 10.5% 21.1% 24% 76% 15

16 In addition, over half of respondents acknowledge that they have experienced difficulties in identifying and recruiting appropriate resources. The key obstacles outlined by respondents related to restrictions on hiring, lack of required experience/skills of candidates, lack of adequate funding, and issues relating to languages and geographical locations. To compound these findings, 25% of respondents have encountered difficulties relating to staff retention, in some cases due to lack of opportunity within the organisation. A number of organisations have begun to invest in their people to address both issues of retention and skills. In terms of qualifications held by internal audit staff members in organisations surveyed, professional accountancy qualifications are held in the majority. Figure 17 Have you experienced problems identifying and recruiting appropriate resources? Figure 18 Have you experienced problems retaining staff? 25% 42% 58% 75% 16

17 The trend of hiring professional accountants continues with 76% of respondents indicating that their staff hold an accountancy qualification. A further 42% of functions have employed staff with qualifications achieved through the IIA. In addition, 40% of respondents stated that they employ staff with other qualifications, mainly in areas such as CISA and other IT qualifications. In relation to problems in completing internal audit plans, 66% of respondents stated that they would engage external service providers to address these gaps, with a further 29% stating that they would recruit staff if such a situation rose. Interestingly, 29% of respondents said they would defer audits in order to address these issues, which may relate to budgeting and recruitment restrictions as identified in some of our other findings. In correlation with the above findings, 66% of those surveyed are already receiving support from external service providers, either on long-term or job-by-job engagements. Figure 19 What type of qualifications do your staff hold? Figure 20 If gaps are highlighted in your ability to complete your internal audit plan, how do you plan to deal with it? Figure 21 Do you currently have any arrangements with outsource providers for the provision of internal audit resources? 76.3% 42.1% 39.5% 28.9% 28.9% 65.8% 34% 32% Long-term on-going arrangement Job by job arrangement 34% Professional accountancy qualifications IIA Other Defer audits Recruit staff Utilise external service providers (i.e. outsource/ co-source) 17

18 About Deloitte Internal Audit: We are the leading provider of internal audit and risk advisory services in Ireland. Our dedicated team of over 100 professionals includes: Qualified accountants Qualified internal auditors IT security and forensics experts IT auditors Regulatory and compliance professionals Qualified solicitors In addition, our practice includes: Actuaries Data analytics specialists Financial model specialists who support our service delivery across all sectors 18

19 The findings of our survey highlight the significant challenges faced in terms of expanding roles, emergence of new risks, greater stakeholder scrutiny, and resourcing pressures. David Kinsella, Partner, Enterprise Risk Services, Deloitte 19

20 For more information on the Heads of Internal Audit Survey please contact: David Kinsella Partner T: E: davkinsella@deloitte.ie Colm McDonnell Partner T: E: cmcdonnell@deloitte.ie Gerard Lyons Partner T: E: glyons@deloitte.ie For more details please contact: Dublin Deloitte & Touche Deloitte & Touche House Earlsfort Terrace Dublin 2 T: F: Cork Deloitte & Touche.6 Lapp s Quay Cork T: F: Limerick Deloitte & Touche Deloitte & Touche House Charlotte Quay Limerick T: F: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing s affiliates (collectively the Deloitte Network ) are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication Deloitte & Touche. All rights reserved