Namibia Internal Audit Survey

Namibia Internal Audit Survey October 2014 www.kpmg.com/na

1 Foreword KPMG in Namibia is proud to have conducted the first Internal Audit survey featuring only Namibian entities. This study aims to obtain an overview of how key stakeholders within Namibian organisations perceive internal audit and its benefits. This survey, which included organisations across 10 sectors, captures the essence of Internal Audit in the Namibian landscape. In this report we combine the perceptions and views of Audit Committee Chairpersons, Heads of Internal Audit Functions, Chief Executive Officers and Chief Financial Officers with respect to the effectiveness, value proposition and challenges faced by Internal Audit Functions in Namibia. We hope that you find this a valuable and insightful read. We thank all the respondents who participated in the survey and look forward to receiving your comments on this publication.. Contact us Robert Araeb Advisory Partner T: +264 61 387 551 E: robertaraeb@kpmg.com Rajesh Rajgopal Advisory Senior Manager T: +264 61 387 575 E: rrajgopal@kpmg.com Phillip Soroseb Advisory Manager T: +264 61 387 500 E: psoroseb@kpmg.com www.kpmg.com/na

2 CONTENTS 01 Overview 02 Participant Profile 03 Positioning 04 People 05 Process 06 Appendix: Methodology 07 KPMG Namibia Advisory Services

OVERVIEW KPMG s Namibia Internal Audit survey is focused upon the Positioning, People and Processes followed during the audit.

4 Overview Our survey was divided into the following three categories with emphasis on the areas mentioned below. Business view Interaction with business Self-view Other uses of Internal Audit Positioning People Planning Process Follow-up Skills Resources Internal Audit team s value add to business Fieldwork Reporting

5 Overview Glimpse of results Some of the challenges and issues raised in this Internal Audit Function study have the potential to limit the benefits of audit that an organisation foregoes Positioning Although some limitations have been noted, the survey revealed that there is generally an appreciation for the internal audit function and the benefits it adds to the organisation. Organisations surveyed generally had risk based internal audit plans in place and the audits are executed on a timely basis. Even though the majority of the internal audit functions surveyed performed internal audits in accordance with their internal audit methodology, most organisations did not have a formal quality assessment review carried out for their function. Most internal audit functions make a good impact on business through clear and timely communications. There is an understanding that risk management does not form part of the internal audit mandate. However, there are some practical implementation challenges associated with that. Less than half of the internal audit functions surveyed carry out their own forensic investigations. The majority of them are however not adequately qualified or have the necessary experience in the forensic field. Process People Most of the respondents felt that their internal audit functions had the appropriate expertise and technical proficiency to carry out their mandate. In-house internal audit functions surveyed use external third party consultants to compliment their resources as and when needed. The respondents encouraged cross transfers between internal audit and other business units to enhance better understanding of business processes and controls. Half of the respondents considered the Head of the internal audit function to be approachable and provided various reasons to that effect. Some respondents felt that the Head of internal audit lacked the necessary weightiness at an executive level. From the participants surveyed, the majority were of the opinion that internal audits are planned and executed effectively, although some have expressed concerns over the untimely completion and reporting of internal audit findings. Even though some of the respondents surveyed indicated that their internal audit functions provide recommendations that address business risks, various reasons were also given as to why certain recommendations were not being implemented. In their responses, most internal audit functions continuously seek feedback from business with regards to possible areas of improvement.

PARTICIPANT PROFILE The survey was rolled out to Chief Executive Officer/Managing Director, Internal Audit/Compliance Head and Audit Committee Members belonging to various institutions in several industries

7 Demographics of Participants Respondents by Sector 27% of participants belong to the banking and financial services sector. Sector The majority of the participants consists of Internal Audit/Compliance Heads and Audit Committee members. Type of internal Audit Designation Co-sourced and In-house are the most prominent types of audits for the Banking and Financial sector, whereas, out-sourced audit being the most popular in Educational Institutions and Energy and Natural Resources.

POSITIONING

9 Positioning: Self View Which one of the following best describes how YOU regard Internal Audit? 65% of participants believe internal audit to be an important part of the control environment Benefits of Internal Audit for YOU It strengthens the internal controls by pointing out to management where we need to improve, strengths to build on and threats to be on the look out for. How would you rank your current Internal Audit department or service provider? The Audit committee members are the most satisfied with their Internal audit department or service provider, while Chief Executive Officers/Managing Directors are the least satisfied with it. More than 1/3rd of the participants feel that their current internal audit department or service provider needs improvement. Improvement needs by Department or service provider

10 Positioning: Self View (cont.) Do you have an Internal Audit methodology which is in line with Internal Auditing Standards? Is the internal audit methodology consistently applied on all internal audit projects? IA methodology applied in line with IA standards Quality Assurance Review on IA methodology applied No 57% Yes 43% 98% of the respondents believe that they have an Internal Audit methodology which is in line with Internal Auditing Standards. However more than half (57%) of the organisations have not performed an external quality assurance review in order to verify compliance to the said standards. In the last audit year, has the approved audit plan been completed? If No, what were the main reason for non-completion of the audit plan? Yes 64% No 36% 64% Lack of management buy-in/co-operation 6% Unplanned special audits during the period 11% Lack of skills 1% Lack of resources 18% Of the respondents belonging to organisations where the approved audit plan was not completed, half of them feel that it is lack of resources that has caused the non-completion. The second most important reason being unplanned special audits during the period. However, lack of skills does not have a major impact on the audit plans, as these are being compensated through the use of external service providers where needed. of the respondent organizations were able to complete their approved audit plans in the last fiscal year.

11 Positioning: Self View (cont.) How frequently does the Head of Internal Audit communicate with the Chairperson of the Audit Committee? 44% of participants agree that their Head of Internal Audit communicates with the Chairperson of the Audit Committee, before and after the audit. Frequency of Communication to the Chairperson of Audit Committee Monthly, 26% Once a year, 27% Never, 3% Before and after every audit, 44% 93% of the respondents believe that their organisations follow a risk based internal audit plan, which is in line the risks faced by the organisation. More than half of these respondents are industry leaders in the financial services and energy and natural resources sectors. 84% of the organisations feel that their Internal Audit function adequately incorporates fraud risks in the execution of Internal Audit. However less than half (43%) of the organisations went through an external quality assurance review in the last 5 years. Is the Internal Audit plan risk based? Does your Internal Audit function adequately incorporate fraud risks in the execution of Internal Audit? Does your Internal Audit collaborate effectively with external audit? Has your Internal Audit function been subject to an external quality assurance review in the past 5 years?

12 Positioning: Business view Business Impact of Internal Audit Internal Audit has credibility within the organisation. 53% 32% 9% 6% Internal Audit strikes a good balance between being an integral part of the business whilst maintaining an objective approach. 59% 30% 9% 2% The work undertaken by Internal Audit focuses on the key risks and controls in the business. 61% 32% 5% 2% Internal Audits work has a positive impact on the control environment at the organisation. 71% 23% 4% 2% Is your Internal Audit function connected to the reality of your business and are the internal auditors able to effectively challenge issues related to all facets of the organisation? 35% 38% 9% 18% If you had to cut costs, would internal audit feature in your top 3 avenues? 3% 6% 16% 75% Internal Audits structure is appropriately aligned to the structure of the business. 53% 27% 11% 7% 2% 0% 20% 40% 60% 80% 100% Agree Tend to Agree Tend to Disagree Disagree Don t Know Only 53% of the respondents feel that the internal audit function has credibility within their organisation. The majority (67%) of this group are mainly Chief Executive Officers/Managing Directors and Chief Financial Officers. 61% believe that the internal audit function focuses on key risks and controls and 71% feel that it has a positive impact on the control environment. From the respondents, 25% felt strongly that internal audit activities could be cut as a means of saving costs.

13 Positioning: Business view (cont.) The survey has revealed that the majority of internal audit functions have not fully transitioned from value preservation to value addition. 77% of participants feel that their internal audit function has helped save less than 1% of turnover. Cost savings through Internal Audit 77% Less than 1% of turnover 17% 6% Between 2% and 5% of turnover More than 5% of turnover

14 Positioning: Interaction with business Interaction with business Internal Audit communicates with the business in a clear, effective and timely manner. 49% 36% 11% 4% Internal Audit has appropriate representation at key governance fora, e.g. key project and committee meetings. 61% 23% 10% 4% 2% Internal Audit interacts effectively with other control functions such as Risk Management and Compliance. 62% 23% 11% 2% 2% 0% 20% 40% 60% 80% 100% Agree Tend to Agree Tend to Disagree Disagree Don t Know Communication is ad-hoc. IA only approaches business when an audit is to be conducted. No formal continuous discussions are held with the auditees to understand business and to guage potential risk that the business might face. Nearly half of the respondents believe that internal audit communicates in a clear effective and timely manner. 11% tend to disagree that internal audit has appropriate representation at the key governance fora. Also, an equal number of respondents do not feel that the internal audit function interacts well with the control functions such as, risk management and compliance. Difference in Roles and Responsibilities of Internal audit and risk management 98% of participants can easily distinguish between the roles and responsibilities of internal audit and risk management No Yes Most of the respondents are very clear about the distinction between roles and responsibilities of Internal Audit and Risk management. However the respondents cited the practical difficulty in implementing the same due to resource constraints.

15 Positioning: Other use of Internal Audit Does your Internal Audit department conduct forensic investigations? Does the team conducting the forensic investigation have the right qualification/experience? No 54% Yes 46% No 21% Yes 25% 46% of participants responded that their internal audit department conducts forensic investigations. However only 25% of the respondents, whose teams conduct such investigations, have the necessary qualification or experience.

PEOPLE

17 People: Skills People skills of internal audit team Internal Audit staff have appropriate expertise/technical proficiency to carry out their role. 53% 35% 12% 0% 0% Internal Audit staff have a sound understanding of the business strategy and the major risks associated with the strategy. 43% 50% 7% 0% 0% Internal Audit contains an appropriate mix of individuals who have sufficient gravitas and are in a position to challenge the business on various matters. 30% 43% 23% 4% 0% Appropriate and relevant subject matter experts are used to conduct audits; either by leveraging current expertise in the team, using guest auditors from elsewhere in the business, or through buying in specialist services from third party firms on an 'as needed' basis. 45% 33% 15% 5% 2% Agree Tend to Agree Tend to Disagree Disagree Don t Know 13% of the survey participants feel that their internal audit staff do not have the appropriate expertise needed to carry out their role, which is a cause of concern, as this may impact the audit results. From the respondents, only 45% agree that they have relevant subject matter experts to conduct the same. Only 30% of the respondents felt strongly that the Head of Internal Audit has the necessary authority and influence to critically challenge business at an executive level.

18 People: Resource Internal Audit has sufficient resources to conduct its assignments, e.g. are there enough internal auditors in the team to cover the workload? 55% Disagree 18% Agree 33% of the respondents feel that the resources available are sufficient for conducting assignments (agree and tend to agree). Tend to Disagree 27% Tend to Agree 22% Agree Tend to Agree Tend to Disagree Disagree Don t Know

19 People: Internal Audit team value add to business Is it a valuable opportunity for staff from other business areas to work for shortmedium periods in Internal Audit? 77% Disagree 13% Don't Know 3% Agree 33% Tend to Disagree 7% of the respondents support short-term secondments to the Internal Audit function. It is a good strategy to expose staff from various business functions to the Internal Audit function and will help to strengthen the business functions and entrench a culture of compliance and controls. Tend to Agree 44% Agree Tend to Agree Tend to Disagree Disagree Don t Know How would you describe your recent interaction with the Head of Internal Audit? 50% of the participants described the Head of Internal Audit as supportive and approachable. Over 21% described the Head of Internal Audit as helpful.

PROCESS

21 Process: Planning Planning of Internal Audit Adequate notice is provided by Internal Audit for any planned audits. 66% 26% 8% Internal Audit is forward-looking in its risk assessment process. 53% 43% 2% 2% Internal Audit is aware of the external environment (including regulatory developments) when planning for audits. 61% 26% 11% 2% Internal Audit focuses on the major business risks when carrying out its activities. 53% 33% 11% 3% The purpose and scope of Internal Audits are communicated clearly. 65% 22% 9% 4% Internal Audit tries to accommodate business needs regarding timing of audits. 61% 32% 7% 0% 20% 40% 60% 80% 100% Agree Tend to Agree Tend to Disagree Disagree Don t Know 92% of the respondents agree or tend to agree to the fact that enough notice period is given prior to an audit. However, 11% of the respondents feel that the internal audit is not aware of the external regulatory environment, when at the planning stage and does not focus on the major business risks.

22 Process: Fieldwork Do you have Clarity about Internal Audit s Approach and Methodology? 87% Limitations on audit resources in terms of time per project limits the scope (breath & depth) that can be applied on some internal audit projects. of the participants feel that the audits are undertaken with the right level of detail, in terms of the breadth and depth of coverage. Audits are too much focused on finance issues and not enough on the core business issues. Process Planning of Internal Audit Audits are undertaken at the right level of detail, with appropriate: 1) breadth and 2) depth of coverage. 38% 50% 12% 62% 31% 5% 2% Audits are undertaken in an organized manner, with minimal disruption to business as usual activities. 73% 20% 7% Audits are performed with professionalism and integrity. 43% 41% 13% 3% Audits are performed in accordance with the agreed timetable. 0.0% 20.0% 40.0% 60.0% 80.0% 100.0% Agree Tend to Agree Tend to Disagree Disagree Don t Know Only 13% of the respondents feel that the Internal Audits are not performed in accordance with the agreed timetable.

23 Process: Reporting Reporting of Internal Audit Audit findings are precise and presented in an objective way. 53% 41% 6% Audit recommendations are relevant, thereby being controls focused whilst taking wider business and commercial issues into account. 41% 47% 9% 3% Internal Audit keeps you informed of audit progress and findings such that no surprises arise when Internal Audit reports are issued. 44% 41% 12% 3% Audit findings are agreed with you prior to reports being finalised. 59% 18% 6% 15% 2% Actions arising from audits are discussed in detail with the business so it is clear what needs to be addressed and why. 71% 20% 9% Internal Audit issues audit reports on a timely basis. 43% 28% 23% 4% 2% Internal Audit produces reports which identify both root causes and implication/impact of issues. 63% 28% 7% 2% Major issues raised by Internal Audit have led to additional/wider investigations by management. 42% 44% 5% 5% 4% 0% 20% 40% 60% 80% 100% Agree Tend to Agree Tend to Disagree Disagree Don t Know More than 90% of the organisations agree or tend to agree that Internal Audit produces reports which identify both root causes and implication/impact of issues. However 23% of the respondents felt that the internal audit reports are not produced on a timely basis. This has a direct impact in terms of the relevance of audit findings.

24 Process: Reporting (cont.) Non-implementation of Internal audit recommendations Not a business case 33% Not meaningful 33% Don't address the risk 34% Not meaningful Not a business case Don t address the risk Not practical Too expensive to implement Where participants indicated that their management do not act upon the Internal Audit recommendations, the above reasons were provided. Do you agree to actions and their associated due dates after careful consideration around what needs to be done and whether this is possible within the given timeframes. Does your Internal Audit provide at least annually a written assessment of the overall effectiveness of the system of internal controls and risk management to the Board? Yes No

25 Process: Follow-up Follow-ups from management s perspective Do you understand the importance of implementing Internal Audit recommendations in accordance with the agreed due dates. Is your business area on target in respect of addressing Internal Audit action points in accordance with agreed due dates? Has Internal Audit asked for feedback? If so, have you provided it? Yes No The above questions were only posed to the respondents that form part of the management group. The implementation of the internal audit recommendations is very important, as is evident by the overwhelming response.

26 Appendix Methodology The findings and insights reflected in this report are based on an online survey conducted by KPMG. The qualitative data gathered from the online survey captures insights into the current internal audit landscape in Namibia. Participants included Chief Executive Officers/Managing Directors, Internal Audit/Compliance Heads, and Audit Committee Members from over 30 organizations. The online survey captured tangible information from participants in several categories: Positioning People Process Based on data obtained from the online survey, results were analysed and used in understanding the common perception that the stakeholders have about internal audit and the benefits derived there from.

27 KPMG in Africa and Namibia KPMG is well represented across the African continent. Our offices in Africa are integrated and managed as one practice across the continent. Individual countries retain their legal independence and local Partner ownership. KPMG s objective is to provide consistent, high-quality services to multinational, regional and local clients and to enhance the product offering in previously under-serviced markets. Our extensive network of practices enables us to ensure that our clients have access to a blend of professionals who are well versed with local conditions, giving them access to skilled resources, no matter where they are in Africa. KPMG in Namibia is the oldest firm of chartered accountants and business consultants in Namibia, having been established in 1947. It operated under the name P J Malherbe & Co until 1991, when it became part of the international firm of KPMG. The Namibian practice of KPMG is partnered by Robert Grant, Robert Araeb and Valens Mugabo. KPMG in Namibia provides expert Audit, Advisory and Tax services and is the most transformed audit and consulting firm in Namibia. KPMG Namibia is the PMR.Africa Diamond Arrow award winner for Best Audit / Accounting Firm for 3 consecutive years, from 2012 2014.

28 KPMG Namibia s Advisory Services KPMG helps organisations create sustainable business value and manage risk by optimising their financial and operational structures. We offer industry-specific financial, transactional, and technical experience in areas including management consulting, risk consulting, and transactions and restructuring to help enhance the organisation s financial performance and reporting, regulatory compliance, and business value creation. KPMG s Advisory Services Risk Consulting services Transactions & Restructuring services Internal Audit, Risk & Compliance Services Forensic IT Advisory Financial Risk Management Accounting Advisory Services Sustainability Corporate Finance Restructuring Services Transaction Services Corporate Recovery Management Consulting services Strategy & Operations Business Performance Services Financial Management People & Change IT Advisory

29 KPMG is a global network of professional firms providing Audit, Tax and Advisory services. We operate in 155 countries and have more than 155,000 people working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such. 2014 KPMG Advisory Services (Namibia) (Pty) Ltd, a Namibian company and member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International Cooperative ( KPMG International ).