Head of Internal Audit Survey 2014 Capturing insight Leading business advisers

Contents
Executive summary
Key observations
About the survey
Key findings
Section 1: Purpose and position - Roles of internal audit and key risks and challenges
Section 2: Process - Methodologies of internal audit
Section 3: Performance - Reporting
Section 4: People - Resources
About Deloitte Internal Audit
Executive summary
I’m delighted to present the inaugural Deloitte Head of Internal Audit Survey. The
survey spans a number of industries including financial services, consumer business
and the public sector.
Our objective in carrying out this survey is to capture the key issues and challenges
currently facing Heads of Internal Audit. In recent years we have seen increased
demands placed on our profession by various stakeholders and many functions
have seen operational changes to their remits and roles.
One of the biggest risks facing organisations is compliance with regulation and
government policies. This risk is compounded by the number of regulatory and
legislative changes being introduced both locally and internationally.
The second most significant risk is reputation and brand. We are all very aware of
the time and effort it takes to develop a positive reputation and brand, and how
quickly this can be lost by actions or inactions. As internal auditors we need to
ask ourselves whether our internal audit plans and scoping plans consider brand
and reputation. As a profession we are always asked “who audits internal audit?”.
Interestingly, less than 30% of respondents conduct an independent quality
assurance review at least every three years.
When working with our clients in assessing internal audit functions we take a
focused approach across five key areas (the five Ps):
1. Purpose
2. Position
3. Process
4. Performance
5. People
We have aligned the results of the survey against these areas and summarised the
key observations.
We hope you find this report both helpful and insightful in benchmarking your
function and that it assists you in developing in order to meet increasing demands.
David Kinsella,
Partner, Enterprise Risk Services, Deloitte
Throughout our survey a number of key themes were also highlighted including
the extra demands on internal audit functions in terms of increased reporting
requirements; additional risks such as IT security; and expanded roles such as risk
advisory are evident from the responses; all against the backdrop of resourcing
issues.
Key observations
• 74% of respondents noted an increase in stakeholder expectations.
• 61% of respondents rated regulation and government policy as being one of the top five risks facing their organisation.
• Over 30% of respondents do not complete an independent assessment of their IA function, yet 95% state that their methodology is consistent with IIA standards.
• 66% of respondents currently use external providers to supplement their own resources via outsourcing, co-sourcing, and utilisation of subject matter experts.
• 54% of respondents revealed that their IA function has roles in BAU and advisory activities, a number that we would perceive as being relatively low.
• 76% of respondents have identified the need for additional skills.
Purpose and position
The survey highlights the increased expectations on
the scope of internal audit, along with increased
communication with the business.
The positioning of internal audit and the associated
reporting lines have always been areas of diversity,
and the survey re-affirms this, although there are
indications that the sector in which you operate plays
a key role in determining reporting lines. However, as
the primary responsibility is to the audit committee/
Board the challenge is to ensure independence is not
impinged.
Process
It is encouraging to see that 97% of respondents
have, and follow, a formal methodology which most
believe is consistent with the IIA standards. However,
this is contradicted somewhat by the level of entities
conducting quality assurance reviews.
The question of rating the overall report is an issue
we face with clients all the time. As a profession,
internal auditors seem to have accepted the value
of this approach, which is consistent with the survey
findings. One of the key challenges is working
with other internal assurance providers within the
organisation to develop a consistent rating system in
order to assist the stakeholders i.e. is a high risk in an
internal audit report/risk assessment consistent with
the risk function’s definition.
Performance
Self-assessment and informal feedback are useful
tools in assessing performance; however, the value
of an independent review cannot be underestimated
in helping benchmark against standards and best
practice.
People
With increasing demands, it is not surprising that the
need for additional and new skillsets is a common
theme with respondents. One of the key challenges
is maximising very specific skillsets, which is why
the vast majority of respondents are utilising service
providers for access to specialist skills when needed.
Overall assessment:
The findings of our survey highlight the significant challenges faced in terms of expanding
roles, emergence of new risks, greater stakeholder scrutiny and resourcing pressures.
As organisations and industries develop and change, the internal audit function must also
develop in terms of skillsets, approaches, and utilisation of tools to ensure it adequately
serves audit committees/boards, and other stakeholders.
At Deloitte, we are committed to helping Heads of Internal Audit and internal audit
professionals keep up to date with the latest developments facing their profession, so
please visit www.deloitte.com/ie/internalauditsurvey for our latest insights and thought
leadership.
About the survey
We conducted this survey in late 2013 in order to reveal insights and observations of internal audit
practices in Ireland. Participants were from a range of different sized companies, operating across
financial services, consumer and technology business and the public sector.
Whilst each sector has unique attributes, many of the issues and challenges facing the profession are
consistent as demonstrated throughout the survey.
Figure (i) – Primary sector of the organisation surveyed (pie chart; segments: Financial services, Consumer and technology business, Public sector; values shown: 31%, 45%, 24%)
These sectors are made up of respondents from various different industries, being:
Financial services: Banking, Insurance, Stockbroking, Fund industry
Consumer and technology business: Technology, Consumer business, Manufacturing
Public sector: Government department, Regulatory body, Commercial state body, Government agency, Other
Section 1: Purpose and position
In this section, we assess how the internal audit function is perceived and
their positioning within their organisation. We asked internal auditors if
their role has changed and what their level of communication and input is
within the business.
Respondents to this survey provided a clear message stating that internal
audit has featured far more prominently in entities over the past three years.
With 74% of respondents confirming that expectations of internal audit have
changed over the past three years, this is very much in correlation with the
63% who reveal that their scope has widened.
Figure 1 – In your opinion, have stakeholder expectations of internal audit in your organisation changed over the past three years? (Yes 74%, No 26%)
Figure 2 – Has the scope of your internal audit function widened to incorporate additional processes/risks e.g. IT security in recent years? (Yes 63%, No 37%)
The majority of respondents highlighted that they are performing multiple
functions as part of their role, with 92% performing process reviews,
78% performing controls development, and over 81% acting as a risk
management adviser to the business. In addition, 34% of respondents
have further responsibilities including advisory, compliance, and corporate
governance roles.
Alongside this, with respect to business advisory and business as usual
(BAU) activities, 54% of respondents said that their internal audit function
plays a role in business advisory and business as usual activities, including
providing their services in terms of process changes and change programmes,
independent advice, due diligence, and development of processes/policies.
One of the challenges many internal audit functions face is balancing the
need for independence and supporting the business, hence the absence of a
clear indicator.
Figure 3 – In your opinion, what are the key roles that your IA function performs? (Process reviews 92.1%, Controls development 78.9%, Risk management adviser 81.6%, Other 34.2%)
Figure 4 – Does your internal audit function have any role in business as usual or advisory activities? (Yes 54%, No 46%)
A large majority (70%) of respondents have highlighted an increase in
the frequency of communications with the business in recent years.
This suggests a dramatic increase in embedding a risk culture within
organisations, and is also representative of the ever-evolving increase in
regulation. 73% of respondents have increased face to face contact with
the business, conveying an increased reliance on and involvement of
internal audit in both a risk advisory and a business partnering capacity. In
addition, these results correlate with those outlined by respondents as their
role as a trusted adviser to the business.
The risk most organisations felt they needed to mitigate against, with 61%
ranking this as a top five risk, is regulation and government policies. This is to
be expected, with a huge shift in focus towards increased regulation being
apparent in most industries in the last five years. It should also be noted that
this risk was just as prevalent in responses from those organisations in the
non-financial services sectors, as those in the financial services sector.
Interestingly, reputation and brand is seen as the next biggest area of focus,
with 58% of respondents highlighting this as a top five risk. The significant
efforts that go into developing and promoting brands means that this result
is not a surprise. The challenge facing all internal auditors, irrespective of
industry, is: are you considering this risk?
One of the key focuses for Heads of Internal Audit is the risk profile of
the organisation. In this section we focus on where they see continuous
improvement requirements for their businesses, including the current
position of risks, challenges facing the respective organisations and an
assessment of how these risks are being managed.
Figure 5 - Have the nature and frequency of communications with the business changed in recent years? (categories: more frequent, same frequency, less frequent)
Figure 6 - Rank the following risks in order of priority for your organisation (risks: Reputation and brand; Regulation and government policies; Economic uncertainty; Talent and labour; Data protection and security)
Following on from the identification of what are envisaged as the top five
key risks for organisations, it is intriguing to note that between 31% and
61% of respondents believe that the way these risks are being managed by
their organisations is poor or requires some improvement. While economic
uncertainty, regulation and government policies are mainly beyond the
control of organisations, it is interesting to note that only 39% and 49%
of respondents believe that the risks posed by talent and labour and data
protection and security to their businesses respectively, are being well
managed. Considering the importance of reputation and brand being
highlighted by respondents, it is alarming that only 49% of respondents see
data protection as being well managed.
Over half of respondents believe that the management of these top five
risks has improved over the past three years. The lack of measurable
improvement in risk management as noted in figure 8, has led to these risks
not being well managed in some organisations. It is of some concern that 6%
of those surveyed believe that the management of data protection and security
has declined over the course of the last three years, which may be as a result
of the increase in cybercrime activity and emerging technologies. The 2013
Deloitte Ireland Information Security and Cybercrime Survey explores this issue
in more detail, and can be found at
http://www2.deloitte.com/content/www/ie/en/pages/about-deloitte/articles/cybercrime.html
An interesting insight into the position of internal audit across the various
industries is the diversity in reporting lines for heads of internal audit. These
range from reporting directly to the CEO, CFO, company secretary, global
heads of internal audit, and other levels below the CEO. In addition, some
respondents noted that they only report directly to the audit committee. This
diverse nature of reporting lines highlights the differing positions internal audit
hold, depending on the type of organisation, and the industry in which they sit.
Figure 7 - In order to assess how well critical risks are managed in your organisation, please indicate for each of the top five risks how well you consider them to be managed by your organisation.
Risk: Not well managed / Requires improvement / Well managed
Reputation and brand: 0% / 32% / 68%
Regulation and government policies: 0% / 31% / 69%
Economic uncertainty: 4% / 48% / 48%
Talent and labour: 3% / 58% / 39%
Data protection and security: 4% / 46% / 49%
Figure 8 - Please indicate if the management of each of these top five risks has improved, disimproved, or stayed the same over the past three years.
Risk: Improved / Stayed the same / Disimproved
Reputation and brand: 56% / 41% / 3%
Regulation and government policies: 61% / 39% / 0%
Economic uncertainty: 60% / 40% / 0%
Talent and labour: 51% / 37% / 11%
Data protection and security: 76% / 18% / 6%
Section 2: Process
This section focuses on the delivery and processes carried out by internal
audit functions within the organisations surveyed. This includes insights on
the approach taken by the internal audit functions, and the measures taken
to ensure that their functions are operating efficiently and effectively, and
in line with best practice. In addition, we review reporting by internal audit,
and how this is structured and relayed to the business.
In terms of how internal audit functions operate, 97% of respondents
confirmed that they operate via a specific methodology, with 95% of
respondents further endorsing that their methodology is consistent with
the IIA standards.
Figure 9 - Is a formal methodology followed for all audit assignments? (Yes 97%, No 3%)
Figure 10 – Is your methodology consistent with IIA international standards? (Yes 95%, No 5%)
The results show that 87% of internal audit functions surveyed operate
a grading scale for internal audit reports. 76% of internal audit functions
are assigning an overall rating to their internal audit reports. This is
consistent with what we see in terms of the level of assurance being
sought from audit committees and other stakeholders. For the other 24%,
this raises the question of how they convey those conclusions to the
audit committee.
Figure 11 – Do you operate a grading scale for internal audit reporting issues? (Yes 87%, No 13%)
The results highlight that audit committees are both requesting and receiving
greater visibility of both the risk profile, and the performance of the business
in certain areas. In keeping with the survey findings, it suggests that there is a
greater focus on risk culture in organisations than in previous years. However,
these results raise the question as to how organisations who do not grade
their internal audit issues, or internal audit reports, are able to emphasise
the severity of issues and requirements for change to their respective audit
committees.
Figure 12 - Is each internal audit report given an overall rating? (Yes 76%, No 24%)
Section 3: Performance
This area of the survey provides insights into the performance of internal
audit, including how they conduct their internal audit plan and reviews, and
how the overall internal audit function itself is subjected to review.
In the previous section on process, we noted that 97% of respondents
confirmed that they operate via a specific methodology, with 95% of
respondents further endorsing that their methodology is consistent with the
IIA standards. However, we can see from the results outlined here that only
67% of those surveyed verified that their methodology included a quality
assurance (QA) process.
The IIA standards require a quality assurance and improvement programme
that provides for an evaluation of activity against these standards. The
standards require both internal and external assessments, with an external
assessment at least once every five years. Only 70% of those surveyed comply
with this requirement, with almost 14% stating they have never conducted an
independent assessment.
Figure 13 – Does your methodology include a QA process? (Yes 67%, No 33%)
Figure 14 – How often is an independent review of your internal audit function conducted? (Annually 13.9%, Every 1-3 years 13.9%, Every 4-5 years 41.7%, Less frequently 16.7%, Never 13.9%)
Section 4: People
The background and skills of team members and the current and
future anticipated needs of internal audit functions within the various
organisations are highlighted in this section. The issue of staff retention and
the use of service providers is also captured.
It is evident that although 76% of Heads of Internal Audit surveyed agree
that they have future skills needs, only 24% of respondents have recruited
specialist staff in the last three years. These required skills relate mainly to
IT audit, IT security and data management. Other skills gaps noted include
credit, reinsurance, and actuarial SMEs within the financial services sector. The
requirement for additional specialist staff is no surprise, considering both the
increased focus on regulation and data protection and security as key risks
facing the business, combined with the increased role of internal audit as an
adviser/risk manager to the business.
Figure 15 – In the face of changing requirements has your internal audit unit recruited any specialist staff e.g. IT audit specialists/credit specialists/model experts? (categories: Yes – last 6 months; Yes – last 6-12 months; Yes – 1-3 years; No)
Figure 16 – Have you identified any future skills needs? (Yes 76%, No 24%)
In addition, over half of respondents acknowledge that they have
experienced difficulties in identifying and recruiting appropriate resources.
The key obstacles outlined by respondents related to restrictions on hiring,
lack of required experience/skills of candidates, lack of adequate funding,
and issues relating to languages and geographical locations. To compound
these findings, 25% of respondents have encountered difficulties relating
to staff retention, in some cases due to lack of opportunity within the
organisation.
A number of organisations have begun to invest in their people to address
both issues of retention and skills. In terms of qualifications held by internal
audit staff members in organisations surveyed, professional accountancy
qualifications are held in the majority.
Figure 17 – Have you experienced problems identifying and recruiting appropriate resources? (Yes 58%, No 42%)
Figure 18 – Have you experienced problems retaining staff? (Yes 25%, No 75%)
In relation to problems in completing internal audit plans,
66% of respondents stated that they would engage external
service providers to address these gaps, with a further 29%
stating that they would recruit staff if such a situation arose.
Interestingly, 29% of respondents said they would defer
audits in order to address these issues, which may relate to
budgeting and recruitment restrictions as identified in some
of our other findings. In correlation with the above findings,
66% of those surveyed are already receiving support from
external service providers, either on long-term or job-by-job
engagements.
The trend of hiring professional accountants continues
with 76% of respondents indicating that their staff hold an
accountancy qualification.
A further 42% of functions have employed staff with
qualifications achieved through the IIA. In addition, 40%
of respondents stated that they employ staff with other
qualifications, mainly in areas such as CISA and other IT
qualifications.
Figure 19 – What type of qualifications do your staff hold? (Professional accountancy qualifications 76.3%, IIA 42.1%, Other 39.5%)
Figure 20 – If gaps are highlighted in your ability to complete your internal audit plan, how do you plan to deal with it? (Defer audits 28.9%, Recruit staff 28.9%, Utilise external service providers, i.e. outsource/co-source, 65.8%)
Figure 21 – Do you currently have any arrangements with outsource providers for the provision of internal audit resources? (categories: Long-term on-going arrangement; Job by job arrangement; No)
About Deloitte Internal Audit:
We are the leading provider of internal audit and risk advisory services in Ireland.
Our dedicated team of over 100 professionals includes:
• Qualified accountants
• Qualified internal auditors
• IT security and forensics experts
• IT auditors
• Regulatory and compliance professionals
• Qualified solicitors
In addition, our practice includes:
• Actuaries
• Data analytics specialists
• Financial model specialists who support our service delivery across all sectors
The findings of our survey highlight the
significant challenges faced in terms
of expanding roles, emergence of new
risks, greater stakeholder scrutiny, and
resourcing pressures.
David Kinsella, Partner, Enterprise Risk Services, Deloitte
For more information on the
Heads of Internal Audit Survey
please contact:
David Kinsella
Partner
T: +353 1 417 2529
E: davkinsella@deloitte.ie
Colm McDonnell
Partner
T: +353 1 417 2348
E: cmcdonnell@deloitte.ie
Gerard Lyons
Partner
T: +353 61 43 5501
E: glyons@deloitte.ie
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company limited by guarantee, and its network of member firms, each of which is a legally separate and
independent entity. Please see www.deloitte.com/ie/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in
more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges.
Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte
Touche Tohmatsu Verein, any of their member firms, or any of the foregoing’s affiliates (collectively the “Deloitte Network”) are, by means of this publication, rendering accounting,
business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a
basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should
consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
© 2014 Deloitte & Touche. All rights reserved
For more details please contact:
Dublin
Deloitte & Touche
Deloitte & Touche House
Earlsfort Terrace
Dublin 2
T: +353 1 417 2200
F: +353 1 417 2300
Cork
Deloitte & Touche
No.6 Lapp’s Quay
Cork
T: +353 21 490 7000
F: +353 21 490 7001
Limerick
Deloitte & Touche
Deloitte & Touche House
Charlotte Quay
Limerick
T: +353 61 435500
F: +353 61 418310
www.deloitte.com/ie