IIA Annual Survey Governance and Risk Report 2013
Tuesday 5th November 2013

THOMSON REUTERS GRC WEBINAR PRESENTERS

Papiya Chatterjee, Senior Policy Officer
Papiya has over 10 years’ experience in research and policy analysis and has worked in a wide range of policy areas in Parliament, the National Audit Office and more recently regulation. She also has a background in both value for money and external audit.

David Lyscom, Policy Director
David has been the IIA Policy Director since August 2012. He had a long career in the Diplomatic Service where he specialised in economic and financial policy issues. He was UK Ambassador to the OECD from 2004 to 2008.

Susannah Hammond, Senior Regulatory Intelligence Expert
Susannah joined the regulatory affairs team at Thomson Reuters from the GE Capital Bank where she was head of compliance. Susannah has more than 20 years’ wide-ranging experience in international and UK financial services. A qualified chartered accountant, more recently Susannah was head of international regulatory risk for the Halifax Group and became head of retail regulatory risk for HBOS plc upon Halifax’s merger with Bank of Scotland.

IIA Annual Survey Governance and Risk Report 2013

First ever annual policy survey of IIA heads of internal audit (HIA) conducted in July / August 2013.
The purpose - to collect factual data on the profession, including its position in organisations, and the services it provides; and to find out HIAs’ views on risk management issues and the skills and competencies internal audit needs to function effectively.

Of the 642 HIAs sent the survey 307 responded - 48 per cent broadly representative in terms of sector, location of work and gender.

IIA Annual Survey Results 1: Risk Management
In your view, what is the level of your organisation's risk maturity?

IIA Annual Survey 2: Resource priorities
Areas where respondents spend most of their time according to their audit plans
[Chart. Axis: percentage of respondents (0% to 100%). Series: All sectors; Financial services; Public sector; Private sector (non FS)]

IIA Annual Survey 3: Whistleblowing and Fraud
Which of the following additional services does internal audit provide your board/board committee? (tick all that apply)
[Chart. Axis: percentage of respondents (0% to 100%). Series: All sectors; Financial services sector; Private sector (non-FS); Public sector. Categories:]
• Conduct confidential investigations, such as fraud
• Provide views on the performance of management in relation to controls or the adequacy of corrective actions
• Offer concrete proposals on improving internal controls
• Provide an annual opinion on the adequacy of the organisation’s system of internal controls
• Act as a channel for whistleblowing
• Conduct governance reviews
• Manage co-sourcing of internal audit functions
• Provide input on the evaluation of the external auditor’s performance
• Contribute to the induction and/or CPD of board members
• Advise the board / committee on reports or information from external parties, such as regulators

IIA Annual Survey Results 4: Risk Focus of Audit Resources
Areas of risk where internal audit spends most of its time

IIA Annual Survey Results 5: Reporting lines
Functional reporting line (to whom are you ultimately accountable?)
IIA Annual Survey Results 6: Overseeing internal audit
Who has ultimate responsibility for approving your

IIA Annual Survey Results 7

Audit Committee responsible for:

                 All sectors   Financial services   Public sector   Private sector (non FS)
Appointment      59%           76%                  38%             75%
Audit Charter    77%           86%                  68%             76%
Audit Plan       85%           91%                  85%             85%

Executive management responsible for:

                 All sectors   Financial services   Public sector   Private sector (non FS)
Budget           50%           31%                  62%             51%
Remuneration     69%           48%                  82%             70%
Appraisal        79%           71%                  86%             78%

IIA Annual Survey Results 8: Quality assurance
How frequently is your internal audit function externally assessed to judge compliance with IIA Standards?
[Pie chart. Segment labels: Annually; Every 2-3 years; Every 4-5 years; Over 5 years; Never. Segment values as extracted: 6%, 20%, 15%, 12%, 47%]

IIA Annual Survey Results 8: Auditing culture
Top areas of expected internal audit budget and staff increases over the next year

IIA Annual Survey Results 9: Internal audit competencies
Top competencies internal audit needs now and in five years’ time

Thomson Reuters GRC State of Internal Audit 2013

2013 survey
• Surveyed more than 1100 internal audit practitioners in February & March 2013
• 76 countries
• IA departments of all sizes from less than 5 to more than 100

Current Focus – top 3 areas

Future Focus – top 3 areas

In your opinion how mature is your organisation's risk management function?
[Pie chart. Segment labels: We do not have a formal program or resources; In the development stage; Immature; Implemented, but requires additional work and resources; Robust and embedded framework and resources in place. Segment values as extracted: 9%, 11%, 19%, 41%, 20%]

How much reliance do external auditors place on the work of internal audit?
[Pie chart. Segment labels: None; Some - in key areas or locations; Extensive - significant reliance placed with additional external audit assurance; Full reliance placed on all internal audit work. Segment values as extracted: 6%, 14%, 28%, 52%]

Key challenges for internal audit in year ahead

IA view of challenges for their boards

                                                  2013   2012
Corporate strategy                                43%    52%
Strategic level risk management                   37%    47%
Legal and regulatory risk                         31%    38%
Corporate governance                              30%    35%
IT security and risk                              28%    28%
Monitoring                                        19%    n/a
Global expansion                                  17%    15%
Capital and liquidity                             16%    n/a
Assurance on internal control processes           15%    13%
Fraud and corruption                              12%    8%
Follow up on implementation of remedial action    11%    n/a
Process level risk management                     8%     10%
Customer outcome                                  8%     n/a
Other                                             2%     n/a

Comparisons

• Risk maturity
  • Thomson Reuters: 50% reported that their organisation’s risk management function was non-existent, in development or immature.
  • The IIA: 45% of organisations reported that they felt the level of risk maturity within their organisation was at the early stages of implementation, in development or nonexistent.
• Skills and competencies
  • Both surveys show the wide range of skills that internal auditors need which span both technical and business skills. Thomson Reuters commented that internal auditors may need additional training particularly in qualitative areas such as culture and corporate governance.

Further materials

• IIA Governance and Risk Report 2013
  http://www.iia.org.uk/policy/governance-and-risk-report-2013/
• State of Internal Audit 2013
  http://accelus.thomsonreuters.com/sites/default/files/GRC00311.pd
• Effective Internal Audit in the Financial Services Sector
  http://www.iia.org.uk/policy/financial-services-initiative/
• Culture, Corporate Governance and the Internal Auditor
  http://accelus.thomsonreuters.com/sites/default/files/GRC00075.pdf