Audit Quality: Optimizing the

Internal Audit Function

Joyce Vassiliou, CIA, CRMA, CCSA

Vice President of Governance

The Institute of Internal Auditors, Inc.

Joyce.Vassiliou@theiia.org

EEI Utility

Internal Auditing Conference

August 22 – 24, 2016

Loews Hotel

Atlanta, Georgia

About the IIA

We are the internal audit profession’s most widely recognized

- Advocate

- Educator

- Provider of:

- Standards

- Guidance

- Certifications

The Global IIA in 2016

185,000+

MEMBERS

170

COUNTRIES &

TERRITORIES

100+

INSTITUTES

159

CHAPTERS

Expectations of Internal Audit

Sustainable

Add value

3rd Line of

Defense

Part of control

environment

Continuously

improve

Independent

Objective

Identify Risks

Evaluate controlsA respected

advisor

Insightful

Qualified

Good communicator

Understand

the business

Align with company strategy

Think outside the box

Exceed

expectations

Proactive Future

focused

Competent

Effective and

Efficient

Promotes positive

change

Agenda

• Overview of Content

• Optimization: Linking Risks & Audit

Coverage

• Measuring Effectiveness: Quality and

Improvement Program

• Communicating Results: Know Your

Stakeholders

Surveys & Demographics

Pulse of Internal Audit370 completed Surveys

• October 2014

• 7th consecutive year

• 63% Public/Private

companies

• 84% CAEs and Directors

(311 responses)

• 92% internal audit managers

or above

311 Responses From CAEs and

Directors

CBOK12,570 completed the survey

• Q1 2015

• Conducted every five years

• 32% CAEs and Directors/Sr. Managers (4,043 responses)

• 28% North American participants

• 878 CAEs and Directors/Sr. Managers from North America

878 Responses From CAEs and Directors/Sr. Managers in North America

Sources: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center conducted in

collaboration with the 2015 Common Body of Knowledge Study, © 2015 The IIA and The IIA Research

Foundation. All rights reserved. No part of this data may be copied, reproduced or otherwise

disseminated without explicit permission from The IIA.

Key Themes: Pulse of Internal Audit

• Assessing Emerging and Evolving Risks is a Key Priority

• Linking Risks and Audit Coverage Remains an Enduring Challenge

• The Profession is Facing a New Talent Shortage

• Emphasis on Quality Assurance is Lagging ←

Common Body of Knowledge (CBOK)

Visit www.theiia.org/CBOK to learn about the free resources

made available through CBOK.

OPTIMIZATION: LINKING RISKS &

AUDIT COVERAGE

Linking Risks and Audit Coverage:The Paradox of “Structural Expectations”

• Stakeholders often expect base level of

coverage:

• Financial risks

• Regulatory risks

• Compliance risks

• Once base is addressed:

• Operating risks

• IT risks

• Only then, is there interest in strategic and

business risks

• The paradox:

• Base level coverage often provides

the lowest perceived value

Source: The CBOK 2015 Global Internal Audit Practitioner survey: : ©

2015 The IIA Research Foundation

Where are you spending your time?

Source: CBOK 2015 Global Internal Audit Practitioner Survey, Q49: What percentage of your audit

plan is made up of the following categories? North American utilities, CAEs only. n= 25.

24%

12%

12%

11%

10%

10%

7%

5%

3%

2%

2%

2%

1%

0% 5% 10% 15% 20% 25%

Operational

Information technology (IT)

Sarbanes-Oxley testing or support

Strategic business risks

Risk management assurance/effectiveness

Compliance/regulatory

General financial

Corporate governance

Third-party relationships

Fraud not covered in other audits

Cost/expense reduction or containment

Other (in particular, requests, training, etc.)

Crisis management

North American Utilities, 2015

Comparison: Utility Industry vs Global

8%

24%

29%

Utilities

Source: The CBOK 2015 Global Internal Audit Practitioner survey: : ©

2015 The IIA Research Foundation

Linking Risks and Audit Coverage

Conceptually: In Practice:

Risk Resources

Audit Coverage Audit Coverage

Source: The Pulse of Internal Audit survey: © 2015 The IIA Audit Executive Center.

Optimizing “TIPS”

• Develop an audit plan based on the “real risks”

• Identify areas in where resources and expertise gaps exist

• Formulate strategies for addressing gaps

• Have candid conversations with management and the audit committee regarding:

• Resource shortfalls

• Expertise gaps

• Risks that may fall victim

• A plan of action

• Develop a long-term strategy for addressing gaps

• Don’t let the “tail wag the dog”

“Disclosing the

gaps in risk

coverage and

discussing the

resources needed

to address the gaps

is essential.”

- Joe Steakley, CAE

of HCA

MEASURING EFFECTIVENESS:

QUALITY AND IMPROVEMENT

PROGRAM

What is effective?

• Merriam-Webster: producing a result that

is wanted: having an intended effect of a

law, rule, etc.: in use

• The measure should correspond to the

desired outcome

Measure Effectiveness?

• What are some desired outcomes of your

stakeholders as related to internal audit?

• What are your desired outcomes as the

leader of internal audit?

• What methods/tools are you using?

Purpose of a QAIP

• Alignment with company strategy and

enterprise risk management

• Adherence to Audit Committee

requirements

• Promote on-going quality improvement of

internal audit

• Ensure compliance with IIA Standards*

Four Pillars of Internal Audit Quality

IA Governance(1000, 1100, 1300)

Code of Ethics &

The Definition of

Internal Audit

IA Staff (1200)

IA Management (2000, 2100,

2600 & 2450) IA Process (2200, 2300,

2400 & 2500)

Conformance with the Standards?

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

1000 – Purpose, Authority, and Responsibility

1100 – Independence and Objectivity

1130 – Impairment to Independence or Objectivity

1200 – Proficiency and Due Professional Care

1300 – Quality Assurance and Improvement Program

2000 – Managing the Internal Audit Activity

2100 – Nature of Work

2200 – Engagement Planning

2300 – Performing the Engagement

2400 – Communicating Results

2500 – Monitoring Progress

2600 – Communicating the Acceptance of Risks

North America Manufacturing North America Global Average

Source: The CBOK 2015 Global Internal Audit Practitioner survey: : ©

2015 The IIA Research Foundation

Yet – Emphasis on Formal Quality

Assurance/Improvement is Lagging

Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body

of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part

of this data may be copied, reproduced or otherwise disseminated without explicit permission from

The IIA. Note: 1.3% indicated “other” as a response to this question.

Where are you in your QAIP?

31%

44%

20%

4%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

Nonexistent or ad hoc

In the process of development

Well defined, including external qualityreview

Well defined, including external qualityreview and a formal link to continuous

improvement and staff training activities

Source: The CBOK 2015 Global Internal Audit Practitioner survey: : ©

2015 The IIA Research Foundation

Measuring Effectiveness: Audit

Processes

Analyze Your Audit Plan, consider:

• Percentage tied to the Risk Assessment

• Percentage tied to Strategic Initiatives

• Percentage of “ad hoc” management requests

Follow up of management’s action plan:

• Is it timely?

• Is it effective?

• Does it address the risk?

Measuring Effectiveness: People

COMPETENCY SKILL SET

1 Analytical/Critical Thinking

2 Communication Skills

3 Data Mining and Analytics

4 Industry-specific Knowledge

5 IT (general)

6 Business Acumen

7 Accounting

8 Risk Management Assurance

Measuring Effectiveness: Technology

• Automated work papers

• Data Analytics/Data Mining

• Computer Automated Assisted Techniques

(CAATs)

COMMUNICATING RESULTS: KNOW

YOUR STAKEHOLDERS

Communicate, Communicate,

Communicate

There is not a “One Size Fits All”

There are certain required communication –

as stated in the Standards

Internal Audit’s activity’s plans and resources

requirements

Results of engagements

Communicating the Acceptance of Risks

Content and Techniques

• Engagement Level

– Basics: Executive Summary, Scope, Risks,

Observations, Recommendations

– Beyond basics: Risk ratings (inherent,

residual)

• Internal Audit Management level

– Basics: Audit plan, resource needs

– Beyond basics: Pervasive risk concerns, risks

not covered in plan

Other Examples

• What are you communicating beyond the

basics?

• How are you communicating/frequency?

Effective Communication Traits

• Align communication with stakeholders

need / want to know

• Keep it simple

• Find the format that resonates with the

culture and stakeholders (collectively)

• Build trust

• Listen to all the cues

Going Beyond the Required

Communication – Moving up the ladder

• Analytics – are you sharing this data and assisting the organization?

• IA Team – are you a supplier of talent to the organization?

• Are you asked to be part of an initiative – i.e. to sit on a Steering Committee?

• Is Management’s requests for audits and special reviews increasing?

PARTING THOUGHTS:

THE INTERNAL AUDIT JOURNEY

Successful Practices for IA

• Strategic: Strategic internal audit plan

• Talent: Build, acquire or recruit right talent to meet needs of organization.

• Trends: Report pervasive trends across audit reports.

• Combined Assurance: Coordination with other assurance groups within organization and demonstrate how IA results impact overall risk profile

Parting Thoughts: The Journey

Continues

Questions?

The Institute of Internal Auditors

Joyce Vassiliou, CIA, CRMA, CCSA

Vice President, Goverance

joyce.Vassiliou@theiia.org

Source: The Pulse of Internal Audit Survey Conducted in collaboration with the 2015 Common Body

of Knowledge Study, © 2015 The IIA and The IIA Research Foundation. All rights reserved. No part

of this data may be copied, reproduced or otherwise disseminated without explicit permission from

The IIA. Note: 1.3% indicated “other” as a response to this question.