www.pwc.com reaching greater heights: are you prepared for the journey? 2013 state of the internal...

www.pwc.com

Reaching Greater Heights: Are You Prepared for the Journey?

2013 State of the Internal Audit Profession Study

April 18, 2013

© 2013 PricewaterhouseCoopers LLP. All rights reserved.

PwC 2© 2013 PricewaterhouseCoopers LLP. All rights reserved.

With you today

Chris LydonInternal Audit Director314 276 [email protected]

Valerie CaporuscioData Assurance Manager(330) [email protected]

April 2013

PwC © 2013 PricewaterhouseCoopers LLP. All rights reserved.

Agenda

• Introductions

• PwC’s 2013 State of the Internal Audit Profession study

- Heart of the matter

- Examining the issues

- The opportunity: defining greater heights

- The path forward

• Data analytics discussion

• Questions and answers

3April 2013


At a glance

• 9th Annual State of the Internal Audit Profession Study

• Second year where we explored the impact of Internal Audit from the lens of a stakeholder

• Over 1700 respondents, Audit Committee Chairs, Board, CEOs, and CFOs, participated including 630 executive stakeholders

• Over 140 personal executive interviews conducted

• Focus areas included

- Stakeholder’s expectations of IA

- Performance and value of IA’s contribution

- IA’s contributions in emerging risk areas

- Characteristics of IA functions

4April 2013

PwC 5

Heart of the matter

April 2013© 2013 PricewaterhouseCoopers LLP. All rights reserved.

PwC

Heart of the matterStakeholders want more and internal audit can deliver

Key takeaways• Alignment must be

achieved amongst stakeholders and CAEs on internal audit’s role in the organization, what internal audit value means and where internal audit should be focused

• Internal audit must break the cycle of inaction and improve its performance on eight core attributes

Internal audit continues to face challenges• Stakeholders are not

aligned in their views on internal audit’s value and performance

• Internal audit’s capabilities are not keeping up - what was once leading practices are now the new floor

• Internal audit continues to struggle in maximizing its contribution, especially in less traditional areas Internal audit’s performance is not keeping up with – what was once leading is now the new floor

Our research has revealed internal audit functions performing at a high level provide a distinctively different

level of service

6April 2013


PwC 7

The new floor


PwC 8

Examining the issues


PwC 9

Examining the issues

April 2013

The issues of stakeholder alignment, a challenged capability foundation and sub-optimal internal audit contribution are tightly interwoven

Internal audit must break the cycle of inaction and increase its capabilities or risk being marginalized in comparison to

other risk functions

Our survey data revealed the circular nature of the internal audit challenges



Examining the issuesStakeholders are not aligned in their views on internal audit’s value and performance

Value At the most fundamental level, stakeholders have significantly different views of internal audit value

PerformanceThis year’s research confirms that strong performance in the eight core attributes directly correlates to greater value.

Critical RisksStakeholders are not aligned on critical risks facing the organization which creates challenges for internal audit in addressing those critical risks

79% of board members see significant value, while only 44% of management do

56% of the board ranks IA performance as strong, while 37% of management do

60% of the board members believe risks are well managed vs. 52% of management

Board members’ views on value versus performance do not reconcile – 79% see significant value, yet only 56% view

performance as strong – a 23% difference

10April 2013


Examining the issuesInternal audit capabilities are not keeping up

April 2013

Our survey revealed promoting quality improvement, leveraging technology and obtaining right talent as three key

focus areas

0% 20% 40% 60% 80% 100%

Percent of stakeholders who say internal audit is performing well or very well

How well is internal audit performing in each of the following areas?

Promoting quality improvement and innovation

Leveraging technology (such as automation, data and advanced analytics)

Delivering cost-effective services

Delivering services with a service-oriented team

Engaging in and managing a relationship with stakeholders

Aligning scope and audit plan with stakeholder expectations

Focusing on critical risks and issues

Obtaining, training and/or sourcing the right level of talent for audit needs


Better integration of technology through data analytics

April 2013

Analytics are widely viewed as important

Yet few have strong programs

And most intend to, yet lack a well developed plan

81% 85% 74%

Data analytics are important to improving the quantification of issues

Data analytics are important to strengthening audit coverage

Data analytics are important to gaining a better understanding of risks

31%

Data analytics are integrated into the audit process and used regularly

71%

Plan to expand use of data analytics but do not have a well developed plan

PwC 13

Examining the issuesInternal audit continues to struggle in maximizing its contribution in areas outside of its traditional focus

April 2013

Increased internal audit focus has not translated into greater stakeholder satisfaction


PwC 14

The opportunity


PwC 15

The opportunity - defining greater heights

April 2013

Stronger foundational capabilities

Integration with ERM and other risk functions

Coverage of emerging risk areas

Higher level of service

Our survey identified a subset of organizations represented by the top 5% of the respondent base as “high performing”

The high performing internal audit functions stood out from their peers in their contribution and value to the organization



April 2013

The opportunity – defining greater heightsProfile of the top 5%

The top internal audit functions are demonstrating significantly stronger foundational capabilities

Percent of respondents who responded internal audit is performing well

Promoting quality improvement and innovation

Leveraging technology

Delivering services with a service-oriented team

Engaging in and managing a relationship with stakeholders

Aligning scope and audit plan with stakeholder expectations

Focusing on critical risks and issues

Obtaining, training and/or sourcing the right level of talent for audit needs

Delivering cost-effective services

67%

61%

54%

91%

82%

84%

80%

86%

41%

34%

23%

57%

51%

47%

49%

58%

Top 5% All others


April 2013

The high performing internal audit functions have achieved greater integration with ERM and other risk functions


0% 20% 40% 60% 80% 100%

Percent of respondents who believe internal audit is well aligned with risk

Top 5%

Others

The Organization works together across the various functional areas to create an integrated view of risk

IA creates an integrated view of risk across the organization

IA is well or extremely well coordinated with other risk groups

IA is involved in emerging risk areas

IA is well or extremely well coordinated with ERM



April 2013

The top 5% internal audit functions are providing better coverage of emerging risk areas and achieving stakeholder

satisfaction

Commercial market shifts

Economic uncertainty

Disruptive technologies

Financial markets

Data privacy

Competition

Energy and commodity costs/prices

Fraud and ethics

Government spending and taxation

Large program risk

Regulations and government policies

New product introductions

Talent and labour

Mergers, acquisitions and JVs

IT security/cyber security

Reputation/brand

92%

90%

94%

71%

77%

64%

86%

92%

55%

67%

56%

40%

53%

51%

65%

63%

52%

88%

77%

74%

82%

89%

92%

83%

37%

54%

43%

47%

51%

55%

66%

41%

Top 5% All othersTop 5% All others

Percent of respondents who responded that each risk area is well managed

PwC 19

The Opportunity – defining greater heightsInternal audit functions fall across a spectrum of value delivery


PwC 20

The path forward


PwC 21

The path forwardOur survey identified need for urgent action on part of stakeholders and CAEs alike

April 2013

Audit Committee: Ask More

• Ask yourself if your expectations of internal audit are high enough

• Ask if critical business risk coverage is aligned with your views on risk

• Ask if internal audit has a strategic plan and resources to deliver

• Ask if you are enabling internal audit to be what it should be

Management: Expect More

• Expect internal audit to perform at a higher level and bring more value

• Expect internal audit to have a stronger enterprise-wide risk assessment process

• Expect internal audit to deliver value for the investment but recognize the need to invest

• Expect a robust dialogue with internal audit and provide candid feedback

CAEs: Deliver More

• Deliver high quality on foundational areas

• Deliver a strategic vision that aligns with stakeholder expectations

• Deliver value for investment

• Deliver proactively


PwC 22

Recap

April 2013

The issues of stakeholder alignment, a challenged capability foundation and sub-optimal internal audit contribution are tightly interwoven

Internal audit must break the cycle of inaction and increase its capabilities or risk being marginalized in comparison to

other risk functions

Our survey data revealed the circular nature of the internal audit challenges


PwC 23

Data analytics discussion



Better integration of technology through data analytics

April 2013

Analytics are widely viewed as important

Yet few have strong programs

And most intend to, yet lack a well developed plan

81% 85% 74%

Data analytics are important to improving the quantification of issues

Data analytics are important to strengthening audit coverage

Data analytics are important to gaining a better understanding of risks

31%

Data analytics are integrated into the audit process and used regularly

71%

Plan to expand use of data analytics but do not have a well developed plan


Drivers and value of analytics within internal auditThe risks highlighted as a result of the financial crisis has required organizations to develop a deeper understanding of the businesses they manage. They cannot simply rely on existing control structures. They must evaluate transactional activities for patterns, trends and anomalous behavior.

Drivers Value

What is creating demand for analytics?Why is it so important for organizations to get it right?

• Pressure on audit groups to audit closer to the business and a develop a deeper position on risk and issues.

• Regulatory expectations to monitor business activities are increasing.

• Data is growing exponentially, and the technologies to analyze the data are maturing rapidly.

• Organizations are being forced to do more with less.

• Competitive pressures are forcing organizations to innovate.

• Deeper business understanding & focus on risk

• Lower existing and future costs

• End-to-end testing

• Increased population and control coverage

• Real-time evaluation of controls and data integrity - facilitates “what-if” analysis

25April 2013


Data Analytics Maturity Model

26April 2013

Ad Hoc Analytics• Occasional, ad-hoc data

analysis on certain audits

Routinely Leverage• Core technical

competencies resident within the department

• Results used for updating risk assessment throughout the audit processInitial Stage

• Creation of data experts to develop routine data analysis techniques

• No process for incorporating into IA methodology

• IA focused

Fully Optimized• Technology enables full

integration into internal audit workflow

• Business focused

There is a broad spectrum of technology use in current data analytics programs

Enhancing the use of technology can assist with improving the efficiency of the Internal Audit department.

Ad-Hoc A

nalytics

Fully O

ptimize

d Auditing


April 2013

Building an effective program

Auditing Life Cycle

Risk AssessmentAnalytics to compare like metrics between audit entities to drive risk identification

1

Control and Outcomes TestingAnalytics to test the operating and evaluate risk outcomes and quantify findings

4

Issues Management & MonitoringAnalytics to re-test and monitor identified issues and trends

6

Enterprise viewAnalytics enables regular, periodic reporting and accelerates on-going risk identification and assessment.

Business viewAnalytics increases assurance through improved population coverage and more intelligent, risk-based sample selection.

Audit PlanAnalysis of audit plan and coverage against risks and geography’s and issues

2

ReportingAnalytics to present risk insights and articulate audit findings

5

Audit Planning and ScopingRisk analysis to confirm understanding and identify issues within business operation

3


Implementing a Strategy – Where to Start?

• Start small in Year 1, working your way towards a larger data analytics or Continuous Auditing strategy by Year 3

• Along the path, evaluate:

- Resources

- Tools

- Training

• Move from manual use of data analytics tools towards automated scripting that can be used across business units and time periods, creating efficiency and repeatability

28April 2013


Sample Data Analytics Strategy

• Expand data analytic know-how to several other business processes

• Use data analytics to perform scoping activities on individual audits

• Based on results of data analysis, select high risk areas to focus on during audit

• Use data analytics to support findings and quantify issues in the internal audit report

• Implement the usage of repeatable data analytics across business units and time periods to gain efficiencies

• Utilize data analytics in the Risk Assessment process going forward

• Develop a Continuous Auditing strategy going forward

Year 1

Year 2

Year 3

29

• Select an audit, and execute data analytics on one business process where you will see immediate results, such as the Purchase-to-Pay cycle

• Communicate benefits to stakeholders to gain support and momentum

April 2013


Internal Audit Process Framework – As Is

30

ANNUAL Risk

AssessmentAudit Plan

FieldworkTechnology is being

applied here (in audit management and data analysis), to speed up audit

process…

Reporting Wrap-Up

Process to utilize results for next year’s Risk Assessment

Utilize information from previous audits for current audits (ad-hoc data analysis not leveraged project to project). However, informal sharing of

information within group.

April 2013


Internal Audit Process Framework – Future

A technology enabled approach to the internal audit framework allows for more timely identification of and response to risks.

TECHNOLOGY ENABLED APPROACHONGOING Risk

Assessment•Monitor key risks•Changes in KRIs indicating change in risk profile

Audit Plan•Monitor results to change frequency/ scope of planned audits

Reporting•Report changes in trends to management

PERIODIC Fieldwork

Strategic Audit

Continuous Audit

Program

ExecuteAutomated

Script

ExceptionReporting

ReviewReports

31April 2013

Thank you for your participation

This document is for general information purposes only and should not be used as a substitute for consultation with professional advisors.

© 2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

The 2013 State of the Internal Audit Profession Study may be found at:www.pwc.com/us/2013internalauditstudy

E-mail us questions at: [email protected]

mailto:[email protected]

www.pwc.com reaching greater heights: are you prepared for the journey? 2013 state of the internal...

Documents