WWW . THEIIA . ORG / CAE
TRENDS
Internal Audit Budget & Staffing Projections
(Budget / Staffing)
• Remain the Same: 55% / 71%
• Increase: 35% / 25%
• Decrease: 8% / 3%
• Unsure: 2% / 1%
Moving Out of the Comfort Zone
[Figure values: 58%, 52%, 71%, 55%; labels not preserved]
Are We Too Comfortable?
Culture
Lack of Support Can Be a Hurdle
Response scale: Strongly Disagree, Disagree, Neither, Agree, Strongly Agree (segment values listed in the order extracted from the chart)
• Has full support of the board to assess all levels: 1%, 17%, 34%, 43%, 5%
• Has full support of the executive management to assess all levels: 3%, 13%, 19%, 38%, 27%
• Has freedom to assess the entire organization & staff: 2%, 43%, 12%, 33%, 10%
Support Makes a Difference
(Do Not Audit Culture / Audit Culture)
• Has full support of the board to assess all levels: 68% / 89%
• Has full support of the executive management to assess all levels: 56% / 77%
• Has freedom to assess the entire organization & staff: 68% / 87%
What About Reporting Lines?
• Report Administratively to the CEO
• Report Administratively to the CFO
Is Internal Audit Equipped?
Response scale: Strongly Disagree, Disagree, Neither, Agree, Strongly Agree (segment values listed in the order extracted from the chart)
• IA is able to identify & assess measures of culture: 2%, 12%, 26%, 50%, 9%
(Do Not Audit Culture / Audit Culture)
• IA is able to identify & assess measures of culture: 45% / 80%
Addressing a Toxic Culture
Response scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective (segment values listed in the order extracted from the chart)
• Coordinate efforts with other governance functions: 10%, 37%, 43%
• Raise as separate topic with board: 29%, 45%, 17%
• Raise as separate topic with management: 10%, 12%, 40%, 37%
• Focus on culture in audit reports: 24%, 45%, 20%
Culture
• Develop an approach to assess the critical elements
• Gather objective and subjective information about the organization’s culture
  o Use professional judgment to evaluate information that cannot be easily measured
• Build and use relationships
Use of Data
Use of Data – Some Risks
• Ethical or barely legal?
• Responsive or convenient?
• Complete or available?
• Causation or correlation?
• Comprehensive or cherry-picked?
Internal Audit Involvement in Evaluating Data Quality
[Chart categories: Very or Extreme; Moderate; Slight or Not at All]
Confidence in Strategic Decisions Made Using Data
[Chart categories: Slight or Not at All; Moderate; Very or Extreme]
Use of Data
• Know what is collected, how it is analyzed, and which decisions it supports
• Assess the risks
• Consider these risks in audit planning
• Make sure you have requisite skills
From Cybersecurity to Cyber Resiliency
Addressing Cyberattacks – What is Effective?
Cybersecurity
Cyber Resiliency
Addressing Cyberattacks in Business Continuity Plans
[Chart categories: Provide general procedures in response; Provide clear, specific procedures in response; Do not specify procedures in response]
Internal Audit Effort Falls Short of Ideal
(Ideal / Actual)
• Communicates to board & management level of risk & efforts to address: 69% / 40%
• Ensures communication & coordination among all parties regarding risk: 55% / 33%
• Works collaboratively with IT and others to build effective response: 56% / 31%
• Provides assurance over readiness and response: 63% / 26%
Why We Fall Short
• Lack of expertise in internal audit: 52%
• Lack of communication or cooperation from IT: 26%
• Lack of understanding of Board as to criticality: 23%
• Lack of support from executive management: 23%
• Lack of communication or cooperation from departments other than IT: 19%
Cyber Resiliency
• Understand cybersecurity risk
• Consider all aspects of cyber resiliency in your organization: protection, monitoring, response and recovery
• Ensure internal audit has the skills to be engaged in these areas
• Discuss cyber resiliency preparedness with management and the audit committee
Valuing Interpersonal Skills
Interpersonal Skills are Critical
• Communication skills: 98%
• Analytical/critical thinking: 97%
• Business Acumen: 83%
• Industry-specific: 65%
• IT: 44%
• Accounting: 42%
• Risk management…: 40%
• Data mining & analytics: 37%
• Cybersecurity: 28%
• Finance: 23%
• Fraud auditing: 21%
• Investigations: 19%
• Quality controls: 9%
How Do We Ensure Internal Audit Has the Requisite Skills?
(Recruiting / Training)
• Collaborates with others: 15% / 86%
• Organizes & expresses ideas clearly: 14% / 86%
• Listens actively: 14% / 86%
• Manages conflict effectively: 13% / 86%
• Balances diplomacy & assertiveness: 13% / 86%
• Uses research, intelligence, problem solving: 14% / 85%
• Recognizes own limitation and seeks advice: 14% / 84%
• Leads through influence, conviction, sensitivity: 15% / 84%
• Accounts for org politics: 8% / 81%
• Accounts for cultural aspects: 10% / 79%
What Kind of Training?
Training methods: Classroom training for auditors, Classroom training for professionals, Self-study, Mentoring, On-the-job (segment values listed in the order extracted from the chart)
• Accounts for culture: 41%, 48%
• Accounts for organization politics: 49%, 45%
• Balances diplomacy with assertiveness: 48%, 40%
• Collaborates with others: 34%, 53%
• Listens actively: 38%, 44%
• Uses research, intelligence, problem solving: 24%, 46%
• Leads through conviction, influence, sensitivity: 40%, 42%
• Organizes & expresses ideas clearly: 40%, 38%
• Recognizes own limitations & seeks advice: 54%, 36%
• Manages conflict effectively: 42%, 36%
How Effective is Our Training?
Response scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective (segment values listed in the order extracted from the chart)
• Collaborates with others: 34%, 49%, 13%
• Leads through influence, conviction, sensitivity: 45%, 40%
• Uses research, intelligence, problem solving: 49%, 40%
• Recognizes limitations and seeks advice: 46%, 42%
• Listens actively: 49%, 43%
• Accounts for culture: 48%, 39%
• Accounts for organization politics: 47%, 38%
• Balances diplomacy with assertiveness: 50%, 37%
• Organizes & expresses ideas clearly: 50%, 38%
• Manages conflict effectively: 49%, 38%
The Result Mediocrity
Response scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective (segment values listed in the order extracted from the chart)
• Collaborates with others: 23%, 54%, 18%
• Leads through influence, conviction, sensitivity: 43%, 39%
• Uses research, intelligence, problem solving: 38%, 41%
• Recognizes limitations and seeks advice: 41%, 41%
• Listens actively: 40%, 47%
• Accounts for culture: 49%, 31%
• Accounts for organization politics: 44%, 30%
• Balances diplomacy with assertiveness: 46%, 37%
• Organizes & expresses ideas clearly: 49%, 34%
• Manages conflict effectively: 48%, 33%
Is Something Askew?
• Rely on Training On-the-Job & Mentoring
• Training is Pretty Effective
• Less Than Half of Staff are Very Proficient
Interpersonal Skills
• Recruit for needed soft skills – don’t assume that accountants, engineers or IT professionals can easily learn these.
• Take a more disciplined/formal approach to training/mentoring.
• Consider branching out from informal training methods and seek new options for improving the effectiveness of training.
• Evaluate current job description and job postings to ensure they reflect the skills you truly need.
Invest in yourself and your team
Parting Thoughts
• Identify known & emerging risk areas: 85%
• Facilitate & monitor effective risk management practices by operational management: 78%
• Identify appropriate risk management frameworks, practices & processes: 78%
• Consult on business process improvements: 76%
• Alert operational management to emerging issues & changing regulatory & risk scenarios: 74%
• Assurance on compliance with legal & regulatory requirements: 71%
Source: CBOK Stakeholder Report: Relationships and Risk, Insights from Stakeholders in North America