TRENDS
WWW.THEIIA.ORG/CAE
Internal Audit Budget & Staffing Projections
- Remain the Same: Budget 55%, Staffing 71%
- Increase: Budget 35%, Staffing 25%
- Decrease: Budget 8%, Staffing 3%
- Unsure: Budget 2%, Staffing 1%
Moving Out of the Comfort Zone
Are We Too Comfortable?
Culture
Lack of Support Can Be a Hurdle
2% 3% 1% 10% 13% 5% 12% 19% 17% 43% 38% 34% 33% 27% 43%
- Has freedom to assess the entire organization & staff
- Has full support of the executive management to assess all levels
- Has full support of the board to assess all levels
Scale: Strongly Disagree, Disagree, Neither, Agree, Strongly Agree
Support Makes a Difference
87% 77% 89% 68% 56% 68%
- Has freedom to assess the entire organization & staff
- Has full support of the executive management to assess all levels
- Has full support of the board to assess all levels
Legend: Do Not Audit Culture, Audit Culture
What About Reporting Lines?
- Report Administratively to the CEO
- Report Administratively to the CFO
Is Internal Audit Equipped?
IA is able to identify & assess measures of culture
- Strongly Disagree: 2%
- Disagree: 12%
- Neither: 26%
- Agree: 50%
- Strongly Agree: 9%
80% 45%
IA is able to identify & assess measures of culture
Legend: Do Not Audit Culture, Audit Culture
Addressing a Toxic Culture
24% 12% 45% 40% 29% 37% 20% 37% 45% 43% 10% 17% 10%
- Focus on culture in audit reports
- Raise as separate topic with management
- Raise as separate topic with board
- Coordinate efforts with other governance functions
Scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective
Culture
- Develop an approach to assess the critical elements
- Gather objective and subjective information about the organization’s culture
- Use professional judgment to evaluate information that cannot be easily measured
- Build and use relationships
Use of Data
Use of Data – Some Risks
- Ethical or barely legal?
- Responsive or convenient?
- Complete or available?
- Causation or correlation?
- Comprehensive or cherry-picked?
Internal Audit Involvement in Evaluating Data Quality
Legend: Very or Extreme, Moderate, Slight or Not at All
Confidence in Strategic Decisions Made Using Data
Legend: Slight or Not at All, Moderate, Very or Extreme
Use of Data
- Know what is collected, how it is analyzed, and which decisions it supports
- Assess the risks
- Consider these risks in audit planning
- Make sure you have requisite skills
From Cybersecurity to Cyber Resiliency
Addressing Cyberattacks – What is Effective?
Cybersecurity
Cyber Resiliency
Addressing Cyberattacks in Business Continuity Plans
- Provide general procedures in response
- Provide clear, specific procedures in response
- Do not specify procedures in response
Internal Audit Effort Falls Short of Ideal
26% 31% 33% 40% 63% 56% 55% 69%
- Provides assurance over readiness and response
- Works collaboratively with IT and others to build effective response
- Ensures communication & coordination among all parties regarding risk
- Communicates to board & management level of risk & efforts to address
Legend: Ideal, Actual
Why We Fall Short
- Lack of communication or cooperation from departments other than IT: 19%
- Lack of support from executive management: 23%
- Lack of understanding of Board as to criticality: 23%
- Lack of communication or cooperation from IT: 26%
- Lack of expertise in internal audit: 52%
Cyber Resiliency
- Understand cybersecurity risk
- Consider all aspects of cyber resiliency in your organization: protection, monitoring, response and recovery
- Ensure internal audit has the skills to be engaged in these areas
- Discuss cyber resiliency preparedness with management and the audit committee
Valuing Interpersonal Skills
Interpersonal Skills are Critical
- Quality controls: 9%
- Investigations: 19%
- Fraud auditing: 21%
- Finance: 23%
- Cybersecurity: 28%
- Data mining & analytics: 37%
- Risk management…: 40%
- Accounting: 42%
- IT: 44%
- Industry-specific: 65%
- Business Acumen: 83%
- Analytical/critical thinking: 97%
- Communication skills: 98%
How Do We Ensure Internal Audit Has the Requisite Skills?
79% 81% 84% 84% 85% 86% 86% 86% 86% 86% 10% 8% 15% 14% 14% 13% 13% 14% 14% 15%
- Accounts for cultural aspects
- Accounts for org politics
- Leads through influence, conviction, sensitivity
- Recognizes own limitation and seeks advice
- Uses research, intelligence, problem solving
- Balances diplomacy & assertiveness
- Manages conflict effectively
- Listens actively
- Organizes & expresses ideas clearly
- Collaborates with others
Legend: Recruiting, Training
What Kind of Training?
42% 54% 40% 40% 24% 38% 34% 48% 49% 41% 36% 36% 38% 42% 46% 44% 53% 40% 45% 48%
- Manages conflict effectively
- Recognizes own limitations & seeks advice
- Organizes & expresses ideas clearly
- Leads through conviction, influence, sensitivity
- Uses research, intelligence, problem solving
- Listens actively
- Collaborates with others
- Balances diplomacy with assertiveness
- Accounts for organization politics
- Accounts for culture
Legend: Classroom training for auditors, Classroom training for professionals, Self-study, Mentoring, On-the-job
How Effective is Our Training?
49% 50% 50% 47% 48% 49% 46% 49% 45% 34% 38% 38% 37% 38% 39% 43% 42% 40% 40% 49% 13%
- Manages conflict effectively
- Organizes & expresses ideas clearly
- Balances diplomacy with assertiveness
- Accounts for organization politics
- Accounts for culture
- Listens actively
- Recognizes limitations and seeks advice
- Uses research, intelligence, problem solving
- Leads through influence, conviction, sensitivity
- Collaborates with others
Scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective
The Result Mediocrity
48% 49% 46% 44% 49% 40% 41% 38% 43% 23% 33% 34% 37% 30% 31% 47% 41% 41% 39% 54% 18%
- Manages conflict effectively
- Organizes & expresses ideas clearly
- Balances diplomacy with assertiveness
- Accounts for organization politics
- Accounts for culture
- Listens actively
- Recognizes limitations and seeks advice
- Uses research, intelligence, problem solving
- Leads through influence, conviction, sensitivity
- Collaborates with others
Scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective
Is Something Askew?
Rely on Training On-the-Job & Mentoring
Training is Pretty Effective
Less Than Half of Staff are Very Proficient
Interpersonal Skills
- Recruit for needed soft skills – don’t assume that accountants, engineers or IT professionals can easily learn these.
- Take a more disciplined/formal approach to training/mentoring.
- Consider branching out from informal training methods and seek new options for improving the effectiveness of training.
- Evaluate current job description and job postings to ensure they reflect the skills you truly need.
Invest in yourself and your team
Parting Thoughts
- Assurance on compliance with legal & regulatory requirements: 71%
- Alert operational management to emerging issues & changing regulatory & risk scenarios: 74%
- Consult on business process improvements: 76%
- Identify appropriate risk management frameworks, practices & processes: 78%
- Facilitate & monitor effective risk management practices by operational management: 78%
- Identify known & emerging risk areas: 85%
Source: CBOK Stakeholder Report: Relationships and Risk, Insights from Stakeholders in North America