Internal Audit: Making Sure Your Own Defenses Are Not Your Weakest

Donna Epps, Partner, Forensic and Dispute Services and Service Line Leader, Anti-Fraud Consulting, Deloitte Financial Advisory Services LLP

Sandy Pundmann, Partner, Deloitte & Touche LLP

Copyright © 2013 Deloitte Development LLC. All rights reserved.



New Deloitte analysis of noncompliance

•  Our analysis found that self-reported full compliance with the standards was remarkably similar for all types of entities.

•  This suggests that the additional corporate governance and oversight that is required by an entity being a public company has little or no observable impact on the internal audit function’s compliance with professional standards.

•  This could imply that those charged with governance either are not aware of the issue of noncompliance or do not consider compliance important.

Claimed full compliance with IIA Standards by entity type

Public sector/government: 52%
Not-for-profit/nongovernmental: 48%
Publicly traded company: 48%
Privately held company: 45%

Source: Deloitte analysis of IIA 2010 Global Internal Audit Survey data


New Deloitte analysis of noncompliance (continued)

Public company CAE-reported compliance with IIA Standard AS 1300, Quality Assurance and Improvement Program, by revenue/budget (USD)

Overall: 38%
$0.5 billion or less: 26%
$0.5 - $1 billion: 36%
$1 - $5 billion: 36%
$5 - $15 billion: 49%
$15 - $25 billion: 47%
$26 billion or more: 63%

Source: Deloitte analysis of IIA 2010 Global Internal Audit Survey data


New Deloitte analysis of noncompliance (continued)

•  Compliance with AS 1300 is reportedly only 26 percent for public companies with revenues of $0.5 billion or less, therefore compliance with IIA Standards at those public companies may be as low as 26 percent.

•  The major reasons given by CAEs for noncompliance are assertions that:
   - The standards are not appropriate for small entities
   - The standards require greater IA resources than are available
   - Compliance is not supported by management or the board.

•  The rate of compliance for entities with revenue or budgets over US$26 billion, where the first two reasons should not apply, is still only 60 percent.

•  The core issue appears to be insufficient management and board support for their IA function to comply with the self-described “essential,” “mandatory,” and “basic requirements” set out in the IIA’s Standards.


Recommendations

Ask the head of internal audit:
•  Has IA had an external quality assurance and risk-based assessment in the past five years? What were the results?
•  Is the IA function in full compliance with all IIA Standards?
•  If applicable, what are the reasons for noncompliance, when was the board informed of the noncompliance, and is there a formal plan to become compliant?

•  If there is noncompliance, consult your entity’s legal adviser to understand potential legal and regulatory exposures that may arise. Identify potential reputational and other business risks, too.

•  If there is noncompliance with IIA Standards, and hence also noncompliance with the IIA’s Code of Ethics by the chief audit executive, discuss the potential risks and the impact on the “tone from the top” that such noncompliance may create.


Recommendations (continued)

•  Commission an independent strategic assessment of the IA function to identify other actions to help align it with your entity’s risks and obtain value from it.

•  Work with your head of internal audit, CEO, and those charged with governance to consider any appropriate changes to bring your entity’s IA function promptly into full compliance with all IIA Standards and to align its activities strategically.


Internal audit maturity and value continuum

Values for each attribute are listed in order along the continuum, from Basic to High-Value.

Organization/People
•  Competency: Financial | Financial and Operational | Financial, Operational, and Strategic
•  Governance: No Involvement | Limited Involvement | Internal Audit as Adviser/Facilitator
•  Charter/Role: Financial Controls and Compliance with Policy/Procedures | Financial Controls and Operational Effectiveness | Business Controls and Risk Adviser

Processes/Methodologies
•  Risk Focus: Financial and Compliance | Financial, Compliance, and Operational | Enterprise Risks (Strategic, Operational, Financial, and Regulatory Risk)
•  Methods: Sarbanes-Oxley Controls and Compliance Checklists | Process and Controls Internal Audit Programs | Risk Intelligence Frameworks
•  Reports: Financial and Compliance Issues | Process and Operational Improvements | Proactive Risk and Trends Analysis and Dynamic Reporting

Stakeholder/Technology
•  Style: Corporate Police/Reporter | Consultative | Trusted Adviser
•  Perspective: Historical/Reactive | Current | Proactive/Future
•  Technology: Basic Project Management and Administrative Systems | Data Analysis and Continuous Auditing/Monitoring


The value of internal audit

Modern internal audit functions play a vital role in creating and preserving value to meet the changing needs of the organization.

Not just compliance: Provide greater scrutiny of emerging risk areas, adding value to the business and insight to management.

Adds value up front: Increased involvement in strategic projects, advising on risk management up front.

Greater focus on untraditional risk areas: Incorporates untraditional risk areas in operations, finance, security, privacy, and technology risk management.

Infuses data analytics and technology: Seamless use of data analytics, visualization, and other leading practices in security and technology.

Market Requirements

•  The NYSE requires listed companies to have an internal audit function.

•  NASDAQ proposed a new rule to the SEC requiring that all listed companies have internal audit departments.


Value proposition of internal auditing for key stakeholders

What should you expect from your internal audit department?

Governing bodies and senior management rely on internal auditing for objective assurance and insight on the effectiveness and efficiency of governance, risk management, and internal control processes.

Internal auditing provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.

With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice and counsel.

Internal auditing is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes.

[Figure: value proposition diagram. Assurance: Governance, Risk, Control. Insight: Catalyst, Analyses, Assessments. Objectivity: Integrity, Accountability, Independence.]


The evolution of internal audit – strategist and adviser/facilitator

The IA function is moving to higher maturity levels.

Risk focus: Rotational (Financial and Compliance)
Governance: No Involvement
Role: Assurance on Compliance with Policies/Procedures
Responsibility: External Assessment

Risk focus: Enterprise Risks
Governance: IA as Adviser/Facilitator
Role: Enterprise Risk Advisory
Responsibility: Consultative Approach


Questions for the CFO to consider

•  Is the internal audit department properly funded and as cost-effective as possible? Does it have the resources it needs to meet expectations?

•  Is internal audit responsive to the needs of today’s environment?

•  Is internal audit cognizant of new laws, regulations, and best practices?

•  Are internal audit personnel experts in their field and can they proactively consult on internal controls and risk management?

•  Is the internal audit process designed to identify whether the organization is controlling those areas that are important to control and not just what is easy to control?

•  Have the audit committee, senior management, and the CAE reconciled their expectations for internal audit?


Questions for the CFO to consider (continued)

•  Is internal audit focused on the right risk areas?

•  How does internal audit relate to, and interact with, other risk management-related functions, such as legal, security, environmental health and safety, loss prevention, quality and risk management, compliance, and credit risk? Are there duplications of effort or gaps between internal audit and these groups?

•  Has management reached a supportable conclusion as to whether internal audit complies with IIA Standards?

•  Is the internal audit department viewed as objective and competent by management and the independent auditors?

•  Is internal audit properly positioned in the company and does it have the full support of management?


This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.