Leading Internal Audit Practices and Emerging Risks€¦ · 7. Pace of technology change (e.g. emerging technologies, mobile, social media, data analytics, cloud computing) 8. Possible

Sean Winekauf

Leading Internal Audit Practices and Emerging Risks

September 14, 2015

© 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

Leading Practices


Setting the Stage


Caveats

– Practices of high-impact departments

– Not all are present in the same department

– Not all will fit with your IA department or your company

– There are others out there


Assumptions

– CAE reports to the Audit Committee

– IA is more than compliance- and financial-focused

– Audit plan is risk-based, not simply rotational in nature

– IA “building blocks” are present –respected department, consistent methodology, timely reporting, etc.


Leading Practices – Positioning


Positioning

Internal Audit Strategy– Documented multi-year plan highlighting

key departmental focus areas and initiatives

– Aligned with strategies and initiatives of the company

– IA is proactively treated as a business partner


Positioning

Integrated Assurance / Risk Convergence– Enterprise risk assessment drives IA

resource allocation

– Combined assurance – one consistent view

– IA has role in driving integrated view


Positioning

Knowledge Sharing– IA has unique perspective

– Sharing external insights on industry and emerging risks

– Sharing best practices within the company


Positioning

Other “Positioning” Leading Practices– CAE and direct reports have strong

relationships across senior management

– Others?


Leading Practices – People


People

PMO within Internal Audit– Dedicated resource(s)

– Facilitate project management, planning, reporting, issue tracking, quality reviews and Internal Audit KPI monitoring

– More common in regulated industries, but gaining traction


People

IT Audit Complement– IT Audit being led by full-time senior

leader

– IT auditors make up 25-50% of staff coverage

– Integrated auditing is the default


People

Offshoring– Cost effective resources

– Efficient coverage of routine- and non-routine tasks

– Frees up audit staff for more challenging audits and consulting projects


People

Use of Subject Matter Professionals– Often deployed when IA reviews First

Line of Defense

– Helps ensure IA remains relevant

– Helps provide desired assurance to Audit Committee and the Board


People

Other “People” Leading Practices– Guest auditor & rotation programs

– Talent placement – into and out of IA

– Auditor involvement in IA improvement initiatives

– “Centers of Excellence”

– Others?


Leading Practices – Process


Process

Leveraging Technology– Impacting all phases of audit cycle

– Business partnering to define data analytics objectives

– Increased use of GRC platforms


Process

Dynamic / Continuous Risk Assessment– Nimble audit planning

– Enhanced focus on strategic initiatives and issues

– Multi-year projects with interval reporting


Process

Management Control Awareness Ratings– Considered in planning phase of audits

– Reporting contains visibility

– IA contributes to management’s performance assessment


Process

Other “Process” Leading Practices– Organizational ownership of IA findings

– Continuous benchmarking

GAIN, Corporate Executive Board, etc.

– Others?


Leading Practice Recap


IIA Framework

Mission of Internal Audit

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight

Core Principles:

1. Demonstrates integrity

2. Demonstrates competence and due professional care

3. Is objective and free from undue influence (independent)

4. Aligns with the strategies, objectives and risks of the organization

5. Is appropriately positioned and adequately resourced

6. Demonstrates quality and continuous improvement

7. Communicates effectively

8. Provides risk-based assurance

9. Is insightful, proactive, and future focused

10. Promotes organizational improvementSource: Institute of Internal Auditors


Emerging Risks


Emerging Risk

Talent Management –• Generational Gap

• Knowledge Gap / Single Point of Failure

• Talent Retention

Regulations / Compliance• New regulations

• Different interpretations

• Public Opinion

Innovation / Business Model• Millennial buying habits

• Delivery Models

• Organizational Fatigue

Technology• Cybersecurity

• Pace of change


2015 Global Audit Committee Survey

Top Challenges and Concerns1. Uncertainty and volatility (Economic, Regulatory, Political)2. Government regulation / impact of public policy initiatives3. Legal / regulatory compliance4. Operational risk / control environment5. Talent management and development6. Growth and innovation (or lack of innovation)7. Pace of technology change (e.g. emerging technologies, mobile, social

media, data analytics, cloud computing)8. Possible disruption to the business model9. Cybersecurity – including data privacy and protection of intellectual

property10.Global systemic risk (pandemic, social unrest, geopolitical instability …)

Source: KPMG’s Audit Committee Institute


Conclusion

What should your internal audit department look like?


The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

Sean Winekauf, DirectorKPMG, ERM / [email protected]

mailto:[email protected]

Documents

Leading Internal Audit Practices and Emerging Risks€¦ · 7. Pace of technology change (e.g. emerging technologies, mobile, social media, data analytics, cloud computing) 8. Possible