9/29/2016

1

Douglas J Anderson CIA, CRMA

Managing Director – CAE Solutions, IIA

Where Are We Now,

Where Are We Going,

and

How Will We Get There?

Agenda

• How Are We Viewed?

• Moving Forward

• How Can We Be Successful?

2

9/29/2016

2

How Are We

Viewed?

CBOK Study

13Languages

Global Interviews

100+

Countries

23

Global Surveys

1,124The purpose of the Common Body

of Knowledge (CBOK) 2015

stakeholder study is to gain a better

understanding of global

stakeholders’ expectations with

regard to Internal Audit’s purpose,

function and performance.

4

9/29/2016

3

CBOK Study Participants

Board members 34%

CEO 15%CFO 18%

Other C Suite 33%

5

Foundational Elements

More than

80%...

• Assess areas or topics that are significant

• Keep up to date with changes in the

business

• Sufficiently communicate audit plans

6

9/29/2016

4

Criteria to Evaluate Internal Audit

More than

70%…

• Quality of audit work/reliable results

• Usefulness of recommendations made

• Timely communication of risks

7

Should Be More Active Role in Connection With

Assessing Strategic Risk?

Yes58%No

24%

Unsure18%

8

9/29/2016

5

86%

76%

48% 48%

74%69%

53% 53%

0%

20%

40%

60%

80%

100%

Focusing on strategicrisks during audit

projects

Evaluating andcommunicating key

risks

Evaluating execution ofstrategic initiatives

Assessing reliability ofmetrics used to monitor

strategic initiatives

Board C-Suite

How

9

Beyond Assurance, What Should Be in Scope

71%

74%

76%

78%

78%

85%

60% 65% 70% 75% 80% 85% 90%

Assurance on compliance with legal and regulatoryrequirements

Alert operational management to emerging issuesand changing regulatory and risk scenarios

Consult on business process improvements

Identify appropriate risk management frameworks,practices and processes

Facilitate and monitor effective risk managementpractices by operational management

Identify known and emerging risk areas

10

9/29/2016

6

Assurance vs. Advisory

“Prime responsibility is around providing assurance on

the risks and controls… Business requests are

accepted, however, only if these do not compromise the

plan or the independence of IA”

Balance varies due to• Maturity and location• Competence of internal

auditMany assume “both” 11

Board Member from France

“The organization must be able to call upon internal audit

and benefit from its expertise without denaturing its

‘soul.’

In certain consulting engagements, there is a risk of

internal audit becoming a ‘low cost’ subcontractor.

Just because you are dealing with a reliable and

trustworthy person, it doesn’t mean that his expertise

should be diverted and exploited at will.”

12

9/29/2016

7

Moving

Forward

“Culture is the self-sustaining pattern of

behavior that determines how things are done.”Katzenbach, Oelschlegel, and Thomas

14

9/29/2016

8

Culture Is Increasingly the Culprit in

Organizational Debacles

44%

24%15%

3Fired

Demoted

Rules vs Character

“Corporate scandals of recent years have clearly

shown that the plethora of laws of the past century

have not eliminated the less savory side of human

behavior. Rules cannot substitute for character.”

Alan Greenspan

U.S. Federal Reserve Chairman

Chicago Tribune, 17 April 2004

16

9/29/2016

9

What Are We Doing?

• More than half of CAEs see

organizational culture as high risk

• But, 58 percent say

organizational culture is not

audited

Sources: IIA Financial Services Audit Center poll; IIA Audit Executive Center poll; North American Pulse of Internal Audit, 2016

Is Internal Audit Equipped?

2%

12% 26% 50% 9%IA is able to identify &

assess measures of culture

Strongly Dissgree Disagree Neither Agree Strongly Agree

80%

45%IA is able to identify &assess measures of

culture

Do Not Audit Culture Audit Culture18

9/29/2016

10

To Address a Toxic Culture, CAEs Recommend:

24%

12%

45%

40%

29%

37%

20%

37%

45%

43%

10%

17%

10%

Focus on culture in audit reports

Raise as separate topic withmanagement

Raise as separate topic with board

Coordinate efforts with othergovernance functions

Not effective Slightly effective Moderately effective Very effective Extremely effective

19

Culture

• Develop an approach to assess the critical

elements

• Gather objective and subjective information

about the organization’s culture

ouse professional judgment to evaluate

information that cannot be easily measured

• Build and use relationships

20

9/29/2016

11

Big Data

Risks of Using Data:

• Accuracy of data

• Ethical or barely legal?

• Responsive or convenient?

• Complete or available?

• Causation or correlation?

• Comprehensive or cherry-picked?21

Internal Audit Involvement in Evaluating

Data Quality

Very or

Extreme

Moderate Slight or

Not at All

22

9/29/2016

12

CAE Confidence in Strategic Decisions

Made Using Data

Slight or Not at All

Moderate

Very or Extreme

23

Use of Data

• Know what is collected, how it is analyzed, and

which decisions it supports

• Assess the risks

• Consider these risks in audit planning

• Make sure you have requisite skills

24

9/29/2016

13

Risk

Management

Theory or

Reality?

25

The possibility that events will occur and

affect the achievement of strategy and

business objectivesRisk

The culture, capabilities, and practices,

integrated with strategy and execution, that

organizations rely on to manage risk in

creating, preserving, and realizing value

Enterprise

Risk

Management

9/29/2016

14

COSO ERM

27

ISO 31000

28

9/29/2016

15

Measuring Risk

• Prioritization

– Adaptability

– Complexity

– Velocity

– Persistence

– Recovery

29

• Amount: Impact and Likelihood

Lik

elih

oo

d

Impact

Risk

• Risk is an inherent aspect of internal audit

• Digest the revisions to COSO ERM and

ISO 31000

• Become a “master” of risk theory and practical

application

30

9/29/2016

16

Non-Financial Reporting

• Non-GAAP measures

• Sustainability/integrated reporting

• Executive pay

• MD&A – CEO’s letter

• ??

31

How

9/29/2016

17

Internal Audit Structure

33

The Modern Internal Auditor

34

9/29/2016

18

No one wants to be the cop

35

Closing Thoughts

• We have a critical role to fill in an organizational

• Focus on what your stakeholders needs from you

• It’s all about risk

• The right attributes and attitudes are critical

36

9/29/2016

19

The Institute of Internal Auditors

Douglas J Anderson

Managing Director – CAE Solutions

doug.anderson@theiia.org

uestions ???

37