Adding Value to your Organisation IIA Ethiopia Training

Adding Value to your Organisation IIA Ethiopia Training 08 September 2018 Addis Ababa

Presenter
IIA Global Chairman 2012-2013
ECIIA President 2010-2011
IIA UK and Ireland President 2005-2006
Holder of the CIA, CMIIA, CRMA, QIAL qualifications
32 years' experience in Internal Audit, 27 years at managerial level
IA Project Expert for the EC and the OECD
Experience in the Public and Private sectors, including spells as:
• VP Capability & Head of the Centre of Internal Audit Excellence - Huawei
• Head of Internal Audit for a number of Health organisations in the UK
• Head of Internal Audit for the UN Special Tribunal for the Lebanon
• Head of Internal Audit for the UN War Crimes Tribunal for Bosnia Herzegovina
• Project Manager for EC funded projects in Poland, Romania, Turkey
• Project Manager for Development Agency funded projects in Kenya, South Africa and Botswana
• Project Expert for EC/OECD funded projects in Croatia, Kosovo, Serbia, Hungary, Latvia, Estonia, Lithuania, Czech Republic, Macedonia

Agenda
1. Internal Audit’s purpose
2. Business Process Risk & Internal Audit
3. Risk Based Internal Audit
4. Qualified Personnel
5. Audits to Consider
6. Conclusion

Internal Audit’s Purpose

The profession had been around for a number of years, largely seen for a long time as a sub-set of accounting. On 23 September 1941 in New York City a number of Internal Auditors gathered at the Williams Club and the Institute of Internal Auditors was founded. This was the first emphasis that Internal Audit was a profession in its own right.

Risk has always been part of the Internal Audit process
Initially the Internal Audit process was based around a systems approach, which identified the Control Objectives for a system, and Internal Audit assessed the functioning of controls to assist in achieving those objectives. RBIA focused Internal Audit’s attention on risk to the business (i.e. Business risks) and on how these risks can be prevented or their impact negated.

Organisational Roles defined
The Three Lines of Defence - the key to risk responsibilities in an organisation

Risk & Control Responsibilities
Understanding the Three Lines of Defence is fundamental to understanding the governance oversight role.
The First Line is operational management, which has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.
The Second Line is the activities covered by several components of internal governance (compliance, risk management, quality, IT and other control departments). This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk related information up and down the organisation.
The Third Line is an independent internal audit function, which will, through a risk-based approach to its work, provide assurance to the organisation’s board of directors and senior management. This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defence. It encompasses all elements of an organisation’s risk landscape.

Football managers often say that for the goalkeeper to miss a save, 10 other players must have missed it before him. This third line role likens internal audit to that of a goalkeeper in a football match. When the ball is lost in midfield (first line) and the defence (second line) fails to pick up the opposition’s attack, it is left to the goalkeeper (third line) to save the day. There is a reasonable expectation that internal audit will identify the weaknesses in both first and second lines, and failure to do so may lead to significant loss to the organisation.
1st line: Business Management
2nd line: Risk Mgt / Compliance / Others
3rd line: Risk Based Internal Audit
External Audit and the Regulators are the Referee and Linesman.

Internal Audit’s role defined
The Internal Audit definition: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

The International Professional Practices Framework

The International Professional Practices Framework cont.
International Standards for the Professional Practice of Internal Auditing
The purpose of the Standards is to:
1. Guide adherence with the mandatory elements of the International Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.
The Standards are a set of principles-based, mandatory requirements consisting of:
1. Statements of core requirements for the professional practice of internal auditing and for evaluating the effectiveness of performance that are internationally applicable at organizational and individual levels.
2. Interpretations clarifying terms or concepts within the Standards.

The International Professional Practices Framework cont.
The Standards comprise two main categories: Attribute and Performance Standards. Attribute Standards address the attributes of organisations and individuals performing internal auditing. Performance Standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. Attribute and Performance Standards apply to all internal audit services.

Adding Value?
IPPF definition, from Glossary: Add Value. The internal audit activity adds value to the organisation (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management, and control processes.

Business Process & Risk

Business Processes are usually divided into 3 different spheres:
• Operating Processes - these will differ dependent upon the organisation
• Support Processes - these generally will be standard (HR, Finance etc)
• Project Processes - these will be similar around the two areas of Operate and Deliver:
  Operate – design, construct and use
  Deliver – design and construct only

Business Processes cont.
Essentially every organisation will have the following Business areas:
Support:
• Manage Human Resources
• Manage Financial Strategy – Loans, Transfer Pricing, FOREX etc
• Manage Financial Services – Payroll, Income, Expenditure etc
• Manage Information & Technology Resources
• Manage Physical Resources
• Manage Corporate Organisation
• Manage Legal Affairs – Contracts, Compliance with Laws etc
• Manage External Relationships
• Manage Internal Audit
Operating:
• Manage Production
• Manage Supply Chain
• Manage Delivery
• Manage Stock
Projects:
• Manage Project Operate 1
• Manage Project Operate 2
• Manage Project Delivery 1
• Manage Project Delivery 2

The Process of Getting to Work
• Night before, set the alarm clock
• Get up when the alarm goes off
• Walk to work station
• Have breakfast
• Get transport to workplace, either train, bus or car

Business Process & Internal Audit
Why is this important to Internal Auditors? To understand risk and control you need to understand the process by which objectives are to be achieved. The scenario of how you get to work can change; certain things can be done at a different stage of the process. For example, if you use your car, when do you fill up with petrol? What you will do is find the most efficient, effective way in which to achieve your objective. This is exactly the same for a business: the process must reflect the most efficient and effective way of achieving the objective. The auditor is then in a position to evaluate the business process not only to ensure that risks are being managed but also that the process is the best it could be.

Understanding the Business
Requires the Internal Auditor to ensure that they understand what processes are undertaken and for what objective.

Types of Risk
Inherent risk (sometimes called gross risk) is the risk that naturally exists before any action is taken to mitigate it. It is the product of likelihood (or probability) and impact.
Residual risk (sometimes called net risk) is the risk that inevitably remains after mitigation, making the assumption that the mitigating actions are effective.

Risk in everyday life
The Scenario - Getting to work
• Night before, set the alarm clock
• Get up when the alarm goes off
• Walk to work station
• Have breakfast
• Get transport to workplace, either train, bus or car

What can go wrong?
Remember: Risk is an occurrence which will prevent you from achieving your desired objective. What are the Risks, the Barriers, that prevent the objective being achieved?

What can go wrong
• Night before, set the alarm clock
• Get up when the alarm goes off
• Walk to work station
• Have breakfast
• Get transport to workplace, either train, bus or car

Risk Management

COSO ERM FRAMEWORK

COSO Enterprise Risk Management Framework cont.
[Diagram with three dimensions: Types of Objectives of an organisation; Components of Enterprise Risk Management; Business structure of an organisation]

Enterprise Risk Management Definition
Enterprise risk management is a process, effected by an entity’s board of directors, managers and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Enterprise Risk Management includes identifying and assessing risks and then responding to them in a timely and appropriate manner. Remember that the resources available for managing risks are finite and so the aim of risk management is to achieve an optimum response to risk, prioritised in accordance with an evaluation of the risks. It is a process that should be used throughout the organisation.

Enterprise Risk Management cont.
• Attempts to ANTICIPATE the risks and put actions in place to try and stop them happening
• Attempts to make the control specifically designed to deal with the specific risks in that organisation and proportionate to the significance of the risk
• Is proactive rather than reactive
• Is about making sure the important risks are managed, in the best way, at the right time
• Is about making sure time, effort and resources are not wasted on the things that are unimportant or unlikely to happen

Enterprise Risk Management cont.
ERM allows the important risks for the organisation to be identified. It ensures that these risks are known to everyone and that there is therefore consistency about risk within the organisation. It therefore provides valuable input to the Internal Audit risk assessment.

Enterprise Risk Management cont.
There are numerous Risk Management Standards around the world, the most commonly accepted ones being:
• ISO 31000
• COSO ERM
• IRM/Alarm/AIRMIC 2002 - A Risk Management Standard
• AS/NZS Standard AS 4360 Risk management (AS/NZS 4360:2004)

Types of Risk
Inherent risk (sometimes called gross risk) is the risk that naturally exists before any action is taken to mitigate it. It is the product of likelihood (or probability) and impact.
Residual risk (sometimes called net risk) is the risk that inevitably remains after mitigation, making the assumption that the mitigating actions are effective.

Risk Impact and Likelihood
Risk is usually measured in terms of likelihood and impact.
[Matrix: Impact (HIGH / MEDIUM / LOW) against Likelihood (LOW / MEDIUM / HIGH)]

Treatment of Risk
Once Risk has been identified, then how should the organisation respond? Much will depend on the Risk Appetite of the Organisation, i.e. how much risk they are prepared to take, remembering that much risk can also be a business opportunity.
• Tolerate – this is the risk appetite
• Treat – Establish an effective internal control regime
• Transfer – Let someone else take the risk, the best example being Insurance
• Terminate – Do not do this

Risk and Process
You can only effectively treat risk if you have an understanding of the Business Process. This allows you to identify the likelihood of the risk occurring and the impact that it will have if it occurs. This gives you the opportunity to correctly identify the action to take and, in the case of Tolerate and Treat, identify the appropriate internal controls.

Enterprise Risk Management & Internal Audit
Often Risk Management and Risk Based Internal Audit get talked about as though they are the same thing. THEY ARE NOT. Risk Management is an operational activity, and for Internal Audit to be effective it has to be independent of operations. There are, however, things that Internal Audit can do in respect of Risk Management.

Internal Audit’s role

Internal Control and Internal Audit

Internal Controls
This is the last part of the approach to effective organisations:
1. Identification of Organisational Objectives
2. Establishment of Business Processes
3. Risks to achieving Organisational Objectives
4. Internal Controls
5. Achievement of Organisational Objectives

Internal Controls cont.
Management has responsibility for each of these areas:
1. Identification of Organisational Objectives
2. Establishment of Business Processes
3. Risks to achieving Organisational Objectives
4. Internal Controls
5. Achievement of Organisational Objectives

Internal Controls
Internal Control is the mechanism that organisations use to control/negate risk so that they can achieve their objectives. It is important to understand that everyone in the organisation has responsibility for the effective operation of internal control, albeit at different levels. Essentially the phrases “internal control” and “management control” are interchangeable.

Internal Control Frameworks

Internal Control Frameworks cont.
COSO, the major framework

Internal Control Responsibility
Internal Control is the responsibility of everyone in the organisation.
Management: Has the primary responsibility for the system of internal control.
The CEO: He/she sets the ethical tone of the organisation. In smaller organisations he/she has an impact on all staff; in larger organisations the impact is limited to senior management.
The Board: Provides direction and ultimately has the responsibility.
Everyone: Front line personnel have responsibility for putting internal controls in place and monitoring their effectiveness.

Risk Based Internal Audit

The Key Aim of a Risk Based Internal Audit Approach
Is to move Internal Audit through the developmental stages: Hindsight, Insight, Foresight.

Risk Based Internal Audit Approach
• Identify & understand Business Processes – provides Objectives
• Identify & understand Risks in the Business – provides Risks
• Identify & understand established controls – provides Controls
• AUDIT – evaluates the operation of controls and whether any control is missing
• Provide a report linking the effectiveness of controls against identified risks and providing insight into whether the Business Process is effective, efficient and economic.

Risk Based Internal Audit – 4 Stages

Risk Based Internal Audit Approach
1. Are the Business Processes “fit for purpose”:
   1. Will the process achieve the objective?
   2. Does the process provide effectiveness, efficiency and economy?
   3. Could the process be improved?
Opportunities for INSIGHT (some examples):
2. Is the internal control environment providing sufficient comfort that risks are being controlled?
3. Is the risk appetite understood and consistent through the organisation?
4. Is the risk identification and assessment process robust and consistent over the organisation?
5. Is there too much control?

Risk Based Internal Audit Planning
Risk Assessment: IIA Standard 2010 Planning states “The Chief Audit Executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals”.
Important words: Risk based plan. Consistent with organisation's goals.

Risk Based Internal Audit Planning cont.
The vast majority say they use risk-based methodologies when planning. But do they?
Emerging risks present a challenge: how do you know about them?
Figures from 2017 Pulse of Internal Audit – IIA Inc

Risk Based Internal Audit Planning cont.
So do you truly have a Risk Based Audit Approach?
• If you never carry out a risk assessment? NO
• If you only carry out a risk assessment once a year? With the frequency of technology change, is this sufficient? NOT REALLY
• If you never update the IA Plan? NO

Risk Based Internal Audit Planning cont.
Steps you can take to build your Plan (obviously this will depend on your risk maturity):
1. Consult with Senior Management and confirm what they see as the key risks,
2. Review the Risk Register,
3. Corroborate the above risks, independently,
4. Prioritise the risks, Enterprise wide,
5. Determine the Business Processes largely responsible for mitigating the risks and, using a transparent process, prioritise the business processes by risk.
This provides the baseline for the Internal Audit plan. It then needs to be matched against available resources.

Risk Based Internal Audit Planning cont.
The Plan is usually prepared annually in advance of the fiscal year commencement. Many organisations now, however, operate a rolling planning process, having a continuing risk assessment leading to a planning process that is more dynamic. For example:
• An annual formal risk exercise, but working to a firm 3 month plan and a draft plan for the next three months, which can change.
• An annual formal risk exercise, but then a changeable plan which is worked out in liaison with the business units and the changing risk priorities.

Risk Based Internal Audit Planning cont.
To be effective, it is suggested that an annual formal risk exercise is necessary, but because of the changing risk situation this should be reviewed on a three to four monthly basis. It is also appropriate for the Internal Audit Plan to be flexible around the 6 month period in order to reflect changing emphasis for audit as a result of the changing risk situation. Richard Chambers, CEO and President of the Global IIA, says “Internal Audit has to be able to audit at the speed of risk”.

Risk Based Internal Audit Engagements
Let’s audit the journey to work:
• Night before, set the alarm clock
• Get up when the alarm goes off
• Walk to work station
• Have breakfast
• Get transport to workplace, either train, bus or car

Risk Based Internal Audit Engagements cont.
Process step 1: Night before, set the alarm clock
Objective: To wake at the correct time
Risks: Alarm fails to sound
Controls:
• If battery powered, battery checked
• If electric, plugged in
• If manual, fully wound
• For all, alarm mechanism checked that it is set for the correct time

Risk Based Internal Audit Engagements cont.
Process step 2: Get up when the alarm goes off
Objective: To ensure that you leave on time
Risks: You fail to get up
Controls: Alarm Clock has repeat mechanism

Risk Based Internal Audit Engagements cont.
Process step 3: Have breakfast
Objective: To ensure that you are fit to attend work
Risks: You do not have breakfast foods available
Controls:
• Regular checks of food stocks in house
• Regular shopping trips

Risk Based Internal Audit Engagements cont.
Process step 4: Get transport to workplace, either train, bus or car
Objective: To ensure you are at work on time
Risks:
• Miss the bus or train
• Car fails to start
Controls:
• Ensure that times of trains/buses are known
• Regularly service car
• Ensure that car has sufficient fuel

Risk Based Internal Audit Engagements cont.
Process step 5: Walk to work station
Objective: To arrive on time
Risks:
• Get lost
• Fall over
Controls:
• Make sure you are aware of time
• Ensure you know the location you require

Planning the Engagement – The Risk Based Internal Audit Approach
• From Management determine the objectives of the Business Process
• Using the Business Process Map determine the key risks to achieving the Business Objective
• Consider findings from previous audits, if any exist
• Identify the key controls that will negate the impact of the risk
• At this stage identify both existing controls and potential controls that are missing
• Establish at this stage your preliminary evaluation, which will prioritise your testing
• Design your testing

Testing the Robustness of the Process
Testing: Remember that Management do not want to just know that things are going wrong; they want to know why things have gone wrong and what needs to be done to correct it. Remember INSIGHT.
To be able to correct things we need to know why they went wrong, so we need to ask the 5 Whys:
1. Why did it go wrong?
2. Why did that happen?
3. What was the reason that happened?
4. Why did that happen?
5. Why did it occur?

Testing Reveals the Root Cause of Failure
To provide Value to Management you need to identify the root cause(s) – there may be more than one.

The Findings
Management do not want to be told the symptoms, i.e. the problem; they want to be told the solution. To do this the internal auditor needs to identify the underlying cause, which cannot be seen. Identifying the root cause means adopting a questioning nature, and continuing to question until you are satisfied there is nothing more. Once you get there, you can tackle the underlying problem and your recommendations will provide real value.

Risk Based Internal Audit Findings
Reiterating the basic control requirements will not improve the Internal Control environment. The recommendation needs to tackle the reasons why control was circumvented, to prevent it happening in the future. Identify the root cause of the control breakdown and then suggest how it can be fixed.

The Risk Based Internal Audit Evaluation
In order to compile an objective evaluation of the audit area, it is preferable to have all the records of the assignment in one place. This can be done on a Form RICE (Risk and Internal Control Evaluation). Using this form, in either WORD or EXCEL, allows the evaluation to be updated as the work occurs and provides a continuing assessment of the audit.

Risk Based Internal Audit Results Record

Qualified Personnel

Value in Qualification
• Internal audit is a complex and fast evolving field
• Qualification shows both Employer and Auditee that you have the necessary knowledge and expertise to undertake the work
• Professional qualification gives auditors the confidence to succeed
• The qualifications are recognised internationally

Adding Value? Encourage Qualification
Have systems in place to recognise and reward professional and educational qualifications that provide a basis for the employee to understand the ethos behind the profession. Studies have shown that qualification has a positive effect on fraud deterrence as well as a positive impact on the competence of the employee.

Which Qualification
Certified Internal Auditor is a globally-recognised qualification that provides a firm foundation for a career in internal auditing. When you study the CIA you’ll learn about internal audit theory and the core frameworks, including the International Standards, and how to plan and perform an internal audit engagement. You will also be introduced to the concepts of internal control, risk, governance and technology.
Becoming a CIA will:
• Demonstrate your proficiency and professionalism
• Distinguish you from your peers
• Develop your knowledge of best practices in the industry
• Lay a foundation for continued improvement and advancement

Audits to Consider

Common Areas of Audit
Top Areas of Focus (Rate):
1. Financial-related 22%
2. Operational 17%
3. Compliance/Regulatory 16%
4. IT and Cybersecurity 16%
5. Risk Management 6%
6. Governance and Culture 4%
Survey carried out in the US, so SARBOX scores highly.
Source: 2018 North America Pulse of Internal Audit: The Internal Audit Transformation Imperative, IIA Audit Executive Center © 2018 The Institute of Internal Auditors

Global Findings for Audit Areas
[Pie chart: percentage share of the audit plan by area; the percentages are shown on the chart. Categories:]
• Compliance/regulatory (not related to financial reporting)
• Operational (not included elsewhere)
• Enterprise risk management programs and related processes
• Financial areas other than financial reporting
• IT (not covered in other choices)
• Cyber (prevention and/or recovery)
• Fraud identification and investigation (not covered in other audits)
• Cost/expense reduction or containment
• Governance and culture
• Financial reporting (including Sarbanes-Oxley testing)
• Management of third-party relationships
• Sustainability or other nonfinancial reporting
• Support for external audit
• Other risk category not listed

Major Differences from North America to Global
• Compliance and Regulatory remains about the same (16% to 15%)
• Sarbanes Oxley reduces from 14% to 5%
• Operational falls from 17% to 14%
• Financial Audit remains about the same (9% to 8%)
• ERM coverage increases from 6% to 10%
• Fraud Investigation increases from 5% to 7%
• Equal on Cyber Security (7%) and IT Audit (9%)
• Governance & Culture increases from 4% to 6%
• Sustainability & non-financial reporting audit is listed separately in the Global survey
Globally, almost 30% of the Audit Plan covers Operational and Regulatory Audits. In North America the figure is 33%, with another 14% spent on SarBox work.

So what to Audit?
If an Organisation relies upon its Strategy to determine the path to meeting its objectives,
If Culture eats Strategy for Breakfast,
If Internal Audit’s role is to ensure that the mechanisms are in place for the organisation to meet its objectives,
Then Culture needs to be audited.

Culture – The Outsourcing Firm


Carillion


The costs of a Toxic Culture


Culture – The Banking Firm
SALES TARGETS DRIVING THE WRONG BEHAVIOUR
Wells Fargo - Bank employees opened millions of credit-card accounts customers hadn’t approved in order to hit profit targets.
As of October 1, 2016 the bank eliminated product sales goals for its retail banking team. It also appointed a new community banking chief, and fired about 5,300 employees connected to the scandal.

Toxic Culture – Political Fallout
“You knew there was a problem, and when you were asked about it, you lied. This is about personal responsibility. Wells Fargo cheated millions of people for years. … Mr. Sloan, you say you've been making changes at Wells Fargo for 30 years, but you enabled this fake account scam, you got rich off it, and then you tried to cover it up. At best, you are incompetent. At worst, you are complicit. Either way, you should be fired.”
Senator Warren’s comments to the Wells Fargo CEO

Toxic Culture – Legal Fallout


Adding Value – Audit Culture
CEOs and CFOs See Culture As Critical
• Over 90% believe culture is important
• 92% believe improving their culture would improve the value of the company
• Over 50% believe culture influences:
  • Productivity
  • Creativity
  • Profitability
  • Firm value and growth rates
• Yet, only 15% believe their corporate culture is where it needs to be
Source: “Corporate Culture: Evidence from the Field,” Graham, Harvey, Popadak, and Rajgopal; Duke University, 2015

What is audited in Culture
[Diagram: The Cultural Paradigm, made up of]
• Control Systems
• Organisation Structure
• Stories and Symbols
• Ritual and Routines
• Processes
• Power Structures
We have to learn to audit the culture of the company using the areas making up the Paradigm.

The Speed of Business Change The Fourth Industrial Revolution bringing Digital disruption


Non Technology Business Change
Excluding Technology we have:
• Policy, the free trade policy after World War II, and the current potential for a Trade War between the USA and China
• Demographics, such as baby booms or ageing populations
• More Females working, more educated population and more people being educated, speed of communication from telegraph to text

Business Change means IA change
Change means that Internal Audit have to:
• Keep in touch with changes in the business
• Have the skills to appreciate the changes happening
• Adapt Internal Audit processes to respond to changes
• Employ innovative internal audit methods

Life is changing through Technology
At the moment your alarm clock and Coffee machine rely upon input from you, to set the time and to turn them on or to set them for an automatic turn on. In the future ……

Internal Audit is changing through technology
Audit the various Technology Risks. Ensure that Internal Audit has a role in Cloud Computing.
Internal Audit should examine:
1. The Cloud strategy
2. Evaluation of Vendors
3. Implementation of the Model
4. Vendor monitoring
5. Security
[Diagram: Fully Integrated, end-to-end audit management system]
• Audit Universe and Risk Assessment
• Audit Planning and Scheduling
• Audit Management
• Reporting
• Recommendations and Follow Up
• Questionnaires
Embrace technology to make the Internal Audit process more efficient, using an Audit Management System to monitor every aspect of the audit process.

Technology Allows more Effective Testing
Use Data Analytics
“The results indicate that, similar to our prior year results, a majority of analytics functions are at a relatively immature state. While many internal audit functions are making some progress in growing their analytic capabilities, there is more work to do.”
Source: Protiviti’s 2018 Internal Audit Capabilities and Needs Survey

Internal Audit’s response to Technology change?
“The real pitfall for Internal Audit is if they don’t stay current on new technologies then they won’t have a seat at the table and be perceived to be adding value; they need to stay current (not be experts) to stay relevant.”
Alvin Bledsoe, Audit Committee Chair, SunCoke Energy
PwC 2018 State of the Internal Audit Profession Study

The Internet of Things (IoT) will change dramatically the way that we live. But it provides more and more opportunities for security lapses.

Increasing Technology brings new risks


Cyber Security – Number 3 Risk
“Our organisation may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage the brand.”
This has been a consistently rated risk over the past three years.
Source: Executive Perspectives on Top Risks 2018, Protiviti & North Carolina State University’s ERM Initiative

The Three Lines of Defence in a Cyber Context
[Diagram: Re-visualising the 3 Lines of Defence within a Digital context]
Source: At the junction of Corporate Governance and Cyber Security, FERMA & ECIIA - 2017

Adding Value in the field of Cyber Security
As the third line of defence, Internal Audit is responsible for providing objective and independent assurance that the first and second lines of defence are functioning as designed, and looks at the overall coherence and consistency of the information security programme of the organisation. It should provide at least an annual health check to the Board on the state of that programme.
Source: At the junction of Corporate Governance and Cyber Security, FERMA & ECIIA - 2017

Internal Audit can only do so much
However, IA can only add value if they are listened to and action is taken.

Cyber Security - Phishing
Audit the defences against Phishing. The response is through User Education, including simulated Phishing emails.
[Slide shows a sample phishing email] This email address does not tie in to the sender being a bank. This email, personalised to someone in the Financial department, had an attachment, allegedly the invoice. However, if you clicked on the attachment you released malware that infected your computer. I have received a number of these over the last year.
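As an added example (not code from the presentation), a small header check for the two tells the slide points at: a display name claiming to be a bank whose sender domain is not a known bank domain, and an "invoice" attachment in a macro- or code-capable format. The bank-domain allowlist and the sample message are constructed for illustration.

```python
"""Added example (not from the presentation): flag the phishing tells described on
the slide over an RFC 5322 message, using only the standard library."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed allowlist (hypothetical): domains the finance team legitimately
# receives bank correspondence from.
KNOWN_BANK_DOMAINS = {"examplebank.com"}
# Attachment types that can carry macros or code; a plain PDF invoice is not listed.
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".docm", ".xlsm", ".zip", ".html", ".htm")


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable findings for a message; an empty list means no tell."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    # Tell 1: the name says "bank" but the address does not belong to a known bank.
    if "bank" in display_name.lower() and from_domain not in KNOWN_BANK_DOMAINS:
        findings.append(f"sender '{display_name}' uses non-bank domain '{from_domain}'")
    # Replies routed to yet another domain are a common companion to a spoofed From.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain")
    # Tell 2: an 'invoice' attachment in a macro- or code-capable format.
    for part in msg.walk():
        name = part.get_filename()
        if name and "invoice" in name.lower() and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment '{name}' is an invoice in a risky format")
    return findings


def constructed_sample() -> str:
    """Build the kind of message the slide shows (constructed, not a real phish)."""
    msg = EmailMessage()
    msg["From"] = "Example Bank Payments <accounts@mail-notify-example.net>"
    msg["Reply-To"] = "payments@reply-example.org"
    msg["To"] = "finance.clerk@example.com"
    msg["Subject"] = "Overdue invoice for your attention"
    msg.set_content("Please find the attached invoice and confirm payment today.")
    msg.add_attachment(b"not a real document", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_4471.docm")
    return msg.as_string()


if __name__ == "__main__":
    for finding in phishing_indicators(constructed_sample()):
        print("PHISHING TELL:", finding)
```

The same function run over a mail gateway's quarantine sample gives an auditor a quick, repeatable way to test whether the user-education programme is being fed realistic examples.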

Look for Guidance
Audit Smart Devices in the same way that you used to audit Computers.

Agility
To respond to the Changes and the pace at which they occur, Internal Audit must be Agile, ready to embrace new techniques and practices at the earliest opportunity.
Source: 2018 Pulse of North American Internal Audit, IIA

What Does Agility mean?
“Agile focuses on continuous improvement, scope flexibility, team input, and delivering essential products, whether applied to software development or audits. This involves close collaboration across audits and function members, auditee collaboration (whilst maintaining independence), and responding to changing requirements during audits and the delivery of audit plans.”
Source: Risk in Focus: Hot Topics for Internal Audit 2018, report issued by the European Confederation of Institutes of Internal Auditing

Adding Value by an Agile Audit
The IIA recommends:
1. Change in mindset
2. Prepare to quickly refocus on disruptive risks & opportunities
3. Prioritise work on what matters most
4. Create teams with the right blend of skills
5. Coordinate with other resources in the organisation

Conclusion
To be future proof, Internal Audit needs processes in place to tackle the changing environment:
• Technology – be aware of technology threats and harness technology to provide an improved customer service
• Agile – be able to react quickly to changing circumstances
• Culture – audit Culture
• Knowledge – be knowledgeable about business processes, risks, profitability and internal control
• Listening – listen to what your customers want, learn and, if appropriate, deliver
• Expectations – understand what your customers' expectations are and resolve differences between expectation and delivery

Thank You
Phil Tarling, Internal Audit Consultant
Tel: +441329282155
Mob: +447802656986
Email: Phil.tarling@outlook.com
http://www.tarlingassurancerisk.co.uk