Competing priorities Are CAE and audit committee priorities

Competing priorities Are CAE and audit committee priorities in sync? 2015 IIA Raleigh-Durham District Conference © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd

Competing priorities 2015 Governance, Risk and Compliance Survey • Grant Thornton’s fifth annual survey of more than 540 chief audit executives (CAEs) and audit committee members from U. S. organizations across industries • The survey was administered online from November to December 2014 © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd 2

Competing priorities What's your priority? CAEs: 1. Compliance risks 2. Operational risks 3. Financial risks 4. Strategic risks Audit committees: 1. Financial risks 2. Compliance risks 3. Operational risks 4. Strategic risks © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd 3

Competing priorities Better alignment through optimization • Through compliance optimization, internal auditors can free up limited resources to meet both audit committee and CAE objectives • The path to optimizing compliance activities requires a mix of strategies, tactics and tools that allow internal audit to get the most out of compliance activities, which, in turn, enable a focus on more value-added activities. Suggested actions for CAEs to take include: 1. 2. 3. 4. 5. Leverage control testing in a "one-to-many" approach Use GRC technology and data analytics for efficiencies Implement the 2013 COSO Framework Strive for an enterprise-wide view of risks and controls Understand the Three Lines of Defense model © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd 4

Competing priorities Leverage control testing in a "one-to-many" approach • Although only 44% have found ways to leverage control-testing results to satisfy multiple compliance requirements, • 86% said they can potentially apply one-to-many principles to up to 50% of their control testing, • and 14% said they can potentially apply the principles to up to 75% of their testing. © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd 5

Competing priorities Use GRC technology and data analytics for efficiencies • 32% of CAEs believe they’re effectively leveraging GRC technology • 73% of CAEs are not using a GRC tool • 53% of CAEs are not using data analytics © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd 6

Competing priorities Implement the 2013 COSO Framework Many are missing out on the potential benefits of COSO: have no plans to transition in the next 12 months don't know if they will but 84% of public companies surveyed have transitioned or are in the process © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd 7

Competing priorities Strive for an enterprise-wide view of risks and controls The top three steps CAEs and audit committees are taking to enhance risk management: Increased focus on risk management Better analytics and risk-modeling Integrating with operations and business strategy © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd 8

Competing priorities Understand the Three Lines of Defense model With senior management and audit committees collectively accountable for governance structures, the Three Lines of Defense model advanced by The Institute of Internal Auditors delineates more specific responsibility: FIRST LINE SECOND LINE THIRD LINE Operational management Risk management and compliance functions Internal audit © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd 9

Competing priorities 2015 Governance, Risk and Compliance Survey The ability to reach alignment between CAEs and audit committees — and to be in a position to add real value to the organization — is dependent on getting the most out of compliance activities. © 2014 Grant Thornton LLP | All rights reserved | U. S. member firm of Grant Thornton International Ltd 10