Driving Success in a Changing World 10 Imperatives

Driving Success in a Changing World: 10 Imperatives for Internal Audit By Larry Harrington and Arthur Piper Available free of charge: www. theiia. org/goto/CBOK

CBOK 2015 Practitioner Study • CBOK is the Global Internal Audit Common Body of Knowledge: – The global practitioner survey is the largest ongoing study of internal audit professionals in the world. – More than 25 free reports about practitioners and the profession will be released from July 2015 to July 2016. – Download free reports from the CBOK Resource Exchange at The IIA website at any time (www. theiia. org/goto/CBOK).

CBOK 2015 Practitioner Survey • Practitioner Survey Results – Survey completed April 1, 2015 – 14, 518 usable survey responses • Participation Levels – 100% representation from IIA institutes – Responses from 166 countries – 23 languages

CBOK 2015 Practitioner Study

CBOK 2015 Practitioner Study Age was obtained from 12, 780 respondents; Organization Type was obtained from 13, 032 respondents; Gender was obtained from 14, 357 respondents; Staff Level was obtained from 12, 716 respondents.

Section 1: Play a Leading Role 1. Anticipate the needs of stakeholders. 2. Develop forward-looking risk management practices. 3. Continually advise the board and audit committee. 4. Be courageous.

1. Anticipate the Needs of Stakeholders • The needs of stakeholders are constantly changing. • Internal audit must improve communication channels with stakeholders. • Formal and informal channels are important for building rapport.

Measure of Internal Audit Value Against Stakeholder Expectations

Action Points for Stakeholder Needs • Establish and maintain communication channels with all key stakeholders. • Involve them in audit planning. • Ask stakeholders what they think about the value of your work.

2. Develop Forward-Looking Risk Management Practices • Auditors must assess the likely impact of possible future events and their second- and third-order consequences. • Historical audits are of limited value to stakeholders. • It is crucial to harness the audit plan to the corporate strategy.

Internal Audit Aligned to Strategic Plan

Action Points for Risk Management • Understand the organization’s strategic, business, legal, and compliance risks. • Develop in-depth knowledge of the business. • Develop high levels of competence in technology tools (Imperatives 6 and 7). • Hire and train for the skill sets to meet the demand for their services (Imperatives 9 and 10).

3. Continually Advise the Board and Audit Committee

Action Points for Advising • Communicate risks in the context of the business’s goals and objectives. • Provide an overall opinion on how the business is managing itself. • Advise the audit committee on a regular basis of the issues it should be most concerned about. • Give an overview of the control environment and whether it is improving or becoming ineffective.

4. Be Courageous • Internal audit must have the courage to tell stakeholders the unvarnished truth, whether they want to hear it or not. • “The business has to know the audit function has teeth, ” says Robert Kella, senior vice president of internal audit for Emirates Group, Dubai, United Arab Emirates.

Internal Audit Under Pressure

Questions to Consider About the Business Environment • How well has internal audit communicated its role and mission? • What is the status of internal audit in the organization? • Does the culture of the business encourage or punish finding faults with the control environment?

Section 2: Beat the Expectations Gap 5. Support the business’s objectives. 6. Identify, monitor, and deal with emerging technology risks. 7. Enhance audit findings through greater use of data analytics. 8. Go beyond The IIA’s Standards.

5. Support the Business’s Objectives • More than half of survey respondents (57%) say their departments are fully or mostly aligned with their business’s strategic objectives. • How can misaligned audit departments unambiguously demonstrate the value they add to their organizations’ strategies? • Internal auditors must align their work to their organizations’ strategic objectives.

Initial Steps to Support Business Objectives • Develop performance measures for each area of the strategic plan. • Link performance and pay to the plan. • Educate internal auditors about the business. • Internal auditors should acquire industry-specific certifications.

6. Identify, Monitor, and Deal with Emerging Technology Risks • Technology risks are extremely difficult to manage because they are constantly evolving. • Internal auditors need to respond proactively by helping organizations identify, monitor, and deal with such emerging IT risks and advising their boards on how best to do so.

Time Spent Auditing Cybersecurity and Social Media Risk

Action Points for Technology Risks • Start looking at IT risk from a high level, examining policies, project plans, and business issues. • Network with peers and IIA special interest groups. • Increase technical knowledge by investing in your own expertise. • Increase IT skills within the team.

7. Enhance Audit Findings Through Greater Use of Data Analytics • Internal auditors must continue to improve their data analysis skills and techniques to enhance audit findings. • Such technologies enable internal auditors to improve efficiency and audit data-rich areas in more sophisticated ways.

Ways Data Mining Is Used Identification of possible frauds 49% Test of entire populations rather than sampling 47% Potential issues discovered through risk or control monitoring 47% Tests for regulatory compliance 38% Business improvement opportunities 32% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 55%

Action Points for Data Analytics • Create separate, but related, plans for internal audit’s data analytics resource. • Train management in data analysis skills. • Team up with business lines to help internal audit move into a more independent, continuous monitoring role.

8. Go Beyond The IIA’s Standards

Establish The IIA’s Standards as the Framework for Quality Assessment • Inform the audit committee about the value of the Standards. • Establish a robust QAIP as required by the Standards. • Perform an annual self-assessment to ensure conformance to the Standards and have an external quality review conducted at least every five years. • Inform the audit committee of the external review and quality program results. • Ensure that the audit team is certified; require certification for team members if they hold certain levels of responsibility.

Go Beyond the Standards to Deliver High-Value Activities • Discuss what “high-value internal audit activity” means for the audit committee and executive management. • Agree with the audit committee and executive management on specific activities internal audit can focus on to meet expectations for quality and value. • Periodically report to the audit committee and executive management on internal audit’s performance re: agreedupon specific expectations.

So far…. Internal auditors need to play a leading role to conquer the expectations gap: • Communicate effectively. • Align with strategic objectives. • Understand the business. • Deliver quality.

Section 3: Invest in Excellence 9. Invest in yourself. 10. Recruit, motivate, and retain great team members.

9. Invest in Yourself • There has never been a better time to be an internal auditor. • But internal audit departments often do not have well-developed staff training. • 4 out of 10 respondents reported fewer than 40 hours of training per year.

Hours of Training Per Year

Training Program Elements

10. Recruit, Motivate, and Retain Great Team Members • Internal audit departments need to cast their recruitment nets wider. • The internal audit profession of the future will be more evenly balanced between men and women. • Training and development programs need to be aligned to the future needs of the business.

What Skills Are You Recruiting or Building Most in Your Department? Analytical/critical thinking 64% Communication skills 52% Accounting 43% Risk management assurance 42% IT (general) 38% Industry-specific knowledge 35% Data mining and analytics 31% Business acumen 27% 0% 10% 20% 30% 40% 50% 60% 70%

Action Points for Building Talent • Recruit from a wider pool of candidates. • Build formal audit rotation programs. • Invest time in training. • Link the audit process to the needs of the individual. • Use bonuses to motivate and reward.

The 10 Imperatives Play a Leading Role 1. Anticipate the needs of stakeholders. 2. Develop forward-looking risk management practices. 3. Continually advise the board and audit committee. 4. Be courageous. Beat the Expectations Gap 5. Support the business’s objectives. 6. Identify, monitor, and deal with emerging technology risks. 7. Enhance audit findings through greater use of data analytics. 8. Go beyond The IIA’s Standards. Invest in Excellence 9. Invest in yourself. 10. Recruit, motivate, and retain great team members.

CBOK 2015: What’s Coming IIA International Conference Governance, Risk, and Control Conference South Africa Conference IIA Financial Services Exchange ECIIA Conference All Star Conference Southern Regional Conference ACIIA Conference Jul. 2015 Aug. 2015 Sept. 2015 Oct. 2015 Driving Success in a Changing World: 10 Imperatives for Internal Auditing Technology Risks Financial Services Outlook Who Owns Risk? Measuring Internal Audit’s Internal Audit Changing Role Value and Performance Combined Assurance and Public Sector the Three Lines Outlook of Defense Use of Technology for Internal Audit Processes Fraud Risk: Detection and Prevention 8 Nov. 2015 IIA Midyear Committee Meetings Dec. 2015 Core Competency Levels for Internal Auditors Interacting with Audit Committees

CBOK 2015: What’s Coming GAM Conference So. Pac Conference Leadership Conference IIA International Conference Jan. 2016 Feb. 2016 Mar. 2016 Apr. 2016 May 2016 Jun. 2016 The Skills Most Desired by IA Managers for Their Staffs CAE Career Path Maturity Levels for IA Dept. Around the World Certifications Held by Internal Auditors IIA Standards: Conformance and Trends Integrated Reporting Ethical Pressures Faced by Internal Auditors Quality Assurance and Improvement Program Trends Use of Third Parties by Internal Audit 9 Women in IA: Representation and Trends How to Evaluate and Motivate Your Staff Organizational Governance: Internal Audit's Role

YOUR DONATION DOLLARS AT WORK FREE thanks to generous contributions from individuals, organizations, and IIA chapters and institutes around the world. Download your FREE copy today at the CBOK Resource Exchange. www. theiia. org/goto/CBOK This report was generously sponsored by

About The IIA Research Foundation CBOK is administered through The IIA Research Foundation (IIARF), which has provided groundbreaking research for the internal audit profession for the past four decades. Through initiatives that explore current issues, emerging trends, and future needs, The IIARF has been a driving force behind the evolution and advancement of the profession. For more information, visit: www. theiia. org/Research

Copyright and Disclaimer • The IIARF publishes this document for information and educational purposes only. IIARF does not provide legal or accounting advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. • Copyright © 2015 by The Institute of Internal Auditors Research Foundation (IIARF). All rights reserved. For permission to reproduce or quote, please contact research@theiia. org.