Final Executive Study Strategic Role Internal Audit · 2013-01-11 · Internal Audit and Assessing Strategic Risks ..... 4 Internal Audit and the Ability to Assess Strategic Risks

Final Report: 2012 Executive Study on the Strategic Role of Internal Audit

Vonya Global: Executive Study on the Strategic Role of Internal Audit Final Report December 2012 Table of Contents Executive Summary .......................................................................................................................... 3

Internal Audit and Assessing Strategic Risks .................................................................................... 4

Internal Audit and the Ability to Assess Strategic Risks .................................................................... 9

Internal Audit and Compliance ....................................................................................................... 13

Internal Auditors and Executive Management – The Gap .............................................................. 14

Conclusion ...................................................................................................................................... 17

Page | 3 The Strategic Role of Internal Audit © Copyright 2012 – Vonya Global LLC – All rights reserved

ExecutiveSummary

Vonya Global surveyed a cross‐section of Executives and Internal Auditors from both public and private organizations in a variety of industries regarding the strategic role of Internal Audit. For the purposes of this study, “Strategic Role” is defined as Internal Audit’s reponsibility for assessing “Strategic Risk.” We have defined the term “Strategic Risk” as internal or external contingencies that may prevent a company from meeting its strategic objectives. The survey questions were designed to first determine how Internal Audit is involved in the evaluation of strategic risk across the different types of organizations. Secondly, we asked whether respondents believed that there is value in having Internal Audit participate in evaluating strategic risk. Finally, we asked whether Internal Audit is equipped to do so effectively.

This is the third study Vonya Global has conducted on the topic. Reponses from 2008, 2010, and 2012 are compared to provide benchmarks on the evolving role of Internal Audit. The survey was open for 6 weeks and available on‐line through the Vonya Global website (www.vonyaglobal.com). Respondents volunteered their time and their responses were anonymous. Invitations to participate in the survey were sent through email and a web announcement.

An assumption going into the study was that Internal Audit plays a critical role in a organization’s ability to meet its strategic objectives. The skills required to execute this responsibility have been developed through education, certification, and experience. Millions of dollars have been invested throughout the years to create tools and techniques to assist Internal Auditors with this responsibility. There are associations, peer groups, training courses, conferences, symposia, and libraries established to further the Internal Audit profession. It is our opinion that the fundamentals of Internal Audit including all the resources listed above can be applied to audit and evaluate strategic risks and strategic initiatives.

The study reveals is that this is not always the case. The capacity to serve in a strategic manner differs greatly from one organization to the next, as do the opinions on Internal Audit’s role and expectations.

SUMMARIZED STUDY DEMOGRAPHICS

Responses by Company Type:

Large Cap 27% Mid Cap 19% Small Cap 11% Private 24% Government / Not‐For‐Profit 18%

Responses by Employee Type: Internal Auditor 68% Executive Management 21% Consultant 7% Retired 2% Board of Director 2%

Average Time to Complete Study:

8 Minutes and 18 Seconds

Time of Day for Participation (CST)

0%

2%

4%

6%

8%

10%

12%

14%

16%

18%

20%

1:00

2:00

3:00

4:00

5:00

6:00

7:00

8:00

9:00

10:00

11:00

12:00

13:00

14:00

15:00

16:00

17:00

18:00

19:00

20:00

21:00

22:00

23:00

0:00


InternalAudit’sRoleinAssessingStrategicRisk

What is the role of Internal Audit, and is that role understood and agreed upon throughout the organization? The Institute of Internal Auditors defines Internal Audit’s role as:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Source: The Institute of Internal Auditors ‐ https://na.theiia.org/standards‐guidance/mandatory‐guidance/Pages/Definition‐of‐Internal‐Auditing.aspx

Each Internal Audit Department’s role will be slightly customized to meet the needs of the organization it serves. Regardless of how the role is defined, Executive Management, the Audit Committee, and the Internal Audit department should all agree upon the role and objectives of Internal Audit and have similar expectations.

“Internal Audit is regarded as highly trusted and value adding function within the company. Chief Audit Executive is driving the annual Enterprise Risk Management process together with Executives and Top Management, participates in the Board of Directors monthly/quarterly meetings and reports to Audit Committee on the significant risks, control environment and flags any relevant points of concern.”

‐Internal Auditor Response “It is very important to understand the role of internal audit and its contribution, Sr. management is expected to involve the Chief Audit Executive in decision making for risk management and compliance purpose.”

‐Internal Auditor Response

Therefore, the first question we asked in the study was: “Is there a shared understanding of the role of the Internal Auditor?”

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

Attribute Standards 1000 – Purpose, Authority, and Responsibility – The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval. 1100 – Independence and Objectivity – The internal audit activity must be independent, and internal auditors must be objective in performing their work. 1200 – Proficiency and Due Professional Care – Engagements must be performed with proficiency and due professional care. 1300 – Quality Assurance and Improvement Program – The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. Performance Standards 2000 – Managing the Internal Audit Activity – The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. 2100 – Nature of Work – The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. 2200 – Engagement Planning – Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. 2300 – Performing the Engagement – Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives. 2400 – Communicating Results – Internal auditors must communicate the results of engagements. 2500 – Monitoring Progress – The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. 2600 – Communicating the Acceptance of Risks – When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

Source: The Institute of Internal Auditors http://www.theiia.org


0%

20%

40%

60%

80%

100%

Internal Auditors Management

Shared Understanding of Role

60%

65%

70%

75%

80%

85%

90%

2008 2010 2012

Shared Understanding of RoleInternal Auditors

Management

0%

20%

40%

60%

80%

100%



200820102012

85% of Internal Auditors and 76% of Management say yes, there is a shared understanding of Internal Audit’s role. In an ideal world this percentage would be 100% for both groups. The fact that it is not 100%, as well as the gap in the opinions of Internal Auditors and Management, signifies that there is room for improvement. While this is the case, the responses to this question have been consistent when compared to the previous two studies in 2008 and 2010, and the gap in percentages between Internal Audit and Management has also held constant (see charts in right margin). The shared definition of the role of Internal Audit is not only a common sense practice, it is a requirement. Failing to do so is in violation of the IIA Standards The Institute of Internal Auditors (IIA) Standard 1010 addresses this specific issue and states:

The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.

“Internal Audit is often an afterthought from Executive Management; Internal Audit is invited to the table only after a problem has arisen and there is no firm opinion on who owns the issue.”

‐Internal Auditor Response “At my company, there tends to be misunderstanding on what Internal Audit should be focused on. This is mainly due to a lack of understanding on what is meant by "internal controls" and how there can actually be more than one way to approach the evaluation of internal controls.”



0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%



Role Includes Assessing Strategic Risks

0%

20%

40%

60%

80%

100%



200820102012

The next step in our study was to understand to what extent Internal Audit participates in the assessment of strategic risks. The positive responses in the current study show a dramatic upward spike reversing the downward trend seen in previous years. 87% of Internal Auditors responded that their roles include the assessment of strategic risks as compared to 49% in 2010 and 58% in 2008. The trend in Management responses is also positive, however only 57% of Management responded that Internal Audit’s role includes assessing strategic risks as compared to 42% in 2010 and 44% in 2008. The dramatic spike may indicate a change in the role of Internal Audit; however the gap between Internal Audit and Management implies that the understanding of Internal Audit’s role is not shared to the extent revealed in the previous section.

“If there is a Risk function, then that role falls to them, with Internal Audit having a performance review role, where a risk function does not exist, the Internal Auditor should step up to the mark.”

‐Management Response “Internal Audit is not always involved in strategic risk, generally due to lack of knowledge/sensitivity. In many cases external audit is consulted or external consultants are used to assess this risk.”

‐Management Response

“Although this can be difficult depending on overall knowledge of the audit team. Many times the seniors do not have visibility to many strategic aspects of the company which can be a challenge to address.”


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%



Should be Responsible for Assessing Strategic Risks


0%

20%

40%

60%

80%

100%



2010

2012

0%

20%

40%

60%

80%

100%


Assessing Strategic Risks Creates Value

200820102012

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%


Should be Responsible for Assessing Strategic RisksAssessing Strategic Risks Creates Value

“Internal Audit should focus on the process and controls rather specific content (i.e., risks) unless directly impacted by/from Internal Audit. Content should be driven by the Chief Risk Officer and its team/functions.”


Should Internal Audit be responsible for assessing strategic risks? While 87% of Internal Auditors responded that they are responsible for assessing strategic risks, only 74% said that they should be. Similarly, 57% of Management responded that Internal Audit is responsible for assessing strategic risks, while only 47% agreed that this was appropriate. If the responses indicate an evolution in the role of Internal Audit, they may also signify a slight reluctance to accepting the change.

“If an Internal Audit group is not focused on strategic risks, they are not doing their job. Having said that, my company is private, so there is not a lot of public knowledge about strategic objectives. We try our best to ensure we are aligned with the objectives that are fairly well known.”

‐Internal Auditor Response “Yes. Also as part of the COSO model (the ERM COSO model to be specific), strategic risk is part of the audit function.”

‐Internal Auditor Response “Evaluation of strategic risks is mainly part of the ERM process. However, I would say there is less focus on truly strategic audits, but more pure operational and financial reviews.”

‐Internal Auditor Response “Internal Audit’s role is not to act as management and determine the strategic direction of the company. i.e. ‐ competitive risk when introducing a new product line. Our role is to ensure the company is aligned at a macro and micro level.”



0%10%20%30%40%50%60%70%80%90%

100%

2008 2010 2012

Internal Auditors



0%10%20%30%40%50%60%70%80%90%

100%

2008 2010 2012

Executive Management



2010

20120%

20%

40%

60%

Role Includes Assessing

Strategic RisksShould be

Responsible for Assessing

Strategic Risks


Gap between Executives and Internal Auditors

“Risk Management, internal control, Governance, assurance & compliance are considered as integral part of Internal Audit.”

‐Internal Auditor Response Is there value in having Internal Audit evaluate strategic risks? We found it interesting that while 89% of Internal Auditors responded that there is value in having Internal Audit evaluate strategic risk, only 74% responded that Internal Audit should be responsible. Similarly, 60% of Management responded that having Internal Audit evaluate strategic risk creates value, while only 47% thought Internal Audit should be responsible. Compared to 2008 and 2010, there is a downward trend in the perceived value of having Internal Audit responsible for the evaluation of strategic risk, and the gap between Internal Audit and Management has widened.

“Since almost all internal audits are backwards‐looking ‐‐ that is, they review what has been done rather than what will be done ‐‐ then I'd have to say they are not strategic. Even when conducting a review of strategic decision making, the emphasis is on what was done or past decisions. There may be project implementation teams in which Internal Audit gets to suggest control improvements that have a future impact, but these are not the primary mission of the department.”


“Not everything in a company can be "strategic" or the word loses all meaning. Audits, however important, have nothing to do with strategy per se; they don't decide who the customers are, what they want, or how the company will provide it.”



0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%



Participates in Strategic Meetings

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%



Formal Risk Assessment Process

0%

20%

40%

60%

80%

100%

Large Cap Mid Cap Small Cap Private NFP/Govt


InternalAuditResourcesAvailabletoAssessStrategicRisks

Is strategic risk included in the Risk Assessment? The study collected data on the capability of Internal Audit relative to the evaluation of strategic risks. If Internal Audit has a role in assessing strategic risks, it must first have the ability to do so. Since a fundamental discipline in Internal Audit is the risk assessment, survey participants were asked if Internal Audit had a risk assessment methodology that included strategic risk. 85% of Internal Auditors responded that they have a formal risk assessment process which included strategic risks, while 67% of management agreed. By comparison, in the 2010 study 89% of Internal Auditors and 50% of management agreed.

“Many have a too narrow view of the role of internal auditors, one that is 30 or so years out of date. Yes, the Internal Audit role does include evaluating compliance with various rules. However, for many companies, the Internal Audit serves as an internal consultant, working with unit managers to identify problems and find solutions for those problems. Whether that broader role is a "strategic function" depends upon your definition of strategic.”


Do Internal Auditors attend strategic meetings? A prerequisite to evaluating strategic risk is to understand the organizations strategic initiatives. One way to understand the strategic initiatives is to attend management meetings where strategic initiatives are discussed. 67% of Internal Auditors in the study said they participate in strategic meetings compared to 43% of management who stated that they include Internal Audit in the strategic sessions. Comparing Internal Audit’s participation in strategic meetings by company type shows that Internal Auditor’s in Mid Cap have the highest participation percentage, while Internal Auditor’s at Small Cap have the lowest.


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%


Role

Skills

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%


Role

Methodology

Do Internal Auditors have a specific methodology for the evaluating strategic risk? While 85% of Internal Auditors responded that they have a formal risk assessment process which included strategic risks, only 63% of Internal Auditors believe they have a specific methodology for evaluating strategic risks. Similarly, 67% of management stated that they believe Internal Audit includes strategic risk in the risk assessment, yet only 38% of management thought Internal Audit had a specific methodology for evaluating strategic risks. A review of the following charts reveals an increase in the strategic role of Internal Audit combined with a slight drop in the confidence in Internal Audit’s risk assessment methodology.

“Internal Audit can be strategic if it is properly designed, staffed, and operated. They need to focus much more on enterprise risks, process analyses, operations, and planning actions to do so. Many have neither the inclination nor personnel to reach that point.”


“I'd have to say no, Internal Audit is not strategic. But that doesn't mean it's unimportant ‐ there seems to be a misconception that important stuff is automatically strategic, but any chess player will tell you that you need a mix of strategy and tactics to succeed, neither is secondary to the other.”



0%

10%

20%

30%

40%

50%

60%

70%

80%

90%


Role

Time

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%


Role

Budget

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Large Cap Mid Cap Small Cap Private NFP/Govt

Role Methodology Skills Time Budget

Do Internal Auditors have the skills necessary to assess strategic risks? Only 55% of the Internal Auditors in the study thought they had the skills while only 33% of management agreed.

“I'd make this distinction: Strategy is setting the direction, choosing the end goal and major points along

the way, answering the question "why?" Tactics are the routes we choose to get to each of these goals, answering the

question "how?" Internal Audit references how we should be doing things rather than why, and as such is a tactical rather than strategic function.”

‐Management Response Do Internal Auditors have the time allotted to allow for the assessment of strategic risk? 30% of Internal Auditors in the study believed they had the time available for assessing strategic risks and 20% said they had the budget to do so. This is in comparison to 33% of management respondents believing Internal Audit had the time available and 20% responded that Internal Audit had the budget.

“Strategic risk should be the responsibility of executive management. Internal Audit should insure that strategic risk is being evaluated and managed.”


Does Internal Audit have the financial resources (budget) to assess strategic risks? Responses to this question were nearly identical with roughly 20% of Internal Auditors and 20% of management responded that they had the budget. With 8 out of 10 responses saying Internal Audit doesn’t have the funds available to assess strategic risk is a large indicator of Internal Audit’s capacity to assess strategic risk.


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

2008 2010 2012

Internal Auditors

Role

Methodology

Skills

Time

Budget

0%

10%

20%

30%

40%

50%

60%

70%

80%

2008 2010 2012

Executives

Role

Methodology

Skills

Time

Budget

“While Internal Audit should be responsible for assessing strategic risk, they typically do not have the skills, expertise, and exposure to adequately assess strategic risks.”

‐Management Response Based on the results of this phase of the study, it can be surmised that due to the perceived lack of methodology, skills, time, and budget the ability of Internal Audit to evaluate strategic risks is low. In comparison to previous years [as show below], the role of Internal Audit seems to have expanded as the perceived ability of Internal Audit to fulfill that role has decreased.

“We provide many value added services outside the compliance arena. Our operational audits and process innovation projects add value to the organization.”



0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%


Essential for Compliance

Value directly linked to Compliance


0%

20%

40%

60%

80%

100%


Internal Audit is Essential for Compliance

2010

2012

InternalAuditandCompliance

The study sought out to determine if Internal Audit could provide value in compliance initiatives while also providing value in strategic initiatives.

“Internal audit should serve a function as independent assessor of compliance standards and good practice.”

‐Management Response “Compliance and efficiency create value.”

‐Internal Auditor Response Internal Audit is essential for providing assurance on compliance with policies and procedures and various regulations. Respondents in this study as well as the previous studies we have conducted agree. It is the one category where the responses have been consistent each year and where the gap between Internal Auditors and Management has been minimal.

“Internal Audit should NOT serve in any strategic initiatives. Nor should their strategic importance increase. They serve a vital role as independent evaluators of regulatory guidelines and of internal policy.”

‐Management Response “Management should be able to assess compliance with laws, regulations, policies and procedures. It is not (or should not be) a skill unique to Internal Audit.”


The majority of this study has been dedicated to evaluating Internal Audit’s ability to add value to a company’s strategic initiatives, the value Internal Audit provides relative to compliance is still the most important. While many disagree on the way the compliance role is defined, the value of that role is unquestioned. Here is an example of comments from two different internal auditors:


“I disagree with the "essential" word, we(Internal Audit) are an important enabler but

we're the third line of defense, to me "essential" means the first line of defense.”

“Internal Audit is the first line of defense and focused on operational and fraud

risks.”

While the role Internal Audit plays in compliance is critical, it doesn’t mean it is mutually exclusive to having a strategic role as well. A risk‐based Internal Audit function will assess all significant risks and evaluate whether the company is effectively managing and controlling those risks.


0%

20%

40%

60%

80%

100%

Gap by Percentage2010

2012

InternalAuditorsandExecutiveManagement–TheGap

The previous sections have discussed the individual questions; this section looks at the responses in aggregate. The difference in the opinions of Internal Auditors and Executive Management on the strategic role of Internal Audit proved fairly large in multiple areas [see chart below]. The largest gaps identified were in the confidence in Internal Audit’s methodology and skills, followed very closely by whether or not Internal Audit should be responsible for assessing strategic risks.

Comparing the gap identified in this study to the study conducted in 2012, it appears as though the gap has increased in almost every category.

“My company has minimal regulatory requirements to comply with. Additionally, there are very few documented company policies. That is why I would say our focus is on risk management, control and governance. In the absence of regulatory requirements and internal policies that would compel specific behavior, we must take a common sense approach to internal controls.


0%

10%

20%

30%

40%

50%

60%

70%

80%

Shared Understanding

of Role

Role Includes Assessing

Strategic Risks




Formal Risk Assessment Process

Methodology Skills Time Budget Essential for Compliance

Internal Audit would still

exist without Compliance

Value directly linked to

Compliance

Gap Identified Between Internal Auditors and Executives by Percentage


The study concluded with the question: “Internal Audit could add more value to the company if…” The following are some of the responses to this question. “Internal Audit would add more value if it had the tools and techniques required to be effective in the current environment. Internal Audit must evolve to looking at the organization systemically (big picture or globally) not functionally (locally)” “Now Internal Audit includes Risk Management, Assurance and Compliance, which is a new role of Internal Audit. To get real benefits of internal audit Senior Management and the Board must consider them as a partner in decision making.” “Internal Audit would add more value if it were asked to participate in strategic forums; consulted before certain changes are made to the extent appropriate and feasible; asked to be more forward‐looking and strategically‐oriented.” “Internal Audit would add more value if it was consistently able to provide heads‐up on potential or emerging risks to prepare the management in advance managing the risk.” “Internal Audit would add more value if it further developed its’ risk assessment and planning process, and further embedded continuous monitoring procedures into routine control monitoring.” “In the end, value is determined by the audit committee and executive management, we will add more value if we continue to listen carefully to what they want and need and deliver on those needs with high quality execution, in addition, our ability to add more value is only limited by the quality of our staff, the better people we can attract and retain, the more value we'll deliver.” “Internal Audit would add more value if it was made a partner in strategy discussions, risk assessments and in annual planning.” “Internal Audit would add more value if it would be more active in helping management to streamline its vision and mission without impairing with the objectivity and independence needed in accordance with IIA IPPF.”


Conclusion

This report started out by introducing guidelines and standards prescribed by the Institute of Internal Auditors, the unquestioned leader in certification, education and research for the Internal Audit professions. The IIA clearly states: The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board. The responses in this study would indicate that this is not being met. Good communication on expectations for any role is essential and provides a foundation for performance. This holds true for any task, job, team, department, and business. A good quality assurance program within Internal Audit consistent with the expectations of the IIA would dramatically improve the gaps identified. Suggested Actions:

1. If you are an internal auditor and reading this, take this report and your charter and sit down with senior management and the audit committee. Candidly discuss the report and review your charter and expectations to determine if your role as currently defined is meeting expectations and adding value to your company. If not meeting expectations, redefine your role.

2. If you are a member of senior management or the board, request a copy of the Internal

Audit Department Charter then request a meeting with the Internal Auditor. Candidly discuss this report and review the charter and the expectations you have of Internal Audit. Through this discussion you may find that there are opportunities for the company to gain additional value from the internal audit role.


This report is a publication of Vonya Global LLC; an international consulting firm specialized in enhancing corporate governance by providing internal audit, internal control and risk assurance services to a wide range of companies. Duplication without the expressed written consent of Vonya Global is strictly prohibited. For more information about Vonya Global please visit www.vonyaglobal.com.

Documents

Final Executive Study Strategic Role Internal Audit · 2013-01-11 · Internal Audit and Assessing Strategic Risks ..... 4 Internal Audit and the Ability to Assess Strategic Risks