Upload
dinhcong
View
218
Download
2
Embed Size (px)
Citation preview
Section or Chapter title
© Ernst & Young. All rights reserved.
Confidential & Proprietary. Internal Audit Benchmarking Program 2016 1
Nordic Internal AuditBenchmarking programDenmark, Finland, Norway, Sweden2016
Page 2 Internal Audit Benchmarking Program 2016
Contents
Introduction 3
Background 4
Respondent insights 5
EY’s methodological approach 6
Summary of results 7
Executive summary 8
Top ratings by Nordic country 18
Detailed survey results 21
Right direction 22
Right competencies 25
Right enablers 32
Section or Chapter title
© Ernst & Young. All rights reserved.
Confidential & Proprietary. Internal Audit Benchmarking Program 2016
Introduction
3Page 3
Page 4 Internal Audit Benchmarking Program 2016
Background
The world continues to change
► Volatile markets and financial instability continue to plague global economies, while the pace of technological change iscontinuously picking up speed. Organizations need flexibility to balance in the changing environment. Internal Audit functions haveto foresee emerging threats and adopt their assessment procedures and audit plans in order to be able to provide input and insighton these threats or risks.
► With organizations increasingly relying on vast amounts of digital data to do business, cybercrime is growing ever more, renderingdamage to the organization and its brand. Companies may not be able to control when information security incidents occur, butthey can control how they respond to them. Expanding detection capabilities is a good place to start for Internal Audit functions.
► Applying up-to-date digital tools and technologies in daily audit routine increases possibility to detect cybercrime or potential weakareas. Internal Audit functions can support organizations with the establishment of a security operations center, focused onsecuring and enabling the business as well as protecting sensitive information.
► More and more, robotics is replacing traditional operations. In line with the increased connectivity and Internet of Things (IoT), newrules and regulations are being introduced. Internal Audit functions should bulk up on domain expertise and skills in their teams tomeet these challenges.
► Consumers, investors and regulators are demanding greater visibility in everything that an organization does. Respectively,organizations need their Internal Audit function to take on a much larger role within the organization and serve as a subject matterspecialist to business management around strategic initiatives, challenges and changes in the organization.
2014
2016
Page 5 Internal Audit Benchmarking Program 2016
10%
27%
12%10%10%
31%
> 15 billion
10-14,9 billion
7-9,9 billion
5-6,9 billion
3-4,9 billion
1-2,9 billion
< 1 billion
Respondents to the Nordic Internal Audit Benchmarking survey 2016
► In February and May 2016, EY conducted a survey, undertaking qualitative interviews to gain insight into the internal audit practicesadopted by Nordic-based organizations. The majority of the respondents are Chief Audit Executives in diverse industrial companies.
Demographics of survey participants:
Annual revenue (EUR)
EmployeesIndustry
51respondents
18
6
8
Respondents
19
86%
8%
2%4%
CAE
Head ofInternal Control
Other
CFO
8%4%
25%
24%
14%
25%
> 100 000
50 000-99 999
25 000 - 49 999
10 000 - 24 999
5 000 - 9 999
<5 000
Industrial products 22%
Real estate 10%
Transportation 10%
Automotive 8%
Consumerproducts 8%
Power and utilities 8%
Retail andwholesale 6%
Telecommunication 6%
Other 22%
Page 6 Internal Audit Benchmarking Program 2016
EY’s methodological approach to Internal Audit Operating Framework
Using our extensive knowledge, we have designed a framework to describe leading practices in internal audit. Each of the framework elements were considered in ourassessment of the survey results. Our methodology is based on the three main strategies illustrated below:
Aligning Internal Audit’s purpose and mandatewith the expectations of the Audit Committee,executive management and otherstakeholders
Acquiring the people, competencies andexperience to achieve Internal Audit’sobjectives
Establishing appropriateinfrastructure to facilitate theachievement of Internal Audit’sobjectives
Right competence
Right direction
Right tools
Internal auditmethodologyand delivery
Operations andreporting
Stakeholderrelationship
management
Team andorganization
structure
Tools andtechnology
Knowledgemanagement
Quality andrisk
assurance
Purpose andmandate
People andskills
development
Section or Chapter title
© Ernst & Young. All rights reserved.
Confidential & Proprietary.
Summary of results
7Page 7
Page 8 Internal Audit Benchmarking Program 2016
Executive summary
► Internal Audit functions are aiming to take on the role of strategic advisor through increasing their focus on bothoperational and strategic risks connected to the organizations business objectives.
► Internal Audit is paying increased attention to emerging risks, e.g., related to cybersecurity.► There is a general focus on monitoring and supervision activities in industrial companies, e.g., compliance
functions are becoming more common, executive management gets more involved in the internal audit planningprocesses, etc.
Internal Audit is expected to beat the forefront of newchallenges in the changingenvironment
► Internal Audit functions are implementing flexible sourcing models (guest auditors, co-sourcing, outsourcing, etc.)to improve the efficiency of audit execution and manage competence gaps.
► As the organization's strategic objectives, risk environment and market and regulatory landscape evolve, the skillsand experience of the audit function must respond accordingly.
► Some areas have experienced a high rotation of Internal Audit executives in the past two years. This highlights achallenge for Internal Audit functions and may impact the ability to attract and retain people with solid businessunderstanding and auditing experience.
To align with the changingmandate and new focus areas,access to domain expertise isof utmost importance
► Nordic Internal Audit functions possess insufficient in-house data analytics competence, which is partiallycompensated by either outsourcing or co-sourcing.
► As demand for value-adding activities increases, Nordic Internal Audit functions face additional requests toimprove risk coverage and services without increasing their budgets.
► Increased industry scrutiny of supervisory boards and executive managers pushes internal auditors to performdeep-dive reviews of audited areas, and to assess risk exposures more critically.
Putting technology and robustaudit software within the reachof every auditor is crucial toimprove efficiency andeffectiveness
Dire
ctio
nC
ompe
tenc
eTo
ols
Page 9 Internal Audit Benchmarking Program 2016
Internal Audit retains the role of strategic advisor
► Operational audits and compliance and financial reporting remain top audit tasks for the Nordic Internal Audit functions. Eventhough operational audits are identified as one of the top tasks, 35% of respondents considered operational risks as “less important” or“least important” in the risk assessment. A high focus on compliance is highlighted by the risk and competency ratings; compliance risksare one of the highest-rated risks, as 51% of those surveyed state that compliance represents the “most important” or “important” risk. Itis also rated as the fourth most necessary key competence. A key factor driving this development could be the increase in compliancefunctions, from 50% in 2014 to 76% in 2016.
► Internal Audit departments will continue to focus on operational and strategic risks in the next two years. However, the declinewitnessed from 2014 levels may possibly be due to prior implementation. Compliance and financial reporting risks are expected torise in importance over the next years compared to 2014.
► In response to the changing requirements for the third line of defense, Internal Audit has become more involved in the organization’srisk assessment procedures by supporting the management with professional input.
A clear understanding of theownership of risk and controlprocesses across the companyallows for greater clarity in therole of Internal Audit. Thisunderstanding helps InternalAudit deliver its mandate tosupport the board and executivemanagement in protecting theassets, reputation andsustainability of the company.
Allocation of available time by the InternalAudit function
Primary mandate of focus for Internal Auditin the next 2 years
Involvement of Internal Audit in supporting themanagement in identifying, assessing andconsolidating risks
64%of respondents supportthe management withprofessional input,compared to the 52%in 2014
37%
36%
20%
19%
Operational audits
Compliance and financial reporting
2016 2014
Increased focus on operational risks
Increased focus on strategic risks
Increased focus on compliance andfinancial reporting risks
2016 2014
54%
40%
35%
63%
58%
21%
Movement versus 2014
Page 10 Internal Audit Benchmarking Program 2016
Technology and emerging market risks affect Internal Audit focus
► Internal Audit functions are expected to be in the forefront of new, potential challenges in thechanging environment. In particular, cybersecurity is a top emerging risk that companiesface today, having been ranked third in 2014.
► Internal Audit functions are increasingly performing separate emerging risk assessmentscompared to 2014 (19% vs. 10%). However, two thirds of companies surveyed are yet to carryone out.
► The threat of so called cyber-physical incidents is becoming increasingly severe as industrialcompanies are becoming more and more connected. Cyber threats increase with everyadditional technology connection and socially embedded system.
► Even though cybersecurity and major shifts in technology feature among the top 5 emergingrisks, technology as a competence is rated relatively low with relatively low improvementneeds. This could indicate that Internal Audit functions are not preparing their capabilities soas to respond to the expected, serious risks.
Companies need a common cybersecurity strategy to support operating effectiveness,safety, reliability standards, business transformation and financial controls compliance. Inthis regard, effective cooperation between the Internal Audit, operational technology andinformation technology functions is required.
Internal Audit functions perform separateemerging risk assessments
19%of companiesundertake separateemerging riskassessments withintheir Internal Auditfunctions
Top 5 emerging risks that organizationsmonitor
Cybersecurity
Other risks when operating in emergingmarkets
Regulations around data privacy
Strategic transactions in emergingmarkets
Major shifts in technology
1
234
5
2016 2014
60%
47%
43%
32%
28%
35%
58%
26%
40%
35%
Developments compared to 2014
Page 11 Internal Audit Benchmarking Program 2016
Domain expertise will drive the Internal Audit function
► Nordic Internal Audit functions are mainly composed of small-sized teams with experienced staff and low turnover. This setuporiginates from the Nordic, trust-based culture and long-term employee-employer relationships.
► However, the high rotation of Internal Audit executives in some areas during the past two years highlights a potential challenge forInternal Audit functions to attract and retain people with solid business understanding and auditing experience.
► In-depth business knowledge is seen as one of the most important competence areas, and also as an area where furtherimprovement is needed. However, Internal Audit functions demonstrate a low level of internal recruitments.
► The low staff turnover and large number of auditors with more than 10 years of experience highlights a potential challenge: InternalAudit functions might not be able to address the competency improvement needs through new recruitments and will have totrain internally instead. However, internal training might prove to be a challenge as well since training budgets are low.
► In order to manage staffing and competence gaps, general internal audit co-sourcing, fraud investigations and technical skills(e.g. data analytics) remain top outsourcing areas.
► Specific process competence and the knowledge of local legislation and regulation are becoming increasingly outsourced.
Leading Internal Auditfunctions use a mixedsourcing strategy, usinginternal specialists, guestauditor programs, rotationprograms and partnershipswith external professionalservices firms to ensureaccess to specialist skills,benchmarking, localcoverage and resourceflexibility.
43%
27%
18%
12% less than 5 auditors
6-9 auditors
10-14 auditors
more than 15 auditors
Internal Audit function size
13% 15% 24%48%12% 21%
19%
48%
< 3 years 3-6 years 7-10 years > 10 years
2016 2014
Internal auditors’ level of experienceInternal Audit function turnover
28%
20%15%
37%> 15%
10-14%
5-9%
< 5%
Page 12 Internal Audit Benchmarking Program 2016
84%
82%
68%
56%
30%
22%
18%
23%
89%
95%
61%
68%
16%
Executive Management
Audit Committee
ERM and/or Internal Controlfunctions
Line Management
Other
Not applicable
Board of Directors
2016 2014
Nordic Internal Audit functions meet new stakeholders
► Over the last two years, strict regulation and industry risk exposures have led to the increased establishment ofcompliance and risk management functions in Nordic organizations.
► This development indicates an increased importance of the second line of defense, creating a potential challenge forInternal Audit in terms of how to effectively leverage the work performed by their second line of defense. Also, acompetition for resources might ensue.
► Executive management’s and the Board of Directors’ involvement in the internal audit planning process hasincreased significantly, which is a key enabler for Internal Audit to focus more on the areas and topics that are importantfor the success of the business. This is evidenced by the fact that a larger number of audit reports now have a high orcritical grading compared to 2014.
► With regards to increasing cybersecurity risks, Internal Audit should assess whether such risks are reported to theboard adequately, and consider the Chief Information Security Officer and Chief Security Officer as key stakeholders.
Effective audit function structures must facilitate a close relationship betweenthe management and key stakeholders in the wider organization. This entailsclear accountability at senior levels of the Internal Audit function for owning therelationships with key divisional, regional and risk leaders within theorganization, in addition to executive management and boards.
Companies with a Risk Management Function/ Internal Control Function/Compliance Function
Yes, formally led by head of function or equivalent Yes, led by someone else (E.g., CFO) No
Stakeholders involved in the planning process
Page 13 Internal Audit Benchmarking Program 2016
Competence-wise, a “risk-based audit plan” must be supported by a risk-based resourcing model
► Internal control, operational audit and in-depth knowledge of thecompany’s business remain the most important competencies forInternal Audit.
► Data analytics as an Internal Audit competence remain a top priorityfor improvement. Industrial companies recognize the advantages ofdata analytics as they can improve fraud recovery, generate expensesavings and bring about process improvement opportunities.
► Ongoing organizational transformations and turbulent environmentshave led to the re-prioritization of Internal Audit competencies thatneed improvement. Change management, relationship acumen andfraud investigation as competencies for improvement havereplaced written communication and technology since 2014.
► Nordic Internal Audit functions do not see the definition ofcompetencies nor training requirements for Internal Audit staff as apriority.
Industrial companies haveconsensus on the need for morespecialist and expert skills.Capabilities like data analytics,modelling, CAAT tools, cyber andcompliance and regulatory-relatedexpertise are key for auditors.Internal Audit leaders perform in-depth analyses on where gaps exist,in both competencies and thenumber of employees. A capabilitydevelopment model is then defined:“Move”, “Develop” or “Buy” for eachcompetency gap.
Internal Audit competencies
Top 3 important Internal Audit competencies
Internal control
Operational audit
In-depth knowledge of the company’sbusiness
1
2
3
2016 2014
70%
66%
62%
81%
74%
76%
Movement compared to 2014
Top 3 Internal Audit competencies for improvement
31%
36%
55%
Technology
Writtencommunication
Data analytics
2014
26%
28%
40%
Relationshipacumen
Changemanagement
Data analytics
2016
13%
17%
19%
21%
26%
26%
28%
28%
30%
30%
32%
32%
32%
34%
36%
38%
38%
45%
47%
62%
66%
70%
13%
28%
13%
15%
6%
21%
15%
23%
4%17%
26%
13%
17%
26%
40%
6%19%
6%19%
19%
6%
9%
Advisory or consulting experience
Change management
Technology
Project management
Deep industry knowledge
Other
Business strategy
Leadership and teamwork
Process improvement
Presentation and facilitation
Fraud investigation
Verbal communication
Written communication
Relationship acumen
Data analytics
Financial audit and accounting
Internal audit risk assessment
Analytical skills
Compliance/regulatory
In-depth knowledge of the company’s business
Operational audit
Internal control
Most important Improvement needs
Page 14 Internal Audit Benchmarking Program 2016
85%of Internal Audit functions
reports are graded asMedium or High in 2016
compared to 59% in 2014.
Nordic Internal Audit functions are becoming more critical in their assessments
► Internal Audit functions are moving the balance of their audit planning towards a more “top-down” approach, explicitly aligning the activity of the Internal Audit function with the key risksfaced by the organization.
► The main areas considered in the Internal Audit risk assessments cover operational,strategic, cybersecurity and compliance risks.
► During the last two years, increased industry scrutiny by supervisory boards and executivemanagers has resulted in internal auditors performing deep-dive reviews of processes andaudited areas, and assessing risk exposures more critically. This has dramatically increasedthe number of Internal Audit reports with a “high” grading.
► Internal Audit uses the number of recommendations implemented according to plan asone of the key performance measures. This makes a difference when recommendationshave a higher tendency to be closed within the set deadlines, which adds value to thebusiness.
► An increase in the recommendations managed within set deadlines (i.e., by making this a keymeasure for Internal Audit) can also be detected.
► A trend in many larger audit functions is the introduction of a secondary rating for auditreports. This approach supplements the traditional audit rating with a secondary rating for theadequacy of management’s approach to risk and control.
Audit plans are focusing more on recognizing potential root causes of multiple issuesand risks across the company, having greater impact on the company as a whole.
Risks considered in the risk assessment
5%
10%
11%
15%
17%
18%
18%
18%
19%
23%
30%
38%
28%
26%
23%
34%
27%
21%
34%
33%
22%
25%
23%
44%
32%
28%
10%
25%
28%
16%
28%
35%
10%
31%
10%
18%
21%
29%
28%
28%
24%
17%
13%
18%
3%
8%
13%
13%
10%
2%
5%
8%
3%
7%
17%
Industry risk
Fraud risk
Regulatory risk
Reputational risk
Compliance risk
Financial risk
IT risk
Cybersecurity risk
Strategic risk
Financial reporting risk
Operational risk
most important important medium less important least important
Page 15 Internal Audit Benchmarking Program 2016
Nordic Internal Audit functions need to employ robust audit software throughoutthe audit lifecycle
► Nordic Internal Audit functions demonstrate low leverage levelsof data analytics, which is partially compensated throughoutsourcing to third party providers.
► A significant increase has been noted in organisations leveragingdata analytics in more than 50% of audits, indicating thatanalytics is an efficient tool once effectively established.
► In-house data analytics competence is not developed to asophisticated level (conclusion drawn from the EY data analyticssurvey and data analytics competence gap).
► A data-driven approach is becoming essential to drive efficiency,quality and insight from the audit activity.
The Internal Audit analytics maturity model
Big data is fundamentally changing the way the enterprise operates. Organizationshave identified analytics as an efficient tool for testing outcomes, supplementingcontrols testing and other traditional audit techniques.
15%
4%
4%
13%
17%
47%
5%
2%
12%
14%
17%
50%
> 50%
40-49%
30-39%
20-29%
10-19%
< 10%
Extent to which organizations are leveraging data analytics
2016 2014
Page 16 Internal Audit Benchmarking Program 2016
5%7%12%
38%
26%
10%
2% 4%
10%
25%21%19%
0%
21%
> 3 million2-2.9 million1-1.9 million500 000-999 999
300 000-499 999
< 300 000Don't havea separatebudget for
internalaudit
Efficiency and effectiveness of Nordic Internal Audit functions is questioned bythe stakeholders
► Followed by competitive cost pressure, stakeholders expect increased assurance with the means ofthe same budget.
► Influenced by the increased demand on the function’s output and new emerging risks, Internal Auditleaders foresee significant improvement opportunities within the function pertaining to thereporting process to stakeholders, efficiency and effectiveness as well as risk awareness in thebusiness.
► External auditors exhibit limited reliance on Internal Audit functions in their work. The number ofInternal Audit functions that do not coordinate with external auditors has significantly increasedcompared to 2014. To ensure effective use of Internal Audit resources, both functions have tocoordinate.
Achieving the maximum value from the Internal Audit function requires significantinvestments in people, knowledge, technology and methodology over a sustainedperiod of time.
Budget allocation of Internal Audit functions (EUR)
2016
2014
67%
60%
50%
55%
55%
38%
33%
40%
24%
60%
60%
57%
57%
48%
45%
40%
40%
Improve the reporting process to relevant stakeholders
Improve efficiency and effectiveness of the Internal Audit function
Support in improving risk awareness in the business
Improve the internal audit risk assessment and planningprocedures
Increased leverage of audit technology tools
Improve the overall skills and personnel in the Internal Auditfunction
Improve stakeholder management
Enhance risk coverage of key risks
Other
Internal Audit improvement opportunities
15%
70%
15% significant reliance
limited reliance
no reliance
Reliance of external auditors on the work of internalauditors
2016
2014
Page 17 Internal Audit Benchmarking Program 2016
Further readingExplore our insights on governance, risk and compliance at: ey.com/GRCinsights
Can privacy reallybe protectedanymore?Privacy trends 2016
February 2016
Using cyber analytics tohelp you get on top ofcybercrimeThird-generation securityoperations centers
November 2015
Accelerating high-growthcompanies’ climb to the topStrong risk managementpractices and internal auditcapabilities as drivers forgrowth
August 2014
Metrics matterHow Internal Audit canhelp organizations assessperformancemeasurement
March 2015
How do you find the criminalsbefore they committhe cybercrime?A closer look at cyber threatintelligence
March 2016
There’s no rewardwithout risk: GRCsurvey 2015Looking at risk differently
August 2015
Predicting project risksimproves successHow predictive analyticsprovides the insight to unlockthe value of your programinvestments
July 2015
Harnessing the powerof dataHow Internal Audit canembed data analyticsand drive more value
November 2014
Section or Chapter title
© Ernst & Young. All rights reserved.
Confidential & Proprietary. Internal Audit Benchmarking Program 2016
Top ratings by Nordiccountry
18Page 18
Page 19 Internal Audit Benchmarking Program 2016
Breakdown by Nordic countryTop ratings
Rating
Key tasks 1. Operational audits2. Compliance and financial
reporting3. Other
1. Operational audits2. Strategic audits3. Education and administration
1. Operational audits2. Strategic audits3. Compliance and financial reporting
1. Operational audits2. Compliance and financial
reporting3. Planning
Top input for riskassessments
1. Enterprise resourcemanagement
2. Interviews with topmanagement
1. Interviews with topmanagement
1. Interviews with top management 1. Interviews with top management
Primary mandate forInternal Audit in thenext 2 years
No changes Increased focus on strategic andoperational risks
Increased focus on strategic risks Increased focus on operational risks
Top emerging risks 1. Social media2. Cybersecurity3. Strategic transactions in
emerging markets and otherrisks when operating inemerging markets
1. Cybersecurity2. Climate change and
sustainability3. Strategic transactions in
emerging markets; major shiftsin technology; regulationaround data privacy; economicstability
1. Other risks when operating inemerging markets
2. Cybersecurity3. Strategic transactions in emerging
markets; major shifts in technology;regulation around data privacy;economic stability
1. Cybersecurity2. Regulation around data privacy3. Other risks when operating in
emerging markets
One-on-one meetingsbetween the AuditCommittee chairmanand head of InternalAudit
1. Quarterly 1. Quarterly or annually 1. Semi-annually 1. Quarterly
Page 20 Internal Audit Benchmarking Program 2016
Breakdown by Nordic countryTop ratings
Rating
Key outsourcedInternal Audit areas
1. Cultural challenges; specificprocess competence
2. General internal audit co-sourcing; assistance withinternal audit planning;sector competence
3. Fraud investigations;specific technical skills;knowledge of local laws andregulations
1. General internal audit co-sourcing
2. Specific technical skills3. Specific process competence
1. Coverage of international locations2. General internal audit co-sourcing;
fraud investigations; specifictechnical skills
3. Knowledge of local laws andregulations
1. Fraud investigations2. General internal audit co-
sourcing3. Coverage of international
locations; specific technical skills;knowledge of local laws andregulations
Most importantcompetency areas
1. Internal control2. Operational audit3. Relationship acumen; in-
depth knowledge of thecompany’s business
1. Written communication; in-depth knowledge of thecompany’s business
2. Internal control; data analytics;analytical skills; deep industryknowledge; verbalcommunication
3. Project management
1. Internal control; operational audit;data Analytics; business strategy
2. Relationship acumen; in-depthknowledge of the company’sbusiness; deep industry knowledge;Internal Audit risk assessment; fraudinvestigation; presentation andfacilitation
1. Operational audit2. In-depth knowledge of the
company’s business and Internalcontrol
3. Analytical skills
Top competencyareas that needimprovement
1. Change management;leadership and teamwork;relationship acumen
2. Data analytics and projectmanagement
3. Fraud investigations andInternal Audit riskassessment
1. Data analytics 1. Data analytics2. Presentation and facilitation;
business strategy; in-depthknowledge of the company’sbusiness; fraud investigation;compliance and regulatory
1. Data analytics2. Written communication; fraud
investigation; compliance andregulatory
3. Verbal communication;presentation and facilitation;advisory or consulting experience
Section or Chapter title
© Ernst & Young. All rights reserved.
Confidential & Proprietary.
Detailed survey results
21Page 21
Page 22 Internal Audit Benchmarking Program 2016
Rightdirection
Page 23 Internal Audit Benchmarking Program 2016
20%
37%
9%
5%
7%
6%
6%
4%
6%
19%
36%
10%
7%
9%
6%
5%
6%
2%
Compliance and financial reporting
Operational audits
Strategic audits
Advisory engagements
Planning
Education/admin
Fraud investigations
Excused leave
Other
2016
2014
Purpose and mandateInternal Audit role and responsibilities framework
► Operational audits, compliance and financial reporting remain the top audit tasks in 2016. Overall, task allocation has not deviated from 2014 results.► The responsibilities of Nordic Internal Audit functions are primarily defined by policies, guidelines, roles and responsibilities. Fewer than one fifth of Internal Audit functions
have no framework that defines their responsibilities, accounting for a 6% decrease compared to 2014.► Almost two thirds of Internal Audit functions support management with professional input to identify, assess and consolidate risks, and 4% of the Internal Audit functions
perform all of the activities themselves. Less than 20% do not participate in risk assessment.
How is the available time for the Internal Auditfunction allocated between the following tasks?
Is there a framework in place where the responsibilities ofInternal Audit and other risk and controls functions arewell-defined?
How involved is Internal Audit in supportingmanagement to identify, assess and consolidaterisks?
60%
60%
11%
15%
19%
19%
64%
48%
12%
21%
0%
0%
Yes, policies and guidelines
Yes, roles and responsibilities
Yes, other
No
Don't know
Not applicable
2016
2014
4%
64%
7%
19%
6%
2%
52%
10%
29%
7%
Perform all activities to identify, assess andconsolidate the risk assessment
Support management with professional input
There is no separate risk assessmentperformed by management
Not involved in the risk assessment
Other2016
2014
Page 24 Internal Audit Benchmarking Program 2016
10%
10%
80%
14%
19%
67%
No, but plan on doing so in the next two years
Yes
No
2016
2014
Purpose and mandateEmerging risks and primary focus in the next years
Do you currently complete a separate emerging risk assessment within Internal Audit?
What are the top emerging risks that your organization is monitoring?
How do you anticipate Internal Audit involvement in the risk assessment to change in the nextthree years?
54%
40%
38%
35%
21%
63%
58%
5%
21%
12%
Increased focus on operational risks
Increased focus on strategic risks
No changes
Increased focus on compliance and financial reporting risks
Other
2016
2014
What will be the primary mandate or focus for internal auditors in the next twoyears?
60%
47%
43%
32%
28%
23%
21%
19%
4%
11%
35%
58%
26%
40%
35%
23%
33%
5%
0%
7%
Cyber security
Other risks in when operating in emerging markets
Regulations around data privacy
Strategic transactions in emerging markets
Major shifts in technology
Climate change and sustainability
Economic stability
Social media
Sovereign risk
Other
2016
2014
32%
62%
0% 6%
55%43%
0% 2%
Increase Stay the same Decrease Don’t know
2016
2014
► Cybersecurity is seen as the top emerging risk in 2016, having been ranked joint third in 2014. Dataprivacy, ranked third as an emerging risk, has increased significantly compared to 2014. Thisdevelopment is driven by the new European Union regulation.
► Technology is ranked low in the most important competence section and had also relatively lowimprovement needs. This is somewhat unexpected as cyber security presents a top emerging risk.
► An increased focus on operational and strategic risks remain high in importance for Internal Auditfunctions. However, a potential shift towards compliance and financial reporting risks is emerging.
► Internal Audit functions are performing more separate emerging risk assessments compared to2014, yet most companies do not perform them.
► Nearly two thirds of Internal Audit leaders believe that Internal Audit’s involvement in riskassessments will not change in the next three years.
► The developments since 2014 may indicate that Internal Audit functions have delivered on theirexpectations relating to focus areas and the risk assessment process.
Page 25 Internal Audit Benchmarking Program 2016
Rightcompetence
Page 26 Internal Audit Benchmarking Program 2016
21%
10%
19%
50%
36%
9%
12%
43%
>75%
50-74%
25-49%
< 25%
20162014
7%
4%
17%
20%
15%37%
7%
14%
12%
12%
12%43%
> 25%
20-24%
15-19%
10-14%
5-9%
0-5%
2016
2014
13% 15% 24%48%12% 21% 19%
48%
< 3 years 3-6 years 7-10 years > 10 years
2014 2016
Team and organization structureInternal Audit staff – composition and employment
► Compared to 2014 survey results, the number offunctions of less than 9 employees has decreasedsignificantly, while functions with 10−14 and 20−29employees have increased.
► Nearly half of Nordic Internal Audit functions are self-organized and only 1 in 20 are organized by businessunit (vs. 1in 7 in 2014).
► Almost 50% of Internal Audit staff have more than 10years of experience. Since 2014, the share of internalauditors with 3−6 years of experience has increased by6%, while those with 7−10 years of experience has fallenby 5%.
► In half of the surveyed companies, less than 25% ofInternal Auditors are recruited internally in 2016 and thegeneral trend of internal recruiting is downward.
► Nordic Internal Audit functions exhibit low turnover rates,where half of the respondents have less than 10%turnover, and more than one third have less than 5%turnover rate.
► The majority of Internal Audit functions have no specificprogram for internal recruiting. However, the guestauditor program has become increasingly popular since2014, used by more than 1 in 4 Nordic Internal Auditfunctions.
What is the current size of the Internal Audit functionwithin your organization? (Number of employees basedon in-house and co-sourced resources)
How is your Internal Audit function structured?
Please estimate the distribution of experience amongyour Internal Auditors
What is your approximate annual staff turnover ratewithin Internal Audit?
To what extent is your Internal Audit staff recruitedinternally?
For which programs do you have to identify and recruitemployees within your organization to the Internal Auditfunction?
4%20%
22%
11%43%
14%
16%
20%
14%36%
Organized by business unitOrganized by geography
Organized by competencyHybridOther
20162014
63%
27%
10%
8%
25%
75%
13%
8%
2%
2%
No specific program
Guest Auditor program
Staff rotation
Internship
Other20162014
43%27% 18%
2% 5% 5% 0%
55%31%
5% 2% 2% 5% 0%
<5 5-9 10-14 15-19 20-29 30-39 > 40
20162014
Page 27 Internal Audit Benchmarking Program 2016
54%64%
54%
100%
48%51%62% 67%
51%44%
SouthAmerica
NorthAmerica
Asia Africa Europé Oceania
20162014
Team and organization structureAdministrative reporting and geography
► Internal Audit leaders havemultiple administrative reportinglines, primarily to the CFO andCEO.
► Audit Committee meetings areusually held more than 4 times peryear. In nearly half of all cases(47%), Internal Audit leaders havequarterly one-on-one meetingswith the Audit CommitteeChairman, while 13% have nomeetings at all.
► Participating companies operate inmultiple continents around theworld, where 68% operate in morethan one continent and 40%operate in all continents.
To whom does the head of Internal Audit report administratively?How many Audit Committee meetings are held per year?
How often does the Audit Committee chairman have one-on-one meetings with the head of Internal Audit?
Monthly; 3%
Quarterly; 47%
Semi-annually; 13%
Annually; 24%
No meetings; 13%
In which of the following geographical areas does yourcompany operate?
52%
27%
13%
0%
0%
0%
8%
55%
33%
5%
0%
0%
0%
7%
> 5
4
3
2
1
0
Not applicable20162014
51%
41%
33%
24%
8%
8%
2%
CFO
CEO
Other
The Board
Audit committee
General/Legal Council
Executive Management 2016
Page 28 Internal Audit Benchmarking Program 2016
► The leading outsourcing areas remain general internal audit co-sourcing, fraud investigations andspecific technical skills (e.g., data analytics). Furthermore, specific process competence andknowledge of local laws and regulations have increased as an outsourcing area compared to 2014,which corresponds with the main rationale behind outsourcing: to manage competence gaps.
► In 2016, 1 in 5 Internal Audit functions do not use third party providers at all, and almost two thirdssource less than 25% of their internal audit activities from third party providers (whereas less thanhalf did so in 2014). This could be influenced by decreasing Internal Audit budgets.
► The majority of respondents do not expect any changes to their Internal Audit outsourcing over thenext three years.
8%
2%
6%
63%
21%
7%
9%
19%
49%
16%
75-100%
50-74%
25-49%
<25%
We do not use third-party provider to assist withinternal audit activities
2016 2014
Team and organization structureInternal Audit outsourcing
Please specify the areas within which you use third party provider(s) forInternal Audit purposes?
Do you source all or part of your internal auditactivities from a third party provider?
How do you think that your use of sourcing from third party provider(s)will evolve over the next three years?
What is the rationale behind sourcing froma third-party provider?
73%
21%
6%
58%
33%
9%
Staying the same over the next three years
Increasing over the next three years
Decreasing over the next three years20162014
55%
45%
45%
42%
37%
34%
24%
24%
24%
18%
5%
24%
53%
56%
65%
35%
24%
41%
29%
24%
6%
6%
9%
0%
General internal audit co-sourcing
Fraud investigations
Specific technical skills (e.g. data analytics)
Specific process competence
Knowledge of local laws and regulations
Coverage of international locations
Compliance and internal control testing
Sector competence
Cultural challenges
Assistance with the internal audit planning
Assistance with the internal audit risk assessment
Other
2016
2014
66%
34%
32%
50%
24%
74%
26%38%
38%
6%
To manage competence gaps
To manage short term resource restraints
To have a flexible internal audit operating model
To be able to leverage on third-party providers’ enablers and methodology
Other2016 2014
Page 29 Internal Audit Benchmarking Program 2016
84%
82%
68%
56%
30%
22%
18%
23%
89%
95%
61%
68%
16%
0%
Executive Management
Audit Committee
ERM and/or Internal Control functions
Line Management
Other
Not applicable
Board of Directors
2016 2014
59%40%
62% 50%28% 26%
17%
10%
23%24%
21% 24%
24%50%
15% 26%51% 50%
2 0 1 6 2 0 1 4 2 0 1 6 2 0 1 4 2 0 1 6 2 0 1 4
C O M P L IA N C E R I S K MA N A G E ME N T IN T E R N A L C O N T R O L
No Yes, led by someone else (for example CFO) Yes, formally led by Head of function or equivalent
Stakeholder relationship managementReliance and coordination
► The majority of Nordic Internal Audit functions operate in companies where complianceand risk management functions are established and led by a function Head, while 51%have no internal control function. Since 2014, the presence of compliance functions hasincreased by 26%.
► The key stakeholders involved in the internal audit planning process are executivemanagement, Audit Committee and risk management or internal control functions. TheBoard of Directors is also increasingly involved (18%), having had no involvement in2014.
► In the majority of cases (two thirds), external auditors exhibit limited reliance on InternalAudit functions in their work. Similarly, 25% of Internal Audit functions do not coordinatewith external auditors in 2016 (only 1 in 11 did so in 2014), while the overwhelmingmajority, 4 in 5, cooperate on scoping and audit plans.
Which stakeholders are involved in the internal audit planning process?
Does your company have a risk management, internal control orcompliance function?
To what extent does your external auditor rely on the work of the Internal Audit function?
How does your Internal Audit function coordinate with external auditors?
79%33%
33%
25%
29%
81%
31%
43%
7%
17%
We share/discuss scoping and audit plans
We discuss scoping of engagements that have been partly covered…
We have different forums in which we communicate
We don’t coordinate
Other
2016
2014
17%
68%
15%
15%
70%
15%
Significant reliance
Limited reliance
No reliance
20162014
Page 30 Internal Audit Benchmarking Program 2016
People and skills developmentInternal Audit competencies and education
► Internal control, operational audit and in-depth knowledge of the company’s business are seen asthe most important competencies. Data analytics, change management, relationship acumen andfraud investigation are considered to need the most improvement.
► Nearly half (9 in 22) of the competencies have major improvement needs (+19%). However, only19% of the Internal Audit functions have well-defined competencies and training requirements.
► Half of the Internal Audit functions are in progress, or have partially defined, competencies andtraining requirements for Internal Audit staff, while 1 in 3 have not defined them at all.
► More than half of the auditors have between 25−47 training hours per year, while one third ofauditors have less than 25 hours. In 2016, only 12% have more than 50 hours of training. Almost60% of Internal Audit functions have an education budget of less than 10 000 EUR.
Select the competency areas that you believe are the most important withinthe Internal Audit function and the competency areas where you seeimprovement needs within your Internal Audit function
Does the Internal Audit function have well-defined competencies and training requirements forits auditors by rank?
Yes; 19%
No; 31%
Partly/In progress;48%
2016Yes; 24%
No; 29%
Partly/In progress;33%
2014
How much do you spend on education andtraining of the Internal Audit function? (EUR)
How many training hours does each auditorhave per year?
0%
2%
37%
61%
2%
5%
34%
59%
>100 000
50 000 - 99 999
10 000 - 49 999
< 10 000
2016 20140%
2%0%
15%52%
31%
4%
2%
4%
6%56%
28%
None
> 100
75-99
50-74
25-49
< 25
2016 2014
13%
17%
19%
21%
26%
26%
28%
28%
30%
30%
32%
32%
32%
34%
36%
38%
38%
45%
47%
62%
66%
70%
13%
28%
13%
15%
6%
21%
15%
23%
4%17%
26%
13%
17%
26%
40%6%
19%
6%
19%
19%
6%
9%
Advisory or consulting experience
Change management
Technology
Project management
Deep industry knowledge
Other
Business strategy
Leadership and teamwork
Process improvement
Presentation and facilitation
Fraud investigation
Verbal communication
Written communication
Relationship acumen
Data analytics
Financial audit and accounting
Internal audit risk assessment
Analytical skills
Compliance/regulatory
In-depth knowledge of the company’s business
Operational audit
Internal control
Most important Improvement needs
Page 31 Internal Audit Benchmarking Program 2016
70%62% 66%
32%45% 38% 32%
47%38%
30% 30% 32%28%
34% 36%21% 28% 26%
19% 13% 17%26%
81% 76% 74%
55% 52% 48% 45%40%
38%36% 36% 33% 31%
29% 29% 26% 26% 24%19% 17%
12%0%
2016 2014
40%28% 26% 26% 23% 21% 19% 19% 19% 17% 17% 15%
15% 13% 13% 13% 9% 6% 6% 6% 6% 4%
55%
21%10%
24%
7%0%
26% 21% 26%36%
21%14%
19% 21%31%
0%
14% 19% 19% 17% 14%21%
People and skills developmentInternal Audit competencies and education
The most important Internal Audit competencies
Select the competencies that you believe are the most important within the Internal Audit function and the competency areas where you see improvement needs within your Internal Auditfunction.
Internal Audit competencies that need improvement
Page 32 Internal Audit Benchmarking Program 2016
Right tools
Page 33 Internal Audit Benchmarking Program 2016
Internal Audit methodology and deliveryInternal Audit risk assessment
► Almost all Internal Audit functions perform an Internal Audit risk assessment, obtaining input frominterviews with top and line management and from enterprise risk management, primarily. Actingas input-providers has become more frequent since 2014 for these three functions.
► Internal Audit risk assessment provides the following risk categorization:
► There is little consensus regarding the importance of the risks identified by Internal Audit leaders.For example, 30% assess operational risk as the most important while 17% have the oppositeopinion. What types of risks are considered in your Internal Audit risk assessments?
Do you perform an Internal Audit risk assessment to serve as a basis for theInternal Audit plan?
How do you get input to the Internal Audit risk assessment session?
Top 3 important risks* Top 3 medium risks Top 3 minor risks**Operational risk Fraud risk Compliance riskStrategic risk Financial reporting risk Operational riskCybersecurity risk Regulatory risk Industry risk
Priority Risk Individual risk ratingMost important Operational risk 30%Important Industry risk 38%Medium importance Fraud risk 44%Less important Industry risk 31%Least important Operational risk 17%
* Note that these results have been obtained by adding the percentages for the risks considered ”Most important” and ”Important”** Note that these results have been obtained by adding the percentages for the risks considered ”Less important” and ”Least important”
86%
14%
89%
11%
Yes
No
2016
2014
93%
79%
74%
69%
50%
12%
29%
75%
55%
68%
55%
34%
9%
16%
Interviews with top management
Enterprise Risk Management (ERM)
Interviews with line management
Interviews with external auditors
Interviews with Audit Committee
Interviews with Board of Directors
Other
2016
2014
5%
10%
11%
15%
17%
18%
18%
18%
19%
23%
30%
38%
28%
26%
23%
34%
27%
21%
34%
33%
22%
25%
23%
44%
32%
28%
10%
25%
28%
16%
28%
35%
10%
31%
10%
18%
21%
29%
28%
28%
24%
17%
13%
18%
3%
8%
13%
13%
10%
2%
5%
8%
3%
7%
17%
Industry risk
Fraud risk
Regulatory risk
Reputational risk
Compliance risk
Financial risk
IT risk
Cybersecurity risk
Strategic risk
Financial reporting risk
Operational risk
most important important medium less important least important
Page 34 Internal Audit Benchmarking Program 2016
6%
17%
22%
55%
Yes, we have done external quality assuarancereview within last 5 years and are rated as ‘Partially
Conforms’
Yes, we have done external quality assuarancereview within last 5 years and are rated as
‘Generally Conforms’
No, and we don't plan to become certified
No, but we apply relevant parts of the IIA standards
Internal Audit methodology and deliveryInternal Audit value and performance compliance
► The main instruments to measure the value provided to the organization by InternalAudit are:
• satisfaction surveys• the number of implemented recommendations according to plan• control and process improvement measures
► Approximately 1 in 5 of Internal Audit functions are subject to external qualityassurance and are rated as ‘generally conforms’ or ‘partially conforms’ with IIAstandards. The majority (55%) of respondents do are not certified, but rather applythe relevant parts of the IIA standards in their work. Roughly one fifth do not plan tobecome certified according to the IIA standards.
How does Internal Audit measure the value provided to the organization?
Do you comply with the IIA standards?
5%
2%
20%
14%
14%
25%
36%
52%
3%
10%
13%
15%
21%
26%
51%
64%
Other
Cost savings and/or revenue enhancements
Not measured
Compliance with internal and external standards (e.g.IIA)
Support of key business initiatives
Control and process improvement measures
Number of implemented recommendations according toplan
Satisfaction surveys
2016 2014
Page 35 Internal Audit Benchmarking Program 2016
Tools and technologyData analytics
► Internal Audit functions have increased their leverage of data analytics compared to 2014, in particular among functions that use analytics to a wider extent. 15% usesanalytics in more than 50% of audits, which reflects a large increase from 2014. In addition, 50% state that they have increased their use of data analytics. However, nearlyhalf of the functions leverage less than 10% on data analytics, which is a slight decline from 2014.
► Looking into the future, data analytics is expected to become even more important as 81% of the respondents state that leveraging data analytics will increase over the nextthree years. Data analytics is also considered as one of the ten most important competencies for Internal Audit functions. 40% of respondents also state that data analyticsis a competence area that requires improvement.
To what extent does your Internal Audit functioncurrently leverage data analytics (e.g. the ACL tool)in relation to the total number of audits per year?
How has leverage of data analytics changed in the last 24months?
How do you anticipate leverage of data analyticsto change in the next three years?
81%
15%
2%
2%
60%
24%
0%
16%
Increase
Stay the same
Decrease
Don’t know
2016
2014
50%
40%
2%
8%
60%
38%
0%
2%
Increased
Stayed the same
Decreased
Don’t know
2016
2014
15%
4%
4%
13%
17%
47%
5%
2%
12%
14%
17%
50%
> 50%
40-49%
30-39%
20-29%
10-19%
< 10%
2016
2014
Page 36 Internal Audit Benchmarking Program 2016
58%
31%
33%
22%
35%
22%
9%
15%
24%
11%
19%
21%
Planning
Fieldwork
Wrap upand reporting
2016
Less than 5 days 5-9 days 10-14 days More than 15 days
Operations and reportingPerformance indicators
► The number of audits per year varies widely between the Internal Audit functions. Most companies perform 10 to19 or 50 to 99 audits per year.
► On average, audits have a total duration of 5 to 6 weeks.► The most common duration for planning is less than 5 days, for fieldwork 5 to 9 days, and for wrap-up and
reporting less than 5 days.► Despite an increase in the number of reports with high gradings, the average number of days from closing meeting
date to issue of final report has decreased, indicating that Internal Audit functions are becoming more effective inthe reporting process.
What is the average duration of individual audits for each of the following phases?What is the average number of days from closingmeeting date to issue of final report?
How many audits are performed per year?
> 100; 10%
50-99; 21%
40-49; 6%
30-39; 15%20-29; 15%
10-19; 21%
<10; 12%
30%
29%
17%
19%
5%
28%
15%
19%
21%
17%
> 20 days
15-19 days
10-14 days
5-9 days
< 5 days20162014
27%
31%
51%
29%
31%
27%
27%
17%
10%
17%
21%
12%
Wrap upand reporting
Fieldwork
Planning
2014
Page 37 Internal Audit Benchmarking Program 2016
To what extent are reported findings managedwithin set deadline?
Operations and reportingPerformance indicators
► Survey results indicate successful management within set deadlines. 52% of the respondents have indicated thatmore than 80% of reported findings are managed within the given deadline. This is an improvement from the 44%reported in 2014, and may indicate that Internal Audit’s standing has improved.
► Similarly, the severe grading of Internal Audit reports has increased in 2016 compared to 2014. 85% of InternalAudit reports are graded as ‘medium’ or ‘high’ in 2016 (59% in 2014), whereas Internal Audit reports graded as‘high’ or ‘critical’ has more than doubled compared to 2014.
► The number of ad-hoc requests varies between Internal Audit functions from 1 to 25 for both additional audits andinvestigations with up to 50 requests for analysis per year. In combination, 1 in 3 Internal Audit functions arerequested to improve risk coverage and services using the same budget (a 13% increase from 2014).
► The large increase in requests for additional services (with the same or lower budget) could indicate thatstakeholders see potential for improvements in both Internal Audit efficiency and effectiveness.
What is the approximate distribution of grading asa result of different audits?
52%
44%
4%
0%
35%
48%
12%
5%
> 80%
50-79%
25-49%
< 25%2016 2014
32%
50%
18%
15%
45%
40%
Low (minor)
Medium (major)
High (critical)
2016 2014
How many ad hoc requests are executed beyond the originalInternal Audit plan per year?
Is your Internal Audit function being asked to improverisk coverage and/or services?
6%
31%
6%
54%
3%
16%
19%
2%
58%
5%
Yes, with an increased budget
Yes, at the same budget
Yes, with a lower budget
No
Don’t know
2016 2014
Additional audits;36%
Investigation; 32%
Analysis; 20%
Other ; 12%
Ad hoc requests max avg minAdditional audits 25 6 1
Investigation 25 7 1
Analysis 50 9 1
Other 20 12 2
Page 38 Internal Audit Benchmarking Program 2016
Quality and risk assuranceOpportunities and challenges
► The changing trend from 2014 to 2016 indicates that budgets for Internal Audit functions are in the increase, as is the size of the function teams. This implies an opportunityto deliver more value and assurance to the business. 25% of Internal Audit functions have a budget from 1 to 1,9 million EUR, representing an increase of 13% from 2014.The number of functions with a budget below 1 million EUR has gone down significantly in the last two years.
► Internal Audit functions are making progress. Comparing to the results from 2014, the amount of audits completed on time has increased significantly from 55% to 79%. Inaddition, a high percentage of audits completed within budget has seen a marked increase from the 2014 levels, increasing from 79% to 89%.
► Almost all (88%) of Internal Audit leaders think that there are opportunities to improve their Internal Audit function. They identify most significant focus areas in reporting torelevant stakeholders, efficiency and effectiveness, and risk awareness in the business (as seen on page 39).
► Our previous findings (see page 39) identified the current challenges Internal Audit functions are facing as: 1) attracting individuals with the right business knowledge toensure IA adds value 2) managing a diverse and decentralized business and 3) managing the interaction with the second line of defense.
What percentage of audits is completed on time? What is the current budget of your Internal Auditfunction?
79%
13%
6%
2%
55%
20%
18%
7%
> 75%
50-74%
25-49%
< 25%2016 2014
89%
9%
0%
2%
79%
15%
3%
3%
> 75%
50-74%
25-49%
< 25%2016 2014
What percentage of audits is completed withinbudget?
5%7%12%
38%
26%
10%
2% 4%
10%
25%
21%19%
0%
21%
> 3 million2-2.9million
1-1.9million
500 000-999 999
300 000-499 999
< 300 000Don't havea separatebudget for
internalaudit
Page 39 Internal Audit Benchmarking Program 2016
Quality and risk assuranceOpportunities and challenges
In which of the following areas do you see opportunities to improve your InternalAudit function?
Do you believe that there are opportunities to improve your Internal Auditfunction?
88%
12%
91%
9%
Yes
No
2016
2014
67%
60%
50%
55%
55%
38%
33%
40%
24%
60%
60%
57%
57%
48%
45%
40%
40%
0%
Improve the reporting process to relevant stakeholders
Improve efficiency and effectiveness of the Internal Audit function
Support in improving risk awareness in the business
Improve the internal audit risk assessment and planningprocedures
Increased leverage of audit technology tools
Improve the overall skills and personnel in the Internal Auditfunction
Improve stakeholder management
Enhance risk coverage of key risks
Other2016 2014
Describe the overall challenges that your Internal Audit function faces or provide other commentsthat you believe are relevant for this study
► “Attracting people with solid business understanding to judge the business risks andrecommend improvements in a pragmatic manner”.
► “Our organization is very diverse and geographically spread out. Senior management doesnot set a goal of achieving a homogeneous culture either. As such, much of our work consistsof figuring out how the individual businesses operate and finding the correct communicationsapproach with the local management. It is not difficult per se, but it does mean that we arequite reliant on personal connections in discovering new risks and agreeing remediationmeasures with the managers. So we try to keep staff turnover minimal because every leavertakes the opportunity to easily and informally approach senior staff”.
► “We have more of a compliance audit primarily on the project level and then self-evaluation inthe line of the operational and finance processes”.
► “Top management and the board (Audit Committees) have a significant knowledge gap onassurance functions (e.g. Internal Audit and Compliance) and respectively do not provide fullsupport. This causes passive approach coming from "top down".”
► “Bring truly meaningful insights to the business and not mainly "housekeeping" (which, ofcourse, is important as well)”.
► “To leverage our knowledge and make it known to wider part of the organization. Being a verydecentralized company, each business unit operates separately and implementing commontools and policies is challenging and by that also auditing”.
► “Staying relevant in an increasingly dynamic and fast changing business environment as wellas handling the companies transformation agenda”.
► “Who actually directs our work: AC, Board or Executive Management? What are theconsequences for the daily work of IA? The increased role of the second line of defense. Howis co-operation organized and presented to both the business and the Board and AC”?
► “How to keep adding value to the organization? How to keep clear lines between the third andsecond line of defense? How to handle pressure from second line as an assurance provider”?
► “The Internal Audit function is undergoing a transformation to serve the Group and to becomemore professional. It’s a challenge to manage this journey and reach the goals”.
40
Contact details:Henrik LindTel: +46 31 63 77 04Mobile: +46 705 83 77 04Email: [email protected]
EY | Assurance | Tax | Transactions | Advisory
About EYEY is a global leader in assurance, tax, transaction and advisory services.The insights and quality services we deliver help build trust and confidencein the capital markets and in economies the world over. We developoutstanding leaders who team to deliver on our promises to all of ourstakeholders. In so doing, we play a critical role in building a better workingworld for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of themember firms of Ernst & Young Global Limited, each of which is a separatelegal entity. Ernst & Young Global Limited, a UK company limited byguarantee, does not provide services to clients. For more information aboutour organization, please visit ey.com.
© 2016 EYGM LimitedAll rights reserved