Nordic Internal Audit Benchmarking program
Denmark, Finland, Norway, Sweden
2016

© Ernst & Young. All rights reserved. Confidential & Proprietary. Internal Audit Benchmarking Program 2016


Contents

Introduction

Background

Respondent insights

EY’s methodological approach

Summary of results

Executive summary

Top ratings by Nordic country

Detailed survey results

Right direction

Right competencies

Right enablers


Introduction


Background

The world continues to change

► Volatile markets and financial instability continue to plague global economies, while the pace of technological change is continuously picking up speed. Organizations need flexibility to balance in the changing environment. Internal Audit functions have to foresee emerging threats and adapt their assessment procedures and audit plans in order to be able to provide input and insight on these threats or risks.

► With organizations increasingly relying on vast amounts of digital data to do business, cybercrime keeps growing, damaging the organization and its brand. Companies may not be able to control when information security incidents occur, but they can control how they respond to them. Expanding detection capabilities is a good place to start for Internal Audit functions.

► Applying up-to-date digital tools and technologies in the daily audit routine increases the possibility of detecting cybercrime or potential weak areas. Internal Audit functions can support organizations with the establishment of a security operations center, focused on securing and enabling the business as well as protecting sensitive information.

► More and more, robotics is replacing traditional operations. In line with the increased connectivity and Internet of Things (IoT), new rules and regulations are being introduced. Internal Audit functions should bulk up on domain expertise and skills in their teams to meet these challenges.

► Consumers, investors and regulators are demanding greater visibility in everything that an organization does. Accordingly, organizations need their Internal Audit function to take on a much larger role within the organization and serve as a subject matter specialist to business management around strategic initiatives, challenges and changes in the organization.


Respondents to the Nordic Internal Audit Benchmarking survey 2016

► In February and May 2016, EY conducted a survey, undertaking qualitative interviews to gain insight into the internal audit practices adopted by Nordic-based organizations. The majority of the respondents are Chief Audit Executives in diverse industrial companies.

Demographics of survey participants:

51 respondents

[Chart: Respondents by role. Categories: CAE; Head of Internal Control; CFO; Other]

[Chart: Annual revenue (EUR). Categories: > 15 billion; 10-14,9 billion; 7-9,9 billion; 5-6,9 billion; 3-4,9 billion; 1-2,9 billion; < 1 billion]

[Chart: Employees. Categories: > 100 000; 50 000 - 99 999; 25 000 - 49 999; 10 000 - 24 999; 5 000 - 9 999; < 5 000]

Industry

Industrial products 22%
Real estate 10%
Transportation 10%
Automotive 8%
Consumer products 8%
Power and utilities 8%
Retail and wholesale 6%
Telecommunication 6%
Other 22%


EY’s methodological approach to Internal Audit Operating Framework

Using our extensive knowledge, we have designed a framework to describe leading practices in internal audit. Each of the framework elements was considered in our assessment of the survey results. Our methodology is based on the three main strategies illustrated below:

Right direction: Aligning Internal Audit’s purpose and mandate with the expectations of the Audit Committee, executive management and other stakeholders

Right competence: Acquiring the people, competencies and experience to achieve Internal Audit’s objectives

Right tools: Establishing appropriate infrastructure to facilitate the achievement of Internal Audit’s objectives

[Figure: framework elements. Internal audit methodology and delivery; Operations and reporting; Stakeholder relationship management; Team and organization structure; Tools and technology; Knowledge management; Quality and risk assurance; Purpose and mandate; People and skills development]


Summary of results


Executive summary

Direction: Internal Audit is expected to be at the forefront of new challenges in the changing environment

► Internal Audit functions are aiming to take on the role of strategic advisor by increasing their focus on both operational and strategic risks connected to the organization's business objectives.

► Internal Audit is paying increased attention to emerging risks, e.g., related to cybersecurity.

► There is a general focus on monitoring and supervision activities in industrial companies, e.g., compliance functions are becoming more common, executive management gets more involved in the internal audit planning processes, etc.

Competence: To align with the changing mandate and new focus areas, access to domain expertise is of utmost importance

► Internal Audit functions are implementing flexible sourcing models (guest auditors, co-sourcing, outsourcing, etc.) to improve the efficiency of audit execution and manage competence gaps.

► As the organization's strategic objectives, risk environment and market and regulatory landscape evolve, the skills and experience of the audit function must respond accordingly.

► Some areas have experienced a high rotation of Internal Audit executives in the past two years. This highlights a challenge for Internal Audit functions and may impact the ability to attract and retain people with solid business understanding and auditing experience.

Tools: Putting technology and robust audit software within the reach of every auditor is crucial to improve efficiency and effectiveness

► Nordic Internal Audit functions possess insufficient in-house data analytics competence, which is partially compensated by either outsourcing or co-sourcing.

► As demand for value-adding activities increases, Nordic Internal Audit functions face additional requests to improve risk coverage and services without increasing their budgets.

► Increased industry scrutiny of supervisory boards and executive managers pushes internal auditors to perform deep-dive reviews of audited areas, and to assess risk exposures more critically.


Internal Audit retains the role of strategic advisor

► Operational audits and compliance and financial reporting remain top audit tasks for the Nordic Internal Audit functions. Even though operational audits are identified as one of the top tasks, 35% of respondents considered operational risks as “less important” or “least important” in the risk assessment. A high focus on compliance is highlighted by the risk and competency ratings; compliance risks are one of the highest-rated risks, as 51% of those surveyed state that compliance represents the “most important” or “important” risk. It is also rated as the fourth most necessary key competence. A key factor driving this development could be the increase in compliance functions, from 50% in 2014 to 76% in 2016.

► Internal Audit departments will continue to focus on operational and strategic risks in the next two years. However, the decline witnessed from 2014 levels may possibly be due to prior implementation. Compliance and financial reporting risks are expected to rise in importance over the next years compared to 2014.

► In response to the changing requirements for the third line of defense, Internal Audit has become more involved in the organization’s risk assessment procedures by supporting the management with professional input.

A clear understanding of the ownership of risk and control processes across the company allows for greater clarity in the role of Internal Audit. This understanding helps Internal Audit deliver its mandate to support the board and executive management in protecting the assets, reputation and sustainability of the company.

Allocation of available time by the Internal Audit function

Operational audits: 37% (2016), 36% (2014)
Compliance and financial reporting: 20% (2016), 19% (2014)

Primary mandate of focus for Internal Audit in the next 2 years

Increased focus on operational risks: 54% (2016), 63% (2014)
Increased focus on strategic risks: 40% (2016), 58% (2014)
Increased focus on compliance and financial reporting risks: 35% (2016), 21% (2014)

Involvement of Internal Audit in supporting the management in identifying, assessing and consolidating risks

64% of respondents support the management with professional input, compared to the 52% in 2014


Technology and emerging market risks affect Internal Audit focus

► Internal Audit functions are expected to be at the forefront of new, potential challenges in the changing environment. In particular, cybersecurity is a top emerging risk that companies face today, having been ranked third in 2014.

► Internal Audit functions are increasingly performing separate emerging risk assessments compared to 2014 (19% vs. 10%). However, two thirds of companies surveyed are yet to carry one out.

► The threat of so-called cyber-physical incidents is becoming increasingly severe as industrial companies are becoming more and more connected. Cyber threats increase with every additional technology connection and socially embedded system.

► Even though cybersecurity and major shifts in technology feature among the top 5 emerging risks, technology as a competence is rated relatively low with relatively low improvement needs. This could indicate that Internal Audit functions are not preparing their capabilities to respond to the expected, serious risks.

Companies need a common cybersecurity strategy to support operating effectiveness, safety, reliability standards, business transformation and financial controls compliance. In this regard, effective cooperation between the Internal Audit, operational technology and information technology functions is required.

Internal Audit functions perform separate emerging risk assessments

19% of companies undertake separate emerging risk assessments within their Internal Audit functions

Top 5 emerging risks that organizations monitor

1. Cybersecurity: 60% (2016), 35% (2014)
2. Other risks when operating in emerging markets: 47% (2016), 58% (2014)
3. Regulations around data privacy: 43% (2016), 26% (2014)
4. Strategic transactions in emerging markets: 32% (2016), 40% (2014)
5. Major shifts in technology: 28% (2016), 35% (2014)


Domain expertise will drive the Internal Audit function

► Nordic Internal Audit functions are mainly composed of small-sized teams with experienced staff and low turnover. This setup originates from the Nordic, trust-based culture and long-term employee-employer relationships.

► However, the high rotation of Internal Audit executives in some areas during the past two years highlights a potential challenge for Internal Audit functions to attract and retain people with solid business understanding and auditing experience.

► In-depth business knowledge is seen as one of the most important competence areas, and also as an area where further improvement is needed. However, Internal Audit functions demonstrate a low level of internal recruitments.

► The low staff turnover and large number of auditors with more than 10 years of experience highlights a potential challenge: Internal Audit functions might not be able to address the competency improvement needs through new recruitments and will have to train internally instead. However, internal training might prove to be a challenge as well since training budgets are low.

► In order to manage staffing and competence gaps, general internal audit co-sourcing, fraud investigations and technical skills (e.g. data analytics) remain top outsourcing areas.

► Specific process competence and the knowledge of local legislation and regulation are becoming increasingly outsourced.

Leading Internal Audit functions use a mixed sourcing strategy, using internal specialists, guest auditor programs, rotation programs and partnerships with external professional services firms to ensure access to specialist skills, benchmarking, local coverage and resource flexibility.

[Chart: Internal Audit function size. Categories: less than 5 auditors; 6-9 auditors; 10-14 auditors; more than 15 auditors]

[Chart: Internal auditors’ level of experience, 2016 and 2014. Categories: < 3 years; 3-6 years; 7-10 years; > 10 years]

[Chart: Internal Audit function turnover. Categories: > 15%; 10-14%; 5-9%; < 5%]


Nordic Internal Audit functions meet new stakeholders

► Over the last two years, strict regulation and industry risk exposures have led to the increased establishment of compliance and risk management functions in Nordic organizations.

► This development indicates an increased importance of the second line of defense, creating a potential challenge for Internal Audit in terms of how to effectively leverage the work performed by their second line of defense. Also, a competition for resources might ensue.

► Executive management’s and the Board of Directors’ involvement in the internal audit planning process has increased significantly, which is a key enabler for Internal Audit to focus more on the areas and topics that are important for the success of the business. This is evidenced by the fact that a larger number of audit reports now have a high or critical grading compared to 2014.

► With regard to increasing cybersecurity risks, Internal Audit should assess whether such risks are reported to the board adequately, and consider the Chief Information Security Officer and Chief Security Officer as key stakeholders.

Effective audit function structures must facilitate a close relationship between the management and key stakeholders in the wider organization. This entails clear accountability at senior levels of the Internal Audit function for owning the relationships with key divisional, regional and risk leaders within the organization, in addition to executive management and boards.

[Chart: Companies with a Risk Management Function / Internal Control Function / Compliance Function. Categories: Yes, formally led by head of function or equivalent; Yes, led by someone else (e.g., CFO); No]

[Chart: Stakeholders involved in the planning process, 2016 and 2014. Categories: Executive Management; Audit Committee; ERM and/or Internal Control functions; Line Management; Board of Directors; Other; Not applicable]


Competence-wise, a “risk-based audit plan” must be supported by a risk-based resourcing model

► Internal control, operational audit and in-depth knowledge of the company’s business remain the most important competencies for Internal Audit.

► Data analytics as an Internal Audit competence remains a top priority for improvement. Industrial companies recognize the advantages of data analytics as they can improve fraud recovery, generate expense savings and bring about process improvement opportunities.

► Ongoing organizational transformations and turbulent environments have led to the re-prioritization of Internal Audit competencies that need improvement. Change management, relationship acumen and fraud investigation as competencies for improvement have replaced written communication and technology since 2014.

► Nordic Internal Audit functions do not see the definition of competencies or training requirements for Internal Audit staff as a priority.

Industrial companies have consensus on the need for more specialist and expert skills. Capabilities like data analytics, modelling, CAAT tools, cyber and compliance and regulatory-related expertise are key for auditors. Internal Audit leaders perform in-depth analyses on where gaps exist, in both competencies and the number of employees. A capability development model is then defined: “Move”, “Develop” or “Buy” for each competency gap.

Top 3 important Internal Audit competencies

1. Internal control: 70% (2016), 81% (2014)
2. Operational audit: 66% (2016), 74% (2014)
3. In-depth knowledge of the company’s business: 62% (2016), 76% (2014)

Top 3 Internal Audit competencies for improvement

2014: Data analytics 55%; Written communication 36%; Technology 31%
2016: Data analytics 40%; Change management 28%; Relationship acumen 26%

Internal Audit competencies (Most important / Improvement needs)

Internal control: 70% / 9%
Operational audit: 66% / 6%
In-depth knowledge of the company’s business: 62% / 19%
Compliance/regulatory: 47% / 19%
Analytical skills: 45% / 6%
Internal audit risk assessment: 38% / 19%
Financial audit and accounting: 38% / 6%
Data analytics: 36% / 40%
Relationship acumen: 34% / 26%
Written communication: 32% / 17%
Verbal communication: 32% / 13%
Fraud investigation: 32% / 26%
Presentation and facilitation: 30% / 17%
Process improvement: 30% / 4%
Leadership and teamwork: 28% / 23%
Business strategy: 28% / 15%
Other: 26% / 21%
Deep industry knowledge: 26% / 6%
Project management: 21% / 15%
Technology: 19% / 13%
Change management: 17% / 28%
Advisory or consulting experience: 13% / 13%


Nordic Internal Audit functions are becoming more critical in their assessments

85% of Internal Audit functions' reports are graded as Medium or High in 2016 compared to 59% in 2014.

► Internal Audit functions are moving the balance of their audit planning towards a more “top-down” approach, explicitly aligning the activity of the Internal Audit function with the key risks faced by the organization.

► The main areas considered in the Internal Audit risk assessments cover operational, strategic, cybersecurity and compliance risks.

► During the last two years, increased industry scrutiny by supervisory boards and executive managers has resulted in internal auditors performing deep-dive reviews of processes and audited areas, and assessing risk exposures more critically. This has dramatically increased the number of Internal Audit reports with a “high” grading.

► Internal Audit uses the number of recommendations implemented according to plan as one of the key performance measures. This makes a difference when recommendations have a higher tendency to be closed within the set deadlines, which adds value to the business.

► An increase in the recommendations managed within set deadlines (i.e., by making this a key measure for Internal Audit) can also be detected.

► A trend in many larger audit functions is the introduction of a secondary rating for audit reports. This approach supplements the traditional audit rating with a secondary rating for the adequacy of management’s approach to risk and control.

Audit plans are focusing more on recognizing potential root causes of multiple issues and risks across the company, having greater impact on the company as a whole.

Risks considered in the risk assessment (most important / important / medium / less important / least important)

Operational risk: 30% / 25% / 10% / 18% / 17%
Financial reporting risk: 23% / 22% / 35% / 13% / 7%
Strategic risk: 19% / 33% / 28% / 17% / 3%
Cybersecurity risk: 18% / 34% / 16% / 24% / 8%
IT risk: 18% / 21% / 28% / 28% / 5%
Financial risk: 18% / 27% / 25% / 28% / 2%
Compliance risk: 17% / 34% / 10% / 29% / 10%
Reputational risk: 15% / 23% / 28% / 21% / 13%
Regulatory risk: 11% / 26% / 32% / 18% / 13%
Fraud risk: 10% / 28% / 44% / 10% / 8%
Industry risk: 5% / 38% / 23% / 31% / 3%


Nordic Internal Audit functions need to employ robust audit software throughout the audit lifecycle

► Nordic Internal Audit functions demonstrate low leverage levels of data analytics, which is partially compensated through outsourcing to third-party providers.

► A significant increase has been noted in organizations leveraging data analytics in more than 50% of audits, indicating that analytics is an efficient tool once effectively established.

► In-house data analytics competence is not developed to a sophisticated level (conclusion drawn from the EY data analytics survey and data analytics competence gap).

► A data-driven approach is becoming essential to drive efficiency, quality and insight from the audit activity.

The Internal Audit analytics maturity model

Big data is fundamentally changing the way the enterprise operates. Organizations have identified analytics as an efficient tool for testing outcomes, supplementing controls testing and other traditional audit techniques.

Extent to which organizations are leveraging data analytics

> 50%: 15% (2016), 5% (2014)
40-49%: 4% (2016), 2% (2014)
30-39%: 4% (2016), 12% (2014)
20-29%: 13% (2016), 14% (2014)
10-19%: 17% (2016), 17% (2014)
< 10%: 47% (2016), 50% (2014)


Efficiency and effectiveness of Nordic Internal Audit functions is questioned by the stakeholders

► Under competitive cost pressure, stakeholders expect increased assurance from the same budget.

► Influenced by the increased demand on the function’s output and new emerging risks, Internal Audit leaders foresee significant improvement opportunities within the function pertaining to the reporting process to stakeholders, efficiency and effectiveness as well as risk awareness in the business.

► External auditors exhibit limited reliance on Internal Audit functions in their work. The number of Internal Audit functions that do not coordinate with external auditors has significantly increased compared to 2014. To ensure effective use of Internal Audit resources, both functions have to coordinate.

Achieving the maximum value from the Internal Audit function requires significant investments in people, knowledge, technology and methodology over a sustained period of time.

[Chart: Budget allocation of Internal Audit functions (EUR), 2016 and 2014. Categories: > 3 million; 2-2.9 million; 1-1.9 million; 500 000-999 999; 300 000-499 999; < 300 000; Don't have a separate budget for internal audit]

[Chart: Internal Audit improvement opportunities, 2016 and 2014. Categories: Improve the reporting process to relevant stakeholders; Improve efficiency and effectiveness of the Internal Audit function; Support in improving risk awareness in the business; Improve the internal audit risk assessment and planning procedures; Increased leverage of audit technology tools; Improve the overall skills and personnel in the Internal Audit function; Improve stakeholder management; Enhance risk coverage of key risks; Other]

[Chart: Reliance of external auditors on the work of internal auditors, 2016 and 2014. Categories: significant reliance; limited reliance; no reliance]


Top ratings by Nordic country


Breakdown by Nordic country: top ratings

Rating (one column per country; the country labels are not shown in the text)

Key tasks
Column 1: 1. Operational audits | 2. Compliance and financial reporting | 3. Other
Column 2: 1. Operational audits | 2. Strategic audits | 3. Education and administration
Column 3: 1. Operational audits | 2. Strategic audits | 3. Compliance and financial reporting
Column 4: 1. Operational audits | 2. Compliance and financial reporting | 3. Planning

Top input for risk assessments
Column 1: 1. Enterprise resource management | 2. Interviews with top management
Column 2: 1. Interviews with top management
Column 3: 1. Interviews with top management
Column 4: 1. Interviews with top management

Primary mandate for Internal Audit in the next 2 years
Column 1: No changes
Column 2: Increased focus on strategic and operational risks
Column 3: Increased focus on strategic risks
Column 4: Increased focus on operational risks

Top emerging risks
Column 1: 1. Social media | 2. Cybersecurity | 3. Strategic transactions in emerging markets and other risks when operating in emerging markets
Column 2: 1. Cybersecurity | 2. Climate change and sustainability | 3. Strategic transactions in emerging markets; major shifts in technology; regulation around data privacy; economic stability
Column 3: 1. Other risks when operating in emerging markets | 2. Cybersecurity | 3. Strategic transactions in emerging markets; major shifts in technology; regulation around data privacy; economic stability
Column 4: 1. Cybersecurity | 2. Regulation around data privacy | 3. Other risks when operating in emerging markets

One-on-one meetings between the Audit Committee chairman and head of Internal Audit
Column 1: 1. Quarterly
Column 2: 1. Quarterly or annually
Column 3: 1. Semi-annually
Column 4: 1. Quarterly


Breakdown by Nordic country: top ratings (continued)

Rating (one column per country; the country labels are not shown in the text)

Key outsourced Internal Audit areas
Column 1: 1. Cultural challenges; specific process competence | 2. General internal audit co-sourcing; assistance with internal audit planning; sector competence | 3. Fraud investigations; specific technical skills; knowledge of local laws and regulations
Column 2: 1. General internal audit co-sourcing | 2. Specific technical skills | 3. Specific process competence
Column 3: 1. Coverage of international locations | 2. General internal audit co-sourcing; fraud investigations; specific technical skills | 3. Knowledge of local laws and regulations
Column 4: 1. Fraud investigations | 2. General internal audit co-sourcing | 3. Coverage of international locations; specific technical skills; knowledge of local laws and regulations

Most important competency areas
Column 1: 1. Internal control | 2. Operational audit | 3. Relationship acumen; in-depth knowledge of the company’s business
Column 2: 1. Written communication; in-depth knowledge of the company’s business | 2. Internal control; data analytics; analytical skills; deep industry knowledge; verbal communication | 3. Project management
Column 3: 1. Internal control; operational audit; data analytics; business strategy | 2. Relationship acumen; in-depth knowledge of the company’s business; deep industry knowledge; Internal Audit risk assessment; fraud investigation; presentation and facilitation
Column 4: 1. Operational audit | 2. In-depth knowledge of the company’s business and Internal control | 3. Analytical skills

Top competency areas that need improvement
Column 1: 1. Change management; leadership and teamwork; relationship acumen | 2. Data analytics and project management | 3. Fraud investigations and Internal Audit risk assessment
Column 2: 1. Data analytics
Column 3: 1. Data analytics | 2. Presentation and facilitation; business strategy; in-depth knowledge of the company’s business; fraud investigation; compliance and regulatory
Column 4: 1. Data analytics | 2. Written communication; fraud investigation; compliance and regulatory | 3. Verbal communication; presentation and facilitation; advisory or consulting experience


Detailed survey results


Right direction


Purpose and mandate
Internal Audit role and responsibilities framework

► Operational audits, compliance and financial reporting remain the top audit tasks in 2016. Overall, task allocation has not deviated from 2014 results.

► The responsibilities of Nordic Internal Audit functions are primarily defined by policies, guidelines, roles and responsibilities. Fewer than one fifth of Internal Audit functions have no framework that defines their responsibilities, accounting for a 6% decrease compared to 2014.

► Almost two thirds of Internal Audit functions support management with professional input to identify, assess and consolidate risks, and 4% of the Internal Audit functions perform all of the activities themselves. Less than 20% do not participate in risk assessment.

[Chart: How is the available time for the Internal Audit function allocated between the following tasks? Categories: Compliance and financial reporting; Operational audits; Strategic audits; Advisory engagements; Planning; Education/admin; Fraud investigations; Excused leave; Other. Series: 2016, 2014.]

[Chart: Is there a framework in place where the responsibilities of Internal Audit and other risk and controls functions are well-defined? Categories: Yes, policies and guidelines; Yes, roles and responsibilities; Yes, other; No; Don't know; Not applicable. Series: 2016, 2014.]

[Chart: How involved is Internal Audit in supporting management to identify, assess and consolidate risks? Categories: Perform all activities to identify, assess and consolidate the risk assessment; Support management with professional input; There is no separate risk assessment performed by management; Not involved in the risk assessment; Other. Series: 2016, 2014.]


Purpose and mandate
Emerging risks and primary focus in the next years

[Chart: Do you currently complete a separate emerging risk assessment within Internal Audit? Categories: No, but plan on doing so in the next two years; Yes; No. Series: 2016, 2014.]

[Chart: What are the top emerging risks that your organization is monitoring? Categories: Cyber security; Other risks when operating in emerging markets; Regulations around data privacy; Strategic transactions in emerging markets; Major shifts in technology; Climate change and sustainability; Economic stability; Social media; Sovereign risk; Other. Series: 2016, 2014.]

[Chart: How do you anticipate Internal Audit involvement in the risk assessment to change in the next three years? Categories: Increase; Stay the same; Decrease; Don’t know. Series: 2016, 2014.]

[Chart: What will be the primary mandate or focus for internal auditors in the next two years? Categories: Increased focus on operational risks; Increased focus on strategic risks; No changes; Increased focus on compliance and financial reporting risks; Other. Series: 2016, 2014.]

► Cybersecurity is seen as the top emerging risk in 2016, having been ranked joint third in 2014. Data privacy, ranked third as an emerging risk, has increased significantly compared to 2014. This development is driven by the new European Union regulation.

► Technology is ranked low in the most important competence section and also had relatively low improvement needs. This is somewhat unexpected as cyber security presents a top emerging risk.

► An increased focus on operational and strategic risks remains high in importance for Internal Audit functions. However, a potential shift towards compliance and financial reporting risks is emerging.

► Internal Audit functions are performing more separate emerging risk assessments compared to 2014, yet most companies do not perform them.

► Nearly two thirds of Internal Audit leaders believe that Internal Audit’s involvement in risk assessments will not change in the next three years.

► The developments since 2014 may indicate that Internal Audit functions have delivered on their expectations relating to focus areas and the risk assessment process.


Right competence


Team and organization structure
Internal Audit staff – composition and employment

► Compared to 2014 survey results, the number of functions of less than 9 employees has decreased significantly, while functions with 10−14 and 20−29 employees have increased.

► Nearly half of Nordic Internal Audit functions are self-organized and only 1 in 20 are organized by business unit (vs. 1 in 7 in 2014).

► Almost 50% of Internal Audit staff have more than 10 years of experience. Since 2014, the share of internal auditors with 3−6 years of experience has increased by 6%, while those with 7−10 years of experience has fallen by 5%.

► In half of the surveyed companies, less than 25% of Internal Auditors are recruited internally in 2016 and the general trend of internal recruiting is downward.

► Nordic Internal Audit functions exhibit low turnover rates, where half of the respondents have less than 10% turnover, and more than one third have less than 5% turnover rate.

► The majority of Internal Audit functions have no specific program for internal recruiting. However, the guest auditor program has become increasingly popular since 2014, used by more than 1 in 4 Nordic Internal Audit functions.

[Chart: What is the current size of the Internal Audit function within your organization? (Number of employees based on in-house and co-sourced resources) Categories: <5; 5-9; 10-14; 15-19; 20-29; 30-39; > 40. Series: 2016, 2014.]

[Chart: How is your Internal Audit function structured? Categories: Organized by business unit; Organized by geography; Organized by competency; Hybrid; Other. Series: 2016, 2014.]

[Chart: Please estimate the distribution of experience among your Internal Auditors. Categories: < 3 years; 3-6 years; 7-10 years; > 10 years. Series: 2014, 2016.]

[Chart: What is your approximate annual staff turnover rate within Internal Audit? Categories: > 25%; 20-24%; 15-19%; 10-14%; 5-9%; 0-5%. Series: 2016, 2014.]

[Chart: To what extent is your Internal Audit staff recruited internally? Categories: >75%; 50-74%; 25-49%; < 25%. Series: 2016, 2014.]

[Chart: For which programs do you have to identify and recruit employees within your organization to the Internal Audit function? Categories: No specific program; Guest Auditor program; Staff rotation; Internship; Other. Series: 2016, 2014.]


Team and organization structure
Administrative reporting and geography

► Internal Audit leaders have multiple administrative reporting lines, primarily to the CFO and CEO.

► Audit Committee meetings are usually held more than 4 times per year. In nearly half of all cases (47%), Internal Audit leaders have quarterly one-on-one meetings with the Audit Committee Chairman, while 13% have no meetings at all.

► Participating companies operate in multiple continents around the world, where 68% operate in more than one continent and 40% operate in all continents.

[Chart: To whom does the head of Internal Audit report administratively? Categories: CFO; CEO; Other; The Board; Audit committee; General/Legal Counsel; Executive Management. Series: 2016.]

[Chart: How many Audit Committee meetings are held per year? Categories: > 5; 4; 3; 2; 1; 0; Not applicable. Series: 2016, 2014.]

How often does the Audit Committee chairman have one-on-one meetings with the head of Internal Audit?

Monthly: 3%
Quarterly: 47%
Semi-annually: 13%
Annually: 24%
No meetings: 13%

[Chart: In which of the following geographical areas does your company operate? Categories: South America; North America; Asia; Africa; Europe; Oceania. Series: 2016, 2014.]


Team and organization structure
Internal Audit outsourcing

► The leading outsourcing areas remain general internal audit co-sourcing, fraud investigations and specific technical skills (e.g., data analytics). Furthermore, specific process competence and knowledge of local laws and regulations have increased as an outsourcing area compared to 2014, which corresponds with the main rationale behind outsourcing: to manage competence gaps.

► In 2016, 1 in 5 Internal Audit functions do not use third party providers at all, and almost two thirds source less than 25% of their internal audit activities from third party providers (whereas less than half did so in 2014). This could be influenced by decreasing Internal Audit budgets.

► The majority of respondents do not expect any changes to their Internal Audit outsourcing over the next three years.

[Chart: Do you source all or part of your internal audit activities from a third party provider? Categories: 75-100%; 50-74%; 25-49%; <25%; We do not use third-party provider to assist with internal audit activities. Series: 2016, 2014.]

[Chart: Please specify the areas within which you use third party provider(s) for Internal Audit purposes? Categories: General internal audit co-sourcing; Fraud investigations; Specific technical skills (e.g. data analytics); Specific process competence; Knowledge of local laws and regulations; Coverage of international locations; Compliance and internal control testing; Sector competence; Cultural challenges; Assistance with the internal audit planning; Assistance with the internal audit risk assessment; Other. Series: 2016, 2014.]

[Chart: How do you think that your use of sourcing from third party provider(s) will evolve over the next three years? Categories: Staying the same over the next three years; Increasing over the next three years; Decreasing over the next three years. Series: 2016, 2014.]

[Chart: What is the rationale behind sourcing from a third-party provider? Categories: To manage competence gaps; To manage short term resource restraints; To have a flexible internal audit operating model; To be able to leverage on third-party providers’ enablers and methodology; Other. Series: 2016, 2014.]


Stakeholder relationship management
Reliance and coordination

► The majority of Nordic Internal Audit functions operate in companies where compliance and risk management functions are established and led by a function Head, while 51% have no internal control function. Since 2014, the presence of compliance functions has increased by 26%.

► The key stakeholders involved in the internal audit planning process are executive management, Audit Committee and risk management or internal control functions. The Board of Directors is also increasingly involved (18%), having had no involvement in 2014.

► In the majority of cases (two thirds), external auditors exhibit limited reliance on Internal Audit functions in their work. Similarly, 25% of Internal Audit functions do not coordinate with external auditors in 2016 (only 1 in 11 did so in 2014), while the overwhelming majority, 4 in 5, cooperate on scoping and audit plans.

[Chart: Which stakeholders are involved in the internal audit planning process? Categories: Executive Management; Audit Committee; ERM and/or Internal Control functions; Line Management; Other; Not applicable; Board of Directors. Series: 2016, 2014.]

[Chart: Does your company have a risk management, internal control or compliance function? Groups: Compliance; Risk management; Internal control (each for 2016 and 2014). Categories: No; Yes, led by someone else (for example CFO); Yes, formally led by Head of function or equivalent.]

[Chart: To what extent does your external auditor rely on the work of the Internal Audit function? Categories: Significant reliance; Limited reliance; No reliance. Series: 2016, 2014.]

[Chart: How does your Internal Audit function coordinate with external auditors? Categories: We share/discuss scoping and audit plans; We discuss scoping of engagements that have been partly covered…; We have different forums in which we communicate; We don’t coordinate; Other. Series: 2016, 2014.]


People and skills development
Internal Audit competencies and education

► Internal control, operational audit and in-depth knowledge of the company’s business are seen as the most important competencies. Data analytics, change management, relationship acumen and fraud investigation are considered to need the most improvement.

► Nearly half (9 in 22) of the competencies have major improvement needs (+19%). However, only 19% of the Internal Audit functions have well-defined competencies and training requirements.

► Half of the Internal Audit functions are in progress, or have partially defined, competencies and training requirements for Internal Audit staff, while 1 in 3 have not defined them at all.

► More than half of the auditors have between 25−47 training hours per year, while one third of auditors have less than 25 hours. In 2016, only 12% have more than 50 hours of training. Almost 60% of Internal Audit functions have an education budget of less than 10 000 EUR.

Does the Internal Audit function have well-defined competencies and training requirements for its auditors by rank?

2016: Yes, 19%; No, 31%; Partly/In progress, 48%
2014: Yes, 24%; No, 29%; Partly/In progress, 33%

[Chart: How much do you spend on education and training of the Internal Audit function? (EUR) Categories: >100 000; 50 000 - 99 999; 10 000 - 49 999; < 10 000. Series: 2016, 2014.]

[Chart: How many training hours does each auditor have per year? Categories: None; > 100; 75-99; 50-74; 25-49; < 25. Series: 2016, 2014.]

[Chart: Select the competency areas that you believe are the most important within the Internal Audit function and the competency areas where you see improvement needs within your Internal Audit function. Categories: Advisory or consulting experience; Change management; Technology; Project management; Deep industry knowledge; Other; Business strategy; Leadership and teamwork; Process improvement; Presentation and facilitation; Fraud investigation; Verbal communication; Written communication; Relationship acumen; Data analytics; Financial audit and accounting; Internal audit risk assessment; Analytical skills; Compliance/regulatory; In-depth knowledge of the company’s business; Operational audit; Internal control. Series: Most important, Improvement needs.]


People and skills development
Internal Audit competencies and education

Select the competencies that you believe are the most important within the Internal Audit function and the competency areas where you see improvement needs within your Internal Audit function.

[Charts: The most important Internal Audit competencies; Internal Audit competencies that need improvement. Series: 2016, 2014.]


Right tools


Internal Audit methodology and delivery
Internal Audit risk assessment

► Almost all Internal Audit functions perform an Internal Audit risk assessment, obtaining input from interviews with top and line management and from enterprise risk management, primarily. Acting as input-providers has become more frequent since 2014 for these three functions.

► Internal Audit risk assessment provides the following risk categorization:

| Top 3 important risks* | Top 3 medium risks | Top 3 minor risks** |
|---|---|---|
| Operational risk | Fraud risk | Compliance risk |
| Strategic risk | Financial reporting risk | Operational risk |
| Cybersecurity risk | Regulatory risk | Industry risk |

* Note that these results have been obtained by adding the percentages for the risks considered “Most important” and “Important”
** Note that these results have been obtained by adding the percentages for the risks considered “Less important” and “Least important”

► There is little consensus regarding the importance of the risks identified by Internal Audit leaders. For example, 30% assess operational risk as the most important while 17% have the opposite opinion.

| Priority | Risk | Individual risk rating |
|---|---|---|
| Most important | Operational risk | 30% |
| Important | Industry risk | 38% |
| Medium importance | Fraud risk | 44% |
| Less important | Industry risk | 31% |
| Least important | Operational risk | 17% |

[Chart: Do you perform an Internal Audit risk assessment to serve as a basis for the Internal Audit plan? Categories: Yes; No. Series: 2016, 2014.]

[Chart: How do you get input to the Internal Audit risk assessment session? Categories: Interviews with top management; Enterprise Risk Management (ERM); Interviews with line management; Interviews with external auditors; Interviews with Audit Committee; Interviews with Board of Directors; Other. Series: 2016, 2014.]

[Chart: What types of risks are considered in your Internal Audit risk assessments? Categories: Industry risk; Fraud risk; Regulatory risk; Reputational risk; Compliance risk; Financial risk; IT risk; Cybersecurity risk; Strategic risk; Financial reporting risk; Operational risk. Ratings: most important; important; medium; less important; least important.]


Internal Audit methodology and delivery
Internal Audit value and performance compliance

► The main instruments to measure the value provided to the organization by Internal Audit are:

• satisfaction surveys
• the number of implemented recommendations according to plan
• control and process improvement measures

► Approximately 1 in 5 of Internal Audit functions are subject to external quality assurance and are rated as ‘generally conforms’ or ‘partially conforms’ with IIA standards. The majority (55%) of respondents are not certified, but rather apply the relevant parts of the IIA standards in their work. Roughly one fifth do not plan to become certified according to the IIA standards.

[Chart: Do you comply with the IIA standards? Categories: Yes, we have done external quality assurance review within last 5 years and are rated as ‘Partially Conforms’; Yes, we have done external quality assurance review within last 5 years and are rated as ‘Generally Conforms’; No, and we don't plan to become certified; No, but we apply relevant parts of the IIA standards.]

[Chart: How does Internal Audit measure the value provided to the organization? Categories: Other; Cost savings and/or revenue enhancements; Not measured; Compliance with internal and external standards (e.g. IIA); Support of key business initiatives; Control and process improvement measures; Number of implemented recommendations according to plan; Satisfaction surveys. Series: 2016, 2014.]


Tools and technology
Data analytics

► Internal Audit functions have increased their leverage of data analytics compared to 2014, in particular among functions that use analytics to a wider extent. 15% use analytics in more than 50% of audits, which reflects a large increase from 2014. In addition, 50% state that they have increased their use of data analytics. However, nearly half of the functions leverage less than 10% on data analytics, which is a slight decline from 2014.

► Looking into the future, data analytics is expected to become even more important as 81% of the respondents state that leveraging data analytics will increase over the next three years. Data analytics is also considered as one of the ten most important competencies for Internal Audit functions. 40% of respondents also state that data analytics is a competence area that requires improvement.

[Chart: To what extent does your Internal Audit function currently leverage data analytics (e.g. the ACL tool) in relation to the total number of audits per year? Categories: > 50%; 40-49%; 30-39%; 20-29%; 10-19%; < 10%. Series: 2016, 2014.]

[Chart: How has leverage of data analytics changed in the last 24 months? Categories: Increased; Stayed the same; Decreased; Don’t know. Series: 2016, 2014.]

[Chart: How do you anticipate leverage of data analytics to change in the next three years? Categories: Increase; Stay the same; Decrease; Don’t know. Series: 2016, 2014.]


Operations and reporting
Performance indicators

► The number of audits per year varies widely between the Internal Audit functions. Most companies perform 10 to 19 or 50 to 99 audits per year.

► On average, audits have a total duration of 5 to 6 weeks.

► The most common duration for planning is less than 5 days, for fieldwork 5 to 9 days, and for wrap-up and reporting less than 5 days.

► Despite an increase in the number of reports with high gradings, the average number of days from closing meeting date to issue of final report has decreased, indicating that Internal Audit functions are becoming more effective in the reporting process.

[Chart: What is the average duration of individual audits for each of the following phases? Phases: Planning; Fieldwork; Wrap up and reporting. Categories: Less than 5 days; 5-9 days; 10-14 days; More than 15 days. Panels: 2016, 2014.]

[Chart: What is the average number of days from closing meeting date to issue of final report? Categories: > 20 days; 15-19 days; 10-14 days; 5-9 days; < 5 days. Series: 2016, 2014.]

How many audits are performed per year?

> 100: 10%
50-99: 21%
40-49: 6%
30-39: 15%
20-29: 15%
10-19: 21%
<10: 12%


Operations and reporting
Performance indicators

► Survey results indicate successful management within set deadlines. 52% of the respondents have indicated that more than 80% of reported findings are managed within the given deadline. This is an improvement from the 44% reported in 2014, and may indicate that Internal Audit’s standing has improved.

► Similarly, the severe grading of Internal Audit reports has increased in 2016 compared to 2014. 85% of Internal Audit reports are graded as ‘medium’ or ‘high’ in 2016 (59% in 2014), whereas Internal Audit reports graded as ‘high’ or ‘critical’ has more than doubled compared to 2014.

► The number of ad-hoc requests varies between Internal Audit functions from 1 to 25 for both additional audits and investigations with up to 50 requests for analysis per year. In combination, 1 in 3 Internal Audit functions are requested to improve risk coverage and services using the same budget (a 13% increase from 2014).

► The large increase in requests for additional services (with the same or lower budget) could indicate that stakeholders see potential for improvements in both Internal Audit efficiency and effectiveness.

[Chart: To what extent are reported findings managed within set deadline? Categories: > 80%; 50-79%; 25-49%; < 25%. Series: 2016, 2014.]

[Chart: What is the approximate distribution of grading as a result of different audits? Categories: Low (minor); Medium (major); High (critical). Series: 2016, 2014.]

[Chart: Is your Internal Audit function being asked to improve risk coverage and/or services? Categories: Yes, with an increased budget; Yes, at the same budget; Yes, with a lower budget; No; Don’t know. Series: 2016, 2014.]

How many ad hoc requests are executed beyond the original Internal Audit plan per year?

Additional audits: 36%
Investigation: 32%
Analysis: 20%
Other: 12%

| Ad hoc requests | max | avg | min |
|---|---|---|---|
| Additional audits | 25 | 6 | 1 |
| Investigation | 25 | 7 | 1 |
| Analysis | 50 | 9 | 1 |
| Other | 20 | 12 | 2 |


Quality and risk assurance
Opportunities and challenges

► The changing trend from 2014 to 2016 indicates that budgets for Internal Audit functions are on the increase, as is the size of the function teams. This implies an opportunity to deliver more value and assurance to the business. 25% of Internal Audit functions have a budget from 1 to 1,9 million EUR, representing an increase of 13% from 2014. The number of functions with a budget below 1 million EUR has gone down significantly in the last two years.

► Internal Audit functions are making progress. Compared to the results from 2014, the amount of audits completed on time has increased significantly from 55% to 79%. In addition, a high percentage of audits completed within budget has seen a marked increase from the 2014 levels, increasing from 79% to 89%.

► Almost all (88%) of Internal Audit leaders think that there are opportunities to improve their Internal Audit function. They identify most significant focus areas in reporting to relevant stakeholders, efficiency and effectiveness, and risk awareness in the business (as seen on page 39).

► Our previous findings (see page 39) identified the current challenges Internal Audit functions are facing as: 1) attracting individuals with the right business knowledge to ensure IA adds value 2) managing a diverse and decentralized business and 3) managing the interaction with the second line of defense.

[Chart: What percentage of audits is completed on time? Categories: > 75%; 50-74%; 25-49%; < 25%. Series: 2016, 2014.]

[Chart: What percentage of audits is completed within budget? Categories: > 75%; 50-74%; 25-49%; < 25%. Series: 2016, 2014.]

[Chart: What is the current budget of your Internal Audit function? Categories: > 3 million; 2-2.9 million; 1-1.9 million; 500 000-999 999; 300 000-499 999; < 300 000; Don't have a separate budget for internal audit.]


Page 39 Internal Audit Benchmarking Program 2016

Quality and risk assurance
Opportunities and challenges

[Chart: Do you believe that there are opportunities to improve your Internal Audit function? Categories: Yes; No. Series: 2016, 2014.]

[Chart: In which of the following areas do you see opportunities to improve your Internal Audit function? Categories: Improve the reporting process to relevant stakeholders; Improve efficiency and effectiveness of the Internal Audit function; Support in improving risk awareness in the business; Improve the internal audit risk assessment and planning procedures; Increased leverage of audit technology tools; Improve the overall skills and personnel in the Internal Audit function; Improve stakeholder management; Enhance risk coverage of key risks; Other. Series: 2016, 2014.]

Describe the overall challenges that your Internal Audit function faces or provide other comments that you believe are relevant for this study

► “Attracting people with solid business understanding to judge the business risks and recommend improvements in a pragmatic manner”.

► “Our organization is very diverse and geographically spread out. Senior management does not set a goal of achieving a homogeneous culture either. As such, much of our work consists of figuring out how the individual businesses operate and finding the correct communications approach with the local management. It is not difficult per se, but it does mean that we are quite reliant on personal connections in discovering new risks and agreeing remediation measures with the managers. So we try to keep staff turnover minimal because every leaver takes the opportunity to easily and informally approach senior staff”.

► “We have more of a compliance audit primarily on the project level and then self-evaluation in the line of the operational and finance processes”.

► “Top management and the board (Audit Committees) have a significant knowledge gap on assurance functions (e.g. Internal Audit and Compliance) and respectively do not provide full support. This causes passive approach coming from "top down".”

► “Bring truly meaningful insights to the business and not mainly "housekeeping" (which, of course, is important as well)”.

► “To leverage our knowledge and make it known to wider part of the organization. Being a very decentralized company, each business unit operates separately and implementing common tools and policies is challenging and by that also auditing”.

► “Staying relevant in an increasingly dynamic and fast changing business environment as well as handling the companies transformation agenda”.

► “Who actually directs our work: AC, Board or Executive Management? What are the consequences for the daily work of IA? The increased role of the second line of defense. How is co-operation organized and presented to both the business and the Board and AC”?

► “How to keep adding value to the organization? How to keep clear lines between the third and second line of defense? How to handle pressure from second line as an assurance provider”?

► “The Internal Audit function is undergoing a transformation to serve the Group and to become more professional. It’s a challenge to manage this journey and reach the goals”.


Contact details:
Henrik Lind
Tel: +46 31 63 77 04
Mobile: +46 705 83 77 04
Email: [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2016 EYGM Limited
All rights reserved