Leading business advisers

Head of Internal Audit Survey 2014Capturing insight

“Contents

Executive summary .................…………………………….….......... 3

Key observations …………………….........................……….…..... 4

About the survey …………………………….….............................. 7

Key findings

Section 1: Purpose and position - Roles of internal audit and keys risks and challenges .…......................... 8

Section 2: Process - Methodologies of internal audit .…................ 12

Section 3: Performance - Reporting .…........................................ 14

Section 4: People - Resources .…................................................ 15

About Deloitte Internal Audit .…................................................... 18

3

Executive summary

“I’m delighted to present the inaugural Deloitte Head of Internal Audit Survey. The survey spans a number of industries including financial services, consumer business and the public sector.

Our objective in carrying out this survey is to capture the key issues and challenges currently facing Heads of Internal Audit. In recent years we have seen increased demands placed on our profession by various stakeholders and many functions have seen operational changes to their remits and roles.

One of the biggest risks facing organisations is compliance with regulation and government policies. This risk is compounded by the number of regulatory and legislative changes being introduced both locally and internationally.

The second most significant risk is reputation and brand. We are all very aware of the time and effort it takes to develop a positive reputation and brand, and how quickly this can be lost by actions or inactions. As internal auditors we need to ask ourselves whether our internal audit plans and scoping plans consider brand and reputation. As a profession we are always asked “who audits internal audit?”. Interestingly, less than 30% of respondents conduct an independent quality assurance review at least every three years.

Throughout our survey a number of key themes were also highlighted including the extra demands on internal audit functions in terms of increased reporting requirements; additional risks such as IT security; and expanded roles such as risk advisory are evident from the responses; all against the backdrop of resourcing issues.

When working with our clients in assessing internal audit functions we take a focused approach across five key areas (the five Ps):

1. Purpose

2. Position

3. Process

4. Performance

5. People

We have aligned the results of the survey against these areas and summarised the key observations.

We hope you find this report both helpful and insightful in benchmarking your function and that it assists you in developing in order to meet increasing demands.

David Kinsella, Partner, Enterprise Risk Services, Deloitte

4

74%

74% of respondents noted an increase in stakeholder expectations.

61%61% of respondents rated regulation and government policy as being one of the top �ve risks facing their organisation.

over30%

95%

Over 30% of respondents do not complete an independent assessment of their IA function, yet 95% state that their methodology is consistent with IIA standards.

1 2 3

Key observations

5

76% of respondents have identi�ed the need for additional skills.

76%

66% of respondents currently use external providers to supplement their own resources via outsourcing, co-sourcing, and utilisation of subject matter experts.

66%54%

54% of respondents revealed that their IA function have roles in BAU and advisory activities, a number that we would perceive as being relatively low.

4 5 6

6

Key observations

Purpose and position The survey highlights the increased expectations on the scope of internal audit, along with increased communication with the business.

The positioning of internal audit and the associated reporting lines have always been areas of diversity, and the survey re-affirms this, although there are indications that the sector in which you operate plays a key role in determining reporting lines. However, as the primary responsibility is to the audit committee/Board the challenge is to ensure independence is not impinged.

Process It is encouraging to see that 97% of respondents have, and follow, a formal methodology which most believe is consistent with the IIA standards. However, this is contradicted somewhat by the level of entities conducting quality assurance reviews. The question of rating the overall report is an issue we face with clients all the time. As a profession, internal auditors seem to have accepted the value of this approach, which is consistent with the survey findings. One of the key challenges is working with other internal assurance providers within the organisation to develop a consistent rating system in order to assist the stakeholders i.e. is a high risk in an internal audit report/risk assessment consistent with the risk function’s definition.

Performance Self-assessment and informal feedback are useful tools in assessing performance; however, the value of an independent review cannot be underestimated in helping benchmark against standards and best practice.

People With increasing demands, it is not surprising that the need for additional and new skillsets is a common theme with respondents. One of the key challenges is maximising very specific skillsets and hence why the vast majority of respondents are utilising service providers for access to specialist skills when needed.

Overall assessment:The findings of our survey highlight the significant challenges faced in terms of expanding roles, emergence of new risks, greater stakeholder scrutiny and resourcing pressures.

As organisations and industries develop and change, the internal audit function must also develop in terms of skillsets, approaches, and utilisation of tools to ensure it adequately serves audit committees/boards, and other stakeholders.

At Deloitte, we are committed to supporting Heads of Internal Audit and internal audit professionals keep up to date with the latest developments facing their profession, so please visit www.deloitte.com/ie/internalauditsurvey for our latest insights and thought leadership.

7

About the survey

Figure (i) – Primary sector of the organisation surveyed

We conducted this survey in late 2013 in order to reveal insights and observations of internal audit practices in Ireland. Participants were from a range of different sized companies, operating across financial services, consumer and technology business and the public sector.

Whilst each sector has unique attributes, many of the issues and challenges facing the profession are consistent as demonstrated throughout the survey.

Financial services

Consumer and technology business

Public sector

45%

31%

24%

Figure (i) – Primary sector of the organisation surveyed

Financial services

Banking

Insurance

Stockbroking

Fund industry

Other

Consumer and technology business

Technology

Consumer business

Manufacturing

Public sector

Government department

Regulatory body

Commercial state body

Government agency

These sectors are made of respondents from various different industries being:

8

Figure 1 – In your opinion, have stakeholder expectations of internal audit in your organisation changed over the past three years?

Figure 2 – Has the scope of your internal audit function widened to incorporate additional processes /risks e.g. IT security in recent years?

Yes

No

74%

26%

Figure 1 – In your opinion, have stakeholder expectations of IA in your organisation changed over the past 3 years?

Figure 2 – Has the scope of your IA function widened to incorporate additional processes /risks e.g. IT security in recent years?

Yes

No63%

37%

In this section, we assess how the internal audit function is perceived and their positioning within their organisation. We asked internal auditors if their role has changed and what their level of communication and input is within the business.

Section 1: Purpose and position

Respondents to this survey provided a clear message stating that internal audit has featured far more prominently in entities over the past three years. With 74% of respondents confirming that expectations of internal audit have changed over the past three years, this is very much in correlation with the 63% who reveal that their scope has widened.

9

Figure 3 – In your opinion, what are the key roles that your IA function performs?

Figure 4 – Does your internal audit function have any role in business as usual or advisory activities?

0 20 40 60 80 100

92.1%

78.9%

81.6%

34.2%

Process reviews

Controls development

Risk management adviser

Other

Figure 3 – In your opinion, what are the key roles that your IA function performs?

Figure 4 – Does your IA function have any role in BAU or advisory activities?

Yes

No54%

46%

The majority of respondents highlighted that they are performing multiple functions as part of their role, with 92% performing process reviews, 78% performing controls development, and over 81% acting as a risk management adviser to the business. In addition, 34% of respondents have further responsibilities including advisory, compliance, and corporate governance roles.

Alongside this, with respect to business advisory and business as usual (BAU) activities, 54% of respondents said that their internal audit function plays a role in business advisory and business as usual activities, including providing their services in terms of process changes and change programmes, independent advice, due diligence, and development of processes/policies.

One of the challenges many internal audit functions face is balancing the need for independence and supporting the business, hence the absence of a clear indicator.

10

The risk most organisations felt they needed to mitigate against, with 61% ranking this as a top five risk, is regulation and government policies. This is to be expected, with a huge shift in focus towards increased regulation being apparent in most industries in the last five years. It should also be noted that this risk was just as prevalent in responses from those organisations in the non-financial services sectors, as those in the financial services sector. Interestingly, reputation and brand is seen as the next biggest area of focus, with 58% of respondents highlighting this as a top five risk. The significant efforts that go into developing and promoting brands means that this result is not a surprise. The challenge facing all internal auditors irrespective of your industry is are you considering this risk?

Figure 5 - Have the nature and frequency of communications with the business changed in recent years?

Figure 6 - Rank the following risks in order of priority for your organisation

Figure 5 - Have the nature and frequency of communications with the business changed in recent years?

30%30%

0%

73%70%

22%

5%

Mor

e fr

eque

nt

Less

fr

eque

nt

Sam

e fr

eque

ncy

Mor

e fr

eque

nt

Less

fr

eque

nt

Sam

e fr

eque

ncy

0 20 40 60 80 100

39%

42%

53%

61%

58%

Data protection and security

Talent and labour

Economic uncertainty

Regulation and government policies

Reputation and brand

Figure 6 – Rank the following risks in order of priority for your organisation

A large majority (70%) of respondents have highlighted an increase in the frequency of communications with the business in recent years. This suggests a dramatic increase in embedding a risk culture within organisations, and is also representative of the ever-evolving increase in regulation. 73% of respondents have increased face to face contact with the business, conveying an increased reliance on and involvement of internal audit in both a risk advisory and a business partnering capacity. In addition, these results correlate with those outlined by respondents as their role as a trusted adviser to the business.

One of the key focuses for Heads of Internal Audit is the risk profile of the organisation. In this section we focus on where they see continuous improvement requirements for their businesses, including the current position of risks, challenges facing the respective organisations and an assessment of how these risks are being managed.

11

not being well managed in some organisations. It is of some concern that 6% of those surveyed believe that the management of data protection and security has declined over the course of the last three years, which may be as a result of the increase in cybercrime activity and emerging technologies. The 2013 Deloitte Ireland Information Security and Cybercrime Survey explores this issue in more detail, and can be found at http://www2.deloitte.com/content/www/ie/en/pages/about-deloitte/articles/cybercrime.html

An interesting insight into the position of internal audit across the various industries is the diversity in reporting lines for heads of internal audit. These range from reporting directly to the CEO, CFO, company secretary, global heads of internal audit, and other levels below the CEO. In addition, some respondents noted that they only report directly to the audit committee. This diverse nature of reporting lines highlights the differing positions internal audit hold, depending on the type of organisation, and the industry in which they sit.

Figure 7 - In order to assess how well critical risks are managed in your organisation, please indicate for each of the top five risks how well you consider them to be managed by your organisation.

Figure 8 - Please indicate if the management of each of these top five risks has improved, disimproved, or stayed the same over the past three years.

0 20 40 60 80 100

Reputation and brand

Regulation and government policies

Economic uncertainty

Talent and labour

Data protection and security

68%32%0%

0% 69%31%

4% 48% 48%

3% 58% 39%

4% 46% 49%

Figure 7 – In order to assess how well critical risks are managed in your organisation, please indicate for each of the top 5 risks how well you consider them to be managed by your organisation

Not well managed Requires improvement Well managed

0 20 40 60 80 100

Reputation and brand

Improved

Regulation and government policies

Economic uncertainty

Talent and labour

Data protection and security

41%56%

0%

0%

39%61%

60% 40%

11%51% 37%

6%76% 18%

3%

Stayed the same Disimproved

Figure 8 - Please indicate if the management of each of these top 5 risks has improved/ disimproved/ stayed the same or N/A over the past 3 years.

Following on from the identification of what are envisaged as the top five key risks for organisations, it is intriguing to note that between 31% and 61% of respondents believe that the way these risks are being managed by their organisations is poor or requires some improvement. While economic uncertainty, regulation and government policies are mainly beyond the control of organisations, it is interesting to note that only 39% and 49% of respondents believe that the risks posed by talent and labour and data protection and security to their businesses respectively, are being well managed. Considering the importance of reputation and brand being highlighted by respondents, it is alarming that only 49% of respondents see data protection as being well managed.

Over half of respondents believe that the management of these top five risks has improved over the past three years. The lack of measurable improvement in risk management as noted in figure 8, has led to these risks

12

Figure 9 - Is a formal methodology followed for all audit assignments? Figure 10 – Is your methodology consistent with IIA international standards?

Figure 9 - Is a formal methodology followed for all audit assignments?

Yes

No

97%

3%

Figure 10 – Is your methodology consistent with IIA International standards?

Yes

No

95%

5%

Section 2: Process

This section focuses on the delivery and processes carried out by internal audit functions within the organisations surveyed. This includes insights on the approach taken by the internal audit functions, and the measures taken to ensure that their functions are operating efficiently and effectively, and in line with best practice. In addition, we review reporting by internal audit, and how this is structured and relayed to the business.

In terms of how internal audit functions operate, 97% of respondents confirmed that they operate via a specific methodology, with 95% of respondents further endorsing that their methodology is consistent with the IIA standards.

13

Figure 11 – Do you operate a grading scale for internal audit reporting issues?

Figure 12 - Is each internal audit report given an overall rating?

Figure 11 – If yes, does this include a QA process?

Yes

No

87%

13%

Figure 12 – Do you operate a grading scale for internal audit reporting issues?

Yes

No

76%

24%

The results show that 87% of internal audit functions surveyed operate a grading scale for internal audit reports. 76% of internal audit functions are assigning an overall rating to their internal audit reports. This is consistent with what we see in terms of the level of assurance being sought from audit committees and other stakeholders. For the other 24%, this raises the question of how do they convey those conclusions to the audit committee.

The results highlight that audit committees are both requesting and receiving greater visibility of both the risk profile, and the performance of the business in certain areas. In keeping with the survey findings, it suggests that there is a greater focus on risk culture in organisations than in previous years. However, these results yield the question as to how organisations who do not grade their internal audit issues, or internal audit reports, are able to emphasise the severity of issues and requirements for change to their respective audit committees.

14

Figure 13 – Does your methodology include a QA process? Figure 14 – How often is an independent review of your internal audit function conducted?

Figure 13 - Is each IA report given an overall rating?

Yes

No

67%

33%

0 20 40 60 80 100

13.9%

13.9%

41.7%

16.7%

13.9%

Annually

Every 1-3 years

Every 4-5 years

Less frequently

Never

Figure 14 – How often is an independent review of your IA function conducted? e.g. IIA standards?

Section 3: Performance

This area of the survey provides insights into the performance of internal audit, including how they conduct their internal audit plan and reviews, and how the overall internal audit function itself is subjected to review.

In the previous section on process, we noted that 97% of respondents confirmed that they operate via a specific methodology, with 95% of respondents further endorsing that their methodology is consistent with the IIA standards. However, we can see from the results outlined here that only 67% of those surveyed verified that their methodology included a quality assurance (QA) process.

The IIA standards require a quality assurance and improvement programme that provides for an evaluation of activity against these standards. The standards require both internal and external assessments, with an external assessment at least once every five years. Only 70% of those surveyed comply with this requirement, with almost 14% stating they have never conducted an independent assessment.

15

Figure 15 – In the face of changing requirements has your internal audit unit recruited any specialist staff e.g. IT audit specialists/credit specialists/model experts?

Figure 16 – Have you identified any future skills needs?

0 20 40 60 80 100

10.5%

2.6%

10.5%

21.1%

Yes – last 6 months

Yes – last 6-12 months

Yes – 1-3 years

No

Figure 15 – In the face of changing requirements has your IA unit recruited any specialist staff e.g. IT audit specialists/Credit specialists/Model experts?

Figure 16 – Have you identified any future skills needs?

Yes

No

76%

24%

Section 4: People

The background and skills of team members and the current and future anticipated needs of internal audit functions within the various organisations are highlighted in this section. The issue of staff retention and the use of service providers is also captured.

It is evident that although 76% of Heads of Internal Audit surveyed agree that they have future skills needs, only 24% of respondents have recruited specialist staff in the last three years. These required skills relate mainly to IT audit, IT security and data management. Other skills gaps noted include credit, reinsurance, and actuarial SMEs within the financial services sector. The requirement for additional specialist staff is no surprise, considering both the increased focus on regulation and data protection and security as key risks facing the business, combined with the increased role of internal audit as an adviser/risk manager to the business.

16

Figure 17 – Have you experienced problems identifying and recruiting appropriate resources?

Figure 18 – Have you experienced problems retaining staff?Figure 17 – Have you experienced problems identifying & recruiting appropriate resources?

Yes

No58%

42%

Figure 18 – Have you experienced problems retaining staff?

Yes

No

25%

75%

In addition, over half of respondents acknowledge that they have experienced difficulties in identifying and recruiting appropriate resources. The key obstacles outlined by respondents related to restrictions on hiring, lack of required experience/skills of candidates, lack of adequate funding, and issues relating to languages and geographical locations. To compound these findings, 25% of respondents have encountered difficulties relating to staff retention, in some cases due to lack of opportunity within the organisation.

A number of organisations have begun to invest in their people to address both issues of retention and skills. In terms of qualifications held by internal audit staff members in organisations surveyed, professional accountancy qualifications are held in the majority.

17

Figure 19 – What type of qualifications do your staff hold? Figure 20 – If gaps are highlighted in your ability to complete your internal audit plan, how do you plan to deal with it?

76.3%

42.1% 39.5%

Professional accountancy qualifications

IIA Other

Figure 19 – What type of qualifications do your staff hold?

0

20

40

60

80

100

28.9% 28.9%

65.8%

0

20

40

60

80

100

Defer audits

Recruitstaff

Utilise external service providers

(i.e. outsource/co-source)

Figure 20 – If gaps are highlighted in your ability to complete your internal audit plan, how do you plan to deal with it?

Figure 21 – Do you currently have any arrangements with outsource providers for the provision of internal audit resources?

Long-term on-going arrangement

Job by job arrangement

No

Figure 21 – Do you currently have any arrangements with outsource providers for the provision of internal audit resources?

32%34%

34%

The trend of hiring professional accountants continues with 76% of respondents indicating that their staff hold an accountancy qualification.

A further 42% of functions have employed staff with qualifications achieved through the IIA. In addition, 40% of respondents stated that they employ staff with other qualifications, mainly in areas such as CISA and other IT qualifications.

In relation to problems in completing internal audit plans, 66% of respondents stated that they would engage external service providers to address these gaps, with a further 29% stating that they would recruit staff if such a situation rose. Interestingly, 29% of respondents said they would defer audits in order to address these issues, which may relate to budgeting and recruitment restrictions as identified in some

of our other findings. In correlation with the above findings, 66% of those surveyed are already receiving support from external service providers, either on long-term or job-by-job engagements.

18

We are the leading provider of internal audit and risk advisory services in Ireland. Our dedicated team of over 100 professionals includes:

• Qualified accountants

• Qualified internal auditors

• IT security and forensics experts

• IT auditors

• Regulatory and compliance professionals

• Qualified solicitors

In addition, our practice includes:

• Actuaries

• Data analytics specialists

• Financial model specialists who support our service delivery across all sectors

“About Deloitte Internal Audit:

19

The findings of our survey highlight the significant challenges faced in terms of expanding roles, emergence of new risks, greater stakeholder scrutiny, and resourcing pressures.

David Kinsella, Partner, Enterprise Risk Services, Deloitte

For more information on the Heads of Internal Audit Survey please contact:

David KinsellaPartner

T: +353 1 417 2529

E: davkinsella@deloitte.ie

Colm McDonnellPartner

T: +353 1 417 2348

E: cmcdonnell@deloitte.ie

Gerard LyonsPartner

T: +353 61 43 5501

E: glyons@deloitte.ie

For more details please contact:

DublinDeloitte & ToucheDeloitte & Touche HouseEarlsfort TerraceDublin 2T: +353 1 417 2200F: +353 1 417 2300

CorkDeloitte & ToucheNo.6 Lapp’s QuayCorkT: +353 21 490 7000F: +353 21 490 7001

LimerickDeloitte & ToucheDeloitte & Touche HouseCharlotte QuayLimerickT: +353 61 435500F: +353 61 418310

www.deloitte.com/ieDeloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/ie/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing’s affiliates (collectively the “Deloitte Network”) are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication. © 2014 Deloitte & Touche. All rights reserved