The future strategic role of internal audit Key findings from the

The future strategic role
of internal audit
Key findings from the
Global internal audit survey 2013 and
Consumer products benchmark 2014
Enter
Contents
IA trends within the Consumer Products & Retail (CP&R) sector
1
mandate
1. Expanding internal audit’s mandate
4
2. Increasing the scope
scope
7
requirements
3. Increasing competency requirements
11
composition
4. Evolving internal audit function composition
15
Conclusion
Conclusion
18
Appendix
Appendix
19
>
>
IA trends within the Consumer Products &
Retail (CP&R) sector
With technology and the world economy changing at an accelerating pace, organizations
need to adapt swiftly and efficiently. Many businesses face increasing levels of risk due
to expanding operations in emerging markets and developing countries. Meanwhile,
regulatory requirements are escalating and the intertwined forces of globalization and
advances in technology are creating new opportunities, but also new risks. This volatility
and velocity have had a profound impact on the new demands within the Internal Audit
(IA) function. Corporate leaders are expecting Internal Audit to improve visibility and
provide strategic insights that can deliver lasting value for the organization. Satisfying
these growing expectations implies there must be a transformation of the Internal Audit
function, particularly the securing of appropriate new skills and competencies.
In the summer of 2014, EY conducted qualitative interviews with key executives in
Internal Audit of major CP&R companies to complete the IA picture drawn by our 2013
IA global survey. The focus still set on Internal Audit’s shifting mandate within the
organization. We were particularly interested in how CP&R internal audit functions
were addressing the skills and competency requirements necessary to fulfill a broader
mandate reaching beyond compliance activities, to include finding the right balance
between assurance and advisory, sharing business insights with stakeholders and
serving as a strategic advisor to the organization. More than 500 chief audit executives
(CAEs) participated, spanning 20 industries and the majority of the organizations have
global revenues of $250 million or more. This article highlights the responses given by
the consumer products and retail (CPR&R) industry and compares them to the global
responses.
The results of the survey and interviews show that while assurance and compliance are
still the foundation of internal audit, companies are demanding more business insights
and market recommendations. Today 23% of CPR respondents say that Internal Audit
plays a truly strategic role. However, over the next two years, 60% indicate that being a
strategic advisor will become their primary mandate.
1
>
>
Q: What is the primary mandate or focus of Internal Audit this year and in
the next two years?
To provide Compliance, Business Insights, and Strategic Advice
All sectors
CP&R
36%
23%
15%
Last Year
Next 2 years
69%
To provide Compliance and Business Insights
All sectors
37%
CP&R
30%
46%
Last Year
Next 2 years
20%
To provide only Compliance
All sectors
CP&R
2
27%
55%
31%
Last Year
Next 2 years
11%
>
>
Becoming strategic advisors-Closing the transformation gap
In order for IA to become a strategic and valued advisor to executive management
and their boards of directors, the function has to transform and overcome the current
enablement and competency gaps which will allow for enhanced performance.
Competency gap
Transformation
gap
Enablement
Strategic and
valued advisor
Business insights
Control and
compliance
Non-negotiable
Business relevance
Critical areas
The drivers behind the transformation gap relate mostly to the strategic skills and
experience that the IA staff will have to develop. Internal Audit functions need to focus
on four areas to close this transformation gap and be ready to fulfill its new
expanded mandate.
1
•
Expanding IA
mandate
•
•
•
Broadening stakeholder environment
Balancing assurance and advisory
Providing business insights
Becoming a strategic advisor
2
Increasing
the scope
Emerging
risks
Emerging
market risks
Technology
Thematic
audits
3
Increasing
competency
requirements
Technology
Risk management
Process improvement
Critical thinking
Data analytics
Verbal communication
Business strategy
Relationship management
Industry knowledge
4
Evolving IA
function
compositions
3
Interns
Core audit skills
(includes IT)
Guest auditor
Auditor rotation
Co/outsourcing
>
>
1
Expanding internal
audit’s mandate
4
>
>
Expanding internal audit’s
mandate
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
•
•
Providing assurance and steadfastly adhering to regulatory compliance requirements such as
the Sarbanes-Oxley Act (SOX) or Foreign Corrupt Practices Act (FCPA) remain core elements
of the internal audit mandate. However, the challenge for IA functions shifting towards the new
mandate is to maintain its compliance role while increasing its ability to act as a
strategic advisor.
Finding the right balance between assurance and advisory is unique to each organization
and its strategic objectives. Inputs to this balance include audit committee and management
expectations on the one side and business initiatives on the other.
52% of respondents state that advisory reviews comprise 25% or more of the audit.
Assurance
Internal
Audit
mandate
Advisory
Broadening stakeholder environment
Core
Technology
Critical thinking Emerging
Business strategy
Emerging
Thematic
auditTechnology
skills
Guest market
Auditor
Co/
• Balancing assurance
and advisory
Risk
management
Data analytics
Relationship anagement
Interns
risks
audits
(includes
auditor
rotation
outsourcing
risks Industry knowledge
business insights
Process improvement• Providing
Verbal communication
IT)
Internal audit mandate
Becoming a strategic advisor
Strategic advisor
Audit skills + business knowledge
+ critical and strategic thinking
Business insight
Audit skills + additional
business knowledge +
additional critical thinking
Non-negotiable
compliance
Basic audit skills, IT,
baseline critical thinking
The general trend is that advisory activities are comprising more and more of the audit plan.
However, the results from the CP&R industry reveal that the percentage of advisory activities
performed by IA departments decreased last year. In 2012 all IA departments performed some
advisory work, nowadays 3% report to fully focus on assurance activities. Also last year, 24%
of all consumer product companies reported that at least half of their work was advisory, this
percentage has dropped to just 9% in 2013.
It is important to note that this balance will teeter between assurance and advisory audits as the
organization’s risk tolerance or strategic goals change.
At the base of the spectrum, Internal Audit focuses entirely on compliance. At the top end,
Internal Audit plays both a strong role in compliance activities and acts as a strategic advisor to
the business.
5
>
>
Expanding internal audit’s
mandate
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
•
Broadening stakeholder environment
Core
Technology
Critical thinking Emerging
Business strategy
Emerging
Thematic
auditTechnology
skills
Guest market
Auditor
Co/
• Balancing assurance
and advisory
Risk
management
Data analytics
Relationship anagement
Interns
risks
audits
(includes
auditor
rotation
outsourcing
risks Industry knowledge
business insights
Process improvement• Providing
Verbal communication
IT)
•
Becoming a strategic advisor
Q. IA Advisory vs. Assurance activities in the CP&R sector
50% >
25-50%
5-25%
None
24%
9%
41%
46%
2012
2013
35%
43%
3%
The reason for this change towards assurance within CP&R is not clear, however one thing is;
companies in the CP&R industry that invest in developing their advisory capabilities will find
themselves leading the pack and could gain a significant competitive advantage.
6
>
>
2
Increasing the
scope
7
>
>
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
Increasing the scope
Today, IA must be more vigilant and diligent than ever before. The changing environment is
creating new risks at an increasing speed. The reality is that a control environment that is strong
today can be compromised tomorrow. Technology is advancing fast and new common policies
such as “bring your own device” come with new risks. A flexible and dynamic risk assessment
and internal audit plan, which were once aspirations, are now imperatives. Organizations are
increasingly asking for more and calling for their IA function to advise and proactively monitor
emerging risks.
Currently, 23% of all respondents say they are heavily involved in identifying, assessing and
monitoring emerging risks. Within the next two years 49% expect to become heavily involved.
Q: How involved is IA in identifying, assessing and monitoring emerging risks
today? Will this change in the next 2 years?
Q: Do you currently perform a separate emerging risk assessment?
CP&R
Global
25%
Yes
26%
40%
47%
28%
34%
No
No, but plan on doing in
the next two years
Top emerging risks at a glance
Heavily involved
Somewhat involved
Not involved
23%
49%
51%
2013
46%
26%
Next 2 years
Addressing emerging risks ensure that companies can prepare for future changes in the
business environment. Based on our global survey results, the top global concern is economic
stability (53.8%) followed by cyber security (51.7%), major shifts in technology (48.2%),
strategic transactions in global locations and regulations around data privacy. For CP&R in
particular, strategic transactions in global locations (49%), followed by the risk in economic
stability and cyber security (46%) is at the top of the agenda. This reflects the dynamics of the
CP&R sector in which M&A deals are often in the news and many of their partners, subsidiaries
and affiliates operate in emerging markets.
6%
Furthermore, nearly half (47%) of all respondents say they currently complete a separate
emerging risk assessment and that number is expected to increase to 72% in the next two years.
The trend is the same within CP&R, 40% currently perform an emerging risk assessment and
65% plan to implement it within the next two years.
8
>
>
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
Increasing the scope
Q. What are the top emerging risks that your organization is tracking/monitoring?
54%
46%
Economic stability
Major shift in technology
37%
Regulations around data privacy
39%
43%
Risks in third-world countries/emerging markets
36%
43%
Sovereign risk
23%
23%
16%
20%
15%
17%
Not involved
CP&R
8%
11%
All sectors
CP&R
Top CP&R
emerging
risks
All respondents ranked cyber security, major shifts in technology, regulations around data
privacy and social media among their top emerging risks. However, only 25% of all respondents
say they are heavily involved in addressing IT risks. The rapid evolution of technology is creating
a number of risks as it raises the potential to completely change the business landscape across
all industries.
9
All sectors
62%
32%
29%
Competitor innovation
65%
Somewhat involved
35%
40%
Customer preferences
Climate change and sustainability
25%
48%
44%
49%
Strategic transactions in global locations
25%
Heavily involved
52%
46%
Cyber security
Social media
Q. How involved are you in addressing IT risks?
Addressing emerging market risks is also important, especially for the CP&R industry which is
increasingly seeing more of their revenue originate from emerging markets. These new markets
present huge opportunities for organizations seeking to expand; however, they also bring new
and complex business risks, including local regulations and compliance requirements, different
business practices and cultures, complex tax codes, infrastructure maturity and workforce
management. In the same line, internal audit departments within CP&R companies are
increasing their activity in emerging markets.
>
>
Increasing the scope
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
Q: CP&R IA activity mature vs. emerging markets?
IA activity in Mature vs. Emerging Markets
More active in
Emerging Markets
35%
65%
Less active in
Emerging Markets
In order for IA functions to stay current with changing regulations and technology and address
the exponential increase in emerging risks, IA needs more resources — with the right skills and
competencies.
10
>
>
3
Increasing competency
requirements
11
>
>
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
Increasing competency
requirements
Internal Audit functions must evaluate their current competencies and determine how to
address the requirements of an expanded mandate and scope. One way to provide broader
coverage of risks is through the use of data analytics (DA). Data analytics is a powerful tool
with the potential to significantly increase the effectiveness of an internal audit department.
It enables IA to improve the overall risk assessment by increasing the speed and effectiveness
of data analysis. With smart data analytics IA can test 100% of the sample, expedite fraud
detection, quantify the root cause of issues, and ultimately provide stronger recommendations.
Implementing these techniques into an IA team also shifts the mentality from compliance to
business insight and strategy, aligning the function with the new mandate.
Q: Does IA leverage Data Analytics?
Yes, throughout the entire process
(risk, assessment/identification of
risks, testing, and continuous monitoring)
11%
All sectors
11%
CP&R
33%
Yes, moderately (testing and a little
continuous monitoring/auditing)
37%
Q. In what percentage of audits are you utilizing data analytics?
Greater than 50%
8%
9%
40-50%
8%
9%
20-30%
CP&R
20%
6%
8%
11%
35%
29%
9%
Although data analytics is not a new concept Internal Audit is still struggling to integrate DA into
their core operations. Only 11% of CP&R companies reported using DA throughout the audit life
cycle — from risk assessment and identification to testing and continuous auditing. The majority
of CP&R companies (40%) only use data analytics for testing, if they use it at all.
12
No
40%
25%
19%
10-20%
Less than 10%
All sectors
16%
30-40%
46%
Yes, but limited use (mainly testing)
“The general view is that we need to perform the audit. Sometimes we don’t
have [a] specific expertise. For example, specific compliance rules or IT general
control systems. In these situations we received the services from the Big Four
that can support us to perform in a better way the project audit.”
Silvio de Girolamo,
Chief Internal Auditor & Sustainability, Autogrill Group
>
>
Increasing competency
requirements
We asked our respondents in the global survey which skills they believe are most important for
their Internal Audit staff to possess, their top five skills were all compliance-focused: financial
audit and accounting; internal controls; operational audit; compliance and regulatory; and risk
management. This is understandable as the core service provided by IA is still
compliance driven.
Q: Where do CP&R compliance functions in IA sit in relation to legal activities e.g.,
fraud, bribery, business conduct?
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
When asked which skills you lack, the top skills mentioned by companies are mostly strategic –
focused; including data analytics, fraud prevention/detection, risk management and
business strategy
Q. Which skills do you consider important for IA and which ones do you lack?
Financial audit & accounting
Internal control
28.57%
20.00%
Compliance/regulatory
28.57%
20.00%
Operational audit
IA legal responsibility
31.43%
22.86%
Fraud prevention/detection
28.57%
22.86%
Deep industry experience
11.43%
8.57%
Written communication
No legal activities.
Only compliance
65% of respondents have a separate department that manages the legal activities. Although,
35% say that their IA department conducts some legal activities alongside the compliance
function, fraud prevention/detection is one of the key skills more often lacking within an internal
audit department.
20.00%
14.29%
22.86%
11.43%
5.71%
2.86%
Advisory or consulting experience
5.71%
Change management
8.57%
11.43%
Project management
Technology
5.71%
25.71%
14.29%
28.57%
14.29%
14.29%
17.14%
11.43%
Other (please specify)
2.86%
Important
13
20.00%
11.43%
Relationship acumen
Presentation & facilitation
8.57%
14.29%
8.57%
Critical/analytical thinking
Leadership & teamwork
17.14%
22.86%
Process improvement
Verbal communication
8.57%
31.43%
Business strategy
Mix of legal and
compliance activities
20.00%
20.00%
Risk Management
In-depth knowledge of the Company’s...
65%
14.29%
34.29%
Data analytics
35%
5.71%
62.86%
Lacking
Top strategic skills lacking
>
>
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
Increasing competency
requirements
Our survey indicates that one quarter of CP&R companies believe that their IA department does
not have the necessary skills in-house to meet the new mandate expectations. In order for
internal audit departments to fill the competency gap and increase their growing advising
capabilities many rely on internal knowledge rotation or third-parties to supplement the
resource gaps and staffing shortages.
Q. Do you believe that the in-house IA staff has the right skills to fulfill IA’s
mandate over the next one-two years?
79%
Yes
74%
All sectors
CP&R
20%
No
25%
If IA functions want to achieve their planned increase in advisory capabilities and monitoring of
emerging risks within the next two years, they need to obtain additional resources and find the
right skills required to successfully achieve that goal.
14
>
>
4
Evolving internal audit
function composition
15
>
>
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
Evolving internal audit
function composition
IA needs to complement their traditional skills set with new talents adapted to the requirements
of an expanded mandate and scope. The function can turn to internal resources to find new
talent or partner with external parties to obtain the skills that cannot be found in-house.
Internally
According to the global survey, companies believe the most important skills for accomplishing
the audit plan are within their core internal audit team. This comes as no surprise; companies
want their full-time IA employees to be the main source of knowledge and expertise when
executing an audit plan. Additionally, two of the top sourcing strategies focus on developing
skills internally: Rotational personnel and Guest auditor programs.
Q. What is the most important source of skills for accomplishing the audit plan on
a scale of 1 to 5, with 5 being the most important?
Consumer Products & Retail Sector
4.3
3rd party
3.7
Rotational program
Interns
16
A rotational program enables companies to leverage existing specialized skills available outside
of the internal audit department and at the same time increasing the awareness of the auditor
role. The structure of a rotational program varies from company to company; the majority of
consumer product companies (60%) take an informal approach to rotation with business and
finance departments while the rest of industries tend to adopt a slightly more formal approach.
The average length of rotation is between two and four years. After the core IA team, rotational
programs are the second most important internal source of talent according to the survey.
Q. What is the structure of your staff rotational program?
49%
50%
Formal program for rotations to/from the
business/finance
34%
30%
Formal program for rotations to/from
finance only
Core IA
Guest auditors
Rotational Program
3.2
3
43%
Informal approach to rotations to/from
the business/finance
60%
Informal approach for rotations to/from
finance only 0%
Other (please specify)
1%
0%
Don't know
1%
0%
All sectors
CP&R
18%
2.9
>
>
Evolving internal audit
function composition
Guest Auditor
A guest auditor program gives an employee from outside the internal audit function the chance
to work on a short-term internal audit project. This approach facilitates knowledge sharing and
allows the guest auditor to acts as a subject-matter expert during the project.
Leveraging resources within the organization through guest auditor or staff rotation programs is
a great way to foster relationships and broaden understanding of Internal Audit’s role within the
business. Additionally, Internal Audit can gain business insights from these resources that might
not otherwise have been provided.
1
2
3
4
Expanding IA Increasing Increasing competency Evolving IA function
mandate
the scope
requirements
compositions
Q. Do you use third parties?
Yes, we outsource all of it
Yes, we co-source more than 75% of it
4%
2%
11%
11%
18%
20%
Yes, we co-source 50-75% of it
Externally
Partnering with a third party can be an efficient way of fulfilling the skill gap of an in-house
audit department. It can be difficult for Internal Audit to identify or develop the necessary
proficiencies and skills overnight. Co-sourcing and outsourcing have historically been
controversial options for the internal audit function; however in the past few years attitudes
have shifted considerably. In our 2012 survey, 68% of respondents suggested that they cosourced or outsourced some or all of their internal audit capabilities. In 2013 that number has
increased to 82% as internal audit is realizing that third party resources can work alongside
in-house resources to gain greater synergies. According to responses in the consumer products
survey the second most important source of skills/capability in accomplishing the audit plan
comes from a third party. Utilizing experienced auditors can provide a high level of operating
unit knowledge and offer additional skills such as advisory and/or data analytic capabilities
instantly. The sooner a company incorporates advisory skills such as data analytics into their
audit plan, the greater the competitive advantage they will have.
A third-party provider can offer:
20%
Yes, we co-source 25-49% of it
Yes, we co-source less than 25% of it
No, we don't co-source any of our Internal
Audit capabilities
28%
24%
14%
All sectors
20%
22%
CP&R
In order to satisfy the new demand for skilled talent, companies should consider the option of
co-souring or outsourcing part of their IA function. A third-party provider can cost-effectively
help build a business case, develop an improvement plan, and accelerate the timeline of the
Internal Audit transformation. It is one way to rapidly obtain key skills and build a more robust
Internal Audit function.
1. Organization-specific, sector-specific and international experience
2. A fresh perspective and a wealth of experience gained from having helped other clients
transform their Internal Audit functions
3. Highly skilled talent who receive ongoing training to stay current on leading practices
4. An array of technology solutions and audit tools that can be customized to meet specific
Internal Audit needs.
17
>
>
Conclusion
The current speed of change within the business environment and the expectations
projected on the internal audit function are forcing companies from all sectors to adapt
to thrive. Internal Audit functions must be part of the transformation, their mandate
needs to evolve to balance advisory and compliance tasks to continue adding value to the
business in every industry.
The opportunity for CP&R Internal Audit to maximize its relevance and increase its value
to the organization is real and should be taken advantage of. There is no doubt that a
well-run Internal Audit function is a critical component of any organization. Each internal
audit department within CP&R needs to have the right blend of assurance and advisory
focus to align to the strategic priorities of the company. While the pace of change may
vary, a degree of transformation is a necessity for Internal Audit functions to remain
relevant and effective. The key is to source the needed skills and competencies that will
fill transformation gap and support the new mandate. Developing in-house programs
is a valid option to complete the skill set of the in-house audit department, however,
partnering with a third party is increasingly growing as the chosen way selected by
companies struggling to find the right skills or who wish to make use of the new skills
immediately.
The challenge is significant but so is the payoff — the IA function that successfully adapts
to today’s rapidly changing world will become a trusted advisor to an organization poised
for growth.
18
>
>
Appendix
IA Methodology
Q: What is your protocol for expanding the scope of an audit should your
findings arise?
Scope expanding protocol
Follow methodology
30%
40%
Excalation protocol
30%
No protocol
30% of all respondents expand scope following the guidance included in their audit
methodology. On a more specific level, 30% indicated to have an escalation protocol
in place, escalating findings towards responsible IA personnel and communicating to
management. At last, the majority (40%) indicated not to have any protocols in place to
expand the scope of an audit.
19
>
>
Appendix
IA Methodology
Q: Do you trace the % of audit scope expansion within your audits?
Audit scope expansion tracker
100%
Yes
No
No respondents measure or track the impact of scope expansions within an audit. Among
the responses, some mentioned that although no they had no formal way of measuring
the impact of the scope expansion, that this is reviewed during their audit QA
review process.
20
>
>
Appendix
Reporting
Q: Do your audit reports include recommendations to management?
Audit recommendations to management
14%
Yes
86%
No
The majority (86%) of respondents include recommendations to management into their
audit reports. The audit reports often consist of elaborated risk descriptions including
root causes and specific recommendations to mitigate the risk.
Recommendations are translated into action plans by management and incorporated in
the final report.
21
>
>
Appendix
Reporting
Q: Does IA include action plans in your audit reports to management?
Management action plans
100%
Yes
No
Including management action plans in the audit report is an extended practice, 100% of
the CP&R respondents include action plans in their reports.
22
>
>
Appendix
Reporting
Q: Do you include leading practices performed by the auditee in your audit
reports? And how are these shared elsewhere in the business?
Inclusion of best practices
Yes
14%
43%
No
43%
Other
14% of the respondents include best practices in their audit reports. 43% indicate that
they share best practices through other means, such as on an informal/verbal basis.
Some maintain good practice databases to which the business has access. The remaining
43% indicate not to leverage insights on good practices via Internal Audit.
23
>
>
Appendix
Reporting
Q: Do you rate your report’s overall? What rating criteria are used?
Report rating
100%
Yes
No
All of the respondents rate their overall audit results. The following are examples of
rating systems:
• ‘Not rated, Deficient, Marginally deficient or Satisfactory’
• ‘Score from one to three’
• ‘Five box rating system‘
24
>
>
Appendix
Reporting
Q: Do you rate individual issues? What rating criteria are used?
Individual issue rating
50%
50%
Yes
No
50% of the respondents apply individual issue ratings such as:
• Red, amber or green
• Critical/non-critical
• High, Medium or Low
25
>
>
Appendix
Quality
Q: What measures do you use to determine the quality and value of the
internal audit work to the business?
The majority of companies measure the quality of their internal audit work by ensuring
that the audit deliverables are reviewed during the engagement. The review is typically
performed on an engagement level and includes feedback procedures. Other methods of
evaluating quality include surveys with the client, budget expectations, timeliness, and
fraud detection.
Q: How are quality procedures followed to ensure IA’s performance is of the
highest, consistent quality?
The top tool to ensure quality procedures is to carry out a Quality Assurance review
of the Internal Audit function. The performance of the department is then tested and
reviewed against e.g. the documented audit methodology of the company and/or the IIA
standards. QA reviews are embedded within the ongoing audit process of the majority of
companies which can include in-country visits, annual team Quality Self-Assessments,
and deep dive in-country QAs.
Structure
Q: How is the IA function structured?
The majority of CP&R companies counts with both global and local internal audit
resources. This organizational structure leverages the knowledge of the local operations
whilst maintaining the global standards. Local resources remain important for CP&R
companies as 69% of their audit plan is still based on local audits. A small portion of
companies are in the midst of decentralizing their IA structure, giving the regional and
local teams more independence, this is often accompanied by the outsourcing of certain
audit tasks to a third party partner.
26
>
>
Appendix
Scope
Q: What is your planning approach?
While every company has its own method of planning, almost all companies report
using a risk-based approach to build their audit plan. Management requests are also an
important part of the planning process while still taking into account the compliance
requirements defined by the regulations impacting the organization.
Q: What is the number of audits performed annually?
Number of audits performed annually
0-100
43%
20%
60%
100-200
More than 200
The amount of audits conducted each year and the split between global and local audits
performed. The number of audits performed per year ranges from 60 to 350. This large
difference is partly related to the size of the company, but also to the size and structure
of the IA department.
27
>
>
Appendix
Scope
Q: What is the split between local and global audits?
Global vs. local audits
31%
Local audits
69%
Global audits
The split of locally performed audits versus globally performed audits shows a preference
for performing local audits, 69% of the audit plan relates to local audits while 31% are
global audits covering more than one location.
28
>
>
Want to learn
more?
Accelerating high growth companies’
climb to the top.
www.ey.com/IAriskmanagement
Overcoming compliance fatigue: EY’s
13th Global Fraud Survey.
www.ey.com/fraudsurvey
Expecting more from risk
management: drive business results
through harnessing uncertainty.
www.ey.com/REPM
Under cyber attack: EY’s Global
Information Security Survey 2013.
www.ey.com/giss2013
Using data analytics to enhance
compliance with corporate social
media policy.
www.ey.com/SManalytics
Bring your own device: Security
and risk considerations for you
mobile device program.
www.ey.com.boyd
Insights on governance, risk and compliance is
an ongoing series of thought leadership reports
focused on IT and other business risks and the many
related challenges and opportunities. These timely
and topical publications are designed to help you
understand the issues and provide you with valuable
insights about our perspective.
Please visit our Insights on governance, risk and
compliance series at www.ey.com/GRCinsights.
29
>
>
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust
and confidence in the capital markets and in economies the world
over. We develop outstanding leaders who team to deliver on our
promises to all of our stakeholders. In so doing, we play a critical role
in building a better working world for our people, for our clients and
for our communities.
EY refers to the global organization, and may refer to one or more, of
the member firms of Ernst & Young Global Limited, each of which is
a separate legal entity. Ernst & Young Global Limited, a UK company
limited by guarantee, does not provide services to clients. For more
information about our organization, please visit ey.com.
About EY’s Advisory Services
Improving business performance while managing risk is an increasingly complex business challenge. Whether your focus is on broad business
transformation or, more specifically, on achieving growth or optimizing or protecting your business, having the right advisors on your side can
make all the difference. Our 30,000 advisory professionals form one of the broadest global advisory networks of any professional organization,
delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and exceptional client service. We use proven,
integrated methodologies to help you solve your most challenging business problems, deliver a strong performance in complex market
conditions and build sustainable stakeholder confidence for the longer term. We understand that you need services that are adapted to your
industry issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all,
we are committed to measuring the gains and identifying where your strategy and change initiatives are delivering the value your
business needs.
To find out more about how our Risk Advisory services could help your organization, speak to one of our local EY professional or a member of
our global team, go to: ey.com/advisory
This news release has been issued by EYGM Limited, a member of the
global EY organization that also does not provide any services
to clients.
Global Internal Audit Leadership
© 2014 EYGM Limited.
All Rights Reserved.
Area leadership
This material has been prepared for general informational purposes only and is
not intended to be relied upon as accounting, tax, or other professional advice.
Please refer to your advisors for specific advice.
ey.com
Jonathan Blackmore
EMEIA
+27 11 772 3023
Jonathan.Blackmore@za.ey.com
Tonny Dekker
EMEIA–BeNe
+31 88 4072920
Tonny.Dekker@nl.ey.com
Will Weerts
Netherlands
+31 88 4078817
Will.Weerts@nl.ey.com
EMEIA-BENE
>