Who Owns Risk? A Look at Internal Audit’s Changing Role Paul J. Sobel CIA, QIAL, CRMA Available free of charge: www.theiia.org/goto/CBOK The IIARF encourages those who are presenting this slideshow to download the full report from The IIA Research Foundation and make it available to their audience.
CBOK 2015 Practitioner Study CBOK is the Global Internal Audit Common Body of Knowledge: The global practitioner survey is the largest ongoing study of internal audit professionals in the world. More than 25 free reports about practitioners and the profession will be released from July 2015 to July 2016. Download free reports from the CBOK Resource Exchange at The IIA website at any time (www.theiia.org/goto/CBOK).
CBOK 2015 Practitioner Survey Practitioner Survey Results Survey completed April 1, 2015 14,518 usable survey responses Participation Levels 100% representation from IIA institutes Responses from 166 countries 23 languages
CBOK 2015 Practitioner Study Global Regions are based on World Bank Categories. Percentages are the percentage of total survey responses from that region compared to all survey responses. North America: 19% Latin America & Caribbean: 14% Middle East & North Africa: 8% Sub-Saharan Africa: 6% Europe & Central Asia: 23% South Asia: 5% East Asia & Pacific: 25%
CBOK 2015 Practitioner Study The speaker does not necessarily need to say this, but it’s important to remember that each pie chart is based only on those who answered that particular question (in other words, not all 14,518 survey respondents provided an answer to every question.) Below are the specific number of responses for each question shown on the slide. Age was obtained from 12,780 respondents; Organization Type was obtained from 13,032 respondents; Gender was obtained from 14,357 respondents; Staff Level was obtained from 12,716 respondents. Age was obtained from 12,780 respondents; Organization Type was obtained from 13,032 respondents; Gender was obtained from 14,357 respondents; Staff Level was obtained from 12,716 respondents.
Who Owns Risk? Helps internal auditors understand the global practices around risk. Focuses on: Trends in Risk Management Internal Audit’s Positioning in Risk Management Internal Audit’s Risk Management Responsibilities Risk Approaches and Competencies
1. Trends in Risk Management More than half (53%) of responding CAEs believe formal risk management processes are in place in their organizations. Formal risk management increased after the global financial crisis, but the growth may be slowing down. There are differences among regions, industries, and company sizes.
Risk Management Practices Among Regions
Key Actions for CAEs Be advocates for the advancement of formal risk management processes, regardless of industry. Seek opportunities to help expedite the implementation of formal risk management, and sustain it when it is already in place.
2. Internal Audit’s Positioning in Risk Management Internal audit and ERM are separate in 80% of the organizations. There may be some blurring between the second and third lines of defense. Regional, industry, and size differences are also seen with this question.
Organizations with Internal Audit and ERM Separate by Industry
Key Action for CAEs Work with management and other internal assurance providers to ensure clarity of roles within the three lines of defense.
3. Internal Audit’s Risk Management Responsibilities Almost half provide assurance on risk management as a whole. However, there are gaps between the percentage of companies with formal risk management and those providing assurance. 12% of audit plans are devoted to risk management assurance/effectiveness. Combined assurance is still not common.
Gap Between Formal Risk Management and Assurance by Region
Gap Between Risk Management Assurance and Combined Assurance by Region
Key Actions for CAEs Strive to provide assurance on risk management as a whole, not just on individual risks. When providing risk management assurance, ensure the criteria for such assurance are well understood. When conducting a risk-based audit, link the scope and results to specific business risks.
Key Actions for CAEs Continue to increase the percentage of the audit plan focused on risk management. Explore ways to integrate assurance with other internal assurance providers; combined and integrated assurance can be more effective and efficient.
4. Risk Approaches and Competencies CAEs place more importance on risk management assurance/effectiveness than management. Risk assessment should be: Leveraged across assurance functions Updated at the “speed of risk” Maintained in appropriate technology
Risk Assessments
Additional Insights The two greatest inputs to audit plans are a risk-based methodology and requests from management. 82% consider their risk proficiency to be competent, advanced, or expert: Most of the novice and trained respondents were at the staff level. Risk proficiency varies somewhat by region and less so by industry.
Risk Proficiency Self-Assessments
Key Actions for CAEs Periodically discuss with management the key risk areas to ensure internal audit’s focus aligns with that of management. Work with risk-related functions to ensure appropriate leveraging and reliance on risk assessment efforts by all such functions. Update the risk assessment at the speed of risk, not based on the turning of a calendar page.
Key Actions for CAEs While requests from management should typically be considered for an audit plan, be cautious to ensure such requests do not divert valuable internal audit resources from higher- risk areas. Continue to grow internal audit capabilities around risk to ensure internal audit functions can meet the changing stakeholder expectations of the future in a world that increasingly becomes more complex and risky.
Summary Internal audit has and will continue to play an important role with risk. Increases in regulation have fueled some advances in formal risk management. Internal audit appears to be keeping up with these advances. However, paying attention to the Key Actions will help internal audit remain relevant around risk.
CBOK 2015 Releases Jul. 2015 Aug. 2015 Sept. 2015 Oct. 2015 Nov. 2015 IIA International Conference Governance, Risk, and Control Conference South Africa Conference IIA Financial Services Exchange ECIIA Conference All Star Conference Southern Regional Conference ACIIA Conference IIA Midyear Committee Meetings Jul. 2015 Aug. 2015 Sept. 2015 Oct. 2015 Nov. 2015 Dec. 2015 Driving Success in a Changing World: 10 Imperatives for Internal Audit Navigating Technology’s Top 10 Risks: Internal Audit’s Role Staying a Step Ahead: Internal Audit’s Use of Technology A Global View of Financial Services Audits: Challenges, Opportunities, and the Future Who Owns Risk? A Look at Internal Audit’s Changing Role Combined Assurance: One Language, One Voice, One View Responding to Fraud: Exploring Where Internal Auditing Stands Auditing the Public Sector: Managing Expectations, Delivering Results Measuring Internal Audit Value and Performance Core Competency Levels for Internal Auditors Please share information about the publication of upcoming CBOK reports and where to go for the free download.
CBOK 2016 Releases GAM Conference SoPac Conference Leadership Conference IIA International Conference Jan. 2016 Feb. 2016 Mar. 2016 Apr. 2016 May 2016 Jun. 2016 The Skills Most Desired by IA Managers for Their Staffs Use of Third Parties by Internal Audit Interacting with Audit Committees CAE Career Path Women in IA: Representation and Trends Maturity Levels for IA Dept. Around the World How to Evaluate and Motivate Your Staff Certifications Held by Internal Auditors Ethical Pressures Faced by Internal Auditors IIA Standards: Conformance and Trends Quality Assurance and Improvement Program Trends Integrated Reporting Organizational Governance: Internal Audit's Role Additional reports that will be available for a free download..
YOUR DONATION DOLLARS AT WORK FREE thanks to generous contributions from individuals, organizations, IIA chapters, and IIA institutes around the world. Download your FREE copy today at the CBOK Resource Exchange. www.theiia.org/goto/CBOK The IIARF encourages those who are presenting this slideshow to download the full report from The IIA Research Foundation and make it available to their audience.
About The IIA Research Foundation CBOK is administered through The IIA Research Foundation (IIARF), which has provided groundbreaking research for the internal audit profession for nearly four decades. Through initiatives that explore current issues, emerging trends, and future needs, The IIARF has been a driving force behind the evolution and advancement of the profession. For more information, visit: www.theiia.org/Research
Copyright and Disclaimer The IIARF publishes this document for information and educational purposes only. IIARF does not provide legal or accounting advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained. Copyright © 2015 by The Institute of Internal Auditors Research Foundation (IIARF). All rights reserved. For permission to reproduce or quote, please contact research@theiia.org.