2016-Pulse-of-Internal-Audit

WWW.THEIIA.ORG/CAE
TRENDS
Internal Audit Budget & Staffing Projections
Remain the Same: Budget 55%, Staffing 71%
Increase: Budget 35%, Staffing 25%
Decrease: Budget 8%, Staffing 3%
Unsure: Budget 2%, Staffing 1%
Moving Out of the Comfort Zone
Are We Too Comfortable?
Culture
Lack of Support Can Be a Hurdle
• Has full support of the board to assess all levels
• Has full support of the executive management to assess all levels
• Has freedom to assess the entire organization & staff
Response scale: Strongly Disagree, Disagree, Neither, Agree, Strongly Agree
Support Makes a Difference
• Has full support of the board to assess all levels: Do Not Audit Culture 68%, Audit Culture 89%
• Has full support of the executive management to assess all levels: Do Not Audit Culture 56%, Audit Culture 77%
• Has freedom to assess the entire organization & staff: Do Not Audit Culture 68%, Audit Culture 87%
What About Reporting Lines?
Report Administratively to the CEO
Report Administratively to the CFO
Is Internal Audit Equipped?
IA is able to identify & assess measures of culture
Response scale: Strongly Disagree, Disagree, Neither, Agree, Strongly Agree
Comparison groups: Do Not Audit Culture, Audit Culture
Addressing a Toxic Culture
• Coordinate efforts with other governance functions
• Raise as separate topic with board
• Raise as separate topic with management
• Focus on culture in audit reports
Response scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective
Culture
• Develop an approach to assess the critical elements
• Gather objective and subjective information about the organization’s culture
  o Use professional judgment to evaluate information that cannot be easily measured
• Build and use relationships
Use of Data
Use of Data – Some Risks
• Ethical or barely legal?
• Responsive or convenient?
• Complete or available?
• Causation or correlation?
• Comprehensive or cherry-picked?
Internal Audit Involvement in Evaluating Data Quality
Response categories: Very or Extreme, Moderate, Slight or Not at All
Confidence in Strategic Decisions Made Using Data
Response categories: Slight or Not at All, Moderate, Very or Extreme
Use of Data
• Know what is collected, how it is analyzed, and which decisions it supports
• Assess the risks
• Consider these risks in audit planning
• Make sure you have requisite skills
From Cybersecurity to Cyber Resiliency
Addressing Cyberattacks – What is Effective?
Cybersecurity
Cyber Resiliency
Addressing Cyberattacks in Business Continuity Plans
• Provide general procedures in response
• Provide clear, specific procedures in response
• Do not specify procedures in response
Internal Audit Effort Falls Short of Ideal
• Communicates to board & management level of risk & efforts to address: Ideal 69%, Actual 40%
• Ensures communication & coordination among all parties regarding risk: Ideal 55%, Actual 33%
• Works collaboratively with IT and others to build effective response: Ideal 56%, Actual 31%
• Provides assurance over readiness and response: Ideal 63%, Actual 26%
Why We Fall Short
• Lack of expertise in internal audit: 52%
• Lack of communication or cooperation from IT: 26%
• Lack of understanding of Board as to criticality: 23%
• Lack of support from executive management: 23%
• Lack of communication or cooperation from departments other than IT: 19%
Cyber Resiliency
• Understand cybersecurity risk
• Consider all aspects of cyber resiliency in your organization: protection, monitoring, response and recovery
• Ensure internal audit has the skills to be engaged in these areas
• Discuss cyber resiliency preparedness with management and the audit committee
Valuing Interpersonal Skills
Interpersonal Skills are Critical
• Communication skills: 98%
• Analytical/critical thinking: 97%
• Business Acumen: 83%
• Industry-specific: 65%
• IT: 44%
• Accounting: 42%
• Risk management…: 40%
• Data mining & analytics: 37%
• Cybersecurity: 28%
• Finance: 23%
• Fraud auditing: 21%
• Investigations: 19%
• Quality controls: 9%
How Do We Ensure Internal Audit Has the Requisite Skills?
• Collaborates with others
• Organizes & expresses ideas clearly
• Listens actively
• Manages conflict effectively
• Balances diplomacy & assertiveness
• Uses research, intelligence, problem solving
• Recognizes own limitations and seeks advice
• Leads through influence, conviction, sensitivity
• Accounts for org politics
• Accounts for cultural aspects
Chart series: Recruiting, Training
What Kind of Training?
• Accounts for culture
• Accounts for organization politics
• Balances diplomacy with assertiveness
• Collaborates with others
• Listens actively
• Uses research, intelligence, problem solving
• Leads through conviction, influence, sensitivity
• Organizes & expresses ideas clearly
• Recognizes own limitations & seeks advice
• Manages conflict effectively
Training methods: Classroom training for auditors, Self-study, On-the-job, Classroom training for professionals, Mentoring
How Effective is Our Training?
• Collaborates with others
• Uses research, intelligence, problem solving
• Recognizes limitations and seeks advice
• Listens actively
• Accounts for culture
• Accounts for organization politics
• Leads through influence, conviction, sensitivity
• Balances diplomacy with assertiveness
• Organizes & expresses ideas clearly
• Manages conflict effectively
Response scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective
The Result: Mediocrity
• Collaborates with others
• Leads through influence, conviction, sensitivity
• Uses research, intelligence, problem solving
• Recognizes limitations and seeks advice
• Listens actively
• Accounts for culture
• Accounts for organization politics
• Balances diplomacy with assertiveness
• Organizes & expresses ideas clearly
• Manages conflict effectively
Response scale: Not effective, Slightly effective, Moderately effective, Very effective, Extremely effective
Is Something Askew?
Rely on Training
On-the-Job & Mentoring
Training is Pretty Effective
Less Than Half of Staff are Very Proficient
Interpersonal Skills
• Recruit for needed soft skills – don’t assume that accountants, engineers or IT professionals can easily learn these.
• Take a more disciplined/formal approach to training/mentoring.
• Consider branching out from informal training methods and seek new options for improving the effectiveness of training.
• Evaluate current job descriptions and job postings to ensure they reflect the skills you truly need.
Invest in yourself and your team
Parting Thoughts
• Identify known & emerging risk areas: 85%
• Facilitate & monitor effective risk management practices by operational management: 78%
• Identify appropriate risk management frameworks, practices & processes: 78%
• Consult on business process improvements: 76%
• Alert operational management to emerging issues & changing regulatory & risk scenarios: 74%
• Assurance on compliance with legal & regulatory requirements: 71%
Source: CBOK Stakeholder Report: Relationships and Risk, Insights from Stakeholders in North America
Questions