
Governance and risk report 2014

Internal audit’s perspective on the management of risk


iia annual survey

This is the report of our second annual survey of Heads of Internal Audit (HIA) in membership of the Chartered Institute of Internal Auditors.

What stood out to us in this year’s survey was the improvement shown from last year in the HIA’s functional reporting line to the audit committee chair which has jumped from 68% to 82% in the private sector and from 64% to 73% across all sectors.

The report sets out factual data on the profession and provides insight on:

• The risk maturity of organisations

• Internal audit’s focus on top risks

• Whether the internal audit function is correctly positioned with the authority, influence and oversight to be fully effective

• Competencies internal audit needs to function effectively now and in the future

Of the 670 HIAs who were sent the survey we received responses from 247 – an impressive 37 per cent. The survey participants broadly reflect the population who were sent the survey in terms of sector, location of work and gender.

We would welcome your reactions to the report and please feel free to contact the policy team at policy@iia.org.uk

Dr Ian Peters, Chief Executive, October 2014

contents

Section 1 – The management of risk

Section 2 – Skills and competencies

Section 3 – Relationships and accountability

Section 4 – Internal audit provision

Annex/Survey methodology

executive summary

Our latest report suggests that we are beginning to see the impact of internal audit codes and guidance, such as the IIA Financial Services Code, particularly in the areas of internal audit’s relationships with audit committees and accessibility to senior management and the board.

The marked increase in the number of heads of internal audit reporting to the chair of the audit committee, across all sectors but particularly in the private sector, is functionally key to helping internal audit increase its effectiveness. Internal audit’s positioning within the organisation is of crucial importance to enable it to have access to key decision makers and information which enable it to understand the nature and scope of risks to the business in a much more holistic way (See section 3).

We are also seeing that internal audit is increasing its focus on critical risks to the business, including operations, risk management effectiveness, and corporate governance (See section 1).

As expectations of internal audit continue to rise across all sectors it is clear that the skill set of practitioners needs to broaden, with an increase in business and commercial acumen, which is particularly anticipated in the public sector, so they join the dots to understand the interrelationship between risk and an organisation’s strategy and the competitive environment it operates in (see section 2).

section 1 – the management of risk

Maturity of the risk management function

Risk maturity is a crucial factor in enhancing internal audit’s ability to give the board a realistic picture of how well key risks across the organisation are being managed. Not all private sector organisations need to be highly risk mature, but the question is do boards fully understand and control risk?

There was little change from last year with 57% of respondents reporting that they felt the level of risk maturity in their organisation was risk managed or risk enabled. The level of risk maturity has not advanced at the pace we would expect given the attention that has been paid to risk maturity after the financial crisis of 2007/8.

Although there is an apparent increase in risk aware against a decline in risk defined between this year and last year the changes are not statistically significant as they fall within the margin of error.

chart 1: risk maturity

The level of risk maturity is similar across most sectors with just over 55% who consider their organisations to be risk managed or risk enabled but in the financial services (FS) sector this figure is 66%. Risk appetite is a key factor in maturity. Risk management, incorporating risk appetite, will only be effective with commitment from the organisation’s leaders. In the case of the public sector, Lord Browne captured this sentiment in his third annual report to Parliament as the Government’s Lead Non-Executive Director saying, “There should be explicit discussion of risk tolerance at board level to identify how much project risk a department is prepared to absorb. This is not happening at present, which means that departments are either taking on too much risk, or taking on risk without fully understanding its implications”1.

the roles that internal audit performs in relation to risk management

This year’s results were very similar to last year in terms of the roles internal audit performs in relation to risk management. Again this year, just under one-fifth of respondents said that they were involved in implementing risk management procedures. Some 10% in the FS sector are involved in implementing risk management procedures and this tallies with the proportion who have responsibility for both risk management and internal audit in the sector.

Surprisingly there is no correlation between this figure and the size of the organisation. We would expect this 10% to reduce further over time to be in line with the recommendations included in codes and guidance such as the Basel Committee on Banking Supervision2, the Financial Conduct Authority’s policy statement on effective corporate governance3 and the IIA Financial Services Code4 which recommend that internal audit should be independent of the risk management function.

1 The Government’s Lead Non-Executive’s Annual Report – Financial Year 2013-14, June 2014

2 The internal audit function in banks, Basel Committee on Banking Supervision, June 2012

3 Financial Services Authority Policy Statement 10/15, Effective Corporate Governance, as published on the FCA website https://www.fca.org.uk/static/pubs/policy/ps10_15.pdf

4 Effective Internal Audit in the Financial Services Sector, Chartered Institute of Internal Auditors, July 2013

in your view, what is the level of your organisation’s risk maturity?

• Risk Naive – no formal plans for risk management

• Risk Aware – consulting & planning to implement risk management

• Risk Defined – early stages of implementation

• Risk Managed – established risk management with planned extension/development

• Risk Enabled – fully established & effective risk culture at all levels

(Chart axis: percentage of respondents; series: 2013 and 2014.)

chart 2: roles internal audit performs in relation to risk management by sector

internal audit and areas of risk

Chart 3 shows the areas where HIAs spend their time against the principal risks facing their organisations.

At first glance some of the bigger risks seem to be receiving less focus from internal audit, for example reputation and brand, talent and skills, competition, economic uncertainty and government economic policy. Internal audit may be spending less time in these areas but the time they are spending is likely to be proportionate to the nature of the risk.

HIAs are focusing on areas such as operations, effectiveness of risk management, and corporate governance. The authors of KPMG’s global audit committee survey5 recommended that audit committee chairs should consider the need to refine internal audit’s role potentially to focus more time on key areas of risk and the adequacy of the company’s risk management processes generally. The report’s authors also suggest that audit committee chairs should recognise that internal audit is most effective when it is focused on the critical risks to the business, including key operational risks and related controls—not just compliance and financial reporting risks.

5 2014 Global Audit Committee Survey, KPMG Audit Committee Institute, 2014

What roles does internal audit perform in your organisation in relation to risk management? (tick all that apply)

• Giving assurance that risk management processes are well designed and working

• Giving assurance on the management of ‘key’ risks, including the effectiveness of the controls and other responses to them

• Giving assurance on the reporting of risk

• Advising and promoting best practice on the identification & evaluation of risks

• Implementing risk management procedures

(Chart axis: percentage of respondents; series: All sectors, Financial services, Public sector, Private sector (non-FS).)

chart 3: top areas of risk – time spent vs. risks facing the organisation

As one would expect some of the top risks that the internal auditors perceive are facing the organisation coincide with the top risks that are perceived by audit committee chairs6:

6 2014 Global Audit Committee Survey, KPMG Audit Committee Institute, 2014

7 HSBC chairman Douglas Flint warns of ‘danger’ in staff becoming risk-averse, Financial Times, 4 August 2014

8 Risk culture must change to protect financial system, Financial Times, 7 August 2014

top risks HIAs perceive organisation is facing | top risks audit committee chairs perceive organisation is facing

Operational | Government regulation/impact of public policy initiatives

Regulatory change | Economic and political uncertainty

Economic uncertainty | Operational

IT projects | Legal/regulatory compliance

Adequacy and effectiveness of risk management | Talent management and development

Chart 4 shows the sector breakdown of risk areas where internal audit spends its time. It is notable that regulatory change is an area taking up disproportionate amounts of time in the FS sector. Douglas Flint, Chairman of HSBC, voiced his concerns that risk taking was being hampered by regulation. He warned of a “growing danger” that employees are becoming too risk-averse because they fear punishment for mistakes7. On the other hand, William Rhodes, President and Chief Executive of William R Rhodes Global Advisors, argued that financial firms are increasing risk taking in their search for yield. He added, “This is often not being done prudently; the key causes of past financial crises are being forgotten at many financial institutions. Senior managers and boards at such institutions need to put more emphasis on risk management and risk culture; some may not do so”8.

please choose the top five areas of risk on which internal audit currently spends most time / effort; and the top five risks facing the organisation

Risk areas: Operational; Adequacy and effectiveness of risk management; Financial reporting and control process; Corporate governance – process and structure; IT projects; Data privacy and security; Regulatory change; Fraud; Outsourcing / supply; Business continuity; Ethics and culture; Reputation and brand; Mergers, acquisitions, and JVs; Product innovation; Talent and skills; Economic uncertainty; Government economic policy; Access to finance; Environmental and climate change risks; Competition; Social media

(Chart axis: percentage of respondents; series: Top risks where internal audit spend most time, Top risks facing the organisation.)

Perhaps IIA Global’s9 stance encompasses the happy medium “risk culture should be about creating an environment where undertaking risk on behalf of the institution is done consistent with the management of risk within tolerance levels approved by the board and senior management”. This point has been echoed by Professor Mike Power, LSE, who believes that we need to ensure that the risk culture debate does not result in an organisation becoming more risk averse10.

culture and risk culture

Another area that stands out is the relatively small proportion of HIAs (14%) that chose ethics and culture in their top five risks in all sectors, although in answer to another question 25% say that they conduct ethics audits as an additional service to the board/board committee. The board and senior executives need independent assurance to understand the true risk culture of the organisation, comparing what is expected in relation to risk appetite to what is actually happening. Internal audit has an important role in highlighting the specific elements of the real risk culture and the root causes of any variations to provide a meaningful insight to the people leading the organisation.

There are a number of reasons why ethics and culture may not be considered as a top risk:

• It is still early days and may be included in future audit plans

• Boards are not prioritising it or are going elsewhere for assurance

• Where boards are prioritising this area then it could be that HIAs believe it is adequately controlled as a discrete area of risk

• Cultural aspects are now better integrated within all audits across all areas of risk

chart 4: top areas of risk – time spent by sector

9 IIA Global’s response to the Financial Stability Board’s proposals for supervising financial institutions on risk culture.

10 Risk Culture in Financial Organisations, Centre for Analysis of Risk and Regulation, London School of Economics, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.

please choose the top five areas of risk on which internal audit currently spends most time / effort

Risk areas: Operational; Adequacy and effectiveness of risk management; Financial reporting and control process; Corporate governance process and structure; IT projects; Data privacy and security; Regulatory change; Fraud; Outsourcing / supply; Business continuity; Ethics and culture; Reputation and brand; Mergers, acquisitions, and JVs; Product innovation; Talent and skills; Economic uncertainty; Government economic policy; Access to finance; Environmental and climate change risks; Competition; Social media

(Chart axis: percentage of respondents; series: All sectors, Financial services, Public sector, Private sector (non-FS).)

While risk culture is an issue that affects all sectors perhaps we would expect to see the FS sector leading the way in the future. As noted by the authors of a report by the London School of Economics on risk culture11, even though the culture of any organisation can affect its risk-taking and control decisions in both positive and negative ways, it is the culture in FS sector organisations which has the ability to affect the economic health of nations in a much more significant way than any other sector.

Even where risk management is quite mature there may well be a difference between the “espoused” risk culture and actual risk taking, either in terms of taking too much risk outside defined parameters or not taking any risk at all and failing to grasp opportunities. Likewise the risk appetite understood (or not understood) by different levels of managers and employees will reflect the risk culture and also inform it.

We do recognise that the issues surrounding the audit of culture including risk culture are difficult. In a report we published earlier in 2014 (footnote 12), a key finding was that auditing culture is seen as the most difficult area of the Code, Effective Internal Audit in the Financial Services Sector, with around one-third of respondents saying it poses significant challenges. The IIA has published technical guidance13 and examples of organisations14 which have started to audit culture with a view to helping the profession to move into this complex area.

Chart 5 shows perceptions of risk are changing over time. Many of the categories outlined are interconnected around the concept of organisational change management. The interrelationship between the categories may explain why some categories appear to be lower down on the list than expected both now and in the future e.g. some respondents may not have singled out social media as a key risk as they may have included it within the reputation and brand category and chosen that to encapsulate both.

Regulatory change is a high-ranking risk both now and in the future, which is what we would expect given the pace of change and the impact on organisations’ reputations. IT projects are ranked as a lower risk in the future, whereas data privacy and security is seen as an ongoing risk. The lower prioritisation of IT projects in the future may be as a result of organisations hoping that they will learn and improve over time.

11 Risk Culture in Financial Organisations, Centre for Analysis of Risk and Regulation, London School of Economics, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.

12 Embedding Effective Internal Audit in the Financial Services Sector – A progress report, Chartered Institute of Internal Auditors supported by Protiviti, March 2014

13 Technical guidance on culture and the role of internal audit available to members on the IIA website

14 Culture and the role of internal audit – looking below the surface, Chartered Institute of Internal Auditors, June 2014

chart 5: top risks now vs. top risks in five years’ time

What are the top five risks currently facing the organisation against the top five risks facing the organisation in five years’ time?

Risk areas: Operational; Regulatory change; Economic uncertainty; IT projects; Risk management effectiveness; Data privacy and security; Reputation and brand; Competition; Corporate governance process and structure; Talent and skills; Government economic policy; Financial reporting and control process; Product innovation; Outsourcing / supply; Mergers, acquisitions, and JVs; Business continuity; Ethics and culture; Fraud; Access to finance; Environmental and climate change risks; Social media

(Chart axis: percentage of respondents; series: Top risks now, Top risks in five years.)

services that internal audit provides to boards and board committees

Chart 6 shows that the top ten risk-related and additional services that internal audit provides to boards and board committees are very similar to last year. Most areas show slight increases from last year with the provision of input on the evaluation of the external auditor’s performance showing as the area of biggest increase. This is likely to be as a result of the introduction of external auditor rotation in 2012 (footnote 15). This is a positive development as internal auditors can apply their knowledge of risk and control frameworks to evaluate the overall performance of the external auditors to inform the audit committee’s own assessment.

15 In 2012, the Financial Reporting Council (FRC) introduced new rules requiring companies to tender their auditing requirements every 10 years on a ‘comply or explain’ basis, meaning that they do not need to do so if they can provide an explanation to the regulators.

chart 6: provision of services in addition to risk-related roles

Which of the following services in addition to risk-related roles does internal audit provide your board / board committee? (tick all that apply)

• Conduct confidential investigations, such as fraud

• Provide views on the performance of management in relation to controls or the adequacy of corrective actions

• Offer concrete proposals on improving internal controls

• Provide an annual opinion on the adequacy of the organisation’s system of internal controls

• Conduct governance reviews

• Act as a channel for whistleblowing

• Manage co-sourcing of internal audit functions

• Provide input on the evaluation of the external auditor’s performance

• Advise the board / committee on reports or information from external parties, such as regulators

• Contribute to the induction and/or CPD of board members

(Chart axis: percentage of respondents; series: All sectors 2013, All sectors 2014.)

Chart 7 shows the variation across the sectors in services provided in addition to risk-related roles.

This variation is particularly stark when comparing the public sector with other sectors. There are considerable sectoral differences particularly in the areas of managing the co-sourcing of internal audit functions; and acting as a channel for whistleblowing.

The lower levels of acting as a channel for whistleblowing in the FS sector are understandable given that the three lines of defence model is applied more rigidly in this sector and therefore HIAs would be seen to be performing a management role and they would not then be able to provide assurance to the board on the effectiveness of whistleblowing policies and procedures.

chart 7: additional services to risk-related roles by sector

Which of the following services in addition to risk-related roles does internal audit provide your board/board committee? (tick all that apply)

• Conduct confidential investigations, such as fraud

• Provide views on the performance of management in relation to controls or the adequacy of corrective actions

• Offer concrete proposals on improving internal controls

• Provide an annual opinion on the adequacy of the organisation’s system of internal controls

• Conduct governance reviews

• Act as a channel for whistleblowing

• Manage co-sourcing of internal audit functions

• Provide input on the evaluation of the external auditor’s performance

• Advise the board / committee on reports or information from external parties, such as regulators

• Contribute to the induction and/or CPD of board members

• Conduct ethics audits

• Monitor board/committee activities to ensure the committee’s charter responsibilities are accomplished

• Undertake social and sustainability audits

• Provide secretariat services to the audit committee

(Chart axis: percentage of respondents; series: Financial services, Public sector, Private sector (non-FS).)

section 2 – skills and competencies

Chart 8 shows that the skills internal audit needs now have not changed much from last year. Communication skills are still at the top and other soft skills are also ranked highly.

This need for such skills is echoed by a number of other surveys of internal auditors. The IIA Global survey16 found that 36% of Chief Audit Executives (CAEs) recruit for industry-specific knowledge and business acumen. Analytical thinking and communication skills are also highly desired.

In their annual internal audit survey Thomson Reuters17 noted that there is a clear direction of travel with internal auditors starting to move out of their traditional comfort zone and into the more qualitative worlds of culture and corporate governance.

chart 8: top competencies internal audit needs now – 2013 and 2014

16 The pulse of the profession – Enhancing value through collaboration, IIA Global, June 2014

17 State of Internal Audit Survey 2014 – Adapting to Complex Challenges?, Thomson Reuters, July 2014

please choose the top five competencies internal audit needs now – comparison to last year

Competencies: Communication skills; Problem identification and solution skills; Knowledge of industry, regulatory, and standards changes; Business/commercial acumen; Conflict resolution/negotiation skills; IT/ICT frameworks, tools, and techniques; Change management skills; Ability to promote value of internal audit; Organisational skills; Accountancy frameworks, tools, techniques; Cultural fluency and foreign language skills

(Chart axis: percentage of respondents; series: Top competencies internal audit needs now 2013, Top competencies internal audit needs now 2014.)

Chart 9 shows the variance between last year and this year regarding the skills internal audit said it needed in five years’ time. A higher proportion ranked the need for business/commercial acumen; people management skills; and communication as top skills needed in the future whereas a lower proportion ranked change management skills in their top five.

The increase in the need for business/commercial acumen is particularly significant in the public sector where it rises from 27% now to 39% in 5 years’ time. This reflects the drive to commercialise how government works which has been highlighted in Lord Browne’s latest annual report where he highlights the need for departments to become more business like to reflect “the changing role of government, which has increasingly become a commissioning body, buying and managing a range of complex services and commercial relationships”18. PwC emphasised the point about business/commercial acumen in their annual internal audit survey19 saying that if internal audit think their job starts with the balance sheet they are wrong and that internal audit needs to start with the business objectives and show that they understand them in order to be aligned to the critical risks of the organisation.

chart 9: top competencies internal audit needs in five years’ time – 2013 and 2014

18 The Government’s Lead Non-Executive’s Annual Report – Financial Year 2013-14, June 2014

19 2014 state of the internal audit profession study – Higher performance by design: a blueprint for change, PricewaterhouseCoopers, March 2014

please choose the top five competencies internal audit needs in five years’ time – comparison to last year

Competencies: Change management skills; IT/ICT frameworks, tools, and techniques; Knowledge of industry, regulatory, and standards changes; Business/commercial acumen; Communication skills; Problem identification and solution skills; Ability to promote value of internal audit; Conflict resolution/negotiation skills; People management skills; Organisational skills; Accountancy frameworks, tools, techniques; Cultural fluency and foreign language skills

(Chart axis: percentage of respondents; series: Top competencies internal audit needs in five years’ time 2013, Top competencies internal audit needs in five years’ time 2014.)

section 3 – relationships and accountability

overseeing the internal audit function

When we look at responsibility for overseeing the internal audit function chart 10 shows the results are very similar to last year.

The high level of executive responsibility for budgets, remuneration and appraisals is still of concern this year as the board/audit committee should oversee the internal audit function to ensure that internal audit’s independence and objectivity from the executive is preserved and enhanced.

chart 10: oversight of the internal audit function

Who has ultimate responsibility for approving your:

Audit charter; Audit plan; Budget; Appointment; Remuneration; Appraisal (each shown for 2013 and 2014)

(Chart axis: percentage of respondents; series: Executive management (e.g. CEO/CFO), Other board committee, Audit committee, Board.)

chart 11: executive management responsibility – by sector

executive management responsible for: Appraisal; Remuneration; Budget

(Chart axis: percentage of respondents; series: Private sector (non-FS), Public sector, Financial services, All sectors.)

The table shows audit committee and executive management responsibility broken down by sector. The FS sector is leading the way with much lower proportions for executive management responsibility for budgets, remuneration and appraisal. Improvements have been made on last year in the FS sector with a much lower proportion of respondents, 50% this year down from 70% last year, saying the executive is responsible for appraisal.

executive management responsible for: | all sectors | Financial services | public sector | private sector (non-FS)

Budget | 53% | 33% | 64% | 56%

Remuneration | 69% | 42% | 82% | 76%

Appraisal | 75% | 50% | 90% | 81%

audit committee responsible for: | all sectors | Financial services | public sector | private sector (non-FS)

Appointment | 54% | 77% | 22% | 62%

Audit Charter | 78% | 82% | 76% | 79%

Audit Plan | 85% | 92% | 76% | 88%

Functional reporting lines

The functional reporting line to the chair of the audit committee is key to enhancing the effectiveness of internal audit as it creates the foundations for the independence and objectivity of the internal audit function. Functional reporting lines to the audit committee chair are showing a significant increase from 64% last year to 73% this year.

chart 12: Functional reporting line

Chart 13 shows that the FS sector is in the lead in this area at 84%, an increase of 4% from last year.

We saw the biggest jump from last year in the private sector (non-FS) with those reporting to the audit committee chair rising from 68% to 82%.

Having an independent reporting line to the chair of the audit committee is one of the key recommendations in the Financial Services Code20 and is equally applicable to the private sector more generally. As a result there will be encouragement from boards, external auditors, regulators, advisors, investors and the wider media for companies to adopt such practices under the guise of ‘good corporate governance’. Perhaps too, as the expectations of internal audit grow, HIAs will themselves be looking for strong independent support for their role i.e. to have a functional reporting line to the chair of the audit committee.

20 Effective Internal Audit in the Financial Services Sector, Chartered Institute of Internal Auditors, July 2013

Functional reporting line (to whom are you ultimately accountable?)

Board chairman; Chair of the audit committee; Chair of other board committee; CEO; CFO; Other

(Chart axis: percentage of respondents; series: 2013 and 2014.)

administrative reporting lines

As we found last year, around three quarters of our respondents said that they report administratively to the CEO or CFO. There are no statistically significant changes in the proportions reporting to the CEO, which has increased from 30% last year to 36% this year, and to the CFO which has decreased from 45% last year to 40% this year.

Reporting administratively to the most senior person in the executive reflects the increasing stature and role of internal audit within the organisation.

relationships and access

We asked respondents at which level they sit in their organisation’s hierarchy. Across all sectors only 35% sit at Executive Committee level. In the FS sector this figure is 56% which is up from 45% last year. Perhaps this increase is partly as a result of the effect of the introduction of the Financial Services Code21 which says that the HIA should be at a senior enough level within the organisation (normally expected to be at the executive committee or equivalent) to give them the appropriate standing, access and authority to challenge the Executive. This chimes with research we carried out earlier this year22 about embedding effective internal audit in the FS sector which showed that only around one in six respondents said it will be difficult to ensure that the HIA has the appropriate standing called for in the Code i.e. at Ex Co level.

Similar to last year nearly all (95%) say they regularly attend meetings of the audit committee. While those who reported regularly attending board meetings rose from 12% to 18% the increase is not statistically significant. These proportions were roughly similar when we drilled down to the sector level. In research we carried out earlier this year about building an effective internal audit function in the FS sector23 respondents told us that attendance at executive committee meetings by the HIA can be valuable in supporting unrestricted scope and access and allowing internal audit to play its enhanced role in supporting the challenge of strategic decisions.

As we found last year a very high proportion of respondents (95%) have access when required to meeting in private with their audit committee chair.

We are surprised by the relatively low proportions who have access in private to the chair of the board.

Ultimately we would expect that all HIAs would have access to meet in private with those listed on the vertical axis of chart 14 (if applicable).

chart 13: Functional reporting line to the audit committee by sector – 2013 and 2014

21 Effective Internal Audit in the Financial Services Sector, Chartered Institute of Internal Auditors, July 2013

22 Embedding Effective Internal Audit in the Financial Services Sector – A progress report, Chartered Institute of Internal Auditors supported by Protiviti, March 2014

23 Building effective internal audit – putting the pieces together, Chartered Institute of Internal Auditors supported by EY, September 2014

Chart 13 (figure not reproduced): percentage of respondents by sector (All sectors, Financial services, Public sector, Private sector (non-FS)), 2013 and 2014.

(16)

This year for the first time we asked about meeting in private with the regulator and the external auditor. Nearly 90% of our respondents can meet in private with the external auditors, which perhaps shows that internal and external audit are working smartly together. Across all sectors only 30% of respondents can meet in private with the regulator. This figure may reflect the fact that some sectors/industries are more heavily regulated than others and the nature of the relationship with the regulator varies between industries and may not necessitate meetings in private. However, in the FS sector nearly 60% of HIAs can meet in private with their regulator. Again we would expect this figure to be 100%. The FCA sees internal audit as a vital player in assisting the board and executive to make effective decisions, and in alerting the board to potential conduct and reputational risks.

Where the FCA believes a firm has a robust internal audit function it will look to place greater reliance on its findings and use it to undertake reviews.

chart 14: access to private meetings by sector

Chart 14 (figure not reproduced): "You have access when required to meet in private with (You may tick more than one box)". Percentage of respondents by sector (All sectors, Financial services, Public sector, Private sector (non-FS)). Vertical axis: Chair of the board; Chair of the audit committee; Chair of the risk committee; CEO; External audit; The regulator; Other non-executives (please specify).

(17)

resources

The budget changes show the same direction of travel as last year but are more pronounced this year. In the coming year the FS sector will see the biggest net increase in budgets.

chart 15: internal audit budget changes in the next year by sector

The public sector on balance is still expecting budget decreases but not by as much as last year. Chart 16 shows that local government is again bearing the brunt: a net 37% (39% last year), i.e. the difference between those experiencing budget increases and those experiencing budget decreases, are facing overall decreases. This compares with 16% net (18% last year) across the public sector as a whole.

The budget decreases in local government mean that there is a significant risk that some internal audit functions will get to a point where they no longer have the resources to do the work necessary to give a robust annual opinion. This in turn puts the objectives of the organisation at risk. We were told by some of our HIAs in local government that more councils are pushed to deliver only what they must statutorily and no more in order to make the cuts, and that the level of cuts varies widely between different councils.

According to the Office for Budget Responsibility [24], spending on day-to-day public services, which are bearing the brunt of the cuts, is set to fall to its lowest as a share of GDP since 1938. Real public services spending per person will, however, be much higher than in 1938, albeit the lowest in more than a decade.

section 4 – internal audit provision

chart 16: internal audit budget changes – public sector breakdown

co-sourcing

For all sectors top areas of co-sourcing, by a great margin, were: data privacy & security; and IT projects. There is little change in the proportion of those who pursue co-sourcing between this year and last year as the difference of 3% is not statistically significant. Around 70% of private sector (non-FS) and 56% of public sector internal audit functions pursue co-sourcing which has changed little from last year. The only sector where the proportion has increased significantly is the FS sector which has increased from 77% to 85%.

chart 17: proportion of internal audit work that is outsourced/co-sourced

24 Crisis and consolidation in the public finances, Working Paper no.7, Office for Budget Responsibility, September 2014

Chart 15 (figure not reproduced): "In the next year will you be changing your internal audit budget?" Percentage of respondents by sector (All sectors, Financial services, Public sector, Private sector (non-FS)); series: Budget increase, No change, Budget decrease.

Chart 16 (figure not reproduced): "In the next year will you be changing your internal audit budget – 2014?" Percentage of respondents for Local government, Central government, Rest of public sector; series: Budget decrease, No change, Budget increase.

Chart 17 (figure not reproduced): "What proportion of your internal audit work is outsourced/co-sourced?" Percentage of respondents by band (0%, <10%, 10-25%, 26-50%, 51-75%, >75%, 100% (full outsourcing)); series: All sectors 2013, All sectors 2014.

(18)

Frequency of EQA

Across all sectors the proportions of those who have their internal audit activity externally assessed (EQA) were broadly similar to last year, but there was a slight decrease in those who have an EQA at least every five years, from 68% to 63%. The proportion of those reporting that they have never had an EQA rose from 20% last year to 28% this year.

In the FS sector, 75% have an EQA at least every five years. 17% of respondents in this sector report that they have never had one.

This year we asked whether the EQA was external or an internal assessment that had been externally validated; as expected the levels of internal assessment were much higher in public sector at 47% as against 20-30% in the other sectors.

chart 18: Frequency of external quality assessments

How frequently is your internal audit function externally assessed to judge compliance with IIA Global Standards?

• Annually: 6%

• Every 2-3 years: 14%

• Every 4-5 years: 43%

• Over 5 years: 9%

• Never: 28%

(19)

data analysis

Of the 670 HIAs who were sent the survey we received responses from 247 – a response rate of 37 per cent.

The survey questionnaire contained pre-coded single and multiple response questions. We used Excel to analyse the quantitative data.

• Percentages quoted represent “valid percentages” i.e. they exclude non-responses.

• Percentages may not always add to 100 due to rounding.

• Where questions allowed more than one response (i.e. where respondents could tick all that apply or rank their top choices), percentages generally add up to more than 100 per cent.

Much of the difference between each year may be due to the margin of error in the sample selected.

The margin of error for this survey = 6.2%

demographics

We compared the background information for those who took part with that of the population who were sent the survey. This showed that the backgrounds of those who responded were broadly representative of the population of HIAs who were sent the survey, in terms of sector, location of work and gender.

• Those in financial services (banks, building societies, insurance and other financial services) represent 30% of our survey population and 27% of our survey participants.

• Those in the public sector (education, central government, local government, health and other public sector) represent 27% of our survey population and 29% of our survey participants.

• Those in the private sector (non-financial services) represent 40% of our survey population and 41% of our survey participants.

annex a – survey methodology

(20)

about the chartered institute of internal auditors

First established in 1948, we obtained our Royal Charter in 2010. We are the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland.

We have approximately 8,000 members in all sectors of the economy including private companies, government departments, utilities, voluntary sector organisations, local authorities and public service organisations such as the National Health Service.

Members of the Chartered Institute of Internal Auditors are part of a global network of 180,000 members in 190 countries. All members across the globe work to the same International Standards and Code of Ethics.

Over 2,000 members of the institute are Chartered Internal Auditors and have earned the designation CMIIA. 800 of our members hold the position of head of internal audit and most FTSE 100 companies are represented amongst the Institute’s membership.

www.iia.org.uk

Chartered Institute of Internal Auditors 13 Abbeville Mews 88 Clapham Park Road London SW4 7BX tel 020 7498 0101 fax 020 7978 2492 email info@iia.org.uk

© October 2014
