Leading Practices of An IA Function

Uploaded by

Mohamed Eladl
Copyright
© All Rights Reserved

Leading Practices of an Internal Audit Function
Where insights lead

Deloitte Risk Advisory | June 2015


Transforming internal audit
Deloitte Risk Advisory understands that you seek to refresh the vision for the Internal Audit (IA) function and are exploring what other leading internal audit departments are doing and how they drive value. We are pleased to share our perspective on the role and value of internal audit. Some considerations include:

• What are other leading IA departments focused on?
• What are they responsible for? How are they positioned? Structured? Resourced?
• How are they resourced? Where and how do they attract, retain, and develop talent?
• How do they execute their responsibilities? Tools? Capabilities?
• How are they evaluated?

Internal Audit…

• Respected leadership: Direct board access and a “seat at the table” with executives
• Not just compliance: Greater scrutiny of emerging risk areas, add value to the business and bring insight to management
• Add value up front: Increased involvement in strategic projects and advise on risk management up front
• Greater focus on risk areas: Scope includes non-traditional risk areas in operations, finance, security, privacy and technology risk management
• Talent expertise and development: Expertise in subject matter areas fosters leadership development
• Optimize process and technology: Seamless use of data analytics, visualization and other leading practices in security and technology

Performance and communication
• Quality assurance
• Key Performance Indicators and monitoring
• Relationship management
• Change management
• Reporting

People and knowledge
• Resource management
• Performance management
• Training and competence
• Communication and knowledge management

Process and Tools
• Risk assessment and planning
• Audit execution
• Issue follow-up
• Technology and tools

Purpose and remit
• Governance Framework
• Assurance framework
• Audit charter - objectives, scope and responsibilities

Position and organisation
• Authority and reporting lines
• Organisational structure
• Internal profile and impact on business

1 Copyright © 2015 Deloitte Development LLC. All rights reserved.


Striking the right balance for internal audit

Leading IA functions strike the right balance between broad value for the organization and their fiduciary responsibility under their audit charter. IA plays a fundamentally key and correlated role in corporate risk and assurance governance. We like to view this function through the Institute of Internal Auditors’ (IIA) Three Lines of Defense Model, which makes it clearer how this function interacts with the other lines and with key stakeholders.

Governing bodies and senior management are the primary stakeholders served by the “lines” and are best positioned to help ensure
that the Three Lines of Defense model is reflected in the organization’s risk management and control processes. IA is able to provide
comprehensive assurance based on the highest level of independence and objectivity within the organization, including areas of
governance, risk management, and internal controls. Deloitte Advisory then seeks to bring innovation and leading practices throughout
how IA executes on these responsibilities.

[Figure: Three Lines of Defense model. Labels: Board of Directors/Audit Committee; CEO/Senior Management; First Line of Defense; Second Line of Defense; Third Line of Defense; Operational Management; Internal Control; Risk Management; Compliance; Others; Internal Audit; External Audit; Supervisory Authority.]

Source: Institute of Internal Auditors: The Three Lines of Defense in Effective Risk Management and Control



Internal audit maturity model

Understanding the maturity of an IA function helps identify areas of improvement and can help the department enhance its value to the
organization. It also helps better align expectations with key stakeholders.

Maturity scale, from Basic (left) to High value (right):

| | Basic | | High value |
|---|---|---|---|
| Perspective | Focus on the past; retrospective look on what happened | Focus on present—survey battlefield, shoot wounded | Future—help the wounded, map the minefield |
| Style | Corporate police | Fact finder/Father knows best | Trusted advisor (auditing and consulting) |
| Planning/risk focus | Rotational/Based on history (Financial and compliance risks) | Risk-based audit plan (Operational, compliance and financial risks) | Enterprise risk-focused audit plan (Full spectrum of risks) |
| Existence of Chief Audit Executive (CAE) | Not likely | IA Director | CAE/Member of “C” suite |
| Reporting lines | CFO/COO | CEO | Audit Committee Chair |
| Objective and mandate | Compliance to policies and procedures | Assurance on internal control systems and compliance | Business risk assurance |
| Independence and objectivity | Hopefully | Generally | Absolutely |
| SoX ownership | Owns | Participates | Validates |
| IT Auditing | Ill-defined | GCCs, security, applications | Consulting to improve IT infrastructure |
| Fraud prevention and detection | Generally not addressed | Reactive | Proactive |
| Risk Management | Limited assessment | Thorough assessment | ERM Champion |
| Governance | No involvement | Limited involvement | IA as advisor/facilitator |
| Technology | Limited | Automated workpapers and use of CAATs for data analysis | Advanced use of CAATs and continuous assurance approach |
| Results | Small findings | Assurance on key audit units | Proactive risk management contribution/Dynamic reporting |



Focusing over the horizon
Leading IA functions proactively engage in key topical areas and high impact areas of focus.

Governance
• Changing the relationship between audit committees and CAEs
• Improving audit committee performance
• Internal audit reporting structure with executive-level accountability and presence
• Internal audit metrics, accountability, and performance improvement
• Auditing the management compliance process

Fraud & Ethics
• Reporting status of fraud investigations and monitoring hotlines
• Auditing for broad areas of ethical concern and ethics program
• Working relationships between in-house legal counsel, security, compliance, HR, and internal audit departments
• Taking an enterprise compliance approach
• Managing the cost of compliance

Risk
• Converging risk management, compliance, and IA
• Assessing risk associated with complex financial instruments, complex accounting and regulatory, and compliance matters relevant to industry
• Reporting and communicating risk assessment results
• Assessing reputational and brand risk
• Assessing cyber risk and threats
• Monitoring extended enterprise risks

Technology
• Applying data analytics throughout all aspects of the internal audit process
• Evaluating the basics and evolving IT areas including identity management, social media risks, emerging technology, cyber risk (cyber intelligence and warfare), ShadowIT, mobile security, etc.
• Protecting customer data
• Planning for business continuity and crisis management

Talent
• Considering varied and emerging talent models
• Attracting and retaining the right talent in IA (e.g., management development, rotations, guest auditors, operational experience liaisons)
• Committing to a highly competent team and supporting professional and leadership development
• Managing flexibility
• Mentoring and performance

Finance & Compliance
• Assessing risks associated with business combinations
• Performing post-acquisition audits
• Auditing the due diligence process
• Value-add audits beyond Sarbanes-Oxley; balance of financial, process, IT, and operational auditing
• Collaborating between internal and external auditors
• Navigating the regulatory landscape



Leading practice considerations
While there is no “one size fits all” model for IA, leading IA functions consider leading practices in positioning the department for
success within the company culture. Key stakeholder engagement and input on the vision and model for IA can contribute to
success. Examples include:

Purpose
• Clearly defined charter with aligned accountability and responsibility
• IA plans are linked to strategic Company priorities
• Facilitates knowledge sharing and transfer of successful practices across the business
• IA audit universe considers a value-added, risk-based scope
• Scope aligned with attest audit and other related stakeholders for optimum reliance and coverage
• Plan considers a blend of varied audit types
• Plan considers a broad and balanced scope of risk and control matters (e.g. finance, operations, compliance, regulatory, IT, fraud, management requests)

Position
• Supports the “third line of defense” model with objective reporting to the Board
• Earns a “seat at the table” with executive leadership and has strong internal brand
• CAE, VP, or IA Director position considered as a successor for other executive roles
• Serves as a trusted business advisor for management and the Audit Committee
• Management actively consults with IA on risk and control matters
• IA exudes a standard of professionalism and trust
• Partners well with other Company risk and control areas and leverages learning

People
• Recruitment model that considers varied talent sources, models, and career paths
• Balance of competencies and responsive/flexible resource model (technical, business, IT, subject matter resources, etc.)
• Supports a leadership development talent model (e.g., rotational, guest auditor program, business liaison model)
• Knowledge of the professional standards for the profession, IIA, certifications
• Compensation strategy and recognition program to attract and retain top talent
• Team that effectively applies judgment and soft skills
• Talent programs that support leadership development, mentoring and training

Process
• Deploys a consistent and efficient execution
• Embeds use of technology throughout the audit process (e.g., data analytics, audit finding workflow, dynamic reporting)
• Uses judgment and considers materiality and business impacts when planning and evaluating and prioritizing exceptions
• Delivers reports that are viewed as fair, consistent, timely, and with valued business insight
• Collaborates with the business in developing practical, sustainable solutions to audit findings
• Employs diligent follow-up and tracking of audit results and finding remediation
• Reports next-generation executive and Board reporting

Performance
• Measures IA contribution based on KPIs linked to value
• Links IA results and findings to impact on Company priorities
• Engages stakeholders in IA feedback
• Self-employs quality processes with a focus on continuous improvement
• Supports ongoing continuous improvement of IA activity through self-assessment and periodic external reviews
• Facilitates ongoing collaboration and communication with management, C-suite, and the board



Appendix
Information technology audits

Leading IA functions deliver on a wide spectrum of IT IA domains to be more relevant, forward thinking, and emerging risk focused.

[Figure: chart of IT internal audit services grouped as Core, Emerging and Advanced, rated High, Medium or Low on these characteristics of services: Audit client value; Complexity of technology; Subject matter expert requirement; Resource cost; Staffing opportunity; Compliance risk oriented; Strategic risk oriented; Current portion of IT IA plan. Other labels in the figure: BCM and DRP; Value; Social Media.]



Embedding analytics capability

Leading IA functions embed analytics throughout the audit lifecycle.

Audit lifecycle phases and the analytics applied in each:

• Develop Risk Model & Audit Plan: Predictive Risk Modelling
• Design Audit Program: Data Visualization & Profiling
• Execute Audit Project Work Plan: Continuous & Remote Auditing
• Deliver Results and Insights: Dashboards & Data Visualization

Key Benefits

Develop Risk Model & Audit Plan
• Evolve from a traditional, static annual audit plan to a more dynamic plan driven by the continuous audit results
• Knowing when and where to focus
• A better risk radar
• Enhanced resource allocation
• Leverage an “early warning system”

Design Audit Program
• Risk-based auditing
• Insight and foresight driven
• Utilize inductive unsupervised techniques

Execute Audit Project Work Plan
• 100% coverage
• Increased efficiency and effectiveness, while reducing the time needed for fieldwork
• Shift from cyclical or episodic reviews with limited focus to continuous, broader audit coverage

Deliver Results and Insights
• Fact-based audit findings and quantification of exposures reduces debate with the business
• Data anomalies and trends provide meaningful and actionable insights into emerging risks
• Using analytics to support audit coverage enhances credibility of report

[Phase not clear from the slide layout]
• Ability to leverage analytics already used by the business
• Execute more timely quantitative and qualitative risk-related decisions

Data Analytics Output and Results
• Identify new and emerging risk
• Improve stakeholder confidence
• Increase audit quality
• Deliver insights and value

“Top-performing companies are three times more likely than lower performers to be sophisticated users of analytics and are two times more likely to say that their analytics use is a competitive differentiator”
Source: Sloan Management School / MIT

Overview of the Deloitte Advisory Internal Audit practice
Our Deloitte Advisory practice includes more than 13,000 professionals in the U.S., with access to another 18,000 globally in over 150 countries through the Deloitte Touche Tohmatsu Limited network of member firms.

US IA practice:
• Dedicated IA practice for over 30 years
• Approximately 360 US internal audit clients
• Over 700 dedicated US IA professionals
• Support an industry proficiency program with approximately 70% of our internal audit professionals certified in industry
• More than 1,300 global professionals hold IIA memberships and IIA leadership positions at the local, national, and global level
• All of our Deloitte internal audit professionals manager and above are certified in a relevant professional certification (CIA, CPA, CISA, CISSP, etc.) with over 600 professionals globally certified as CIAs

Global, 24x7 delivery adding to internal audit productivity and cycle time:
• Off-shore integrated delivery model to enable our Deloitte US India team to efficiently collaborate with our teams
• Deloitte India houses more than 19,000 professionals, including 107 dedicated internal audit resources
• These professionals receive the same training as and must adhere to the same ethics, integrity, compliance and security requirements as our U.S. professionals

• Deloitte Advisory is one of a select few organizations that participate as a Principal Partner, the highest level in the IIA’s
Partnership Program. This program provides an excellent opportunity for our professionals to continue their active support and
development of the profession by offering the IIA and its chapters the tools, techniques, concepts, and philosophies that build and
enhance internal auditing.
• We are proud to be the leading sponsor of the IIA’s Internal Auditing Education Partnership (IAEP) program, which was developed
to respond to the growing interest in internal audit education at institutions of higher learning. This key initiative assists universities
and colleges with establishing effective internal audit programs.
• Deloitte Advisory is the exclusive provider of the IIA’s IT Audit, Fraud, IFRS and XBRL training and seminar
curriculum. As a result, we provide learning opportunities to IIA members across the profession.
• Two of our professionals have held the highest position within the IIA, International Chairman of the Board. We are the only Big Four organization to have had even one Board Chairman, much less two.
• Deloitte Advisory is a sponsor of the IIA Research Foundation. One of our professionals sits on the board.
• Deloitte Advisory complies with the applicable International Standards for the Professional Practice of Internal Auditing as issued
by the IIA.
Internal Audit and risk-based thought leadership

A sample of Deloitte Advisory’s Internal Audit and Risk thoughtware:


• Cloud Computing - the Role of Internal Audit in the Digital Enterprise
• Can Internal Audit be a command center for risk?
• Internal Audit outsourcing: Meeting the evolving demands of the organization
• Internal Audit: Be a Key Player in the Risk Management Process
• Internal Audit Analytics: Casting a wider net for improved Internal Audit effectiveness
• Key questions for audit committees to ask about Internal Audit
• Adding Insight to Audit: Transforming Internal Audit through data analytics
• Predictive Project Analytics: Will your project be successful?
• Reining in project risk: Predictive project analytics
• The digital grapevine: Social media and the role of Internal Audit
• Internal Audit insights: High impact areas of focus

For more information, visit: http://www2.deloitte.com/us/en/pages/risk/topics/internal-audit.html


This presentation contains general information only and Deloitte Advisory is not, by means of this presentation, rendering accounting,
business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such
professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before
making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

Copyright © 2015 Deloitte Development LLC. All rights reserved.


Member of Deloitte Touche Tohmatsu Limited
