Internrevisjonsstudien 2017: En sammenligning av internrevisjonsfunksjoner i Norge, Norden og resten av verden IIA Norge årskonferanse 2018 Bergen, 29.05.2018 Ellen Brataas, Generalsekretær IIA Norge, Helene Raa Bamrud, partner Deloitte, Erik Andersson, director Deloitte
Om Deloitte 263 900 Antall ansatte Globalt 20 000 Innen Risk Advisory «Deloitte named the undisputed worldwide leader in Risk Consulting by IDC» $38,8 Bn Omsetning i US$ 1380 Ansatte i Norge 70 Innen Risk Advisory 2
Bakgrunn Deloitte s Global Chief Audit Executive Research Survey gjennomført i 2018. CAE Nordic Survey Respondents Totalt antall respondenter 83, hvorav 35 % norske 29 % av respondentene fra finans, 25 % fra offentlig sektor og 11% fra energibransjen. 29 18 15 11 10 Resultater er presentert per land dersom det er signifikante forskjeller mellom landene, ellers er resultatene presentert samlet. Financial services (24) Energy & resources (8) Public sector (21) Other (15) Consumer business (9) Life sciences & health care (3) Technology, media & telecomms (3) www.deloitte.com/globalcaesurvey 3
Strategiske prioriteringer Mindre forskjeller mellom landene Prioriteringer i Norge (rangert): Øke implementering av analysemetoder 1. Implementing Internal Audit analytics 2. Better integrating with the organization s second line of defense functions 54% 49% (61% Global) (42% Global) Denmark Finland Iceland Norway Sweden DE FI IS NO SE 55% 73% 60% 48% 44% 45% 47% 50% 45% 61% Bedre integrering med andre forsvarslinje Øke samarbeid med forretningen Styrke kompetanse i internrevisjonen Forbedre kvaliteten 3. Enhancing partnerships with the business 43% (51% Global) DE FI IS NO SE 27% 30% 38% 50% 82% Økt bruk av analyse er en hovedprioritering både globalt og i alle de nordiske landene. De nordiske respondentene identifiserte de samme topp 5 prioriteringene som ble identifisert globalt, men rangeringen er noe ulik. 4. Enhancing the quality of Internal Audit 5. Strengthening the Internal Audit function s talent pipeline 39% 37% (45% Global) (51% Global) DE FI IS NO SE DE FI IS NO SE 45% 33% 60% 34% 33% 27% 40% 40% 38% 39% 4
Internrevisjonens innflytelse i organisasjonen 4% NO - Little to no impact and influence 60% PARTIAL - Some impact and influence 36% YES - Strong impact and influence Q1. Does Internal Audit have strong impact and influence in the organisation? 5
Internrevisjonens anseelse i organisasjonen 6% NEUTRALLY 6% SOMEWHAT NEGATIVELY 33% VERY POSITIVELY 55% SOMEWHAT POSITIVELY Q2. How Internal Audit function is perceived in the organisation? 6
Internrevisjonens hovedutfordring er å sikre relevant kompetanse og ferdigheter Global 37% 29% 23% 27% 26% 17% 16% 20% 13% 18% The IA function is missing key skills and/or talent that are needed The budget is not sufficient We are limited in terms of the advisory activities we perform The scope of IA s activities are too narrow in terms of the assurance activities that are undertaken My position within the organization and my reporting relationship does not give me the appropriate visibility and/or authority Q3. What are the key challenges your organization s Internal Audit function faces in making more of an impact within your organization? (Select all that apply) 7
Mest ettertraktet kompetanse for internrevisjonen Taking a closer look at the talent gap, competencies and designations that are most sought out in the are: 49% 42% 33% 17% 17% Analytics expertise or experience Certified Internal Auditor (CIA) Certified information technology auditor (e.g. CISA or equivalent) Expertise or experience with specific regulations Qualified accountant (CPA or equivalent) Q4. Currently, which competencies and/or designations are most sought out by your organization s Internal Audit function? (Select all that apply) 8
Svært få internrevisjonsteam har dedikerte ressurser innen dataanalyse Denmark Finland Iceland Norway Sweden 70% 60% 50% 40% 30% 20% 10% 0% Our team includes dedicated data scientists or equivalent Our team includes dedicated team members with strong backgrounds in both IT/analytics and Internal Audit We do not have dedicated analytics team members; we utilize resource(s) from our broader Internal Audit team who have an aptitude for analytics We do not have analytics capabilities within Internal Audit We use external service providers to provide analytics capabilities Not sure Q5. Which of the following describe(s) the capabilities of your Internal Audit function s analytics team? (Select all that apply) 9
Bruk av dataanalyse i internrevisjon Norden Globalt Norden Globalt Norden Globalt 64% 65% Gjennomføring (fieldwork) 29% 23% Teste effektivitet av kontroller 11% 26% Kontinuerlig monitorering 41% 46% Avklaring og begrensning ved scoping av oppdraget 12% Rapportering 18% 11% Kontinuerlig risiko vurderinger 18% 29% Årlig planlegging 31% 12% 14% Bruker ikke analyse 4% Annet 3% 10
Rådgivningstjenester vil sannsynligvis øke fremover Current services Global Changes expected in Internal Audit function s services over the coming 3-5 years Mostly assurance with some advisory 71% 64% Proportion of advisory services will increase 54% 59% Relatively even balance between assurance and advisory Only assurance 17% 8% 21% 10% Proportion of assurance services will increase No change 7% 17% 13% 17% Mostly advisory with some assurance 4% 3% Not Sure 22% 11% Q7. What types of services does your organization s Internal Audit function currently provide? (Select one) Q8. To what extent do you believe the nature of your Internal Audit function s services will change over the coming 3-5 years? (Select one) 11
Cyber risiko er ikke systematisk vurdert Percentage of organizations in which Internal Audit has conducted a cyberfocused risk assessment to assess the organization s potential cyber exposures Percentage of Internal Audit plan that is related to cyber risk in 18% More than 10% 48% Global 51% 33% Between 5-9% 45% 50% 55% 56% 31% Less than 5% 27% 18% None Denmark Finland Iceland Norway Sweden Q9. Approximately what percentage of your Internal Audit Plan is related to cyber risk? (Select one) 12
Trender som vil kunne innovere internrevisjonsfunksjonen de neste 3-5 årene Global Data analytics Integrating assurance Internal Audit adopting an agile approach Cognitive technologies/rpa New operating models across the three lines of defense Predictive analytics Risk anticipation Not sure Visualization Internal Audit auditing agile approaches within the organization New talent models Reporting formats No innovation expected Other 4% 5% 4% 5% 3% 2% 3% 2% 2% 2% 1% 1% 1% 2% 1% 8% 8% 8% 8% 7% 7% 13% 13% 15% 14% 13% 22% 22% Q10. What do you believe will be the key innovative development impacting internal audit over the coming 3-5 years? (Select one) 13
Deloitte AS and Deloitte Advokatfirma AS are the Norwegian affiliates of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.no for a more detailed description of DTTL and its member firms. Deloitte Norway conducts business through two legally separate and independent limited liability companies; Deloitte AS, providing audit, consulting, financial advisory and risk management services, and Deloitte Advokatfirma AS, providing tax and legal services. Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients most complex business challenges. To learn more about how Deloitte s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.