Promoting and Supporting Effective Organizational Governance:

Internal Audit’s Role

Sridhar Ramamoorti,
Ph.D., CIA, CFSA, CGAP,
CRMA
and
Alan Siegfried, CIA,
CISA, CPA, CRMA, CCSA

Available free of charge at:

www.theiia.org/goto/CBOK
CBOK 2015 Practitioner Study
• CBOK is the Global Internal Audit Common Body of
Knowledge:

– The global practitioner survey is the largest ongoing

study of internal audit professionals in the world.

– More than 25 free reports about practitioners and the

profession will be released from July 2015 to July
2016.

– Download free reports from the CBOK Resource

Exchange at The IIA website at any time
(www.theiia.org/goto/CBOK).
CBOK 2015 Practitioner Survey

• Practitioner Survey Results

– Survey completed April 1, 2015
– 14,518 usable survey responses

• Participation Levels
– 100% representation from IIA institutes
– Responses from 166 countries
– 23 languages
CBOK 2015 Practitioner Study
 CBOK 2015 Practitioner Study

Age was obtained from 12,780 respondents; Organization Type was obtained
from 13,032 respondents; Gender was obtained from 14,357 respondents; and
Staff Level was obtained from 12,716 respondents.
 Executive Summary
Recent governance crises have increased the need for Internal Audit’s
involvement and review of governance practices and policies.

• Definition: Includes review of governances process

• Critical Role: Internal Audit’s critical role in promoting and
supporting effective Organizational Governance
• Internal Audit Positioning and Credibility: Internal Audit’s
position, stature, and credibility (e.g., functional and administrative
reporting lines) to empower/enable them to become a value-added
contributor within the organization’s governance structure
• Internal Audit’s Role: Assurance and Advisory services in
organizational governance
• Auditing Culture: Key enabler and driver
• Competencies: Internal audit skill sets and competencies
• Wrap up: Insights, Future Trends, and Strategy
• Concluding Remarks
 Organization of Report

Post Enron, the Wall Street financial crisis and global

governance failures have prompted the question:
Where was internal auditing in all this?

Hence, our report is organized as follows:

• How can internal audit address governance?
• What do stakeholders want?
• What is internal audit delivering?
• What does it mean to audit culture?
• How can internal audit overcome barriers?
 Key Components of Governance
Oversight
Stakeholders

Ethical Values
Governance “Umbrella”
Board of Directors

Organizational Alignment

Risk Management Assurance

Senior Management
Internal External

Risk Owners

9
 Three Lines of Defense
• All three lines of defense
should exist—strongest
when separate, and clearly
defined.
• When blended approach
exists, apply safeguards:
• Report to AC directly.
• Ensure effective AC
and board monitoring,
and governance
oversight.
• Communicate and
document potential
risks of combining
lines.
• Consider an executive
to whom all internal
assurance groups
report directly.
Internal Audit: Position/Stature/Credibility within
the Organization’s Governance Structure
• Seventy-five percent of participants indicated that the chief audit
executive (CAE) in their organization reported administratively
to either the chief executive officer (CEO)/president, or the audit
committee/board of directors.
– 48% report to CEO or equivalent
– 12% report to audit committee
– 15% report to board of directors

• Seventy-two percent of participants indicated that the CAE

reported functionally to either the audit committee (or
equivalent), or the board of directors.
– 54% report to audit committee or equivalent
– 18% report to board of directors
 What do Stakeholders Want?
• Demand side for Governance and Strategic
Performance audits:
Board cares more about governance failure risk
(value preservation orientation).
Executive management cares more about
strategy/performance risk (value creation
orientation).

• The majority of CAEs (57%) report that their board

or equivalent supports internal audit reviews of
governance policies. This perception was fairly
consistent across regions with a high of 65% and a
low of 52%.

15
 Key Findings from 2015 CBOK Survey

• Only 4 out of 10 say that a governance code is

in place at their organization.
• More than 6 out of 10 say that their
organizations have a long-term strategic plan
in place.
• About 27% say that internal audit conducts
extensive reviews of organizational
governance.
• Only 16% say that internal audit conducts
extensive reviews of organizational strategy.
 What is Internal Audit Delivering?

• Globally, an average of 70% of internal audit reports provide moderate to

extensive activities related to the review of governance policies and
procedures.
 Compliance with the King Governance Code mandated in South Africa so that there
are high levels of internal audit activity
 Existence of:
 Hard Controls (Tangible, Relatively Easy Measurement)
 Soft Controls (Intangible, Difficult-to-Measure)

• North American internal audit reveals the lowest level of governance

reviews!
 CAEs perform governance audits through the “little bites” strategy.
 Some internal audit functions may not be mature enough to perform these audits.
 If governance risk is perceived low, then risk-based audits would justify only a little
effort being devoted to this area.

22
What can Internal Audit Bring to the Table?
 Provide independent, objective assessments on:

 The appropriateness of the organization's governance structure and

process
 The operating effectiveness of entity-level controls and specific
governance activities

 Act as catalysts for change by:

 Advising or advocating improvements to enhance the organization's

governance structure and processes
 Providing assurance on the governance processes within an
organization
 Facilitating governance best practices

26
Potential Internal Audit Governance Involvement
• Participate in cross-functional ‘what if’ discussions to reconsider governance
risks and identify action plans.

• Help design ‘how to’ improve governance processes to better address risks.

• Redirect audit resources to reassess highest risk areas:

 M&A activity in 2015—exceeded $5 trillion—underscored the importance of
governance reviews
 Risk assessment and risk management/monitoring practices
 Complex decision models—relying on information—the relevance of “information
integrity risk”
 Culture, Strategy, IT governance
 Fraud risk management and loss prevention
 Extended enterprise reviews

• Internal audit review of organizational governance (assurance and advisory

engagements).

27
 Internal Audit Governance-Related Activities

 Governance Assurance Engagements

 Information integrity: relevant, reliable, and timely information for
strategic decision making
 Assuring information integrity of decision-relevant inputs, thus allowing
board/executive management use of information with confidence
 Typically in “little bites” (the “nudge” approach)

 Governance Consulting/Advisory Services

 Providing decision context, interpretation, and insight
 Conducting comprehensive, enterprise-wide reviews to improve
governance structures and processes
 Educating the board and facilitating governance best practices (e.g.,
board self-evaluation)

28
 Internal Audit Skill Sets
• Need ability to identify and assess hard
and soft measures of organizational
culture

• Need to combine subjective and

objective information

• Need confidence in relying on qualitative

factors or intuition
 Auditing Culture
Culture—“the way we do things around here” (Bower)—embeds many
intangibles (e.g., soft controls) that pose audit challenges.
• Management and board competence, philosophy, and style
• Mutual trust and openness
• Strong leadership and powerful vision
• High performance and quality expectations
• Shared values and understandings
• High ethical standards

Strategies for Addressing Culture

• Communicate with senior executives about their views of governance
culture.
• Develop trust with the audit committee that allows subjective judgments.
• Find a champion who supports auditing organizational culture.
• Define roles of what internal audit can realistically do to help improve
organizational governance.
• Consider incorporating governance audit into internal audit charter.

31
 Good Strategy is not Enough!

“Culture eats
strategy for
breakfast.”

Peter Drucker
Lack of Support Can Be a Hurdle
 Culture-Driven Governance Challenges
A Risk-based Approach
 Availability of resources with relevant subject matter expertise,
industry knowledge, leading practices, and tools and technology
 Fear that potential fraud risks are not being addressed

Better Overall Process

 Higher expectations from management and AC time/resource
constraints on Internal Audit

Better Risk Management Leadership

 Getting the right input from top management and the board
 Enhancing top management/board risk management capabilities

Better Knowledge of Limitations

 AC’s and management’s level of understanding of the Internal Audit
function

35
 Internal Audit Governance
Responsibilities—TODAY
 Seeking to understand stakeholder expectations, and
evaluating effectiveness in meeting those expectations

 Developing appropriate internal audit soft skills to add value

to the organizational governance process

 Developing and demonstrating strong communication skills

to effectively convey findings and recommendations

 Embracing and executing a balanced, risk-based audit plan

 Providing leadership on issues of corporate governance, risk

management, internal control, compliance, financial
reporting, and fraud

 Willing to challenge status quo, and operating as change

agents

36
 Internal Audit Governance
Responsibilities—FUTURE
Internal auditors who step up and effectively address the
challenges can demonstrate their positive contributions.

They will:
• Be recognized as effective leaders, and continue to elevate
their stature and reputation in the workplace

• Likely get additional challenges as their role continues to

grow in importance

To Be Successful: Strive for improvement through innovative

techniques and practices (e.g., using leading indicators of risk
and performance, key risk indicators [KRIs] and KPIs),
professionalism, continual development, and dedication to the
profession.
 …Final Internal Audit Thoughts
Stakeholders will look to us to focus on compliance and governance improvement,
with more emphasis on governance improvement.

Strategic and Value

Advisor
Investment in Internal Audit

Business Insight
Monitor Control and
Compliance • Strategy-driven
• Data-driven approach approach
• Focus on control and • Focus on key initiatives
• Risk-driven approach
process effectiveness • Industry expertise
• Leverage automated
• Leverage KRIs and KPIs • Process and controls
controls and data
analysis • Leverage benchmarks optimization
• Expanded risk coverage • Share leading practices • Operational auditing
(internal and external) • Functional expertise
• Efficient monitoring
• Leveraging ICFR, • Data modeling
compliance and fraud
Foresight
Insight
Hindsight

Value to Organization

38
 Author Information
Dr. Sridhar Ramamoorti Alan Siegfried
Managing Director, Current Board/Audit Committee
Quetzal GRC, LLC member, Managing Director
and Quetzal GRC, LLC, and
School of Accountancy faculty, Accounting and Information
Michael J. Coles Assurance faculty, Robert H. Smith
College of Business, School of Business, Univ. of MD.
Kennesaw State University. Former CAE of several international
organizations and Big Four partner.
470.578.2675 (o)
630.347.9172 (c) 410.570.5400 (c)

Email: Email:
sri.ramamoorti@gmail.com siegfal@gmail.com
 CBOK 2015 Releases
Governance, Risk, and Southern Regional
IIA International IIA Financial Conference IIA Midyear
Control Conference Services Exchange All Star Conference
Conference Committee Meetings
South Africa Conference ACIIA Conference
ECIIA Conference

Jul. 2015 Aug. 2015 Sept. 2015 Oct. 2015 Nov. 2015 Dec. 2015
Driving Success Navigating A Global View Who Owns Risk? Auditing the Delivering the
in a Changing Technology’s Top of Financial A Look at Public Sector: Promise:
World: 10 10 Risks: Internal Services Internal Audit’s Managing Measuring
Imperatives for Audit’s Role Audits: Changing Role Expectations, Internal Audit
Internal Audit Challenges, Delivering Value and
Staying a Step Opportunities, Combined Results Performance
Ahead: Internal and the Future Assurance: One
Audit’s Use of Language, One Mapping Your
Technology Voice, One View Career:
Competencies
Responding to Necessary for
Fraud: Exploring Internal Audit
Where Internal Excellence
Auditing Stands
 CBOK 2016 Releases
GAM Conference Leadership IIA International
SoPac Conference Conference Conference

Jan. 2016 Feb. 2016 Mar. 2016 Apr. 2016 May 2016 Jun. 2016
CAE Career Path: GREAT Ways Regional IIA Standards: Promoting and
Engaging Third Characteristics to Motivate Reflections: Conformance Supporting
Parties for and Your Staff Africa and Trends Effective
Internal Audit Competencies of Organizational
Activities: Today’s Internal Maturity Levels The Top 7 Skills Quality Governance:
Strategies for Audit Leaders for Internal CAEs Want: Assurance and
Successful Audit Building the Improvement Bench marking
Relationships Departments Right Mix of Program Trends Internal Audit
Around the Talent for Your Maturity
Interacting with World Organization
Audit Women in IA:
Committees: Lifelong Representation
The Way Learning for and Trends
Forward for Internal
Internal Audit Auditors: Ethical
Certification and Pressures
Training Levels Faced by
Worldwide Internal Auditors
YOUR DONATION DOLLARS AT WORK
This presentation is FREE, thanks
to the generous contributions from
individuals, organizations, IIA
chapters, and IIA institutes around
the world.

Download your FREE

copy today at the
CBOK Resource Exchange.

www.theiia.org/goto/CBOK

This report was generously

sponsored by:

Larry Harrington, CIA, QIAL, CRMA,

2015-2016 Chairman
IIA Global Board of Directors
 About The IIA Research
Foundation
CBOK is administered through The IIA Research
Foundation (IIARF), which has provided groundbreaking
research for the internal audit profession for the past four
decades. Through initiatives that explore current issues,
emerging trends, and future needs, The IIARF has been a
driving force behind the evolution and advancement of the
profession.

For more information, visit:

www.theiia.org/Research
 Copyright and Disclaimer
• The IIARF publishes this document for information and
educational purposes only. The IIARF does not provide
legal or accounting advice, and makes no warranty as to
any legal or accounting results through its publication of
this document. When legal or accounting issues arise,
professional assistance should be sought and retained.

• Copyright © 2015 by The Institute of Internal Auditors

Research Foundation (IIARF). All rights reserved. For
permission to reproduce or quote, please contact
research@theiia.org.