Date post: | 30-May-2018 |
Category: |
Documents |
Upload: | varunonscribd |
View: | 222 times |
Download: | 0 times |
of 38
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
1/38
TheEvolvingFaceofInternalAudit
inIndiaItsRole,KeyChallengesandtheWayForward
GOVERNANCE, RISK AND COMPLIANCE SERVICES
ADVISORY
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
2/38
BetweenAprilandJune2009,KPMGinIndiaandBSEjointly
surveyed225seniorexecutivesofIndiancompaniesofwhich
approximately75percentwerelistedcompanies,large
corporatesandMNCs.Throughthissurvey,weaimedto
understandtheprofileoftheInternalAudit(IA)functionwithin
organizationsandgatherfactsontheinternalauditpractices
thatarefollowed.
FortysixpercentoftherespondentsbelongedtotheC-level
categoryorvicepresidentInternalAudit,andtheother54
percenthadvastresponsibilitiesforfinance,riskorgeneral
managementwithintheorganizations.
Wearegratefultoalltherespondentsfortheirvaluabletime
andinsights.
Aboutthesurvey
54%CFO,
HeadAccounts&Finance,
ComplianceOfficer,etc.
23%ManagingDirector
16%ChiefExecutiveOfficer
7%VicePresidentInternalAudit
Respondentprofile
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
3/38
InternalAuditinIndiahas
evolvedsignificantlyinthe
lastfewyearsatapace
fasterthanonewouldhave
expected.Withanincreased
spotlightongood
governancepractices,the
profileofIAcanonlyget
higher.HowgearedIA
functionsaretomeetthe
scaledupexpectationsof
thevariousstakeholders
requiressomeintrospection.
-NikhilJain,IA-Head,
GlaxoSmithKlineConsumerHealthcareLtd,
India.
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
4/38
Foreword
Toeffectivelydevelopandexecutecorporatestrategy,riskandcontrolsmanagement
needtobedeeplyembeddedinthecorporateculture.TheroleoftheInternalAudit
(IA)functioninanorganizationistoprovideeffectiveandindependentassuranceto
theboardonhowkeybusinessrisksaremanagedandstrategiesareimplemented.
IAsupportstheboardindischargingitsoversightresponsibilitiesrelatingtostrategy
implementation,internalcontrolsandfinancialreporting.
Corporatefrauds,governancefailures,regulatoryscrutinyandglobalizationhaveall
contributedtoanincreasedfocusontheIAfunctionandtheroleitplays.Thereis
considerablere-thinkingonIAsroleintermsofhowitcansuccessfullymakethe
transitionfromvaluepreservationtovaluecreation.
ThishasledtoaparadigmshiftinexpectationsfromIAtodaycomparedtowhatthey
wereafewyearsago.
What is IA expected to deliver today?
Implementationofariskbasedapproachtoassuranceincludinganindependent
evaluationofmanagementsriskassessmentandmanagementprocesses
Assuranceonavarietyofcriticalrisksthatarecrucialtoachievingcorporategoals
Processimprovementrecommendationsthatwillpavethewayforsimple,
standardizedandsustainableprocesseswithreducedpotentialforerrors
Rightskillstoaddvalue
Perspectivesonindustrybestpractices
Adoptionofappropriatequalitystandards.
Takingthefirststeptowardsthis,organizationsarenowattemptingtoclarifyand
definetheroleofinternalauditintheorganization.Tofacilitateorganizationsindoing
so,KPMGinIndiaandBSEconductedthissurveywhichfocusesonassessingthe
currentstateofIAinorganizationsandpavingthewayforward.
InternalAudit
shouldstay
aheadofthe
businessand
notfollowit
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
5/38
ThissurveyaimstounderstandtheprofileofinternalauditfunctioninIndiaIncusing
KPMGsconceptualframeworkforIAwhichisbasedonthethreedrivingprinciplesof
IAssuccess,i.e.positioning,peopleandprocesses.
Wehopeyouwillfindthisreportbeneficialinsupportingyourowndrivetoembeda
cultureofexcellenceinriskandcontrolsmanagementandinunlockingthepotential
ofvalueprotectionandenhancementinyourorganization.
Neville. M. Dumasia
ExecutiveDirectorandHead
Governance,RiskandComplianceServices
KPMGinIndia
Madhu Kannan
ManagingDirector&CEO
BombayStockExchangeLtd.
Positioning IsIAstrategicallypositionedwithinthebusinesstoenableittocontributetobusinessperformance?
People DoesIAhavetherightstaffingstrategytodeliverontheagreedobjectives?
Processes DotheIAprocessesenableittoachieveobjectivesandisthedepartmentresponsivetochangingbusinessneeds?
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
6/38
ExecutiveSummary
Key Survey Findings:
IA Priorities are becoming broad based and getting clearly articulated
ThereisnowgreaterclarityaroundIArolesandresponsibilities.Whiletheassessmentofinternalcontrol
systemsandreportingdeficienciescontinuestobeIAsnumberonepriority,IAactivitiesarebecoming
morebroadbasedtoincluderiskassurance,fraudriskandbusinessprocessimprovementsthereby
indicatingthatIAismovingupthevaluechain.
2
5
7
9
12
15
More is expected of IA in the sphere of fraud risk; however, IA needs to overcome some
real challenges in meeting this expectation
RecenteventsincorporateIndiahaveputthespotlightonfraudrisk.AuditcommitteeexpectationsfromIA
aregrowingintheareaoffraudriskassessmentandmonitoring.Shortageofspecialistskills,lowlevelof
skillsandconfidenceintheuseoftechnologyandanalyticsandtherelativelackofindependenceforIAare
thefactorsimpedingIAeffectivenessinfraudriskmonitoring.
IAs independence and stature in the organization needs to grow
AmajorityofIAheadsarereportingtomanagement.WithIArolesbecomingbroadbased,IAsreportingrelationshipanditscommunicationwiththeBoard/auditcommitteeneedstoimproveinordertoprovideit
withtheindependenceitneeds.
IA funding is not impacted by recessionary trends
AmajorityoftheIndiancompaniesbelievethatthecurrentfinancialcrisishasnothadamajorimpactonIA
fundinganditsactivities.
IA talent management continues to cause concerns especially when it relates to areas
requiring specialist skills
IAstaffingandskillsetsareproficientingeneralauditingandtraditionaloversightareassuchasfinancial
reporting.Inareasrequiringspecialistskills,talentacquisitionandretentionposesasignificantchallenge.
There is a significant gap between IA plans and their execution
Completionofauditplanisachallengewithatleast25percentoftherespondentscompletinglessthan80
percentoftheauditplanoverthepasttwoyears.
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
7/38
Careful consideration of IA sourcing parameters is critical to enhancing IA capabilities
Sourcingparametersthattakeaccountofstakeholderexpectations,theorganizationalcultureandtherisk
profileneedtobeclearlyidentifiedtoovercomeIAchallengesrelatingtoappropriateriskcoverage,
adequacyofspecializedskillsandIAplanexecution
17
20
24
26
29
IA Risk Assessments are not holistic enough and they often lack the organizational buy-in
ThereisstillsomewaytogoinmakingIAplansriskbased.EvenwhereIAfunctionsdohavearisk-based
plan,IAneedstoovercomethechallengeofaligningitsriskassessmentswiththeenterprise-wideviewof
risks.
Embedding controls consciousness within the business is still evolving in India Inc
ManyorganizationshavedeployedIAasthefirstlineofdefenseintestingtheeffectivenessofinternal
controlstherebyindicatingthatembeddingofriskmanagementandinternalcontrolsystemsarestill
evolvinginanumberofIndiancompanies.
Practices followed to assess IA performance and quality lack consistency and need to be
formalized
AstructuredapproachtomeasuringandsustainingIAqualityislacking.Asignificantmajoritydonot
undertakeanexternalqualityassessmentoftheirIAfunctionatperiodicintervals.
Indian companies with a global footprint are not entirely satisfied with their coverage of
internal operations
Clearlythereisscopeforenhancingcoverageofinternationaloperationsknowledgeoflocallawsand
regulationsandemergingriskissuesposeoneofthebiggestchallengeincoverageofinternational
operations.
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
8/38
Positioning
TheprofileofpresentdayIAcoverageis
expanding.Thecanvashasbroadenedtoincludea
mixofcomplianceandadvisoryservices.Therole
ofinternalauditisbeingdrivenbythe
expectationsofnumerousstakeholders
comprisingtheCEO,auditcommittee,executive
managementandexternalauditors.Itisimportant
thattheCEO,headofIAandtheauditcommittee
haveacommonsharedvisionforIAthatiswell
communicatedandclearlyunderstoodbyall
stakeholdersconcerned.
ArunMehra,IA-Head,WMIndiaTechnical&ConsultingServices(P)Ltd
1
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
9/38
ThereisnowgreaterclarityaroundIArolesandresponsibilities.Whileassessmentof
internalcontrolsystemsandreportingdeficienciescontinuestobeIAsnumberone
priority,IAactivitiesarebecomingmorebroadbasedtoincluderiskassurance,fraud
riskandbusinessprocessimprovements.ThisindicatesthatIAismovingupthevalue
chain.
Amajorityoftherespondents(72percent)(seeFigure1)haveanIAcharterindicatingthatthereisclarityaroundthestructureandmandateforIA.Withinthe
IAcharters,thereissufficientcoverageofIAsmission,objectives,expectationsof
andaccesstoauditcommittees,independence,natureandscopeofwork,
communicationandreporting.However,theresultsindicatethatthereneedsto
begreaterclarityaroundIAsperformanceassessmentprocessesandthe
escalationprotocolsitadoptstoreportissuesandconcerns(seeFigure2).
Notsurprisingly,surveyresultsindicatethatevaluationandreportingof
deficienciesininternalcontrolscontinuestodominateIAagendas.Additionally,
evaluationandreportingonkeybusinessrisksandmonitoringfraudriskarealso
emergingaskeyprioritiesforIAfunctions.IAfunctionsarealsoincreasingly
focusingonprocessandcontrolimprovements,sharingofbestpracticesand
revenueenhancement/costreductionrecommendationswhichisindicativeofthe
factthatIAfunctionsarenotonlycompliancedrivenbutalsofocusingonvalue
creation(seeFigure3).
Positioning
IAPriorities
No
28%
Yes
72%
Existence of IA charter
Figure 1
KPMGinIndiaandBSE'sInternalAuditSurvey2009
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
10/38
81%
81%
66%
48%
89%
76%
82%
61%
55%
53%
41%
6%
0% 25% 50% 75% 100%
Mission, purpose, and objectives
Access to books and records
Access to the audit committee and C level executives
Escalation protocols
Scope and nature of internal audit work
Independence and objectivity
Communication and reporting
Expectations of the audit committee
Expectations of executive management
Alignment with other risk management functions
Performance assessment
Other
80%
92%
62%
62%
72%
65%
60%
31%
54%
49%
57%
41%
20%
8%
17%
7%
33%
36%
25%
35%
38%
52%
36%
41%
39%
49%
54%
38%
3%
1%
5%
2%
3%
1%
2%
17%
11%
10%
4%
9%
26%
54%
0% 25% 50% 75% 100%
Evaluating and reporting of key risks in business
Evaluating and reporting of deficiencies in internal controls
Evaluating & reporting on risk assessment & management process
Input into development of action plans for identified deficiencies
Monitoring fraud risk
Monitoring resolution of identified deficiencies
Suggesting improvements in internal controls
Support of the external audit process
Performing testing related to the Internal Control Regulation
Sharing of leading practices across the business
Suggesting improvement in process design and operation
Suggesting opportunities for cost reduction or increasing revenues
Development of people for leadership positions
Other
Very Important Somewhat Important Not Important
Major components of IA charter
Activities ranked for importance in meeting expectations and mandate for internal audit
Figure 2
Figure 3
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
3
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
11/38
Originallydevelopedasameansofassisting
organizationswithsafeguardingcorporateassetsand
enforcingcorporatepoliciestopreservebusiness
value,IAisexpandingtonowalsofocusonactivities
thathelptheorganizationcreatebusinessvalue.
InternalAudithasbecomeahighlysophisticated
functionvirtuallyabusinessuntoitself.
Figure 4TheComplianceJourney,KPMGInternational,2004
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
12/38
RecenteventsincorporateIndiahaveputthespotlightonfraudrisk.Audit
committeesareexpectingmorefromIAintheareaoffraudriskassessmentand
monitoring.However,ashortageofspecialistskills,lowlevelofskillsandconfidence
intheuseoftechnologyandanalyticsandtherelativelackofindependenceforIAare
factorsimpedingIAeffectivenessinfraudriskmonitoring.
Overhalfoftherespondents(56percent)(seeFigure5)indicatedthatIAhastheprimaryresponsibilityforfraudriskassessmentandmonitoring.Itisalso
somewhatdisconcertingthat41percentofthesurveyrespondentshave
indicatedthatIAeitherdoesnotfocusonfraudriskorIAconductsinvestigations
concerningfraudsonlyifrequiredbythemanagement
IncreasedexpectationsofIAinrespectoffraudriskassessmentandmonitoring
emphasizestheneedforgreaterindependencetoIA.IAindependenceisvitalto
developtheconfidencethatIAwillreportsuspiciousseniormanagement
activitiestotheboardand/ortheauditcommittee
ResponsesacrossvariousmodelsofIAfunctions(in-house,co-sourcedand
outsourced)regardingtheuseoftechnologyindicatesthatthereisscopeto
improveauditefficienciesbythedeploymentoftechnologyandanalyticsinthe
auditprocess.Amajority(over60percent)ratedtheircapabilityintheuseof
technologyandanalyticstoberangingfromaveragetopoor(seeFigure6)
Thereisagrowingrealizationthatdataminingtoolsareeffectiveinpreventingor
detectingfraudsinorganizations.However,organizationsaregenerallyslowin
usingdataminingandanalyticstodetecttrendsandpatternswhichcouldyield
thempotentialredflags.Thisisinlargepartattributabletotheshortageof
adequateskillsinthisareawithintheIAfunction.
Positioning
IAfocusonfraudrisk
monitoring
5
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
13/38
Point of View
Continuous Auditing and Continuous Monitoring
TransformingIAandManagementMonitoringtocreatevalue
Theeconomiccrisisclearlydemonstratesthatchangesareoftenfastanddramatic,andthatthereisarealneedformanagementanddirectorstounderstandthevelocityofriskthespeedatwhichanemergingriskcanbemanifestedandhaveacatastrophic
impactonthebusiness.Inthisenvironment,management
shouldassessthecompanyscriticalalignments(strategy,
goals,risks,incentives,performancemeasuresandinternal
controls)onaregular,frequentbasis;annualorsemi-annual
assessmentsmaynotbeadequate.Manyhavebegunto
advancetheireffortsbyimplementingContinuousAuditing
(CA)andContinuousMonitoring(CM)disciplinesaroundtheir
organizationalprocesses,transactions,systems,and
controls.Leveragingproactive,technology-basedapplications
tomanageperformanceandkeyareasofriskandcontrolhasbecomeapracticalandnecessaryalternativetomeetthe
growingneedsoftheorganization.Together,CAandCMoffer
abroadrangeofbenefitsthatcanhelporganizationsadd
valueandimprovebusinessperformance.CA/CMcandeliver
regularinsightintothestatusofcontrolsandtransactions
acrosstheglobalenterprise,enhancingriskandcontroloversightcapabilitythroughmonitoringanddetection.
30% 54% 16%
35% 46% 19%
35% 43% 22%
0% 20% 40% 60% 80% 100%
Outsourced
Co-sourced
Inhouse
Very Good Average Poor
Use of technology / analytics in IA
Figure 6
13%
56%
28%
4%
0% 25% 50% 75%
Internal Audit department does not focus on
fraud risk
Internal Audit department is responsible for
regular assessment and monitoring of fraud risk
Internal audit department only conducts
investigations concerning frauds if
mandated by management
Others
The relationship between IA and fraud risk
Figure 5
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
14/38
ResponsestothesurveyindicatesthatamajorityofIAheadsarereportingto
management.WithIArolesbecomingincreasinglybroadbased,IAsreporting
relationshipanditscommunicationwiththeboard/auditcommitteeneedsto
improveinordertoprovideitwiththeindependenceitneeds.
Lessthanhalfofthesurveyrespondents(47percent)(seeFigure7)saidthatthe
ChiefAuditExecutives(CAE)shouldreporttotheAuditCommittee,therebyindicating
thatinmanyIndiancompanies,managementplaysakeyroleinoversightofthe
InternalAuditfunction.
TheInstituteofInternalAuditors(IIA)recommendsthattheCAEshouldfunctionally
reporttotheauditcommitteeandadministrativelytotheCEO*.
Whom should IA report to? the two schools of thought
OpinionsaredividedintermsofwhomIAshouldreporttointheorganization.There
arethosewhostatethatIAshouldreporttothebusinessheads(CEO,CFO,etc.)
withadottedlinetothechairoftheAuditCommittee.Othersareoftheopinionthat
IAshouldbemadeaccountablesolelytothechairoftheAuditCommittee.The
justificationforthelatteristhatIAsresponsibilitieshaveincreasedmanifoldand
henceIAneedsgreaterindependencetodischargeitsresponsibilities.Thereisalso
theviewthatmanyoftheareasinwhichIAprovidesassurance,fallwithintheCFO's
remit.ReportingtotheCFOcouldcompromiseIAsabilitytoobjectivelyreporton
seniormanagementactivitiestotheauditcommittee.Onewaytoovercomethis
problemisbyhavingtheCAEreporttotheCEO.
Point of View
Enhancing Independence of IA
TheheadofIAshouldhaveclearauthoritytocommunicatedirectlyandontheirinitiativetotheboardandmembersoftheAudit
Committee(AC).Forinstance,headofIAshouldmeetprivatelywiththeboard/ACwithoutthepresenceofmanagement.This
shouldreinforcetheindependenceanddirectnatureofthereportingrelationship
ThereportinglineshouldfacilitateopenanddirectcommunicationswiththeCEO,theseniorexecutivegroupandlinemanagement
Theboard/ACshouldhavethefinalauthoritytoreviewandapprovetheannualauditplan
Theboard/ACshouldalsoreviewtheperformanceoftheheadofIAandtheoverallinternalauditfunctionatleastonceayear,
andapprovethecompensationlevelsforheadofIA.
(*Source:InternalauditsroleineffectivecorporategovernanceKPMGinAustralia;IIAPracticeAdvisory1110-2:ChiefAuditExecutiveReportingLines,December2002)
Positioning
IAsindependence
7
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
15/38
ThosewhoareinfavorofIAreportingtothebusiness,statethatIAismerelyan
extensionofthebusiness,anditistaskedwiththeresponsibilityofmonitoringadequate
checksandbalancesoverbusinessactivities.MakingIA'sreportingprocessindependent
fromthebusinesscouldalsoresultinIAbeingconsideredasanoutsiderandtherefore
notbeingproperlyengagedbythebusinessinprocessandcontrolimprovement
initiatives.Besidestheabove,thereisalsothequestionastowhetherauditcommittees
areequippedtohandletheadditionalresponsibilitiesassociatedwiththeoversightofIA
(i.e.whetheranon-executivedirectorshouldbeaccountableforanexecutivefunction
unlessthereisanexecutivelayerinbetween)
GiventheprosandconsassociatedwithbothschoolsofthoughtandregardlessofIAs
reporting,IAsaccessibilitytotheauditcommitteeandcreatingtherightclimateforopen
andtransparentcommunicationbetweentheCAEandthechairoftheauditcommittee
isextremelyimportant.Inthiscontext,privatesessionsorexecutivesessionswhichare
facetofacemeetingsbetweentheauditcommitteechair
andtheCAE,supportedbyproperagendas,executive
summariesanddetailedfindingsreportareinvogue.Ata
minimum,executivesessionstakeplacepriortoeachaudit
committeemeeting.ThesemeetingsprovideboththeCAE
andtheauditcommitteechairwithanopportunitytoshare
eachothersconcernsandviewsonwhatisgoingoninthe
business.Inbetweenformalsessions,CAEsshouldalso
havetheflexibilityofraisingissuesinformallywiththeaudit
committeechairifthereisareallyburningissuethatsimply
cannotwaituntilthenextformalmeeting.
47%
18%17%
2%
17%
0%
25%
50%
75%
Audit Committee Chief Executive
Officer
Chief Financial
Officer
Legal / General
Counsel or Chief
Risk Officer
Other
Figure 7
Who should the Chief Audit Executive report to?
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
16/38
AmajorityoftheIndiancompaniesbelievethatthecurrentfinancialcrisishasnothad
amajorimpactonIAfundinganditsactivities.
Eightythreepercentoftherespondentshaveindicatedthattheircurrentbudgetsand
workforceareadequateinrelationtotheirrequirementsforIAcoverageand
executionoftheIAplan(seeFigure8).
Positioning
IAfunding
Yes, 83% No, 17%
0% 25% 50% 75% 100%
Figure 8
Is the budget and workforce available to IA sufficient
in providing adequate coverage?
9
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
17/38
1
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
18/38
People
Withitsincreasedfocusonvaluecreation,internal
auditwillneedtoacquirenewskillsbytrainingand
hiringnewtalent,orsourcingfromoutsideservice
providers.Newskillsthatmayberequiredinclude
strategicoperationalknowledge(supplychain,
sharedservicesoroutsourcing),cross-cultural
trainingforglobalorganizations,knowledgeof
emergingmarkets,riskmanagementand
evaluation,dataanalytics,fraud,andmore.
MichaelJ.Nolan,HeadIARCS,KPMGInUS
EdwardF.Smith,KPMGsAuditCommitteeInstitute
Source:FindingNewValueinInternalAudit,2008
11
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
19/38
IAstaffingandskillsetsareproficientingeneralauditingandtraditionaloversight
areassuchasfinancialreporting.Inareasrequiringspecialistskills,talentacquisition
andretentionposeasignificantchallenge.
IAskillsetsareconsideredverygoodtogoodinareassuchasfinancialreporting
andaccounting,internalauditstandards,operationalauditing,legalandregulatory
complianceandprocessimprovement.Incomplexandspecialistareassuchas
businesscontinuity,jointventure/licensing,environmental/sustainability,
engineeringandmergerandacquisitiontransactions,IAskillsetsrangefrom
averagetopoor(seeFigure10).TherelativeabsenceofIT,forensicspecialistsand
engineersisachallengethatIAfunctionsneedtoovercome.
LackofdefinedcompetencymodelsandlearningmapsforIAprofessionalsis
citedasthemainchallengeintermsofdevelopingIAskillsets.Thisindicatesthat
organizationsneedtoworktowardsmappingskillsrequiredtodelivereffectiveIA
engagementstotheskillsthatarepresentinthefunctionanddevelopa
frameworkforenhancingandre-toolingIAskillsets.Inadequateallocationoftime
toIAtraining,qualityofIAtrainingprogramsandabsenceofdefinedcareer
progressionareallcitedbyrespondentsastheotherreasonsforIAsinabilityto
developandretainspecialistskills(seeFigure11).
Sixtyninepercentofthesurveyrespondentsindicatedthattheydidnothavea
formalprogramtorotateprofessionalsinthebusinessthroughtheIAfunction
(seeFigure9).ThishighlightsthatthereisaneedtopositionIAjobsmore
positivelywithinorganizationsandIAcareerpathsneedtobeintegratedwiththe
widerorganizationalpeopleprocessesinordertoenhanceIAscompatibility,both
technicallyandculturally.
People
IAtalentmanagement
1
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
20/38
No
69%
Yes
31%
Wherequalityisgood/verygood
1Financialreportingand
accounting
2Compliancewithinternalaudit
standards
3 Operationalauditing
4Legalandregulatory
compliance
5 Processimprovement
Wherequalityisaverage
1 Informationsystems
2Useoftechnologyand
analytics
3Fraudpreventionand
detection
4 Enterpriseriskmanagement
5 Distribution/supplychain
Wherequalityispoor
1 JointVenture/Licensing
2 Environmental/Sustainability
3 Engineering
4Mergersandacquisitions
transactions
5 Businesscontinuityplanning
Quality of experience and technical skills in the Internal Audit function to provide coverage of
risk areas requiring specialist skills
Key challenges in developing the skills of your existing Internal Audit function?
Lack of defined competency models and learning maps 39%
34%
31%
25%
7%
24%
0% 25% 50%
Lack of appropriate training materials / programs
Lack of time to dedicate to training
Lack of defined career progression
Other
Not applicable
Figure 9
Figure 10
Figure 11
Existence of a formal program to rotate professionals
in the business through Internal Audit
13
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
21/38
Point of View
Overcoming the people challenge
ToattracttalentedpeopleinIA,thefirstthingthatneedstohappenistohaveastrongleaderatthehelm.
QualitiesthatanIAleadershouldpossess: Heorsheshouldbesomeonewhoisindependentminded,hasstronginter-personalskills,agoodunderstandingofbusiness
needsandtheabilitytobuildrelationshipsbothwithinandoutsidethefunction
ManyorganizationsarenowlookingtoCAEcandidateswhohavehandledseniorpositionsinbusinesseitherwithinoroutside
theorganization
PeopleskillsareconsideredveryimportantinthecontextoftheCAEbeingabletoattractgoodpeopleandalsobeingableto
developrelationsandwintheconfidenceofstakeholders.
GiventheimportanceoftheIAfunction,boththeauditcommitteechairmanandCEOshouldbeinvolvedintheselectionofthe
CAE.
Attracting the best people to IA some key aspects to consider BecauseIAjobsareconsideredresponsibilityoriented,itisimportanttoeffectivelycommunicateIAsimportanceandposition
IAjobsasopportunitiestogainanin-depthunderstandingofkeyorganizationalrisksandprocesses
CAEsshouldtakeapersonalinterestingroomingandmotivatingtalentedpeopleinIA.Enhancingskillsetsthroughperiodic
formalandinformaltrainingisakeystepthatCAEswillneedtogetinvolvedwith
AuditcommitteechairsintheWestareengagingwiththeirCAEstodiscussaboutIAskills,trainingprograms,careerdevelopment
andsuccessionplanning.ThesearemeasuresthatarebeingusedbytheauditcommitteestoevaluatetheperformanceoftheCAE
IAjobsshouldbepositionedasavitalstepincareerprogression.Overthelongerterm,IAsroleinsuccessionplanningwithin
theorganisationisimportanti.e.IAshoulddemonstratethatithashelpedgroomanddevelopbusinessleaders.
StaffrotationprogramsinvolvingrotationofbusinessmangerstotheIAfunctioncanplayanimportantroleinmeetingsomeofthe
challengesrelatingtodevelopmentofskills.Suchprogramsofferdualbenefitssuchas:
BusinessmanagershelpincreasetheIAfunctionsoverallknowledgeofbusinessoperations
Businessmanagersdevelopaholisticunderstandingoforganizationalprocessesandemergingrisksandshouldalsobeableto
applyIAdisciplinesaroundrisksandcontrolstobusinessoperations.
Todoathoroughjob,theteamshouldinclude
engineersandeconomistsapartfromthe
financialexperts
1
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
22/38
Completionofauditplanisachallengewithatleast25percentoftherespondents
completinglessthan80percentofthetheirauditplanoverthepasttwoyears.
IAfunctionsthathaveaco-sourcedmodelaregenerallybetteratexecutingover80
percentoftheauditplanascomparedtothosethathaveanoutsourced/in-house
model(seeFigure13).Areasonforthisisthataco-sourcedmodelcombinestheskill
setsofanoutsourcedproviderwiththeknowledgeofoperationsandcompany
processesofanin-houseIAfunction.AmongstthoseIAfunctionsthathavean
outsourcedmodel,surveyrespondentshaveindicatedthattimeandproject
managementarethekeychallengestocompletingtheauditplan.However,amongst
thoseIAfunctionsthathaveaco-sourced/in-housemodel,assignmentofresources
toprojectsnotpartoftheIAplanwascitedasthemainchallengeincompletingthe
auditplan(seeFigure14).Factorssuchasinadequatesupportfromauditeefunctions
andauditeenon-readinessarestillbeingcitedasconcernsbythesurveyrespondents
incompletingtheauditplan.ThisreinforcestheneedforbetterindependenceforIA
andfrequentinteractionsbetweentheCAEandCEO/boardandauditcommittee
chairshouldhelpalleviateinovercomingthesechallenges.
People
ExecutionoftheIAplan
27%
33%
22%
8%
4% 4%2%
26% 26%
18%
15%
7%
3%5%
0%
10%
20%
30%
40%
100% 90-99% 80-89% 70-79% 60-69% 50-59% Less than 50%
Prior Year % Two Years Ago %
Extent of audit plan completion over the past two years
Figure 12
15
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
23/38
32%
46%
22%
27%
52%
22%
0%
10%
20%
30%
40%
50%
60%
Outsourced Model Co-sourced Model Inhouse Model
Prior Year % Two Years Ago %
33%
23%
26%
28%
17%
15%
49%
44%
46%
50%
42%
41%
18%
34%
28%
22%
41%
45%
0% 25% 50% 75% 100%
Allocation of IA resources to projects not in IA plan
Workforce below the required levels
Difficulties in obtaining specialised skills
Issues related to managing time and IA projects
Inadequate support from auditee functions
Auditee non-readiness
Very Challenging Somewhat Challenging Minimal Challenge
Extent of audit plan completion over the past two years
Nature and degree of key challenges faced in completing the audit plan
Figure 13
Figure 14
1
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
24/38
Sourcingparametersthattakeaccountofstakeholderexpectations,theorganizational
cultureandtheriskprofileneedtobeclearlyidentifiedtoovercomeIAchallenges
relatingtoappropriateriskcoverage,adequacyofspecializedskillsandIAplan
execution.
Whilecompliance/regulatoryaspectsareexpectedtocontinuetooccupyIA
resourcesandpriorities,overthenextonetotwoyears,processimprovements
andfraudrisksarealsoareaswhichareexpectedtovieforIAresources(see
Figure15).TheAuditCommitteeJourneysurvey(Nov08-Feb09)conducted
jointlybyKPMGsAuditCommitteeInstitute(ACI)andtheNationalAssociationof
CorporateDirectors(NACD),whichincludedauditcommitteemembersfrom
Indiancompanieshashighlightedthatauditcommitteemembersareleast
confidentabouthowthecompanyisaddressingITrisk,fraudriskandother
significantrisksfacingthebusiness,andthe
waytheyaremonitored.Thefindingsofthis
globalsurveyalsoconfirmthatthereare
issuesaroundtheadequacyofspecialist
skillsincomplexareas.
Theneedforoperationalandtechnical
skillswithinIAcoupledwiththe
challengesfacedincompletingtheaudit
plansexplainswhyanoverwhelming
77percentofthesurveyrespondents
saidthattheyusedthirdpartyservice
providersforstaffingtheIAfunction
(seeFigure16).While30percentof
respondentshadcompletelyoutsourced
theirIAfunctions,anequalnumberhad
hiredexternalpartiesforobtaining
accesstospecializedITskillsandfor
achievingcompliancerequirements
(Clause49).
35%
38%
51%
40%
8%
57%
72%
22%
83%
4%
0% 30% 60% 90%
Major programs risk (IT,
construction, etc.)
Contract risk
Information security
IT risk
Mergers and acquisition risk
Fraud
Process Improvement
Tax risk
Compliance / Regulatory
Other
People
Sourcingchallenges
Allocation of IA time and resources over the next 1-2 years
Figure 15
17
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
25/38
Point of View
The changing IA landscape and its impact on sourcing?
Withpressuremountingtodelivermoreandinordertocometotermswithskill
gaps,internalauditisundoubtedlyatacrossroadsinitsevolution.
Theever-growingneedforspecialistresourcesmeansthatIAqualifiesasaprime
candidateforstrategicsourcing.Inaneconomicslowdown,whencost,efficiency,
andflexibilityareparamountcompaniesareincreasinglysourcingfunctionsoutside
theircorecompetenciesasawayofreducingcosts,freeingupcapital,achieving
greaterflexibilitytorespondtorapidlychangingbusinessconditions,andenhancing
theirabilitytofocusonwhattheydowell.
Inadditiontogainingaccesstostrategicskillsandhelpingmanagecosts,IAsourcing
arrangementsalsooffercompaniesaccesstoglobalresources,leading
methodologiesandpractices.
Itistypicallynotsoeasyfororganizationstoenterintotherightsourcing
arrangement.Executivesshouldbesuretocompletetheassessmentphasebeforemovingtotheselectionphase.Thefollowingaspectsshouldbeconsideredwhile
assessingtheprovidersofIA:
Accesstoresourceswiththerightspecializedskills
Culturalcompatibility
InternalAuditsourcingexperienceinsame/similarindustry
Knowledgesharingcapabilitiesrelatedtointernalauditandriskmanagement
Globalreachtothecountries/regionsthatalignwiththeorganization
Yes
77%
No
23%
AchievingleadingIA
capabilitiesrequiresa
significantlevelof
investmentinskilled
resources,methods,training,careerpaths
andtechnical
infrastructure.
Maintainingthose
capabilitiesrequiresa
sustainedlevelof
investmentinboth
goodandchallengingeconomictimes
Use of third-party service providers
by the IA function
Figure 16
1
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
26/38
Processes
Traditionally,IAinIndiawasasupplementtostatutory
audit,veryoftenpreemptingthetestsandchecksthey
wouldperformtohelpensureintegrityoffinancial
reporting.Howeveroverthepastdecade,thefocushas
broadenedtoincludeinternalcontrolsoveroperational
andsupportprocesseswhichmaynothaveany
implicationonfinancialreporting.Maturecompanieshave
beguntoadopta
risk-basedapproach,whereintheeffortoftheIAfunction
isfocusedonthemoresignificantandprobablerisks.
InternalAuditshouldbecapableofanticipatingemerging
risks,andtakingtheinitiativetoadjustauditplansand
activitiesaschangesinthebusiness,thecontrol
environment,andtheeconomicenvironmentoccur.
19
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
27/38
ThereisstillsomewaytogoinmakingIAplansriskbased.EvenwhereIAfunctions
dohavearisk-basedplan,IAneedstoovercomethechallengeofaligningitsrisk
assessmentswiththeenterprise-wideviewofrisks.
OnewouldhaveexpectedavastmajorityofIndiancompaniestohaveadopteda
riskapproachtoIA.However,32percentofsurveyrespondentsindicatedthat
theirIAfunctionsdonotperformariskassessment(seeFigure17).Thisindicates
thatthereisstillsomewaytogoinmakingIAplansriskbased.
Insomeways,thesurveyresultsactuallymirrortheviewsthatcametothefore
duringKPMGspolloncorporategovernanceinIndia(Dec08-Jan09)andthe
globalauditcommitteemembersurvey(TheAuditCommitteeJourney,Nov08-
Feb09)whichhighlightedthatthequalityofriskmanagementisakeyconcern.
Mostboardsarestrugglingtounderstandtheadequacyofmanagementsrisk
managementprocesses,thelinkageofstrategiestorisksandtheirorganizations
processestoidentifyandrespondtoemergingrisks.Thisisreflectedbythefact
thatstrategicrisksarecoveredinonly46percentofIAriskassessments(see
Figure20).
ManyIndiancompanieshaveimplementedriskmanagementandinternalcontrol
systemsinresponsetothemandatoryrequirementsunderClause49(Amended)
oftheSEBIlistingagreement.Itisprobablytruethatinanumberofcases,risk
assessmentsarecarriedoutwithacompliancemindset.InanumberofIndian
companies,thefrequencyofriskassessmentisannualandIAoftendrivesthe
riskassessmentprocessacrosstheorganization.DespiteIAriskassessments
seekingactivemanagementparticipationandhavinganenterprise-widecoverage,
62percentoftherespondentshaveindicatedthatIAriskassessmentsareonlysomewhatalignedtotheenterprisewideviewofrisks(seeFigure18).Thismis-
alignmentmaybeattributedtothefactthatriskthinkingisyettobefully
embeddedintheorganizationalprocessesleadingtoalackofclarityaroundrisk
ownership.IAlackingsufficientexperienceandknowledgeofkeybusinessrisks
hasfurthercontributedtothismis-alignment.
Processes
IAriskassessments
Veryoftenrisk
managementis
viewedasasenior
managementor
internalauditdomainandthisiswherethe
problemlies.The
challengeliesin
embeddingrisk
thinkingwithinthe
rankandfileofthe
organization
2
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
28/38
8%
54%
38%
Well aligned and strong interaction with proactive sharing of risk and control information
Somewhat aligned and some interaction and sharing of risk and control information on request
Not aligned and limited interaction with no sharing of risk and control information
85%
53%
68%
65%
23%
0% 30% 60% 90%
Enterprise-wide coverage
Input from other risk management
functions
Active participation by executive
management
Active participation by business unit
management
Active participation by external audit
46%
81%87%
90%
18%
0%
25%
50%
75%
100%
Strategic Financial
Reporting
Operational Compliance Others
Yes
68%
No
32%
Formal risk assessment performed
by the IA department
Extent of alignment of IA risk assessment with enterprise
wide view of risk
Figure 17
Participation in the risk assessment process Nature of risks covered by IAs risk assessment
Figure 19
Figure 20
Figure 18
21
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
29/38
Point of View
Is IA prepared for a paradigm shift in its objective?
Expectations from IA are changing
AuditcommitteesarenolongersatisfiedifIAmerelyprovidesassuranceonthe
effectivenessofinternalcontrolsbasedonanannualauditplanandriskassessment.
AuditcommitteestodayexpectIAfunctionstoevaluatetheeffectivenessofthe
enterprisewideriskmanagementprocessesandalsoexpectIAtobringinformation
tothemonemergingrisks.AuditcommitteesaremoreconcernedifIAperceptionsof
keyrisksarenotalignedwiththebusinessviewsresultinginthelackofaholistic
viewonkeyrisks.TheimportantquestionthoughisIsIApreparedforthischangein
itsobjective?
Making the transition
ToenableIAtotransitioneffectively,itisimportanttoembedriskthinkingandrisk
assessmentpracticeswithinbusinessunitsaspartofthebusinessplanningand
strategyprocess.OwnershipforriskmanagementshouldrestwithinthebusinessunitsandtheCEOshoulddrivethischangewithintheorganizationbyraisingthe
profileofriskmanagement.Transferringriskmanagementownershiptothebusiness
shouldresultingreaterclarityaroundrisksandfacilitateconvergenceofthetop-down
andbottomsupviewonrisks.ThiswouldalsoenableIAtoindependentlyevaluate
theeffectivenessofthemanagementsriskmanagementprocesses.
2
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
30/38
Point of View
The Institute of Chartered Accountants of Indias (ICAI) guide
on Risk Based Internal Audit (RBIA)
Asitsprimaryactivity,internalauditingshouldheadtowardspromotingrisk
managementinanorganizationandadoptaRiskBasedInternalAudit(RBIA)methodologythatprovidesanassuranceonthemanagementofrisksasagainstan
assuranceoncontrolprocessesundertraditionalmethodology.
Themeasuringyardstickformanagingrisksistheriskappetiteaslaiddownbythe
Board.Itmaybenotedthatonlythoseorganizationsthatarereasonably
risk maturedwouldbeauditableunderRBIAmethodology.
InRBIA,IAreviewsthemanagement'sriskassessmentprocesstoconcludewhether
torelyonitornot.Iftheriskassessmentisreliable,theinternalauditorconcludes
theauditplanasperthemanagementsriskassessment.
Certainfactorsthatinternalauditmayuseindeterminingriskmaturityaresetout
below:
Definedprocessestoidentifyandassessrisks
Riskresponsesareidentified,documentedandthereisclarityonownershipand
actions
Riskappetiteisdefinedatbothagross(inherent)andnet(residual)level
Managementhassetupprocessestomonitorcontrols/actions,reviewresults,
andreportonthemtotheBoardandexecutivemanagement
Thereareprocessesinplacetoidentifyandassessemergingrisksthatarisefrom
strategicchangesandupdatethemintheriskregisters
Managersprovideassuranceontheeffectivenessoftheirriskmanagement
Managersareassessedontheirriskmanagementperformance
Wheretheriskassessmentisnotreliable,internalauditcannotproceedunderthe
RBIAmethodology.Ithastoadopttraditionalinternalauditandcarryoutrisk
assessmentalongwithmanagementtoidentifysignificantriskstobeincludedinthe
auditplan.
Riskspertainingto
thecompanyare
identifiedbythe
managementby
adoptingaconsistententerprisewide
processandclassified
intocritical,high,
moderateandlow
categories.These
risksarethen
assessedperiodically
bytheconcerned
processownersand
reviewedbytherisk
management
committee.IAsroleis
tomonitorthecontrol
measuresand
mitigationplansthroughperiodic
evaluationofERM
23
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
31/38
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
32/38
14%
21%
40%
27%
48%
29%
29%
3%
0% 20% 40% 60%
Not applicable
Full ownership for the program
Full responsibility for testing of controls
Testing of high-risk controls only
Review of process documentation and
process owners
control testing completed by business
Internal control training for business
process owners
Implementation of control self
assessment
None
52%
54%
61%
57%
0% 25% 50% 75%
Providing assurance to CFO on
internal controls operation
Supporting internal audit efforts in
Controls testing
Embedding controls consciousness
within the organization
Providing a basis for management
to identify and deal with controlviolation and deficiencies
Point of View
A perspective on how globally many companies achieved sustainable compliance
CompanieslistedintheUSstockexchangesarerequiredtocomplywithSection404oftheSarbanesOxleyActof2002(SOX).In
theinitialyearsofcomplyingwiththisregulation(2005and2006),manyorganizationsincurredhugecostsastheydeployed
externalresourcesandre-directedtheirIAresourcestowardsSOXtesting.Infact,inmanycompanies,IAbecamemorefocused
onfinancialreportingrisksatthecostofoverlookingsomeoftheoperatingandstrategicrisks.
Someofthebiggestorganizationsrealizedveryquicklythatthismethodofachievingcompliancewasflawedandunsustainable.
Thistrendalsobroughtabouttherealizationthattooptimizecompliancecostsinthelongrun,itwasessentialtoembedcontrols
consciousnesswithinthebusinessandgraduallydecreasethedependenceonexternalandIAresources.Againstthisbackground,
manyorganizationssuccessfullyimplementedCSAandreducedtheircostsofcompliancetosustainablelevels.Thisalsomeantthatorganizationscouldre-directandre-toolIAresourcestofocusonthekeybusinessrisksthatmatter.
CSAoffersseveraladvantagestoanorganizationsuchas:
1.Achievingreductionincostsofcontrolandcompliancebyreducingadd-ontestingefforts
2.Aligningcontrolstestingeffortsandresourcestoriskprofile
3.Embeddingcontrolsconsciousnesswithinthebusiness
4.PrioritizingIAinvolvementincontrolstestingbyfocusingonkeycontrolsinhighriskareasandrelyingonbusinesstestingin
lowriskareas/lesscomplexareas
5.EnablingIAtofreeupresources,tofocusonprovidingrobustriskassurance.
Role of the IA function in helping the organization comply Internal
Control Regulations (SOX/ Clause 49, etc.)
Purpose of Control Self Assessment
Figure 22
Figure 23
25
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
33/38
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
34/38
74%
19%
6%0%
25%
50%
75%
Within the last year One to two years ago Over two years ago
60%
68%
81%
77%
39%
3%
0% 25% 50% 75%
Documenting expectations prior to audit
Focusing audit on the key business risks
Regular communications
during audit
Audit closing meeting to
measure achievement of expectations
Post audit survey
Other
No
39%Yes
61%
Is an independent review carried out prior to issu-
ing the Internal Audit report?
Figure 25
Indicate when the last external quality assessment
review was performed
Methods used by IA to ensure service delivery quality and auditee satisfaction
Figure 27
Figure 28
Yes
31%
No
69%
Does Internal Audit undergo an external quality
assessment review?
Figure 26
27
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009 KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
35/38
84%
46%
86%
38%
17%
46%
29%
11%
50%
60%
32%
3%
0% 25% 50% 75% 100%
Completed audits in comparison to the audit plan
Length of time for issuing audit reports
Significance of audit findings and recommendations
Length of time to resolve audit findings
Budget in comparison to actual hours per audit
Revenue enhancement, savings or
cost reductions identified
Results from auditee surveys
Results from other stakeholders surveys
Percentage of recommendations implemented
Process improvement recommendations
Support of key business initiatives
Other
Point of View
Levers for improving IA effectiveness
Meetingthechallengesinvolvedintheareaofauditqualityandenhancingauditefficiencyrequiresadoptionofqualitystandards
andperformancemeasures.Someimprovementleversinclude:
Developmentofstandardizedworkingpapers,documentationrequirementsandreportingformats
Ongoingsupervisionofauditsandotherprojectsandregularreviewofworkingpapers
Usageofsoftwaretoolsfordataanalysis,automationofauditdocumentation,issuetrackingandresolution
IndependentreviewofinternalauditreportsandtheirapprovalbyCAE
Surveyingorobtainingfeedbackfromstakeholdersoncompletionofauditandotherprojects
DefiningperformancemeasuresandtrackingandreportingofIAsperformanceagainstsuchmeasures.
Itiscrucialtoestablishawelldefinedqualityassuranceprogramthatincludesamixofinternalandexternalqualityassessmentsto
assessthequalityofIAsperformance,itsefficiencyandeffectivenessinmeetingtheneedsofitsstakeholders.
AccordingtotheIIA*,internalassessmentshouldbeperformedthroughongoingmonitoringofIAperformanceandperiodic
reviewsperformedthroughself-assessmentorbyotherpersonswithintheorganizationwithsufficientknowledgeofinternalaudit
practices.Externalassessmentsmustbeconductedatleastonceeveryfiveyearsbyaqualified,independentreviewerorreview
teamfromoutsidetheorganization.
Moreover,havingregularexecutivesessionsbetweentheauditcommitteeandtheCAE(orequivalent)canfacilitateafrankand
openendeddiscussionaboutconcernsandexpectationswhichinturncanalsoaidinarobustperformancemeasurementoftheIA
functionbytheauditcommittee.
Metrics used to measure Internal Audit effectiveness
Figure 29
2
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
*IIA-QualityAssessmentManual,5thedition
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
36/38
Clearlythereisscopeforenhancingcoverageofinternationaloperationsknowledge
oflocallawsandregulationsandemergingriskissuesposethebiggestchallengein
coverageofinternationaloperations.
While15percentoftherespondentsdidnotcoverinternationaloperationsintheir
auditplan,52percentoftherespondentsweresomewhatornotsatisfiedwith
theircoverageofinternationaloperations(seeFigure30)
Knowledgeoflocallaws/regulations(73percent),knowledgeofemergingrisk
issues(47percent)anduseofastandardizedmethodology(32percent)were
citedasthemajorchallengesfacedbyrespondentsinconductingauditsfor
internationaloperations(seeFigure31).
Processes
Internationaloperations
14%
43%
9%
18%
15%
0% 5% 10% 15% 20% 25% 30% 35% 40% 45%
Highly satisfied
Somewhat satisfied
Not satisfied
No international operations
International operationsnot covered in audit plan
31%
16%
28%
32%
73%
47%
0%
20%
40%
60%
80% Language and culture
Use of standardized
methodology (quality
challenges)
Knowledge of local laws /
regulations
Knowledge of emerging risk
issues
Travel time and cost
Other
How satisfied are you with the risk coverage of international operations?
Major challenges faced in conducting audits for international operation.
Figure 30
Figure 31
29
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
KPMGinIndiaandBSE'sInternalAuditSurvey2009
KPMGinIndiaandBSE'sInternalAuditSurvey2009
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
37/38
KPMG in India
KPMGistheglobalnetworkofprofessionalservicesfirmswhoseaimistoturn
understandingofinformation,industries,andbusinesstrendsintovalue.
InIndiathefirmoperatesfromitsofficesinMumbai,Pune,Delhi,Kolkata,Chennai,
BangaloreandHyderabad,andoffersitsclientsafullrangeofservices,including
financialandbusinessadvisory,taxandregulatory,andriskadvisoryservices.
TheIndianmemberfirmsaffiliatedwithKPMGInternationalwereestablishedin
September1993.Asmembersofacohesivebusinessunittheyrespondtoaclient
serviceenvironmentbyleveragingtheresourcesofaglobalnetworkoffirms,
providingdetailedknowledgeoflocallaws,regulations,marketsandcompetition.We
provideservicestoover2,000internationalandnationalclients,inIndia.KPMGhas
officesinIndiainMumbai,Delhi,Bangalore,Chennai,Hyderabad,KolkataandPune.
ThefirmsinIndiahaveaccesstomorethan3000Indianandexpatriateprofessionals,
manyofwhomareinternationallytrained.Westrivetoproviderapid,performance-
based,industry-focusedandtechnology-enabledservices,whichreflectashared
knowledgeofglobalandlocalindustriesandourexperienceoftheIndianbusiness
environment.
Bombay Stock Exchange (BSE)
BombayStockExchangeistheoldeststockExchangeinAsiaandhasplayedapre-
eminentroleinthedevelopmentoftheIndiancapitalmarket.EarlieranAssociation
OfPersons(AOP),BSEisnowacorporatisedanddemutualisedentity,withtwo
leadingglobalExchanges,DeutscheBrseandSingaporeExchange,asitsstrategic
partners.
BSEprovidesanefficientandtransparentmarketfortradinginequity,debt
instrumentsandderivatives.Italsoprovidesahostofotherservicestocapital
marketparticipantsincludingriskmanagement,clearing,settlement,marketdata
servicesandtraining.Ithasaglobalreachwithcustomersaroundtheworldanda
nation-widepresence.BSEsystemsandprocessesaredesignedtosafeguard
marketintegrity,supportthegrowthofthemarketinIndia,andstimulateinnovation
andcompetitionacrossallmarketsegments.
Aboutthesponsors
3
2009KPMG,anIndianPartnershipandamemberfirmoftheKPMGnetworkofindependentmemberfirmsaffiliatedwithKPMGInternational,aSwisscooperative.Allrightsres
8/9/2019 IA ResearchC Users Varun AppData Local Temp Nps34D6
38/38
in.kpmg.com
KPMG in India
Mumbai
KPMG House, Kamala Mills Compound
448, Senapati Bapat Marg,Lower Parel, Mumbai 400 013
Tel: +91 22 3989 6000
Fax: +91 22 3983 6000
Delhi
Building No. 10, 8th Floor
Tower B, DLF Cyber City
Phase ll, Gurgaon
Haryana 122 002
Tel: +91 0124 307 4000
Fax: +91 0124 307 4300
Pune
703, Godrej Castlemaine
Bund Garden
Pune - 411 001
Tel: +91 20 3058 5764/65
Fax: +91 20 3058 5775
Bangalore
Maruthi Info-Tech Centre
11-12/1, Inner Ring Road
Koramangala, Bangalore 560 071
Tel: +91 80 3980 6000
Fax: +91 80 3980 6999
ChennaiNo.10, Mahatma Gandhi Road
Nungambakkam
Chennai - 600034
Tel: +91 44 3914 5000
Fax: +91 44 3914 5999
Hyderabad
8-2-618/2
Reliance Humsafar, 4th FloorRoad No.11, Banjara Hills
Hyderabad - 500 034
Tel: +91 40 3046 5000
Fax: +91 40 3046 5299
Kolkata
Infinity Benchmark, Plot No. G-1
10th Floor, Block EP & GP, Sector V
Salt Lake City, Kolkata 700 091
Tel: +91 33 44034000
Fax: +91 33 44034199
Kochi
4/F, Palal Towers
M. G. Road, Ravipuram,
Kochi 682 016
Tel: +91 484 309 4120
Fax: +91 484 309 4121
KPMG Contacts
Neville M. Dumasia
Executive Director and
Head - Governance, Risk and Compliance ServicTel: +91 22 3983 6402
e-Mail: [email protected]
Romal Shetty
Executive Director
Governance, Risk and Compliance Services
Tel: +91 80 3065 4100
e-Mail: [email protected]
Raman Sobti
Executive Director
Governance, Risk and Compliance Services
Tel: +91 124 407 3801
e-Mail: [email protected]
Raajeev Batra
Executive Director
Governance, Risk and Compliance Services
Tel: +91 22 3983 6404
e-Mail: [email protected]