Deloitte SA Blog

Icon

Is your internal audit model giving you value?

internal audit

The issue of out-sourcing, co-sourcing or in-house

As a CEO or Board member, do you ever ask yourself:

  • Are we getting valuable information and insights from our investment in Internal Audit?
  • Does our Internal Audit team have the skills and experience needed to address the risks in our business before they become a problem?
  • How can we better manage internal audit costs?
  • Is it possible to shift from a fixed to a more variable cost structure?

Today’s dynamic business environment requires internal auditors to have a strategic orientation and to provide value and insights beyond the traditional assurance and compliance perspective.  For internal auditors to deliver on their mandate and meet the expectations of CEO’s and Boards, they need broader skill sets and the ability to add  the most value and the flexibility to properly respond to changes caused by internal and external factors.

Questions to consider when you make your decision:

Factors to consider   in sourcing Internal Audit Your in-house   internal audit team Outsourced/Co-sourced   internal audit
Flexibility You are understaffed during “crunch time”. During peak periods, gain access to additional staff.
Multidisciplinary   knowledge The skills required to execute   speciality audits may not reside in-house. Access to depth and   breadth to resources to bring the right mix of skills for each audit.
Insight Staff may lack the   methodology and tools to readily identify and mitigate risk. Access to proven   methodologies, tools and leading practices to help you gain a broader risk   perspective.
Cost In-house costs are fixed and   may be difficult to retain. Pay only for the resources   you need and use.
Tools and   methodologies Staff may lack   access to leading practices and automated tools. Deloitte leverages   the latest benchmarking and analytical tools.

Ultimately, when considering different sourcing options, you should consider which model best addresses your organisation’s needs. As with all strategies, there is no “one size fits all” solution, as these will need to be tailored depending on your requirements. The underlying principle guiding organisations to re-evaluate internal audit functions is the need to enhance the value that internal auditors provide, and the fact that the internal audit function is increasingly becoming an advisor to the business and an example of leading practices. These are the principles which CEOs and Board members must demand from their internal auditors.

Contacts

Pramesh Bhana

Director, Risk Advisory

Africa Leader – Governance, Risk and Oversight

Email: pbhana@deloitte.co.za

Tel: +27(0) 11 209 6337

Justine Mazzocco

Partner, Risk Advisory

Email: jmazzocco@deloitte.co.za

Tel: +27 (0)11 806 5395

Improving the relationship between internal audit, management and the audit committee

broken triangle

Deloitte is knowledge partner at the Black Management Forum Annual Conference taking place at Gallagher Estate from 23 – 25 October 2013. You can register for the conference or receive updates from the conference on Twitter using the #BMFConf2013 hashtag.

The Broken Triangle – Improving the relationship between internal audit, management and the audit committee

The disconnect between internal audit, executive management, and the audit committee is nothing new. The broken triangle has existed for decades at many organisations, with varying degrees of severity. But dysfunction that was deemed tolerable in the ’80s, ’90s, and ’00s is unacceptable today.

The stakes — both personal and corporate — have been ratcheted to a new level. Regulators, analysts, stakeholders, and even litigators all have a keen interest in how well this corporate trio, so essential to good governance and effective risk management, works together to protect and propel the organisation.

What are the symptoms of a broken triangle? Financial restatements. Material weaknesses. Regulatory non-compliance. Contentious or ineffectual board meetings. Voluntary and involuntary turnover. Missed earnings. Excessive litigation. Failed partnerships and alliances. Unmitigated risk. And so on. If your organisation exhibits any of these symptoms, you have an obligation to seek a cure. A good place to start may be to examine the structural integrity of the triangle.

Download the full article . . . . Improving the relationship between internal audit, management and the audit committee

If you would like to have a more detailed discussion relating to talent development and retention strategies, contact Dave Kennedy (Service Line Leader – Risk Advisory at Deloitte South Africa) at dkennedy@deloitte.co.za.

We invite you to subscribe to the Deloitte weekly email where we introduce topical Deloitte articles and to join one or more of our groups on LinkedIn

 

How to ensure regulatory compliance by integrating risk advisory and assurance

Ensuring regulatory compliance

Deloitte is a knowledge partner at the Black Management Forum Annual Conference which takes place at Gallagher Estate from the 23rd – 25th October 2013. You can still register for the conference or receive updates from the conference on Twitter on the #BMFConf2013 hashtag.

In an environment where the global economic recession, demise of major financial institutions and changing business landscape has led to stricter regulations in major industries and countries around the world, the word “Regulatory Compliance” has become an all-important language that can make or mar an organisation and its directors.

Organisations are increasingly elevating the processes and structures they need to enhance compliance with regulations. The awareness of existing and new legislation applicable to an organisation as well as the implication of compliance or otherwise with the provision of each piece of legislation is a major focus area for the board.

In achieving effective Compliance Regulatory Management within an organization, the integrated roles of key management functions, mainly Legal, Compliance, Risk and Internal audit must be understood and enabled.

Download the full article . . . . Ensuring Regulatory Compliance – Integrating Risk Advisory and Assurance

If you would like to have a more detailed discussion relating to talent development and retention strategies, contact Dave Kennedy (Service Line Leader – Risk Advisory at Deloitte South Africa) at dkennedy@deloitte.co.za.

We invite you to subscribe to the Deloitte weekly email where we introduce topical Deloitte articles and to join one or more of our groups on LinkedIn

The postdigital grapevine – Social media and the role of internal audit

The role of internal audit

We are pleased to announce the release of a whitepaper entitled Social media and the role of Internal Audit.

With more and more users linking, liking, friending and following, how can Internal Audit (IA) help assess and mitigate risks associated with social business?

This paper discusses the proactive steps IA can take to help address such growing challenges as:

  • Brand and reputation damage
  • Regulatory compliance
  • Information leakage
  • Third-party risk
  • Governance risk

In each of these categories, IA can play a critical role in understanding the potential risks of engaging in social business. IA can also help to monitor and manage threats and strike a balance between risks and opportunities.

To download the whitepaper, click here

We hope that you will find this publication informative and helpful. If you would like to discuss any of these issues in greater detail, please feel free to contact one of our regional leaders listed at the end of the whitepaper.

Who plays the major role in ensuring compliance within your organisation?

In an environment where the global economic recession, demise of major financial institutions and changing business landscape has led to stricter regulations in major industries and countries around the world, the word “Regulatory Compliance” has become an all-important language that can make or mar an organisation and its directors.

Organisations are therefore increasingly elevating the processes and structures they need to enhance compliance with regulations. The awareness of existing and new legislation applicable to an organisation as well as the implication of compliance or otherwise with the provision of each piece of legislation is a major focus area for the board.

In achieving effective Compliance Regulatory Management within an organization, the integrated roles of key management functions; mainly Legal, Compliance, Risk and Internal audit must be understood and enabled.

Legal / Compliance

It is the responsibility of the Legal/Compliance function to stimulate and train the board and management on legislation pertinent to the organisation. The core responsibilities of this function spans across the compilation and maintenance of a “legislative universe” for the organization. New requirements arising from amendments to existing or new legislation should be identified, analysed and communicated to both management and the board.

The Legal/Compliance function should also work with the Risk Management function to undertake the risk prioritization of all applicable pieces of legislation and this should be documented for monitoring purposes in a document called the Compliance Risk Management Plan (“CRMP”). The CRMP should contain key legislation clauses translated into plain language, key issues, impacted area – process, systems and policies, controls, risk exposure, responsible parties and the monitoring plan from business units. The CRMP should be utilized for ongoing monitoring and report-back to both management and the board. This unit should also identify and report any non-compliance issues to the board.

Risk Management

The Risk Management function should support the Compliance Office with the risk rating of the relevant legislation once such legislation becomes operational in the business. A compliance risk register for the regulatory universe, showing both the inherent and residual ratings of each piece of legislation, based on impact and likelihood, should be the product of this process. The penalties – financial, imprisonment, etc – and other business risks associated with key provisions of the legislation should be identified and captured on the compliance risk register as this triggers compliance action on the part of both management and the board.

Business Operational Compliance

Business is responsible for ensuring the implementation of compliance requirements identified by Legal / Compliance. Business units should have their own Business Operational Compliance Officer / Champion who undertakes the operational monitoring of the compliance of business processes to the legislative requirements. Key issues that may arise from compliance requirements should be identified and captured on the CRMP for monitoring and report-back to relevant structures and the board.

Internal Audit

Internal Audit, as the assurance provider, is responsible for reviewing the adequacy and effectiveness of the functioning of controls
implemented by management to ensure compliance with legislative requirements.

In conducting a review of compliance within the organisation, Internal Audit should ask the following questions:

  • What are the pieces of legislation that should be reviewed?
  • What policies and processes have been / are being put in place to cater for compliance requirements?
  • What new systems are being put in place to support and monitor compliance?

From their review, Internal Auditors should be able to provide assurance on the level of compliance or otherwise within the organization, identify non-compliance issues and report this appropriately to the Compliance Officer, management and the board as well as make valuable recommendations that will improve processes and responsibilities around regulatory compliance.

An Internal Auditor is ideally well positioned to assess the adequacy and effectiveness of management’s controls over regulatory compliance; however, some organisations may decide to further upskill their internal auditors on specific compliance areas by requiring them to undergo particular relevant certification programmes.

To conclude

With the current business landscape, where legislation emerges and changes continuously with increasing requirements to keep business on the right track, it is critical for every organisation to implement adequate and effective structures, to embed and ensure a culture of compliance.

Do you require the full version? Here is the article you may download  . . . . Ensuring regulatory compliance

This article was written by Bukkie Adewuyi (Senior Manager: Risk Advisory at Deloitte & Touche Southern Africa). If you have any questions relating to regulatory compliance within your organisation, feel free to contact Bukkie at aadewuyi@deloitte.co.za

The role of internal audit in integrated reporting – A blend of the right ingredients

Deloitte Risk Advisory has produced a paper which discusses the role of internal audit in integrated reporting. I have provided an introduction below and invite you to download the full paper. If you have any questions, you may contact Mark Victor at mvictor@deloitte.co.za.  

The role of internal audit in integrated reporting – A blend of the right ingredients

Businesses today face heightened expectations around their role in society and the world, with profitability being one of many criteria by which performance is measured. Rising in importance is the impact a company has on its stakeholders, society and even the planet.

Integrated reporting, which encompasses elements of traditional financial reporting, sustainability reporting and governance reporting within a single presentation represents a growing trend that reflects these new expectations.

In the absence of a generally accepted framework, companies that wish to move towards integrated reporting may encounter several dilemmas around relevance, scope, assurance and other issues. Deloitte has prepared a paper that explores the role of internal audit in integrated reporting, and how internal audit has – from the perspective of their assurance role – an opportunity to help the business enhance its maturity in terms of enhancing the robustness of the sustainability and integrated reporting process and controls, and through providing recommendations in terms of enhancing the relevance and reliability of the related reports.

Download the paper . . . .  The role of internal audit in integrated reporting

Did you find this useful? We welcome your feedback! Please share with your network!

The broken triangle – Improving the relationship between internal audit, management and the audit committee

The disconnect between internal audit, executive management, and the audit committee is nothing new. The broken triangle has existed for decades at many organizations, with varying degrees of severity. But dysfunction that was deemed tolerable in the ’80s, ’90s, and ’00s is unacceptable today. The stakes — both personal and corporate — have been ratcheted to a new level. Regulators, analysts, stakeholders, and even litigators all have a keen interest in how well this corporate trio, so essential to good governance and effective risk management, works together to protect and propel the organization.

What are the symptoms of a broken triangle? Financial restatements. Material weaknesses. Regulatory noncompliance. Contentious or ineffectual board meetings. Voluntary and involuntary turnover. Missed earnings. Excessive litigation. Failed partnerships and alliances. Unmitigated risk. And so on. If your organization exhibits any of these symptoms, you have an obligation to seek a cure. A good place to start may be to examine the structural integrity of the triangle.

Read the full article . . . . The Broken Triangle

Did you find this useful? Please comment and share with your network

The Risk Intelligent Chief Audit Executive

In today’s environment of complex and multiplying risk, chief audit executives (CAEs) have a unique opportunity to influence multiple fortunes — their company’s, their department’s and their own. For many CAEs in the 21st century, their department bears little resemblance to that of even five years ago. New regulatory pressures, increased scrutiny, accelerating risk, escalating litigation and intensifying competition pose critical challenges for today’s CAE.

The fifth title in our series on Risk Intelligence, this paper provides audit executives with practical guidance that relates directly to the challenges they face daily on a corporate, department and individual level.

Click Here to view the entire paper

Visit the Deloitte Risk Advisory web page

The changing role of internal audit in dealing with financial fraud

As the mandate and role of Internal Audit continues to evolve and grow, management are increasingly depending on Internal Audit functions to monitor, detect and investigate incidences of fraud as and when they arise.

Has the recent recession had impact on organisations’ approach to fraud risk management? Do management increasingly expect that Internal Audit have a wider role to play in this area? Are today’s Internal Auditors suitably equipped to respond to these increased expectations and assess incidences of suspected fraud which occur?

Deloitte’s inaugural Internal Audit Survey sought to ascertain how businesses are being impacted by fraud and explores how the position of Internal Audit may have changed over the past 18 months. We examine the role of the Internal Audit function in preventing and detecting fraud, as well as their appetite and ability to fulfil this role.

The results of this cross-industry survey are based on responses to a number of quantitive questions answered by 75 Heads of Internal Audit during May and June 2010.

Read the full article . . . . The changing role of internal audit in dealing with financial fraud (891.17 KB)

Visit the Deloitte  Risk Advisory home page

Subscribe to our blog

Subscribe to our newsletter

We share topical, role specific thought ware no more than once a week.

  • Click here to subscribe
  • Download our apps

    You can keep up to date with all the thought leadership and insights posted on this blog via our mobile apps.

  • iPad
  • Nokia Ovi
  • iPhone
  • Subscribe to our RSS Feeds

    Our authors

    Meet the Deloitte Thought Leaders who have made this blog possible. You can follow their individual tweeting and get in touch via LinkedIn from this page as well.


    Meet our authors

    Switch to our mobile site