Professional Documents
Culture Documents
The New Head of Internal Audit: First 100 Days As Newly Appointed Chief Audit Executive (CAE)
The New Head of Internal Audit: First 100 Days As Newly Appointed Chief Audit Executive (CAE)
The New Head of Internal Audit: First 100 Days As Newly Appointed Chief Audit Executive (CAE)
Head of
Internal
Audit
First 100 days as newly appointed
Chief Audit Executive (CAE)
kpmg.ch
Editorial
The appointment as the new Head of Internal Audit (IA)
presents an array of exciting prospects and challenges for a
Chief Audit Executive (CAE).
Introduction 4
Closing perspective 20
As the head of an Internal Audit (IA) department one has to lead an
independent department providing assurance to the Board of Directors
(BoD) regarding risk management, control and governance processes.
Introduction
The Audit Committee (AC) of the BoD expects IA to be able to provide With companies navigating through a volatile
meaningful insights and unbiased opinions, which add value and economic landscape, Chief Audit Executives
improve an organization’s operations. The top concerns of ACs are (CAE) face difficult choices when addressing
listed below: the evolving issues and related risk factors of
their organizations. Changing stakeholder
expectations and a new view of risk
management have prompted an important
shift in the role of IA in many organizations.
of defense:
Risk governance
Management. Examples of functions include Risk
Management, Compliance, Legal, Quality Control etc.
Risk Reports to
Day-to-day business operations
1st line Risk identification and assessment,
of defense Feedback
Directors
Board of
Executive Management/
risk management and risk reporting
Risk Committee
Risk Reports to
Strategic management, policy setting
Reports to
2nd line and oversight function
of defense Guidance, monitoring and improvement Feedback
(standard setters)
Feedback
Committee
Risk
Audit
Reports to
3rd line Independent challenge and assurance
of defense (Internal Audit)
From an underperforming
IA function… … to … … an excelling IA function
Individual assurance silos, no Coordinated approach to Single view and understanding of key
coordinated risk perspective understanding key risks risks across the organization
Focus on internal controls (ICoFR) Risk-based assurance across Strategic value creation is actively
assurance and partially on internal operations, financials and compliance incorporated into risk-based auditing
compliance processes
Misaligned skill sets, underleveraged Active talent management within the Operational experience, «skills on
Characteristics
staff, limited career prospects, no organization and continuous demand» including guest auditor and
rotation program development of skill sets rotation programs
Ad hoc use of data analytics (DA) More frequent use of DA to assess Leveraging DA to assess the impact of
processes business strategy; assess effectiveness
and efficiency of processes and
controls; DA incorporated into IA
methodology
Reactive, annual risk assessment Enhanced risk identification and Proactive monitoring of key risk indicators
effective management; ad hoc using DA (e.g. dashboards); forward
response rolling of the strategic audit plan
2. Assessing regulatory and compliance standards relevant for the assurance objective of IA
Recommended
Focus area CAE’s objectives/activities timing
Requirements • Outline the regulatory environment the organization is operating in. 0 – 30 days
• Assert the responsibilities of the organization regarding these requirements.
Risk assessment • Identify the key risks, align assurance level expectations with stakeholders. 0 – 30 days
• Determine the maturity level of risk responses across the organization.
Company-wide • Assess if the compliance requirements of the organization are incorporated 30 – 60 days
implementation into the business processes.
Training and guidance • Assess what awareness training programs are provided within the 30 – 60 days
organization.
Compliance • Conduct independent audit and provide assurance on the maturity level of the 60 – 90 days
Management System CMS to key stakeholders.
(CMS) maturity
Remediation actions • Provide assurance on the corrective actions taken by the organization. Over 90 days
4. U
sing risk • Review the • Establish processe/ • Determine whether • Consolidate and
management Enterprise Risk procedures to there is an align processes to
to define the Management identify, monitor and organization-wide drive efficiency and
strategic IA plan process and align/ incorporate approach to gain positive returns.
benchmark with emerging risks into identification and • Lay an agenda
internationally the risk assessment. monitoring of for all future risk
accepted multiple and cross- management
frameworks (e.g. enterprise risks. strategies, focusing
ISO31000, COSO • Assess if risk on ensuring returns.
ERM). management
processes are
embedded within
each business unit.
5. Assessing the • Identify key • Develop a robust • Ensure the right kind • Conduct regular
expectations of stakeholders and stakeholder strategy of leadership and quality assessments.
stakeholders and assess their and an action plan to direction are • Improve the quality
aligning IA expectations address their provided to staff of audits and their
operations regarding assurance assurance needs. internal auditors. outcomes.
accordingly levels. • Hire and retain
people with the
appropriate skill
sets.
• Support staff
development
proactively and
assess possibilities
for guest auditors/
rotation programs.
• Involve subject
matter specialists
where possible to
build credibility,
provide deeper
insights and added
value, e.g. best
practice and
benchmarking.