2018 INTERNAL AUDIT MANAGEMENT INSIGHTS. Risk and Allocation of Audit Effort. A North American Pulse of Internal Audit Supplemental Report / 1

Transcription

1 2018 INTERNAL AUDIT MANAGEMENT INSIGHTS Risk and Allocation of Audit Effort A North American Pulse of Internal Audit Supplemental Report / 1

2 About the of Internal Audit NUMBER OF RESPONSES CAEs 552 Directors/senior managers 84 Total 636 The IIA s Audit Executive Center (AEC ) has gathered insight from leaders in the profession through the annual Pulse of Internal Audit survey (Pulse) since Each survey collects information about both established and emerging issues that are important to the profession as well information about internal audit management (such as areas of focus and staff levels). In Pulse reports, CAEs and directors/senior managers are collectively referred to as CAEs, and the terms audit department, audit function, and audit activity are used interchangeably. The survey results are analyzed and presented in multiple reports, of which this is one. Complimentary high-level reports are made available to the public through The IIA s Pulse of Internal Audit resource page (visit More in-depth reports for internal audit management are available exclusively to members of the AEC. For more information about joining the AEC, visit Internal Audit Maturity (Self-assessed) Industry Groupings* Initial 4% Finance and insurance 30% Building/infrastructure 18% Services 26% Performing/integrated 37% Leading/managed 27% Industrial 25% Controlling/optimal 14% Government and education 19% Organization Type with Financial Services Breakout** Internal Audit Function Size (FTEs) 31% 30% 34% 21% 23% 27% 9% 9% 10% 6% Publicly traded Financial services Public sector Privately held Nonprofit 1 to 3 4 to 9 10 to to 49 More than 50 *Industry groupings were defined as follows: Industrial manufacturing; construction; utilities; mining, quarrying, and oil and gas extraction; transportation and warehousing; waste management/remediation services. Services health care; retail trade; real estate; accommodation and food; wholesale trade; entertainment; information; professional; agriculture. Government and education public administration and educational services. Finance and insurance financial institutions, insurance, asset management, broker-dealers. **See the Organization Type Differences section for more details.

3 Executive Summary... 2 Risk Assessment Overview... 3 Cyber Risks Rated Highest Overall... 3 Financial Services, Public Sector, Nonprofits Report Higher Risk... 4 Risks Trending Up... 5 Audit Effort Overview... 6 Effort Focused on Operational, Compliance, and Financial Risks... 6 Audit Effort Differs Widely Among Organization Types... 7 Audit Effort Increasing for Compliance Risks... 8 Six-Year Trend Shows Operational Risk Focus Declining... 9 About One-Third of Audit Effort Goes to Strategic Goals Risk Temperature Introducing a New Measure for Risk Risk Temperature Increasing Most in Public Sector and Financial Services Organization Type Differences Publicly Traded Organizations: Increasing Financial Effort Financial Services: Compliance and IT Concerns Public Sector: New Emphasis on Compliance Privately Held Organizations: More Interest in ERM Nonprofit Organizations: Highest Risk in Cyber and Compliance Analysis of Risk vs. Audit Effort Cyber, IT, and Third-party Risks: More Audit Effort Needed? Compliance/Regulatory Risks: Effort Follows Risk Operational Risks: Gradual Decline in Audit Effort ERM and Governance Risks: Increased Attention Fraud and Cost Containment Risks: Risk Increasing Considerations for CAEs Appendix A: Risk Temperature Calculation Appendix B: Anticipated Audit Effort (2013 to 2018) Appendix C: Risk Area Summary / 1

4 CAEs have a number of responsibilities in managing an internal audit function. Few are more important than assessing areas of risk and allocating audit effort to those areas. The results from Pulse provide interesting insights into CAEs view of risks and what needs to be audited. Cyber is the No. 1 risk but gets little audit attention. Sixty-five percent of respondents rate cyber as a high risk 1, but allocate only 7 percent of their resources to audit this risk. Concerns over compliance and regulatory risks are increasing. Those experiencing the brunt of increased government attention financial services, health care, and public sector are assessing this risk the highest and allocating it a lot of resources. Financial reporting is not considered a high risk by many, but it gets a lot of attention. While most organizations do not spend a lot of time on this risk, publicly traded organizations devote nearly a third of their effort to this single risk. Operational risk receives more resources than any other risk, but it is not considered a particularly high risk. This risk has been a mainstay of internal audit focus, but has been on a six-year slide downward as far as resource allocation. The type of organization has a large impact on where CAEs see risk and how they respond. Risks are very different for different types of organizations except cyber, which is of concern to everyone. Small audit functions are not that different from large organizations when it comes to risk and resource allocation. While smaller internal audit functions face a number of unique challenges, (e.g., it is more difficult to dedicate resources to specific tasks, ensure there is sufficient breadth and depth of skills to cover the organization s full scope of risks), there were very few instances where the responses from smaller audit functions were different than larger functions. This year, Pulse introduces a new metric, Risk Temperature a single value that measures how much of the audit universe is rated as high risk, weighted by the importance of each risk area. Risk Temperature increased from 2017 to 2018 for all but one organization type. CAEs should seriously consider the mechanisms they use to assess risk and allocate audit efforts. These are fundamental aspects of the role of the CAE. This report can help identify areas where a CAE s views are different from those of their peers. While not necessarily wrong to have these inconsistencies, each CAE should explore the potential reasons for such differences, ensuring they are due to differences in their specific organization and not due to inertia or inadequate consideration of risk. 1 The term high risk in this report collectively refers to survey responses of high and very high. 2 /

5 Identifying, analyzing, and assessing risk requires substantial effort and professional judgment, but is necessary to ensure that CAEs focus effort on areas of greatest importance. Cyber Risks Rated Highest Overall Topping this year s list of higher organizational risks are cyber, compliance/regulatory, IT, third-party relationships, and operational risks. Exhibit 1: Risk Assessment All Respondents (2018) Cyber (prevention and/or recovery) 65% 29% 6% Compliance/regulatory (excluding ICFR) 47% 35% 18% IT (not covered in other choices) 46% 43% 11% Management of third-party relationships 36% 40% 24% Operational (not included elsewhere) 36% 48% 16% ERM programs and related processes 26% 46% 28% Cost/expense reduction or containment 23% 42% 35% Governance and culture 20% 38% 42% Fraud identification and investigation 15% 41% 44% Financial (excluding ICFR) 14% 44% 42% Financial reporting (including ICFR) 14% 36% 50% Sustainability or other nonfinancial reporting 5% 18% 77% Support for external audit 4% 13% 83% High or very high Medium Low or very low Note: Q49: How would you describe the level of risk in your organization in the following areas? ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100%. All respondents. n = 630. / 3

6 Financial Services, Public Sector, Nonprofits Report Higher Risk CAEs from different types of organizations have very different assessments of risk. For example, while all organizations rate cyber as the highest risk area, depending on organization type, the percentage of respondents rating cyber as high risk range from 49 percent to 82 percent. The risk areas with the highest divergence among organization types, in addition to cyber, are compliance/regulatory and operational. Exhibit 2: Risk Areas Assessed as High Risk by Organization Type (2018) Risk areas Publicly traded Privately held Financial services Public sector Nonprofit All Cyber (prevention and/or recovery) 49% 52% 78% 64% 81% 65% Compliance/regulatory (excluding ICFR) 32% 32% 60% 50% 61% 47% IT (not covered in other choices) 34% 42% 56% 51% 48% 46% Management of third-party relationships 33% 28% 42% 32% 35% 36% Operational (not included elsewhere) 30% 46% 33% 45% 28% 36% ERM programs and related processes 17% 32% 27% 33% 28% 26% Cost/expense reduction or containment 20% 32% 15% 33% 28% 23% Governance and culture 13% 26% 19% 31% 17% 20% Fraud identification and investigation 12% 20% 15% 20% 13% 15% Financial (excluding ICFR) 7% 20% 14% 21% 22% 14% Financial reporting (including ICFR) 15% 4% 20% 13% 8% 14% Sustainability or other nonfinancial reporting 4% 4% 2% 10% 2% 5% Support for external audit 4% 2% 4% 5% 2% 4% Low High Note: Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100%. n = 194 for publicly traded. n = 54 for privately held. n = 186 for financial services. n = 133 for public sector. n = 54 for nonprofit. n = 630 for all. 4 /

7 Risks Trending Up Risks are not static. Risk changes as organizations experience disruption and changes in their circumstances. The change in the percentage of CAEs who rated an area as a high risk is a good indicator of their perspective of the changing risk landscape. The overall message is clear CAEs see risk levels as increasing, often substantially. Most notable is the greater percentage of CAEs who assessed cost/expense reduction or containment, ERM, IT, compliance/regulatory, and cyber as areas of high risk in Only two risk areas show decreases, financial reporting and fraud identification/investigation, each with relatively minor decreases. The message is clear CAEs see risk as increasing, often substantially. (Note: Percentage point change is the arithmetic difference of the two percentages shown.) Exhibit 3: Change in Risk Areas Assessed as High Risk All Respondents (2017 to 2018) Risk areas Percentage point change Cyber (prevention and/or recovery) 59.6% 64.5% 4.9 Compliance/regulatory (excluding ICFR) 40.9% 46.8% 5.9 IT (not covered in other choices) 39.2% 46.3% 7.1 Management of third-party relationships 34.8% 36.0% 1.2 Operational (not included elsewhere) 31.6% 35.6% 4.0 ERM programs and related processes 18.9% 25.5% 6.6 Cost/expense reduction or containment 12.9% 22.7% 9.8 Governance and culture 16.0% 20.2% 4.2 Fraud identification and investigation 18.6% 15.4% -3.2 Financial (excluding ICFR) 12.5% 14.4% 1.9 Financial reporting (including ICFR) 14.8% 14.3% -0.5 Sustainability or other nonfinancial reporting 3.0% 4.5% 1.5 Support for external audit 3.6% 4.0% 0.4 Note: Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. All respondents. n = 630 for n = 523 for / 5

8 CAEs allocation of effort the percentage of the audit plan allocated to each risk area must be based on a documented risk assessment. Pulse respondents provided a detailed breakdown of the allocation of their resources. Effort Focused on Operational, Compliance, and Financial Risks Pulse respondents are allocating internal audit resources primarily to operational, financial reporting, and compliance risks in Audit Focus IIA Implementation Standard 2010.A1 The internal audit activity s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process. Exhibit 4: Anticipated Allocation of Audit Effort All Respondents (2018) Risk areas Anticipated allocation in 2018 Operational (not included elsewhere) 17% Compliance/regulatory (excluding ICFR) 16% Financial reporting (including ICFR) 14% IT (not covered in other choices) 9% Financial (excluding ICFR) 8% Cyber (prevention and/or recovery) 7% ERM programs and processes 6% Fraud identification and investigation 5% Support for external audit 4% Governance and culture 4% Management of third-party relationships 4% Cost/expense reduction or containment 3% Sustainability or other nonfinancial reporting 1% Other risk category not listed 2% Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100%. All respondents. n = /

9 Audit Effort Differs Widely Among Organization Types As with risk assessment, allocation of effort differs substantively by the CAE s organization type. Exhibit 5: Anticipated Allocation of Audit Effort by Organization Type (2018) Risk areas Publicly traded Privately held Financial services Public sector Nonprofit All Operational (not included elsewhere) 15% 17% 18% 20% 15% 17% Compliance/regulatory (excluding ICFR) 10% 13% 17% 22% 18% 16% Financial reporting (including ICFR) 30% 10% 10% 2% 4% 14% IT (not covered in other choices) 8% 9% 11% 8% 9% 9% Financial (excluding ICFR) 6% 10% 7% 9% 12% 8% Cyber (prevention and/or recovery) 6% 7% 9% 5% 9% 7% ERM programs and related processes 5% 6% 7% 6% 7% 6% Fraud identification and investigation 5% 6% 4% 7% 5% 5% Support for external audit 4% 4% 4% 3% 4% 4% Governance and culture 2% 3% 5% 6% 3% 4% Management of third-party relationships 3% 5% 4% 4% 4% 4% Cost/expense reduction or containment 3% 6% 2% 5% 6% 3% Sustainability or other nonfinancial reporting 0.4% 1% 1% 1% 1% 1% Other risk category not listed 1% 2% 2% 2% 3% 2% Low High Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Totals may not equal 100% due to rounding. n = 197 for publicly traded. n = 54 for privately held. n = 186 for financial services. n = 134 for public sector. n = 54 for nonprofit. n = 625 for all. / 7

10 Audit Effort Increasing for Compliance Risks Exhibit 6 shows the changes in anticipated allocation of audit effort to risk areas for 2018 compared with the actual allocation in While the specific respondents in 2017 and 2018 were not identical, the overall yearly averages are a good indication of how the allocation of audit effort changed from 2017 to Exhibit 6: Change in Anticipated Allocation of Audit Effort All Respondents (2017 to 2018) Risk areas Percentage point change Compliance/regulatory (excluding ICFR) 13.0% 15.6% 2.6 ERM programs and processes 4.9% 6.2% 1.3 Cyber (prevention and/or recovery) 6.3% 7.2% 0.9 Other risk category not listed 1.1% 1.7% 0.6 Governance and culture 3.6% 3.9% 0.3 Management of third-party relationships 3.4% 3.7% 0.3 IT (not covered in other choices) 9.2% 9.4% 0.2 Sustainability or other nonfinancial reporting 0.8% 0.7% -0.1 Financial reporting (including ICFR) 14.2% 14.0% -0.2 Cost/expense reduction or containment 4.2% 3.4% -0.8 Fraud identification and investigation 6.0% 5.0% -1.0 Financial (excluding ICFR) 9.0% 8.0% -1.0 Operational (not included elsewhere) 18.6% 17.1% -1.5 Support for external audit 5.7% 4.0% -1.7 Audit plan totals 100% 100% Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. ICFR = internal controls over financial reporting. ERM = enterprise risk management. All respondents. n = 636 for n = 535 for CAEs in financial services, public sector, and nonprofit organizations are driving the increase in allocation of effort to compliance/regulatory risks. CAEs in financial services and privately held companies are driving the change in allocation to ERM risks. 8 /

11 Six-Year Trend Shows Operational Risk Focus Declining For a number of years Pulse has asked respondents to provide their allocation of audit effort by risk area. Exhibit 7 shows the trending of the responses from 2013 through Risk areas other than operational and compliance were grouped by color. Appendix B provides more details. Exhibit 7: Anticipated Allocation of Audit Effort All Respondents (2013 to 2018) 27.0% Color Code for Risk Groups 25% Financial reporting risks IT and third-party relationship risks ERM and governance risks Fraud and cost containment risks 20% 17.1% Operational 15% 14.9% 15.6% Compliance/regulatory (excluding ICFR) 13.8% 13.4% 14.0% Financial reporting (including ICFR) 11.1% 10% Strategic business risks 7.6% 9.4% IT (not covered in other choices) 8.0% Financial (excluding ICFR) 7.2% Cyber 6.2% ERM and related processes 5% 5.5% 3.9% 3.3% 2.9% 1.9% 3.1% 5.0% Fraud 4.0% Support for external audit 3.9% Governance and culture 3.7% Third-party relationships 3.5% Cost/expense reduction 0% Note: Anticipated allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. To simplify the exhibit, some risk areas with lower allocations are not shown. There were some changes in categories over these six years. The strategic business risks category was removed effective 2017 as audit effort in this category could overlap with most any of the other categories. Cyber was added in Most likely, the effort devoted to cyber was previously included either in the operational or IT risk categories. All respondents. n = 502 (2013), 424 (2014), 326 (2015), 443 (2016), 509 (2017), 636 (2018). / 9

12 There have been some major shifts in allocation of audit effort among risk areas over this six-year period: Operational audit effort is declining. Financial reporting (including ICFR) effort was declining for many years but recently has increased. Allocation of audit effort has been low throughout this entire period for a number of risk areas, with little change. Cyber risk effort is low for both years it has been broken out in the survey, at roughly 7 percent of total effort. Audit Effort Trend Analysis The Pulse has asked a variety of different questions over the years, but a consistent question for the last six years has been to allocate audit effort to specific risk areas. For the first time, all six years of data have been assembled for inclusion in this 2018 report. ERM effort has not changed in 2018, even with the issuance of the revised Committee of Sponsoring Organizations (COSO) ERM framework in late 2017 and the updated International Organization for Standardization (ISO) standard in early About One-Third of Audit Effort Goes to Strategic Goals In addition to analyzing audit effort per risk area, the Pulse survey also asked CAEs to describe their audit work at a higher level, with risks categorized as strategic, routine, regulatory compliance, or areas of lower importance. Responses varied by organization type, as noted in Exhibit 8. In addition, higher maturity of the internal audit function is associated with higher allocation of effort to strategic risks. Finally, organizations with higher levels of cosourcing allocate the most resources to regulatory compliance risks. Exhibit 8: High-level Priorities for Audit Effort by Organization Type Nonprofit 42% 12% 34% 9% 3% Public sector 41% 10% 33% 10% 6% Privately held 33% 13% 38% 10% 6% Publicly traded 31% 23% 35% 7% 4% Financial services 30% 20% 37% 7% 6% All 34% 18% 35% 8% 5% Strategic goals Regulatory compliance Routine operations Lower importance Other activities Note: Q51: What percentage of your total audit effort addresses each of the following groups of organizational activities? Rounding has been adjusted so that totals equal 100%. All respondents. n = /

13 Introducing a New Measure for Risk Assessment of risk for individual areas is critical, but CAEs assessment of the overall level of risk of their audit universe provides additional insight. (An audit universe is all the risk areas included in an audit plan.) This year Pulse introduces an overall measure of risk called the Risk Temperature of the Audit Universe (Risk Temperature). Risk Temperature measures how much of the audit universe is rated as high or very high risk, weighted by the importance of each risk area. (Appendix A provides a more detailed explanation of the calculation of Risk Temperature.) This new measure reveals some very interesting indications on how internal auditors view risk, but the real story is in the change from the prior year to the current year (Exhibit 9). Exhibit 9: Risk Temperature All Respondents (2017 to 2018) Risk areas in the audit universe Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Percentage point change in Risk Temperature from 2017 to 2018 Compliance/regulatory (excluding ICFR) Cost/expense reduction or containment Cyber (prevention and/or recovery) ERM programs and related processes 13.0% 40.9% 5.3% 15.6% 46.8% 7.3% % 12.9% 0.5% 3.4% 22.7% 0.8% % 59.6% 3.8% 7.2% 64.5% 4.6% % 18.9% 0.9% 6.2% 25.5% 1.6% 0.7 Financial (excluding ICFR) 9.0% 12.5% 1.1% 8.0% 14.4% 1.2% 0.1 Financial reporting (including ICFR) Fraud identification and investigation 14.2% 14.8% 2.1% 14.0% 14.3% 2.0% % 18.6% 1.1% 5.0% 15.4% 0.8% -0.3 Governance and culture 3.6% 16.0% 0.6% 3.9% 20.2% 0.8% 0.2 IT (not covered in other choices) Management of third-party relationships Operational (not included elsewhere) 9.2% 39.2% 3.6% 9.4% 46.3% 4.4% % 34.8% 1.2% 3.7% 36.0% 1.3% % 31.6% 5.9% 17.1% 35.6% 6.1% 0.2 Support for external audit 5.7% 3.6% 0.2% 4.0% 4.0% 0.2% 0.0 Sustainability or other nonfinancial reporting Other risk category not listed 0.8% 3.0% 0.02% 0.7% 4.5% 0.03% % % Risk temperature 100% % 100% % 4.8 Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. Q49: How would you describe the level of risk in your organization in the following areas? Percentages show "high" and "very high" risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. All respondents. n = 535 for n = 636 for / 11

14 Risk Temperature Increasing Most in Public Sector and Financial Services For all organization types except publicly traded, CAEs see risk as increasing often significantly (Exhibit 10). Public sector moved to having the highest Risk Temperature with significant increases in compliance/regulatory and operational risks. Financial services is a close second with significant increases in compliance/regulatory, cyber, IT, and operational risk areas. Nonprofit (which is primarily health care and education related) also is near the top with increases in compliance/regulatory and cyber risk areas. Privately held had little change with increases in ERM and finance (other than financial reporting) risk areas, partially offset by a decrease in financial reporting. Publicly traded CAEs are the most relaxed with no significant change from last year. Exhibit 10: Change in Risk Temperature by Organization Type (2017 to 2018) 27.9% 37.8% 37.7% 36.9% 33.6% 29.4% 27.4% 29.5% 22.5% 22.4% 26.3% 31.1% Public sector Financial services Nonprofit Privately held Publicly traded All Percentage Point change point increase Percentage point decrease Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. Q49: How would you describe the level of risk in your organization in the following areas? Percentages show "high" and "very high" risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Public sector n = 103 (2017) and 134 (2018). Financial services n = 148 (2017) and 186 (2018). Nonprofit n = 51 (2017) and 54 (2018). Privately held n = 50 (2017) and 54 (2018). Publicly traded n = 166 (2017) and 197 (2018). All respondents n = 535 (2017) and 636 (2018). 12 /

15 Averages from all respondents provide an overall view of the view from the internal audit profession. However, analysis by the organization type is extremely useful to identify and understand shifts in audit attention as actions and views of CAEs in different types of organizations vary. This section looks at data and trends for five organization types: publicly traded, public sector, privately held, nonprofit, and financial services. Due to significant participation from, and the unique characteristics of, financial services organizations, financial services was created by extracting financial services respondents from the other four organization types. Due to the small size of some organization types, and minor changes in those groupings over this period, the six-year trend analysis only looks at the risk areas getting the most audit effort, and only for the four largest organization types (which represent the large majority of respondents to the Pulse in each year). The distribution of respondents by organization type, and the top industries for each organization type, are: Publicly Traded Excluding Financial Services (31%) Manufacturing (31%) Mining, quarrying, and oil and gas extraction (12%) Utilities (8%) Information (6%) Health care and social assistance (5%) Financial Services (30%) Financial institution (54%) Insurance (27%) Asset management (7%) Broker-Dealer (3%) Other (9%) Public Sector Excluding Financial Services (21%) Public administration (41%) Educational services (31%) Utilities (8%) Privately Held Excluding Financial Services (9%) Manufacturing (28%) Professional, scientific, and technical services (13%) Other services (7%) Health care and social assistance (7%) Retail trade (7%) Nonprofit Excluding Financial Services (9%) Health care and social assistance (54%) Educational services (22%) Other services (9%) / 13

16 Publicly Traded Organizations: Increasing Financial Effort Publicly Traded Risk Assessment Publicly traded organizations span a wide variety of industries (except financial services), size, and maturity of their internal audit functions. The assessment of risk for these organizations follows the same pattern as all other organizations. There are two notable differences from the responses of CAEs in this organization type. Publicly traded organizations are usually less likely to assess a risk area as high risk than the average for all organizations. The exception is financial reporting, with 15 percent of CAEs assessing risk as high, more than any other organization type (except financial services organizations). Publicly traded organizations have specific requirements under the U.S. Sarbanes-Oxley Act of 2002 related to internal controls over financial reporting, which likely explains the higher assessment of risk around financial reporting. Exhibit 11: Risk Assessment Publicly Traded (2018) Cyber (prevention and/or recovery) 49% 42% 9% Compliance/regulatory (excluding ICFR) 32% 40% 28% IT (not covered in other choices) 34% 54% 12% Management of third-party relationships 33% 42% 25% Operational (not included elsewhere) 30% 50% 20% ERM programs and related processes 17% 50% 33% Cost/expense reduction or containment 20% 41% 39% Governance and culture 13% 40% 47% Fraud identification and investigation 12% 42% 46% Financial (excluding ICFR) 7% 40% 53% Financial reporting (including ICFR) 15% 38% 47% Sustainability or other nonfinancial reporting 4% 19% 77% Support for external audit 4% 13% 83% High or very high Medium Low or very low Note: Q49: How would you describe the level of risk in your organization in the following areas? ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100%. Publicly traded excluding financial services. n = 194. P 14 /

17 Publicly Traded Risk Assessment Change from Prior Year CAEs from publicly traded organizations did not have major swings in their assessment of risk versus last year. The overall variation in risk assessment was less pronounced for these organizations than any other type of organization. The changes in risk assessment for publicly traded organizations have some strong similarities with changes for private companies, but are generally differ than other types of organizations. Specifically: Assessment of risk for cyber decreased, an assessment matched only by private organizations in having a decrease in this risk. The largest decreases in risk are for finance and financial reporting. This organization type is the only one with a real decrease in finance, and had the largest decrease for financial reporting risk. Exhibit 12: Change in Risk Areas Assessed as High Risk Publicly Traded (2017 to 2018) Risk areas Percentage point change Cyber (prevention and/or recovery) 53.7% 49.2% -4.5 Compliance/regulatory (excluding ICFR) 32.9% 32.0% -0.9 IT (not covered in other choices) 29.9% 34.2% 4.3 Management of third-party relationships 29.6% 33.0% 3.4 Operational (not included elsewhere) 27.9% 30.1% 2.2 ERM programs and related processes 14.4% 16.5% 2.1 Cost/expense reduction or containment 13.6% 20.1% 6.5 Governance and culture 12.7% 13.4% 0.7 Fraud identification and investigation 17.7% 11.9% -5.8 Financial (excluding ICFR) 11.3% 6.7% -4.6 Financial reporting (including ICFR) 20.7% 15.0% -5.7 Sustainability or other nonfinancial reporting 3.6% 4.2% 0.6 Support for external audit 0.6% 4.4% 3.8 Note: Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Publicly traded excluding financial services. n = 194 for n = 164 for / 15

18 Publicly Traded Audit Effort The level of effort devoted to risk areas for publicly traded organizations is distinctly different from other organizations. Financial reporting has been, and continues to be, the risk area that is the primary focus of publicly traded companies consuming 30 percent of all audit effort. Audit effort is expected to increase in 2018 for financial reporting, indicating this risk is not going away from the perspective of these CAEs. Effort toward operational risk is growing, but the level of effort allocated to operational risks by publicly traded organizations is currently the lowest of all organization types. Even with this increase, they will be on the low end of the level of effort allocated to operational risks. Exhibit 13: Change in Anticipated Allocation of Audit Effort Publicly Traded (2017 to 2018) Risk areas Percentage point change Financial reporting (including ICFR) 29.1% 30.4% 1.3 Operational (not included elsewhere) 12.5% 14.9% 2.4 Compliance/regulatory (excluding ICFR) 9.7% 10.2% 0.5 IT (not covered in other choices) 8.8% 8.4% -0.4 Financial (excluding ICFR) 7.6% 6.5% -1.1 Cyber (prevention and/or recovery) 6.0% 6.2% 0.2 ERM programs and processes 4.2% 5.2% 1.0 Fraud identification and investigation 5.5% 4.7% -0.8 Support for external audit 6.4% 4.3% -2.1 Management of third-party relationships 2.5% 3.0% 0.5 Cost/expense reduction or containment 3.9% 2.8% -1.1 Governance and culture 2.2% 2.2% 0.0 Sustainability or other nonfinancial reporting 0.4% 0.4% 0.0 Other risk category not listed 1.2% 0.9% -0.3 Audit plan totals 100% 100% Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Publicly traded excluding financial services. n = 197 for n = 166 for /

19 Publicly Traded Audit Effort, Six-year Trend There are no substantial changes in the order of risks areas when ranked by allocated level of audit effort. However, there are some clear trends. For all six years, the amount of effort allocated to financial reporting by publicly traded organizations exceeds that for any other organization type. Operational risk, which is the most significant focus area of all other organization types, comes in second for all years, although generally declining. As most other areas had a fairly consistent allocation of effort over this time period, it appears that the recent increase in attention to financial reporting has come at the expense of the operational risk area. Appendix B provides more details. Exhibit 14: Anticipated Allocation of Audit Effort Publicly Traded (2013 to 2018) 30% 25% 20% 28.2% 20.3% 30.4% Financial reporting (including ICFR) Color Code for RIsk Groups Financial reporting risks IT-related risks 15% 14.9% Operational 10% 5% 12.1% 11.4% 11.0% 4.0% 10.2% Compliance/regulatory (excluding ICFR) 8.4% IT 6.5% Financial (excluding ICFR) 6.2% Cyber 5.2% ERM and related processes 0% Note: Anticipated allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. To simplify the exhibit, some risk areas with lower allocations are not shown. Publicly traded excluding financial services. n = 171 (2013), 140 (2014), 102 (2015), 110 (2016), 166 (2017), 197 (2018). / 17

20 Publicly Traded Risk Temperature The Risk Temperature for publicly traded organizations is lowest, and the only one trending down compared to the other organization types. Most audit effort is devoted to areas not considered high risk. Cyber, IT, third parties, and compliance were the top four risk areas, all relatively unchanged from last year. The risk of financial reporting has declined notably. The most audit effort goes to financial reporting and operational risks, both increasing only slightly in The combination of little change in allocation of audit effort, and a decrease in assessed risk of financial reporting, resulted in the decrease in Risk Temperature. Exhibit 15: Risk Temperature Publicly Traded (2017 to 2018) Risk areas in the audit universe Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Percentage point change in Risk Temperature from 2017 to 2018 Compliance/regulatory (excluding ICFR) Cost/expense reduction or containment Cyber (prevention and/or recovery) ERM programs and related processes Financial areas (excluding ICFR) Financial reporting (including ICFR) Fraud identification and investigation 9.7% 32.9% 3.2% 10.2% 32.0% 3.3% % 13.6% 0.5% 2.8% 20.1% 0.6% % 53.7% 3.2% 6.2% 49.2% 3.1% % 14.4% 0.6% 5.2% 16.5% 0.9% % 11.3% 0.9% 6.5% 6.7% 0.4% % 20.7% 6.0% 30.4% 15.0% 4.6% % 17.7% 1.0% 4.7% 11.9% 0.6% -0.4 Governance and culture 2.2% 12.7% 0.3% 2.2% 13.4% 0.3% 0.0 IT (not covered in other choices) Management of third-party relationships Operational (not included elsewhere) 8.8% 29.9% 2.6% 8.4% 34.2% 2.9% % 29.6% 0.7% 3.0% 33.0% 1.0% % 27.9% 3.5% 14.9% 30.1% 4.5% 1.0 Support for external audit 6.4% 0.6% 0.0% 4.3% 4.4% 0.2% 0.2 Sustainability or other nonfinancial reporting Other risk category not listed 0.4% 3.6% 0.01% 0.4% 4.2% 0.02% % % Risk temperature 100% % 100% % -0.1 Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. Q49: How would you describe the level of risk in your organization in the following areas? Percentages show "high" and "very high" risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Publicly traded excluding financial sector. n = 166 for n = 197 for /

21 Financial Services: Compliance and IT Concerns Financial Services Risk Assessment The financial services industry can be characterized by strong and overlapping regulations, and some unique risks. This organization type was created by aggregating primarily banking and insurance companies into one group, regardless of ownership structure. Internal audit groups in financial service organizations are typically larger than other types of organizations. Unlike for publicly traded organizations, financial services organizations generally assess risk higher than the average for all risk areas. This is especially notable for cyber, compliance, and IT risk areas. Exhibit 16: Risk Assessment Financial Services (2018) Cyber (prevention and/or recovery) 78% 21% 1% Compliance/regulatory (excluding ICFR) 60% 31% 9% IT (not covered in other choices) 56% 38% 6% Management of third-party relationships 42% 37% 21% Operational (not included elsewhere) 33% 52% 15% ERM programs and related processes 27% 47% 26% Cost/expense reduction or containment 15% 36% 49% Governance and culture 19% 39% 42% Fraud identification and investigation 15% 37% 48% Financial (excluding ICFR) 14% 45% 41% Financial reporting (including ICFR) 20% 38% 42% Sustainability or other nonfinancial reporting 2% 12% 86% Support for external audit 4% 13% 83% High or very high Medium Low or very low Note: Q49: How would you describe the level of risk in your organization in the following areas? ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100%. Financial services from all organization types. n = 186. / 19

22 Financial Services Risk Assessment Change from Prior Year CAEs from financial services organizations had a moderate level of change in risk assessment (when compared with other types of organizations), but changes were generally upwards. Compliance, cost reduction, cyber, and IT had the greatest increase in assessed risk, similar to public sector organizations. No risks areas had a notable decrease in risk. Exhibit 17: Change in Risk Areas Assessed as High Risk Financial Services (2017 to 2018) Risk areas Percentage point change Cyber (prevention and/or recovery) 67.8% 78.4% 10.6 Compliance/regulatory (excluding ICFR) 49.0% 59.7% 10.7 IT (not covered in other choices) 44.8% 55.7% 10.9 Management of third-party relationships 38.4% 42.2% 3.8 Operational (not included elsewhere) 27.9% 33.5% 5.6 ERM programs and related processes 21.7% 26.8% 5.1 Cost/expense reduction or containment 4.4% 15.4% 11.0 Governance and culture 16.0% 18.9% 2.9 Fraud identification and investigation 16.1% 15.1% -1.0 Financial (excluding ICFR) 9.6% 14.5% 4.9 Financial reporting (including ICFR) 16.1% 19.8% 3.7 Sustainability or other nonfinancial reporting 3.8% 1.9% -1.9 Support for external audit 5.1% 4.0% -1.1 Note: Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Financial services from all organization types. n = 186 for n = 147 for /

23 Financial Services Audit Effort Financial services organizations are increasing attention to risks that already have a healthy resource allocation when compared to other organizations. Compliance related audit effort has increased. ERM has jumped substantially from a low level of resources in the past. Cyber is increasing, consistent with increase in risk. Resources are primarily being pulled from operational risk and redirected to other areas. Exhibit 18: Change in Anticipated Allocation of Audit Effort Financial Services (2017 to 2018) Risk areas Percentage point change Operational (not included elsewhere) 22.0% 17.7% -4.3 Compliance/regulatory (excluding ICFR) 13.7% 17.1% 3.4 IT (not covered in other choices) 10.9% 11.1% 0.2 Financial reporting (including ICFR) 10.7% 10.0% -0.7 Cyber (prevention and/or recovery) 7.1% 8.7% 1.6 ERM programs and processes 4.9% 7.4% 2.5 Financial (excluding ICFR) 7.5% 7.1% -0.4 Governance and culture 4.0% 4.5% 0.5 Support for external audit 6.1% 4.3% -1.8 Management of third-party relationships 4.3% 4.0% -0.3 Fraud identification and investigation 4.4% 3.6% -0.8 Cost/expense reduction or containment 2.7% 2.2% -0.5 Sustainability or other nonfinancial reporting 1.1% 0.6% -0.5 Other risk category not listed 0.6% 1.7% 1.1 Audit plan totals 100% 100% Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Financial services from all organization types. n = 186 for n = 148 for / 21

24 Financial Services Audit Effort, Six-year Trend The six-year trend of resource allocation for financial services organizations is largely stagnant, except for operational risk. Operational risks consistently are losing resources. The areas that have consumed these freed up resources are mixed. The effort devoted to cyber was likely previously included in operational or IT, potentially explaining part of the drop in operational. There also are small drops in a variety of other risk areas, but none substantial. It is noteworthy that the amount of effort devoted to compliance and regulatory risks has varied, but stayed in the same general range over this six-year period. Appendix B provides more details. Exhibit 19: Anticipated Allocation of Audit Effort Financial Services (2013 to 2018) 30% 25% 30.6% Color Code for Risk Groups Financial reporting risks IT-related risks 20% 15% 17.0% 17.7% Operational 17.1% Compliance/regulatory (excluding ICFR) 10% 5% 12.5% 11.2% 8.3% 7.1% 11.1% IT 10.0% Financial reporting (including ICFR) 8.7% Cyber 7.4% ERM and related processes 7.1% Financial (excluding ICFR) 0% Note: Anticipated allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. To simplify the exhibit, some risk areas with lower allocations are not shown. Financial services from all organization types. n = 90 (2013), 97 (2014), 91 (2015), 139 (2016), 139 (2017), 186 (2018). 22 /

25 Financial Services Risk Temperature Risk Temperature for financial services organizations is the second highest and has the second greatest increase from last year. The two greatest areas of audit effort are compliance and operational, which are also two of the five areas assessed as high risk. However, the primary drivers of Risk Temperature change come from a few different areas. Compliance risk is rated high by 10 percent more respondents than last year, and is allocated more audit effort. This results in compliance being the largest driver of the increase in Risk Temperature. Cyber is the area considered a high risk by more respondents than any other risk area, and 10 percent more respondents rated it high risk than last year. Audit effort increased, but only modestly. IT was the third area where 10 percent more respondents rated it as high risk than last year, although the allocation of audit effort was nearly flat. These organizations see the largest increases in risk in areas likely interrelated: compliance, cyber, and IT. Exhibit 20: Risk Temperature Financial Services (2017 to 2018) Risk areas in the audit universe Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Percentage point change in Risk Temperature from 2017 to 2018 Compliance/regulatory (excluding ICFR) Cost/expense reduction or containment Cyber (prevention and/or recovery) ERM programs and related processes Financial areas (excluding ICFR) Financial reporting (including ICFR) Fraud identification and investigation 13.7% 49.0% 6.7% 17.1% 59.7% 10.2% % 4.4% 0.1% 2.2% 15.4% 0.3% % 67.8% 4.8% 8.7% 78.4% 6.8% % 21.7% 1.1% 7.4% 26.8% 2.0% % 9.6% 0.7% 7.1% 14.5% 1.0% % 16.1% 1.7% 10.0% 19.8% 2.0% % 16.1% 0.7% 3.6% 15.1% 0.5% -0.2 Governance and culture 4.0% 16.0% 0.6% 4.5% 18.9% 0.9% 0.3 IT (not covered in other choices) Management of third-party relationships Operational (not included elsewhere) 10.9% 44.8% 4.9% 11.1% 55.7% 6.2% % 38.4% 1.7% 4.0% 42.2% 1.7% % 27.9% 6.1% 17.7% 33.5% 5.9% -0.2 Support for external audit 6.1% 5.1% 0.3% 4.3% 4.0% 0.2% -0.1 Sustainability or other nonfinancial reporting Other risk category not listed 1.1% 3.8% 0.04% 0.6% 1.9% 0.01% % % Risk temperature 100% % 100% % 8.3 Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. Q49: How would you describe the level of risk in your organization in the following areas? Percentages show "high" and "very high" risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Financial services from all organization types. n = 148 for n = 186 for / 23

26 Public Sector: New Emphasis on Compliance Public Sector Risk Assessment Cyber, IT, and compliance are the three top risk areas for public sector organizations, consistent with the overall average for all organizations. While governments and educational organizations, the primary organizations in this organization type, have some unique activities, their identified high-risk areas are not that unique. Internal audit groups in public sector organizations are typically smaller than in other types of organizations. Exhibit 21: Risk Assessment Public Sector (2018) Cyber (prevention and/or recovery) 64% 28% 8% Compliance/regulatory (excluding ICFR) 50% 33% 17% IT (not covered in other choices) 51% 35% 14% Management of third-party relationships 32% 38% 30% Operational (not included elsewhere) 45% 42% 13% ERM programs and related processes 33% 46% 21% Cost/expense reduction or containment 33% 44% 23% Governance and culture 31% 39% 30% Fraud identification and investigation 20% 48% 32% Financial (excluding ICFR) 21% 47% 32% Financial reporting (including ICFR) 13% 28% 59% Sustainability or other nonfinancial reporting 10% 28% 62% Support for external audit 5% 19% 76% High or very high Medium Low or very low Note: Q49: How would you describe the level of risk in your organization in the following areas? ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100%. Public sector excluding financial services. n = /

27 Public Sector Risk Assessment Change from Prior Year CAEs from public sector organizations exhibited the greatest variation in risk assessments of the three larger organization types responding to the survey (publicly traded, financial services and public sector). Most of the changes were increases in risk, as for financial services, but by even greater amounts. Governance and operational risks showed large increases that were not seen for any other organizational type. Exhibit 22: Change in Risk Areas Assessed as High Risk Public Sector (2017 to 2018) Risk areas Percentage point change Cyber (prevention and/or recovery) 51.5% 64.3% 12.8 Compliance/regulatory (excluding ICFR) 36.3% 50.0% 13.7 IT (not covered in other choices) 38.0% 50.8% 12.8 Management of third-party relationships 29.6% 32.3% 2.7 Operational (not included elsewhere) 33.0% 45.1% 12.1 ERM programs and related processes 21.4% 33.3% 11.9 Cost/expense reduction or containment 16.7% 33.1% 16.4 Governance and culture 15.7% 30.8% 15.1 Fraud identification and investigation 26.5% 19.9% -6.6 Financial (excluding ICFR) 21.0% 20.6% -0.4 Financial reporting (including ICFR) 5.6% 12.5% 6.9 Sustainability or other nonfinancial reporting 1.2% 10.1% 8.9 Support for external audit 7.5% 5.4% -2.1 Note: Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Public sector excluding financial services. n = 133 for n = 103 for / 25

28 Public Sector Audit Effort Although public sector organizations can be viewed as average in their views of high-risk areas, their allocation of resources to risk areas is outside the normal average. Compliance risks receive more attention from public sector organizations than any other organization type. This is the same as in 2017, but the gap has widened. The increased attention to cyber is at the expense of resources allocated to operational risk. Financial reporting receives almost no resources as most public sector organizations look to their external auditors to address this risk area. Exhibit 23: Change in Anticipated Allocation of Audit Effort Public Sector (2017 to 2018) Risk areas Percentage point change Compliance/regulatory (excluding ICFR) 16.1% 21.6% 5.5 Operational (not included elsewhere) 24.4% 20.4% -4.0 Financial (excluding ICFR) 9.5% 8.9% -0.6 IT (not covered in other choices) 8.1% 8.3% 0.2 Fraud identification and investigation 8.6% 7.3% -1.3 ERM programs and processes 5.3% 5.7% 0.4 Governance and culture 5.6% 5.6% 0.0 Cyber (prevention and/or recovery) 4.7% 5.5% 0.8 Cost/expense reduction or containment 4.8% 4.5% -0.3 Management of third-party relationships 3.4% 3.7% 0.3 Support for external audit 4.4% 3.1% -1.3 Financial reporting (including ICFR) 2.1% 1.9% -0.2 Sustainability or other nonfinancial reporting 1.2% 1.2% 0.0 Other risk category not listed 1.7% 2.3% 0.6 Audit plan totals 99.9% 100% Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Public sector excluding financial services. n = 134 for n = 103 for /

29 Public Sector Audit Effort, Six-year Trend Public sector organizations have been making some substantial shifts in resource allocation over the last six years. Operational risks have historically been the largest focus, but for the first time in 2018, compliance risks are slightly edging out operational risks for resources. The effort related to cyber (which was first broken out in 2017) was most likely included in the operations or IT risk areas in prior years. However, this reclassification does not significantly affect the overall trend of reducing effort on operational risk. Appendix B provides more details. Exhibit 24: Anticipated Allocation of Audit Effort (2013 to 2018) Public Sector 35% 30% 35.2% Color Code for Risk Groups Financial reporting risks IT-related risks 25% 20% 18.5% 21.6% Compliance/regulatory (excluding ICFR) 20.4% Operational 15% 12.9% 10% 5% 8.8% 7.5% 5.5% 8.9% Financial (excluding ICFR) 8.3% IT 7.3% Fraud 5.7% ERM and related processes 5.5% Cyber 0% 0.9% % Financial reporting (including ICFR) Note: Anticipated allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. To simplify the exhibit, some risk areas with lower allocations are not shown. Public sector excluding financial services. n = 106 (2013), 88 (2014), 61 (2015), 103 (2016), 103 (2017), 134 (2018). / 27

30 Public Sector Risk Temperature The Risk Temperature for the public sector is the highest of all organization types and increased nearly 10 percentage points in The risk of the areas within the audit universe, as seen through the perspective of those in the public sector, is only going in one direction up, and doing so significantly. For areas that represent more than half of all audit effort, risk was assessed as increasing significantly. Compliance and governance/culture have 15 percent more respondents assessing the areas as high risk, followed closely by increases in cyber, operational, and IT. Except for a modest increase in the allocation of audit effort to compliance, the audit effort for the other five areas of increased risk show essentially no change. The only notable area of Risk Temperature decrease is fraud, with declines both in risk assessment and audit effort. Exhibit 25: Risk Temperature Public Sector (2017 to 2018) Risk areas in the audit universe Compliance/regulatory (excluding ICFR) Cost/expense reduction or containment Cyber (prevention and/or recovery) ERM programs and related processes Financial areas (excluding ICFR) Financial reporting (including ICFR) Fraud identification and investigation Governance and culture IT (not covered in other choices) Management of third-party relationships Operational (not included elsewhere) Support for external audit Sustainability or other nonfinancial reporting Other risk category not listed Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Percentage point change in Risk Temperature from 2017 to % 36.3% 5.8% 21.6% 50.0% 10.8% % 16.7% 0.8% 4.5% 33.1% 1.5% % 51.5% 2.4% 5.5% 64.3% 3.5% % 21.4% 1.1% 5.7% 33.3% 1.9% % 21.0% 2.0% 8.9% 20.6% 1.8% % 5.6% 0.1% 1.9% 12.5% 0.2% % 26.5% 2.3% 7.3% 19.9% 1.5% % 15.7% 0.9% 5.6% 30.8% 1.7% % 38.0% 3.1% 8.3% 50.8% 4.2% % 29.6% 1.0% 3.7% 32.3% 1.2% % 33.0% 8.1% 20.4% 45.1% 9.2% % 7.5% 0.3% 3.1% 5.4% 0.2% % 1.2% 0.01% 1.2% 10.1% 0.1% % % Risk temperature 99.9% % 100% % 9.9 Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. Q49: How would you describe the level of risk in your organization in the following areas? Percentages show "high" and "very high" risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Public sector excluding financial services. Primary industries are public administration (48%), educational services (30%), and other (22%). n = 103 for n = 134 for /

31 Privately Held Organizations: More Interest in ERM Privately Held Risk Assessment Privately held organizations span a wide variety of industries (except financial services) and maturity of their internal audit functions. However, internal audit functions in privately held organizations are on average smaller than other types of organizations. The top three risks are similar to other organizations except operational risk, which is the second most frequent area considered high risk, unlike all other organization types. The other notable difference is few CAEs assess financial reporting risk as high, likely because private organizations rarely publicly distribute financial reports. Exhibit 26: Risk Assessment Privately Held (2018) Cyber (prevention and/or recovery) 52% 37% 11% Compliance/regulatory (excluding ICFR) 32% 45% 23% IT (not covered in other choices) 42% 41% 17% Management of third-party relationships 28% 47% 25% Operational (not included elsewhere) 46% 43% 11% ERM programs and related processes 32% 37% 31% Cost/expense reduction or containment 32% 45% 23% Governance and culture 26% 23% 51% Fraud identification and investigation 20% 39% 41% Financial (excluding ICFR) 20% 43% 37% Financial reporting (including ICFR) 4% 38% 58% Sustainability or other nonfinancial reporting 4% 10% 86% Support for external audit 2% 10% 88% High or very high Medium Low or very low Note: Q49: How would you describe the level of risk in your organization in the following areas? ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100%. Privately held excluding financial services. n = 54. / 29

32 Privately Held Risk Assessment Change from Prior Year CAEs from privately held organizations changed their assessment of risk very much in line with publicly traded organization. Compliance, cyber, and financial reporting all decreased. The one notable area of difference for privately held organizations is the large increase in risk assessment for ERM. Exhibit 27: Change in Risk Areas Assessed as High Risk Privately Held (2017 to 2018) Risk areas Percentage point change Cyber (prevention and/or recovery) 61.2% 51.9% -9.3 Compliance/regulatory (excluding ICFR) 38.8% 32.1% -6.7 IT (not covered in other choices) 42.0% 41.5% -0.5 Management of third-party relationships 38.8% 28.3% Operational (not included elsewhere) 44.0% 46.3% 2.3 ERM programs and related processes 12.8% 31.5% 18.7 Cost/expense reduction or containment 22.5% 32.1% 9.6 Governance and culture 20.4% 26.4% 6.0 Fraud identification and investigation 18.4% 20.4% 2.0 Financial (excluding ICFR) 10.4% 20.4% 10.0 Financial reporting (including ICFR) 11.4% 4.3% -7.1 Sustainability or other nonfinancial reporting 0.0% 4.0% 4.0 Support for external audit 6.5% 2.0% -4.5 Note: Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Privately held excluding financial services. n = 54 for n = 50 for /

33 Privately Held Audit Effort Resource allocation by privately held organizations in 2018 is consistent with the average of all organizations. The unique aspect of these organizations is where changes are expected in The increase in resources allocated to ERM and third parties are more than for any other organization type. Exhibit 28: Change in Anticipated Allocation of Audit Effort Privately Held (2017 to 2018) Risk areas Percentage point change Operational (not included elsewhere) 18.7% 17.4% -1.3 Compliance/regulatory (excluding ICFR) 11.4% 12.6% 1.2 Financial (excluding ICFR) 12.1% 10.2% -2.0 Financial reporting (including ICFR) 12.6% 10.1% -2.5 IT (not covered in other choices) 8.6% 9.1% 0.5 Cyber (prevention and/or recovery) 5.8% 6.7% 0.9 ERM programs and processes 3.4% 6.2% 2.8 Cost/expense reduction or containment 7.3% 6.1% -1.2 Fraud identification and investigation 5.6% 5.7% 0.1 Management of third-party relationships 2.7% 4.8% 2.1 Support for external audit 6.9% 4.5% -2.4 Governance and culture 3.1% 3.4% 0.3 Sustainability or other nonfinancial reporting 0.8% 0.8% 0.0 Other risk category not listed 1.0% 2.5% 1.5 Audit plan totals 100% 100% Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Privately held excluding financial services. n = 54 for n = 50 for / 31

34 Privately Held Audit Effort, Six-year Trend The overall trend of audit effort is generally less distinct for privately held organizations, except the trend in operational audits. The amount of effort devoted to operational risk has dropped notably for the last two years with a corresponding increase spread over a number of categories. While the smaller number of Pulse respondents from this type of organization increases the variability of averages from year to year, it also is the case that privately held organizations may not be as influenced by certain external factors as other organizations (e.g., certain compliance requirements). Appendix B provides more details. Exhibit 29: Anticipated Allocation of Audit Effort Privately Held (2013 to 2018) 30% 25% 28.7% Color Code for Risk Groups Financial reporting risks IT-related risks 20% 17.1% 17.4% Operational 15% 10% 5% 14.3% 11.9% 9.9% 4.5% 12.6% Compliance/regulatory (excluding ICFR 10.2% Financial (excluding ICFR) 10.1% Financial reporting (including ICFR) 9.1% IT 6.7% Cyber 6.2% 6.1% ERM and related processes Cost/expense reduction 0% 1.3% Note: Allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. To simplify the exhibit, some risk areas with lower allocations are not shown. Privately held excluding financial services. n = 80 (2013), 70 (2014), 33 (2015), 62 (2016), 51 (2017), 54 (2018). 32 /

35 Privately Held Risk Temperature The Risk Temperature for privately held organizations is the second lowest of the five organization types, with only publicly traded lower. It also has the second lowest increase from 2017 (with only publicly traded lower). The slight increase in Risk Temperature is driven by two areas of increase (ERM and financial), partially offset by one area of decrease (financial reporting). However, caution should be taken as the modest number of respondents in this organization type make detailed generalizations challenging. Consistency characterizes this group of organizations when it comes to risk assessment and allocation of audit effort. Exhibit 30: Risk Temperature Privately Held (2017 to 2018) Risk areas in the audit universe Compliance/regulatory (excluding ICFR) Cost/expense reduction or containment Cyber (prevention and/or recovery) ERM programs and related processes Financial (excluding ICFR) Financial reporting (including ICFR) Fraud identification and investigation Governance and culture IT (not covered in other choices) Management of third-party relationships Operational (not included elsewhere) Support for external audit Sustainability or other nonfinancial reporting Other risk category not listed Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Percentage point change in Risk Temperature from 2017 to % 38.8% 4.4% 12.6% 32.1% 4.0% % 22.5% 1.6% 6.1% 32.1% 2.0% % 61.2% 3.5% 6.7% 51.9% 3.5% % 12.8% 0.4% 6.2% 31.5% 2.0% % 10.4% 1.3% 10.2% 20.4% 2.1% % 11.4% 1.4% 10.1% 4.3% 0.4% % 18.4% 1.0% 5.7% 20.4% 1.2% % 20.4% 0.6% 3.4% 26.4% 0.9% % 42.0% 3.6% 9.1% 41.5% 3.8% % 38.8% 1.0% 4.8% 28.3% 1.4% % 44.0% 8.2% 17.4% 46.3% 8.1% % 6.5% 0.4% 4.5% 2.0% 0.1% % 0.0% 0.0% 0.8% 4.0% 0.03% % % Risk temperature 100% % 100% % 2.1 Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. Q49: How would you describe the level of risk in your organization in the following areas? Percentages show "high" and "very high" risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Privately held excluding financial services. n = 50 for n = 54 for / 33

36 Nonprofit Organizations: Highest Risk in Cyber and Compliance Nonprofit Risk Assessment Organizations focused on health care, social assistance, and educational services are the primary organizations in this grouping. Their assessment of the top risks are consistent with all other organizations, except the percentage of those assessing a risk as high is generally greater than other types of organizations for these top risks. Exhibit 31: Risk Assessment Nonprofit (2018) Cyber (prevention and/or recovery) 81% 17% 2% Compliance/regulatory (excluding ICFR) 61% 26% 13% IT (not covered in other choices) 48% 42% 10% Management of third-party relationships 35% 45% 20% Operational (not included elsewhere) 28% 55% 17% ERM programs and related processes 28% 45% 27% Cost/expense reduction or containment 28% 52% 20% Governance and culture 17% 36% 47% Fraud identification and investigation 13% 37% 50% Financial (excluding ICFR) 22% 43% 35% Financial reporting (including ICFR) 8% 28% 64% Sustainability or other nonfinancial reporting 2% 16% 82% Support for external audit 2% 4% 94% High or very high Medium Low or very low Note: Q49: How would you describe the level of risk in your organization in the following areas? ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100%. Nonprofit excluding financial services. n = /

37 Nonprofit Risk Assessment Change from Prior Year The large increases reported by CAEs from nonprofit organizations were similar to those in financial services and public sector organizations compliance, cost reduction, and cyber. The risk assessment for ERM increased as it did for public sector organizations, but not by as much. The one change not seen in any other organization type was a decrease in operational risk. Exhibit 32: Change in Risk Areas Assessed as High Risk Nonprofit (2017 to 2018) Risk areas Percentage point change Cyber (prevention and/or recovery) 70.6% 81.5% 10.9 Compliance/regulatory (exluding ICFR) 52.9% 61.1% 8.2 IT (not covered in other choices) 51.0% 48.1% -2.9 Management of third-party relationships 46.0% 35.2% Operational (not included elsewhere) 39.2% 28.3% ERM programs and related processes 20.0% 28.3% 8.3 Cost/expense reduction or containment 17.7% 27.8% 10.1 Governance and culture 19.6% 17.0% -2.6 Fraud identification and investigation 13.7% 13.0% -0.7 Financial (excluding ICFR) 12.0% 22.2% 10.2 Financial reporting (including ICFR) 11.1% 8.5% -2.6 Sustainability or other nonfinancial reporting 7.0% 2.0% -5.0 Support for external audit 0.0% 2.0% 2.0 Note: Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Nonprofit excluding financial services. n = 54 for n = 51 for / 35

38 Nonprofit Audit Effort Allocation of audit effort by nonprofit organizations does not diverge substantially from other types of organizations except in a few areas. The increased attention to compliance is at the expense of resources allocated to operational and fraud risks. Financial reporting receives almost no resources. Exhibit 33: Change in Anticipated Allocation of Audit Effort Nonprofit (2017 to 2018) Risk areas Percentage point change Compliance/regulatory (excluding ICFR) 15.9% 18.1% 2.2 Operational (not included elsewhere) 17.2% 15.1% -2.1 Financial (excluding ICFR) 13.2% 12.3% -0.9 IT (not covered in other choices) 8.7% 9.4% 0.7 Cyber (prevention and/or recovery) 8.6% 9.4% 0.8 ERM programs and processes 7.1% 6.9% -0.3 Cost/expense reduction or containment 4.5% 5.6% 1.1 Fraud identification and investigation 6.6% 4.6% -2.0 Financial reporting (including ICFR) 4.8% 4.2% -0.6 Management of third-party relationships 4.5% 4.0% -0.5 Support for external audit 3.5% 3.9% 0.4 Governance and culture 3.5% 3.2% -0.3 Sustainability or other nonfinancial reporting 0.6% 0.7% 0.1 Other risk category not listed 1.2% 2.6% 1.4 Audit plan totals 99.9% 100% Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Nonprofit excluding financial services. n = 54 for n = 51 for A six-year trend of the allocation of audit effort is not provided for nonprofit organizations due to the small number of respondents for this grouping in some years as well as minor changes to this grouping over this period. 36 /

39 Nonprofit Risk Temperature Nonprofit organizations fall in the middle in regard to both the 2018 Risk Temperature and change from last year. However, unlike financial services and public sector which have consistent increases in risk, and publicly traded and privately held which show very muted changes in risk, nonprofits have some notable changes in specific risk areas. Organizations in this grouping exhibit greater fluctuations than other organization types. Some of this may be due to the smaller number of respondents in this grouping, but some may also be due to perception that risks are changing notably for these organizations. Exhibit 34: Risk Temperature Nonprofit (2017 to 2018) Risk areas in the audit universe Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Audit effort (average percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Percentage point change in Risk Temperature from 2017 to 2018 Compliance/regulatory (excluding ICFR) Cost/expense reduction or containment Cyber (prevention and/or recovery) ERM programs and related processes Financial areas (excluding ICFR) Financial reporting (including ICFR) Fraud identification and investigation Governance and culture IT (not covered in other choices) Management of third-party relationships Operational (not included elsewhere) Support for external audit Sustainability or other nonfinancial reporting Other risk category not listed 15.9% 52.9% 8.4% 18.1% 61.1% 11.1% % 17.7% 0.8% 5.6% 27.8% 1.6% % 70.6% 6.1% 9.4% 81.5% 7.7% % 20.0% 1.4% 6.9% 28.3% 2.0% % 12.0% 1.6% 12.3% 22.2% 2.7% % 11.1% 0.5% 4.2% 8.5% 0.4% % 13.7% 0.9% 4.6% 13.0% 0.6% % 19.6% 0.7% 3.2% 17.0% 0.5% % 51.0% 4.4% 9.4% 48.1% 4.5% % 46.0% 2.1% 4.0% 35.2% 1.4% % 39.2% 6.7% 15.1% 28.3% 4.3% % 0.0% 0.0% 3.9% 2.0% 0.1% % 7.0% 0.0% 0.7% 2.0% 0.0% % % Risk temperature 100% % 100% % 3.3 Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Nonprofit excluding financial services. Primary industries represented are healthcare and social assistance (51%), educational services (25%), and other (24%). n = 51 for n = 54 for / 37

40 Internal auditors following a risk-based plan incorporate the assessment of risk into the decisions on how to allocate audit effort. However, that does not necessarily mean that there must be a firm alignment between importance and effort. In other words, the CAE will not necessarily allocate the most effort to the highest priority risk. One might expect a strong relationship between assessed risk and allocation of audit effort, but this relationship is not always as straightforward as one might expect. Audit Focus IIA Standard 2010: Planning The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization s goals. There is no clear mathematical model to determine how much audit effort should be devoted to each risk area. While risk is a critical factor, it is not the only factor. The CAE also considers, among others: Ease of performing audit work. The interest of external parties. Externally imposed compliance/regulatory requirements. Interest of internal stakeholders (e.g., board, senior management). The scope of internal audit work as defined in its charter. Monitoring performed by second line of defense functions. Work performed in prior years. What is important is that the total effort, considering all applicable factors, is adequate to address the risk. The remainder of this section explores each risk area separately exploring four key metrics. Throughout these exhibits, icons highlight areas with more significant increases or decreases in the allocation of audit effort or risk assessment. The risk areas have been combined into related groups using the same color-coded table headers as in the exhibits that showed six-year audit effort trending. These risk groups are further organized according to the percentage of respondents who consider the areas as high risk (as shown in Exhibit 35). 38 /

41 Exhibit 35: Risk Assessment and Anticipated Allocation of Audit Effort All Respondents (2018) Risk areas High/very high risk Audit effort allocation Cyber (prevention and/or recovery) 65% 7% Compliance/regulatory (excluding ICFR) 47% 16% IT (not covered in other choices) 46% 9% Management of third-party relationships 36% 4% Operational (not included elsewhere) 36% 17% ERM programs and related processes 26% 6% Cost/expense reduction or containment 23% 3% Governance and culture 20% 4% Fraud identification and investigation 15% 5% Financial (excluding ICFR) 14% 8% Financial reporting (including ICFR) 14% 14% Sustainability or other nonfinancial reporting 5% 1% Support for external audit 4% 4% Other risk category not listed - 2% Note: Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. n = 636. Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100%. All respondents. n = 636. Cyber, IT, and Third-party Risks: More Audit Effort Needed? Cyber and IT risks are significantly dependent on technology and understanding how that technology interfaces with work processes. Since IT services are often acquired through third-party relationships, this risk area is also included in this grouping. For all three of these risk areas, CAEs generally assessed the risk as higher than other risks, but allocated modest levels of audit resources. Cyber is the area considered high risk by more CAEs than any other area. CAE are planning to devote a small amount of audit effort to cyber in 2018, although it is the area most likely to have increasing audit effort. There are a number of possible reasons for the low level of audit effort planned to be devoted to cyber risk. / 39

42 CAEs may be deciding to limit audit effort if the maturity of the organization s response to cyber risk is low and multiple other parties are working on improvements (e.g., IT security, external consultants). It may be premature to devote high levels of audit effort if the conclusion is obvious. The complexity and unknowns around cyber risk may be inhibiting devoting substantial effort if to do this is not generally understood. Internal audit may lack specialty skills precluding it from performing more extensive audit work. Information technology is considered a high risk by the third highest percentage of CAEs. However, this area is allocated less than 10 percent of effort, essentially the same as in When analyzed by organization type, there is little or no relationship between assessment as high risk and the amount of audit effort currently allocated to the area, or plans to increase audit effort in Audit effort appears to have settled into a range with which most CAEs are comfortable, even though the risk level is high and rising. CAEs allocate one of their lowest levels of audit effort to risks related to third-party relationships, but a higher-thanaverage percentage of CAEs considered it an area of high risk. Use of third parties by organizations has risen notably over the years, but the extent of this use can vary substantially between organizations. The change in risk assessment from last year also varies substantially among organization types with large decreases in privately held and nonprofit organizations, and reasonable increases in the other three. The amount of audit effort allocated to this risk is modest (compared to other risks), with little change from last year (for most organization types). The range of risk as assessed by different organization types narrowed in 2018 versus The same is noticed for the amount of audit effort allocated to this risk. While the total allocation of effort has changed little, the range of responses by organization type is tighter than in /

43 Compliance/Regulatory Risks: Effort Follows Risk There are a vast array of compliance and regulatory risks, and they affect organizations differently. However, nearly all organizations have this risk to some extent, and some organizations consider this a substantial risk area. The compliance/regulatory area is assessed as higher risk by many organizations, but there are notable differences based on organization type and the differences in assessment of this risk by organization type have widened in Approximately half of CAEs in financial services, nonprofit, and public sector organizations assessed this risk as high which was a higher percentage than in Only one-third of those in the other two organization types assess this risk as high which was a lower percentage than in The decision whether to increase audit effort in 2018 is closely related to the risk assessment. Financial services, public sector, and nonprofit organizations are all increasing their audit effort related to this risk. Financial services firms face a wide variety of compliance requirements. The increase in risk for these organizations is most likely due to increased attention by regulators to existing and emerging risks. Public sector internal auditors are likely also responding to stakeholders interests as more state and local auditors in the public sector are being asked to devote attention to compliance risks. As health care related organizations make up a substantial portion of the nonprofit sector, it is understandable that they might devote more resources to compliance risk as health care organizations face increasing regulations. Publicly traded and privately held organizations, the two organization types viewing this risk as decreasing, are not substantively changing their allocation of audit effort or increasing it only modestly. / 41

44 Operational Risks: Gradual Decline in Audit Effort Operational audits are commonly considered part of the bread and butter of internal audit. Internal audit has been devoting significant resources to operational audits for decades, but this amount has been decreasing for most organization types. CAEs allocate the greatest level of planned audit effort to audits addressing operational risks in Since CAEs rank operational risks fourth in the list of areas considered higher risk, there are clearly factors involved other than risk assessment that drive a high level of audit effort. The percentage of audit resources devoted to this area varies only slightly among types of organizations, and there is only mild association between this level of effort and assessing the area as higher risk when comparing responses by organization type. While all but nonprofit organizations consider the risk increasing, most are decreasing audit effort (except for publicly traded organizations). There is no apparent association between an increasing assessment of this risk and the change in allocation of audit effort. As increased risk in other areas indicates a need to increase audit effort, that effort needs to be pulled from somewhere else. When looking at the patterns for financial services, publicly traded, and public sector, there is a clear association between increasing audit effort to a rising risk (e.g., compliance/regulatory, financial reporting), and a reduction in effort allocated to operational. The comfort level of many CAEs with this bread and butter risk area may be resulting in resources diverted away from it. 42 /

45 ERM and Governance Risks: Increased Attention Governance, culture, and risk management have been receiving increased attention throughout the business community as failures in these areas are increasingly considered the cause of business problems. The risk assessment for ERM programs and processes was the third largest increase of all risk areas. This increase is likely associated with more organizations giving attention to risk management and the issuance of the updated COSO ERM Framework Enterprise Risk Management Aligning Risk with Strategy and Performance in Consistent with the increase in the assessment of this risk, the increase in audit effort for this risk was substantive, smaller only than the increase in IT effort. Unless board or management attention to ERM falls in the future, one could expect these trends to continue. Governance and culture has been getting increasing attention with a number of issues that surfaced in recent years (e.g., VW, Wells Fargo, Kobe Steel). However, the percentage of CAEs who consider this a high-risk area is modest, with only a small increase from last year. CAEs in publicly traded organizations, where governance and culture risk exposure may be greatest, are the least likely to consider governance and culture a high risk. Little audit effort is devoted to this area in 2018, an amount that is essentially unchanged from last year. It is difficult to argue culture has no impact when it is toxic and that toxicity becomes public. However, it appears that CAEs see this as a risk mostly for other organizations, not their own. More may consider this a high risk as they become more cognizant of the risk or experience a problem in their organization. / 43

46 Fraud and Cost Containment Risks: Risk Increasing The easiest way for some CAEs to show value from their efforts is to deliver cost savings or identify a fraud. While most CAEs consider other risk areas as more important than these, fraud and cost containment risks remain a foundational element of internal audit work for many CAEs. Cost/expense reduction or containment had the largest increase in the percentage of respondents who rated the area as high risk. The percentage who assessed this risk as high is modest, but the large increase is unusual in a period that overall financial conditions are generally considered to be trending upward. This large increase was present in all organization types, but especially the public sector. There was a period when many internal audit functions focused heavily on this risk, using cost savings as a way to quantify internal audit s value. As internal audit functions matured, and stakeholders gained an awareness that internal audit s value is not limited to reducing expenses, internal audit efforts diversified away from this risk. Consistent with this view, even though more CAEs are considering it a high-risk area, they are reducing audit effort related to this risk. Fraud can take a number of different forms in an organization, ranging from theft to false reporting to bribery and more. The percentage of respondents who view this area as high risk has fallen, as has the planned level of audit effort in Those who consider fraud a high-risk area devote more attention to it. Public sector and privately held organizations have the highest percentage of CAEs who consider fraud a high-risk area and these CAEs correspondingly give this area more attention than CAEs in the other types of organizations. 44 /

47 Financial Risks: Priority Only in Publicly Traded Organizations Finance is a very traditional area for internal auditing. Many CAEs administratively report to their CFO and a large number of auditors can often trace their work history back to a finance position. However, unless an organization is publicly traded or in financial services, few CAEs consider finance to be a high-risk area. Financial reporting (including internal controls over financial reporting) has been a traditional internal audit focus area. It gained increased attention for publicly traded organizations with the passage of Sarbanes-Oxley and the requirements of Section 404, Management Assessment of Internal Controls. Few respondents, even in publicly traded organizations, assess this area as high risk. For most organization types, this is consistent with the relatively low level of audit effort allocated to this risk area. Outside of publicly traded organizations, little audit effort is devoted to this risk and is expected to decline in For publicly traded organizations, however, there is a different situation. While only a modest percentage assess this risk as high, this risk area is allocated the most audit effort, more than twice any other risk area. In addition, audit effort is expected to increase in Similar to financial reporting, financial related risks have been a traditional area of focus for internal audit. While the percentage of respondents who considered this area high risk is equal to that for financial reporting, the amount of audit effort is significantly lower, more in line with the level of risk. Other The other risk areas had relatively lower assessments of risk from Pulse respondents. Support for external audit and nonfinancial reporting each were considered high risk by less than 5 percent of respondents. For the reader s convenience, Appendix C provides a table that combines all of the data used in this discussion of audit plan risk areas. / 45

48 This report provides information for CAEs to compare their functions with those of their peers. In analyzing this information, an approach CAEs should consider is: Understand the similarities and differences between their assessment of risk and the averages for comparable organizations included in this report. Consider whether these differences are explained by unique organizational factors or different evaluations and decisions made by other CAEs. Where it is possible that other CAEs are assessing risk areas differently, not because of organizational specific factors, CAEs should consider challenging their own assessment of risk. Understand the similarities and differences between allocation of audit effort and the averages for comparable organizations included in this report. Where peers have made different decisions, consider whether similar changes in their own internal audit functions might improve internal audit s effectiveness. Do not assume past practice is most appropriate when evidence exists that peer organizations are notably different. Explore potential changes in risk assessments and/or allocation of audit effort. Perform additional benchmarking and inquiry, and critically evaluate what is in the best interest of the organization. Decide on specific action steps to implement needed changes. Internal auditors are partially, but not wholly, driven by risk in making decisions allocating audit effort. While survey responses indicate the presence of factors other than risk affecting decisions to allocate audit effort, each CAE should be very careful that old habits, limitations of current skills, inattention, or other factors do not preclude allocating audit effort based on risk. The information and data presented in this report is necessarily at a high level. Much more in-depth analysis of these topics, as well as many other additional topics, is possible through The Audit Executive Center of The IIA by using the benchmarking capabilities of The IIA Audit Intelligence Suite, which includes a detailed benchmarking report, a staff skills assessment, and an option to survey key stakeholders. 46 /

49 This year s Pulse of Internal Audit introduces the Risk Temperature of the Audit Universe (Risk Temperature). Risk Temperature provides a way to look at the risk level of the audit universe as a whole, calculating how much of the audit universe is rated as high/very high risk. (An audit universe is all the risk areas included in an audit plan.) This measure can be calculated for an organization as well as for parts of or groups of organizations. Two factors are used to create Risk Temperature: 1) the percentage of the audit effort assigned to each risk area and 2) the risk assessment for each risk area. These two factors allow the Risk Temperature to be weighted according to audit effort so that risk areas with higher audit effort are weighted more heavily in the calculation. Risk Temperature is computed as follows: Percent of Pulse respondents who rated a risk area as high or very high, multiplied by average effort devoted to each risk area for respondents. The product of these two factors is the contribution to the Risk Temperature from that risk area. All of the computed amounts are summed to arrive at the Risk Temperature. The following simplified example shows how Risk Temperature is calculated, as applied to an individual internal audit function. In this example, the compliance/regulatory risk area receives 40 percent of the audit effort (column 1) and was rated as high/very high risk (column 2) by 30 percent of the respondents, this results in the compliance/ regulatory risk area contributing 12 percent to the Risk Temperature (column 3). This same calculation is used for all of the risk areas allocated audit effort. The sum of the computed percentages in column 3 is the overall Risk Temperature of this audit universe, which is 27 percent. In other words, 27 percent of the audit universe is considered high/very high risk. Exhibit A.1: Risk Temperature Calculation Example Column 1 Column 2 Column 3 Risk areas in the audit universe Audit effort (percentage of audit plan) Percentage who rated risk area as high risk Percentage of audit universe rated high risk Compliance/regulatory (excluding ICFR) 40% 30% 12% Operational (not included elsewhere) 30% 20% 6% Cyber (prevention and recovery) 18% 10% 2% IT (not covered in other choices) 10% 70% 7% Other 2% - Risk temperature 100% 27% / 47

50 Risk Temperature can range from 0 to 100 percent. If no risk areas were assessed as high risk, the Risk Temperature would be zero. If every risk area was assessed as high risk, the Risk Temperature would be 100 percent. Risk Temperature can be viewed in two different, but related, ways: Risk temperature represents the portion of the audit universe that is rated as high risk, weighted by the amount of audit effort devoted to that area. It represents the percentage of audit effort devoted in a year to high risk areas. In either case, the Risk Temperature is a useful metric to judge how Pulse respondents view the change in risk levels in their organization related to the areas in their audit universe. The Risk Temperature for all respondents as a group increased from 26.3 percent to 31.0 percent. One way of thinking about this metric, on average, is 31 percent of the audit universe is considered high risk. Alternatively, CAEs are allocating 31 percent of their effort to those risk areas they assess as high risk. Note: The calculation of Risk Temperature is limited to using data related to the risk areas typically included in the internal audit universe. It is likely there are other risk areas for organizations, but they are not included in internal audit s scope of work. However, the risk areas addressed in Pulse represent 98 percent of the audit effort of the respondents. 48 /

51 Exhibit B.1: Anticipated Allocation of Audit Effort (2013 to 2018) All Respondents Risk areas Operational 27.0% 23.9% 23.0% 23.9% 18.7% 17.1% Compliance/ regulatory (excluding ICFR) 14.9% 14.2% 13.9% 13.8% 12.9% 15.6% Financial reporting (including ICFR) 13.4% 12.4% 10.7% 10.6% 14.6% 14.0% IT (not covered in other choices) 11.1% 10.3% 11.9% 11.5% 9.2% 9.4% Financial (excluding ICFR) 13.8% 9.1% 8.2% 6.9% 9.0% 8.0% Cyber 6.3% 7.2% ERM and related processes 5.5% 7.0% 7.1% 7.6% 4.8% 6.2% Fraud identification and investigation 3.9% 3.5% 4.0% 3.9% 5.9% 5.0% Governance and culture 2.9% 4.4% 4.4% 4.5% 3.6% 3.9% Support for external audit 5.6% 4.0% Third-party relationships 3.1% 4.2% 4.4% 3.3% 3.7% Cost/expense reduction or containment 1.9% 1.6% 3.0% 2.1% 4.1% 3.5% Sustainability or other nonfinancial reporting 0.8% 0.7% Other risk category not listed 1.8% 4.0% 1.7% 1.9% 1.1% 1.7% Crisis management 0.6% 0.8% 1.6% 1.3% Strategic business risks 3.3% 5.7% 6.4% 7.6% SUM 100% 100% 100% 100% 100% 100% Number of respondents Note: Anticipated allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. There were some changes in categories over these six years. The strategic business risks category was removed effective 2017 as audit effort in this category could overlap with most any of the other categories. Cyber was added in Most likely, the effort devoted to cyber was previously included either in the operational or IT risk categories. All respondents. n = 502 (2013), 424 (2014), 326 (2015), 443 (2016), 509 (2017), 636 (2018). / 49

52 Exhibit B.2: Anticipated Allocation of Audit Effort (2013 to 2018) Publicly Traded Risk areas Operational 20.3% 20.0% 19.1% 17.7% 12.5% 14.9% Compliance/ regulatory (excluding ICFR) 11.4% 9.2% 11.2% 9.3% 9.7% 10.2% Financial reporting (including ICFR) 28.2% 24.8% 22.8% 26.9% 29.1% 30.4% IT (not covered in other choices) 11.0% 11.2% 11.9% 11.4% 8.8% 8.4% Financial (excluding ICFR) 12.1% 10.1% 8.7% 7.6% 7.6% 6.5% Cyber 6.0% 6.2% ERM and related processes 4.0% 4.8% 4.9% 6.3% 4.2% 5.2% Fraud identification and investigation 3.5% 2.9% 3.5% 3.9% 5.5% 4.7% Governance and culture 2.5% 3.1% 3.7% 3.9% 2.2% 2.2% Support for external audit 6.4% 4.3% Third-party relationships 2.3% 3.7% 3.4% 2.5% 3.0% Cost/expense reduction or containment 2.2% 1.3% 2.8% 1.9% 3.9% 2.8% Sustainability or other nonfinancial reporting 0.4% 0.4% Other risk category not listed 1.5% 4.5% 1.5% 1.0% 1.2% 0.9% Crisis management 0.4% 0.5% 0.8% 0.8% Strategic business risks 3.0% 5.3% 5.5% 5.9% SUM 100% 100% 100% 100% 100% 100% Number of respondents Note: Anticipated allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. Publicly traded excluding financial services. n = 171 (2013), 140 (2014), 102 (2015), 110 (2016), 166 (2017), 197 (2018). Exhibit B.3: Anticipated Allocation of Audit Effort (2013 to 2018) Financial Services Risk areas Operational 30.6% 24.9% 24.4% 24.9% 22.4% 17.7% Compliance/ regulatory (excluding ICFR) 17.0% 16.5% 14.0% 16.0% 13.7% 17.1% Financial reporting (including ICFR) 8.3% 8.9% 7.3% 8.8% 10.8% 10.0% IT (not covered in other choices) 12.5% 11.6% 13.4% 12.6% 11.0% 11.1% Financial (excluding ICFR) 11.2% 7.4% 7.2% 6.6% 7.5% 7.1% Cyber 7.3% 8.7% ERM and related processes 7.1% 9.7% 8.2% 7.9% 4.9% 7.4% Fraud identification and investigation 2.5% 2.6% 4.1% 3.0% 4.4% 3.6% Governance and culture 3.6% 5.3% 4.4% 4.1% 4.0% 4.5% Support for external audit 6.0% 4.3% Third-party relationships 2.9% 4.7% 4.6% 4.0% 4.0% Cost/expense reduction or containment 0.7% 0.6% 2.3% 1.4% 2.5% 2.2% Sustainability or other nonfinancial reporting 1.1% 0.6% Other risk category not listed 2.4% 2.4% 1.7% 1.9% 0.6% 1.7% Crisis management 0.9% 0.7% 1.8% 1.3% Strategic business risks 3.2% 6.4% 6.6% 7.0% SUM 100% 100% 100% 100% 100% 100% Number of respondents Note: Anticipated allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. Financial services from all organization types. n = 90 (2013), 97 (2014), 91 (2015), 139 (2016), 139 (2017), 186 (2018). 50 /

53 Exhibit B.4 Anticipated Allocation of Audit Effort (2013 to 2018) Public Sector Risk areas Operational 35.2% 26.4% 24.8% 27.4% 24.4% 20.4% Compliance/ regulatory (excluding ICFR) 18.5% 19.6% 20.0% 16.8% 16.1% 21.6% Financial reporting (including ICFR) 0.9% 0.4% 0.2% 0.6% 2.1% 1.9% IT (not covered in other choices) 8.8% 6.5% 11.0% 10.0% 8.1% 8.3% Financial (excluding ICFR) 12.9% 7.6% 7.4% 5.3% 9.5% 8.9% Cyber 4.7% 5.5% ERM and related processes 7.5% 8.1% 7.5% 8.2% 5.3% 5.7% Fraud identification and investigation 5.5% 5.7% 4.9% 5.1% 8.6% 7.3% Governance and culture 2.6% 5.9% 4.9% 6.1% 5.6% 5.6% Support for external audit 4.4% 3.1% Third-party relationships 4.6% 5.0% 4.4% 3.4% 3.7% Cost/expense reduction or containment 3.1% 2.3% 3.7% 2.6% 4.8% 4.5% Sustainability or other nonfinancial reporting 1.2% 1.2% Other risk category not listed 1.4% 5.4% 2.5% 3.1% 1.7% 2.3% Crisis management 0.5% 1.4% 1.9% 1.7% Strategic business risks 3.1% 6.1% 6.3% 8.7% SUM 100% 100% 100% 100% 100% 100% Number of respondents Note: Anticipated allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. Public sector excluding financial services. n = 106 (2013), 88 (2014), 61 (2015), 103 (2016), 103 (2017), 134 (2018). Exhibit B.5: Anticipated Allocation of Audit Effort (2013 to 2018) Privately Held Risk areas Operational 28.7% 25.0% 27.6% 27.8% 18.7% 17.4% Compliance/ regulatory (excluding ICFR) 14.3% 15.0% 10.7% 11.8% 11.4% 12.6% Financial reporting (including ICFR) 9.9% 8.8% 11.0% 5.3% 12.6% 10.1% IT (not covered in other choices) 11.9% 11.0% 9.8% 11.6% 8.6% 9.1% Financial (excluding ICFR) 17.1% 10.0% 10.8% 7.7% 12.1% 10.2% Cyber 5.8% 6.7% ERM and related processes 4.5% 7.0% 7.8% 7.9% 3.4% 6.2% Fraud identification and investigation 3.7% 4.0% 3.0% 3.7% 5.6% 5.7% Governance and culture 2.8% 3.6% 4.0% 4.5% 3.1% 3.4% Support for external audit 6.9% 4.5% Third-party relationships 3.5% 3.0% 4.9% 2.7% 4.8% Cost/expense reduction or containment 1.3% 2.3% 2.6% 3.2% 7.3% 6.1% Sustainability or other nonfinancial reporting 0.8% 0.8% Other risk category not listed 1.2% 4.1% 1.5% 1.4% 1.0% 2.5% Crisis management 0.8% 0.7% 2.4% 1.2% Strategic business risks 4.0% 5.0% 5.9% 9.1% SUM 100% 100% 100% 100% 100% 100% Number of respondents Note: Allocation of audit effort according to the annual Pulse survey from 2013 to ICFR = internal controls over financial reporting. ERM = enterprise risk management. Privately held excluding financial services. n = 80 (2013), 70 (2014), 33 (2015), 62 (2016), 51 (2017), 54 (2018). / 51

54 52 /

55 Note: Q48: Looking ahead over the next 12 months, please indicate what percentage of your audit plan you anticipate will be allocated to each of the risk categories listed. All respondents. n = 636 for n = 535 for Q49: How would you describe the level of risk in your organization in the following areas? Percentages show high or very high risk. ICFR = internal controls over financial reporting. ERM = enterprise risk management. Rounding has been adjusted so that totals equal 100% for anticipated allocation of audit effort and risk assessment (high/very high). All respondents. n = 630 for n = 523 for / 53

56 A Better View of Your Internal Audit Activity Introducing the Audit Intelligence Suite Benchmark Assess Survey Benchmark your audit function, assess your team, and survey your key stakeholders. Once you know the results, you will be in a better position to improve your audit activity. Learn More

57 ABOUT THE AUDIT EXECUTIVE CENTER The IIA s Audit Executive Center (AEC ) is the essential resource to empower CAEs to be more successful. The Center s suite of information, products, and services enables CAEs to respond to the unique challenges and emerging risks of the profession. For more information on the Center, visit ABOUT THE IIA The Institute of Internal Auditors (IIA) is the internal audit profession s most widely recognized advocate, educator, and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more than 190,000 members from more than 170 countries and territories. The association s global headquarters are in Lake Mary, Fla. For more information, visit DISCLAIMER The AEC and The IIA publish this document for informational and educational purposes. This material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The AEC and The IIA recommend that you always seek independent expert advice relating directly to any specific situation. The AEC and The IIA accept no responsibility for anyone placing sole reliance on this material. COPYRIGHT Copyright 2018 by The Institute of Internal Auditors (IIA) located at 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, U.S.A. All rights reserved. This report, including the written content, information, images, charts, as well as the pages themselves, is subject to protection under copyright laws. As copyright owners, only The IIA has the right to 1) copy any portion; 2) allow copies to be made; 3) distribute; or 4) authorize how the report is displayed, performed, or used in public. You may use this report for non-commercial, review purposes. You may not make further reuse of this report. Specifically, do not incorporate the written content, information, images, charts, or other portions of the report into other mediums or you may violate The IIA s rights as copyright owner. If you want to do any of these things, you must get permission from The IIA. This report is reserved for your exclusive use as a member of the Audit Executive Center. To distribute this report or any contents, you must get permission from The IIA.