
Internal Audit: What's on the horizon?

kpmg.co.uk


Being nimble is a critical attribute for all internal audit teams. There is an ongoing responsibility to survey the landscape for new, or heightened, risks and to ensure scarce resources are directed to the areas that matter most.

As we approach the end of 2011, a powerful combination of factors means the ability to adapt is more important than ever. Economic uncertainty, the fragility of the technology on which we depend, the search for new ways of working to drive efficiency, new market and product opportunities, regulation, human behaviour and the pace of organisational change are all contributing to the increased velocity of emerging risks that can threaten business stability.

With this in mind we have pulled together a summary of common risks impacting how internal audit teams are looking at their future plans.

Teams are also challenging established operating models to re-define how they provide assurance and add value to the organisations they serve. The areas being targeted include:

Flexibility: The world is changing at a phenomenal pace. Internal audit plans must be regularly reviewed and challenged to ensure they remain relevant. If a plan looks the same as it did 12 months ago, alarm bells should be ringing.

Effective challenge: Internal audit must be the control conscience of the organisation. The team should be clear in articulating what is needed from an assurance perspective and make sure their voice is heard, encouraging debate and securing the right resource and specialist skills.

Innovate: With demands to do more for less, innovation is key. Enhanced self assessment processes or detailed control surveys are two examples. Embedding more and better use of technology is becoming the norm, ranging from data analytics to continuous audit initiatives.

Refresh: Teams are taking a fresh look at their integrated governance, risk and control frameworks. Are roles clearly defined, and do activities fit seamlessly? Assurance mapping is just one example: do you have a clear picture of how all of your assurance activities are working together?

Engage: Internal audit have a unique opportunity, and responsibility, to identify emerging risks and support the board and risk teams as part of an effective, integrated governance, risk and assurance cycle. Now is not the time to be a bystander.

Be brave: Assurance spend must be managed efficiently just as in any other part of the business. However, when resource and budget constraints become the primary driver of assurance activity, something is wrong and concerns must be raised.

The ongoing global turbulence and sheer velocity of business change means some of
the issues faced may be new and uncharted, but the responsibility is no different:
internal audit must support the strategic and risk management teams to understand
the consequences of today's and tomorrow's business operations, what might go
wrong and where internal audit can best support business objectives.

Paul Sawdon
Partner, UK Head of Internal Audit

© 2011 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with
KPMG International Cooperative, a Swiss entity. All rights reserved.

IT change and external threats

Threats to information security are more sophisticated and emerging faster. Now, organisations and individuals are being specifically targeted for attack, with motivations arising for many reasons, including organised crime and political beliefs. This, combined with the pace of change and adoption of new technologies, makes all things IT an imperative.

Data leakage: have you classified data according to its sensitivity and can you identify where all your data is and who has access to it? Think about how the business is protecting itself against data leakage incidents, monitoring to detect where they may have occurred, creating effective incident response processes and updating your approach when a new threat arises.

New technologies: cloud computing, server virtualisation, near field communication and micro-payment systems are racing forward. Have you identified the risks and audit needs associated with a new technology, planned or recently implemented, for example: security; maintenance; vulnerability; contamination; backup/recovery?

Understanding your specific cyber threat: internal audit must consider the specific threat; does your industry, profile, nature of operations or relationships put you at a higher risk? If the answer is yes, direct the audit plan to focus on security.

Any system change: IT changes do not always need to be exotic. A new inventory system going wrong can have significant value implications. Make sure internal audit is providing assurance at the right time.

Skills and resources: IT risks are complex and mercurial. Assurance has to be in place, delivered by teams with the right skills. Leaving black holes in the audit plan because of potential skills gaps must be avoided.

Keeping up with business change

Growth and cost reduction strategies focused on doing things differently place specific demands on internal audit. New operations in emerging markets, joint ventures, outsourcing, offshoring and new product development, as well as process efficiency projects such as shared service centres, all present new risks to be managed and questions for internal audit to consider. For anything new:

Have business needs raced ahead of control design?
Is risk management appropriately embedded?
Has the need for independent programme assurance been assessed?
Do systems and controls deviate from the group standard?
Are all group operations fully aligned?
Is there an impact from negative economic policies or purely political risks, for example, contentious elections, political violence?
Can local expertise be relied upon to deal with complex legislation, adverse regulatory changes and administrative requirements?
Are the language and cultural skills of existing internal audit staff up to the task?

Business continuity, disaster recovery and business survival: can you cope with a crisis?

Constant change is today's norm but are those changes reflected in existing and new business and IT service continuity arrangements? In planning audit work there is a broad range of considerations including:

Is your business impact analysis good enough? Does it adequately determine business critical processes and functions, their critical dependencies, partners and recovery timescales?
Have plans been adequately tested?
Have you covered all the angles: legacy infrastructure, a growing technology estate and new technologies such as Cloud?
Has crisis management been tested to restrict reputational damage?
Has the business identified and worked with its critical partners? Ask suppliers for evidence of their testing plans.
Are different parts of the business fully aligned?
When looking at business continuity, consider more extreme disruptions; for example rioting, regime change, and extreme natural disasters.


Fraud still on the increase

Fraud in the UK reached £1.1bn in the first six months of 2011 compared to £609m in the same period in 2010.
KPMG's Fraud Barometer, June 2011

Companies continue to invest in improving their anti-fraud controls, yet the level of internal and external fraud is still rising. Potential questions for internal audit include:

Has the business mapped the fraud threat landscape against a changing controls environment?
Is the business aware or in denial of the risk?
Is there a fraud risk management strategy?
Have you reviewed the existence and adequacy of fraud policy, staff training and awareness, and the fraud reporting structure?
Do you include fraud risks in all audits and pull together a fraud risk picture as part of progress/annual reporting?
Has restructuring of areas such as finance exposed controls to weakness or breach?
Are fraud related roles clear?

Global economic uncertainty: treasury related risks

With continuing global economic uncertainty, treasury and funding risks, including the management of counterparty credit risk, are receiving a high level of focus from boards. The complexity, both real and perceived, of treasury operations often means it is an internal audit blind spot for some organisations. In today's world this has to be avoided and audit must look at how controls are working:

Are treasury management systems used and are they effective?
Is training required on current treasury practices?
What kind of measures does the business use to capture and monitor counterparty risk and are all deposits and derivatives of subsidiaries covered?
Is measurement of exposure to counterparty credit risk, across the whole Group, performed frequently, given the dynamic nature of markets?
Has consideration been given to market sensitive indicators, such as credit default swap spreads, for managing counterparty exposure, as well as primary methods such as credit ratings?

Response to Financial Reporting Council (FRC) paper on risk

The FRC Paper "Boards and risk: A summary of discussions with companies, investors and advisors" sets out three main conclusions as well as some useful insights.

There has been a step change in the Board's focus on risk in the last few years. This conforms to the emphasis in the revised Code on the Board's responsibility for strategic risk decision-making.
While Internal Control: Revised Guidance for Directors (the Turnbull Guidance) is still broadly fit for purpose, some change is needed to reflect the role of the Board as articulated in the new version of the Code. The FRC intends to carry out a limited review during 2012.
The approaches and techniques used by boards have been developing rapidly. One size very definitely does not fit all, but there are some common themes and techniques found to be useful.

Many audit teams are driving the discussion around what the FRC paper means to their business. Now may be the right time for an independent audit of risk management processes.

Non-financial disclosures

Increasing corporate transparency and reporting for regulatory needs, such as the Carbon Reduction Commitment, have led to more new information being shared on a regular basis. The lack of history, established standards and reporting protocols can lead to mistakes. If this information is unreliable and not robustly managed, the business and directors are publicly exposed.

Internal audit teams should be looking at what information, away from finance, is being published. All risks, whether reputational, regulatory or other, must be factored into the annual audit plan.
Where reporting and monitoring are off system, single entry, and spreadsheet based, there is frequently a higher risk of error.
Internal audit should consider whether the team involved in preparing reports and disclosures have training and experience in the relevant field, for example environmental, carbon or health and safety reporting. Does the team really understand the subject at hand?


Core controls testing is risk based audit

The focus on risk based auditing in recent years has moved some teams away from core controls testing as it was perceived as routine. The pressures created by the current economic environment, combined with potentially fatal consequences of poor forecasting, surprise write offs or breaching covenants, can today mean a focus on core controls is risk based auditing.

Internal audit has to be, above all, the core control expert. There is no excuse for not knowing what the controls are and whether or not they are working. While of general importance, an increased focus by internal audit may be required in particular circumstances:

Is your organisation experiencing cost reduction pressures or significant strategic change?
Is there uncertainty over key risks and where vulnerabilities are?
Has your organisation experienced recent breakdowns in internal controls?
Are there multiple compliance projects/controls requirements? Get involved early: serve as a catalyst for positive change in processes and controls.
Has there been a high turnover of staff recently?
Have operations fallen behind budget or market expectations?

Expanding into new markets: joint ventures

In a post credit-crunch world, with limited borrowing opportunities, companies are expanding into new markets by pooling resources and knowledge with other parties. Investing in joint venture operations fundamentally changes the demands on internal audit. Internal audit has a critical role in determining where assurance is needed and key assessment criteria include:

Do you have appropriate visibility over the processes and controls in your joint venture?
Has the business recently invested in a joint venture in a new market/country/segment?
Is there limited interaction between your staff at HQ and the staff based in the joint venture?
Is the joint venture partner you are working with favoured by the local government?
Does the joint venture operate in a market which has legal uncertainty?
Are you in a legal dispute with your joint venture partner?
Have you been forced to give back equity in your joint venture?

Anti-Bribery and Corruption (AB&C): is your compliance programme embedded and effective?

Companies are already implementing compliance programmes to address the Bribery Act's adequate procedures provisions. These programmes must be embedded throughout the organisation from top to bottom, and in particular in overseas operations in emerging markets, becoming part of the day to day operating procedures. Internal audit must consider whether the programme is adequate to manage AB&C risks and adapt its audit programmes to incorporate appropriate testing of anti-bribery controls. Important considerations include:

Do you have a detailed knowledge of what your organisation has done and have you developed a comprehensive plan to test the design and effectiveness of AB&C controls?
How are internal audit assessing AB&C risks and the actions to mitigate those risks? How quickly is internal audit responding to changes in business operations?
Does the business have a well developed set of red flag criteria and challenge transactions on this basis? Authorities expect businesses to pay close attention to such indicators. Ignoring them will be regarded as evidence that corporate procedures were far from adequate.
Does the business know who their associated persons are and if the level of due diligence conducted on them is in line with the risk they bring? Under the Act, an organisation may be liable for bribery committed by an associated person acting for or on their behalf.
Are you looking at the detail? For example, have you reviewed the contractual clauses with third parties and suppliers to ensure that they contain the appropriate AB&C clauses?


Contact us
Paul Sawdon
Partner, UK Head of Internal Audit
T: +44 (0)20 7311 8169
E: paul.sawdon@kpmg.co.uk
David Defroand
Partner
T: +44 (0)20 7311 8161
E: david.defroand@kpmg.co.uk
Anthony Kennedy
Partner
T: +44 (0)20 7694 2875
E: anthony.kennedy@kpmg.co.uk
Jenny Morgan
Partner
T: +44 (0)121 232 3873
E: jenny.morgan@kpmg.co.uk
Andrew Sayers
Partner
T: +44 (0)20 7694 8981
E: andrew.sayers@kpmg.co.uk
Stephen Spellman
Partner
T: +44 (0)20 7694 3544
E: stephen.spellman@kpmg.co.uk

The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such
information without appropriate professional advice after a thorough examination of the particular situation.
The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.

www.kpmg.co.uk

RR Donnelley I RRD-258902 I December 2011
