Nordic Internal Audit


Benchmarking program
Denmark, Finland, Norway, Sweden
2016

© Ernst & Young. All rights reserved.


Confidential & Proprietary.
Internal Audit Benchmarking Program 2016

Contents
Introduction
  Background
  Respondent insights
  EY’s methodological approach
Summary of results
  Executive summary
  Top ratings by Nordic country
Detailed survey results
  Right direction
  Right competencies
  Right enablers

Introduction

Background

The world continues to change

► Volatile markets and financial instability continue to plague global economies, while the pace of technological change keeps accelerating. Organizations need flexibility to keep their balance in the changing environment. Internal Audit functions have to foresee emerging threats and adapt their assessment procedures and audit plans in order to be able to provide input and insight on these threats or risks.
► With organizations increasingly relying on vast amounts of digital data to do business, cybercrime keeps growing, damaging the organization and its brand. Companies may not be able to control when information security incidents occur, but they can control how they respond to them. Expanding detection capabilities is a good place to start for Internal Audit functions.
► Applying up-to-date digital tools and technologies in the daily audit routine increases the possibility of detecting cybercrime or potential weak areas. Internal Audit functions can support organizations with the establishment of a security operations center, focused on securing and enabling the business as well as protecting sensitive information.
► More and more, robotics is replacing traditional operations. In line with increased connectivity and the Internet of Things (IoT), new rules and regulations are being introduced. Internal Audit functions should bulk up on domain expertise and skills in their teams to meet these challenges.
► Consumers, investors and regulators are demanding greater visibility in everything that an organization does. Accordingly, organizations need their Internal Audit function to take on a much larger role within the organization and serve as a subject matter specialist to business management around strategic initiatives, challenges and changes in the organization.

Respondents to the Nordic Internal Audit Benchmarking survey 2016

► In February and May 2016, EY conducted a survey, undertaking qualitative interviews to gain insight into the internal audit practices
adopted by Nordic-based organizations. The majority of the respondents are Chief Audit Executives in diverse industrial companies.

Demographics of survey participants:

51 respondents

[Chart: Respondents. Categories: CAE; Head of Internal Control; CFO; Other]
[Chart: Annual revenue (EUR) of respondents. Categories: > 15 billion; 10-14,9 billion; 7-9,9 billion; 5-6,9 billion; 3-4,9 billion; 1-2,9 billion; < 1 billion]
[Chart: Industry. Categories: Industrial products; Power and utilities; Real estate; Retail and wholesale; Transportation; Telecommunication; Automotive; Consumer products; Other]
[Chart: Employees. Categories: > 100 000; 50 000-99 999; 25 000-49 999; 10 000-24 999; 5 000-9 999; < 5 000]


EY’s methodological approach to Internal Audit Operating Framework

Using our extensive knowledge, we have designed a framework to describe leading practices in internal audit. Each of the framework elements was considered in our assessment of the survey results. Our methodology is based on the three main strategies illustrated below:

Right direction
Aligning Internal Audit’s purpose and mandate with the expectations of the Audit Committee, executive management and other stakeholders

Right competence
Acquiring the people, competencies and experience to achieve Internal Audit’s objectives

Right tools
Establishing appropriate technology infrastructure to facilitate the achievement of Internal Audit’s objectives

[Diagram: framework elements. Purpose and mandate; Stakeholder relationship management; Team and organization structure; People and skills development; Tools and technology; Operations and reporting; Internal audit methodology and delivery; Knowledge management; Quality and risk assurance]


Summary of results

Executive summary

Direction
Internal Audit is expected to be at the forefront of new challenges in the changing environment
► Internal Audit functions are aiming to take on the role of strategic advisor through increasing their focus on both operational and strategic risks connected to the organization’s business objectives.
► Internal Audit is paying increased attention to emerging risks, e.g., related to cybersecurity.
► There is a general focus on monitoring and supervision activities in industrial companies, e.g., compliance functions are becoming more common, executive management gets more involved in the internal audit planning processes, etc.

Competence
To align with the changing mandate and new focus areas, access to domain expertise is of utmost importance
► Internal Audit functions are implementing flexible sourcing models (guest auditors, co-sourcing, outsourcing, etc.) to improve the efficiency of audit execution and manage competence gaps.
► As the organization's strategic objectives, risk environment and market and regulatory landscape evolve, the skills and experience of the audit function must respond accordingly.
► Some areas have experienced a high rotation of Internal Audit executives in the past two years. This highlights a challenge for Internal Audit functions and may impact the ability to attract and retain people with solid business understanding and auditing experience.

Tools
Putting technology and robust audit software within the reach of every auditor is crucial to improve efficiency and effectiveness
► Nordic Internal Audit functions possess insufficient in-house data analytics competence, which is partially compensated by either outsourcing or co-sourcing.
► As demand for value-adding activities increases, Nordic Internal Audit functions face additional requests to improve risk coverage and services without increasing their budgets.
► Increased industry scrutiny of supervisory boards and executive managers pushes internal auditors to perform deep-dive reviews of audited areas, and to assess risk exposures more critically.


Internal Audit retains the role of strategic advisor

► Operational audits and compliance and financial reporting remain top audit tasks for the Nordic Internal Audit functions. Even though operational audits are identified as one of the top tasks, 35% of respondents considered operational risks as “less important” or “least important” in the risk assessment. A high focus on compliance is highlighted by the risk and competency ratings; compliance risks are one of the highest-rated risks, as 51% of those surveyed state that compliance represents the “most important” or “important” risk. It is also rated as the fourth most necessary key competence. A key factor driving this development could be the increase in compliance functions, from 50% in 2014 to 76% in 2016.
► Internal Audit departments will continue to focus on operational and strategic risks in the next two years. However, the decline witnessed from 2014 levels may possibly be due to prior implementation. Compliance and financial reporting risks are expected to rise in importance over the next years compared to 2014.
► In response to the changing requirements for the third line of defense, Internal Audit has become more involved in the organization’s risk assessment procedures by supporting the management with professional input.

A clear understanding of the ownership of risk and control processes across the company allows for greater clarity in the role of Internal Audit. This understanding helps Internal Audit deliver its mandate to support the board and executive management in protecting the assets, reputation and sustainability of the company.

[Chart: Allocation of available time by the Internal Audit function]
Operational audits: 37% (2016), 36% (2014)
Compliance and financial reporting: 20% (2016), 19% (2014)

[Chart: Primary mandate of focus for Internal Audit in the next 2 years]
Increased focus on operational risks: 54% (2016), 63% (2014)
Increased focus on strategic risks: 40% (2016), 58% (2014)
Increased focus on compliance and financial reporting risks: 35% (2016), 21% (2014)

[Callout: Involvement of Internal Audit in supporting the management in identifying, assessing and consolidating risks]
64% of respondents support the management with professional input, compared to the 52% in 2014


Technology and emerging market risks affect Internal Audit focus

► Internal Audit functions are expected to be in the forefront of new, potential challenges in the changing environment. In particular, cybersecurity is a top emerging risk that companies face today, having been ranked third in 2014.
► Internal Audit functions are increasingly performing separate emerging risk assessments compared to 2014 (19% vs. 10%). However, two thirds of companies surveyed are yet to carry one out.
► The threat of so called cyber-physical incidents is becoming increasingly severe as industrial companies are becoming more and more connected. Cyber threats increase with every additional technology connection and socially embedded system.
► Even though cybersecurity and major shifts in technology feature among the top 5 emerging risks, technology as a competence is rated relatively low with relatively low improvement needs. This could indicate that Internal Audit functions are not preparing their capabilities so as to respond to the expected, serious risks.

Companies need a common cybersecurity strategy to support operating effectiveness, safety, reliability standards, business transformation and financial controls compliance. In this regard, effective cooperation between the Internal Audit, operational technology and information technology functions is required.

[Callout: Internal Audit functions perform separate emerging risk assessments]
19% of companies undertake separate emerging risk assessments within their Internal Audit functions

[Chart: Top 5 emerging risks that organizations monitor]
1. Cybersecurity: 60% (2016), 35% (2014)
2. Other risks when operating in emerging markets: 47% (2016), 58% (2014)
3. Regulations around data privacy: 43% (2016), 26% (2014)
4. Strategic transactions in emerging markets: 32% (2016), 40% (2014)
5. Major shifts in technology: 28% (2016), 35% (2014)


Domain expertise will drive the Internal Audit function

► Nordic Internal Audit functions are mainly composed of small-sized teams with experienced staff and low turnover. This setup originates from the Nordic, trust-based culture and long-term employee-employer relationships.
► However, the high rotation of Internal Audit executives in some areas during the past two years highlights a potential challenge for Internal Audit functions to attract and retain people with solid business understanding and auditing experience.
► In-depth business knowledge is seen as one of the most important competence areas, and also as an area where further improvement is needed. However, Internal Audit functions demonstrate a low level of internal recruitments.
► The low staff turnover and large number of auditors with more than 10 years of experience highlights a potential challenge: Internal Audit functions might not be able to address the competency improvement needs through new recruitments and will have to train internally instead. However, internal training might prove to be a challenge as well since training budgets are low.
► In order to manage staffing and competence gaps, general internal audit co-sourcing, fraud investigations and technical skills (e.g. data analytics) remain top outsourcing areas.
► Specific process competence and the knowledge of local legislation and regulation are becoming increasingly outsourced.

Leading Internal Audit functions use a mixed sourcing strategy, using internal specialists, guest auditor programs, rotation programs and partnerships with external professional services firms to ensure access to specialist skills, benchmarking, local coverage and resource flexibility.

[Chart: Internal Audit function size. Categories: less than 5 auditors; 6-9 auditors; 10-14 auditors; more than 15 auditors]
[Chart: Internal Audit function turnover. Categories: > 15%; 10-14%; 5-9%; < 5%]
[Chart: Internal auditors’ level of experience, 2016 vs. 2014. Categories: < 3 years; 3-6 years; 7-10 years; > 10 years]


Nordic Internal Audit functions meet new stakeholders

► Over the last two years, strict regulation and industry risk exposures have led to the increased establishment of compliance and risk management functions in Nordic organizations.
► This development indicates an increased importance of the second line of defense, creating a potential challenge for Internal Audit in terms of how to effectively leverage the work performed by their second line of defense. Also, a competition for resources might ensue.
► Executive management’s and the Board of Directors’ involvement in the internal audit planning process has increased significantly, which is a key enabler for Internal Audit to focus more on the areas and topics that are important for the success of the business. This is evidenced by the fact that a larger number of audit reports now have a high or critical grading compared to 2014.
► With regards to increasing cybersecurity risks, Internal Audit should assess whether such risks are reported to the board adequately, and consider the Chief Information Security Officer and Chief Security Officer as key stakeholders.

Effective audit function structures must facilitate a close relationship between the management and key stakeholders in the wider organization. This entails clear accountability at senior levels of the Internal Audit function for owning the relationships with key divisional, regional and risk leaders within the organization, in addition to executive management and boards.

[Chart: Stakeholders involved in the planning process, 2016 vs. 2014. Categories: Executive Management; Audit Committee; ERM and/or Internal Control functions; Line Management; Board of Directors; Other; Not applicable]
[Chart: Companies with a Risk Management Function / Internal Control Function / Compliance Function, 2016 vs. 2014. Categories: Yes, formally led by head of function or equivalent; Yes, led by someone else (e.g., CFO); No]


Competence-wise, a “risk-based audit plan” must be supported by a risk-based resourcing model

► Internal control, operational audit and in-depth knowledge of the company’s business remain the most important competencies for Internal Audit.
► Data analytics as an Internal Audit competence remains a top priority for improvement. Industrial companies recognize the advantages of data analytics as they can improve fraud recovery, generate expense savings and bring about process improvement opportunities.
► Ongoing organizational transformations and turbulent environments have led to the re-prioritization of Internal Audit competencies that need improvement. Change management, relationship acumen and fraud investigation as competencies for improvement have replaced written communication and technology since 2014.
► Nordic Internal Audit functions do not see the definition of competencies nor training requirements for Internal Audit staff as a priority.

Industrial companies have consensus on the need for more specialist and expert skills. Capabilities like data analytics, modelling, CAAT tools, cyber and compliance and regulatory-related expertise are key for auditors. Internal Audit leaders perform in-depth analyses on where gaps exist, in both competencies and the number of employees. A capability development model is then defined: “Move”, “Develop” or “Buy” for each competency gap.

[Chart: Internal Audit competencies (most important / improvement needs)]
Internal control: 70% / 9%
Operational audit: 66% / 6%
In-depth knowledge of the company’s business: 62% / 19%
Compliance/regulatory: 47% / 19%
Analytical skills: 45% / 6%
Internal audit risk assessment: 38% / 19%
Financial audit and accounting: 38% / 6%
Data analytics: 36% / 40%
Relationship acumen: 34% / 26%
Written communication: 32% / 17%
Verbal communication: 32% / 13%
Fraud investigation: 32% / 26%
Presentation and facilitation: 30% / 17%
Process improvement: 30% / 4%
Leadership and teamwork: 28% / 23%
Business strategy: 28% / 15%
Other: 26% / 21%
Deep industry knowledge: 26% / 6%
Project management: 21% / 15%
Technology: 19% / 13%
Change management: 17% / 28%
Advisory or consulting experience: 13% / 13%

[Chart: Top 3 important Internal Audit competencies]
1. Internal control: 70% (2016), 81% (2014)
2. Operational audit: 66% (2016), 74% (2014)
3. In-depth knowledge of the company’s business: 62% (2016), 76% (2014)

[Chart: Top 3 Internal Audit competencies for improvement]
2016: Data analytics 40%; Change management 28%; Relationship acumen 26%
2014: Data analytics 55%; Written communication 36%; Technology 31%


Nordic Internal Audit functions are becoming more critical in their assessments

► Internal Audit functions are moving the balance of their audit planning towards a more “top-down” approach, explicitly aligning the activity of the Internal Audit function with the key risks faced by the organization.
► The main areas considered in the Internal Audit risk assessments cover operational, strategic, cybersecurity and compliance risks.
► During the last two years, increased industry scrutiny by supervisory boards and executive managers has resulted in internal auditors performing deep-dive reviews of processes and audited areas, and assessing risk exposures more critically. This has dramatically increased the number of Internal Audit reports with a “high” grading.
► Internal Audit uses the number of recommendations implemented according to plan as one of the key performance measures. This makes a difference when recommendations have a higher tendency to be closed within the set deadlines, which adds value to the business.
► An increase in the recommendations managed within set deadlines (i.e., by making this a key measure for Internal Audit) can also be detected.
► A trend in many larger audit functions is the introduction of a secondary rating for audit reports. This approach supplements the traditional audit rating with a secondary rating for the adequacy of management’s approach to risk and control.

Audit plans are focusing more on recognizing potential root causes of multiple issues and risks across the company, having greater impact on the company as a whole.

[Callout] 85% of Internal Audit functions’ reports are graded as Medium or High in 2016, compared to 59% in 2014.

[Chart: Risks considered in the risk assessment (most important / important / medium / less important / least important)]
Operational risk: 30% / 25% / 10% / 18% / 17%
Financial reporting risk: 23% / 22% / 35% / 13% / 7%
Strategic risk: 19% / 33% / 28% / 17% / 3%
Cybersecurity risk: 18% / 34% / 16% / 24% / 8%
IT risk: 18% / 21% / 28% / 28% / 5%
Financial risk: 18% / 27% / 25% / 28% / 2%
Compliance risk: 17% / 34% / 10% / 29% / 10%
Reputational risk: 15% / 23% / 28% / 21% / 13%
Regulatory risk: 11% / 26% / 32% / 18% / 13%
Fraud risk: 10% / 28% / 44% / 10% / 8%
Industry risk: 5% / 38% / 23% / 31% / 3%


Nordic Internal Audit functions need to employ robust audit software throughout the audit lifecycle

► Nordic Internal Audit functions demonstrate low leverage levels of data analytics, which is partially compensated through outsourcing to third party providers.
► A significant increase has been noted in organisations leveraging data analytics in more than 50% of audits, indicating that analytics is an efficient tool once effectively established.
► In-house data analytics competence is not developed to a sophisticated level (conclusion drawn from the EY data analytics survey and data analytics competence gap).
► A data-driven approach is becoming essential to drive efficiency, quality and insight from the audit activity.

Big data is fundamentally changing the way the enterprise operates. Organizations have identified analytics as an efficient tool for testing outcomes, supplementing controls testing and other traditional audit techniques.

[Figure: The Internal Audit analytics maturity model]

[Chart: Extent to which organizations are leveraging data analytics]
> 50%: 15% (2016), 5% (2014)
40-49%: 4% (2016), 2% (2014)
30-39%: 4% (2016), 12% (2014)
20-29%: 13% (2016), 14% (2014)
10-19%: 17% (2016), 17% (2014)
< 10%: 47% (2016), 50% (2014)


Efficiency and effectiveness of Nordic Internal Audit functions is questioned by the stakeholders

► Under competitive cost pressure, stakeholders expect increased assurance from the same budget.
► Influenced by the increased demand on the function’s output and new emerging risks, Internal Audit leaders foresee significant improvement opportunities within the function pertaining to the reporting process to stakeholders, efficiency and effectiveness as well as risk awareness in the business.
► External auditors exhibit limited reliance on Internal Audit functions in their work. The number of Internal Audit functions that do not coordinate with external auditors has significantly increased compared to 2014. To ensure effective use of Internal Audit resources, both functions have to coordinate.

Achieving the maximum value from the Internal Audit function requires significant investments in people, knowledge, technology and methodology over a sustained period of time.

[Chart: Budget allocation of Internal Audit functions (EUR), 2016 vs. 2014. Categories: Don't have a separate budget for internal audit; < 300 000; 300 000-499 999; 500 000-999 999; 1-1.9 million; 2-2.9 million; > 3 million]
[Chart: Internal Audit improvement opportunities, 2016 vs. 2014. Categories: Improve the reporting process to relevant stakeholders; Improve efficiency and effectiveness of the Internal Audit function; Support in improving risk awareness in the business; Improve the internal audit risk assessment and planning procedures; Increased leverage of audit technology tools; Improve the overall skills and personnel in the Internal Audit function; Improve stakeholder management; Enhance risk coverage of key risks; Other]
[Chart: Reliance of external auditors on the work of internal auditors. Categories: significant reliance; limited reliance; no reliance]


Top ratings by Nordic country

Breakdown by Nordic country
Top ratings

Rating
Key tasks 1. Operational audits 1. Operational audits 1. Operational audits 1. Operational audits
2. Compliance and financial 2. Strategic audits 2. Strategic audits 2. Compliance and financial
reporting 3. Education and administration 3. Compliance and financial reporting reporting
3. Other 3. Planning
Top input for risk 1. Enterprise resource 1. Interviews with top 1. Interviews with top management 1. Interviews with top management
assessments management management
2. Interviews with top
management
Primary mandate for No changes Increased focus on strategic and Increased focus on strategic risks Increased focus on operational risks
Internal Audit in the operational risks
next 2 years
Top emerging risks 1. Social media 1. Cybersecurity 1. Other risks when operating in 1. Cybersecurity
2. Cybersecurity 2. Climate change and emerging markets 2. Regulation around data privacy
3. Strategic transactions in sustainability 2. Cybersecurity 3. Other risks when operating in
emerging markets and other 3. Strategic transactions in 3. Strategic transactions in emerging emerging markets
risks when operating in emerging markets; major shifts markets; major shifts in technology;
emerging markets in technology; regulation regulation around data privacy;
around data privacy; economic economic stability
stability
One-on-one meetings 1. Quarterly 1. Quarterly or annually 1. Semi-annually 1. Quarterly
between the Audit
Committee chairman
and head of Internal
Audit

Breakdown by Nordic country
Top ratings

Rating
Key outsourced 1. Cultural challenges; specific 1. General internal audit co- 1. Coverage of international locations 1. Fraud investigations
Internal Audit areas process competence sourcing 2. General internal audit co-sourcing; 2. General internal audit co-
2. General internal audit co- 2. Specific technical skills fraud investigations; specific sourcing
sourcing; assistance with 3. Specific process competence technical skills 3. Coverage of international
internal audit planning; 3. Knowledge of local laws and locations; specific technical skills;
sector competence regulations knowledge of local laws and
3. Fraud investigations; regulations
specific technical skills;
knowledge of local laws and
regulations
Most important 1. Internal control 1. Written communication; in- 1. Internal control; operational audit; 1. Operational audit
competency areas 2. Operational audit depth knowledge of the data Analytics; business strategy 2. In-depth knowledge of the
3. Relationship acumen; in- company’s business 2. Relationship acumen; in-depth company’s business and Internal
depth knowledge of the 2. Internal control; data analytics; knowledge of the company’s control
company’s business analytical skills; deep industry business; deep industry knowledge; 3. Analytical skills
knowledge; verbal Internal Audit risk assessment; fraud
communication investigation; presentation and
3. Project management facilitation
Top competency 1. Change management; 1. Data analytics 1. Data analytics 1. Data analytics
areas that need leadership and teamwork; 2. Presentation and facilitation; 2. Written communication; fraud
improvement relationship acumen business strategy; in-depth investigation; compliance and
2. Data analytics and project knowledge of the company’s regulatory
management business; fraud investigation; 3. Verbal communication;
3. Fraud investigations and compliance and regulatory presentation and facilitation;
Internal Audit risk advisory or consulting experience
assessment

Detailed survey results

Right direction

Purpose and mandate
Internal Audit role and responsibilities framework

► Operational audits, compliance and financial reporting remain the top audit tasks in 2016. Overall, task allocation has not deviated from 2014 results.
► The responsibilities of Nordic Internal Audit functions are primarily defined by policies, guidelines, roles and responsibilities. Fewer than one fifth of Internal Audit functions
have no framework that defines their responsibilities, accounting for a 6% decrease compared to 2014.
► Almost two thirds of Internal Audit functions support management with professional input to identify, assess and consolidate risks, and 4% of the Internal Audit functions
perform all of the activities themselves. Less than 20% do not participate in risk assessment.

[Chart: How is the available time for the Internal Audit function allocated between the following tasks? 2016 vs. 2014. Categories: Compliance and financial reporting; Operational audits; Strategic audits; Advisory engagements; Planning; Education/admin; Fraud investigations; Excused leave; Other]
[Chart: Is there a framework in place where the responsibilities of Internal Audit and other risk and controls functions are well-defined? 2016 vs. 2014. Categories: Yes, policies and guidelines; Yes, roles and responsibilities; Yes, other; No; Don't know; Not applicable]
[Chart: How involved is Internal Audit in supporting management to identify, assess and consolidate risks? 2016 vs. 2014. Categories: Perform all activities to identify, assess and consolidate the risk assessment; Support management with professional input; There is no separate risk assessment performed by management; Not involved in the risk assessment; Other]



Purpose and mandate
Emerging risks and primary focus in the next years

► Cybersecurity is seen as the top emerging risk in 2016, having been ranked joint third in 2014. Data privacy, ranked third as an emerging risk, has increased significantly compared to 2014. This development is driven by the new European Union regulation.
► Technology is ranked low in the most important competence section and also had relatively low improvement needs. This is somewhat unexpected as cyber security presents a top emerging risk.
► An increased focus on operational and strategic risks remains high in importance for Internal Audit functions. However, a potential shift towards compliance and financial reporting risks is emerging.
► Internal Audit functions are performing more separate emerging risk assessments compared to 2014, yet most companies do not perform them.
► Nearly two thirds of Internal Audit leaders believe that Internal Audit’s involvement in risk assessments will not change in the next three years.
► The developments since 2014 may indicate that Internal Audit functions have delivered on their expectations relating to focus areas and the risk assessment process.

What are the top emerging risks that your organization is monitoring? (2016 / 2014)
Cyber security: 60% / 35%
Other risks when operating in emerging markets: 47% / 58%
Regulations around data privacy: 43% / 26%
Strategic transactions in emerging markets: 32% / 40%
Major shifts in technology: 28% / 35%
Climate change and sustainability: 23% / 23%
Economic stability: 21% / 33%
Social media: 19% / 5%
Sovereign risk: 4% / 0%
Other: 11% / 7%

Do you currently complete a separate emerging risk assessment within Internal Audit? (2016 / 2014)
No: 67% / 80%
Yes: 19% / 10%
No, but plan on doing so in the next two years: 14% / 10%

What will be the primary mandate or focus for internal auditors in the next two years? (2016 / 2014)
Increased focus on operational risks: 54% / 63%
Increased focus on strategic risks: 40% / 58%
No changes: 38% / 5%
Increased focus on compliance and financial reporting risks: 35% / 21%
Other: 21% / 12%

How do you anticipate Internal Audit involvement in the risk assessment to change in the next three years? (2016 / 2014)
Increase: 32% / 55%
Stay the same: 62% / 43%
Decrease: 0% / 0%
Don’t know: 6% / 2%



Right competence
Team and organization structure
Internal Audit staff – composition and employment

► Compared to 2014 survey results, the number of functions of less than 9 employees has decreased significantly, while functions with 10−14 and 20−29 employees have increased.
► Nearly half of Nordic Internal Audit functions are self-organized and only 1 in 20 are organized by business unit (vs. 1 in 7 in 2014).
► Almost 50% of Internal Audit staff have more than 10 years of experience. Since 2014, the share of internal auditors with 3−6 years of experience has increased by 6%, while the share of those with 7−10 years of experience has fallen by 5%.
► In half of the surveyed companies, less than 25% of Internal Auditors are recruited internally in 2016 and the general trend of internal recruiting is downward.
► Nordic Internal Audit functions exhibit low turnover rates, where half of the respondents have less than 10% turnover, and more than one third have less than 5% turnover rate.
► The majority of Internal Audit functions have no specific program for internal recruiting. However, the guest auditor program has become increasingly popular since 2014, used by more than 1 in 4 Nordic Internal Audit functions.

How is your Internal Audit function structured? (2016 / 2014)
Organized by business unit: 4% / 14%
Organized by geography: 20% / 16%
Organized by competency: 22% / 20%
Hybrid: 11% / 14%
Other: 43% / 36%

[Chart: What is the current size of the Internal Audit function within your organization? (Number of employees based on in-house and co-sourced resources), 2016 vs 2014; categories: <5, 5-9, 10-14, 15-19, 20-29, 30-39, > 40]

[Chart: Please estimate the distribution of experience among your Internal Auditors, 2016 vs 2014; categories: < 3 years, 3-6 years, 7-10 years, > 10 years]

[Chart: To what extent is your Internal Audit staff recruited internally?, 2016 vs 2014; categories: >75%, 50-74%, 25-49%, < 25%]

[Chart: What is your approximate annual staff turnover rate within Internal Audit?, 2016 vs 2014; categories: > 25%, 20-24%, 15-19%, 10-14%, 5-9%, 0-5%]

[Chart: For which programs do you have to identify and recruit employees within your organization to the Internal Audit function?, 2016 vs 2014; categories: No specific program, Guest Auditor program, Staff rotation, Internship, Other]



Team and organization structure
Administrative reporting and geography

► Internal Audit leaders have multiple administrative reporting lines, primarily to the CFO and CEO.
► Audit Committee meetings are usually held more than 4 times per year. In nearly half of all cases (47%), Internal Audit leaders have quarterly one-on-one meetings with the Audit Committee Chairman, while 13% have no meetings at all.
► Participating companies operate in multiple continents around the world, where 68% operate in more than one continent and 40% operate in all continents.

How many Audit Committee meetings are held per year? (2016 / 2014)
>5: 52% / 55%
4: 27% / 33%
3: 13% / 5%
2: 0% / 0%
1: 0% / 0%
0: 0% / 0%
Not applicable: 8% / 7%

To whom does the head of Internal Audit report administratively? (2016)
CFO: 51%
CEO: 41%
Other: 33%
The Board: 24%
Audit committee: 8%
General/Legal Counsel: 8%
Executive Management: 2%

How often does the Audit Committee chairman have one-on-one meetings with the head of Internal Audit?
Quarterly: 47%
Annually: 24%
Semi-annually: 13%
No meetings: 13%
Monthly: 3%

[Chart: In which of the following geographical areas does your company operate?, 2016 vs 2014; categories: South America, North America, Asia, Africa, Europe, Oceania]



Team and organization structure
Internal Audit outsourcing

► The leading outsourcing areas remain general internal audit co-sourcing, fraud investigations and specific technical skills (e.g., data analytics). Furthermore, specific process competence and knowledge of local laws and regulations have increased as an outsourcing area compared to 2014, which corresponds with the main rationale behind outsourcing: to manage competence gaps.
► In 2016, 1 in 5 Internal Audit functions do not use third party providers at all, and almost two thirds source less than 25% of their internal audit activities from third party providers (whereas less than half did so in 2014). This could be influenced by decreasing Internal Audit budgets.
► The majority of respondents do not expect any changes to their Internal Audit outsourcing over the next three years.

[Chart: Please specify the areas within which you use third party provider(s) for Internal Audit purposes?, 2016 vs 2014; categories: General internal audit co-sourcing, Fraud investigations, Specific technical skills (e.g. data analytics), Specific process competence, Knowledge of local laws and regulations, Coverage of international locations, Compliance and internal control testing, Sector competence, Cultural challenges, Assistance with the internal audit planning, Assistance with the internal audit risk assessment, Other]

Do you source all or part of your internal audit activities from a third party provider? (2016 / 2014)
75-100%: 8% / 7%
50-74%: 2% / 9%
25-49%: 6% / 19%
<25%: 63% / 49%
We do not use third-party provider to assist with internal audit activities: 21% / 16%

[Chart: What is the rationale behind sourcing from a third-party provider?, 2016 vs 2014; categories: To manage competence gaps, To manage short term resource restraints, To have a flexible internal audit operating model, To be able to leverage on third-party providers’ enablers and methodology, Other]

How do you think that your use of sourcing from third party provider(s) will evolve over the next three years? (2016 / 2014)
Staying the same over the next three years: 73% / 58%
Increasing over the next three years: 21% / 33%
Decreasing over the next three years: 6% / 9%



Stakeholder relationship management
Reliance and coordination

► The majority of Nordic Internal Audit functions operate in companies where compliance and risk management functions are established and led by a function Head, while 51% have no internal control function. Since 2014, the presence of compliance functions has increased by 26%.
► The key stakeholders involved in the internal audit planning process are executive management, Audit Committee and risk management or internal control functions. The Board of Directors is also increasingly involved (18%), having had no involvement in 2014.
► In the majority of cases (two thirds), external auditors exhibit limited reliance on Internal Audit functions in their work. Similarly, 25% of Internal Audit functions do not coordinate with external auditors in 2016 (only 1 in 11 did so in 2014), while the overwhelming majority, 4 in 5, cooperate on scoping and audit plans.

[Chart: Does your company have a risk management, internal control or compliance function?, 2016 vs 2014 for Compliance, Risk management and Internal control; categories: No; Yes, led by someone else (for example CFO); Yes, formally led by Head of function or equivalent]

To what extent does your external auditor rely on the work of the Internal Audit function? (2016 / 2014)
Significant reliance: 17% / 15%
Limited reliance: 68% / 70%
No reliance: 15% / 15%

Which stakeholders are involved in the internal audit planning process? (2016 / 2014)
Executive Management: 84% / 23%
Audit Committee: 82% / 89%
ERM and/or Internal Control functions: 68% / 95%
Line Management: 56% / 61%
Other: 30% / 68%
Not applicable: 22% / 16%
Board of Directors: 18% / 0%

How does your Internal Audit function coordinate with external auditors? (2016 / 2014)
We share/discuss scoping and audit plans: 79% / 81%
We discuss scoping of engagements that have been partly covered…: 33% / 31%
We have different forums in which we communicate: 33% / 43%
We don’t coordinate: 25% / 7%
Other: 29% / 17%



People and skills development
Internal Audit competencies and education

► Internal control, operational audit and in-depth knowledge of the company’s business are seen as the most important competencies. Data analytics, change management, relationship acumen and fraud investigation are considered to need the most improvement.
► Nearly half (9 in 22) of the competencies have major improvement needs (+19%). However, only 19% of the Internal Audit functions have well-defined competencies and training requirements.
► Half of the Internal Audit functions are in progress, or have partially defined, competencies and training requirements for Internal Audit staff, while 1 in 3 have not defined them at all.
► More than half of the auditors have between 25−47 training hours per year, while one third of auditors have less than 25 hours. In 2016, only 12% have more than 50 hours of training. Almost 60% of Internal Audit functions have an education budget of less than 10 000 EUR.

Select the competency areas that you believe are the most important within the Internal Audit function and the competency areas where you see improvement needs within your Internal Audit function (Most important / Improvement needs)
Internal control: 70% / 9%
Operational audit: 66% / 6%
In-depth knowledge of the company’s business: 62% / 19%
Compliance/regulatory: 47% / 19%
Analytical skills: 45% / 6%
Internal audit risk assessment: 38% / 19%
Financial audit and accounting: 38% / 6%
Data analytics: 36% / 40%
Relationship acumen: 34% / 26%
Written communication: 32% / 17%
Verbal communication: 32% / 13%
Fraud investigation: 32% / 26%
Presentation and facilitation: 30% / 17%
Process improvement: 30% / 4%
Leadership and teamwork: 28% / 23%
Business strategy: 28% / 15%
Other: 26% / 21%
Deep industry knowledge: 26% / 6%
Project management: 21% / 15%
Technology: 19% / 13%
Change management: 17% / 28%
Advisory or consulting experience: 13% / 13%

Does the Internal Audit function have well-defined competencies and training requirements for its auditors by rank? (2016 / 2014)
Yes: 19% / 24%
Partly/In progress: 48% / 33%
No: 31% / 29%

[Chart: How much do you spend on education and training of the Internal Audit function? (EUR), 2016 vs 2014; categories: < 10 000, 10 000 - 49 999, 50 000 - 99 999, >100 000]

[Chart: How many training hours does each auditor have per year?, 2016 vs 2014; categories: < 25, 25-49, 50-74, 75-99, > 100, None]



People and skills development
Internal Audit competencies and education

Select the competencies that you believe are the most important within the Internal Audit function and the competency areas where you see improvement needs within your Internal Audit function.

[Chart: The most important Internal Audit competencies, 2016 vs 2014]

[Chart: Internal Audit competencies that need improvement, 2016 vs 2014]



Right tools
Internal Audit methodology and delivery
Internal Audit risk assessment

► Almost all Internal Audit functions perform an Internal Audit risk assessment, obtaining input from interviews with top and line management and from enterprise risk management, primarily. Acting as input-providers has become more frequent since 2014 for these three functions.
► Internal Audit risk assessment provides the following risk categorization:
Top 3 important risks*: Operational risk, Strategic risk, Cybersecurity risk
Top 3 medium risks: Fraud risk, Financial reporting risk, Regulatory risk
Top 3 minor risks**: Compliance risk, Operational risk, Industry risk
► There is little consensus regarding the importance of the risks identified by Internal Audit leaders. For example, 30% assess operational risk as the most important while 17% have the opposite opinion.

Priority: Risk, Individual risk rating
Most important: Operational risk, 30%
Important: Industry risk, 38%
Medium importance: Fraud risk, 44%
Less important: Industry risk, 31%
Least important: Operational risk, 17%

How do you get input to the Internal Audit risk assessment session? (2016 / 2014)
Interviews with top management: 93% / 75%
Enterprise Risk Management (ERM): 79% / 55%
Interviews with line management: 74% / 68%
Interviews with external auditors: 69% / 55%
Interviews with Audit Committee: 50% / 34%
Interviews with Board of Directors: 12% / 9%
Other: 29% / 16%

What types of risks are considered in your Internal Audit risk assessments? (most important / important / medium / less important / least important)
Operational risk: 30% / 25% / 10% / 18% / 17%
Financial reporting risk: 23% / 22% / 35% / 13% / 7%
Strategic risk: 19% / 33% / 28% / 17% / 3%
Cybersecurity risk: 18% / 34% / 16% / 24% / 8%
IT risk: 18% / 21% / 28% / 28% / 5%
Financial risk: 18% / 27% / 25% / 28% / 2%
Compliance risk: 17% / 34% / 10% / 29% / 10%
Reputational risk: 15% / 23% / 28% / 21% / 13%
Regulatory risk: 11% / 26% / 32% / 18% / 13%
Fraud risk: 10% / 28% / 44% / 10% / 8%
Industry risk: 5% / 38% / 23% / 31% / 3%

Do you perform an Internal Audit risk assessment to serve as a basis for the Internal Audit plan? (2016 / 2014)
Yes: 86% / 89%
No: 14% / 11%

* Note that these results have been obtained by adding the percentages for the risks considered “Most important” and “Important”
** Note that these results have been obtained by adding the percentages for the risks considered “Less important” and “Least important”



Internal Audit methodology and delivery
Internal Audit value and performance compliance

► The main instruments to measure the value provided to the organization by Internal Audit are:
• satisfaction surveys
• the number of implemented recommendations according to plan
• control and process improvement measures
► Approximately 1 in 5 of Internal Audit functions are subject to external quality assurance and are rated as ‘generally conforms’ or ‘partially conforms’ with IIA standards. The majority (55%) of respondents are not certified, but rather apply the relevant parts of the IIA standards in their work. Roughly one fifth do not plan to become certified according to the IIA standards.

How does Internal Audit measure the value provided to the organization? (2016 / 2014)
Satisfaction surveys: 64% / 52%
Number of implemented recommendations according to plan: 51% / 36%
Control and process improvement measures: 26% / 25%
Support of key business initiatives: 21% / 14%
Compliance with internal and external standards (e.g. IIA): 15% / 14%
Not measured: 13% / 20%
Cost savings and/or revenue enhancements: 10% / 2%
Other: 3% / 5%

Do you comply with the IIA standards?
No, but we apply relevant parts of the IIA standards: 55%
No, and we don't plan to become certified: 22%
Yes, we have done external quality assurance review within last 5 years and are rated as ‘Generally Conforms’: 17%
Yes, we have done external quality assurance review within last 5 years and are rated as ‘Partially Conforms’: 6%



Tools and technology
Data analytics

► Internal Audit functions have increased their leverage of data analytics compared to 2014, in particular among functions that use analytics to a wider extent. 15% use analytics in more than 50% of audits, which reflects a large increase from 2014. In addition, 50% state that they have increased their use of data analytics. However, nearly half of the functions leverage data analytics in less than 10% of audits, which is a slight decline from 2014.
► Looking into the future, data analytics is expected to become even more important as 81% of the respondents state that leveraging data analytics will increase over the next three years. Data analytics is also considered as one of the ten most important competencies for Internal Audit functions. 40% of respondents also state that data analytics is a competence area that requires improvement.

To what extent does your Internal Audit function currently leverage data analytics (e.g. the ACL tool) in relation to the total number of audits per year? (2016 / 2014)
> 50%: 15% / 5%
40-49%: 4% / 2%
30-39%: 4% / 12%
20-29%: 13% / 14%
10-19%: 17% / 17%
< 10%: 47% / 50%

How has leverage of data analytics changed in the last 24 months? (2016 / 2014)
Increased: 50% / 60%
Stayed the same: 40% / 38%
Decreased: 2% / 0%
Don’t know: 8% / 2%

How do you anticipate leverage of data analytics to change in the next three years? (2016 / 2014)
Increase: 81% / 60%
Stay the same: 15% / 24%
Decrease: 2% / 0%
Don’t know: 2% / 16%



Operations and reporting
Performance indicators

► The number of audits per year varies widely between the Internal Audit functions. Most companies perform 10 to 19 or 50 to 99 audits per year.
► On average, audits have a total duration of 5 to 6 weeks.
► The most common duration for planning is less than 5 days, for fieldwork 5 to 9 days, and for wrap-up and reporting less than 5 days.
► Despite an increase in the number of reports with high gradings, the average number of days from closing meeting date to issue of final report has decreased, indicating that Internal Audit functions are becoming more effective in the reporting process.

How many audits are performed per year?
<10: 12%
10-19: 21%
20-29: 15%
30-39: 15%
40-49: 6%
50-99: 21%
> 100: 10%

What is the average duration of individual audits for each of the following phases? (Less than 5 days / 5-9 days / 10-14 days / More than 15 days)
2016
Planning: 58% / 22% / 9% / 11%
Fieldwork: 31% / 35% / 15% / 19%
Wrap up and reporting: 33% / 22% / 24% / 21%
2014
Planning: 51% / 27% / 10% / 12%
Fieldwork: 31% / 31% / 17% / 21%
Wrap up and reporting: 27% / 29% / 27% / 17%

What is the average number of days from closing meeting date to issue of final report? (2016 / 2014)
< 5 days: 17% / 5%
5-9 days: 21% / 19%
10-14 days: 19% / 17%
15-19 days: 15% / 29%
> 20 days: 28% / 30%



Operations and reporting
Performance indicators

► Survey results indicate successful management within set deadlines. 52% of the respondents have indicated that more than 80% of reported findings are managed within the given deadline. This is an improvement from the 44% reported in 2014, and may indicate that Internal Audit’s standing has improved.
► Similarly, the severe grading of Internal Audit reports has increased in 2016 compared to 2014. 85% of Internal Audit reports are graded as ‘medium’ or ‘high’ in 2016 (59% in 2014), whereas Internal Audit reports graded as ‘high’ or ‘critical’ has more than doubled compared to 2014.
► The number of ad-hoc requests varies between Internal Audit functions from 1 to 25 for both additional audits and investigations with up to 50 requests for analysis per year. In combination, 1 in 3 Internal Audit functions are requested to improve risk coverage and services using the same budget (a 13% increase from 2014).
► The large increase in requests for additional services (with the same or lower budget) could indicate that stakeholders see potential for improvements in both Internal Audit efficiency and effectiveness.

To what extent are reported findings managed within set deadline? (2016 / 2014)
> 80%: 52% / 35%
50-79%: 44% / 48%
25-49%: 4% / 12%
< 25%: 0% / 5%

How many ad hoc requests are executed beyond the original Internal Audit plan per year?
Additional audits: 36%
Investigation: 32%
Analysis: 20%
Other: 12%

Ad hoc requests (max / avg / min)
Additional audits: 25 / 6 / 1
Investigation: 25 / 7 / 1
Analysis: 50 / 9 / 1
Other: 20 / 12 / 2

Is your Internal Audit function being asked to improve risk coverage and/or services? (2016 / 2014)
Yes, with an increased budget: 6% / 16%
Yes, at the same budget: 31% / 19%
Yes, with a lower budget: 6% / 2%
No: 54% / 58%
Don’t know: 3% / 5%

What is the approximate distribution of grading as a result of different audits? (2016 / 2014)
High (critical): 40% / 18%
Medium (major): 45% / 50%
Low (minor): 15% / 32%



Quality and risk assurance
Opportunities and challenges

► The changing trend from 2014 to 2016 indicates that budgets for Internal Audit functions are on the increase, as is the size of the function teams. This implies an opportunity to deliver more value and assurance to the business. 25% of Internal Audit functions have a budget from 1 to 1.9 million EUR, representing an increase of 13% from 2014. The number of functions with a budget below 1 million EUR has gone down significantly in the last two years.
► Internal Audit functions are making progress. Compared with the results from 2014, the number of audits completed on time has increased significantly from 55% to 79%. In addition, a high percentage of audits completed within budget has seen a marked increase from the 2014 levels, increasing from 79% to 89%.
► Almost all (88%) of Internal Audit leaders think that there are opportunities to improve their Internal Audit function. They identify the most significant focus areas as reporting to relevant stakeholders, efficiency and effectiveness, and risk awareness in the business (as seen on page 39).
► Our previous findings (see page 39) identified the current challenges Internal Audit functions are facing as: 1) attracting individuals with the right business knowledge to ensure IA adds value, 2) managing a diverse and decentralized business and 3) managing the interaction with the second line of defense.

What percentage of audits is completed on time? (2016 / 2014)
> 75%: 79% / 55%
50-74%: 13% / 20%
25-49%: 6% / 18%
< 25%: 2% / 7%

What percentage of audits is completed within budget? (2016 / 2014)
> 75%: 89% / 79%
50-74%: 9% / 15%
25-49%: 0% / 3%
< 25%: 2% / 3%

[Chart: What is the current budget of your Internal Audit function?, 2016 vs 2014; categories: Don't have a separate budget for internal audit, < 300 000, 300 000-499 999, 500 000-999 999, 1-1.9 million, 2-2.9 million, > 3 million]



Quality and risk assurance
Opportunities and challenges

Describe the overall challenges that your Internal Audit function faces or provide other comments that you believe are relevant for this study
► “Attracting people with solid business understanding to judge the business risks and recommend improvements in a pragmatic manner”.
► “Our organization is very diverse and geographically spread out. Senior management does not set a goal of achieving a homogeneous culture either. As such, much of our work consists of figuring out how the individual businesses operate and finding the correct communications approach with the local management. It is not difficult per se, but it does mean that we are quite reliant on personal connections in discovering new risks and agreeing remediation measures with the managers. So we try to keep staff turnover minimal because every leaver takes the opportunity to easily and informally approach senior staff”.
► “We have more of a compliance audit primarily on the project level and then self-evaluation in the line of the operational and finance processes”.
► “Top management and the board (Audit Committees) have a significant knowledge gap on assurance functions (e.g. Internal Audit and Compliance) and respectively do not provide full support. This causes passive approach coming from "top down".”
► “Bring truly meaningful insights to the business and not mainly "housekeeping" (which, of course, is important as well)”.
► “To leverage our knowledge and make it known to wider part of the organization. Being a very decentralized company, each business unit operates separately and implementing common tools and policies is challenging and by that also auditing”.
► “Staying relevant in an increasingly dynamic and fast changing business environment as well as handling the company's transformation agenda”.
► “Who actually directs our work: AC, Board or Executive Management? What are the consequences for the daily work of IA? The increased role of the second line of defense. How is co-operation organized and presented to both the business and the Board and AC”?
► “How to keep adding value to the organization? How to keep clear lines between the third and second line of defense? How to handle pressure from second line as an assurance provider”?
► “The Internal Audit function is undergoing a transformation to serve the Group and to become more professional. It’s a challenge to manage this journey and reach the goals”.

Do you believe that there are opportunities to improve your Internal Audit function? (2016 / 2014)
Yes: 88% / 91%
No: 12% / 9%

[Chart: In which of the following areas do you see opportunities to improve your Internal Audit function?, 2016 vs 2014; categories: Improve the reporting process to relevant stakeholders, Improve efficiency and effectiveness of the Internal Audit function, Support in improving risk awareness in the business, Improve the internal audit risk assessment and planning procedures, Increased leverage of audit technology tools, Improve the overall skills and personnel in the Internal Audit function, Improve stakeholder management, Enhance risk coverage of key risks, Other]

Page 39 Internal Audit Benchmarking Program 2016


EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services.
The insights and quality services we deliver help build trust and confidence
in the capital markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a better working
world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the
member firms of Ernst & Young Global Limited, each of which is a separate
legal entity. Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. For more information about
our organization, please visit ey.com.

© 2016 EYGM Limited
All rights reserved

Contact details:
Henrik Lind
Tel: +46 31 63 77 04
Mobile: +46 705 83 77 04
Email: henrik.lind@se.ey.com
