Internal Audit in the Era of Continuous Transformation. Survey of Internal Auditors in Romania

In the era of continuous transformation, the role of internal audit has steadily increased, becoming one of the strategic pillars of today’s companies. In the current context, where corporate governance, risk management and internal controls are increasingly in the hands of regulators, shareholders and the general public, internal auditors have the task of reacting proactively and responsibly to the challenges of the market. Thus, it is important to understand the way in which internal audit activity is being carried out as well as its directions of development.


Introduction
In a constantly changing business environment, through the survey of internal auditors in Romania, KPMG in Romania intends to focus on the priorities and challenges of this profession as a result of high interest in the best practices in the market.
In the survey conducted among companies that already have an internal audit function in place, one of the greatest challenges of the internal audit function in recent years has been the positioning of internal audit as a strategic asset that adds value to a company. In the context of ongoing developments in the IT industry as well as changes in operational processes, the ability of internal audit functions to readjust audit plans, verification processes and the human resources needed to carry out their activity is continuously being challenged.
The study illustrates the current practices of internal audit activity, highlighting strengths and weaknesses that department managers currently identify and outlining optimization directions to ensure the evolution of the audit function to a level that enables it to support proactively the organization's operations in accordance with the increasingly demanding regulations and requirements.
Thus, maximizing the value added provided by the internal audit function is imperative in the context of maintaining its effectiveness and in this respect it becomes necessary to identify innovative practices that support the internal audit function in its process of transformation into this era of digitization and "big data". This research highlights the need for a better alignment of the internal audit function to the objectives of the organization and a greater focus on increasing operational efficiency and effectiveness. In this respect, a number of key points to be achieved in order to increase the level of productivity are identified: proper dimensioning of the internal audit department, establishing the optimal level of investment in human capital and its professional training, adequate use of technologies to increase the efficiency of operations, a better understanding of the potential cyber risks faced by the organization and the establishment of a management plan in advance.
The study reveals that organizations currently perceive these measures to optimize their internal audit function as "nice to have", but it is important to point out that the increasingly demanding level of internal audit requirements and regulations requires rethinking the process and a clear repositioning of the role of the internal audit function in such a way that it responds better to the company's objectives.
At the same time, it is necessary to mention the areas in which the process is currently carried out optimally in most organizations: the frequency of the internal audit, the typology of the skills involved and the clear orientation towards identifying risk.

Target population
The respondents in this research are heads of internal audit within Romanian companies.
Executives in the field of internal audit were selected to provide answers on all the coordinates assessed in the study.

Research Methodology
100 invitations were sent to an online platform where the respondents filled in an electronic questionnaire anonymously. Responses were obtained from 38 of the selected entities in the initial sample of 100 companies. The survey was conducted at the end of 2018.

Profile of the respondents
Of the 38 respondents, 42% represent the banking sector, 21% the insurance sector, while the remaining 37% are from production and non-financial services.
As far as the distribution of companies by turnover is concerned, 24% are entities with a turnover of more than RON 2 billion, 18% have a turnover between RON 500 million and RON 2 billion, and 58% obtain income of up to RON 500 million.
In terms of the number of employees, the structure of the companies participating in the survey is the following: 31% have up to 250 employees, 29% have between 250 and 1000 employees, while 40% of the companies have more than 1000 employees. There is no information available to verify to what extent the structure of the studied sample proportionally reflects the structure of the totality of companies that have an internal audit department. The figures in this paper are the authors" projection of the results obtained in the study.

Role and priorities of the internal audit function
The main objective of this section is to observe the way in which the role of the internal audit function has expanded and continues to expand beyond the boundaries of traditional responsibilities in the compliance area. We will also highlight the strategic priorities of this function, according to the results of our survey.
Thus, our survey revealed that internal audit has moved its center of interest to having a strategic role within the company, being considered a strategic function by 63% of respondents to the survey. For the others (37%), however, internal audit is not yet ready to go beyond a compliance function (Figure no.1).

Figure no. 1: Internal audit within a company -a strategic function or a compliance function
As a foundation of robust corporate governance, an effective internal audit function provides indisputable benefits to companies, such as:  It provides a means to monitor and improve the company's internal control environment.  It provides independent reporting to the board of directors.  It focuses on the major risks and issues for the company, as advised by the board of directors.  It provides valuable information on a wide range of risks for companies, including financial, operational, technological, strategic, fraud and compliance risks.  It improves internal controls by risk mitigation, increasing efficiency and effectiveness and / or ensuring compliance with regulatory requirements.
 It provides recommendations to increase the efficiency and effectiveness of operational procedures.
 It facilitates a rapid alert system to identify and rectify deficiencies in a timely manner.
In relation to the internal audit plan, we identified the following three main areas of focus for companies in 2019: operational efficiency and effectiveness, alignment with company objectives, and compliance with current regulations. Thus, 89% of respondents are concerned about the efficiency and operational effectiveness of internal processes. 71% of respondents place the alignment of operations with the strategy and objectives of the company on their list of priorities, in the planning of internal audit engagements.

Figure no. 2. Main challenges of the internal audit department
In the current economic climate, characterized by slow growth, economic uncertainty, technological advancement, cyber threats, disruptive business models, increasingly restrictive regulations and intensified checks, companies need to constantly analyze their business strategy and risk appetite.
In addition, we found that, for 58% of respondents, compliance with regulations and related reporting is the third focal point (Figure no. 3).

Figure no. 3. Main priorities of the internal audit departments in relation to the audit plan
Developing a strategy to mitigate the restrictive effects of compliance activities on business operations has become a necessity. For example, internal audit can maintain an inventory of all regulatory requirements that have impact on the company's business or provide specific training to employees in order to ensure compliance with these requirements.
We have found that IT governance and cyber security are not among the top three priorities; only 21% of respondents consider them to be a priority, although companies recognize the increase in the incidence of cyber risks. At the same time, the expectations of the audit committees, according to the KPMG global survey -2017 Global Audit Committee Pulse Survey -rank cyber security as the top priority for the internal audit function.
Moreover, we have found that 66% of respondents place the effectiveness of risk management programs at the top of the list of challenges faced by companies. The opinion of the audit committees, expressed in the 2017 KPMG Global Audit Committee Pulse Survey, identifies on the list of challenges an increase in the focus on operational risks (IT, security data, supply chain) and specific internal controls. Audit committee members consider, according to the above-mentioned survey, that risk programs and processes require substantial revision in order to address the need to adequately identify emerging risks.
42% of respondents recognize that cyber-security risk management is the biggest challenge for companies in terms of internal audit. (See also the chapter entitled Impact of Technology on Internal Audit).
Another important issue for 39% of respondents -which is directly related to the digital transformation of companies -is how talent is attracted, managed and retained in the company so as to maximize the impact of digital resources (Figure no. 4).

Figure no. 4. Main challenges facing companies from the perspective of the heads of the internal audit department
58% of respondents claim that the budget of the internal audit department will remain unchanged in the next 3 years, and 39% of them believe the budget will increase. A properly designed budget is an extremely important tool for business decisions: it will support internal auditors and the audit committee in meeting the objectives and benefits of an effective internal audit (Figure no. 5).

Figure no. 5. Forecasts on the evolution of the budget of the internal audit department in the following 3 years
The coordinators of the internal audit function were invited to present their view on the features of a wellplanned and valuable internal audit. Thus, 47% of respondents consider at the forefront the discovery of the existing risks faced by companies as well as the emerging risks (Figure no. 6).

Figure no. 6. Attributes of a well-planned and valuable internal audit
The roles of the internal audit function concerning risk are represented by:  Providing independent assurance on risk management processes.
 Providing independent assurance that risks are properly assessed.
 Evaluating risk management processes.  Evaluating Key Risk Reporting.  Review of Key Risk Management. However, as the third "line of defense", internal auditors should not assume responsibilities in relation to:  Establishing the risk appetite.  Enforcement of risk management processes.  Decision-making on risk responses.
 Implementing risk responses on behalf of management.  Risk management. Another important feature, highlighted by 39% of respondents, is the ability to provide a complete picture of the efficiency and effectiveness of financial and operational processes, as well as internal controls within the company.
1 out of 2 respondents believe that the key role of the internal auditor is to meet the complexity requirements of the audited topics. Indeed, professionals aspire for their role to be that of a fully-fledged strategic partner (Figure  no. 7).
A stronger presence in the company means more power to facilitate decision-making, as appreciated by 40% of the survey respondents.

Figure no. 7. Vision on the evolution of the internal audit role as a profession
Measuring the performance of internal audit activity is of particular importance because it offers the opportunity to assess how the internal audit function is positioned in relation to other functions within the company. In this way, it is possible to identify the areas where improvements in the applied audit practices and instruments are needed.
Our survey highlights the preference for the following three categories of indicators used to measure internal audit performance (Figure no. 8

):
 Audit plan execution level: 63% of respondents use the quantitative indicator "completed versus planned audit engagements."  Recommendation Implementation Level: 53% of specialists measure the quality of the audit engagement through accepted and implemented recommendations or through external audit evaluation (39%).  Surveys / feedback received from stakeholders: satisfaction of the board of directors / supervisory board, audit committee, executive management (47%) or audited departments (32%).

Figure no. 8. Ways of measuring the performance of internal audit activity
Using specific tools for customer service departments, such as feedback surveys, the internal audit department can measure the audit committee / board of directors" perspectives on the audit experience or the quality and effectiveness of the audit processes.
Feedback received from internal clients can help internal audit departments recalibrate to improve the services they offer.
Less than half of our respondents (47%) say they measure stakeholders" satisfaction through feedback surveys (Figure no. 9).

Figure no. 9. Availability of feedback surveys on audited subjects' satisfaction in relation to internal audit missions
58% of respondents use independent external audits of internal audit work (every five years), in line with the requirements of the International Standards on Internal Auditing 1312 -"External Assessments" (Figure no. 10).
An independent external view may highlight areas where internal auditing can be optimized, as well as a comparison with best practices by access to constructive recommendations. Some strategic questions to which an independent external assessment of the internal audit function could provide an opinion:  What added value do internal audit services generate for stakeholders? Is the internal audit adequately positioned, in strategic terms, to contribute to the success of the company?
 Does the internal audit have an adequate strategy, human resources and ability to carry out its duties?
 How effective is internal audit as the third "line of defense" within the corporate governance of the company?
 Are internal auditing processes consistent with business needs?
 How well does the company's internal audit work, compared to similar companies and best practices?

Methodologies applied in conducting internal audit missions
All companies participating in this survey carry out their internal audit work on the basis of an internal audit plan. Therefore, we found that 61% of the responding companies are developing internal audit plans covering 1 year, while the rest of the companies (39%) develop internal audit plans for longer periods of 2, 3 and 5 years (Figure no. 11).
Regardless of the period covered by the internal audit plan, the priorities of the functions and audited areas are defined in the internal audit plans based on several ways of establishing them.

Figure no. 11. Period covered by the internal audit plan
The key drivers in developing the internal audit plan are the use of a risk-based methodology (mentioned by 92% of the participants), requests from the Audit Committee (76% of the participants) and the development of legislative requirements (71% of companies). The consulting of the previous year's internal audit plan is mentioned by two-thirds of the companies participating in the survey, while one-third mention consultations with external auditors.
Except for a limited number of companies that base their internal audit plan on a single criterion, the rest of the companies use a combination of the elements detailed in Figure no. 12 when defining internal audit priorities. In addition, a small number of the respondents to our survey mentioned additional criteria taken into account in defining internal audit plans, i.e. proposals received from executives, consultations with the parent company, audit cycle, incidents from previous years) etc.

Figure no. 12. Ways of establishing the internal audit plan
Effective business governance is based on a framework that supports management's activities to achieve corporate goals. A robust framework defines the limits of acceptable behavior without necessarily restricting entrepreneurship. Risk management and internal audit are important parts of the governance framework.
Internal auditing strengthens corporate governance of a company through its perspective on process and structures, providing an independent view of the effectiveness of all internal processes of a company.
In this context, we found that 31 respondent companies rated corporate governance as being developed or highly developed, accounting for about 81% of the companies surveyed. On the opposite side, only two respondents have classified corporate governance as poorly or very poorly developed (Figure no. 13).

Figure no. 13. Degree of corporate governance development within the company
Half of the respondents (53%) hold meetings with members of the audit committee / board of directors 3-4 times a year and the others (47%) mention a higher frequency of meetings. Following analysis of the responses received, we noticed that about 83% of respondents, which hold at least 3-4 meetings a year with the audit committee / board of directors, are companies which consider their corporate governance developed or highly developed (Figure no. 14).

Figure no. 14. Frequency of formal meetings with the audit committee/ management board
Since it has an assurance and advisory role that adds value to the company and helps it achieve its strategic and operational goals, internal audit is management"s basic ally. Therefore, in addition to the internal audit engagements established according to well-defined criteria, the internal audit receives and honors ad hoc requests from the company's management to address specific issues / situations that, by their nature or circumstances, could not be taken into account in the audit plan.
Of the total number of 38 respondents, the internal audit functions of 18 companies mentioned 1-2 ad-hoc internal audit engagements per year, while 7 companies mentioned 3 or 4 ad-hoc audit engagements per year (Figure no. 15).
More than 4 ad-hoc internal audit engagements were mentioned by 8 companies. Most of these companies reported more frequent meetings with the audit committee / board of directors than the other companies participating in the survey.
3 internal audit functions do not receive management requests to carry out ad hoc internal audit engagements.

Figure no. 15. Frequency of internal audit ad-hoc missions requested by senior management
When it comes to including cyber risks in the internal audit methodology, our survey shows that 74% of respondents include checks on cyber risk management as part of the internal audit process (Figure no. 16).

Figure no. 16. The existence of cyber security risk management reviews
A reason for concern is that a quarter (26%) of our respondents do not take into account cyber threats in their internal audit, in a world where such attacks have become more and more virulent in recent years.
Companies should take into account that occurrence of such attacks could have disastrous consequences for their business, from the impossibility of accessing data in the case of "Ransomware" attacks, to difficulties or impossibility to access computer systems in the case of "denial of service (DoS)" attacks.
Of the respondents who consider cyber risk management reviews, half of them state that they carry out internal audits that specifically target the security of IT systems (Figure no. 17).
The other respondents treat these threats either as part of a classic IT internal audit (32%) or as part of the reviewing of disaster recovery plans (18%).

Figure no. 17. Types of audit used for the review of the security of information systems
Performing security audits of computer systems used by companies may involve either more complex checks (information systems penetration tests) or more superficial analyses. The latter, although they can discover intrinsic vulnerabilities in computer systems, do not show a complete picture of the cyber risks to which a company may be exposed (vulnerability analyses).
In our survey, internal auditors were asked what types of checks they carry out in internal audits centered on information system security. Thus, almost half of respondents (47%) state that they are limited to vulnerability scans, while only a third of them (34%) perform penetration tests (internal and / or external). Although it is a very good starting point, companies should focus their efforts on more and more complex procedures to identify the risks they are exposed to and then apply the necessary safeguards (Figure no. 18).
An important area in conducting any specialized internal audit, as well as cyber security audit, is the use of appropriately prepared resources, i.e. cyber security and/ or information security specialists. Consequently, survey participants were asked what kind of specialists they use in assessing the cyber risk management process (Figure no. 19).

Figure no. 18. Approaches used in audits focused on the security of information systems
The results revealed that, in general, internal audit departments do not use their own resources to carry out these audits: only a quarter of the respondents (26%) have specialists in the internal audit function.
A similar percentage (24%) uses specialized resources within the group, most likely resources that are shared between different entities within a group. The remainder of respondents prefer to work with external consultants (34%) or to use specialists from other departments within the company (16%).

Human capital of the internal audit function
Professionals in the internal audit function must respond agilely to a very dynamic business environment, regulations, the emergence of new business and operational risks, and digitization by constantly assimilating new information, and demonstrating flexibility in changing priorities and projects. Optimizing the skills of internal auditors requires significant investment in resources, methods, continuous training programs, career models and technical infrastructure.
Our survey shows that 59% of companies use only internal resources in internal audit engagements, 19% of them only external experts, and 22% of them use both internal and external experts (Figure no. 20).
Companies with an insourced internal audit function benefit from instant access to specialized knowledge on a particular case, which allows them to be fully in control. One of the drawbacks of the model is the difficulty of some internal auditors to obtain or maintain a certain level of special skills they need (e.g. IT).
By using external resources, the company can focus on building the key skills needed for internal specialists and can also access specific skills, industry practices and internal audit expertise.

Figure no. 20. Types of human resources used during the internal audit missions
In order to carry out the internal audit plan, the company must provide the appropriate qualifications for internal auditors as well as ongoing professional training. Vocational training programs are tailored to audit professionals, as 61% of survey respondents say (Figure no. 21), with up to 5% of the total amount of training budgets allocated to the internal audit department (Figure no. 22). In addition, we found that in most of the responding companies (87%) the members of the internal audit department have professional certifications (Figure no. 23).

Figure no. 21. Availability of a predefined professional training program for internal audit employees Figure no. 22. Proportion of the budget assigned to professional development in the total budget of the internal audit department Figure no. 23. Availability of professional certifications within the internal audit department
Certifications of the members of the internal audit department reflect the regulated requirements (Figure no. 24). Thus, certifications in internal audit are mainly in the accounting and auditing area, i.e. financial auditors are members of the CAFR (88%), CIA (55%) and ACCA / ACA / CPA (45%), while only 33% of the companies have auditors certified in the auditing of computer systems (i.e. CISA).
The latter is a significant risk area, given the importance of IT expertise in the context of digitization and cyber risks.
According to the results of our survey, 73% of members of the internal audit department in the companies surveyed are members of the Association of Chartered Certified Accountants (ACCA) or have the Certified Internal Auditor (CIA) qualification.

Figure no. 24. Types of professional certifications held by the members of the internal audit department
Our survey reveals that internal auditors consider the following areas of expertise to be essential in order to successfully conduct their internal audit engagements:  IT skills, data analysis, fraud investigation for 89% of respondents.
 Technical skills on internal processes for 84% of respondents.
 Internal audit for 79% of respondents. Technical skills remain essential, but internal auditors of the future must possess a variety of non-technical attributes, in addition to strong technical expertise (Figure no. 25).

Figure no. 25. Essential training areas on which permanent professional training courses for the internal audit department members are based
Competencies in the field of professional standards, governance, business and control / risk are essential to deliver quality internal auditing. However, personal skills such as communication, power of influence or critical thinking determine the impact of recommendations and observations issued by internal auditors (Figure no. 26).
According to the results of the survey, 55% of respondents face difficulty in retaining talent in the company, and 39% of them believe that the main challenge of the internal audit function is the availability of required skills and abilities. A plan to attract and develop non-technical skills and abilities for internal audit specialists can be outlined as follows:  Develop a coherent internal audit brand to attract top talent.  Apply rigorous selection to identify candidates with the potential to develop these skills and abilities.  Organise professional training programs focused on communication, critical thinking or "design thinking".  Develop performance programs which reward these skills and abilities.

The impact of technology on the internal audit function
Embracing technology in internal audit engagements, as well as the need to analyze a large amount of data, have transformed the profession of internal auditor. Technology and data analytics are not used to full capacity, and there is room for significant improvement in order for companies to fully benefit from these innovations. At the moment, all business sectors invest in Robotic Process Automation (RPA) advanced technologies, data analysis, predictive analysis, cognitive systems, "machine learning" or artificial intelligence to automate work.
The concept of automation is no longer a novelty, but there are a number of factors that creates a need to embrace intelligent automation. In this context, our survey indicates that 63% of respondents use technology to increase the efficiency of internal audit work.
In spite of the added value that can be obtained by using the analysis of a large amount of data ("big data"), 37% of the internal auditors participating in this survey indicated that this is not a pattern in their model of internal audit engagement delivery (Figure no. 27).

Figure no. 27. Use of technology to increase the efficiency and effectiveness of internal audit
Adoption of data analytics tools provides the opportunity to increase efficiency and to facilitate concentration on areas with the greatest potential risks. In this context, we noticed that 63% of respondents considered data analytics to be extremely important, while 37% of them considered it important (Figure no. 28).
Data integration and data analytics in compatible technologies as well as audit tools and techniques at all stages of the audit engagements (risk assessment, planning, execution and reporting) add value to the company's internal processes and mitigate risks.
Data analytics can be applied in the following three important areas:  In terms of planning, it can be used for risk profile determination, data testing by simulation and statistical sampling.
 Data analytics can ease the execution of internal audit: it can provide a way to monitor internal controls (fast and cost-effective) or to identify risks and fraud.
 It can support risk reporting and quantification, management of outliers and root-cause analysis.

Figure no. 28. The degree of importance of big data analysis to increase the added value of a company
Innovations in intelligent automation have the potential to increase speed, operational efficiency, cost efficiency, control and accuracy of daily activities.
These innovations will also support professionals in making the right decisions in a shorter time.
Our survey reveals the benefits of using data analytics (Figure no. 29):  Processing very large volumes of information with fewer resources and lower costs at a high-quality level (82%).  Easier identification of potential risks and the need to carry out an in-depth investigation of anomalies (76%).  Increase in efficiency (71%). How internal audit can contribute to the preparation and implementation of such a program:  By integrating governance, risks and controls throughout the automation project.  By identifying opportunities to implement automated key controls in an operational process or in another department within the company. Certainly, the internal audit function can rely on automation to streamline its own activities.

Conclusions and future directions
Currently, a large number of internal auditors appreciate that the internal audit function has a strategic role in companies. They demonstrate this by aligning it with the overall strategic planning process through consultations with the board of directors and assessing the potential risks associated with strategic directions.
The results of the survey reveal an upward trend in the key role already played and which is to be played further in the future by the internal audit function.
Companies are currently facing an accelerated increase in the complexity of the needs to which the internal audit department has to answer, and are thus faced with critical decisions about how they choose to allocate resources in that direction. New requests from the board of directors, leaders and regulators require internal auditors to increasingly focus their efforts on activities that help the organization understand and manage associated risks, achieve the expected results of automation, and continue to innovate to obtain added value. The main priorities of the internal audit departments in 2019 in relation to the internal audit plan are: increasing operational efficiency and effectiveness, aligning operations to the organization's objectives, and ensuring compliance with current regulations.
On the other hand, the biggest challenges currently faced by internal audit departments relate to the availability of employees' skills, the ability to use data to stimulate innovation and the need to enhance corporate governance and strategic processes.
In this respect, the introduction of technologies in order to accelerate labor productivity, as well as investment in human resources capable of managing both the technological factor and the implications of advanced analysis of the information received, together with the development of the capability to anticipate potential changes in legislation, all represent tools which need to be taken into account in order to increase the efficiency of the internal audit function.
By using intelligent automation solutions, the internal audit function gains efficiency and effectiveness by improving the quality and consistency of processes, of planning, testing and reporting activities, including the transition from limited sample testing to full testing of the audited population.
Moreover, through digitization and automation processes, the internal control environment can be improved, especially in the prevention area, by introducing automatic controls instead of manual ones, real-time analysis, followed by automatic escalation and anomaly resolution, thus allowing the organization to add value with limited resource consumption.
At the same time with the use of the most advanced automation and digitization technologies, it has become imperative to develop the skills of the internal audit staff in order for them to be able to effectively access these technologies and to make out of the information received the best operational directions.
A professional in the internal audit function needs an extensive set of skills in his or her daily activity (analytical and synthesis capacity, effective communication, critical thinking), but currently, the budgets allocated for providing specialized training cover less than 5% of the total budget of the internal audit department for most respondents.
Moreover, forecasts for the development of the internal audit budget are rather moderate, in contrast to the high expectations of the development of the internal audit function so that it can respond as closely as possible to the increasing complexity of the areas audited.
Another important issue to point out is that cyber security is ranked 8th among the top priorities of the Internal Audit function, and yet no less than 42% of internal auditors recognize that cyber security risk management is one of the main challenges which companies face.
Thus, the directions for the successful future development of the internal audit function are clearly outlined: the accelerated incorporation of technologies designed to develop the capacity of data analytics and investment in the human factor so that internal audit staff are able both to manage technological advances and analyze the results of the analyses carried out. Effective monitoring of the growing cyber risk is also a critical consideration for the future.