2015 State of the Internal Audit Profession study

Financial Services
Internal Audit

Increased expectations of value

The critical issues financial institutions face today are affecting their entire business. The industry
continues to face regulatory reform and rapidly growing regulatory demands and expectations,
combined with pressures to implement cost-effective technologies, acquire talent, deal with changing
customer behaviors, and meet increasing demands from stakeholders are forcing financial institutions
to rethink business strategies, which inherently introduces new risk.
The volatile business environment in which financial services companies operate is prompting them
to transform operations. According to the PwC 2015 State of the Internal Audit Profession Study Finding True North in a period of rapid transformation, two-thirds of financial services companies
have recently gone through or are going through a business transformation, and an additional 13%
anticipate doing so in the next two years. Transformation comes hand in hand with new risks: 70% of
financial services participants said risks to their companies are increasing either significantly or
moderately; only 3% said risks were decreasing.
In the asset management, banking and capital markets, business services, and insurance sectors,
more than 360 chief audit executives (CAEs), senior management, and board members participated
in PwCs annual study by contributing their opinions on the capabilities, skills, and value of their
internal audit functions. Our study revealed stakeholder expectations of internal audit performance
are rising as financial services institutions react to increased regulatory scrutiny and pressure. Likely
as a result of those heightened expectations, the percentage of all financial services respondents who
say internal audit provides significant value has decreased from 2014 to 2015 by approximately
14 points. As expectations and the demands on internal audit functions rise, the bar for defining
significant value also rises, forcing internal audit functions to elevate their performance in order to
continue to add value to their organizations.

www.pwc.com

Our organization is focused on becoming a digital leader, which requires constant innovation in an environment
that can easily adapt and flex. Similarly, internal audit must disrupt its conventional thinkinginnovating in
tandem with its business partners and developing centers of excellence to bring value to our stakeholders.
Jim Tietjen, Executive Vice President and Chief Auditor, Capital One Financial, USA
At a time when the sector is facing
business transformation, greater
risk, and increased pressure from
regulators, internal audits ability to
perform against expectations is of
paramount importance. Our study
shows that internal audit functions
adding the greatest value are
adaptive to their companys risk
landscape. Internal audit is actively
involved in the most impactful
business imperatives, offering a
proactive perspective on all business
risks (strategic, compliance,
financial, and operational) and
providing recommendations on how
to mitigate risks before they occur.
The majority of financial services
survey respondents report they

have not reached that level of

value. When asked to define the
contribution their internal audit
functions are providing, the majority
said their internal audit departments
were either delivering objective
assurance on the effectiveness of
internal controls (28%) or delivering
a combination of objective assurance
and problem solving by performing
analysis and offering perspective
on the root causes of issues (37%).
PwC introduced in the survey the
concept of trusted advisor two years
ago. In this years survey, just 10%
of financial services respondents
identified their internal audit
function as being a trusted advisor,
providing value-added services and

proactive strategic advice for the

business well beyond the execution
of the audit plan (Figure 1).
However, in line with the
companys heightened expectations,
stakeholders and CAEs alike expect
to evolve to be a proactive
contributor to business initiatives.
Within the next five
years, the majority of financial
services stakeholders and CAEs
(54%) expect internal audit to move
up the value spectrum and become a
Trusted Advisor.

Figure 1
2015 Current
perception of
internal
audit value

Expected
internal
audit value
in 5 years

Trusted advisor 10%

54%

Insight
generator

23%

28%

Problem solver

37%

11%

Assurance
provider

28%

2%

2015 State of the Internal Audit Profession study

www.pwc.com

To add significant value and become

a trusted advisor, an internal audit
department must look beyond
effective and efficient execution of
the audit plan in order to incorporate

other value-added services, including

providing strategic advice. When
asked what would enable internal
audit departments to contribute at
that strategic level, financial services

respondents identified the following

critical areas: risk focus, business
acumen, talent, alignment across
the lines of defense, and use of data
analytics (Figure 2).

Figure 2: Top factors enabling internal audit to contribute to strategic initiatives

Risk focus

Business acumen

Talent/Resource skills
Alignment with ERM, other lines
of defense
Use of data analytics
0%

20%

40%

60%

80%

Percent of respondents rating each area as a significant enabler

Finanacial Services

Management and audit committee

support is clearly imperative if
internal audit is to raise its
performance and value. That support
also ranked high as an enabler of
internal audits success. In large part,
such support will be achieved if
internal audit executes well across
the identified focus areas. That is,

Global -all industries

internal audit needs to (1) be

forward-thinking and risk focused,
(2) demonstrate understanding of
the business through a diverse team
of professionals, and (3) align with
the organizational risk management
framework. That increased support
will also result in management and
the audit committees call for

internal audits input on a more

frequent and strategic basis. Thus,
progressing in those high-priority
areas is fundamental to internal
audit remaining a valuable
contributor to the business and
keeping pace with the rapidly
changing financial services industry.

2015 State of the Internal Audit Profession study

www.pwc.com

Focusing on the right

risks at the right time
In our survey, 85% of financial
services companies reported their
internal audit function performs well
in focusing on the critical risks and
issues the companies are facing, yet
when asked about internal audits
role in their transformational
initiatives, financial services
respondents reported that internal
audit is not always involved (Figure
3).

For example, most financial services

internal audit functions are involved
in increasing their companies risk
management and compliance
capabilities, which is important given
the expectations of regulatory
requirements such as the Volcker
rule in Dodd-Frank. However, less
than half are involved in growth
initiatives such as developing new
products and services and increasing
sales and marketing activities.
Internal audits involvement in these
areas is also important.

For example, given the heavy focus

on antimoney laundering (AML)
compliance requirements, internal
audit needs to be involved in new
products and services, with a process
in place to understand such new
offerings and provide insight on new
AML risks. Internal audit functions
that are involved in sales and
marketing discussions are providing
advice on emerging regulatory risks
and controlscritical given the
uptick in consumer regulations
within the sector.

Figure 3: Top financial services initiatives and internal audits involvement

Implementing privacy and security controls

Increasing risk management or compliance
capabilities
Focusing on cost reduction and/or learn initiatives

Developing new products and services

Increasing marketing and sales activities

0%

10%

Internal audit is involved

20%

30%

40%

50%

60%

70%

Company is undertaking the initiative

2015 State of the Internal Audit Profession study

www.pwc.com

The survey data also shows that

financial services internal audit
functions that are adding significant
value are not just involved in the
initiatives but also engaging at the
optimal time in the process to be able
to focus on strategic risks ahead of

risk occurrence. More than twothirds of these highly valued internal

audit functions get involved in
transformational initiatives early,
providing a proactive perspective on
controls before risk occurrence
(Figure 4). That compares with just

15% of all other financial services

internal audit functions. This
represents a marked difference in the
ways valued internal audit functions
are operating relative to their peers.

Figure 4: How financial services internal audit functions are participating in transformational initiatives
Financial services internal audit functions contributing significant value

12%

All other financial services

internal audit functions

Providing a proactive perspective and

recommendations on internal control
before risk occurrence

3%

Identifying risk during the annual risk

assessment process

46%

16%

22%
68%

Auditing processes and controls for

mitigating risk once they are in place, but
before risk occurrence
Auditing processes and controls for
mitigating risk after risk occuerence (in
response to risk occurrence)

To continue elevating both strategic

and proactive involvement, audit
functions that contribute significant
value look for opportunities to
partner with the business outside of
audits and to increase trust through
such activities as helping the
business prepare for regulator

examinations. Additionally, those

internal audit functions look for ways
to innovate and to disrupt their
conventional thinking. They are
creative in their approach and keep
an open mind toward new methods
and technologies so as to better
address todays growing stakeholder
and regulatory expectations.

15%
17%

If internal audit says it is

going to learn business
acumen, it will fail. Internal
audit needs people who will
train themselves by digging
into the details, and that starts
with intellectual curiosity.
Intellectual curiosity is key.
Ninette Caruso, Chief Audit
Executive, Genworth Financial,
USA

2015 State of the Internal Audit Profession study

www.pwc.com

Elevating talent and

business acumen
Sourcing and developing internal
audit talent are continuing battles in
the financial services industry.
Internal audits performance in this
area dropped by 15 points from 2014
to 2015: from 68% performing well
in obtaining, training, and/or
sourcing the right talent in 2014 to
53% performing well this year.
Despite all of the change the industry
is undergoing, many financial
services internal audit groups are
comprised primarily of traditional
internal audit skills. Financial

controls, general information

technology (IT), compliance, and
business continuity are all skills that
the vast majority of financial services
internal audit departments possess
internally (Figure 5).
Internal audit functions providing
significant value have a mix of talent,
recognizing that nontraditional
backgrounds bring different and
valued perspectives. In areas where
internal audit might not have deep
experiencesuch as model
validation, data, credit, liquidity, and
market risksinternal audit tends to
turn to third parties for specialized

skills. Many find cosourcing an

effective way to gain access to a
variety of talent and technological
capabilities. Further, financial
services internal audit departments
we interviewed are expanding their
use of data analytics and elevating
their data skills across all auditors.
Survey results indicate that nearly
two-thirds of financial services CAEs
believe their internal audit
departments already possess data
analytics skills. Of those who say they
dont possess those skills, just over
half plan to build them internally,
and 12% plan to fill the gap by using
third parties.

Figure 5: Skills currently possessed by internal audit departments in financial services

Financial controls
Compliance (including fraud & ethics)
General IT
Business continuity
Data analytics
Data privacy
Specialized IT
0%

Internally

20%

40%

60%

Internally and through third parties

80%

100%

Through third parties

2015 State of the Internal Audit Profession study

www.pwc.com

Aligning with enterprise

risk management and
other second-line-ofdefense functions
Protecting a company from risks
presented by industry change and
reaching the elevated value expected
by stakeholders are far more possible
and more effective if internal audit is
aligned with the companys
enterprise risk management program
and other second-line-of-defense
functions, including operational risk
and compliance. However, our study
showed that only 49% of financial
services companies said they have
formal processes to aggregate and
review risk across the company.
While internal audit functions need
to remain independent of the other
risk functions, and be positioned to
evaluate their effectiveness, by
aligning their efforts where possible
and operating with a common
definition of risk, the overall risk
coverage and risk management
effectiveness are improved. Internal
audit departments we interviewed
indicated that the time is right to
synchronize the efforts of the three
lines of defense and drive
collaboration. That collaboration can
positively affect the organizations
viewpoint toward internal audit as
well as internal audits overall
relationships across the organization.

81% agree with the statement,

We do our best to determine all
the risks associated with our
growth strategy, and we focus
our efforts on mitigating risks
once weve put our plans
into action.

In considering the increased

regulations financial services
companies are facing today,
companies have sharpened their
focus on reputation risk because
news headlines routinely highlight
noncompliance. For instance, with
new legislation and regulations in the
US such as OCC Guidelines
Establishing Heightened Standards
for Certain Large Insured National
Banks, Insured Federal Savings
Associations, and Insured Federal
Branches legislation at the forefront
of management and internal audit
focus, leading internal audit
functions in the US we interviewed
are coordinating with second-line-ofdefense functions to develop plans
that will validate the new
regulatory expectations.

communicate its risk appetite,

establish a well-defined personnel
management program, and have
internal audit monitor managements
alignment efforts. As discussed in
PwCs Financial Services Regulatory
Brief from February 2014, some
firms will have more difficulty than
others in enhancing their operations
so as to meet the new requirements.
Even though the new requirements
are not yet in effect, our research
indicates that as banks are
developing their plans, internal audit
departments may be called on to
assist in both performing initial
assessment of plans and certifying
overall validation of compliance
along with the second-line-ofdefense functions.
More data is not better; better
data is better.
Carolyn Chin, Audit
Committee Chair, State Farm
Bank, USA

Part 30 establishes minimum

standards for the design and
implementation of a risk governance
framework. In short, the guidelines
require management to define and

Our study also shows that among

internal audit functions adding
significant value:

92% said their companys risk

management program is fully
aligned with internal audit.

2015 State of the Internal Audit Profession study

www.pwc.com

Leveraging data to
provide direction
As business operations become more
proficient in their use of both
structured and unstructured data,
analytics are informing decisions
across the company in ways never
before considered. Whereas most
internal audit functions are
experimenting with analytics (Figure
6), those internal audit functions that
are keeping pace with their
companies in this area are more
advanced in their use of data,
including wider application across
the audit life cycle. For example,
survey results indicate there is a
desire that internal audit use data
analytics to help in its risk
assessments. And even though 52%
of financial services respondents
said they are currently using data
analytics for risk analysis, more
can be done.

Effective analytics as part of risk

analysis is an area where internal
audit can expand its organizational
role to that of a trusted advisor by
adding value beyond effective and
efficient execution of the audit plan.
Financial services companies are
starting to use data analytics in AML,
but this, too, is an area in which
more could be done. Internal audit
could also use analytics around
mortgage and credit card approvals
to find out whether the business
is redlining, following its own
guidelines on credit scores, and
more. Our research shows that highperforming functions are using data
in support of antibribery and
anticorruption by analyzing e-mails,
scrutinizing expenses, investigating
vendors, and researching other data

to target audits and test controls. In

the insurance sector, claims
processing is a high-priority area for
internal audits use of data analytics
by providing a focus for audits based
on claims denied versus claims paid
and other demographic
characteristics.
Building the right skills in internal
audit paves a critical path to broader
use of analytics by the function.
Among internal audit functions that
have the skills in place, the next step
has involved promoting creativity in
the ways analytics are being used in
audits and across the risk
assessment, planning, scoping and
reporting phases of the audit
lifecycle.

Figure 6: Internal audit's use of data analytics (all respondents)

Risk analytics
Fraud management
Compliance monitoring of operational controls
Antimoney laundering
Dashboard reporting
Customer-and revenue-related analytics
Profit and loss; pricing and profitability
Vendor analysis
Investments and trade
Customer care and customer service management
0%

20%
Currently using

40%
Not using but plan to

60%

80%

100%

Do not plan to use

2015 State of the Internal Audit Profession study

www.pwc.com

Contributing value as the

business changes
In an environment in which financial
services companies are pressured to
evolve on many fronts, internal audit
functions providing significant value
are evolving as well, thereby raising
the bar on the levels of performance
and value they deliver for their
organizations.
To make the journey, CAEs and
stakeholders begin by determining
how and where internal audit should
be contributing, with a vision that
challenges the status quo and pushes

internal audit to think beyond

standard objectives and deliverables.
That vision comes to life by way of an
internal audit strategic plan where
the functions true north is defined,
charting a path to where the function
should move, not constrained by
current limitations. This new vision
almost always begins with a mind-set
shift. As our research indicates, such
a plan will include a focus on the
right risk at the right time,
intentional and proactive
talent development, alignment
with other lines of defense, and the

use of data throughout the internal

audit life cycle.

It is important for internal

audit to have a strategic plan to
complement the audit plana
plan that focuses on what
internal audit needs to do to
continue to evolve, improve,
and deliver value to the
organization.
Karla Munden, Senior Vice
President, Chief Audit
Executive, Lincoln Financial
Group, USA

2015 State of the Internal Audit Profession study

www.pwc.com

www.pwc.com

To have a deeper conversation about how this

subject may affect your business, contact:
Jason Pett, Partner
US Internal Audit Services Leader
+1 410 659 3380
jason.pett@us.pwc.com
John Feely, Partner
Global Internal Audit Services Leader
+61 (2) 8266 7422
john.feely@au.pwc.com
Michelle Hubble, Partner
US Internal Audit Services Center of Excellence Leader
+1 309 680 3230
michelle.hubble@us.pwc.com
Princy Jain, Partner
Internal Audit Services
+1 408 817 3870
princy.jain@us.pwc.com
Thomas Snyder, Partner
Internal Audit Services
+1 646 471 4068
thomas.h.snyder@us.pwc.com
Abhinav Aggarwal, Partner
Financial Services Internal Audit Services
+1 646-471-0820
abhinav.aggarwal@us.pwc.com
Hanh Pham, Director
Financial Services Internal Audit Services
+1 646 471 7982
hanh.pham@us.pwc.com

2015 PwC. All rights reserved. PwC and PwC US refer to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member
firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information
purposes only and should not be used as a substitute for consultation with professional advisors.
PwC US helps organizations and individuals create the value theyre looking for. Were a member of the PwC network of firms, with 169,000 people in
158 countries. Were committed to delivering quality in assurance, tax, and advisory services. Tell us what matters to you and find out more by visiting us
at www.pwc.com/us.