EVOLVE BEYOND THE THIRD LINE
INTEGRATING AUDIT & RISK FOR GREATER AGILITY, VISIBILITY & EFFECTIVENESS
PANELISTS
•  Patrick Potter, GRC Strategist, RSA Archer (@pnpotter1017)
•  Kirk Hogan, COO, Iceberg Networks (@KW_Hogan)
Moderator: Glen Gower, Iceberg Networks
AGENDA
1. What are today’s IA challenges?
2. Why do these challenges exist?
3. How can we evolve?
1. TODAY’S INTERNAL AUDIT CHALLENGES
•  Rapidly changing risk environment
•  Audit teams are slow, audit plans are static
•  Audit engagements are past-looking (vs. forward looking)
•  Limited budget & resources
•  Compliance-driven vs. risk-driven
WHAT POSES THE GREATEST CHALLENGE?
Source: KPMG’s Audit Committee Institute – “Is Everything Under Control?” 2017 Global Audit Committee Pulse Survey
•  41% Effectiveness of the risk management program
•  34% Legal/regulatory compliance
•  28% Managing cyber security risks
•  28% Maintaining the control environment
•  24% Tone at the top & organizational culture
HOW CAN INTERNAL AUDIT MAXIMIZE VALUE?
Source: KPMG’s Audit Committee Institute – “Is Everything Under Control?” 2017 Global Audit Committee Pulse Survey
•  56% Expand audit plan on key areas of risk (e.g. cyber, operational, technology)
•  53% Maintain flexibility in the audit plan
•  49% Expand the audit plan on effectiveness of risk management processes
2. WHY DO THESE CHALLENGES EXIST?
•  Industry inertia
•  External auditor & regulator expectations
•  IA independence challenge
•  Heavy regulatory burden
3. HOW CAN WE EVOLVE?
ü  Integrate IA + GRC
ü  Leverage the 2nd Line of Defense
ü  Dynamic / Agile risk-driven audit plans
ü  Continuous control monitoring
ü  Data Analytics
WHAT IS INTEGRATED GRC?
•  Business Continuity Management
•  Vendor Risk Management
•  Enterprise Legal Management
•  IT Risk Management
•  Corporate Compliance
•  Audit Management
•  Operational Risk Management
Integrated risk management… recognizes the interconnected nature of operational risk across an enterprise
LEVERAGE THE 2ND LINE OF DEFENSE
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
•  Governing Body / Board / Audit Committee
•  Senior Management
•  1st Line of Defense: Management Controls, Internal Control Measures
•  2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Inspection, Compliance
•  3rd Line of Defense: Internal Audit
•  External Audit
•  Regulator
AGILITY
Source: PWC 2017 State of the Internal Audit Profession Study
“To meet business expectation, Internal Audit needs to be able to execute more agile audits. Speed and flexibility are key – getting the work done and reported quickly; less of audits running on for weeks.”
– Mike Taylor, Head of Global Internal Audit, Experian plc
AGILITY
Source: CBOK Practitioner Survey, 2015
•  63% of CAEs update audit plans no more than twice per year
•  15% have ‘highly flexible’ plans
•  31% don’t update risk assessments
•  21% deploy continuous risk assessments
BENEFITS OF AGILE IA
Source: PWC 2017 State of the Internal Audit Profession Study
•  73% change course and evaluate risk at the speed required by the business
•  63% have increased the frequency of audit plan development and modification
•  47% have increased the use of data mining & data analytics for continuous monitoring of trends and potential impacts of disruption
VISIBILITY & REPORTING
Source: Deloitte’s Global Chief Audit Executive Survey, 2016
[Chart: How will you communicate – today vs. future? Categories: Static Word Processing Reports, Static Presentations, Dynamic Visualization Tools, Dynamic Analytics Tools. Series: Today, Future.]
RECAP: INTERNAL AUDIT CHALLENGES
•  Rapidly changing risk environment
•  Audit teams are slow, audit plans are static
•  Audit engagements are past-looking (vs. forward looking)
•  Limited budget & resources
•  Compliance-driven vs. risk-driven
A GRC SOLUTION FOR AUDIT
•  Risk-based audit (prioritization)
•  More efficient audit process
•  Fewer workarounds
•  Visibility & reporting (metrics, stats)
•  Enable “self-serve”
•  Tracking of issues & findings
•  Integrate functions – audit, compliance, risk
•  Address regulator findings re: process
RSA ARCHER
•  IT and Security Risk Management
•  Third Party Governance
•  Audit Management
•  Regulatory and Corporate Compliance Management
•  Business Resiliency
BENEFITS OF AUDIT + GRC
•  Cross business lines & organizational boundaries for Collaboration
•  Define & enforce risk ownership through Accountability
•  Automate processes for Efficiencies
•  Consolidate data and enable risk Analytics & Visibility
RISK INTELLIGENCE ACADEMY
icebergnetworks.com
EVOLVE BEYOND
THE THIRD LINE
THANK YOU!
icebergnetworks.com/audit-webinar
info@icebergnetworks.com • 855-595-0808 x261

Webinar: Evolve Beyond the Third Line
