26 There’s no reward without risk — EY’s global governance, risk and compliance survey 2015 | 27 Survey findings | Embed Internal Audit’s evolving role • Internal Audit is moving away from overseeing the risk management program to an assurance/advisory role that enables it to assess the effectiveness, efficiency and reliability of the organization’s risk management program. • As a result, Internal Audit can determine the extent to which it can leverage the work of others. • This, in turn, can enable Internal Audit to adjust its scope to focus more of its efforts on the risks that matter, including strategic risks. 1. Enhance ability to identify and assess emerging risks 2. Better leverage the work of other risk/control/compliance functions 3. Enhance reporting to present findings in perspective to the risks 4. Maximize usage of technology to reduce costs and improve risk coverage 5. Increase usage of data analytics Top five opportunities for Internal Audit in 2015 90% of respondents say risk management oversight is provided by someone other than Internal Audit. 46% of respondents say Internal Audit leverages the work of others today. 72% of respondents say Internal Audit will leverage the work of others in three years. Optimizing functions and processes Organizations need to establish a structure in which it can efficiently and effectively execute its risk strategy. Percentage of coordination among risk management functions 21 67 Well Somewhat Minimal None 52 25 21 4 5 1 The appropriate operating model, talent, skillsets and risk management policies and processes enable the smooth execution of risk response activities. Respondents identified the following as the most important skills or experiences required to enhance their risk functions: 1. Risk management 2. Business strategy 3. Critical/analytical thinking 4. Regulatory compliance 5. Process improvement Risk management policies and processes are integral to: • Influencing behaviors • Coordinating activities • Establishing communication protocols • Facilitating risk reporting Today In 3 years Our global governance, risk and compliance survey 2015 was conducted between February and March 2015: it asked how well organizations are managing risk and what they need to do to better manage the risks that drive performance. Almost 1,200 members of the C-suite, board audit committees and various assurance and/or compliance executives participated — representing major industries in 63 countries around the globe. The majority of the survey responses were collected during face-to-face meetings: when this was not possible, the questionnaire was completed online. We thank all participants for their invaluable insights. Survey methodology Respondents by number of employees 1,196 respondents 63 countries worldwide 25 industry sectors Profile of participants Respondents by industry sector Automotive and transportation 77 Banking and capital market 146 Cleantech 4 Consumer products 121 Government and public sector 72 Health care 46 Insurance 49 Life sciences 32 Media and entertainment 29 Mining and metals 46 Oil and gas 53 Power and utilities 90 Real estate 21 Technology 73 Telecommunications 48 Wealth and asset management 20 Other (please specify) 269 Respondents by roles/titles Board of directors member — audit committee member 15 Board of directors member — risk committee member 6 Chief executive officer or president 18 Chief financial officer (or equivalent) 62 Chief information officer 13 Chief risk officer 127 Chief audit executive 648 SOX/compliance leader 57 Other (please specify 250 Less than 1,000 320 1,000 to 5,000 293 5,000 to 15,000 235 15,000 to 50,000 188 50,000 plus 160 Key: EMEIA 556 Americas 411 Asia-Pacific 214 Japan 15 Respondents by area Respondents by total annual company revenue Key: More than US$50 billion 55 US$1 0 — US$50 billion 174 US$1billion — US$10 billion 393 US$100 million — US$1 billion 248 US$10million — US$100 million 95 Less than US$10 million 198 Government, nonprofit 21 Not applicable 12