Developing a 2025 Strategic Plan of the Internal Audit Function
Kristiina Lagerstedt
VP, Audit & Assurance @Sanoma
Board member @ECIIA
Board member @Uutechnic Group Plc (Nasdaq Helsinki)

Agenda
1. Making assurance relevant to the Board and Top Management
2. Siloed vs combined functions, 3 lines of defense
3. Should Internal Audit lead the change?

What is the role of Internal Audit & Assurance?
- The Board and management need to know what is happening in the various areas of the business, and to trust that business operations and actions are heading the right way.
- Compliance activities ensure that the right guidance is in place and that it is adequately implemented (training).
- A good internal control framework assures that laws and company policies/standards are followed, that authorization limits are adhered to, and that no surprises arise from the businesses. Internal control is the responsibility of the Board and CEO (the business, 1st LoD); Internal Audit & Assurance can help in implementing and monitoring this activity and in maintaining the internal control framework.
- Reporting is the way for management and the Board to follow whether business operations and actions are successful (financial reporting, KPIs for strategic goals). Effective internal controls ensure that financial reporting is correct.

What is the role of Internal Audit & Assurance? (continued)
- Risk management facilitates a process to identify, prioritize and manage the main risks. The Board and CEO are ultimately responsible for risk in their organization.
- Investigative activities occur when issues have arisen from a whistleblower channel, from an internal audit or from other channels (Ethics & Compliance, Security, Internal Audit). There needs to be a way to take corrective actions that change the controls, or to put adequate monitoring in place, so that similar issues are prevented in the future.
- Internal audit activities are conducted to check processes and issues that are of higher importance to management or have a greater impact from a shareholder value perspective, or areas where a lack of controls or incidents of fraud have been identified. Internal Audit can also take the lead in investigation activities, working in close cooperation with Compliance and Security.
- External audit provides assurance that the financial statements give a true and fair view.

Board and top management expectations from Internal Audit and Assurance
Assurance on:
- Execution of strategy
- A view on significant and emerging risks and the mitigation of those
- Adherence to external and internal regulation (laws and policies)
- Monitoring and financial reporting
- Assurance that the right things are done
Doing the right things right

Agenda
1. Making assurance relevant to the Board and Top Management
2. Siloed vs combined functions, 3 lines of defense
3. Should Internal Audit lead the change?

History of Assurance Functions and Internal Audit
- 1941: IIA formed
- 1980s: increased focus on controls and compliance in the financial industry
- 1992: COSO Internal Control Integrated Framework
- 2002: SOX
- 2004: release of …

Second line of defense and internal audit
- Understanding the role and responsibility of each separate function (Internal Controls, Compliance, Risk Management, Internal Audit and also External Audit) is a challenge to directors serving on the Board of Directors.
- The three lines of defense model makes this clearer, but only at a high level.
- In the worst cases, siloed functions spend a lot of time arguing among themselves about their roles and responsibilities.
- From the Board and Top Management perspective it does not matter who does it, but they want it to be done in a systematic and clear way.

Current guidance from the IIA related to second line of defense tasks
- The key question is whether the Internal Audit function can work independently and objectively if it also provides support in areas relating to Risk Management, Compliance and Internal Controls.
- Combining Internal Audit and second line of defense functions is not the preferred solution from the perspective of the three lines of defense model and the auditor's independence and objectivity.
- Need to consider what is the best way to operate; this depends on:
  1) what business(es) the company operates in and how regulated those are
  2) what countries the company operates in
  3) the maturity of the assurance-related processes, and
  4) the quality of the resources
Source: IIA Netherlands, White paper: Combining Internal Audit and Second Line of Defense Functions? (2014)

Agenda
1. Making assurance relevant to the Board and Top Management
2. Siloed vs combined functions, 3 lines of defense model
3. Should Internal Audit lead the change?

Internal Audit vs 2nd line of defense functions
- In the 3 LoD model Internal Audit is expected to audit the 2nd LoD functions.
- 2nd LoD functions do not have ownership of the areas where they provide help to the business (risk and controls).
- The target for ALL of these functions is the same: to provide assurance on doing the right things.
- With fewer resources, the doing of internal controls and risk management should be pushed to where ownership belongs, the 1st LoD, and these activities should also be audited at that level.
- This approach allows Internal Audit (or Assurance functions, whatever you call them) to focus on more important areas and to deliver greater value to the Board and Top Management.

Internal audit
Internal audit definition
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal audit mission
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Core Principles for the Professional Practice of Internal Auditing
- Demonstrates integrity.
- Demonstrates competence and due professional care.
- Is objective and free from undue influence (independent).
- Aligns with the strategies, objectives, and risks of the organization.
- Is appropriately positioned and adequately resourced.
- Demonstrates quality and continuous improvement.
- Communicates effectively.
- Provides risk-based assurance.
- Is insightful, proactive, and future-focused.
- Promotes organizational improvement.

Internal Audit (or Assurance functions) in 2025
- Coordinates or leads the work of the separate assurance functions
- Based on a company risk assessment, Internal Audit and Assurance functions can be integrated in some cases
- Coordinated/joint development of assurance
- Focus on the big-ticket items from a Strategy, Risk or Board/Top Management perspective, to grow or protect shareholder value


- IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013
- IIA Netherlands, White paper: Combining Internal Audit and Second Line of Defense Functions?, September 2014
- IIA Practice Guide: Internal Audit and the Second Line of Defense, January 2016
- Upcoming changes to the International Standards for the Professional Practice of Internal Auditing