The great majority of chief audit executives acknowledge that the internal audit function at their organization needs to be improved, according to a new survey.
The survey, by Ernst & Young, polled 695 chief audit executives and C-suite executives and found that 80 percent of them admitted that their organization’s internal audit function has room for improvement. The
The survey noted that the key priorities of both CAEs and stakeholders have clearly shifted from compliance and financial controls to risk coverage and business relevance. Future focus areas they cited include improving the risk assessment process and enhancing the ability to monitor emerging risks. In addition, they cited reducing overall internal audit function costs without compromising risk coverage and identifying opportunities for cost savings in the business.
To focus on the major risks and help the organization achieve its objectives, internal audit functions need to align their strategy with the overarching organizational strategy. However, 61 percent of the survey respondents reported that they had no documented mandate that aligns internal audit with the organizational strategy.
“Internal audit can use the organization’s overarching organizational strategy to identify the risks that matter most in the context of the organization’s risk appetite,” said Ernst & Young advisory global risk leader Randall Miller in a statement. “Elements of the organizational strategy will vary by industry and are very specific to the business but to remain relevant, internal audit needs to use risk assessments based on the organization’s strategic objectives.”
Internal audit risk assessments, regulatory requirements and enterprise risk assessments are the top three drivers of the audit plan. Internal audit is playing a more prominent role in organizational issues, such as major capital projects (49 percent), IT systems implementations (42 percent), mergers and acquisitions (37 percent) and material contracts (32 percent).
Technology also remains a key area of focus for internal audit functions, making up 18 percent of the current audit plan.
Improving the risk assessment process is the number one priority of CAEs and stakeholders alike. Identifying risks that are truly significant to the business is the first step to effective risk management and monitoring. Today’s internal audit functions focus on enterprise-wide risk coverage, leadership engagement and direct linkage to strategy to increase the relevance of the risk assessment. Most leading organizations are also incorporating a quantitative component.
Forty-six percent of the survey respondents indicated that their internal audit functions performed either annual updates or none at all. That could leave them unprepared for unanticipated events such as transactions, new product launches or retirements, new market entry, patent expiry and litigation.
Nearly one-fifth of the poll respondents indicated that they would like to see improvements in internal audit reporting by putting issues into perspective relevant to the risk and identifying trends. Thematic audits are one way of doing this. Stakeholders increasingly want to know the implications, magnitudes and insights conveyed by audit findings.
As the role of the internal auditor evolves and stakeholder expectations rise, internal audit functions increasingly require competencies that exceed the more traditional technical skills, such as the ability to team with management and business units on relevant business issues.
When asked which areas of the respondent’s internal audit function had defined competency plans for staff development, 58 percent indicated they had a plan for technical internal audit skills, 54 percent have a plan for business or industry acumen, while only 47 percent have a plan for business management and leadership. Eight percent indicated they have no defined competency plan at all.
Two main approaches that internal audit functions can take to attract the right capabilities include an auditor rotation program across business units or functions in other parts of the organization and a guest auditor program for high-performing employees from other parts of the business to gain internal audit experience.
