Internal auditors are overlooking risks

Plans for internal audits often don’t take into account some of the most common risks, such as cybersecurity, governance and sustainability, according to a new report from the Institute of Internal Auditors.

The IIA’s 2020 North American Pulse of Internal Audit, which includes input from more than 600 internal audit executives, found that many internal audit plans did not allocate any resources to certain key risk areas. Nearly one-third (32 percent) did not include cybersecurity/information technology. More than half didn’t include governance/culture (55 percent) or third-party relationships (52 percent). Ninety percent didn’t include sustainability.

The perceptions of chief audit executives about risk levels have risen dramatically over the past four years for many risk areas. The percentage of CAEs who rated cyber as a high or very high risk to their organizations jumped from 60 percent for 2017 to 77 percent for 2020. Similar increases were seen in other risk areas, with third-party relationships going from 35 to 51 percent, and IT from 39 to 59 percent.

However, audit plan allocations don’t seem to reflect that same sense of urgency. Instead they’re changing more slowly and gradually. Audit plan allocation for cybersecurity increased from 6.3 to 7.3 percent, while third-party relationships went from 3.3 to 3.8 percent, and IT dropped from 9.2 to 9 percent.

The report also found that one out of five CAEs reported that their audit functions are operating at a low maturity level, below where the internal audit function conforms to IIA standards.

However, the report does contain some good news, such as an increase in the number of women now holding CAE roles. Across virtually all types of businesses and industries, the percentage of women in internal audit leadership roles is growing. Overall, 40 percent of the CAEs who responded to the survey are female. However, the public sector is the only category for which the percentage of female CAEs (52 percent) exceeds that of males (43 percent). Publicly traded (32 percent) and privately held (34 percent) organizations have the lowest proportions of women. The report also discusses generational shifts in the profession’s top ranks. Other sections include benchmarking data on staffing, resources, hiring practices, reporting lines and more.

Separately, the IIA also announced this month that it is transferring several of its certifications in the environmental, health and safety (EHS) area to the Board for Global EHS Credentialing (BGC). The Certified Professional Environmental Auditor (CPEA) and Certified Process Safety Auditor (CPSA) certifications will now be run by the BGC. Both credentials are under the Board of Environmental, Health & Safety Auditor Certifications (BEAC) and include five specialties: environmental compliance, health and safety, management systems, responsible care and process safety.

“The IIA will continue our focus on professional internal audit credentials, particularly our flagship Certified Internal Auditor (CIA),” said IIA president and CEO Richard F. Chambers in a statement. “These offer a critical step to not only sharpen important skills and proficiencies, but also increase career advancement and earnings potential.”
