Internal Auditors Not Giving Enough Risk Insights

CFOs and audit committee chairs are not getting enough insights into corporate risk management from their companies’ internal audit function, according to a new survey.

KPMG polled more than 400 CFOs and audit committee chairs at companies with between $1 billion and $50 billion in revenue (including more than 200 in the U.S.) to learn what insights internal audit functions are providing, and where companies believe internal audit can provide more value.

The report, “Seeking Value through Internal Audit,” highlights a gap between what audit committee chairs and CFOs want and what they are actually getting from their companies’ internal audit functions, especially in providing insights on risk management and emerging risks.

The most significant gap occurred in the area of risk management. Only 22 percent of the respondents indicated their companies receive help assessing risks and risk management practices from internal audit, while 57 percent said that type of information would be most valuable to receive from internal audit.

Only 5 percent of the survey respondents said they receive informed perspectives on emerging risks from internal audit, far short of the 36 percent who would like to receive such insights. When asked about the top five skills needed in internal audit professionals, 62 percent of respondents pointed to technology skills, reflecting the desire for a technology-enabled approach to internal audit.

Nearly half of the companies in the survey said they track risk through a compliance function, half as many through their legal function and only 9 percent through an enterprise-wide risk management function. The respondents indicated they care more about how internal audit responds to emerging risks than about what
function was accountable for risk tracking.