Internal auditors around the world are bearing the brunt of a quickly changing regulatory landscape, especially in financial services, according to a new survey by Thomson Reuters.
As organizations continue to play catch-up with a shifting regulatory environment, the focus of internal audit practitioners’ roles is changing dramatically, and resources being stretched, as the function is asked to take increasing responsibility for company-wide corporate governance and reporting to the board.
Thomson Reuters Accelus surveyed more than 1,100 internal audit practitioners across Europe, the Americas, Australia, Asia, Africa and the Middle East to ask their views of the state of internal audit and the biggest challenges for the year ahead.
Respondents represented firms from a wide range of industries, including financial services, manufacturing, government, education, life sciences, energy and other highly regulated industries.
The report found that 26 percent of organizations cited fraud and corruption as one of their top three areas for time and resources, compared with only 16 percent of organizations who cited fraud and corruption last year. Legal and regulatory risk occupied the same spot as last year, although fewer organizations selected it.
Sixty-one percent of organizations’ audit committees only reported to the board on a quarterly basis, while 12 percent weren’t sure how often they reported to the board and 2 percent only reported on an annual basis.
Seven percent fewer internal auditors said that they spoke to the compliance function on a weekly basis than in 2012 highlighting the need for more effective cross-function communication. Fifty percent of auditors thought that the risk management tools they currently used either provided them with no satisfaction or left them very dissatisfied when used to conduct risk assessments.
“Changes driven by the financial crisis and implemented in the first instance by the financial services sector will, in time, permeate all sectors and set the standard for risk governance and the expected role and remit of the internal audit function,” said Mark Schlageter, managing director of governance, risk and compliance at Thomson Reuters, in a statement. “To meet increased expectations of both internal and external stakeholders, internal audit practitioners need the ability to tap greater resources as well as garner the clear support of their company right through to Board level to truly achieve success in this changing operational environment.”
Historically, the focus of internal audit has been on process-level risk assessment and assurance. While this continues to be a trend in 2013, the depth of the internal audit function is changing and its parameters are widening. The recent spate of financial scandals involving banks conducting fraudulent activities has created a much more risk-averse operational environment resulting in greater regulatory oversight as well as an increased need for risk-based assurances to be provided to the board and senior management.
As a result, internal audit practitioners are placing greater emphasis on areas such as fraud and corruption with 26 percent of organizations saying it fell into their top three areas where internal audit’s time and resources are dedicated, compared with only 16 percent last year. In addition, there has been a shift in focus towards “softer” skill sets such as monitoring activity which rose from 8 percent in 2012 to 18 percent in 2013 and highlights that certain activities, once the domain of other functions within an organization, are now being handled by internal audit.
In addition to having major implications for resourcing the internal audit function, this shift has meant that less time is being spent on other areas such as IT security and risk, which dropped considerably, from 54 percent in 2012 to 42 percent this year.
Resource constraints also mean that priorities for the internal audit function are not always able to be met. Strategic level risk management, for example, came near the bottom of internal auditors top three concerns (nominated by only 9 percent of firms); however, when asked what the top priorities should be for internal audit 36 percent nominated the activity.
The Basel Committee on Banking Supervision’s revised supervisory guidance has said that a bank’s board of directors should support the internal audit function in effectively discharging its duties, thus ensuring it is up to date and gives due weight to matters of note.
While this is the case, the Thomson Reuters survey found that in 61 percent of organizations, the audit committee only reported to the board on a quarterly basis. This highlights the need for internal audit to improve its understanding of regulation and proactively engage senior management to identify and manage issues, rather than merely conducting a box-ticking exercise. In addition, internal audit needs to develop improved channels of communication with the board, helping to ensure an efficient internal control system is in place to prevent risk and reputational damage.
Notably, one of the top three areas that internal auditors believe they will spend more time on in the coming year than previously includes reporting to senior management. This may indicate that internal auditors are reporting more to the audit committee, even though the audit committee has not increased its level of engagement with the full board.
Separately, insufficient skilled resources was expected to be the second largest challenge for organizations over the coming year, which further highlights that internal auditors are feeling pressure in terms of resources and may be unable to fulfill all of their duties, such as reporting to the board on a regular basis.
Risk management is an area that has experienced significant change in the wake of the financial crisis. Companies increasingly need more coherent and consistent risk reporting with input from internal audit, risk and compliance functions alike to ensure adequate coverage of all relevant risks.
The survey found that half of all internal audit practitioners polled said their organization has a risk management function that is immature, in development or non-existent. Respondents’ poor opinions could be attributed to organizations using inappropriate risk management tools, such as well-established IT packages that are core to a company’s corporate culture, instead of bespoke IT audit packages which will require staff training.
By working with other functions more regularly, internal audit practitioners can increase their knowledge base, maximize resources and help to present the board with a more complete picture around risk management. The interaction of internal audit with risk management functions however was found to be in decline with just 18 percent of respondents interacting on a weekly basis compared to 32 percent in 2012. Similarly, fewer internal auditors said that they spoke to the compliance function on a weekly basis than was the case in 2012.
A full copy of the report can be downloaded at
