Internal auditors urged to look at emerging risks
Internal auditors should not be deterred by regulatory reforms, but need to give extra scrutiny to risks in areas such as corporate communications and environmental, health and safety regulations, according to a new report.
The report, from the Institute of Internal Auditors, encourages auditors to look more closely at four often-overlooked risk areas. In addition to company communications and environmental, health and safety risks, internal auditors should also devote attention to internal audit’s use of data analytics and the interpersonal dynamics between internal audit and the clients it serves.
Information shared with investors, customers and other stakeholders through means other than financial statements can have an impact on an organization as much as a glaring error in a 10-K report, the IIA noted. According to the IIA’s 2017 North American Pulse of Internal Audit survey of more than 500 chief audit executives, internal audit directors and senior managers, 66 percent said they have high concerns about reputational risks associated with inaccurate, incomplete or misleading information.
However, only 9 percent provide assurance in this area other than internal audit’s review of formal financial reports. In addition, 20 percent of the survey respondents indicated they are not aware of any assurance being provided on non-traditional communications.
In terms of environmental, health and safety risks, the IIA noted that in 2015, U.S. organizations paid more than $13.3 billion in EPA and OSHA fines. However, less than half of the chief audit executives who responded to the survey said they include EHS risks in their audit plans.
The use of data analytics by internal audit is on the rise, with more than 9 out of 10 respondents saying they include data analytics in their audits. More than 4 in 10 indicated they “always” or “frequently” use data analytics in their audits, according to the survey. But more than half the survey respondents indicated poor analytics design led to extra work and inefficiency that probably could have been avoided through proper planning and resourcing.
Negative exchanges between internal audit and its clients can also hurt the effectiveness of the internal audit functions. Half the survey respondents said a negative exchange could have an impact on the ability to conduct an audit (with 50 percent of them saying yes or maybe).
The IIA report, Courageous Leadership: Instilling Confidence from Within, urges internal auditors to examine these frequently overlooked risk areas. It could instill more self-confidence in internal auditors and increase confidence from management and the board in the internal audit function.
“Courage is a character trait top audit leaders will need to exhibit not just in dealing with the evolving risk landscape, but also in addressing areas that may be taboo or historically overlooked,” said IIA president and CEO Richard F. Chambers in a statement. “We believe this demonstration of fortitude by CAEs will help build a poised and assertive audit function that is valued by stakeholders and benefits the entire organization.”