Most Chief Audit Executives Admit Room for Improvement with Internal Audit Functions
With risk, control and compliance becoming increasingly important in today’s global marketplace, a new global survey of 695 chief audit executives (CAEs) and C-suite executives released by Ernst & Young today reveals that 80% of organizations acknowledge that their internal audit function has room for improvement.
The future of internal audit is now report, highlights that 75% of respondents believe strong risk management has a positive impact on their long-term earnings performance and an equal percentage believe that their internal audit function has a positive impact on their overall risk management efforts.
In December 2011, Ernst & Young commissioned Forbes Insights to conduct a global survey of 695 stakeholders and audit professionals about the evolving role of internal audit. Respondents included chief audit executives (CAEs), C-suite executives and board members representing organizations with global revenues of US $500 million or more and spanning 26 industry sectors.
Aligning internal audit strategy to the business
The survey identifies that the key priorities of both CAEs and stakeholders have clearly shifted from compliance and financial controls to risk coverage and business relevance. Future focus areas becoming more relevant to achieving business objectives cited by respondents include improving the risk assessment process and enhancing the ability to monitor emerging risks. Additionally, reducing overall internal audit function costs without compromising risk coverage and identifying opportunities for cost savings in the business were also cited.
In order to focus on risks that matter, create value and help the organization achieve its objectives, internal audit functions need to align their strategy to that of the overarching organizational strategy. However, 61% of respondents reported that they had no documented mandate that aligns internal audit to the organizational strategy.
Commenting on this approach, Randall Miller, Ernst & Young Advisory Global Risk Leader says, “Internal audit can use the organization’s overarching organizational strategy to identify the risks that matter most in the context of the organization’s risk appetite. Elements of the organizational strategy will vary by industry and are very specific to the business but to remain relevant, internal audit needs to use risk assessments based on the organization’s strategic objectives.”
Improve the risk management process
Internal audit risk assessments, regulatory requirements and enterprise risk assessments are the top three drivers of the audit plan, and internal audit is playing a more prominent role in organizational issues, such as major capital projects (49%), IT systems implementations (42%), mergers and acquisitions (37%) and material contracts (32%). Technology also remains a key area of focus for internal audit functions, comprising 18% of the current audit plan.
Improving the risk assessment process is the number one priority of CAEs and stakeholders alike. Identifying risks that are truly significant to the business is the first step to effective risk management and monitoring. Today’s internal audit functions are focused on enterprise-wide risk coverage, leadership engagement and direct linkage to strategy to increase the relevance of the risk assessment. As well, most leading organizations are incorporating a quantitative component.
Forty-six percent of respondents indicated that their internal audit functions perform annual updates, or none at all, leaving themselves unprepared for events that could crop up throughout the year including transactions, new product launch or retirement, new market entry, patent expiry and litigation.
Brian Schwartz, Ernst & Young Americas Internal Audit Leader comments, “No longer an annual process, the audit plan must be refreshed regularly, with triggering events and leading functions are developing a “three + nine” plan, a three-month frozen window and nine-month fluid plan.”
Assess skills and manage talent
Nearly one-fifth of respondents indicated that they would like to see improvements to internal audit reporting by putting issues into perspective relevant to the risk and identifying trends. Thematic audits are one way of doing this and are making resurgence as stakeholders increasingly want to know the implications, magnitudes and insights that audit findings convey.
As the role of the internal auditor evolves and stakeholder expectations rise, internal audit functions increasingly require competencies that exceed the more traditional technical skills, such as the ability to team with management and business units on relevant business issues.
When asked which areas of the respondent’s internal audit function had defined competency plans for staff development, 58% indicated a plan for technical internal audit skills, 54% have a plan for business or industry acumen and only 47% have a plan for business management and leadership. Surprisingly, 8% indicated no defined competency plan at all.
Two main approaches that internal audit functions can take to attract the right capabilities include an auditor rotation program across business units or functions in other parts of the organization and a guest auditor program for high-performing employees from other parts of the business to gain internal audit experience.
Miller summarizes, “With the right internal audit-focused strategy in place, internal audit can add value to the business by becoming strategic advisors, identifying efficiencies across the enterprise, supporting key business initiatives and quantifying internal audit’s return on investment.
Schwartz adds “The future of internal audit is not on the horizon. It’s here and internal audit functions need to act now to remain relevant to the business, or be left behind.”