Research Identifies Opportunities for Internal Auditors to Provide Greater Insight to Their Organizations
The Institute of Internal Auditors Research Foundation (IIARF) has recently released a new report examining the prospect for internal auditors to make meaningful contributions to the organizations they serve by providing insight into organizational risks and opportunities.
Based on a 2011 survey of 358 chief audit executives (CAEs), board members, and senior management from organizations in 39 countries, as well as in-depth follow-up interviews, Insight: Delivering Value to Stakeholders provides a global snapshot of stakeholders’ views on whether internal audit should and is delivering insight, and with what regularity.
“The value of the internal audit activity is in its ability to provide objective assurance and insight on the effectiveness and efficiency of governance, risk management, and internal control processes,” explains IIARF Vice President Margie Bastolla, CIA.
“And although there is extensive reference material available to support the assurance and objectivity aspects of the function, there’s an opportunity for The IIARF to provide more detailed knowledge about the topic of internal audit insight.”
With that in mind, The IIARF commissioned research to gain an understanding of how CAEs and key stakeholders view the current state of insight delivery. Researchers also explored key enablers or hindrances to insight delivery and provide suggestions for CAEs eager to enhance the delivery of insight by internal audit.
The top five factors consistently identified as critical enablers of insight delivery are:
A strong control environment and tone at the top, where executive leadership and operating management are open to improvement recommendations.
Clear board and management expectations for value delivery.
A reporting relationship that supports the independence of the internal audit function.
A competent CAE.
An internal audit team with sufficient practical skills as well as industry and organizational knowledge to provide a pragmatic bridge between an audit process and the business management of risk.
The study also revealed a gap between CAEs’ perceptions of how the internal audit activity provides insight versus stakeholders’ perceptions. Specifically, 66 percent of CAEs indicated their internal audit function “always or frequently” provides insight, whereas only 61 percent of board members believe their organization’s internal audit function always or frequently provides insight. That number drops sharply for senior management executives: A mere 38 percent believe their internal auditors always or frequently provide insight.
In the interviews, board members consistently identified the importance of internal auditors having strong information technology (IT) knowledge and experience. This partially sheds some light on the differences in opinion between board and executive stakeholders regarding internal audit’s actual delivery of insight “frequently” or “always.”
During research interviews, board members expressed they value the assurance on internal controls and risk management that internal auditors provide. They particularly value assurance on IT areas of the organization where, as board members, they generally have minimal hands-on experience.
Executive stakeholders felt IT assurance, however, does not rise to the level of “insight” They do view as insight the advice from internal auditing on things such as a new way to approach an issue or a useful recommendation to enhance operations.”
Stakeholders expressed that an internal auditor’s lack of operating or general management experience is viewed as a hindrance to providing true organizational insights, and may cause management to reject an internal audit analysis or recommendation.
“We hope CAEs use the information provided to thoughtfully self-assess their functions, consider the applicability of the examples provided by other CAEs, discuss expectations with their stakeholders, and ultimately strive to enhance insight delivery within their organizations,” says Deloitte & Touche Internal Audit Partner Patricia Miller, CIA, who co-authored the report.
If there is one take-away CAEs should glean from the study, she says it is this: “You have to be proactive, well-informed, articulate, business- and management-knowledgeable, and sometimes a courageous leader to demonstrate insight delivery to your stakeholders.”
The IIARF report indicates an opportunity for internal audit practitioners to bridge the gaps and provides workable guidance and recommendations. It outlines five “next steps” for CAEs to enhance insight delivery:
Meet with your stakeholders routinely.
Consider the importance of reporting relationships and sufficient organizational independence.
Align the internal audit mission and focus with the agreed expectations.
Refocus your internal audit approach to agree with the mission.
Assess your leadership skills and communication style.
Researchers also found a statistically valid relationship between certification and insight delivery. Those CAEs with more than 50 percent of their staff holding a certification were more likely to agree that their internal audit organization delivered insights, and did so more frequently than those who had fewer certified staff members.