The latest data on the state of internal audit suggests the profession has heard the news that it is facing new expectations to take a higher-level view of risk and control, but it is still retooling to live up to them.

According to a Thomson Reuters study, internal auditors say they are beginning to shift their attention and resources toward strategic risks but are still heavily bogged down in the basic financial controls and assurance over financial reporting. “This looked globally at the internal audit function, and it confirmed on a global spectrum what we tend to see in the United States,” says Warren Stippich, national partner on governance, risk, and compliance for Grant Thornton. “Internal audit departments are generally moving in the same direction, but at different speeds.”

Roughly 80 percent of 1,100 internal auditors surveyed said assurance of internal controls consumes the majority of the department's time and resources, with IT security and risk and legal and regulatory risk ranking just below, and those numbers didn't drop significantly from the prior year. Yet internal auditors also say they are placing greater importance on areas like fraud and corruption risk, monitoring activities, and strategic risk management.

Susannah Hammond, senior regulatory intelligence expert at Thomson Reuters, says internal auditors are being asked to carry on with the assurance over financial controls as they have over the past decade or so, but also to pile on some new duties with respect to strategic risks, such as corporate governance, the quality of an organization's culture, and tone at the top. The problem, she says, is internal auditors are still trying to learn to operate in those new areas. “Those are significantly softer areas,” she says. “Where is the rulebook associated with effective corporate governance? It's a judgment call as to whether management is effective or not, and that's a really big change for internal audit.”

Jason Pett, leader of U.S. internal audit services for PwC, says the Thomson Reuters findings are consistent with other recent survey findings that suggest internal auditors are working on meeting a new mandate from regulators, boards, and industry leaders—but they're still working on it. “Internal audit functions desire to move into higher-risk, higher-value areas,” he says. “What's holding them back is capability. They continue to wrestle with first identifying what those bigger, emerging risks are, and then aligning their skills to meet the organizations where they are.”

Carolyn Saint, vice president of internal audit for 7-Eleven, says she sees internal audit functions in many organizations working to define what is strategically relevant for the organization, then trying to determine what will hinder a company's ability to achieve its strategic objectives. At 7-Eleven, for example, some key relevance factors are the fact that the company operates under a franchise model, and it is growing. “So what are the initiatives that support growth and support the franchise model?” she says. That takes the company down the path of identifying the risks that might derail its strategies.

“Internal audit functions are desiring to move into higher risk, higher value areas. What's holding them back is capability.”

—Jason Pett,

Leader of U.S. Internal Audit Services,

PwC

Bill Watts, partner in charge of internal audit for Crowe Horwath, says he sees internal auditors looking for ways to become more forward looking, even as they continue to focus the majority of their time and resources on “bread-and-butter” areas, such as assurance of compliance, financial controls, information technology, and other similar pursuits. “We know we need to move toward a practice that is focused on continuous monitoring, being more proactive and not reactive,” he says. “The question is how do we build on that?”

Tom Harper, executive vice president and general auditor at Federal Home Loan Bank of Chicago, says one of the biggest challenges facing internal auditors is the ambiguity associated with taking that kind of approach. “We are asking internal auditors to look at things where there isn't a framework to follow,” he says. “Nobody has set out the controls that have to be in place. Instead, we're trying to look at what might go wrong or look at regulations that may or may not be implemented. That's much harder for people in the audit profession to deal with. They're used to those very black and white, bright lines.”

RISK MANAGEMENT

Below are some results from the Thomson Reuters survey in regard to companies' risk-management function.

Just over 50 percent of respondents felt that the risk-management

function in their organization ranged from implemented (but requires

additional work and resources) to robust and embedded; 9 percent

of respondents felt that their organization had a robust, mature risk

assessment program, with a further 41 percent saying that while a

system had been implemented, it needed some work. This left nearly

20 percent of respondents who felt that their organizations had

immature risk assessment processes.

Australasia (62 percent) and Europe (57 percent) felt that their risk-management functions ranged from implemented (but requires

further work and resources) to robust and embedded. Africa (39

percent) recorded the weakest responses in this area with Asia (47

percent), South America (47 percent), and North America (50 percent)

also recording low scores.

The survey results showed that 9 percent of respondents' time was

spent on strategic-level risk management (a decrease of 1 percent

from 2012). Process-level risk management registered 30 percent

of respondents' time, again a decrease on 2012 results. Whereas 36

percent of respondents felt that strategic-level risk management

should be one of the top three internal audit priorities for the next

year, with 26 percent highlighting process-level risk management, 36

percent felt that strategic-level risk management should be one of the

top three priorities for the board in 2013.

Across the regions the percentage difference between those internal

auditors who were already spending time on strategic-level risk

management and those who felt they should be spending more

time was consistent. The lowest desired increase was in the Middle

East, where 25 percent of respondents felt they should be spending

more time on strategic-level risk management. This was followed by

Europe (26 percent), Asia (27 percent), Australasia (29 percent),

North America (30 percent), and South America (31 percent).

One reason for the poor opinion respondents appeared to have of their

firms' risk-management function might be that firms have not been

investing in appropriate risk-management tools (both inside the audit

function and beyond). Half the auditors surveyed thought that the

tools they currently used the most, the top two being Excel (91 percent)

and Word (78 percent), either provided them with no satisfaction or left

them very dissatisfied when used to conduct risk assessments.

Thomson Reuters has been told anecdotally that the reason more

firms do not opt for bespoke IT audit packages is that it is more

difficult for everyone to understand how to use them than it is simply

to use the well-established Excel-type packages that are core to firms'

corporate culture. It can also be a barrier when changes to software or

specialized reporting have to be processed through an IT department,

with the inherent delays and change management controls that this

incurs.

Source: Thomson Reuters.

Making Strides

There's cause for optimism, though, according to many internal audit experts. Pett believes the profession is on the right track. “When you are focused on something you tend to make progress, but it's hard to move quickly,” he says.

Saint believes the profession could make great strides if it focused some effort on leveraging resources internally and communicating more closely with other risk and control functions inside the organization. She points to some recent guidance from the Institute of Internal Auditors that tells auditors in the trenches to think about how specific duties are assigned and coordinated within organizations. The model advocated by the IIA would provide a straightforward and effective way to enhance communications on risk management and control by clarifying essential roles and duties. “I really think people will start getting behind that model,” she says. “Given that resources are always scarce, how do you better leverage what's happening inside the company?”

To be sure, internal audit has a lot of work to do. The study noted only 9 percent of internal auditors believed their organizations had mature risk-management processes. John McLaughlin, a partner at BDO USA, says companies would be wise to put more emphasis on increasing their capabilities to address risks. “You have to listen to management about what's on their mind and what they're seeing on a day-to-day basis,” he says. “Then you have to incorporate that perception of risk into how is it best to monitor that risk. Having a comprehensive monitoring capability extends beyond what the internal audit function may have.”

Stippich expects that internal audit will continue a gradual migration toward emerging, bigger-picture risks as they continue addressing the skills issue. In certain skill areas—such as IT, engineering, treasury, commodities, and environmental— it's difficult to entice the right talent to join the internal audit cause. Some companies are coping by rotating their operational professionals into the internal audit area, but that has limitations as well. “It's a struggle if you don't grow up with an audit mindset,” he says. “The documentation is pretty intense.”

Websites

We are not responsible for the content of external sites

Topics