Internal Auditors Face New Challenges in 2010

As corporations try to find their way out of the economic crisis and back into healthy growth, boards may be leaning more on internal audit departments to help them find the way.

A consensus is emerging among internal auditors that the problems they should be worried about revolve around operational or risk-management issues—not financial reporting and the internal controls over it, which dominated corporate governance thinking in the 2000s.

Indeed, when the IIA recently polled its members to assess their priorities for 2010, operational risks were their top worry, followed by compliance risk, the effectiveness of risk management, and cost containment. Testing for Sarbanes-Oxley compliance, like the good old days? At the bottom.

Richard Chambers, president and CEO of the Institute of Internal Auditors, calls it “another one of those turning points for internal audit.” The profession, he says, is being asked to provide a more “diversified focus”—which he readily admits is an oxymoron.

DeLoach

Events of the past several months have brought boards to a “reflection point,” says Jim DeLoach, managing director for consulting firm Protiviti. “Is internal audit a resource for stamping the Sarbanes-Oxley 404 compliance process? Or is it a consulting activity designed to add value?”

Companies have already assigned internal audit departments to identify ways to reduce costs throughout the organization, even as internal auditors suffered the same staff and budget cuts that other departments have experienced. “This forced internal audit functions to audit smarter, by leveraging technology,” said Eric Holt, a partner at KPMG who focuses on internal audit.

Departments are making greater use of computer-assisted audit technologies and are pushing to develop continuous auditing frameworks to help identify potential control and performance issues, Holt says. That, in turn, helps to identify where diminished auditing resources should go.

Like Chambers, Holt also says boards and senior leadership are asking internal auditors to move their efforts beyond financial control and regulatory compliance. Now internal auditors are supposed to provide greater insight into fraud risks, operational risks, and cost reductions, as well as to play a larger role in assessing and managing risk overall.

Gallagher

Michael Gallagher, managing director for CBIZ Risk & Advisory, puts it more succinctly: Internal auditors spent so much time on accounting and finance risks that “we ended up not auditing what management was trying to manage.”

Internal auditors spent so much time on accounting and finance risks that “we ended up not auditing what management was trying to manage.”

—Michael Gallagher,

Managing Director,

CBIZ Risk & Advisory

For that reason, many internal audit departments are reviewing their expertise and looking for personnel with knowledge beyond pure accounting, says John Peirson, managing partner with Deloitte. The financial services sector, for example, could have used more internal auditors who had a better understanding of the mortgage-based financial products that companies were buying and selling.

Risks in Focus

As 2010 unfolds, regulators continue to pressure boards to pay more attention to risk management. Various initiatives at the Securities and Exchange Commission, the stock exchanges, and even in Congress may compel boards to play a more active role.

And when that happens, Chambers says, those boards will inevitably ask their internal audit departments for help. “Management will always tell the board they have their arms around it,” he says, but internal auditors are better positioned to give boards the objective assurance they will need.

DeLoach stresses that boards and management will always have ultimate responsibility for identifying risks and establishing the company’s risk appetite. But internal audit can play a greater role in assessing risks—especially emerging risks the board hasn’t considered or doesn’t know how to handle—and in evaluating whether management’s risk-management process is effective.

“Chief audit executives recognize they are at a reflection point for the profession,” DeLoach says. “They’re staring it right in the face. Internal audit has to focus on how to raise their game.”

Peirson says he sees numerous internal audit departments more focused than ever before on identifying emerging risks, mostly by projecting the magnitude of those risks and the time horizon over which they could arise. “They’re trying to focus attention on those things that could have the greatest impact on the near horizon,” he says.

But, Peirson adds, it’s not unusual for organizations to have multiple risk assessments or risk-management processes living in different parts of the company at the same time. He sees great opportunity for internal audit departments to integrate those processes into a single risk program, so the entire enterprise is working from the same page.

Internal auditors also have plenty of room to keep pushing audit technology, especially for continuous monitoring, Peirson says. Internal auditors could better pinpoint risks that should be audited, the thinking goes, if continuous monitoring provided more opportunities to spot anomalies.

Gary Sturisky, global practice leader for risk advisory services at Jefferson Wells, says internal audit departments seem more focused than before on management of liquidity risks as a result of the economic crisis. That’s not too surprising, when you consider how external auditors these days are poring over clients’ ability to continue as a going concern; sweating over liquidity risks is the internal auditor’s counterpart to that.

IA CHALLENGES

10 Key Challenges in the Year Ahead:

Aligning internal audit coverage to meet new expectations

Realigning skills to address new requirements

Addressing internal audit’s role in assessing risk management

Leveraging technology to achieve greater efficiencies

Coping with diminished resources

Demonstrating value and adding to the bottom line

Maintaining stature with the audit committee

Developing a continuous focus on risks

Maintaining a focus to prevent and detect fraud

Source

IIA: What’s Next for Internal Audit? (2009).

“If you think back to the lessons learned, the liquidity crisis caught many companies in a lurch,” Sturisky says, so they’re doing more analysis around worst-case scenarios, data quality, cash flow strategies, and assessing whether their audit plans reflect the risk.

In a related vein, Sturisky also sees internal audit departments doing more stress-test analysis, a kind of worst-case analysis to see what the effects of any given risk might be. The idea has received lots of attention in the financial sector where crisis was most acute, but it applies just as well to companies in any industry, he says.

As Always, Fraud

And needless to say, fraud risk continues to be a sharp concern for internal auditors. Yes, Sturisky says, companies started paying more attention to fraud as the recession settled in, but that pressure doesn’t ease as companies emerge from crisis and try to get back to everyday business.

Martin

Alyssa Martin, executive partner at regional audit firm Weaver, says she sees internal audit departments encountering fewer “sacred cows” that historically were off-limits to internal audit. She sees 2010 as the year internal auditors get more control over the nature and scope of audit planning, where the managers whose work is being checked have less influence over what will be scrutinized.

Mark Plichta, a partner at law firm Foley & Lardner, says he doesn’t see his clients assigning any new duties or roles to internal audit. “In large part, for the past year or so, people have been hunkered down in survival mode,” he said. “They’re only now really coming out and starting to think about the big picture.”

Plichta

He also questions whether a new role for internal audit would have any real power to avert a future crisis. The root of the recent financial crisis lies in complex financial instruments that are beyond the expertise of the typical internal auditor, he says.

“I’m not saying companies shouldn’t do anything, but there are limits to what internal audit can do,” he contends. “This is fighting the last battle. The hard part is preventing the next problem. That’s easier said than done.”

Holt

Holt at KPMG believes a new role indeed is emerging for internal auditors, and it’s is likely to remain with Corporate America for a long time to come. Boards will be looking for objective assessment of risk management while senior managers will continue to demand reviews that will drive cost reduction and profitability, he says.

“And internal audit will continue to be asked to do more with less, which will continue to drive internal auditors to better leverage technology across all their key processes,” he says.