Study: Internal Audit Needs to Expand Its Horizons

Internal auditors have long known in their gut that they had to take more initiative in identifying and helping to prevent enterprise risks. Now they have some long-awaited affirmation—you might even call it a mandate—to take their companies and their profession down that new path.

The Institute of Internal Auditors last week unveiled the full results of a global study that declared internal auditors are, or at least should be, broadening their focus from internal controls and traditional assurance tasks to the bigger issues of risk and governance. The study polled 13,000 internal auditors in more than 100 countries plus some of internal audit's important audiences, such as CEOs and audit committee members. The goal was to determine where the expertise and resources of internal audit can provide the most value, as companies around the world recover from an economic crisis touched off in large part by unidentified, unmanaged risks.

The message was clear, says Richard Anderson, a professor at DePaul University and one of several study co-authors: “Internal audit is shifting its focus and resources to look at more areas around risk, risk management, and corporate governance,” he says. “Internal auditors are not abandoning their very heavy focus on internal controls, but people are starting to think about the different skills and resources they need as they broaden their focus on these other areas.”

The survey found that 80 percent of internal auditors globally expect to spend more time on risk-management activities in the coming five years, and 23 percent expect to give greater attention to corporate governance reviews during the same period. About half of the respondents expect to recruit more staff in the coming years to expand the audit function's expertise into the operational aspects of the business, risk analysis, and control assessment techniques, especially those relying on technology and automated tools.

The results of the survey prompted the IIA to produce six separate reports, each one giving chief audit executives practical ideas for steering in this new direction. The first five reports cover the characteristics of an internal audit activity, the core competencies of internal auditors, how to measure the value of internal audit, where the profession is headed in the future, and how the profession should adapt itself to the new expectations. The sixth report focuses exclusively on the perceptions of internal audit stakeholders in the United States, to give CAEs some deeper insight into what their bosses are expecting from them.

Internal audit departments in different companies and different cultures are at varying stages of answering the call for more focus on risk management, Anderson says. The six reports will contain something for any audit shop along that continuum, he adds.

“We're stressing to chief audit executives to sit down, go through this, and focus at a high level on the themes and the imperatives,” he says. “And if you think you're far along, fine; then move further. Now is not the time to sit back on our laurels and become complacent about what we've been doing the last few years.”

Some trends in the internal audit profession could prove challenging to auditors eager to move up the value chain and grab a seat at the executive table. For one, the survey found that internal auditors are getting younger: The portion of internal auditors aged 26 to 36 grew from 11 percent in 2006 to 30 percent in 2010. On the other hand, indications are that internal auditors now enter the profession with more training; a greater percentage have advanced degrees; and more candidates are graduating from college with a major in internal audit.

“Now is not the time to sit back on our laurels and become complacent about what we've been doing the last few years.”

—Richard Anderson,

Professor,

DePaul University

The Right Direction

Paul Sobel, vice chairman of professional development for the IIA, and a chief audit executive for a global corporation, says the conclusions for him didn't contain any new revelations, but some affirmation that the profession is heading in the right direction. “It helps reinforce that we really have an opportunity to be a more integral part of our organization's success,” he says. “It gives me a lot of confidence that we're headed in the right direction, but we still have a long way to go to optimize the value we can add.”

Sobel was particularly intrigued by the report's suggestion that internal auditors need to brush up on their networking and communication skills so they can be more engaged with their audit committees and chief executives and take on a more advisory-like role in helping identify and manage risks. It's a departure from the compliance-driven focus that internal auditors have honed in recent years in response to the Sarbanes-Oxley Act, but it's not a stretch for the profession, he says.

IIA FINDINGS

The IIA Research Foundation provides the following summary of results from its global internal audit poll:

Competence and Skills

1. In the wake of the turbulent global economy and the impact on financial markets and corporate viability,

CAEs, internal audit staff, and managers identified three of the top five competencies as:

Communication skills (including oral, written, report writing, and presentation).

Problem identification and solution skills (including core, conceptual, and analytical thinking).

Keeping up to date with industry and regulatory changes and professional standards.

2. Understanding the business ranked as the most important overall technical skill in both the 2006 and

2010 surveys.

It is the top technical skill for management and CAEs and the third most important technical

skill for internal audit staff. This response is consistent with the 2006 and 2010 survey rank of

risk analysis and control assessment techniques as important technical skills because a solid

understanding of the business is essential for internal auditing to effectively identify emerging risk

and control issues.

3. CAEs indicate the ability to promote the value of the internal audit as the most important competency

for them to perform their work.

4. The results indicate that keeping up to date is now considered very important at all three professional

levels — not just at the CAE level.

Keeping up to date was the third most important competency for CAEs in both the 2006 and 2010

surveys. For internal audit staff and management, keeping up to date moved from about the bottom

one-third of competencies in 2006 to the fourth highest ranked competency in 2010.

5. Communication skills ranked as the top overall general competency for both the 2006 and 2010 surveys.

Based on the survey results, the general competency rankings for all industries are consistent with

the overall general competency rankings.

Knowledge Areas and Audit Tools

1. In terms of core knowledge areas, survey results for 2006 and 2010 are similar, indicating the continuing

importance of internal auditors possessing knowledge of auditing, internal audit standards, ethics, and fraud

awareness.

2. In 2010, enterprise risk management (ERM) replaced technical knowledge by industry as the fifth

ranked knowledge competency.

The higher knowledge ranking for ERM is consistent with the technical skill common core

competency of risk analysis and control assessment techniques. It also aligns with the most

currently used (and predicted increase in usage in the next five years) audit tool or technique on an

engagement—risk-based audit planning techniques—as indicated in the 2010 survey. Knowledge

of ERM helps the internal auditor effectively apply risk analysis and control assessment techniques

and risk-based audit planning techniques.

Source: The IIA Research Foundation.

“Internal auditors get to see an awful lot of aspects of the company, and they do develop insights that can be quite valuable,” he says. “Too many internal audit functions in the past have stayed in their comfort zone. I'm hopeful this is a call to action to get out of that comfort zone.”

On their face, the IIA findings also sounds like a departure from the messages preached in recent years about auditors remaining objective, but Sobel doesn't see it that way. Professional standards provide some guidance on remaining objective, he says, but don't prohibit auditors from serving as advisers or consultants. “Management still owns the risk and the actions to mitigate the risks, but when you get into the standards, there is nothing wrong with giving advice,” he says.

Like Sobel, Kathleen Swain, senior vice president of internal audit at Allstate, finds the results of the study to be affirming. “My first reaction was validation that we had read the environment correctly and we are heading in the right direction,” she says. She too was struck by the emphasis on the importance of better communications and relationship building with the audit committee. “It is important to grow the conversation, not just maintain it at the level it is at,” she says.

Some bad news for internal auditors: They generally believe they're doing a better job at meeting these new objectives than CFOs and audit committee members do. 

Dan Bolger, senior manager with Deloitte, says individual auditors need to better understand what their specific audit committees and chief executives expect; those expectations may not necessarily align exactly with the study results. “The big takeaway is to make it a priority to understand and learn the expectations of your own stakeholders,” he says. “We saw some results where some internal auditors weren't aware of their stakeholder expectations. That's not good.”

Rob Kastenschmidt, national leader for risk advisory services at RSM McGladrey, says the focus on communication skills is perhaps most salient for internal auditors in the United States. Internal auditors need the technical skills to identify risks, but even further they need to hone their communication skills to take on a more advisory-type, forward-looking role with audit committees and management. “You need to be able to explain it, frame it, and capture the imagination of the audit committee,” he says, to inspire the higher-ups to act on what you've uncovered.