A new survey of internal auditors finds that they are most concerned about improving their mastery of IT risks and global accounting standards, but seem to be less worried about their expertise in enterprise risk management.

So say the results of the 2010 “Internal Audit Capabilities and Needs Survey,” conducted by consulting firm Protiviti, which polled more than 700 chief audit executives in the public, private, government, and non-profit sectors. Respondents were asked to rate their competency on more than two dozen areas of technical knowledge. Topping their concerns were the Guide to Assessment of IT risk (which also topped the 2009 survey) and the transition to International Financial Reporting Standards.

U.S. securities regulators are considering whether to adopt IFRS in this country, but any firm decision is still at least a year away. Regardless, the Protiviti report stressed, any move to scrap U.S. accounting standards for IFRS will have profound implications for a business well beyond the accounting department.

“As a result, internal audit functions undoubtedly will need to be engaged not only in the IFRS transition but also in ongoing reviews of these areas that will have many new processes, controls, and procedures in place for reporting under IFRS,” the report said.

The XBRL financial reporting language and ISO 27000, the certification standard for information security, were two other concerns ranking high on audit executives’ minds; ISO 27000 has been among the top five areas of improvement for three years running. COBIT, another framework to measure IT risks and controls, also made its debut in the top five this year.

During an April 15 Webcast discussing the study’s results, Scott Graham, a managing director at Protiviti, recommended that other companies use the survey data as a benchmark to compare their own competencies and weaknesses. The key lesson is that “if you’re not up to speed in these areas, get up to speed,” he said. “The auditing of IT processes and activities within organizations is—or should be—among the highest priorities for today’s internal audit departments, particularly given IT’s purpose as a critical enabler of virtually all business functions.”

In contrast, enterprise risk management dropped from fourth place on the worry list last year to 10th this year. Bob Hirth, also a managing director at Protiviti, speculated that the drop might be a function of the survey’s timing: It was conducted in the fall of 2009, before the Securities and Exchange Commission adopted new proxy disclosure rules that make risk management a top priority. Had the survey been done today, he said, ERM would probably have ranked in the top five.

Changes to IIA Standards

The Protiviti study also captured auditors’ worries about competency with the Institute of Internal Auditing’s new professional practices framework, which was published in 2009. That framework includes six new standards covering topics such as assessing fraud risks, assessing IT governance, avoiding direct responsibility for risk management (which should be left to business managers themselves), and more.

The study found that the framework changes are proving “challenging for the internal audit function to implement,” said Basil Woller, owner of Basil Woller & Associates and a board member of the IIA.

The IIA’s new standard for auditing IT governance was poll respondents’ highest concern. That’s not surprising, the report said. “Historically, IT governance has not been an area of focus for many departments, and as such the skills and capabilities to address this risk may not be fully resident within the department,” the report said. At the same time, Woller noted, the ever-growing reliance on technology has made addressing IT governance all the more important.

Standard 1312, which requires an external review of the internal audit function at least once every five years, was another high concern in the Protiviti study. According to results from the study, most organizations have not completed an external quality assessment as the Standard requires—which means, Hirth stressed, that internal auditors cannot say their work has been done in accordance with IIA standards.

An external quality assessment review can be completed in three ways: a third party can visit and do the entire assessment; a group of at least three peers can follow a peer-review approach; or a company can do a self-assessment and then hire a third party to validate the results.

Woller did note one oddity in the Protiviti survey related to external reviews: Chief audit executives in the survey rated the need to improve external assessments higher than all respondents as a whole. That differs from his experience, Woller said, which has been that audit executives are sharply aware of the need for quality assurance programs with both internal and external components.

Woller and others did concede that some businesses might wonder why they need to perform a quality assurance review at all, and they stressed that companies cannot be punished if they don’t do one. Instead, Woller urged, companies should focus on the overall benefits to the internal auditing program and on how to demonstrate to stakeholders in the organization the value of doing one.