Emerging Expectations for Alignment of Internal Audit and Risk Oversight

With companies trying to find different ways to increase shareholder value and increase the attractiveness of the company to investors, senior executives, especially Chief Risk Officers (CRO’s), are looking at different ways to add value through better risk oversight.

This study conducted by PricewaterhouseCoopers, LLP establishes five distinct trends that are developing in regards to risk oversight and likely to have the greatest impact on internal audit. Data was compiled from survey responses from chief audit executives (CAEs) among Fortune 250 companies. Noted trends include globalization, changes in risk management, advances in technology, talent and organizational issues, and changing internal audit roles. By 2012, internal audit and risk mitigation will be interrelated for many companies and will be a continuous function instead of one that is performed on a periodic or annual yearly basis. The report argues that internal audit functions within organizations are at a crossroads. They can continue to do what they are doing today or they can embrace a more continuous focus on providing risk management assurance to better align itself with the organization’s desire to mature its risk management functions.

A continuous risk oversight process allows companies to create specialized audits and programs to help strengthen internal controls and mitigate many risk areas for the company. Also, it allows companies to be able to solve problem areas that arise on a more timely basis. To meet this greater focus on risk management assurance, internal auditors will need to develop a risk-centric mindset instead of having a controls mindset. This will put more pressure on internal auditors because they will now need to be more conceptual and see the big picture of the business and less focused so much on individual controls for the company.

Impact of Globalization

Companies are already extensively focused on growing internationally and outsourcing many functions. By 2012, China and India are expected to be even more powerful economic centers than they are now. Along with the dominance of China and India, the globalization of securities markets along with the development of international accounting standards will require companies to think about risk on a global level and not just focusing on risk in the United States. In the survey, almost 75% of respondents stated that globalization will have a moderate to strong impact on the functions of internal auditors.

Companies will have to spend a lot of time and education to develop internal auditors with the skill set necessary to examine risks associated with globalization. There is also concern for many chief audit executives (CAE’s) about the ability of small internal audit groups to handle the many functions associated with assessing the global risk of the company. As companies begin to increase their presence internationally, they will also need to take into account whether they need a centralized internal audit practice or one with numerous locations that house various internal audit roles.

Changing Internal Audit Roles

As risk becomes more of the focus within organizations, internal audit time will be more devoted to risk management, fraud, internal controls, and process flows. Technology will be the more significant trend to affect the auditors’ time along with new regulations, risk management, corporate governance, and ethics and compliance. Technology advances will assist internal audit in developing a continuous process for monitoring risk within the company, which in turn will also increase the responsibilities for those in internal audit.

With the changing roles for internal audit and the structure of companies Sarbanes-Oxley compliance is expected to remain at the same level or decline by 2012. With CAE’s becoming more focused on technology and how it affects the company, many more roles/job functions will be developed for people with an IT background. This will provide many professionals with the opportunity to broaden their skill set and work in different areas as well as increase the number of jobs available for those looking to work in internal audit.

Changes in Risk Management

As risk oversight evolves from a periodic to a real-time, continuous process, audits will become more developed and will have to follow a similar approach. Audits will now be able to be done on an as needed basis instead of on a strict timeline. Internal auditors will now be able to establish key risk indicators (KRIs) to monitor risk conditions. In 2012, the audit planning
process will focus more on an annual risk assessment rather than a hope that a future risk assessment plan might be developed in a few years.

Talent and Organizational Issues

By 2012, CAE’s will be focusing major efforts on finding talent that has the skills to understand organizational risk as a whole. However, there is an issue with companies having the resources available to acquire new talent. CAE’s are really concerned with finding talent that is able to detect fraud along with analyze risk data. Data mining will be a key function of new hires in the future.

Technological Advancement

Technology will affect the functions of internal auditors the most in the years to come. Technology risk is one of the key areas that will cause great concern for companies. Therefore, companies plan on keeping a separate IT department to meet the upcoming technological needs.

Solution Section Strategies

It will be very important for companies to begin playing and taking the initiative to begin moving towards a risk-centric business structure in the upcoming months. CAE’s should begin aiding internal auditors with the skills necessary to assess risk along with examining internal controls.

Click to download full report.

Citation: “Internal Audit 2012” PwC. Dec. 31, 2007.