The Institute of Internal Auditors gathered feedback from 28 chief audit executives, service providers, and regulators at a March 2009 roundtable and from 34 Fortune 100 company chief audit executives and audit directors responding to a pre-roundtable survey regarding the role of internal audit in their organizations. This article, authored by Peter L. Bernstein, discusses the findings show that internal audit is changing risk priorities and audit coverage in response to changing stakeholder expectations in the current economic crisis.
Changing Stakeholder Expectations are Prompting Audit Strategy Revisions
With changing stakeholder expectations, internal audit is taking on a more strategic role and focusing more on ERM processes and recession-related risks. Internal audit is also providing greater assurance that line businesses are accurately reporting their activities, risks, and results.
To do this, internal auditor is increasing communication with audit committees, especially regarding company risks and risk management. Internal audit is playing a more strategic role in governance and oversight, in some cases by including governance audits in audit plans. While internal audit’s position in an organization’s governance structure varies, the substance of the reporting line and relationship is key and in most cases this relationship appears strong as management is increasingly asking for internal audit’s opinion regarding strategic business issues. Internal audit is also adding value to organizations by taking a leading role in working with management and risk management groups to brainstorm and identify emerging risks.
A Broader, More Strategic Focus on Risk Is Developing
The economic crisis highlighted the need for enhanced and more focused risk management and internal audit is often being asked to head this effort. The desired approach to risk management is also shifting from a tactical to a strategic level. Key to effectively making this shift is communicating information throughout the organization because many organizations lack a centralized risk management plan so risk oversight is not connected on an enterprise wide level. There is also a need for an authoritative person or team to be in charge of organizational risk management to effectively and efficiently carry out risk management plans.
Performing an audit of organizational risk management processes is a good first step for internal auditors to take to show results from this more strategic approach to risk management. Through this process, internal audit will gain a better understanding of the organization’s business and strategic plans and be able to offer insight into the risk and control processes. Internal audit can improve risk assessments by utilizing scenario planning and by considering risk velocity, preparedness, and resilience in addition to risk probability and impact. Because internal audit is increasingly being asked to help answer questions about business strategies and risk, their communications with senior management and the audit committee are gaining credibility.
The Focus of Internal Audit’s Coverage Is Shifting Dramatically
Internal audit is proactively shifting the focus of audit plans in response to organizations’ changing risk profiles. The areas respondents most frequently indicated an increase in audit activity were operational risks (61.8%), cost and expense reduction or containment (60.6%), exposure to third parties in financial stress (58.8%), and liquidity and credit risks (52.9%).
As part of this increased coverage of operational risks, internal auditors are providing objective analysis to those charged with governance and oversight so program performance and operations can be improved. Internal audit is updating risk assessments more frequently because of the rapidly changing business environment and ensuring reputational risk is considered in economic-related plans and initiatives. Internal audit is also increasing its focus on fraud, particularly in areas with recession-related risks as part of a risk-based audit plan.
Internal audit is emerging from the economic crisis with increased flexibility, adjusting to changing stakeholder expectations and risk priorities. Internal audit priorities are shifting from a financial and compliance focus to a more operational and ERM effectiveness strategy that links the audit plan to business strategies and current risks. Respondents indicated several leading practices and strategies for internal auditors as they implement these changes:
- Increase communication with management and the audit committee.
- Renew focus on risk management and governance processes.
- Strengthen risk assessment processes.
- Operate with a more flexible and adaptable audit plan.
- Serve as a risk management educator.
- Focus on recession-related risks and activities.
- Expand fraud testing in the audit plan.
- Strengthen business knowledge.
- Strengthen relationships and communications with the organization’s other governance, risk, and control functions.
- Enhance the efficiency of audit processes.