Current State of the Internal Audit Profession and Risk Oversight

The fallout from the recent financial crisis has quickly changed the way many companies operate.  Not only are businesses more concerned with consumer perception but also with cutting costs, retaining growth and embracing new IT.  Internal audit is the one branch of an organization that has the authority, knowledge and reach to identify and address significant challenges faced.  PwC found in its 6th annual assessment of the current state of the internal audit profession that while companies recognize the priorities of internal audit, there is a gap in achieving these key attributes.  This survey polled over 2,000 internal auditors from more than 50 territories around the world to capture a snapshot of internal audit today.

The primary challenge internal audit faces as it evolves is agreeing on the new role it will play and then effectively delivering on those higher standards.  The 2010 survey asked participants to rank the importance and current performance gap of the following eight attributes of high-performing internal audit functions. 

• Leverage technology effectively
• Enable a client service culture
• Promote quality improvement and innovation
• Deliver cost-effective services
• Engage and manage stakeholder relationships
• Match talent model to value proposition
• Align value proposition with stakeholders’ expectations

• Focus on critical risks and issues

This paper, published by PwC, found that the attribute that was the most important, but also had the largest area of improvement, was the ability of internal audit to focus on critical risks and issues.  Two other attributes that ranked similarly were the matching of the talent model to internal audit’s value proposition and aligning this value proposition with stakeholders’ expectations.  On the other hand, the creation of a client service culture was the least important attribute surveyed.

Risk Management

The survey also polled participants about the functions internal audit performs in support of corporate governance in their organizations.  Some of the activities that were most often performed include providing the board with an assessment of key enterprise risks and risk mitigation effectiveness, conducting investigations of ethics assessments and the code of conduct, and review and assessing IT governance.  The surveyors also point out that internal audit’s risk assessments may not provide insights into key risks that boards are looking for, indicating the need for management and directors to clearly communicate the risk factors they need to know about most. 

Other findings from the survey showed that internal auditors were developing top-down steps to further the coordination and integration of various risk and compliance functions such as defining an overall risk management policy or developing a common risk assessment methodology.  Additionally, while Sarbanes 404 and external audit had the most structured integration processes and plans in place with internal audit, Enterprise Risk Management, information security, and risk and compliance functions were most often the functions internal auditors were actively working to improve coordination.  Further investigation into what particular activities will receive increasing or decreasing attention provided interesting results.  Risk management topped the list with 91% of respondents increasing efforts and IT risks had 83% of respondents increasing efforts.  Surprisingly, 26% of respondents anticipate decreasing efforts concerning financial controls in place.

Technology and Internal Audit

With the increased need for both technical and critical thinking skills combined with the reluctance of companies to expand staffing of internal audit, surveyors considered how these new skills are being developed.  Leading organizations use an “apprentice model” or a mixed approach of both classroom training and on-sight coaching.  Surprisingly, the least likely way organizations are cutting costs or increasing efficiencies is by staffing reductions.  Instead they are increasing the use of technology and automated tools as well as simplifying and streamlining reporting. 

While the use of technology can increase efficiency, the survey finds that most internal auditors are still not taking advantage of specialized tools that are available such as data warehouse software and ERP systems.  These systems would allow internal auditors to place less reliance on other functions for reporting, yet require some technical skills in both obtaining and analyzing the data that aren’t yet housed in internal audit. 

How to Start

This survey provides a detailed look at how internal auditors can successfully tackle the challenges they are facing today and create a more efficient program.  These steps include:

1. Start with a plan including input from management and the audit committee,
2. Rethink risk assessment practices to better understand critical risks to objectives,
3. Fill the skills and capabilities gap,
4. Align with other assurance functions, and

1. Focus on obtaining Return on Investment from Technology,

Click below to download report