Eighty percent of chief audit executives acknowledge room for improvement with internal audit functions
London 18 July 2012: With risk, control and compliance becoming increasingly important in today’s global marketplace, a new survey of 695 chief audit executives (CAEs) and C-suite executives released by EY today reveals that 80% of organisations acknowledge that their internal audit function has room for improvement.
The future of internal audit is now report, highlights that 75% of respondents believe strong risk management has a positive impact on their long-term earnings performance and an equal percentage believe that their internal audit function has a positive impact on their overall risk management efforts.
Aligning internal audit strategy to the business
The survey identifies that the key priorities of both CAEs and stakeholders have clearly shifted from compliance and financial controls to risk coverage and business relevance. Future focus areas becoming more relevant to achieving business objectives include improving the risk assessment process and enhancing the ability to monitor emerging risks. Additionally, reducing overall internal audit function costs without compromising risk coverage and identifying opportunities for cost savings in the business were also cited.
In order to focus on risks that matter, create value and help the organisation achieve its objectives, internal audit functions need to align their strategy to that of the overarching organisational strategy. However, 61% of respondents reported that they had no documented mandate that aligns internal audit to the organisational strategy.
Commenting on this approach, Alison Kay, EY UK & Ireland Risk Leader, said: “Internal audit can use the organisation’s overarching strategy to identify the risks that matter most in the context of the organisation’s risk appetite. Elements of the organisational strategy will vary by industry and are very specific to the business but to remain relevant, internal audit needs to use risk assessments based on the organisation’s strategic objectives.”
Improve the risk management process
Internal audit risk assessments, regulatory requirements and enterprise risk assessments are the top three drivers of the audit plan, and internal audit is playing a more prominent role in organisational issues, such as major capital projects (49%), IT systems implementations (42%), mergers and acquisitions (37%) and material contracts (32%). Technology also remains a key area of focus for internal audit functions, comprising 18% of the current audit plan.
Improving the risk assessment process is the number one priority of CAEs and stakeholders alike. Identifying risks that are truly significant to the business is the first step to effective risk management and monitoring. Today’s internal audit functions are focused on enterprise-wide risk coverage, leadership engagement and direct linkage to strategy to increase the relevance of the risk assessment.
Forty-six percent of respondents indicated that their internal audit functions perform annual updates, or none at all, leaving themselves unprepared for events that could crop up throughout the year including transactions, new product launch or retirement, new market entry, patent expiry and litigation.
Assess skills and manage talent
Nearly one-fifth of respondents indicated that they would like to see improvements to internal audit reporting by putting issues into perspective relevant to the risk and identifying trends. Thematic audits are one way of doing this and are making resurgence as stakeholders increasingly want to know the implications, magnitudes and insights that audit findings convey.
As the role of the internal auditor evolves and stakeholder expectations rise, internal audit functions increasingly require competencies that exceed the more traditional technical skills, such as the ability to team with management and business units on relevant business issues.
When asked which areas of the respondent’s internal audit function had defined competency plans for staff development, 58% indicated a plan for technical internal audit skills, 54% have a plan for business or industry acumen and only 47% have a plan for business management and leadership. Surprisingly, 8% indicated no defined competency plan at all.
Two main approaches that internal audit functions can take to attract the right capabilities include an auditor rotation program across business units or functions in other parts of the organisation and a guest auditor program for high-performing employees from other parts of the business to gain internal audit experience.
Kay summarises: “With the right internal audit-focused strategy in place, internal audit can add value to the business by becoming strategic advisors, identifying efficiencies across the enterprise, supporting key business initiatives and quantifying internal audit’s return on investment.The future of internal audit is not on the horizon. It’s here and internal audit functions need to act now to remain relevant to the business, or be left behind.”