Compliance risk is trumping even financial risk as an area for audit focus, and companies are starting to think about how to streamline compliance testing to cope with increasing, sometimes redundant or overlapping requirements.
That's the conclusion of the latest chief audit executive survey from Grant Thornton, one of several pieces of internal audit intelligence to emerge with the opening of the Institute of Internal Audit's annual general audit management conference. The 330 chief audit executives who answered the Grant Thornton survey ranked compliance risk as the most important risk for audit to focus on, even beating financial risk, which has ranked on top in prior surveys.
Warren Stippich, a partner with Grant Thornton and leader of the firm's national GRC practice, says companies are showing increasing interest in the “one-to-many” approach to compliance testing, where IT controls, for example, are tested once in a way that would satisfy multiple requirements -- such as Sarbanes-Oxley requirements, quality standards, service organization audit needs, and other purposes. “If you can go in and test once, it's a real conversation starter,” he says. Only half of the respondents to the Grant Thornton survey said they have not yet adopted such an approach.
Other new internal audit intelligence also emerged at the start of the IIA conference from PwC, Protiviti, and IIA. The IIA's Pulse of the Profession says 70 percent of chief audit executives participating in the IIA survey said they report administratively to the CEO or CFO of the organization, with an increasing number reporting directly to the CEO. The survey also found the majority of CAE officers also report directly to the full board or audit committee. That's up from 20 percent of chief audit executives who reported to the CEO a decade earlier, the IIA said.
PwC polled almost 1,100 chief audit executives, plus more than 630 related officers and directors, such as CEOs, audit committee chairs, and others. The survey found 80 percent believe threats to the organization are increasing, yet only 12 percent believe the organization is extremely effective in managing those threats. “As risks increase, internal audit's coverage of risk and performance in emerging areas is critical, which provides internal audit with an ideal opportunity to demonstrate the value of the evolving profession,” said Dean Simone, leader of PwC's U.S. risk assurance practice, in a statement. “Internal audit must then aggressively increase its capabilities and add true value in risk areas most critical to the organization.”
In another piece of internal audit intelligence, Protiviti issued a survey that focuses largely on social media. Of more than 1,000 internal audit professionals who participated, 43 percent said their company has no policy on social media, and many who have policies fail to address basic issues. One in three organizations, for example, provides no focus on information security and approved use of social media applications in their existing social media policies, the survey revealed.