As the internal audit profession prepares to gather for a major annual conference, multiple survey results show internal auditors continue to juggle concerns about compliance, strategic business risk, resources, and technology.
The Institute of Internal Auditors will host the 2014 General Audit Management conference to gather chief audit executives, audit committee and board members, and financial and executive management to cover the latest developments in internal audit. Surveys from the IIA, PwC, Protiviti, and Grant Thornton say the internal audit profession is still evolving, mired in expanding compliance and regulatory demands while also wrestling with rapid advances in technology and increasing demands to look more broadly at strategic and operational risks.
The IIA's annual “Pulse of the Profession” report says, for example, chief audit executives increasingly are embracing the IIA's “three lines of defense” model, but are not clearly defining who is responsible for which aspects of the defense model. The “three lines” model specifies the division of responsibilities for risk and control activities among the board, senior management, and internal audit. The IIA's 2014 survey found that among North American CAEs, only 34 percent indicate the duties are clearly articulated and carefully observed.
IIA advocates the model to assure companies establish complete, efficient coverage for their risks and controls. When companies end up with blurry lines, “you run the risk of potential gaps, but also overlap,” says Richard Chambers, president and CEO of IIA. It also makes it difficult for internal audit to provide independent assurance to the board if IA ends up taking on risk management duties that are intended for management, he says, raising the need for a third-party audit on areas that IA is covering.
The IIA survey also reveals a disconnect between the importance of strategic business risk and internal audit's coverage of it. CAEs said strategic risk is the top concern among its stakeholders, with 28 percent calling it the top priority for audit committees and 46 percent saying it's the top priority for executive management. Yet only 6 percent of the overall audit plan is devoted to strategic risk, the study shows. Chambers suggests that could be the case because strategic risk is integrated into other areas of audit coverage.
The IIA report also says organizations increasingly are reaching out to the business not just to staff the internal audit department, but to appoint the chief audit executives as well. The reports says 42 percent of CAEs in North America held positions outside of audit immediately before becoming a CAE. Chambers says he recognizes the demand for expertise in functional business areas to better understand business risks, but worries about the possibility of the CAE role serving as part of an executive development track with an expectation of reassignment elsewhere in the business. "Just how objective can that individual be in their tenure in that role if they know their future career assignment depends on the relationships they build?" he asks.
PwC's annual “Risk in Review” survey says business executives and risk managers worldwide are struggling with increasing risk across the board. Nearly 60 percent of executives said they see increased risks related to technological change and information technology as well as increasing regulatory complexity. Half said they also see increased risk related to rapidly changing customer needs.
Jason Pett, risk assurance internal audit services leader for PwC, says the survey reveals companies are showing progress in their alignment across risk functions. “Companies are stepping back and saying ‘we're pouring a tremendous amount of resources into risk management and internal audit, so let's really focus on how we are aligning and how are we efficiently executing this broad range of risk management that we're trying to implement,'” he says. The survey data suggests while companies are making progress, they expect to be a stronger position in another 18 months, he says.
Protiviti's 2014 Internal Audit Capabilities and Needs survey report says internal auditors are turning up their focus on social media risks and leveraging technology to improve the audit process. On the social media side, internal auditors are most concerned about possible financial loss, interruptions to business, risks to intellectual property and employee property, and viruses and malware. As for technology, internal auditors are concerned about mobile applications, cybersecurity, cloud computing, and data analysis technologies.
Grant Thornton also issued a report earlier indicates internal auditors are struggling to strike the right balance between an increasing compliance burden and an increasing demand for more strategic or operational audit coverage. One-third of audit executives polled by Grant Thornton said they believed increasing regulation is complicating the effort to devote resources to higher-value audit activities.