Accounting & Auditing Update

The Institute of Internal Auditors is reworking its International Professional Practices Framework, including the addition of a mission statement, core principles, and guidance for emerging issues. “After months of careful consideration, we are proposing enhancements we believe make the IPPF more reflective of the profession’s core principles and mission,” IIA senior vice chairman Larry Harrington said. Details inside.

Nearly 7 in 10 internal audit leaders participating in the IIA’s annual “Pulse of Internal Audit” survey ranked cyber-attacks and other security issues as a major concern, but only about one-third said they have high confidence in their organizations’ ability to address such risks. IIA President Richard Chambers says the results confirm that “organizations must improve how they identify emerging risks.”

Yet more findings—these from Grant Thornton—reveal that audit committees and chief audit executives differ on priorities. According to the survey, audit committees rank financial risk as most important for internal audit, followed by compliance, operational, and strategic risks. CAEs, however, give compliance risk top billing, followed by operational, financial, and then strategic risks.

Protiviti’s recent survey of more than 800 internal audit professionals reports that half of respondents said a cyber-security evaluation is included in their current audit plan, and 60 percent of those organizations use the National Institute of Standards and Technology cyber-security framework to evaluate risks. Protiviti EVP Brian Christensen said the survey “shines a light on the evolving set of challenges faced by internal audit professionals as they work to incorporate cyber-security frameworks into business processes.” More inside.

The Federal Housing Finance Agency has provided a primer for corporate audit committees on how not to appoint and manage a chief audit executive. The FHFA’s inspector general has released a detailed report criticizing Fannie Mae’s selection of a chief audit executive in 2013, calling the audit committee’s process “far from diligent” and “haphazard at best.” More inside.

A PwC poll suggests internal audit still struggles to keep up with the rapid pace of change in the business environment. Nearly 70 percent of organizations said they are going through or have recently gone through a significant transformation in the business, yet only 11 percent of chief audit executives said their current internal audit functions provide value-added services to the business.

At Compliance Week’s annual conference this week, Jose Tabuena, chief compliance officer for NextHealth, advocated for the three lines of defense model. “I’ve worked with the accounting firms and those working with the COSO framework, and I find three lines of defense easier to explain,” he said. “The board may have limited time, and you have to explain a lot in that limited time. I don’t think the COSO cube does it.” More inside.

The Public Company Accounting Oversight Board has issued a staff consultation paper looking for input on whether and how to revise standards around the auditor’s use of the work of specialists. PCAOB Chairman James Doty said, “We want our standards to keep pace with the realities in the marketplace, and I look forward to receiving public comment on this important topic.” More inside.

The Institute of Internal Auditors has unveiled the latest enhancements to its nearly 70-year-old framework that governs the internal audit profession globally. Larry Harrington, senior vice chairman of the IIA’s global board, says the updates are intended to strengthen the position of internal audit as a key player in the organizational structure. More inside.

A recent report from the Institute of Internal Auditors found that nearly 40 percent of audit departments worldwide are getting their arms around technology at what they consider to be appropriate levels. However, the study also found only one in 10 internal auditors entering the profession has education in computer science. That means the internal audit profession faces “vast opportunities and challenges,” IIA President Richard Chambers says. More inside.

Internal audit departments might better demonstrate the value they bring to public companies if they had a more robust way of measuring their own performance.

Rapid innovation, disruption, and growth in cyber-security risks are the biggest technology challenges for IT auditors, a survey from ISACA and Protiviti says. Managing Director David Brand says, “IT audit professionals have recognized the need to grow their knowledge and expertise while also updating their policies, processes, people, and technology, all in order to arm themselves against the increasing challenges and threats presented by an ever-evolving technology landscape.” Details inside.

As talent and staffing challenges persist for the internal audit profession, 43 percent of public companies other than those in financial services reached outside the organization for help, according to the latest data from the Institute of Internal Auditors. Financial institutions, public and private alike, make the greatest use of third-party services at 45 percent globally.

The Institute of Internal Auditors is proposing a change to its professional practice standards to give internal auditors some new guidance in light of evolving business demands. The IIA says the proposed changes are focused on enhancing existing standards on communications and quality assurance, and creating new standards addressing objectivity in assurance and consulting roles. In addition, proposed changes address new roles internal audit functions are taking on in many internal audit shops.

Internal audit leaders are becoming alarmed with their latest survey results that suggest the internal audit profession is not moving as nimbly as they’d like to address emerging business risks. A report from the Institute of Internal Auditors says 89 percent of organizations polled see prevention and education as the best way to address cyber-threats, with limited focus on what to do once an attack is detected.

In a survey from KPMG and Forbes of more than 400 CFOs and audit committee members nearly 60 percent said they would welcome help in assessing risks and risk-managing practices, but only 22 percent said they get that from internal audit; 36 percent said they would like to see an informed perspective on emerging risks coming from the internal audit shop, but only 5 percent actually see it. Craig Carter, a KPMG principal in internal audit, risk, and compliance services, says, “There’s a need to translate the value of the internal audit function into more than black-and-white compliance.” 

A new survey from Protiviti of 1,300 internal audit professionals shows that companies have made big progress in the past year integrating cyber-security risk into internal audit plans. Nearly three out of every four organizations include cyber-security risk in their internal audit plans, according to the poll, up from only half of organizations in 2015. Nearly 60 percent of auditors said their companies have received inquiries from customers, clients, or insurance providers about the entity’s readiness to withstand a cyber-attack. 

Third-party risk represents the “next frontier” in the ongoing cyber war, says Kelly Barrett vice president of internal audit and corporate compliance at Home Depot, where she navigated a cyber breach like it was “a blow to the head” and now tells the story of how the entity faced the crisis.

The Institute of Internal Auditors has issued a white paper to motivate staff auditors to tackle heightened expectations from audit stakeholders. It provides five strategies for performance management tailored to internal audit and promises to help CAEs set goals, retain talent, equip employees, assess performance, and respond to success. “If internal auditors are to become true agents of change, internal audit leaders must help them expand their capabilities ... ” said IIA Chairman Larry Harrington.

At a recent Institute of Internal Auditors conference, audit executives heard the early returns from the annual IIA Common Body of Knowledge study that suggest North American audit stakeholders would welcome more help in identifying strategic risks. Brian Christensen, executive vice president at consulting firm Protiviti, which assisted with the study, says: “It is an opportunity for us as leaders in the internal audit profession to step forward, to step into maybe some gray space.”

Internal auditors looking to get more involved in information systems audits can turn to a new white paper titled Information Systems Auditing Tools and Techniques: Creating Audit Programs, from ISACA, a global global association of professionals focused on IS audit and control. The paper outlines five steps auditors should take to effectively plan an information system audit.

Tammy Whitehouse explores new guidance and intelligence that has emerged recently on how internal audit can raise its game in the face of rising regulatory expectations and market demands.

For companies still struggling to get their arms around financial compliance, especially with respect to internal control over financial reporting, technology may provide the answer, according to the Financial Executives Research Foundation. Tammy Whitehouse reports.