Breaking Down the Walls of the Internal Audit Department

Internal audit departments are increasingly assessing an ever-expanding range of risks.

Along with internal control, they're also examining risks from IT, regulatory, fraud, and corruption, among others. Along with these new areas, however, comes a need for additional skill sets. To meet these demands, internal audit departments are adding expertise outside of traditional auditing skill sets and borrowing employees from other departments to leverage their abilities. Internal audit is also doing a better job of coordinating its activities with other departments in the organization.

“Internal audit follows the risks,” says Richard Chambers, president and chief executive officer at the Institute of Internal Auditors. For instance, as compliance risks have become more pronounced for many companies, internal audit spends more time examining them.

Given that internal audit is being tasked with assessing a broader range of risks, their need to work effectively with colleagues in other departments increases as well. “The chief audit executive can't execute his or her responsibilities in a vacuum,” says Chambers.

Developing productive working relationships with other control departments, as well as IT, can offer several benefits. Perhaps most critically, these connections can lead to a more encompassing view of the risks an organization faces, says Susannah Hammond, senior regulatory expert, governance, risk, and compliance at Thomson Reuters.

Hammond, who is author of “The State of Internal Audit 2013” report, says that companies are taking a more unified approach to risk management. “Internal audit, risk, and compliance functions need to align their approaches and coordinate their responsibilities to ensure adequate coverage of all relevant risks and, critically, ensure that the board has a clear line of sight to the overall risk position of the firm,” she writes in the report, which reflects input from more than 1,100 internal audit professionals from around the globe.

A more coordinated approach is also “becoming a regulatory expectation,” Hammond adds. 

Compliance and Internal Audit

As internal audit increasingly is expected to understand and assess the compliance risks an organization faces, it is increasingly coordinating its activities with the compliance department, Chambers says.  More than one-third of respondents (36 percent) to another recent report, the IIA's “Pulse of the Profession 2013,” said the focus on compliance within their internal audit departments was increasing.

The shift reflects the growing significance of compliance risks, Chambers says.  “Around the world, the legislative process has become more aggressive in passing new laws to mitigate what legislators see as the causes of the financial crisis.”

Communicating and coordinating with these departments can provide internal audit with a better understanding of the risks, as well as the steps compliance is taking to address them, Chambers notes. It also may allow for greater efficiency. Compliance and internal audit may be able to coordinate their interviews with senior management, for example, to use their time most efficiently.

Internal audit is also working far more closely with IT. “To me, this is the biggest risk other than the economic risk” organizations always face, says John Higbee, who sits on the audit committee of Rex Energy's board of directors.

Several internal audit experts say companies should including employees with IT expertise on the internal audit staff, so they can determine where the information systems may be vulnerable to compromise. “It's important that internal audit is staffed with someone capable of doing a cyber-risk evaluation,” says Mary Beth Vitale, who chairs the governance and nominating board committee at financial holding company CoBiz Financial.

Forging Relationships

Meeting the growing need to reach out to other departments requires more emphasis on communication and other people skills. Yet some auditors prefer to focus on the technical aspects of their jobs, rather than “seek out the limelight,” says Sridhar Ramamoorti, an associate professor with a focus on internal audit at Coles College of Business at Kennesaw State University. He says internal auditors may need to find ways to become more comfortable working with others.

Ramamoorti points out that as an advisory or staff function, “internal audit can sell its recommendations, but it can't tell anyone to do anything.” Of course, that shouldn't be used as an excuse if others decide not to follow the recommendations put forth by internal audit. Instead it may mean that “internal audit has to do a better job educating others and marketing itself,” Ramamoorti says.

Indeed, “communications ability” was ranked second, after analytical and critical thinking when the IIA survey asked respondents which audit skills were most sought after, ahead of accounting, data mining and analytics, and business acumen, among other skills.

One of the keys to fostering more cooperation and communication between internal audit and other departments is simply making that communication a priority and making time for it. When Hammond was previously the head of retail regulatory risk at a bank based in the United Kingdom, for example, she met each Friday morning with the heads of internal audit and risk.  The conversations were critical, she says. “A small risk as seen by compliance could add weight to something the risk department or internal audit saw,” and provide a more comprehensive view of potential and emerging risks.

“Internal audit can sell its recommendations, but it can't tell anyone to do anything. Internal audit has to do a better job educating (others) and marketing itself.”

—Sridhar Ramamoorti,

Associate Professor,

College of Business at Kennesaw State University

Fewer internal audit teams, however, appear to be taking this formal approach, although there are indications that they are meeting more informally. The Thomson Reuters report shows that the amount of time internal audit regularly spent with other control functions had dropped over the past year. Last year nearly one-third of internal audit teams met weekly with risk management; this year, just 18 percent did. The percentage now meeting on an ad hoc basis jumped from 22 to 29 percent.

Similarly, fewer were talking with compliance weekly. About one-third did last year, compared to 25 percent this year. Conversely, the percentage meeting on an ad hoc basis increased from 19 to 25 percent.

Perhaps this shouldn't be surprising. Most internal auditors, as well as their colleagues in other departments, work with limited resources. Forty-three percent of respondents to the Thomson Reuters survey ranked insufficient skilled resources as a top challenge for the year ahead, up from 35 percent the year before. The increase likely reflects the shift in the internal auditor's role from “a quantitative assessor with a spreadsheet and toward a more qualitative assessor of the desires and strategies of the firm's management,” the report notes.

Even so, the trend comes with risks. “If it's left to ad hoc (meetings), they're too easy to put off,” Hammond observes.

How Close Is Too Close?

Another challenge is internal audit's need to maintain independence. “You have to be careful that internal audit doesn't work too closely with the departments they'll later audit,” Higbee says. While some trust is necessary, an internal auditor shouldn't become so close to other employees that he or she neglects to ask the questions that are needed to properly assess a risk.

CHANGES TO REPORTING RELATIONSHIPS

In the following chart from the IIA, respondents to the “Pulse of the Profession” survey rank how they feel the internal audit reporting relationship should be changing within companies.

A noteworthy 17 percent of all respondents perceive internal audit's independence would be enhanced by changing the CAE's functional and/or administrative reporting relationship. Among these respondents, the preferred changes are represented in this chart.

Source: IIA.

While internal audit may need to gather information from the Treasury Department, for example, about the ways in which derivative financial instruments are used, the auditors need to develop and follow their risk assessment, Higbee adds.  That way, they're less likely to be influenced by someone who wants to lead internal audit away from a problem area.

The relationship between internal audit and the board is also critical. Most boards of directors “operate at a bird's eye view of the organization,” says Ramamoorti. Internal audit can become “the eyes and ears” of the board, and particularly the audit committee, Ramamoorti adds. But, this is most likely to happen only if the two groups interact. 

According to the Thomson Reuters report, at 61 percent of organizations the audit committee reports to the board of directors only quarterly or less.

Given that a failure on the part of internal audit to identify and communicate areas of exposure can be serious—as Chambers notes, it's the last line of defense before the external auditors and regulators—internal auditors need to do their jobs as effectively as possible.  Increasingly, that means working productively with other departments, while maintaining some measure of independence.