Internal audit leaders are becoming alarmed with their latest survey results that suggest the internal audit profession is not moving as nimbly as they’d like to address emerging business risks.
“It is time for internal audit to move beyond being capable of handling old risks and align with the strategic objectives of the organization, stepping into the role of trusted adviser,” concludes the latest North American Pulse of Internal Audit report by the Institute of Internal Auditors. “As current risks evolve and new risks emerge, a sense of urgency to audit at the speed of risk is vital to meet and exceed the needs of key stakeholders.”
The 2016 report, just issued by the IIA, focuses on four key areas where internal audit practitioners are coping with new and emerging demands -- cybersecurity, use of data, auditing organizational culture, and interpersonal skills. The IIA says the vast majority of organizations polled, 89 percent, see prevention and education as the best way to address cyber threats, with limited focus on what to do once an attack is detected or how to protect corporate reputation.
“In the face of a cyberattack, addressing business continuity and reputational risk are paramount, yet few organizations are taking time to think beyond prevention,” said Richard Chambers, president and CEO of the IIA, in a statement. “The IIA has been promoting cyber resiliency — the concept of addressing the full spectrum of prevention, detection, reaction, and restoration — for some time, so these findings are particularly alarming.”
More than half, or 58 percent of internal auditors, said they do not audit organizational culture, the IIA report says. High-profile scandals and failures point to the critical role of culture in governing organizations, the report says, but internal auditors are avoiding the area because they don’t have adequate ability to identify or measure culture, nor do they have adequate support from management and the board.
For example, 24 percent said they do not believe internal audit has the freedom to assess the entire organization and staff. More than one-third, or 35 percent, do not believe internal audit has the full support of executive management for such scrutiny, and 23 percent believe they do not have the support of the board or audit committee.
Also alarming to the IIA, organizations are using more data in more sophisticated ways to drive decisions, yet only 29 percent of internal auditors reported they are highly confident in the organization’s strategic decisions based on the data collected and analyzed. In addition, the IIA reports less than half believe their teams have even a moderate level of proficiency in interpersonal skills. “The data suggests significant room for growth,” the report says.