Internal Audit Continues a Push Into Risk Management

The role of internal audit continues to evolve.

New requirements from Nasdaq and the Federal Reserve will put increased demands on internal auditors, as they continue to grow out of their traditional tick-and-tie roots into more risk-focused watchdogs and advisers.

Nasdaq has proposed through the Securities and Exchange Commission to require that all of its listed companies establish an internal audit function by the end of 2013, whether they staff it internally or outsource it entirely. The idea is to assure that listed companies have a process to regularly review and assess their internal controls, identify any weaknesses, and remediate as necessary. “The rule is also intended to make sure that the listed company's management and audit committee are provided with ongoing information about risk-management processes and the system of internal control,” Nasdaq writes in its proposal.

The proposal came on the heels of a policy statement from the Federal Reserve establishing a new baseline for the internal audit function at any financial institution under its purview with greater than $10 billion in assets. The Fed's policy says internal audit departments should go beyond the primary function of auditing internal controls to also provide some “enhanced practices” within their overall processes.

Those enhanced practices include things like analyzing the effectiveness of risk management, looking at a higher level at “thematic macro control” issues that might be missed through traditional audit tactics, challenging management to develop appropriate policies and procedures, scrutinizing infrastructural changes, monitoring the board's and management's compliance with their own stated risk tolerances, and evaluating governance. “What the Fed has articulated here in some ways are leading practices,” says Richard Chambers, CEO of the Institute of Internal Auditors. “These are two developments that indicate stakeholders are stepping up their expectations of internal auditors.”

The Federal Reserve policy statement also says chief audit executives should report functionally to the audit committee and administratively to the chief executive officer. If a CAE reports to someone other than the CEO, the audit committee should document a rationale and explain its plan for assuring the CAE's independence under that reporting arrangement, the policy says. “That could push even more chief audit executives to report to the CEO even outside of banking,” says Chambers. “We've been saying this for some time.”

Jonathan Feld, a lawyer with law firm Dykema, says he sees reporting structures rising into higher management ranks. “They need to have the ability to go to these people and address them when the need arises,” he says. “What had been something of a staid profession is becoming a more proactive profession.”

The IIA and other internal audit groups have been calling on the profession in recent years to equip themselves to meet rising expectations, Chambers says. The most progressive internal auditors have moved on from their focus on financial controls required by the Sarbanes-Oxley Act and faced new expectations and responsibilities for addressing risk in the aftermath of the financial crisis and recession. “Now the regulatory and listing bodies are stepping up as well,” he says. In Chambers' view, the requirements in the Federal Reserve policy statement will set a standard for many public companies. “There are several requirements in there that will make their way out of the financial services community,” he says.

Still, internal auditors in the trenches see plenty of resistance on the part of management to elevating—and in some cases even having— internal audit functions. Bill Hagerman, a career internal auditor who in 2009 started his own consulting firm, WH Solutions, says companies still widely see internal audit as a “necessary evil.” Companies such as those listed on Nasdaq will establish internal audit functions only when explicitly required to do so, he says.

“These are two developments that indicate stakeholders are stepping up their expectations of internal auditors.”

—Richard Chambers,

CEO,

Institute of Internal Auditors

John Fraser, senior vice president of internal audit at Hydro One Networks, says improvements in governance are generally not made voluntarily. He puts the Nasdaq and Federal Reserve initiatives in the same category as such mandates contained in the Foreign Corrupt Practices Act, Sarbanes-Oxley, the Dodd-Frank Act, and others that have established minimum requirements for companies to follow. “It will not be perfect at first, but will become the norm for the better of governance,” he says. Some companies will “hire token internal audit staff at first,” he says. Some of those internal auditors will add value, expand their scope, and eventually their boards and audit committees will see the benefit, he says.

Surveys and studies by several organizations, including the IIA, PwC, Protiviti, and Grant Thornton, have found that the recession era freeze on resources available to internal audit departments is finally thawing, and it's just in time to enable internal audit departments to invest in technology and staffing to meet new demands.

STAFF SIZE

Below, results from the Institute of Internal Auditors' study of internal auditors shows how staff size has fluctuated since 2007 for respondents, with 23% noting an increase in 2013.

Year

Increased

Same

Decreased

2012-2013

23%

70%

7%

2011-2012

21%

65%

14%

2010-2011

19%

73%

7%

2009-2010

18%

73%

9%

2008-2009

20%

61%

19%

2007-2008

22%

70%

8%

Source: Institute of Internal Auditors.

The IIA study, for example, says internal audit departments will have more budget and more staffing available to them in 2013 than in any year since the financial crisis. The PwC study concluded that internal audit departments need to stretch themselves to increase their performance and add greater value.

“Internal audit functions are being challenged to elevate their game,” says Tom Lawless, a partner in the financial services office at Ernst & Young. Internal audit's use of technology, especially data analytics and data mining, are big areas where internal audit can invest and do more, he says. “I'm not sure anyone has gotten it completely right yet with data analytics,” he says. “That's one area that continues to evolve.”

The focus on thematic audits is also getting more attention, he says, a point raised in the Federal Reserve policy statement. “Look at thematic control issues across the entire organization,” Lawless says. “If you have an issue in New York in the Americas, does it also exist in Asia or in Europe? Is it a thematic problem across the organization?”

BUDGET SIZE

Below, results from the Institute of Internal Auditors' study of internal auditors shows how budget size has fluctuated since 2007 for respondents, with 37% noting an increase in 2013.

Year

Increased

Same

Decreased

2012-2013

37%

52%

2011-2012

37%

46%

2010-2011

26%

48%

16%

2009-2010

30%

45%

25%

2008-2009

27%

44%

29%

2007-2008

36%

50%

14%

Source: Institute of Internal Auditors.

Warren Stippich, a partner at Grant Thornton, says he sees increasing interest around streamlining audit testing. There's a great deal of planning required and obstacles to navigate, but the potential payoff is turning heads, he says. When companies look at the various requirements to which they must comply, “you're going to have overlap of upwards of 80 percent,” he says. “Instead of going in four or five times and testing for different requirements, you go in once and knock out that 80 percent.”

PwC's study suggested internal auditors have more work to do to better align themselves with management and the board. They are not always on the same page in some big areas, such as their view of the critical risks facing the company, or the role of internal audit in relation to risk management, compliance, or other functional areas.

“The biggest thing internal auditors can do is really drive that dialogue,” says Jason Pett, internal audit leader for PwC. “Audit committees need to have the loudest voice in ensuring internal audit has a clear focus on what the key risks are, and management tends to be closer to those risks, so they all have a role to play. Internal audit needs to make sure that dialogue happens and on a regular basis.”