Chief audit executives are developing their 2013 audit strategy, and the plans are shaping up to look drastically different than they did in 2012, or at least they should, say audit advisers.

With budgets and hiring increasing for many internal audit shops, CAEs are generally expecting to have more resources at their disposal in 2013, says Richard Chambers, president and CEO of the Institute of Internal Auditors. Recent survey results suggest several companies are easing constraints on internal audit department budgets for the first time since 2009, he says. They'll need the extra cash and manpower to address a host of pressing audit issues as risks continue to emerge and economic volatility persists.

Bill Watts, partner and leader of Crowe Horwath's internal audit services, says companies are beefing up their internal audit departments after a few years of stagnating or declining budgets, with expectations that internal auditors will broaden their focus on a wider array of business and operational risks, not just financial or compliance-oriented risks. “We still hear there's a gap between what management and internal audit is focused on and what stakeholders need,” he says. That's inspiring internal audit shops to look for more operational talent, rather than just hiring traditional accountants or auditors, to round out the skill sets of the internal audit department.

According to Watts, the mandate on internal audit has shifted even in recent weeks as Hurricane Sandy exposed weaknesses in business continuity plans. Even companies that were not affected by the storm are rethinking their approach to disaster recovery. “This is going to be hot for the next 12 months,” he says. “Are we doing enough? Are we casting a wide enough net to be able to operate and recover from any type of disaster?”

It's not just an East Coast issue, says Jason Pett, internal audit services leader for PwC. “It raises questions like: What are our risks to our supply chain?” he says. “What are our alternative plans? Internal audit should be paying a lot more attention to this right now.”

Companies are also rethinking their overall approach to risk. Because of the rapid pace of change over the past few years in particular, internal audit should think about the risk assessment underlying their annual audit plan as a more continuous process rather than an annual exercise, says Pett. “The annual risk assessment is obsolete,” he says. “It's just not keeping up with the times and the speed of change.” Some companies are starting to move in this direction, he says, although they're also still trying to figure out the best way to assess risk continually or more frequently.

Watts agrees companies are and should be looking for a way to assess risk on a more continuous basis. “The whole idea of risk velocity is just coming into the risk assessment,” he says. “How quickly does a risk change? The problem that internal audit shops struggle with is: how do you do this? How often and what exactly are we supposed to be doing? There are not a lot of schools of thought on this yet.”

Another operational risk that is gaining a higher position on internal audit priority lists for 2013 is the broad area of data protection, including privacy, security, cyber risks, social media, and cloud computing. “This is getting so much more complex, and internal audit is being asked to play a more active role in that space,” says Pett.

According to John McLaughlin, a partner with BDO USA, a new approach to the audit of third-party service organizations is partly driving the demand for internal audit to get more active in data protection. The American Institute of Certified Public Accountants set new standards for the audit of controls at service organizations, bringing greater focus through its SOC2 reports to a service organization's controls over security, availability, processing integrity, confidentiality, and privacy. “In a way it's a new examination,” says McLaughlin. “Every organization has its secrets. So the question to internal audit is what are you doing to assure your organization maintains a sufficient control environment?”

Project Assessments

Internal audit shops also should anticipate being more active in 2013, helping assess large program implementations or large capital spends, experts say. Janine Koch, a partner with Deloitte focused on the oil and gas sector in Houston, says companies are developing more active spending plans, and they want internal auditors to help with more of the analytics. “It's not just looking back, which has been the traditional internal audit approach,” she says. “Instead, they want auditors to look at a project, consider past experience, and try to model what could happen. They want auditors to be more predictive in their analysis to help determine whether a project is going to be successful.”

COSO FRAMEWORK Q&A

Below is a sample of answers to frequently asked questions regarding COSO's Internal Control-Integrated Framework project update:

Will the conceptual and logical construct of the Framework (i.e. the three objective categories and five components) be overhauled?

No. The experienced stakeholder will find much familiar in the updated Framework, which builds on what has proven effective in the original edition. The updated Framework is expected to be consistent in many respects with the original Framework, and includes the same definition of internal control, three categories of objective—effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations; five components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring activities. Also, the updated Framework continues to emphasize the importance of management judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of a system of internal control.

What are the requirements for an effective system of internal control in the updated Framework?

In response to public comments on the exposure draft, COSO has clarified the requirements for effective internal control. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories of objectives—that is, operations, reporting, and compliance. It requires that (i) each of the five components of internal control and relevant principles are present and functioning, and that (ii) the five components are operating together in an integrated manner. The existence of a major deficiency in a relevant principle and component precludes an organization from concluding that the entity's system of internal control is effective.

In determining whether an overall system of internal control is effective, senior management and the board of directors assess whether each of the five components and relevant principles are present and functioning and whether the components operate together in an integrated manner. When an organization determines that an internal control deficiency exists, the updated Framework requires management to use judgment to assess the severity of that deficiency in determining whether the relevant principle and component are present and functioning.

Source: COSO.

That means internal auditors need to get more comfortable using data analytics, says McLaughlin. Many internal audit shops are using data analytics to detect duplicate vendors or payments, for example, but there will be growing demand on them to use analytics in more innovative ways. “We need to keep finding breakthrough ways to drill deeper and use that data all over the place to enhance the internal audit function.”

Of course, the usual hot spots are high on the list of priorities as well—risks associated with emerging markets, global operations, and third-party vendors or agents. And it's not just a bribery and corruption issue, says Pett. Third-party risks can also include problems with the supply chain, he says, a reality that played out recently with the fungal meningitis outbreak that has caused more than 30 deaths in the United States.

And now that the election is past and the political direction of the administration is more certain, companies can expect plenty of new regulation, says Chambers. “We are expecting a more active regulatory landscape than we've seen even in the past four years,” he says.

Also important to the 2013 audit plan: experts say CAEs should ensure they are prepared to implement any changes that might come with the ongoing update to the COSO Internal Control–Integrated Framework. The framework won't be finalized to be effective in 2013, but executives should watch for it and prepare for it in 2013, says McLaughlin.

Companies also should take a close look at the practice guide published this summer by the IIA, says Dan Swanson, president and CEO of Dan Swanson & Associates. The guide encourages internal auditors to focus on an audit strategy rather than an audit plan, he says. “It encourages internal auditors to assure that their audit strategy is aligned with the business plan,” he says.