Internal Auditors Finding New Ways to Add Value in Expanded Role
by Terri Eyden on
By Frank Byrt
Chief audit executives (CAEs) are working to expand their roles within their organizations, moving from their traditional focus on compliance to include suggesting ways to improve processes and providing insights that influence strategy, according to a Grant Thornton LLP survey.
"CAEs, who have a wealth of knowledge about their organizations, are in a really good position to continue down the path of value creation," said Warren Stippich, CPA, partner and National Governance, Risk and Compliance Solution Leader at Grant Thornton, in a March 18 press release summarizing the survey. "But, it's not without its challenges - it requires using technology, being smarter about audit approaches, and getting more involved, both at the business unit or process level and the strategic thinking level."
The 2013 survey of 330 CAEs was aimed at discovering how internal auditors are adjusting to the evolving expectations of their role. "Perhaps one of the biggest challenges for audit executives is the ongoing quest to rebalance traditional internal audit activities and methods, while becoming more strategic in mind-set and strategic in approach," according to the survey report, Today's Chief Audit Executive: Continuing on a Path to Value Creation.
Although CAEs would like to find growing acceptance as strategic partners, CAEs said their departments face challenges in achieving that status. They cited budget constraints (58 percent), talent limitations (51 percent), and image problems (51 percent) as barriers that impede the internal audit department from delivering greater insights and strategic value.
When asked to rank a number of risk areas based on their potential to impact growth, CAEs cited:
- Execution of strategy
- Emerging technologies
- Data privacy and security
- Third parties/vendors
- Supply chain
- Business community
"These are all cutting-edge areas that CAEs should be focused on," Stippich told AccountingWEB in an interview.
Use of Technology and Data Analytics
Internal audit departments remain slow to maximize technology to gain efficiencies:
- More than three-quarters (77 percent) said they're not using governance, risk management, and compliance (GRC) software or an internal audit-specific tool. This is only a slight increase from last year's 79 percent.
Although respondents have yet to fully embrace GRC technology, the use of data analytics and business intelligence tools has more than doubled since last year's survey, with 66 percent of respondents saying they're taking advantage of this tool:
- 38 percent use it for forensic analysis, 32 percent for performance measurement, and 15 percent for predictive analytics.
"Our survey suggests that CAEs believe their departments have the ability to deliver the most value when they're helping to mitigate risks, identify improvement opportunities, and strengthen corporate governance," Grant Thornton said in the report.
According to Stippich, increasing the value of an auditor is even more compelling for small and midsized firms, including those with outside auditors. That's because, with the right suggestions, it's possible to create a greater impact on a small company than a huge one. "The smaller the company, the easier it is for an auditor or tax preparer to contribute value, simply because the level of sophistication of the clients is a little less."
Regardless of organization size, two areas worth focusing on are cybersecurity and fraud risk assessment.
Nevertheless, compliance-related activities remain the primary focus of the audit plan. More than half of respondents (56 percent) said between 1 and 25 percent of their audit plan is focused on regulatory compliance. Nearly one-quarter (24 percent) said 26 to 50 percent of the audit plan is focused on compliance, while 16 percent said compliance activities account for 51 percent or more of their audit plan.
However, 51 percent reported they've yet to adopt a "one-to-many" approach to streamline compliance testing, whereby they test once but comply multiple times with various regulatory standards or other mandates. This statistic highlights that there's substantial room for improvement when it comes to leveraging control testing requirements for maximum benefit.