By Jason Bramwell
According to a recent survey from the Audit Executive Center of the Institute of Internal Auditors (IIA), internal audit departments are putting a greater focus on compliance risks and less emphasis on Sarbanes-Oxley (SOX).
"We are seeing a stronger trend toward internal audit focusing on areas other than financial controls", IIA President and CEO Richard Chambers said in a written statement. "Risks themselves are diversifying and are not concentrated in one single area as there may have been in years past."
The Pulse of the Profession: Defining Our Role in a Changing Landscape survey is a semiannual assessment of the state of the internal audit profession in North America. According to the 428 chief audit executives (CAEs) and others in audit management roles who responded to the survey, operational audits make up the largest type of 2014 audit coverage (27 percent), followed by compliance/regulatory audits (15 percent). Financial, IT, and SOX testing/support each represent 11 percent of audit coverage.
Audit committee survey respondents ranked compliance/regulatory and operational, both at 68 percent, as the top risk areas, followed by strategic business risks (53 percent), IT (45 percent), and financial (44 percent). The number-one risk area identified by executive management respondents was operational (74 percent), followed by strategic business risks (71 percent), compliance/regulatory (53 percent), financial (39 percent), and IT (39 percent).
The report also details why and how, in 2014, internal auditors (1) anticipate risks associated with the Affordable Care Act (ACA), and (2) plan to prepare for the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control-Framework Implementation in the coming year.
Affordable Care Act
Because ACA requirements are beginning to go into effect, health care is becoming an area where internal audit may see an increased focus on compliance in 2014, according to the IIA.
"One of the greatest opportunities facing the profession this coming year relates to the US Affordable Care Act", Chambers said. "To take advantage of this opportunity, internal audit cannot assume a reactive posture. This regulation challenges internal audit to become a visionary, proactive function in their organization."
Survey results indicate that a potential expectation gap is emerging related to internal audit's ability to help stakeholders understand the risks associated with the ACA and their organization's preparedness to mitigate those risks.
Among respondents who noted that the 2014 ACA requirements would apply to their organization, 41 percent believed risks associated with the legislation would be moderately or extremely impactful to their business, 37 percent said somewhat impactful, and 22 percent said they were unsure whether the ACA would affect their organization.
When it comes to their knowledgeability of the ACA, 38 percent of respondents who noted the legislation would apply to their organization rated themselves as not very knowledgeable, and another 43 percent rated themselves as only somewhat knowledgeable.
"At the same time, 17 percent of respondents for whom this legislation will apply agreed that their organization will likely act to mitigate risks associated with the ACA by reducing or dropping health care benefits in the next one to three years", the report stated. "Another 21 percent of respondents were unsure if their company will be reducing or dropping benefits. For Fortune 500 organizations, the percentage of respondents that agreed that their company would likely mitigate risks through reduced benefits was 24 percent."
Chambers noted that today's legislative headlines are likely to become tomorrow's compliance risks. "Being cognizant of the effects of regulatory activity allows internal audit to demonstrate foresight when it comes to compliance risk", he said.
Regarding COSO 2013 implementation, survey results showed internal audit departments that are implementing the revised framework by December 2014 are anticipating a smooth transition. More CAEs are looking to adopt or transition to COSO 2013 (87 percent) than previously used the 1992 COSO framework (73 percent).
In particular, 45 percent of respondents who plan to adopt the framework indicated their internal audit department has overall responsibility for their organization's assessment and reporting on internal control, while 42 percent have overall responsibility for COSO implementation.
Overall Outlook for Internal Audit
In addition, the Pulse of the Profession survey reported a strong outlook next year for internal audit resources, with resources stabilizing close to prerecession levels. Thirty-six percent of all respondents indicated their budgets will be higher in 2014, and 54 percent stated budgets will remain stable next year.
In terms of staffing, 25 percent of survey participants expected staff levels to increase in 2014, 72 percent believed they will remain stable, and only 4 percent thought staff levels will decrease next year.
"Over the years, the internal audit profession has adapted to the challenges of an ever-changing business environment, and looking toward 2014, we are well-positioned as a profession to tackle the obstacles before us", Chambers concluded. "There are still a lot of drivers asleep at the wheel, and the time is now to get up to speed as real risks manifest themselves."
About the survey: The IIA Audit Executive Center conducts the North American Pulse of the Profession: Defining Our Role in a Changing Landscape survey to assess the state of the internal audit profession. This survey looks at trends and emerging issues in the internal audit profession within the United States, Canada, and the Caribbean. For 2013, 428 chief audit executives and others in audit management roles responded to the survey.