Research Finds Internal Auditors Must Reach for New Heights or Risk Losing Relevance

By Frank Byrt

According to PricewaterhouseCoopers' (PwC) 2013 State of the Internal Audit Profession Study issued March 18, uncertainty, volatility, and complexity are here to stay. And, as risks increase, internal audit's coverage of risk and performance is even more critical. However, many internal audit functions are not keeping pace, and companies are facing a major challenge in determining their strategy for internal audit and realizing value from their investment.
PwC surveyed about 1,100 chief audit executives and more than 630 stakeholders (CEOs, audit committee chairs, board members, and senior finance and risk managers) worldwide for the company's ninth annual survey on the role of internal auditors.  
"Our survey shows that 80 percent of respondents believe threats are increasing, yet only 12 percent think their own organization manages risk extremely well," said Dean Simone, leader of PwC's Risk Assurance practice. "As risks increase, internal audit's coverage of risk and performance in emerging areas is critical, which provides internal audit with an ideal opportunity to demonstrate the value of the evolving profession. Internal audit must then aggressively increase its capabilities and add true value in risk areas most critical to the organization."
However, the survey found that even as companies plan to increase spending to add to their internal audit capabilities over the next eighteen months, those departments have not been keeping pace with their new duties. As a result, "companies face a major challenge in determining their strategy for internal audit and realizing value from their investment," the report says.
"Our research clearly indicates that internal audit must continue to evolve in its focus and significantly improve its performance – or risk losing relevance as other risk functions become more vital contributors to the organization's risk management," PwC warned in its report.
"Audit committees and management expect more from internal audit, providing a huge opportunity for internal audit functions to be relevant contributors to protecting stakeholder value and the business from the most critical risks," said Jason Pett, Internal Audit Services Leader for PwC.
Fifty-nine percent of those surveyed said the top focus on corporate spending will be on adding to data analytics capabilities; however, 54 percent said they would fill that capacity from reallocating resources within the company, rather than through new hires or hiring outside contractors.
"Technology has emerged as a key enabler for internal audit to improve audit quality and value while remaining cost-effective," the report said. "One of the fundamental ways internal audit can leverage technology is through data analytics."
The survey also found that 46 percent of the audit executives plan on building their company's general IT capabilities, and 63 percent said they would accomplish that through hiring or through outside vendors. Forty-one percent of those executives said they plan to beef up their IT security skills, and 71 percent said they expect to do that via new hires or contracting with third parties.
The survey of board members found that 79 percent think that internal audit contributes significant value, whereas only 44 percent of executive management felt the same way. At the same time, only 56 percent of the board members said that internal audit's performance was strong, compared to 37 percent of management.
"While this management view is far from positive, at least there is a relationship between perceived value and performance," the report said. "That is not the case with board members, who rated internal audit's value contribution high, yet rated its performance in core capabilities much lower, indicating they appear satisfied with average performance."


PwC as well as the rest of the Big Four have been making such claims based on their proprietary surveys for many years. The onus is typically put on the internal audit to bridge this apparent gap. More often than not, they espouse the application of enterprise risk management methodology and systems which the Big Four want to market to their clients.

Having worked for several listed companies during my twenty years as a chief auditor of medium-size organizations, I have yet to find a board member who takes active interest in the internal audit function in a meaningful way, except for the few short spells during the annual audit committee meetings. After the meetings, they are disengaged with internal audit. On two occasions, a board member expressed whether a full-time internal audit was needed since the listing rules did not require it. The member felt they ought to rely entirely on the external auditor for assurance. On another, the board member wanted to explore the cost, but expressed reluctance after receiving the estimates from a Big Four.

I think it is time the Big Four shift some of the onus to the board members who ultimately hold the authority to appoint and fire the chief auditor to bridge this gap. If the board is convinced that enterprise risk management is something that internal audit should aspire to and implement, then they ought to allocate the budget and resources because it requires a long-term commitment and recurring expense, which may be one of the reasons why so few companies have installed such systems. Stop laying the responsibility on internal audit. The buck stops at the chief executive and board members.
There is a good recent example of JP Morgan, who had installed a sophisticated risk management system and still got it wrong because of the complexity of managing such systems (and manipulation).