New challenges for internal audit: Business and operational risks
Internal audit departments are in the middle of "an evolutionary transition" facing great opportunity and challenges, according to Ernst & Young's 2007 Global Internal Audit Survey, which analyzes current developments and identifies future trends and leading practices based on findings from a survey of Internal Audit directors of 138 predominantly public companies. Because of the scope of internal audit's knowledge of a company - from the management level to day-to-day operations - internal audit departments are increasingly expected to move beyond compliance and financial reporting responsibilities to implement enterprise risk assessments and focus on business and operational risk.
The survey found that in the post Sarbanes-Oxley environment, despite the decline in demand for compliance testing and the expectation that internal audit should focus on testing higher areas of risk, over 36 percent of the companies surveyed said that internal audit still has full responsibility for testing all SOX 404 controls. Many departments are, nevertheless, moving to align audit coverage with business and operational initiatives and risk areas that include major programs, contract management, international expansion transactions, and major change initiatives. Seventy-five percent reported involvement in business process improvement, and more than 50 percent indicated involvement in contract and major program auditing.
Stakeholders including boards of directors, audit committee members, employees, regulators, and stockholders are watching to see how internal audit responds to its growing strategic role, particularly in the area of identifying risk, the report says.
Key challenges for internal audit in meeting these expectations are hiring and training the people needed for their compliance and expanded strategic role, interacting and aligning with other risk managements in the company, and measuring the value of their services as they take on additional business activities. Adjusting to these challenges and seizing the opportunity for a visible role in improving business performance will require internal audit leaders to "think differently and react quickly," the study's authors say.
Hiring and keeping the "right kind of talent," is internal audit's greatest challenge. Many respondents said they had adequate financial resources but gaps in internal audit coverage and problems completing the Internal Audit Plan resulted from:
Increase in the size of the internal audit function (49 percent)
Operating at less than 90 percent budgeted headcount (38 percent)
High staff turnover. One in five reported turnover in excess of 20 percent. Thirty six percent reported turnover of more than 15 percent.
An associated challenge is matching the skills of internal audit personnel with an organization's needs and demands. Most companies reported having too many internal auditors with financial reporting compliance skills.
Survey respondents indicate that 25 percent of their staff are focused on IT activities, but more than a third of the respondents said they did not have staff trained in fraud prevention and detection. Significant skills gaps exist in other key risk areas including transactions, tax, major programs, and contract auditing. Hiring people with knowledge of local law and custom for international audit coverage is a major challenge for many of these large companies.
At least 52 percent of the respondents reported that staff did not meet their training requirement standards in the last year, indicating a need for greater focus on training and increasing or retooling competency.
Integrating risk management functions with other areas of the organization is an area of great opportunity for internal audit, the survey concluded, but at this point only 29 percent of respondents reported significant interaction with other risk management functions in the company. Internal audit and other risk managements should engage in knowledge sharing, specifically information about risks and controls.
Internal audit should communicate all risk findings to the audit committee, but the survey found that while 89 percent of respondents conduct a risk assessment to support their internal audit planning, only 43 percent present risks not covered by the internal audit plan to the audit committee. In a separate study, 2007 Risk Management in Emerging Markets Survey, E&Y found that there was clear room for improvement in documentation and communication of the risk assessment process across a company.
The survey concluded that internal audit departments need to leverage their knowledge and technology to improve their coverage. They should also develop metrics that show the value of the expanded services. Half the respondents said that they did not track the value their internal audit functions provide to the organizations, and 13 percent measure their value based on cost savings. Tracking value becomes more applicable, the survey's authors say, as internal audit becomes more involved in risk areas such as program auditing and contract auditing.
You can read the complete survey results.