Amid increasing focus on how internal auditors can evolve in their positions, a newly published survey of stakeholders offers guidance on best practices. Not surprisingly, a focus on strategic planning and risk management within auditors’ organizations is key.
The survey report by the Institute of Internal Auditors Research Foundation and global consultancy Protiviti is based on responses from 1,124 participants in 23 countries. About a third (34 percent) were board members and the remainder were executives in the C-suite.
Content seriesView full content series
Here’s a sampling of their recommendations:
1. The bedrock: Know the organization’s mission, strategy, risks and objectives
“This was a central overriding message from all categories of stakeholders,” the report states. The majority (64 percent) of stakeholders believe auditors should have a more active role in strategic risks and more than knowledge of the organization’s strategy. They should “get inside” it. “Internal auditors need to be masters of the business of their organizations,” the report states.
2. Assurance is assumed, now build on it
Respondents highly value auditors’ work to assure that organizational risks are under control. But they also want auditors to branch out into advisory and consulting roles.
“Variance among stakeholders was mostly from the type and extent of advisory services internal audit should provide, not whether assurance is primary,” the report states. “When asked for a specific input on the balance between assurance and advisory work, stakeholders usually volunteered that advisory work, if provided, should fall within the range of 20 percent to 50 percent of effort.”
Stakeholders made clear that, “when looking beyond assurance, they believe internal audit can be most valuable to organizations by being involved in risk identification and management,” the report states.
Other areas that the majority of respondents said internal audit should address beyond assurance include business process improvements and emerging issues.
3. Best practices in providing assurance
When stakeholders were asked how auditors could most improve their work in responding to strategic risks, they most recommended a focus on risks during assurance work. “This does not mean internal audit ignores financial, operational or compliance risks,” the report states. “In almost all cases, these risks are directly linked to the organization’s strategy. The key is being able to link these ‘traditional’ risk areas to strategy.”
So how can auditors improve their role in responding to strategic risks?
While most stakeholders want auditors to focus on strategic risks during projects, 86 percent of board members favored that over 74 percent of the C-suite respondents.
Likewise, the majority want auditors to evaluate and communicate key risks, with 76 percent of board members favoring that over 69 percent of the C-suite.
But when it came to auditors’ evaluations of how strategic initiatives were conducted, 53 percent of the C-suite recommended that over 48 percent of board members. Those percentages were identical in stakeholders’ interest in seeing more assessment of metrics used to monitor strategic efforts.
4. Coordinate with the second line of defense
Stakeholders may not always see clear relationships between the second line of defense (compliance and risk management) and internal audit. Except that, internal audit is expected to work with the others. The general view is that coordination is the goal but only to the extent that the other functions earn that reliance, the report states.
How to be Successful
It’s all about understanding organizational structure and relationships. Internal audit is described as the third line of defense. As such, reporting to the board is essential but there can be competing demands. Board members want auditors reporting to them and attending meetings; the C-suite favors a “proper reporting structure” instead.
But it’s important that board members and the C-suite recognize that reporting to the board isn’t a passive activity. “The board needs to be the primary body to engage with internal audit on developing the audit plan,” the report states. “It needs to be able to hear objective messages from them, not ones filtered through management.”
As for relationships, they’re critical for understanding changes within the business but also in resolving competing demands. That hinges on communication – and in person, too.