For Internal Audit, it’s Time to Get Uncomfortable

Feb 23rd 2016
Share this content

Internal auditors are stuck in the familiar territory of financial and operational risks but failing to keep up with new challenges, according to a new report from the Institute of Internal Auditors (IIA), 2016 North American Pulse of Internal Audit: Time to Move Out of the Comfort Zone.

“As risks change, as new risks emerge, and as stakeholder expectations continue to evolve, internal auditors must move out of their comfort zone to audit at the speed of risk,” the report states.

But that was the challenge addressed in last year’s report, too. And it remains: Get out of the usual annual planning and typical audit areas.

“The consequences of a toxic culture, the destructive impact of a cyberattack, the exponential growth in the collection and reliance upon data – these represent just a sampling of today’s risks that increasingly fall outside of the traditional comfort zone in which many auditors operate,” the report states.

Here’s a snapshot of how internal audit can get, shall we say, uncomfortable.

Organizational culture. Explore it because it plays a crucial role. Less than half (42 percent) of survey respondents address this in their own organizations. Board members and managers don’t support audit sticking its nose into culture. And audit lacks the ability to measure organizational culture. Combine those two issues and you’ve got the reason why audit avoids this risk.

Cybersecurity. This remains a major concern. Most respondents believe prevention is the key response to cybersecurity issues. But while organizations must be prepared to respond to risks, survey respondents indicated they may not be as prepared as they should be. More than half (52 percent) admit their lack of expertise keeps them from addressing cyber-risk as they should.

“In the face of a cyberattack, addressing business continuity and reputational risk are paramount, yet few organizations are taking time to think beyond prevention,” IIA President and CEO Richard Chambers said in a prepared statement. “The IIA has been promoting cyber-resiliency – the concept of addressing the full spectrum of prevention, detection, reaction, and restoration – for some time, so these findings are particularly alarming.”

Strategic decision-making and data. They are increasingly linked. Internal auditors aren’t as involved in all aspects, and less than a third (29 percent) are very or extremely confident in the strategic decisions made based on data.

People skills. This has become increasingly important. Chief audit executives aren’t satisfied with the level of these skills among their people, and less than half of respondents said their teams have more than moderate proficiency in “soft skills.”

Internal audit is at a critical juncture, the report states, and getting out of the comfort zone requires more than “rebranding” internal audit. Instead, it means “fundamentally changing the makeup of internal audit.”

Addressing the four “discomforts” listed above requires internal audit to invest in its staff to improve soft skills, the report states.

“It is time for internal audit to move beyond being capable of handling old risks and align with the strategic objectives of the organization, stepping into the role of trusted advisor. For many, this requires a shift in mindset from auditing what is comfortable to auditing what is critical. As current risks evolve and new risks emerge, a sense of urgency to audit at the speed of risk is vital to meet and exceed the needs of key stakeholders,” the report states.


Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.