Internal audit isn’t keeping pace with the disruptive forces affecting organizations, and that’s undermining how stakeholders value the function.
That’s the bare-knuckled message of PwC’s 2017 State of the Internal Audit Profession Study.
“Stakeholders reporting that internal audit adds significant value dropped from 54 percent in 2016 to 44 percent in 2017, reaching its lowest level in the five years we’ve been tracking this metric,” PwC states.
Of the stakeholders who say they get significant value from internal audit, half of them expect more.
But here’s the key to the whole discussion: Stakeholders support a stronger role – more “value-added,” as the study puts it – for internal audit, which should empower chief audit executives (CAEs) to amp up what internal audit does. The wild card is the “disruptive and uncertain environment” that many organizations face, according to the study. But if internal audit can help organizations navigate the disruption, its perceived value grows. If not, “the function will likely fall behind as the business charges ahead,” the study states.
Of the nearly 1,900 executives who responded to a survey for the study, only 18 percent said their internal auditors play a valuable role in helping their company prepare for and respond to business disruption.
So, what are these disruptive forces at work? Here are the top five that affect a variety of industries:
- New regulation (58 percent)
- Changes in business model or strategy (44 percent)
- Cybersecurity and privacy threats (37 percent)
- Financial challenges (36 percent)
- Technology advancements (34 percent)
In financial services, however, about 76 percent of respondents indicated that regulatory changes were by far the biggest disruptive factor.
Going forward, respondents said new regulation and cybersecurity issues are the disruptions most likely to occur, but changes in business models, financial challenges, and technology advances will have the most significant impacts.
Despite these findings, the report indicated that there are notable differences in how board members, management, and CAEs view internal audit’s handling of disruptions – and the board was far more positive about their company’s response to several disruptors than management or CAEs.
For example, 81 percent of board members said their company’s response to new regulations was effective, compared to 69 percent of management and 60 percent of CAEs.
On changes in business models, 70 percent of board members rated their company’s response as effective, compared to 50 percent of management and 48 percent of CAEs. And 63 percent of board members said their company’s response to changes in customer preferences was effective, compared to 37 percent of management and 41 percent of CAEs.
The report offers the following six steps that internal audit can take to become more responsive to disruptions:
- Be flexible in the procedures required for different projects.
- Develop test programs in phases where the results of the first round affect subsequent rounds.
- Perform projects in areas where controls aren’t yet developed or operating.
- Use data to enable activities beyond testing execution, such as risk insights, root-cause identification, and predictive analytics.
- Embed data trending within the planning process to develop a “snapshot” of the area under review, which will delineate specific questions and execution.
- Create a talent strategy that includes rotating employees after a specified period.