Given the clear need for internal audit to sharpen its focus on risk, and thereby provide more value, internal auditors find themselves at a strategic crossroads: They can either pursue the status quo, a path that could lead to their obsolescence, or they can transform themselves from an internal-audit model focused on controls assurance to a risk-centric model based on the effectiveness of risk management processes. The latter path is far more likely to address the evolving needs of modern organizations and meet the rising expectations of directors and senior management.
The findings of Internal Audit 2012, a major survey and interview project by PricewaterhouseCoopers, suggests ways that corporate directors can help reshape internal audit strategies and thereby enable internal-audit functions to provide more value. In reassessing the primary focus of internal audit, it suggested that members of audit committees ask these key strategic questions:
- Do we have a clear understanding of internal audit’s current value proposition?
- Do we want internal audit to stay the course and maintain a strong focus on controls? Or are we ready for internal audit to adopt a more risk-centric mindset?
- If internal audit is ready to provide risk-management assurance as well as assurance over controls, what skill sets will it need to achieve its objectives?
- Is internal audit helping the audit committee identify emerging issues?
Improving Risk Management
The migration toward a more risk-centric approach to internal audit is being driven by five closely related trends: globalization, changing internal-audit roles, changes in risk management, shortage of audit talent, and technological advancement.
Globalization and new technology continue to have a dramatic impact on how companies structure business processes and operations. These changes—together with regulations, institutional investor demands, and the complexity of today’s multinational corporations—are influencing corporate efforts to improve risk management. Study participants expect increased globalization and advances in technology to have a sizable impact on internal audit and the talent it needs to meet its objectives. By understanding these factors and their implications, audit committee members will be able to work more effectively with internal-audit leaders to determine how to help senior management identify and manage risk.
Globalization Drives Demand
The Internal Audit 2012 project identified globalization as one of the most significant and growing trends examined. As organizations expand overseas, there is a corresponding increase in the demand for internal-audit services. In the future, a majority of the study’s survey respondents expect globalization, outsourcing, and off-shoring to have a profound impact on the roles and responsibilities of internal audit.
Yet while Internal Audit 2012 survey participants see new responsibilities stemming from globalization, chief audit executives (CAEs) from experienced global companies express caution, pointing out that risks associated with the pursuit of global markets can be difficult for internal auditors to identify and assess. Other audit leaders cite challenges relating to cultural issues in China, India, and other growing markets.
PwC’s research also suggests that audit committees and senior management pay closer attention to shifting political risk in global markets. At a time when risk-based auditing has become a driving force within business circles, internal-audit risk assessments should take political risk factors into consideration. For companies operating abroad in unfamiliar political environments, new types of risks and complexities can threaten business performance and may also mask new opportunities. Factors range from regulatory changes lowering barriers to market entry to practices that violate the Foreign Corrupt Practices Act (FCPA).
If a company has a presence in foreign markets, or if it is thinking about making major investments abroad, it needs timely, accurate, and objective assessments of the political environment. Economic analysis alone fails to tell the whole story, particularly in situations where useful statistical data is either hard to come by or subject to manipulation.
As companies expand globally, they also need to determine whether to provide audit coverage from a central location or from a satellite operation aligned geographically with the business footprint—not a decision to be taken lightly. Internal Audit 2012 survey respondents generally expect that the internal-audit organizational structures for U.S. companies will remain U.S.-based, albeit with a growing global dimension.
If you are a director of a company active in global markets, you should be asking:
- Does our internal audit group have what it takes to address the risks of international expansion?
- How good are we at complying with the Foreign Corrupt Practices Act?
- Does management’s existing enterprise-wide risk assessment address political risk?
- Should our internal audit group provide audit coverage from a central location or from a satellite operation aligned geographically with our expanded operations?
The Risk-Centric Mindset
By 2012, according to the PwC study, internal-audit groups with risk-centric mindsets will be providing assurance over both risks and controls. This evolution in the primary role of internal audit is consistent with the Institute of Internal Auditors’ revised definition of internal audit: providing objective assurance over both controls and risk management. Directors should view this evolution as a strategic expansion of internal-audit’s role and one that directly enhances the ability of the audit committee to oversee the company’s controls and practices.
When Internal Audit 2012 survey participants were asked to rate factors expected to create more responsibilities for internal audit by 2012, the leading choice was continuous auditing, which was given a 90-percent rating. Auditing the enterprise risk management (ERM) process ranked second, with 77 percent, followed closely by globalization, with 75 percent. Fraud detection, fraud risk-assessments, and fraud investigations—three key aspects of a comprehensive antifraud program—are also projected to generate significantly greater responsibilities for internal-audit groups over the next few years. And when asked what business trend will have the most significant impact on internal-audit roles and responsibilities over the next five years, 95 percent of respondents said technology.
A Real-Time Dimension
To remain relevant, internal auditors will need to move beyond a static, cyclical approach to auditing, and adopt a continuous, comprehensive approach to audit and risk assessment. In these pursuits, the ability to identify and analyze emerging risks will be essential, as will the ability to direct audit resources toward areas of greatest risk and to conduct audits on a targeted basis in response to specific risk concerns.
According to PwC research, internal auditors will be sharpening their focus on continuous auditing between now and 2012 in an effort to streamline the audit process. As risk assessments and risk monitoring assume a more real-time dimension, audit timing will become more dynamic. Audits will be conducted on an as-needed basis, triggered more by changes to organizational risk profiles than by set plans.
When asked to describe their internal-audit planning processes in 2012, nearly half (47 percent) of the survey respondents indicate they expect to have an ongoing risk assessment conducted with an annual audit plan that is revised and updated throughout the year.
Shortage of Audit Talent
PwC research indicates that audit leaders consider a lack of capacity and capabilities to be among their primary challenges. Thus the audit committee must have a mandate to regularly assess the adequacy of internal-audit resources and skills.
CAEs are particularly concerned about having sufficient talent to address strategic and business risks, as well as risks stemming from fraud and technology. According to the CAE of a global software company, the supply of traditional internal-audit skill sets is much smaller than marketplace demand, suggesting that competition for well-qualified internal-audit talent extends beyond the ranks of IT, finance, and risk management. With baby boomers about to retire over the next decades, audit leaders foresee significant shortages of experienced internal auditors.
Although traditional accounting and auditing skills are expected to remain important in 2012, a broader set of risk-monitoring and analysis capabilities are needed for a risk-centric auditing environment. On a collective basis, there is need for a critical mass of auditors who can access, assess, and analyze risk data as well as help prevent and detect fraud. Too often, audit leaders report on the size of their staffs without regard to internal-audit skill sets. Directors should ask whether internal audit has people who can evaluate and test internal controls, audit complex IT environments, and address both enterprise-wide risk and governance issues.
In particular, audit leaders talk about the need to develop teams of professionals who are strong in both data extraction and analysis to evaluate key risk indicators (KRIs) and compare them with industry norms. CAEs are targeting analysts who understand risks, can provide timely risk-and-control assurances, and can update organizational risk profiles. Such analysts would also have the capability to focus on fraud and other areas of significant risk, monitor KRIs, and analyze business processes to determine which controls, if any, can be removed with little or no negative impact.
Directors should also be inquiring about internal-audit’s career-development programs. To attract and retain talent, according to Internal Audit 2012 interviewees, internal audit needs to be viewed as a function that offers talented people ample opportunity for career development.
Technological Advancement
Directors should be aware of the potential impact of technology on the ability of internal audit to identify and audit risks and to enhance functional effectiveness and efficiency. Given the speed of technology development, it is not surprising that survey participants predict that technology will affect internal-audit roles and responsibilities more than any other business trend. All 2012 survey respondents predict that their use of technology will increase over current levels, with 46 percent expecting the increase to be dramatic and 43 percent projecting a moderate increase. Respondents foresee a sharp surge in the importance of technology in continuous monitoring and fraud detection. And they expect to leverage technology to pinpoint KRIs in order to identify changes in organizational risk profiles in advance of internal control breakdowns and enable CAEs to initiate audits in those areas.
At the same time, 79 percent of 2012 survey respondents believe technology risks will pose a higher degree of risk to their organizations between now and 2012. To address technology risks and the need for IT audit resources, survey respondents intend to employ a variety of infrastructure, human resources, and organizational strategies. Some audit leaders plan to acquire more sophisticated technology tools to address these risks while others plan to integrate auditors with IT skills into a core internal-audit function.
Gaining More Strategic Value
As organizations expand their risk-and-control activities, and involve more functions in these critical areas, directors should ensure that their internal-audit groups adopt a risk-centric mindset. This may require audit leaders to redefine departmental roles and establish a unified value proposition so that their departments will be viewed as strategic players.
To achieve a risk-centric mindset, internal auditors need to adopt a more conceptual approach to audit, risk assessment, and risk management that goes beyond a narrow focus on controls. This will require a sweeping change that includes forging a strong link between the risk-management initiatives of internal-audit functions and those undertaken by the rest of the organization. In addition to facilitating this change, directors need to ensure that internal audit receives the budget and management support needed to achieve this transition. If internal audit fails to evolve in this manner, it could be viewed as a narrow, controls-oriented entity, and its potential contribution marginalized.
To gain more strategic value from internal audit, audit committees should encourage internal audit leaders to pursue the following strategic initiatives:
- Make it a primary objective to provide assurance over risk management.
- Include strategic risks within the risk universe targeted by internal audit.
- Identify emerging risk issues and trends and bring them to the attention of key stakeholders.
- Strengthen risk coverage of technology, fraud, and strategy–areas of high priority (where traditional internal-audit groups may be less sure of their traditional role).
- Coordinate with other risk-and-control functions to ensure that risks are appropriately controlled and managed.
Dennis Bartolucci is a partner and Richard Chambers is a managing director at audit firm PricewaterhouseCoopers.