Internal audit functions still not up to scratch – EY report
Eighty per cent of organisations acknowledge that their internal audit function has room for improvement, an Ernst & Young report has found.
With risk, control and compliance becoming increasingly important in the global marketplace, a new global survey of 695 chief audit executives and C-suite executives highlighted how 75 per cent of respondents believe strong risk management has a positive impact on their earnings performance.
The report, entitled ‘The future of internal audit is now’, also found one in four executives to be aware of their internal audit function’s positive impact on their overall risk management efforts.
The survey shows that the key priorities of both chief audit executives and stakeholders have clearly shifted from compliance and financial controls to risk coverage and business relevance. Future focus areas becoming more relevant to achieving business objectives cited by respondents include improving the risk assessment process and enhancing the ability to monitor emerging risks. Additionally, reducing overall internal audit function costs without compromising risk coverage and identifying opportunities for cost savings in the business were also cited.
To focus on risks that matter, create value and help the organisation achieve its objectives, internal audit functions need to align their strategy to that of the over-arching organisational strategy. However, 61 per cent of respondents reported that they had no documented mandate that aligns internal audit to the organisational strategy.
“Internal audit can use a company’s overarching organisational strategy to identify the risks that matter most in the context of the organisation’s risk appetite. Elements of the organisational strategy will vary by industry and are very specific to the business but to remain relevant, internal audit needs to use risk assessments based on the organisation’s strategic objectives,” Randall Miller, Ernst & Young advisory global risk leader, said.
Internal audit risk assessments, regulatory requirements and enterprise risk assessments are the top three drivers of the audit plan, and internal audit is playing a more prominent role in organisational issues, such as major capital projects (49 per cent), IT systems implementations (42 per cent), mergers and acquisitions (37 per cent) and material contracts (32 per cent). Technology remains a key area of focus for internal audit functions, comprising 18 per cent of the current audit plan.
Improving the risk assessment process is the top priority of CAEs and stakeholders. Identifying risks that are truly significant to the business is the first step to effective risk management and monitoring. Today’s internal audit functions are focused on enterprise-wide risk coverage, leadership engagement and direct linkage to strategy to increase the relevance of the risk assessment.
As the role of the internal auditor evolves and stakeholder expectations rise, internal audit functions increasingly require competencies that exceed the more traditional technical skills, such as the ability to team with management and business units on relevant business issues.
When asked which areas of the respondent’s internal audit function had defined competency plans for staff development, 58 per cent indicated a plan for technical internal audit skills, 54 per cent have a plan for business or industry acumen, and only 47 per cent have a plan for business management and leadership. Eight per cent indicated no defined competency plan at all.