Considering Protiviti's 2011 Internal Audit Survey

My friends at Protiviti have issued a new Internal Audit Capabilities and Needs Survey. As usual, it hits several high notes, which it will address at a webinar on March 23.

The report highlights these “notable takeaways”:
  1. Play a leadership role – Help the organization evolve its risk management program and internal audit’s role in it.
  2. Support the C-suite and board agenda – Work with board members and executive management to focus on strategic risks, strategic assumptions and risk appetite.
  3. Be prepared for continuous and ongoing change – New laws, regulations and standards (e.g., IFRS, Dodd-Frank Act) continue to alter the landscape.
  4. Use technology effectively – Improve coverage, reduce costs, increase frequency and enhance effectiveness.
  5. Internal auditing is still about people – Attract, develop and transfer out the best.
  6. Add value – As noted in The IIA’s definition of internal auditing, this is what internal auditors are supposed to do.

I agree that all of these are excellent points for any internal audit executive to consider. Let me add a few that are not included, some of which are “capabilities” that internal auditors need to address quickly.

  1. The capabilities needed to assess risk management. Protiviti talks about understanding different elements of risk management, such as the 2009 global standard from ISO (31000), risk appetite, etc. But internal auditors do not typically have experience or training in risk management and lack the confidence to assess its adequacy. Given the clear failures of risk management over the last few years, this is indeed a critical “capability” that needs significant improvement.
  2. Provide assurance on governance, risk management, and related controls.
     a. Although internal audit departments have provided assurance through traditional audits of controls at individual locations and within selected business processes, few have made the move to providing assurance on the organization as a whole.
     b. In addition, few have taken on the challenge of providing assurance on governance activities and processes, or on risk management. I expect to see the IIA release guidance on auditing governance shortly, and they did issue a Practice Guide on assessing risk management last year.
     c. Departments need to move from the traditional audit of risks at a location to auditing the management of risks that matter to the business as a whole. This requires a shift away from the concept of an audit universe to focusing audit attention on risks to the organization.
  3. An internal audit strategy. It’s one thing to have an annual plan (preferably one that is updated constantly, as risks change). It’s another to have a vision for the internal audit function and a plan to get there. According to a recent IIA study, only about half of internal audit functions have developed such a plan. (For more on recent IIA studies, click here.) By the way, staying where you are because you don’t need to change is high risk — everybody needs to continue to grow, develop, and enhance their ability to deliver value.

What do you consider the top “capabilities and needs” (and let’s add “practices” to the list) that internal audit needs to address with urgency?

Posted on Mar 18, 2011 by Norman Marks


  1.  Norman:

    I agree with all of your commentary above of what internal auditors are missing and need to address quickly. As to the internal audit practice guide issued late last year on assessing risk management, I think that for the most part it is a useless guide. If you want to know more details and how I reached this conclusion, please advise further.

    As to why we are in the situation that we are in (i.e. in the year 2011 why internal auditors are struggling with what is basic stuff), there is a long history behind this. This long history needs to be addressed - root cause - in order for the changes you suggest to take hold, and if these issues are not addressed, you will be writing about the same stuff next year at this time.


  1. Protiviti has also done a survey for COSO entitled Board Risk Oversight - A Progress Report. By reading this, the Internal Audit community can gain insight into what the board is actually looking for in terms of information and analysis.

  1. Protiviti has just done a survey for COSO entitled "Board Risk Oversight - A Progress Report". By reading this, Internal Audit can see what boards are looking for now in terms of information and analysis of risk management. It is available for viewing on COSO's website.
