2014: Where Will Internal Audit Be Focused?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 

 

I started this year with a blog post detailing what I thought auditors should be focused on in 2013. As the year draws to a close, I wanted to focus on the year ahead — the outlook for internal auditing and what’s on the radar for chief audit executives (CAEs), as measured by the Audit Executive Center’s recent North American Pulse of the Profession report, “Defining Our Role in a Changing Landscape” (PDF). While I recognize that this survey is somewhat North America-centric, my recent global travels lead me to believe that many of these trends will be observed around the world.

The most encouraging 2013 survey results centered on internal audit resources. Expectations for budget and staffing levels are at pre-recession levels, with 90 percent of CAEs saying they expect their budgets to hold steady or increase in 2014. Additionally, 97 percent expect staffing to remain the same or increase.

While the outlook for resources is good, I am concerned that there is an emerging misalignment in the allocation of those resources. As I have commented often in this blog, internal audit should follow the risks. While strategic business risks rank near the top of executive and audit committee concerns, CAEs reported that such risks account for only 4 percent of audit plan coverage overall, and 57 percent of CAEs surveyed said they’ve made no provision for strategic business risks in their 2014 audit plan.

I agree with Dick Anderson’s assessment, published in the report. Anderson, a clinical professor at DePaul University and a former colleague of mine from PricewaterhouseCoopers’ internal audit services, attributes the misalignment to a “bottom-up” risk assessment, which tends to underweight “top-down” concerns.

History suggests that this misalignment will correct itself. Compliance risk, for example, was an underweighted category in the past. However, it will be getting its due in 2014 — thanks in large part to the updated COSO Internal Control–Integrated Framework and the U.S. Affordable Care Act. (I’ll examine this topic in more depth in an upcoming post.) But as I have said before, today’s legislative headlines are tomorrow’s compliance risks.

The survey also revalidated the trend we have been observing since 2009 of internal audit’s focus shifting away from financial risks. In fact, the projected coverage for financial risks is down to only 22 percent of internal audit plans. Instead, coverage of operational risks (27 percent), compliance risks (15 percent), and information technology (11 percent) has collectively comprised a majority of internal audit plans. As I have observed on numerous occasions, this pronounced shift in coverage has mirrored the evolving risk profile of many companies.

Before we become too attached to the picture the survey paints for next year, however, we should remember that internal audit’s resource levels and focus are always subject to unforeseen or emerging risks. Should there be a major economic crisis, regulatory initiative, or catastrophe in a major industry or sector, the outlook could change swiftly and dramatically.

If you haven’t had a chance to review the latest Pulse of the Profession, I would encourage you to do so. Those of you who have seen it, what are your impressions? What’s on your mind for 2014? And what can we do to better align audit resources with top-down risk concerns?

Posted on Dec 4, 2013 by Richard Chambers


  1. This is troubling. If Internal Audit is not reviewing strategy, ERM and governance, how can they possibly be in conformance with the IIA Professional Standards?

    Why do Audit Committees with direct line responsibility continue to allow this misalignment of resources? 

    I heard a CAE from a major airline say recently the only way to go with a QAR is to use another CAE (peer review), in this case from a casino. 

    Apparent that QAR programs are not highlighting these disconnects in scope, compliance and oversight.

    What we are not getting to is root cause as we continue to see the same results year in and year out.

    Let's learn from history:

    This is precisely what the OCC/FRB did when they previously reviewed financial institutions. Bottoms up! They did not emphasize the evaluation of governance, ERM, BOD standing up to the CEO, risk appetite and succession planning. As a result, they did detect or prevent the devastating practices that led to the 2007 economic collapse and did not ensure the safety and soundness of the banks they regulated, their only mission. They have since turned their evaluation model upside down to emphasize these areas.

    I guess if internal audit won't or can't, someone else will.

    As a profession, we owe it to company stakeholders to be more transparent on what they are actually getting from this independent assurance and advisory function and what they are not.

    Richard, thanks for highlighting the Pulse results.

    Mike

     

  1. It is critical that the internal auditor not be confused with the role of the external auditor. The first is an "arm of management" working with and for management while the latter is not a member of management's team and instead is really working for the stockholders and public as their independent eyes and ears. In 1988 the Institute of Internal Auditors Research Foundation released a study titled Evaluating the Effectiveness of Internal Audit Departments. In this study one thing stood out: "If any single characteristic of the successful director of internal audit stood out, it was the ability to perceive and direct the department as management desired." Additionally, the study noted that whenever the director was in alignment with management, they received the highest ratings as "effective" departments, despite the fact that there was not just one central audit focus on either financial, controls, business risks or compliance among the companies surveyed. It is not the role of internal auditors or IIA for that matter to dictate to management or the Board what they should or must do. Furthermore, frequently management does not need an "audit" instead they need evaluations, assessments, counsel. Many in my profession act as if they have only one tool in their tool box, an audit, and forget that the IIA definition of Internal Auditing, does not even include the word "audit" and instead refers to "assurance and consulting activity." Risk management certainly includes business risk and if departments are not involved in this area, they will become dinosaurs.
  1.  One of the challenges that Internal Audit will have to deal with is breaking out of the "groupthink" box. Dr. Hughes' comment highlights one such example when it refers to the audit report. The internal audit report became the de facto norm for communicating the results of Internal Audit activity. But it doesn't have to be that way. However, someone has to be willing to take changes and innovate. They have to be willing to break from the norm. The risk they run though is when they are benchmarked or peer reviewed. If they are compared against the "industry norm", they may be painted as being outside the norm, as if that was a negative. I would love to see the IIA partner with a company in each size category to pilot innovative practices. This would give more credibility and license to the changes that Internal Audit departments implement.

  1.  I guess it is obvious that IA and Management will hardly see eye to eye.

    Operational risk being a top priority for IA is no surprise. Is basically ensuring the "bread and butter".

    Also no surprise with Strategic risk for Management. Does not matter how much research is done, involves some chance taking. And management does not want the guardians of reasonableness to cast doubt over their decisions. Otherwise, who was then running the company?

    Unfortunately, I think that IA is still seen by management as handy to have around for certain things. But not for big strategic decision making.

    All in all, IA and management will always have different views because they serve different purposes.

  1. If we win would be large the gap in the organization and higher the risk of mistake. Personal challenger shouldn't let / be let organizations pay off. whichever side they seat. But to lift do forget limiting risks or we can close. Gov is a better heading path.
  1. Richard: I believe the Financial Stability Board in their July 2013 paper "Principles for an Effective Risk Appetite Framework" spelled out the best vision for IA I have seen so far. The goal of internal audit in my opinion should be to do what it can to get the board, senior management, business units to accept the roles proposed by the FSB in the July paper and move the internal audit paradigm towards the vision for internal audit described on page 12 of the document. The challenge will be whether the profession is ready to accept the type of role envisioned by the FSB and whether the IIA can equip them to meet these new heightened expectations. A link to the FSB paper is below. http://www.financialstabilityboard.org/publications/r_131118.pdf
  1. I totally agree with Dr. Hughes' statement: "frequently management does not need an "audit" instead they need evaluations, assessments, counsel. Many in my profession act as if they have only one tool in their tool box, an audit.." After decades of internal auditing experience, I conclude that the biggest risk to the organization, a department, a program, a function is some degree of a lack of accountability, control, transparency, efficiency and effectiveness. I passionately believe that if Internal Audit assesses these 4 risk areas in a comprehensive and integrated manner, their audit advisory reports can have the greatest impact on the organization. To address these four risks, one needs to understand for example, the auditee's strategic plan, policy and procedures, method of problem solving, policy & procedures, etc.
