While some charge complacency, resources may be the real problem
A new survey from the Institute of Internal Auditors (IIA) suggests that internal audit departments are not changing fast enough to address emerging risks that lie outside the traditional purview of internal audit.
The survey highlights four areas—cybersecurity, data analytics, auditing culture, and developing interpersonal skills—where it found that corporate internal audit shops were lagging behind in keeping up with fast-paced organizational changes that bring emerging risks.
“The 2016 North American Pulse of Internal Audit [survey] raises serious questions about how practitioners are coping with these new demands,” the IIA said in a statement announcing the publication of the survey. In the publication, the IIA urged internal audit executives to “move out of their comfort zone.”
“It is time for internal audit to move beyond being capable of handling old risks and align with the strategic objectives of the organization, stepping into the role of trusted adviser,” the report concludes. “As current risks evolve and new risks emerge, a sense of urgency to audit at the speed of risk is vital to meet and exceed the needs of key stakeholders.”
Some of the evidence that internal audit aren’t moving fast enough to address emerging risks sufficiently include:
- 58 percent of respondents said they don't audit organizational culture.
- 52 percent reported that a lack of cyber-security expertise among internal audit staff affects internal audit’s ability to address cyber-security risk.
- 71 percent said they weren’t very confident in strategic decisions made by the organization based on data.
- 65 percent rated their average audit team member as not at all, slightly, or only moderately proficient in accounting for the organization’s politics.
- 63 percent had the same doubts about the average audit team member's ability to manage conflict effectively
As “alarming” as these figures are, the problem may lie more with a lack of resources than with internal audit leaders who are resistant to change. Several surveys have identified that organizations are pushing internal audit shops to do more with less. Few are increasing budgets and adding staff.
The pulse survey, for example, showed 55 percent of organizations plan to keep budgets the same, while 8 percent were making cuts. Moreover, 71 percent plan to keep staffing levels the same. It’s quite likely that, given resource constraints, internal auditors consider these areas as “nice to have,” but need to put their traditional internal audit responsibilities first.
Another problem is resistance inside the organization, which IIA identified in some spots in the Pulse survey. A quarter of respondents, for example, said they do not believe internal audit has the freedom to assess the entire organization and staff. About a third say that internal audit doesn’t have the full support of executive management to audit culture, and 23 percent believe they do not have the support of the board or audit committee for such scrutiny.
“The evolution of risk in the marketplace has become as rapid as it is complex, with diverse factors coalescing in varied ways to create new business challenges. As a result, the demands on internal audit are evolving dramatically,” the IIA stated.
It’s true that audit practitioners must branch out and step out of their comfort zones into these critical areas. It’s also true that originations must give internal audit the resources and support to make it happen.