Ten years after the Sarbanes-Oxley Act made financial controls job number one for internal auditors, companies want these employees to increase the amount of attention they pay to operational risks.
According to a recent survey by the Institute of Internal Auditors (IIA), just over one-quarter of corporate internal-audit work this year will focus on operating risks. That’s a substantially higher proportion than compliance risks (which will make up 15% of internal-audit efforts) and Sarbanes-Oxley testing (12%).
The overall expansion in scope for internal-audit teams in 2012 is made possible by an increase in hiring. In the IIA survey, 22% of chief audit executives who work for Fortune 500 companies said their internal-audit staffing level will rise this year. IIA president and chief executive officer Richard Chambers says that many companies across the board will see stable or slightly higher staffing levels in internal audit this year.
Moreover, those who keep a close watch on the work of internal auditors, including CFOs, are looking for additional skills to round out the department. Indeed, the IIA survey, of 461 internal-audit professionals based in North America, revealed that companies are moving away from traditional profiles of internal audits. The following are the top five skills sought for new internal auditors:
- Analytical and critical thinking (73%)
- Communication skills (61%)
- Data mining and analytics (50%)
- General IT knowledge (49%)
- Business acumen (46%)
Financial and accounting backgrounds are still needed, of course. But the new skills currently in high demand will “diversify” the team’s offerings, according to Chambers. At the same time, he says, internal-audit teams should not be well rounded “just for the sake of it.” Instead, the teams’ makeup and priorities should depend on each company’s assessments of its risks.
Chambers notes that companies are looking beyond the finance department for potential internal auditors. “The ability to mine and analyze data has been high on the list for the last couple of years,” he says.
The IIA has been insisting in recent years that the internal-audit profession has moved away from acting solely as finance and compliance cops and now must act as advisers and experts who can opine on broader matters, including strategic risks to the business.
Some of that progress was stalled by the financial crisis, Chambers acknowledges, since many internal-audit teams were downsized. Still, “the last three or so years have shown a remarkable trend toward companies diversifying their internal-audit coverage,” he says.
In a way, the credit crisis was good for the role. As regulators continue to call upon managers and boards to improve their oversight of risk management, through speeches and regulations stemming from the Dodd-Frank Act, managers and boards are looking to internal auditors to weigh in on whether the company is assessing its risks and mitigating them within their risk-tolerance levels.
In contrast, Sarbanes-Oxley’s demand on proper and effective internal controls over financial reporting narrowed the focus of internal-audit teams. That change, of course, made sense since the profession is a risk-based function: internal auditors are expected to focus on prioritizing the risks to their business, and controls were a high-risk area during the past decade. “In the wake of Sarbanes-Oxley, there was a huge risk for companies who failed early SOX 404 audits,” which dealt with internal controls over financial reporting, Chambers says. “Internal audit was heavily focused on that area.”