Ten years after the Sarbanes-Oxley Act made financial controls job one for internal auditors, companies want auditors to shift some of their attention to operational risks.
A recent survey by the Institute of Internal Auditors (IIA) found that just over one-quarter of corporate internal audit work this year will focus on operating risks. The survey of 461 internal auditors in North America also found that compliance risks will make up 15% of internal audit efforts and Sarbox testing will take 12%.
The findings suggest that companies are looking for a wider range of skills from their internal auditors than they did a decade ago. “In the wake of Sarbanes-Oxley, there was a huge risk for companies that failed early [Sarbox] 404 audits,” which tested the effectiveness of their internal controls over financial reporting, says Richard Chambers, president and CEO of the IIA. As a result, “internal audit was heavily focused on that area,” he says.
But times are changing. The IIA survey found that analytical and critical thinking is the skill that companies are seeking most in internal auditors this year, named by 73% of respondents. Next are communication skills (61%), data mining and analytics (50%), general IT knowledge (49%), and business acumen (46%).
These results reflect a growing trend, Chambers says: internal auditors are evolving from finance and compliance cops to advisers and experts who can opine on broader matters, including strategic risks to the business. The financial crisis stalled some of that progress, since it led companies to downsize many internal audit teams, he admits. But in other ways, the credit crisis may have been good for the role, Chambers says. As regulators called on managers and boards to improve their oversight of risk management, the executives in charge may have given more responsibility, and prominence, to the internal audit team.
While the addition of skills will diversify companies’ audit teams, internal auditors should not be well rounded “just for the sake of it,” cautions Chambers. Rather, executives should decide what skills their auditors need after assessing their companies’ unique, industry-specific risks and priorities.