Chief Audit Execs: Internal Audit Can Do Better

CAEs say their function doesn't make adequate efforts in communicating with the board and management, among other shortcomings.
David McCann, March 6, 2019

In this time of fluid dynamics around disruptive technologies, geopolitical uncertainty, and threatening global economic conditions, optimal performance is a moving target for every business function.

Nowhere is that more evident than in the internal audit function. Most chief audit executives (CAEs) see significant gaps between existing performance levels and those they wish to attain.

The Institute of Internal Auditors (IIA) surveyed 512 audit managers and directors, including 447 CAEs. The degree of dissatisfaction registered by the respondents was notable, given that they were to some extent pointing a finger at themselves.

With respect to the top area of concern for CAEs, cybersecurity, 53% of survey participants said their organizations are putting forth “extremely significant” or “significant” effort to “communicate to executive management and the board the level of risk to the organization and efforts to address such risks.”

But while they don’t expect anything to be perfect, on average the respondents indicated they’d be happy if that figure reached 80%.

Similar gaps in current-vs.-desired effort levels relating to cybersecurity were found for:

  • “Providing assurance over readiness and response to cyber threats” (46% to 82%)
  • “Working collaboratively with IT and other parties to build effective defenses and responses” (41% to 64%)
  • “Ensuring communication and coordination with the organization regarding cyber risk” (37% to 58%)

“The effort gap may reflect that internal audit is failing to adapt quickly enough to changing needs,” IIA said in its survey report. “It also suggests that there is a potential misalignment between risk priorities and the audit plan.”

Identifying obstacles to addressing cybersecurity risk, about half (51%) of survey participants said a lack of cybersecurity expertise among internal audit staff had a significant or extremely significant effect.

Almost half (43%) said the same about both a lack of cooperation or communication from the IT department and a lack of support from executive management.

Survey results make it clear that “internal audit is making slow progress in hiring, availing itself of third-party expertise, or training staff who can provide valuable independent assurance in this risk area,” IIA said.

The report offered some advice for CAEs. It said they should:

1. “Report to the audit committee any progress — or lack thereof — in building cyber skills within the function and the reasons why. Candid discussion with the audit committee about where audit coverage is either inadequate or skill sets are lacking is the only way to prompt changes in those conditions.”

2. “Alert the audit committee and management of any cybersecurity effort gaps. This means CAEs must document the reasons effort gaps exist, including insufficient resources for co-sourcing or outsourcing, misaligned audit plan priorities, and any real or perceived disconnect with IT.”

3. “Invest more time in building relationships/partnerships with chief information security officers and chief information officers. Lack of cooperation from IT may reflect a weak relationship or concerns about internal audit’s lack of cyber competence.”

4. “Invest more time in educating their teams about cybersecurity, including developing an in-depth understanding of the frameworks commonly used in cybersecurity, such as NIST CSF, NIST 800-53, and ISO/IEC 27001.”

5. “Consider co-sourcing as a viable option, when in-house skills are not adequate.”

6. “Look for opportunities for their staffs to perform basic cybersecurity auditing with support from IT that does not require cyber expertise.” Such opportunities include: “identifying the organization’s most significant assets in need of protection; testing insider threat controls; and evaluating processes and structures designed to protect against accidental or inadvertent disclosure of organization information.”

Meanwhile, the survey exposed some other areas of lax attention to risks. For example, almost half (48%) of those surveyed said their organizations are making only ad hoc, weak, or non-existent efforts to monitor third-party service providers. And just 9% of participants rated such efforts as “strong.”

Also, only 30% of the survey base reported that they use advanced data analytics to identify and assess emerging and atypical risks. Yet almost half (43%) said they are no more than moderately confident in internal audit’s ability to identify and assess such risks.

Finally, 57% of those surveyed said they rarely or never discuss with the board or management the accuracy, completeness, timeliness, truthfulness, or transparency of the information internal audit supplies to the board.

“The challenges internal auditors face today — complex, accelerated, global — will require agility, innovation, and effective dialogue with the board and executive management,” IIA said in its conclusion to the report. “For internal audit to find its place in this brave new world, practitioners must raise their voices.”