Improving risk-assessment processes and enlarging internal audit’s focus to encompass broader organizational risks that have business relevance are top priorities of chief audit executives, but a large majority think that to do that, their internal-audit functions need upgrading.
In a July Ernst & Young survey of 695 global chief audit executives, 80% said their internal-audit functions related to risk management have room for improvement, and 70% believe those improvements should be undertaken within the next 24 months.
“The survey points out clearly that the governance structure and risk management of a company drives long-term performance,” Brian Schwartz, Ernst & Young Americas internal-audit leader, says. “And the internal-audit function itself is a critical part of the risk-management framework.”
Still, it could be a more vital piece of the framework. While internal-audit’s job is not to manage risk but to help an organization understand risk and to examine risk-management processes, internal audit does need to work more closely with risk management, for example.
“We’re encouraging the auditing function to get together with risk management and share resources, because coordination is critical. They need to address risks holistically,” says Schwartz.
Internal-audit’s function differs from company to company, however. “Sometimes the audit function actually audits the enterprise risk management (ERM) process and sometimes audit is a catalyst to get the ERM framework going in a company,” Schwartz says.
Regardless, internal-audit teams are now regularly focusing on a broader set of risks, the survey found. Strategic and operational risks are competing for center stage with more traditional areas such as internal controls and Sarbanes-Oxley compliance, Schwartz says.
The chief audit executives surveyed said their teams now play a more prominent role in strategic organizational initiatives such as:
• Major capital projects (49%),
• IT systems implementations (42%),
• Mergers and acquisitions (37%), and
• Material contracts (32%).
It’s no surprise that audit chiefs believe they need to add competencies to their team beyond traditional technical skills to tackle their broader role. Fifty-four percent of the audit chiefs surveyed, for example, said they have a plan to increase the business or industry acumen of their staff.
As stakeholders inside companies seek more cross-functional coordination on risk, internal audit also has to improve its communications to executive management and other departments. The E&Y survey found that 46% of respondents perform only annual updates or no updates at all to their risk-related audit plans. That can leave a company unprepared for events that arise throughout the year, like new product launches or retirements, new market entry, and litigation.
While audit plans used to be “set in stone,” the trend now is to take periodic “fresh looks” at them, says Schwartz. “Risk profiles change as companies make acquisitions or move into emerging markets,” he points out.