In the eyes of CFOs and many other senior executives and board members, the internal audit function is fast losing prestige, a new study suggests.
The reason? Most internal auditors are slow to help their employers prepare for and respond to major corporate “disruptions” like big regulatory changes and cyber attacks, according to PwC’s 2017 State of the Internal Audit Profession Study.
The portion of “stakeholders” — internal auditors, senior executives, and board members — reporting that “internal audit adds significant value” plummeted from 54% in 2016 to 44% in 2017, reaching the study’s lowest level in the five years PwC has been tracking the metric.
Of the 1,900 stakeholders responding to this year’s online survey, 58% were internal audit leaders and their direct reports and 42% held management or board titles. Of the latter, 160 were CFOs, according to a spokesperson for the company.
A key reason that so many stakeholders of the internal audit function — including, apparently, many internal auditors themselves — feel that internal audit isn’t adding significant value is that they’re slow to anticipate the huge changes affecting businesses these day, according to Mark Kristall, a PwC partner and an author of the report.
Such IA departments “aren’t keeping up with the pace of change,” he said. They only become involved “after the disruption has already happened and affected the organization.”
For his part, Richard Chambers, president and chief executive officer of The Institute of Internal Auditors, characterizes the steep descent in stakeholders’ notions of the value of internal audit is part of the “ebb and flow” of the percentage over the four years that PwC has asked the question. Thus, he noted, it was 54% in 2014 and 48% in 2015, before rising again to 54% in 2016 and dropping to its nadir of 44% this year.
“I’m not particularly troubled by a one-year fluctuation,” says Chambers, who points out that he worked on the survey while serving as national practice leader in internal audit advisory services at PwC until 2009.
“Stakeholders, like consumers, tend to vote with their wallets,” he adds. “If I look at what stakeholders are doing in terms of investment in internal audit, I would have to say that they are continuing to invest resources.”
Chambers cited a recent IIA study that found that 30% of 538 internal auditors expect their staff size will grow 30% in 2017, the highest percentage of growth forecast in the study in the last five years. “If almost one in three internal audit departments are getting more staff, that’s usually a pretty good indication for me that they are serving the needs of their stakeholders, and that those stakeholders are investing yet more to enhance that service to even the higher level,” he says.
Defining Disruptions
The PwC study’s authors define “disruptions” as “significant, quickly developing, and potentially unplanned or unanticipated events that create risk and potential opportunity, demanding the attention and resources of the business.”
These events “are no longer episodic,” according to the authors. “In fact, they are constant, ranging from disruptive innovation that creates a new market, to economic volatility, regulatory changes, or even a catastrophic event,” they write.
Asked to name five disruptions their businesses are facing, 58% said “new regulation”; 44%, “changes in business model or strategy”; 37%, “cybersecurity and privacy monitoring threats”; 36%, “financial challenges”; and 34%, “technology advancements.”
Noting that the most significant disruptions can vary by company or industry, Kristall said that, for example, the hospitality and taxi and car service industries have recently been facing the likelihood of significant regulatory change.
Just a few years ago, the core competition for hotel chains were other hotel chains. Now, these chains are being challenged by apps that direct users to accommodations in people’s homes. Similarly, taxi companies are being challenged by private drivers summoned by mobile apps. At the same time, the public is looking at these new players to determine “what regulations we need” to govern them, Kristall said.
Internal auditors “have to understand the regulatory environment to provide value back to stakeholders,” he added.
Most respondents who felt that internal auditors weren’t consistently responding well to disruptions felt that the biggest barrier internal auditors face in providing such value is “a lack of subject matter knowledge to address disruption,” according to the study.
Some companies are coping with shortfalls in internal auditor subject knowledge on a project basis by using “guest auditor programs,” according to Kristall. Such companies might consider shifting their supply chain experts to serve temporarily on internal audit teams, for instance, he said.
A more long-term approach involves rotating subject matter experts into internal audit departments, the consultant said, noting that some internal audit organizations use outsourcing to fill the knowledge gap.
Overall, an internal auditor needs to become a “strategic partner” to management rather than the corporate “police officers” they’ve traditionally been, according to Kristall. Speaking of a major disruption, “if an internal auditor is finding about it after the fact, it’s too late,” he said.