Chief Audit Execs: Internal Audit Can Do Better
The degree of dissatisfaction registered by the respondents was notable considering that they were to some extent pointing a finger at themselves
|Wednesday, March 6, 2019|
By David McCann for CFO.com
CAEs say their function doesn't make adequate efforts in communicating with the board and management, among other shortcomings.
In this time of fluid dynamics around disruptive technologies, geopolitical uncertainty, and threatening global economic conditions, optimal performance is a moving target for every business function.
Nowhere is that more evident than in the internal audit function. Most chief audit executives (CAEs) see significant gaps between existing performance levels and those they wish to attain.
The Institute of Internal Auditors (IIA) surveyed 512 audit managers and directors, including 447 CAEs. The degree of dissatisfaction registered by the respondents was notable, given that they were to some extent pointing a finger at themselves.
With respect to the top area of concern for CAEs, cybersecurity, 53% of survey participants said their organizations are putting forth “extremely significant” or “significant” effort to “communicate to executive management and the board the level of risk to the organization and efforts to address such risks.”
But while they don’t expect anything to be perfect, on average the respondents indicated they’d be happy if that figure reached 80%.
Similar gaps in current-vs.-desired effort levels relating to cybersecurity were found for:
Identifying obstacles to addressing cybersecurity risk, about half (51%) of survey participants said a lack of cybersecurity expertise among internal audit staff had a significant or extremely significant effect.
Almost half (43%) said the same about both a lack of cooperation or communication from the IT department and a lack of support from executive management.
Survey results make it clear that “internal audit is making slow progress in hiring, availing itself of third-party expertise, or training staff who can provide valuable independent assurance in this risk area,” IIA said.
The report offered some advice for CAEs. It said they should:
Meanwhile, the survey exposed some other areas of lax attention to risks. For example, almost half (48%) of those surveyed said their organizations are making only ad hoc, weak, or non-existent efforts to monitor third-party service providers. And just 9% of participants rated such efforts as “strong.”
Also, only 30% of the survey base reported that they use advanced data analytics to identify and assess emerging and atypical risks. Yet almost half (43%) said they are no more than moderately confident in internal audit’s ability to identify and assess such risks.
Finally, 57% of those surveyed said they rarely or never discuss with the board or management the accuracy, completeness, timeliness, truthfulness, or transparency of the information internal audit supplies to the board.
“The challenges internal auditors face today — complex, accelerated, global — will require agility, innovation, and effective dialogue with the board and executive management,” IIA said in its conclusion to the report. “For internal audit to find its place in this brave new world, practitioners must raise their voices.”