What Is the Future for Internal Audit?
CAEs face a multiplicity of urgent challenges, including new legal/regulatory requirements, increased enforcement activity, changing and incompatible stakeholder expectations, increased sensitivity to risk incidents, faster risk velocity, and greater public scrutiny of incidents. Yet headcount is flat and short-term improvement initiatives, while worthwhile, don’t replace the need for a longer-term vision and strategy.
What’s the problem?
CEB’s 2012 benchmarking studies have shown that Internal Audit (IA) headcount has, on average, remained flat for the fifth year in succession. However, Chief Audit Executives (CAEs) continue to face a multiplicity of urgent challenges, including:
- Companies expanding into new territories and launching products
- New legal or regulatory requirements or increased enforcement activity
- Increased, changing, and incompatible stakeholder expectations
- Heightened sensitivity to risk incidents, faster risk velocity and greater public scrutiny of incidents
- Absence of a coherent view of effective corporate governance
- Varied potential roles for Internal Audit – from compliance monitoring to business partner / advisor or from traditional audits to strategic risk assurance
As a result, every year CAEs have short-term improvement initiatives to address issues that are particularly urgent in the moment, but do not contain a clear longer-term goal. In isolation, each initiative is worthwhile, but the execution occurs in the absence of a longer-term vision and strategy.
Is the problem going to change?
The operating situation for many CAEs could become more stable and predictable because:
- There are now similar laws, regulations, and listing requirements in the major economies,
- Companies have greater knowledge of the operating environment in their newer markets,
- Key risks (see below) remain common, interconnected, and enduring:
1. Talent management
2. Regulation compliance
3. Data security and IP protection
5. Sustainability of their business model and supply chain
- Companies are improving the quality of their Board & Audit Committee oversight by upskilling the people involved and improving the flow of information they receive,
- CAEs and their companies have projects in play to improve the quality of their first and second Lines of Defense (LoD).
What do most companies do?
Most CAEs launch a project or two each year to improve the quality of some aspect of their department function, typically, audit activity or value delivered. Normally, these projects focus upon ERM first or second LoD improvements (moving IA into advisory or strategic auditing, introducing data analytics, or improving the audit talent pool) one dimension at a time.
However, we see that separate projects running sequentially demonstrate little apparent clarity over the longer-term goal. Further, the thinking around the development of IA appears to be disconnected from other projects led by General Counsel, Company Secretary, Compliance, and Risk Manager or those required by external bodies.
CAEs often refer to their external audit firm and IIA for guidance on the vision of the future. All of these organizations have published a paper this year on the future of internal audit. While these perspectives show some insight into the possible future of audit, they are without a clear connection to the wider issues.
What do leading companies do?
We are starting to see some leading companies create a more coherent vision of corporate governance including the role of IA. Companies with a coherent vision of corporate governance collaborate with other functions to:
- Build a coherent view of their desired corporate governance and risk management framework including committees, policies, roles, information flow, checks & balances.
- Ensure they have an open management style with transparent flow of key information and a strong, positive, supportive corporate culture
- Build an active, engaged, skilled, motivated and visible first LoD that genuinely takes on its responsibilities for risk management
- Ensure the second LoD is coordinated and effective with common vocabulary, taxonomy, shared information, and coordinated activity
- Leverage technology to monitor performance, report breaches, and flag trends and variances that will automatically prompt action by the appropriate team
- Identify the optimal mix of compliance and advisory roles for IA, paying close attention to the appropriate team size, skills, methodologies and culture of the organization