Today’s dynamic business environment is a result of customer, technology and regulatory changes. New regulations have added to an already lengthy compliance activity slate, and more regulations keep coming. With limited internal audit resources, compliance requirements often take top priority. If internal audit departments are utilizing a disproportionate amount of resources on compliance activities, there could be significant lost opportunities for value-added governance, operational, strategic and IT audits. The dilemma many chief audit executives face is how to continue adding strategic value given the current compliance-heavy environment. I believe the solution is not to leave compliance behind in place of focusing on strategic and/or operational areas, but instead to understand how you can leverage compliance activities to add value. With the focus firmly on compliance for the foreseeable future, internal audit’s challenge is to get as much value out of its compliance activities as possible. This is not necessarily a bad thing. In Grant Thornton’s 2014 Chief Audit Executive Survey, 45 percent of respondents felt that the impact of regulation on their organizations was improving their governance and rigor of testing1. So the question isn’t about decreasing — or even balancing — compliance activities against other priorities. It is increasingly about how to wring the most value out of testing so that other important risks are simultaneously addressed through compliance. To meet all key risks, the internal audit plan must become more holistic and efficient — internal audit activities simply can’t be segregated as distinct goals anymore for planning purposes. If any risk area is left on the table, it creates more risk for the organization as a whole and puts the internal auditors in a precarious position. CAEs therefore must find a path to success through efficiency and using the right mix of tools and strategy to get the most out of compliance activity.
Maximizing Current Resources
A critical piece of internal audit efficiency is fully utilizing existing resources. Internal audit departments are not identical, so you must determine the right mix for your organization. Consider the following options:
Leveraging control testing across multiple compliance areas — the “one-to-many approach” — is slowly taking hold. Since last year’s survey, we’ve found 54 percent of respondents indicating they have found ways to implement one-to-many, up from 49 percent. The approach isn’t easy to implement, and internal auditors may be tied to the idea that they must silo the control testing for accuracy. I challenge CAEs to at least take another look at the possibility. Intuitively, “killing two (or more) birds with one stone” is a clear path to efficiency gains, although not an easy one.
Effectively Leveraging Technology
Another path to efficiency gains may be through technology. Allocating an appropriate amount of scarce budget dollars to technology may be a challenge, but the payoff in efficiency gains may quickly offset costs. In the survey, 29 percent of respondents reported that their companies are using GRC-specific technology, up from only 23 percent in last year’s survey. While adoption numbers have increased, however, only 22 percent of respondents believe their organizations effectively leverage GRC technology. Significantly, 36 percent don’t feel their organizations effectively leverage GRC technology.
Sixty percent of survey respondents reported using data analytics to enhance the internal audit function. CAEs also reported that they used analytics for such other tasks as forensic analysis, predictive analytics and performance measurement. Since these resources are in place, the question is about fully using their capabilities and moving beyond basic analytics into more advanced realms of prescriptive and predictive analytics2. This swiftly evolving field holds major potential for internal audit organizations looking for efficiency and accuracy in choosing testing targets. Data analytics are here to stay. Fully embracing this evolving discipline can be a critical differentiator for internal audit.
The Talent Gap
Part of the equation of getting the most out of an organization’s compliance work is about the people who are doing the work. In fact, for 40 percent of survey respondents, “talent quality or capacity” was seen as a barrier to delivering the greatest value. Internal audit leaders have an ongoing opportunity to upgrade staff skills. When asked to list their top three goals for the internal audit organization in the next 12 months, a solid amount of survey respondents listed “build talent and skills,” making it the third choice in a close category.
Third-party risk is a topic that is getting major attention from regulators. With billion-dollar settlements being paid out, particularly in the banking industry, it makes sense to thoroughly test any area relating to third parties in any industry. Third-party risk information can feed into GRC efforts, which include the formulation of the internal audit risk universe and annual internal audit plan. When asked if third parties have the potential to impact their organization’s growth, 22 percent of survey respondents felt it was a highly significant risk, a major rise from just 14 percent last year. When asked which risk areas were included in their audit plans, 66 percent of respondents said third parties were currently in scope. Maximizing the use of current resources in this case means the opportunity cost of avoiding regulatory action by building and adhering to a solid internal audit approach around third-party risk.
Less budget for value-added activities due to expanding regulatory requirements means CAEs have additional pressure to work harder and smarter to keep their internal audit organizations moving ahead. It can be done, but significant change means taking significant action. Leveraging current resources means understanding the universe of options and making realistic choices that will move your organization forward. This process is highly company-specific and can be challenging. With the array of available tools, there are solid opportunities for moving forward, however. Internal audit is still an important strategic contributor for any organization. Taking a closer look at technology innovations, analytics, staff training, supplemental specialized resources and any of the other tools available to CAEs is important in embracing this new paradigm, as regulatory expectations will only expand.
1 Read the survey report at grantthornton.com/caesurvey.
2 For more information, see Grant Thornton’s white paper, Prescriptive analytics: Winning in a competitive environment, available at grantthornton.com/issues/library/whitepapers/advisory/2014/BAS-prescriptive-analytics.aspx.