Risk management provides new opportunities for internal auditors

Internal auditors have an opportunity to expand the value they bring to businesses by playing a larger role in risk management, according to a recent survey.

Business leaders want more involvement from internal auditors as a key component in managing risks, a  PwC study on the state of the internal audit profession shows.

In the report, “Aligning Internal Audit: Are You on the Right Floor?”, 45% of respondents said the majority of their critical risks are well-managed. The survey polled 870 chief audit executives (CAEs) as well as a total of more than 660 “stakeholders” – executives, audit committee chairs and board members – on the internal audit function.

Sixty-five percent of stakeholders said they want internal audit to play a more substantial role in monitoring risks. The most-requested area for more involvement was data privacy and security, where 46% of stakeholders said they want internal audit to add capabilities.

Jason Pett, PwC’s US internal audit services leader, said this creates an opportunity for internal auditors. “They need to be able to provide real, valuable points of view, incorporating perspectives into both assurance-type work and consulting/advisory-type work, and really be forward-looking,” he said during a webcast discussing the report.

A changing business landscape is helping fuel this focus on risk management. Eighty percent of respondents in the survey said risks to their organisation are increasing. Nearly 75% said economic uncertainty is their biggest risk, but financial markets are considered organisations’ best-managed risk, with 63% saying that risk is managed well.

Data security threats, mergers and acquisitions, and increased regulation are other areas of significant risk faced by businesses, the survey says. The survey found the respondents believe their most poorly managed risk is talent and labour.

Pett said that seems surprising because a high unemployment rate would seem to indicate that there’s a wealth of talent available to businesses that need it. But he said businesses leaders believe that the workers available in technical, engineering and product-development positions aren’t necessarily the right ones to lead them into the future. Barry Ward, CFO of Maryland insurance company Fidelity & Guaranty Life, said it can be helpful to include talent and labour metrics in a company’s risk management dashboard.

“Most companies consider people to be their most important asset,” Ward said during the webcast.

The report says internal auditors need to provide new competencies to help companies manage some of these risks. The report suggests that internal auditors think and act strategically, deriving audit activities from a top-down risk assessment. The report also advises auditors to simplify reporting with concise reports clearly linked to business risks.

A full understanding of the business and its initiatives is necessary for internal auditors to function capably in this realm, according to the report. And building relationships with the right people helps internal audit deliver valuable information in a timely fashion.

“You don’t just wait for the board meeting,” David Burritt, Lockheed Martin’s audit committee chairman, said during the webcast. “You make sure you can call the audit committee chair at any time.”

Barriers could prevent internal auditors from adding risk management functions to their duties. The report says there can be cultural and organisational resistance to accepting internal auditors as something more than police on the lookout for policy offenders. CAEs also struggle to find people with the skills needed to handle complex issues, according to the report.

Despite the report’s focus on risk management, stakeholders still ranked auditing of financial controls and compliance as their first expectation of internal auditors.

Burritt said internal auditors need to make sure they don’t take on additional duties, unless they are handling their current duties well and possess the requisite skills in the new functions they wish to pursue.

“There’s nothing worse than overreaching when you’re not ready to do that,” Burritt said.

If internal auditors are ready, though, the report shows that there is an opportunity and a desire for them to make bigger contributions and increase their relevance.

“We need to provide insight,” Pett said. “We need to align our talent with the risks of the business.”

—Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine senior editor.