Disconnect between audit committee and audit executives, survey shows

Chief audit executives and audit committee members see internal audit priorities differently, according to an annual Grant Thornton survey.

CAEs and audit committee members have differing views on the importance of several risk types. They also don’t see eye-to-eye on where internal audit can deliver the most value, according to the report.
 
Audit committee members ranked financial risks first in a list of four focus areas. CAEs who were asked the same question ranked compliance risks first and financial risks third of the four. The full lists for each:

Audit committee
Financial risks
Compliance risks
Operational risks
Strategic risks

CAEs
Compliance risks
Operational risks
Financial risks
Strategic risks

CAEs believe they can add the most value through identifying improvement opportunities, mitigating risk, increased efficiency, stronger corporate governance, and stronger financial controls compliance.

Audit committee members, however, placed a stronger emphasis on financial controls compliance, ranking it second behind mitigating risk as an area where they want internal audit to deliver value.

Grant Thornton’s report recommends ongoing discussions about priorities to overcome the barriers that may prevent internal audit from delivering maximum value. CAEs cited the following barriers: budget constraints (60%), talent quality or capacity (47%), focus heavily weighted to compliance (43%), perception of internal audit within the organisation (40%), organisational politics (40%).

The compliance focus

The compliance category in the report included regulatory compliance, financial controls compliance, and Sarbanes-Oxley compliance. The report said many companies are mired in compliance initiatives, meaning that providing advice in addition to assurance can be difficult.

Still, that focus may be changing, according to another survey, which showed that nearly half of internal audit stakeholders expect internal audit to move out of its traditional assurance role into a more advisory role in the next five years.

Grant Thornton’s report offered five ways that companies can optimise compliance activities, which can offer more chances for activities that add value.

• Leverage control testing across multiple compliance areas in a “one-to-many” approach. Testing once but reporting on multiple compliance requirements can allow organisations to streamline such testing, meet more regulatory requirements, and provide a framework for long-term compliance. The report said 86% of those who have found a way to implement the one-to-many model can do so with up to 50% of their control testing.
• Use governance, risk, and compliance technology and data analytics for more automated and predictive control monitoring and reporting activities. More respondents this year (32%, compared with 22% in 2014) say their organisation effectively employs such technology. The main value for the 47% who say they’re using data analytics tools is that their internal audit process is more efficient.
• Implement the 2013 update of the COSO Internal Control framework. The survey said that 25% of respondents said they had no plans to switch to the new framework in the next year, and 21% said they didn’t know whether they were going to adopt the new framework.
• Leverage an enterprise-wide view of risks and controls. CAEs and audit committee members said it was a high priority at their organisations to integrate operations with business strategy and to refine the existing approach to enterprise risk management.
• Understand potential enhanced first and second lines of defence control activities. The Institute of Internal Auditors published a model for enhancing communication about risk management, listing, in order, the lines of defence as operational managers, risk management and compliance functions, and internal audit. James DeLoach, a Protiviti managing director, said companies can think of risk management as having five lines of defence, the first being the organisation’s risk culture and the last, after internal audit, being a company’s escalation process.

—Neil Amato (namato@aicpa.org) is a CGMA Magazine senior editor.