However, according to survey respondents, before internal audit reaches for new heights, it must keep pace and continue to evolve its focus. Internal audit must also significantly improve its performance or risk losing relevance as other internal risk functions become more vital contributors in the risk management area.
Representing 18 industries and 60 countries, nearly 1,100 chief audit executives and more than 630 stakeholders, including CEOs, audit committee chairs, other board members and senior finance and risk managers, took part in this year’s survey. Participants contributed their views on today’s critical risks, the role they expect internal audit to play in addressing them and the performance of their enterprises’ internal audit function.
“Our survey shows that 80 percent of respondents believe threats are increasing, yet only 12 percent think their own organization manages risk extremely well," said Dean Simone, Leader of PwC’s U.S. Risk Assurance practice. “As risks increase, internal audit’s coverage of risk and performance in emerging areas is critical, which provides internal audit with an ideal opportunity to demonstrate the value of the evolving profession. Internal audit must then aggressively increase its capabilities and add true value in risk areas most critical to the organization."
The study reveals that organizations have more work to do to align stakeholders’ expectations and approach on coverage of critical risks, providing an opportunity for internal audit to deliver value outside of the traditional focus areas. Compared with management, board members are more likely to believe there are more risks and that they are growing faster, posing greater threats than there were a year ago.
“Audit committees and management expect more from internal audit, providing a huge opportunity for internal audit functions to be relevant contributors to protecting stakeholder value and the business from the most critical risks," said Jason Pett, Internal Audit Services Leader for PwC. “However, for internal audit functions to maximize their value to the organization, they must ensure alignment on multiple levels. There must be clear understanding and alignment of stakeholder expectations, alignment of internal audit focus on the highest risk areas and alignment of internal audit capabilities to the needs of today and those emerging needs of tomorrow. Only then can internal audit contribute to the organization in a way that establishes relevance and value in the eyes of all key stakeholders."
Companies are raising the bar on performance to contend with the ever-changing risk landscape, but are not raising the bar on internal audit at the same pace, according to PwC’s survey. In addition, stakeholders are requesting increased capabilities with internal audit’s contribution in emerging risk areas such as large program assessment, new product introductions, capital project management and mergers and acquisitions.
“Those with the right plan, appropriate resources and capabilities that are aligned with what stakeholders expect, will be recognized for their contribution. They will see increased access within the organization, and more opportunities to demonstrate value. As a result, they will multiply the value internal audit delivers," said Abhi Aggarwal, a principal in PwC’s Risk Assurance practice.
PwC’s survey indicates that high performing internal audit functions have excelled in four important areas. They demonstrate significantly stronger foundational capabilities, coordinate with their organization’s governance, risk and compliance activities, more effectively incorporate emerging risk into audit areas and partner with those they serve by providing proactive advice and actively engaging with management in organizational initiatives. To help reach these new heights, PwC outlines the key steps audit committees, management and chief audit executives can take to enhance the value internal audit can and should deliver to organizations:
Audit committee: Ask more questions
Most audit committees consider oversight of risk management to be a primary responsibility. However, they should ask if the internal audit’s actions align with critical business risks and if internal audit has established a clear, strategic plan to raise capabilities and deliver value.
Management: Expect more
Management teams should require their organizations to have a strong enterprise-wide risk assessment process, enabling management, internal audit and the board to have a productive and transparent discussion about risk management. Management should expect internal audit to have the skills necessary to contribute value in key risk areas.
Chief audit executives: Deliver more
Chief audit executives should have a strategic vision that aligns to stakeholder expectations, including an investment strategy such as investing in the right resources. They must also be prepared to respond, or proactively engage, in conversations with the board and management about the internal audit’s performance.
There are opportunities for internal audit to demonstrate a more valuable contribution, but to do so, not only must every stakeholder have a role in helping internal audit move in the right direction, but there must be a well-thought plan and well-charted course. “Chief audit executives must get prepared, close performance gaps, and raise the bar on itself. Whether that is by increasing capabilities in new and emerging risk areas or delivering a greater level of service within those more traditional areas, the time is now for internal audit to take decisive action to strengthen their core performance and capabilities, resulting in value added contributions," continued Pett.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.