
PwC reports on the state of the internal audit profession – their opinion

I added the phrase ‘their opinion’ to the end of the title, because while PwC always reports what respondents say, it is understandably difficult to do so without bias. PwC has always had a perspective to share, and frankly I always look forward to hearing it – whether I agree with it or not.

You can download the 2012 (8th) edition of this report here.

I recommend you skip past the highly questionable statement at the beginning, that businesses are facing more risks than ever before (I suspect they are just more aware of the risks, rather than that the number of risks has grown in the last year), to the substance.

For example, they make this statement which is not only true but essential to understanding the speed of business and the required speed and relevance (in my opinion) of internal audit:

“With global trade, supply chains, and financial markets all intricately linked, risks become apparent quickly, unexpectedly, and with significant impacts on company operations, reputations, and even survival.”

PwC echoes my view that internal audit has to change:

“Stakeholders and CAEs alike have recognized that in order for internal audit to be effective in supporting organizational risk management efforts, the minimum standard of performance has to rise. In today’s ever-shifting risk landscape, internal audit can’t settle for simply reacting to events; instead, it must adopt a strategic mindset that is responsive to risks and helps ready their organizations for new threats and opportunities.”

The report includes this very important observation:

“…on average less than half (45%) of those surveyed told us that they are comfortable with how well their most critical risks are being managed— despite the fact that 74% of those surveyed have formal enterprise risk management (ERM) processes in place.”

But, rather than pointing out that internal audit teams need to assess and help improve risk management programs, PwC has focused on telling internal auditors to improve their understanding of the “organization’s risk landscape”.

Isn’t the point that perhaps the greatest risk to an organization’s success is their failure to understand and address risks – in other words, that they don’t have effective risk management? A case can be made that internal audit has a great opportunity to add value by being a catalyst for improving risk management frameworks, processes, and understanding!

PwC positions internal audit as “having an important role to play in monitoring their organizations’ top risks”. That seems dangerous to me: I strongly believe that it is a management role to monitor, report, and respond to risk. Internal audit’s role is to provide assurance that those processes, including the controls relied upon to manage risks at acceptable levels, are designed and functioning as needed.

The report has a useful section, with a chart, that lists risk areas that don’t get sufficient attention from internal audit. I would have included these, in addition to risk management:

  • The effectiveness of governance processes, including oversight of risk management
  • The quality and timeliness of information used to run the business – at speed

One section of the report that I like is where PwC describes (with a nice illustration) a “new floor for internal audit”. In particular, I agree with this statement:

“But risks have shifted and expectations have risen, and all internal audit functions need to rise to this new floor: providing assurance on a broader range of critical risks and clearly communicating deeper insights, all while staying in complete alignment with stakeholder expectations.”

An area for concern is that the study identified that only 55% of internal audit functions are building their audit plan based on a top-down, risk-based process that focuses on critical risks to the organization. That is not (either in my or PwC’s opinion) the path to success.

There’s a lot of good content in the report and I strongly recommend downloading and spending time on it.

What are your takeaways?


By the way, did you respond to the survey on whether COSO or ISO is a better risk management standard/framework? The direct link is here.

  1. March 22, 2012 at 1:16 AM

    Norman, a good review of a generally good report. It does however have a number of points which I am concerned about. First, on page 12 it belies the external audit provider of internal audit issue of first priority is internal financial control. Why? No company ever failed from weak financial control. It fails because of a business failure which is then either covered up or not addressed through financial control much later. Second, I am not keen on the three lines of defence model. Assurance is more miscible between internal audit, management and third parties. Third, the exhortation to focus on business risk – this is not new and a bit depressing that it needs to be said. Fourth, on page 20 the idea that objectivity could be a barrier to business partnership is strange. Does being objective mean that you cannot work with others? Strange. Fifth, my pet hate. The split of advisory and assurance. They are practically one and the same thing. The idea that a value-added suggestion is somehow not audit is not correct and bizarre. Sixth, simpler reporting. Another pet hate. I am a board member and I want reports that are well written and focused, but not simpler reporting. I want more meaningful reporting which avoids tick box, traffic light, meaningless nonsense so many auditors produce. Seventh, and then the final point. The solution to all of these problems is to outsource provision (to PWC?). Of course as a CAE I should seek additional specialist resources when and where needed, and do. But the firms are to some extent populated with audit generalists. Where are the specialist architect auditors or surveying auditors, or HR auditors? There seems to be a choice of specialists or audit trained generalists. Perhaps that is the real market gap?

    • Norman Marks
      March 22, 2012 at 6:12 AM

      Nicely said. I agree with your points, although I can see a difference between consulting services and assurance – although both provide assurance, one is more formal.

  2. March 22, 2012 at 10:06 AM

    I agree with all of the points made by Norman. The most important point in my view is the strong belief that it is a management role to monitor, report, and respond to risk. Internal audit’s role is to provide assurance that those processes, including the controls relied upon to manage risks at acceptable levels, are designed and functioning as needed.

  3. pravin kumar
    March 23, 2012 at 11:14 PM

    Hi Norman,
    In my view, the role of Internal Audit has changed in today’s world from Assurance provider to proactive partner in Risk mitigation efforts. This is what PWC is trying to portray.

  4. Khanh Vuong
    March 30, 2012 at 11:01 AM

    Norman,

    In the PWC study, they said that one of the areas that don’t get sufficient attention from auditors is “competition”. My question is HOW does one perform an audit of management’s controls regarding competition?

  5. Norman Marks
    March 30, 2012 at 11:03 AM

    Khanh, I think they are referring to risk arising from competition, and management should have processes in place to monitor and respond. Does that make more sense?

  6. Khanh Vuong
    March 30, 2012 at 11:08 AM

    I can understand processes in place to monitor and respond to competition (and most if not all banks do this), but what kind of risk measures would be appropriate when it comes to competitive threats? Short of naming the usual financial ratios of ROA, etc.

  7. Norman Marks
    March 30, 2012 at 11:15 AM

    Khanh, when I was running risk management at Business Objects, I had management assess the likelihood and potential impact of different actions by competitors (including those who would be new to the market and as yet identified) such as IBM, Oracle, Hyperion, and so on. At Maxtor, competition was a major issue and we monitored very closely the new products from our competitors, what they were doing with supply chain (we shared a major vendor for a critical component), and so on.

    When you say risk measures, you are talking about some form of rating? I would either use a financial impact rating (such as potential impact on revenue or profit), convert it to a qualitative measure (high, medium, low), or focus on whether the risk is higher than my risk criteria/appetite.

    Are we getting closer?

  8. Khanh Vuong
    March 30, 2012 at 11:40 AM

    I am aware of these risk management processes, but what exactly is the role of an auditor on these processes – what would auditors be opining on?

  9. Norman Marks
    March 30, 2012 at 11:43 AM

    The auditor is assessing management’s process for managing the risks. So, before I started the risk management function at Business Objects, monitoring competitor actions was very informal and lacking in (a) rigor and (b) frequency of update. An audit might have identified that.

    I know of one company that only monitors known, large competitors and is blind to emerging competition. Again, an audit might identify flaws in management’s processes.

  10. Khanh Vuong
    March 30, 2012 at 12:11 PM

    Norman, this sounds more like the job of a risk manager rather than an auditor.

  11. Norman Marks
    March 30, 2012 at 2:25 PM

    The auditor’s job is to assess management’s processes for governance and risk management, including the related controls. So auditing risk management processes is absolutely something an auditor would and should do.
