Home > Risk > Ernst & Young says the future of internal audit is now – and they are right

Ernst & Young says the future of internal audit is now – and they are right

September 17, 2012 Leave a comment Go to comments

A July 2012 publication, The future of internal audit is now: Increasing relevance by turning risk into results is another rallying cry for internal audit to provide assurance on what matters now to the business. (I prefer this expression to ‘risk-based auditing’, because it more clearly says that internal audit should focus on the risks on the agenda of today’s meetings of the board and executive management team.)

They provide some interesting and revealing insights into current practices. While more people are boarding the bus, there are still a lot of empty seats!

EY’s results are based on a survey of board members, top executives, and heads of internal audit (CAEs). Unfortunately they haven’t said whether there was a divergence of answers between the groups.

“In the survey, 75% of respondents believe strong risk management has a positive impact on their long-term earnings performance. An equal number believe that their internal audit function has a positive impact on their overall risk management efforts. And yet, 80% of respondents acknowledge that their internal audit function has room for improvement. Of these respondents, 70% believe that the improvements should be undertaken within the next 24 months.”

Not only does this express a sense of urgency, but it shouts for concern that a full 25% do not believe risk management is adding value, and the same number are saying internal audit didn’t help.

EY asked about the top priorities for internal audit.

  • The #1 answer was improving risk management, and #2 was monitoring emerging risks.
  • #3 was damning – “becoming more relevant to achieving the organization’s business objectives”.
  • Reducing cost ranked higher, at #4, than identifying cost savings for the business (#5).

The authors say, and explain with a fine graphic:

“Based on previous research and our own experience, we believe that companies with more mature risk management practices outperform their peers financially. To truly focus on the risks that matter, create value and help the organization achieve its objectives, internal audit needs to focus on aligning its own strategy to that of the overarching organizational strategy.”

There’s a lot of good stuff in this publication and I recommend that board members, CFOs, and CAEs all read and consider it carefully. I like the way EY concluded:

“Ernst & Young’s global internal audit survey results confirm that the future of internal audit is now. Nearly three-quarters of respondents believe that internal audit has a positive impact on the organization’s overall risk management efforts. But an even larger majority believes that internal audit can do more — and wants them to do it within the next two years.

Internal audit functions can turn risk into results and become more relevant to the business by:

  • Using the organization’s overarching business strategy to identify the risks that matter most and set the tone for an internal audit strategy
  • Developing an internal audit-specific strategy with a three- to five-year time horizon that focuses on stakeholder expectations, coordinates risk functions and drives internal audit initiatives
  • Employing critical enablers throughout the internal audit life cycle, such as an organizational structure that aligns to the business and fits the organization’s culture, and an appropriate talent management program that ensures internal audit has the right people with the right skills in the right positions
  • Running internal audit like a business by employing data analytics to drive enterprise efficiencies and results and by designing a value charter and scorecard that define how value to the organization is measured and whether internal audit is achieving its goals
  • “With the right internal audit-focused strategy in place, internal audit can add value to the business by becoming strategic advisors, identifying efficiencies across the enterprise, supporting key business initiatives and quantifying internal audit’s return on investment.

“The future of internal audit is not on the horizon. It’s here. And internal audit functions need to act now to remain relevant to the business — or be left behind.”

I welcome your comments and perspectives.

  1. Deb
    September 17, 2012 at 9:49 PM


    This is another good survey, albeit with predictable (for most) results and findings. I’ve absolutely no doubt on the bona fides of the surveyors, or the veracity of the survey findings. However, what many such surveys may fail to do is something we we all have been advocating fervently for the field of GRC viz. integration. It’s all very well to say that 75% appreciate IA and so many % think IA contributes greatly to RM, but are these the same % of population?

    As you rightly point out towards the beginning of your piece, the key may lie in the potential divergence of numbers. Or, rather, the coefficient of correlation of the different responses. Can someone bind it all through a chain and show the (I’d bet small, but useful) % of really sincere companies who appreciate the potential of IA to ‘go where no one has gone before’ (for instance, governance audit), integrate IA into the ERM structure (while retaining its independence), put in place a robust RM governance & oversight structure and processes, and then link all of this through to objectives and performance? That’d perhaps make all the disparate pieces of the jigsaw puzzle fall (more or less) into place. Short of that, many of the responses may look like empty homilies, something like ‘we’re sure IA can do better (though we don’t know how), but would prefer they don’t look at certain places’…

    What we in IA may need is something like the research effort which went into a ‘Good to Great’ (Jim Collins), with tangible results martialled to support the conclusions (including some counter-intuitive ones) and way forward.

    My 2 cents.

    Max Healthcare

  2. michaeljcorcoran
    September 18, 2012 at 10:03 AM

    Maybe a good time for the the large accounting firms to take a risk-based approach to their main business financial auditing like the PCAOB does. The future of external audit is now and the quality according to the PCAOB is not improving and getting worse. Perhaps if they used the finding above for their external audit practice we may see improvements.


  1. September 18, 2012 at 5:14 AM
  2. November 4, 2012 at 12:15 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: