The State of Internal Audit Capabilities in 2015
Overall, I am pleased to see the progress the internal audit practice has made over the last few years. While there are still serious problems regarding independence and resources in some parts of the world (where internal audit is established only to “check-the-box”, not with any intent to be a serious activity), more and more organizations are moving to what I call “enterprise risk-based” auditing; perhaps half are providing assurance through formal audits and assessments of the management of risk; and many are focusing on identifying problems before rather than after they occur, which has become a recurring mantra.
That progress is reflected, for example, in Protiviti’s latest Internal Auditing Around the World and in the IIA’s CBOK series.
Yet, the picture is not entirely rosy.
This year, I have been privileged to work with the National Association of Corporate Directors. I was a panelist at three separate events where they discussed cyber risk.
In one group session, a director said that the board could not ask internal audit to assess and help with cyber risk because they lacked that capability. The others voiced their agreement, one and all.
This is a huge problem!
Internal audit may not always have the talent on staff to address every risk or concern, but if the board would only give it the resources, internal audit can either hire that staff or outsource the task.
As a chief audit executive, I have hired specialists to address specific risks in IT (including highly technical personnel), environmental compliance, engineering, fraud investigations, and more. Where possible, I have provided staff (including myself) training in specialized areas, such as derivatives trading, Six Sigma, and Lean Manufacturing.
I also used outside resources from consulting and personnel agencies:
- A derivatives trading and management specialist
- A “white hat” penetration testing team
- A former global procurement executive
- An expert in sales contracting and management
- A corporate tax specialist
- and more
Some talk about internal audit being the “consultant of choice”. I wouldn’t go that far. Where I would go is that internal audit should have the capability, whether through its own personnel, co-sourcing, or other contract staffing, to address and provide assurance on the key risks facing the enterprise.
Internal audit should:
- Inform the audit committee when it has insufficient resources to address a specialized area of risk, and endeavor to persuade them to provide such additional resources (headcount or dollars) to address the need
- Inform the audit committee that it has the capability to obtain the necessary resources to address specialized areas such as cyber security, ethics compliance, corporate culture, corporate governance and more. This means that the CAE needs to build a network that he/she can tap to locate and hire the necessary expertise
- Challenge management and even the audit committee when either goes outside to obtain assurance on an area of risk
I welcome your comments.
I think it is appropriate for management to perform a risk assessment, and if that requires going outside to hire a specialist, what could be wrong with that?
Many organizations, especially the ones in financial services, nowadays have an Information Security unit which to a certain extent handles such risks (cyber risks). But yes, to give assurance on the effectiveness of managing such risks, Internal Audit is required.
I agree, audit has the role of providing assurance to management and the board, hence the department has to be well resourced to accomplish that. Being adequately resourced with skills and capabilities could be by acquiring the skill internally through training or, as it were, outsourcing the skill from outside experts. It serves the purposes of management. Outsourcing is one way to reconfigure and hone one’s capabilities, especially in this technologically dynamic environment.
Couldn’t agree more, especially in the IT area. I aimed for a ratio of about one specialist IT auditor to about four ‘general’ auditors. The IT auditors would have programming/analysis experience and be studying for ISACA exams. I used to recruit from the company’s IT department as IT auditors are in short supply. We hired in specialist IT staff if necessary.
Several organizations publish lists of top 10 risks for audit, technology, safety, quality, etc. I would assume that every CAE is aware of the pertinent “top 10 risk” list(s) for his or her business. While these lists change from year to year as the risks and responses are updated, most of those risks stay on the list for several years. It seems highly irresponsible for internal audit to NOT address, either through training or hiring, the known risks to their organization. Yes, there are often emerging risks that need to be addressed on an ad hoc basis by hiring an external consultant. Cyber-security, however, is not an emerging risk. Nor is ethics or compliance.
As auditors, we have the basic skills to assess risks, to identify the controls that mitigate the risks, and to test the effectiveness of those controls. That’s what we do. If there is a consistent risk that we are not comfortable assessing, we need to learn more so we become capable. We don’t need to be an expert in what we audit – that has never been a requirement. We do, however, have a responsibility to our organizations and to our profession to identify deficiencies; that applies to our own training just as much as it does to the control environment.
Richard, I agree with the last part of your comment. However, I believe that these days the risks change quickly and significantly, so an internal audit department needs (a) to know about them, (b) to modify the audit plan throughout the year, and (c) to be nimble in addressing the risks.
I totally agree with the article. I’m coming from an organization where management does not feel that Cybersecurity is a risk. How does one even convince the board to carry out a review of the cybersecurity controls when they do not even feel that this is a risk?
Paul, something is wrong somewhere if the board doesn’t think cyber is a risk. Who is telling them what?
Paul, if they don’t consider cybersecurity a risk, have they considered the risk of a quill pen shortage?
I feel for you!
The Audit Committee and the Chief Audit Executive should encourage the IA staff to continuously learn about new risks and mitigation strategies so that the IA function could be a strong value adding proposition to the Company and its stakeholders.
I totally agree with these thoughts. Resources should be allocated to auditors to help the organisation deal with the high-profile identified risks.
Ultimately the Audit Committee would have the call, but really shouldn’t it be a consensus between management, Internal Audit and the Committee? I’d include IT in management.
I think management (including IT) should have a voice, but a small one.