Internal auditors are going to be asked to take on much harder tasks in the years ahead, according to a new study by the Institute of Internal Auditors (IIA). They won't just be looking for fraud or compliance problems. Now they are going to be examining corporate governance, keeping an eye on top executives' behavior and evaluating enterprise risk management processes. "Over the last decade, internal audit was focusing on complying with Sarbanes-Oxley," says Richard Chambers, the IIA's CEO. "Then, as we wound out of the initial phase of SOX, and into the financial crisis, the concern was with very fundamental risks--the financial performance of companies, and business and strategic risks. But two years ago, we started to see a dramatic shift to looking at the significant risk that inadequate corporate governance poses to the enterprise, and to the effectiveness of the risk management function."
Initial findings from a five-part survey show that over the next five years, internal auditors will focus more on corporate governance, enterprise risk management (ERM), strategic reviews, ethics audits and the migration to international financial reporting standards, and put much less emphasis on operational and compliance audits, auditing of financial risks, fraud investigations and internal controls evaluation.
"SOX has been kind of commodified, financial reporting changes have been learned, and so what the survey is telling us is that the real value-added function of internal audit now is playing more of an advisory role on governance," says Paul Sobel, recently hired to head internal audit at Georgia-Pacific, a privately held manufacturer of paper products. "As for risk management, it's been on radar screens for 15 years, but now it's really in the limelight. It's going to become a top responsibility for internal audit for years going forward."
Glenn Sumners, director of the Center for Internal Auditing at Louisiana State University, hails the evolution of internal audit. "Look back at the 50 top corporate frauds and it's the CEO and/or the CFO in every case, so you really need to monitor those functions," Sumners says. "They are the ones who can override your controls."
At the same time, he warns, fraud isn't going away, "so internal audit cannot avoid fraud detection and prevention, either."
"Internal audit is realigning to handle the most complex issues I've ever seen," says the IIA's Chambers. This may explain why the survey found that half of companies are adding more internal audit staff, and that an increasing number of corporate internal auditors hold graduate degrees, including Ph.D.s.