Boards, audit committees and senior management now want internal audit to take on a bigger and more strategic role in helping companies manage an increasing array of business risks, according to PwC’s 2012 State of the Internal Audit Profession study. The survey polled 1,530 executives from 16 industries in 64 countries.
“The survey shows the trend has changed from just a few years ago, when internal audit was limited to the finance and compliance function,” says Jason Pett, internal audit services leader for PwC. “At the end of the day, the work of internal audit is with key risks to the business. Internal audit needs to be aligned with the business to make sure it is allocating time and effort to the high-risk areas.”
Stakeholders and chief audit executives (CAEs) say their businesses now face more risks than ever before and identified 15 risk areas. They want internal audit to bring its objective point of view to focus on evaluating processes and controls in these other areas, Pett says. The top areas where stakeholders are asking for increased internal audit focus are data privacy and security, and regulations and government policies, according to the survey.
Risk areas that respondents said receive too little attention from internal audit include: talent and labor (33%), competition (32%), new product introductions (31%), mergers and acquisitions and joint ventures (29%), commercial market shifts (25%) and large program risk (25%).
“One hundred percent of stakeholders and CAEs say internal audit needs to spend more time, not less, on business risks,” Pett says. “What successful companies are doing is inviting internal audit to participate early on in strategic discussions on where the business is moving,”
Internal audit has the ability to have a real impact if its objective point of view is inserted throughout the process, he says. For instance, with M&A, internal audit can evaluate the processes and the control environment of the acquisition target, its Foreign Corrupt Practices Act profile and the impact of the acquisition on the overall business and culture of the acquirer. “So companies can know what they are getting before they get it,” Pett says, instead of bringing internal audit in after the acquisition to tell the organization what it bought.