Internal audit teams are expanding their work to focus more on operational and strategic risks, after having spent much of their time since Sarbanes-Oxley was enacted 10 years ago looking at financial reporting and compliance risk.
The change shows internal audit groups are responding to the evolving needs of senior executives and boards of directors, says Richard Chambers, president and CEO of the Institute of Internal Auditors. “As we’ve gone through this global economic crisis, the risk portfolios of most big companies have shifted,” Chambers says. “Today they’re dealing with operational risk more so than financial reporting risk, and the whole challenge of effective risk management itself is important for most boards and senior management.”
Internal audit departments used to spend more time on operational risks, but that changed when Sarbanes-Oxley was enacted in 2002. “It’s as if everyone put pencils down on operational auditing,” he says. “So much risk was perceived to be in place around accurate financial reporting that that became almost the No. 1 priority of many audit departments.”
A recent Ernst & Young survey of chief audit executives, other senior executives and board members shows operational risks make up 21% of current audit plans, while strategic risks make up 19%.
“More and more audit functions are moving in the direction of doing more audits regarding operational and strategic risks, as opposed to just financial or compliance risks,” says Brian Schwartz, Americas internal audit leader at Ernst & Young.
Chambers argues that internal audit needs to focus still more on strategic risks and on the effectiveness of the company’s risk management efforts.
The question of risk management effectiveness “has become a huge priority for corporate boards,” he says. “In the wake of this financial crisis, there’s a widespread perception that it was risk management that failed, in the financial sector in particular.” Regulators are pushing corporate boards to demonstrate their oversight of risk management effectiveness, Chambers adds. “So we see the internal audit function as ideally suited to provide some assurance to the board on how well risks are being managed.”
The shift in focus means internal audit groups are altering their recruiting to put less weight on accounting expertise and more on understanding the company’s business. “You have to know the business if you’re going to audit the business,” Chambers says. “That’s become a primary recruiting priority for chief audit executives.”
Three-quarters of the executives surveyed by E&Y say the work of internal audit has a positive impact on the company’s risk management. But executives are looking for more, with 80% saying they see room for improvement in their company’s internal audit function, according to the survey.
The executives’ top priority for internal audit, according to the survey, is improving the risk assessment process.
Schwartz, who's pictured at left, says that while audit teams routinely use their own risk assessment process when putting together their audit plan, he’s now seeing internal audit groups working to link their risk assessment with the company’s overall risk assessment. The E&Y report emphasizes the importance of integrating internal audit’s work with the company’s strategic goals.
Another priority high on executives’ list is improving internal audit’s ability to monitor emerging risks. “We are just starting to notice audit functions take responsibility to notice what the emerging risks are,” says Schwartz, who notes that spotting emerging risks is “somewhat of a different skill set” for internal audit. “They’re trying to become better at being more forward looking.”
He notes that internal audit teams are also moving away from annual audit plans that are set in stone. “It used to be, ‘let’s define a plan and then spend the rest of the year carrying that out,’” he says. “Now it’s very much a dynamic audit plan. What audit execs are doing and what stakeholders are demanding they do is take a step back and say, ‘Is this audit plan still super-relevant?’”
A company’s risk profile changes all the time, he notes, whether it’s because the company has done a transaction or is entering a new market. “Now the audit plan can flex with it, which is good.”
For an earlier report on the evolution of internal audit, see Internal Audit and Business Risk.