Paul Sobel knows a thing or two about budgets. As vice president for internal audit at Mirant Corp. in Atlanta, he has spent his time poring over the minutiae of the $3 billion merchant energy company’s books. Now, however, he has to think about his own budget as well. With the economy in crisis, the budget for his 14-person department is “flat,” he says, which means he has had to “be smart about allocation of resources.” For Sobel, that has meant shifting away from the past few years’ concentration on Sarbanes-Oxley testing to focus more on technology risk and strategic risk.
It’s a story being repeated all across the corporate landscape, according to PricewaterhouseCoopers, which just conducted a survey of more than 700 internal auditors. “This was the first survey we’ve conducted in which internal auditors said their budgets had been reduced or that they expected [them] to be reduced,” reports Gary Chamblee, internal audit services partner and co-author of the report. “Even in Fortune 500 companies, we had auditors saying they expected reductions.”
Chamblee says this year’s report shows that internal auditors need to focus on emerging risks and also be prepared to step outside of the usual annual audit plan. “With things changing so fast, you need to be checking your GPS along the way,” he says.
Since many corporate departments are focusing on enterprise risk management (ERM), hard-pressed internal auditors can “leverage that focus” by examining the company’s ERM. “If it looks pretty good, then you don’t have to focus there yourself,” he says.
At the same time, he says internal auditors need to become more technologically proficient, particularly when it comes to data mining and analytics. “ERM has massive amounts of data. If you can process that data for your own purposes, looking for anomalies or red flags, that can help you enormously,” Chamblee explains. “Instead of just trolling for problems, you can locate where you should be fishing.”
“There is a need for training and retraining,” adds Peggy Hardek, the other co-author of the study. “Technology was never really required before for internal audit.”
That might sound like a budget buster. Chamblee suggests that “a good idea is to use your vendors. An Oracle or SAP will have someone the internal auditor can talk to. You may well find that the system the company is using has capabilities that you just haven’t been using.”
Mirant’s Sobel, who is also president of the research foundation of the Institute of Internal Auditors, agrees. “Using data analytics is becoming increasingly important,” he says. “But knowing what to do with the data is also important. Like saying, ‘Hmmm, why would this employee have the same address as one of our vendors?’”