Internal audit teams are expanding their work to focusmore on operational and strategic risks, after having spent much oftheir time since Sarbanes-Oxley was enacted 10 years ago looking atfinancial reporting and compliance risk.

|

The change shows internal audit groups are responding to theevolving needs of senior executives and boards of directors, saysRichard Chambers, president and CEO of the Institute of InternalAuditors. “As we've gone through this global economic crisis,the risk portfolios of most big companies have shifted,” Chamberssays. “Today they're dealing with operational risk more so thanfinancial reporting risk, and the whole challenge of effective riskmanagement itself is important for most boards and seniormanagement.”

|

Internal audit departments used to spend more time onoperational risks, but that changed when Sarbanes-Oxley was enactedin 2002. “It's as if everyone put pencils down on operationalauditing,” he says. “So much risk was perceived to be in placearound accurate financial reporting that that became almost the No.1 priority of many audit departments.”

|

A recent Ernst & Young survey of chief audit executives, othersenior executives and board members shows operational risks make up21% of current audit plans, while strategic risks make up 19%.

|

“More and more audit functions are moving in the direction ofdoing more audits regarding operational and strategic risks, asopposed to just financial or compliance risks,” says BrianSchwartz, Americas internal audit leader at Ernst & Young.

|

Chambers argues that internal audit needs to focus still more onstrategic risks and on the effectiveness of the company's riskmanagement efforts.

|

The question of risk management effectiveness “has become a hugepriority for corporate boards,” he says. “In the wake of thisfinancial crisis, there's a widespread perception that it was riskmanagement that failed, in the financial sector in particular.”Regulators are pushing corporate boards to demonstrate theiroversight of risk management effectiveness, Chambers adds. “So wesee the internal audit function as ideally suited to provide someassurance to the board on how well risks are being managed.”

|

The shift in focus means internal audit groupsare altering their recruiting to put less weight on accountingexpertise and more on understanding the company's business. “Youhave to know the business if you're going to audit the business,”Chambers says. “That's become a primary recruiting priority forchief audit executives.”

|

Three-quarters of the executives surveyed by E&Y say thework of internal audit has a positive impact on the company's riskmanagement. But executives are looking for more, with 80% sayingthey see room for improvement in their company's internal auditfunction, according to the survey.

|

The executives' top priority for internal audit, according tothe survey, is improving the risk assessment process.

|

Schwartz, who's pictured at left, says that whileaudit teams routinely use their own risk assessment process whenputting together their audit plan, he's now seeing internal auditgroups working to link their risk assessment with the company'soverall risk assessment. The E&Y report emphasizes theimportance of integrating internal audit's work with the company'sstrategic goals.

|

Another priority high on executives' list is improving internalaudit's ability to monitor emerging risks. “We are just starting tonotice audit functions take responsibility to notice what theemerging risks are,” says Schwartz, who notes that spottingemerging risks is “somewhat of a different skill set” for internalaudit. “They're trying to become better at being more forwardlooking.”

|

He notes that internal audit teams are also moving away fromannual audit plans that are set in stone. “It used to be, 'let'sdefine a plan and then spend the rest of the year carrying thatout,” he says. “Now it's very much a dynamic audit plan. What auditexecs are doing and what stakeholders are demanding they do is takea step back and say, 'Is this audit plan stillsuper-relevant?'”

|

A company's risk profile changes all the time, he notes, whetherit's because the company has done a transaction or is entering anew market. “Now the audit plan can flex with it, which isgood.”

|

For an earlier report on the evolution of internal audit,see Internal Audit and Business Risk.

|

Complete your profile to continue reading and get FREE access to Treasury & Risk, part of your ALM digital membership.

  • Critical Treasury & Risk information including in-depth analysis of treasury and finance best practices, case studies with corporate innovators, informative newsletters, educational webcasts and videos, and resources from industry leaders.
  • Exclusive discounts on ALM and Treasury & Risk events.
  • Access to other award-winning ALM websites including PropertyCasualty360.com and Law.com.
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Susan Kelly

Susan Kelly is a business journalist who has written for Treasury & Risk, FierceCFO, Global Finance, Financial Week, Bridge News and The Bond Buyer.