PwC’s recent “2016 State of the Internal Audit Profession Study” provides a mix of insights—some new, some old. It’s definitely worth a read.
Some findings are pretty much the same as in previous years—internal audit still needs to be more aligned with the business around risk focus, and should use technology more extensively and effectively. The report includes a variety of data points around current and expected use of data analytics.
But one finding really surprised me:
“While just 11% (of CAEs) characterize their current internal audit function as providing value-added services and proactive advice for the business, 60% believe that they will need to be doing so within the next five years.”
Really? Only 11%? So how does this align with the IIA’s own definition of internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations”?
Audit tradition vs. modernity
Maybe it’s just a reflection of workload, or a reluctance to do things differently, that most internal audit departments are still focused on their traditional assurance, controls testing, and compliance-type functions and steer away from providing insight into things that more directly matter to business management.
Of course, these traditional roles do provide great value—even though they may not seem at times to be the most exciting activities. Without having someone to make sure that business processes are working as they should and effective controls are in place, the chances are that businesses would not be as profitable and would be at risk for serious regulatory compliance problems. However, it is clear that much of the leadership of the audit profession is not content with this role and wants to deliver more, to “earn a seat at the table” by contributing in ways that really matter to senior management and the board.
Which takes us to some of the newer findings in the PwC study:
“Senior management and boards are looking for internal audit functions to be actively involved in business imperatives and offer proactive perspectives on all business risks.”
Today, based on various surveys (and some of my own informal questions to audiences at audit conferences), approximately 5-10% of audit teams include some strategic business initiatives and risks in their audit plan.
What does it take to shift focus?
There are various reasons for this number being so low.
The PwC report points out that it requires certain talent and business acumen that relatively few auditors have. This is at least partially accurate, though the report included three quotes which each provide interesting insight on the topic:
“The main area of challenge is not technical but behavioral: finding auditors with sufficient global and business acumen who can face management and provide appropriate and constructive levels of challenge.” —Abdulrahman al Harthy, CAE, Oman Oil Group
“Internal audit is not second-guessing strategic direction. [It] should be looking at the project management of strategic initiatives, the key risks, and the business processes.” —JoAnne Stephenson, chair of audit and risk committees, Challenger Limited
“If internal audit says it is going to ‘learn business acumen,’ it will fail. Internal audit needs people who will train themselves by digging into the details, and that starts with intellectual curiosity. Intellectual curiosity is key.” —Ninette Caruso, CAE of Genworth Financial
No one really expects an auditor to suddenly morph into a hotshot business strategy consultant who is going to point out where the CEO is going wrong. But if you can combine the attributes referred to in the quotes above—none of which should be beyond the reach of an audit department—all of a sudden it seems quite feasible for auditors to be delivering value and insights around strategic business issues.
I would also add one more critical attribute to the mix:
Internal auditors need the ability to harness the power of technology and work with data from across the enterprise in a way that probably no role in the organization, except for internal audit, gets to do.
The internal audit profession is some way from achieving its own expectations or those of other organizational stakeholders, but the PwC report shows the progress that is being made in audit’s ongoing transformation. And I cannot help but reflect on how all of this converges with ACL’s vision of “a world where GRC professionals are an organization’s most sought after people.”
Published with permission from ACL Services. Written by John Verver
John Verver, CPA CA, CISA, CMC is an acknowledged thought leader, writer and speaker on the application of data analysis technology in audit, fraud detection, risk management and compliance. He is recognized internationally as a leading innovator in continuous controls monitoring and continuous auditing and as a contributor to professional publications. He is currently a strategic advisor to ACL, where he has also held vice president responsibilities for product strategy, as well as ACL’s professional services organization. Previously, John was a principal with Deloitte in Canada.