Internal audit teams expected to make risk-informed decisions, AuditBoard finds

Over half of audit committees, boards, and CFOs have asked internal audit to take on more activities around risk in the past two years, AuditBoard has revealed.

According to an industry survey, these expectations are coming at a time when internal audit has limited bandwidth for advisory-related services, and increasing risk demand and insufficient risk management capacity are creating a risk coverage gap for the business.

The survey argues that change and unpredictability from economic, geopolitical, regulatory, and cyber risks are “unrelenting”, and if not managed from a position of strength and preparedness, they can lead to significant negative consequences for enterprises, including damaging financial and reputational impacts, penalties for noncompliance with regulations, lost revenues or market share from third-party risk incidents, and material weaknesses that can lead to losses in market value and investor confidence. 

The most critical impact, however, is that management isn’t getting the information needed to make risk-informed decisions and drive business value. 

The report looks at where internal audit teams are currently spending the majority of their time, and where adjustments could be made to help shift focus to value-added, risk-related activities. 

One of the survey findings revealed that internal audit’s remit is expanding as organisations increasingly look to leverage the function’s risk and controls expertise to help respond to today’s “highly volatile” risk landscape.

Information security control testing appears to be growing in practice, with 82% of chief audit executives (CAEs) involved in some capacity and 44% either owning or heavily involved. 

However, only 28% of CAEs either own or are heavily involved with continuous monitoring of a key process, but 60% of surveyed auditors have some level of involvement in ERM — and 40% have no involvement whatsoever. 

Internal audit also faces changing expectations from many of its key stakeholders. The research shows that more than half (55%) of CAEs indicate that their administrative reporting managers (typically CFOs, and CEOs) have asked internal audit teams to be involved in more activities in the past two years, including ERM, ESG, governance, operational initiatives, and quality assurance. 

While surveyed CAEs identified integrated risk management (IRM) as their top area for increasing responsibilities, most organisations still have a “long way to go” toward IRM maturity – 96% of organisations lack mature IRM programs and 11% of organisations report having no IRM strategy whatsoever. 

Tom O’Reilly, field chief audit executive and connected risk advisor at AuditBoard, said: “Organisations can better manage risk by adopting a connected risk strategy — a modern, cross-functional approach to managing risk across the enterprise. Taking the lead on connected risk is a natural evolution of internal audit’s role given their wide range of governance, risk, and compliance expertise coupled with their deep cross-functional relationships.”