The roles of the internal audit function, defined loosely, are to make the business better and to keep it out of trouble — but the two don’t necessarily get equal time.
In the several years following the passage of the Sarbanes-Oxley Act in 2002, at the typical U.S. public company the pendulum swung far to the keep-out-of-trouble side, with resources heavily allocated to complying with the act’s requirements for attestation and testing of internal controls.
But now efforts are afoot to move back toward equilibrium, according to a new report from Ernst & Young. Internal audit functions are being asked to “raise their game” and deliver more value by covering not only compliance and financial risks, but strategic and operational risk areas as well, the report states.
The new trend has several roots. For one, the passage of time has taken the edge off the angst of Sarbox compliance. Further easing the pressure is the new Auditing Standard No. 5, which allows external auditors to focus on the riskiest areas of internal controls, rather than probe all controls in detail. But perhaps most significant is the stark realization — quite recently, for many companies — that business risks may be far greater than previously presumed.
A key risk with both strategic and operational components is that business processes are not optimal. In E&Y’s survey of internal audit executives at 348 companies — most of them multinationals with revenues above $5 billion — 57 percent said process improvement recommendations were “very important” in meeting management’s expectations for internal audit.
That result is interesting in light of another survey E&Y did just a year ago. Then, only 36 percent of internal auditors said process improvement recommendations were among management’s top three expectations.
“Stakeholders in various companies are asking internal audit to provide more,” Steven Singer, a principal in E&Y’s risk advisory services group, told CFO.com. “Don’t just be the compliance police. Literally help identify opportunities for process improvement, and focus more on strategic and operational risk.”
But establishing that focus may be easier said than done. Because of the years of focus on Sarbox, many internal audit teams today are thin on the experience needed to operate in a new way.
Only 17 percent of respondents to the recent survey rated their current team’s skill at enterprise risk assessment as “very competent.” Just 19 percent said the same for fraud detection, 22 percent for use of technology and analytics, and 39 percent for business process improvement.
More than a third of respondents said it was “very difficult” to recruit people skilled at enterprise risk assessment. Similar percentages said the same for auditing skills in specialized areas such as mergers and acquisitions, tax, and fraud detection. A total of 68 percent said it was either very difficult or somewhat difficult to find people knowledgeable about operational auditing or process improvement, compared to 51 percent for compliance auditing.
“If you look at the survey data, the leaders of organizations do not have full faith right now in internal audit’s ability to execute their mission,” said Singer.
Of course, E&Y, like the other major public accounting firms, has large risk management and internal auditing consulting practices, so it stands to benefit from corporations’ lack of wherewithal. However, even the Institute of Internal Auditors agrees with the characterization of internal audit as unprepared for current challenges.
“The movement to divert internal audit capacity to support management in accomplishing [Sarbanes-Oxley Section] 404 compliance was done against the will of internal auditors,” said Dominique Vincenti, IIA’s chief advocacy officer.
All of the skills at which E&Y survey respondents said their internal audit teams were less than “very competent” — enterprise risk assessment, fraud detection, use of technology and analytics, and business process improvement — “should be absolutely fundamental and core to any internal auditor who is trying to take his job seriously,” Vincenti said. “But we did not have a focus on those competencies over the past few years. We’re suffering from a lack of supply.”
She went further, saying that attesting on internal controls over financial reporting is not even the responsibility of internal audit. “The law is very clear that it’s management’s responsibility,” she stressed. Companies that devote their resources in that direction miss the value traditionally gotten from internal audit, “which is alerting you to things that are going wrong, or about to go wrong, or could be improved,” Vincenti added.
The road to reinventing internal audit functions may be a steep one for many companies. In the E&Y survey, 51 percent of respondents said they have little or no involvement in enterprise risk management, and just 22 percent reported heavy involvement. In fact, almost a third of the survey participants said their companies are not performing any enterprise-wide risk assessment.