2017 Pulse of Internal Audit: Courage Instills Confidence
Fortitude needed to examine overlooked risk areas
LAKE MARY, Fla. (March 20, 2017) — The wave of deregulatory fervor spreading across the federal government landscape promises to make the already difficult challenge of identifying and managing risks more complex. While regulatory compliance pressures likely will ease for businesses across numerous sectors, the risks the rules were designed to mitigate won’t disappear.
This evolving risk landscape requires chief audit executives (CAEs) to be especially vigilant about identifying new and hidden risks that could develop as a results of regulatory reform. Indeed, they& need to show the& courage to identify& and provide assurance on new risks as well as existing risks not typically on their radars.
The 2017 North American Pulse of Internal Audit examines this aspect of risk management and concludes bold actions by CAEs can boost stakeholder confidence in the value of internal audit.
In Courageous Leadership: Instilling Confidence from Within, The IIA’s Audit Executive Center urges deeper examination of four overlooked risk areas as examples of how strong leadership can instill self-confidence in internal auditors, boost management’s and the board’s confidence in the internal audit function, and heighten stakeholder confidence in the organization overall.
“Courage is a character trait top audit leaders will need to exhibit not just in dealing with the evolving risk landscape, but also in addressing areas that may be taboo or historically overlooked,” said IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA. “We believe this demonstration of fortitude by CAEs will help build a poised and assertive audit function that is valued by stakeholders and benefits the entire organization.”
The areas highlighted in this year’s Pulse report reflect that not all risks are new or emerging. Indeed, critical risks exist that may not have grabbed the attention of stakeholders or internal audit. The report identifies two organizational risks — company communications and environmental, health and safety (EHS) — as deserving of more of internal audit’s attention.
Two additional risks require the courage to look inward at internal audit’s use of data analytics and the interpersonal dynamics between internal audit and the clients it serves.
Internal audit leaders should be willing to show “the same objective and professional skepticism used when assessing others,” when conducting this self-examination, according to the report.
The four areas highlighted in the Pulse report reflect how some risks can lurk just outside of the purview or reach of many internal audit functions. They are by no means the only ones, but they offer good examples.
- Non-traditional communications — information shared with investors, customers and other stakeholders through means other than financial statements — can impact an organization just as easily as a glaring error in a 10-K report.
According to the Pulse survey of more than 500 CAEs and internal audit directors/senior managers, 66 percent said they have high concerns regarding reputational risks associated with inaccurate, incomplete or misleading information. Yet, only 9 percent provide assurance in this area other than internal audit’s review of formal financial reports. What’s more, 20 percent of survey respondents said they are not aware of any assurance being provided on such non-traditional communications.
- In 2015, U.S. organizations paid more than $13.3 billion in EPA and OSHA fines. Yet, less than half of CAEs responding to the Pulse survey said they include EHS risks in their audit plans.
- The use of data analytics by internal audit is growing, with more than 9 in 10 survey respondents saying they include it in their audits. More than 4 in 10 “always” or “frequently” use data analytics in their audits, according to the Pulse survey. Yet more than half of survey respondents said that& poor analytics design caused extra work, inefficiency that likely could have been avoided by proper planning and resourcing.
- Negative exchanges between internal audit and its clients can minimize the function’s effectiveness. Indeed, half of the survey respondents said a negative exchange could impact the ability to conduct an audit (50 percent said yes or maybe).
The report provides specific steps internal audit functions can take to address the overlooked risks examined in the report, but its overarching theme pushes a bigger agenda. CAEs are urged to, “Have the courage to peel pack the layers of prior practice, old expectations, and a lack of awareness in these areas to reveal and address risks that could materialize into bigger problems.”
The 2017 Pulse of Internal Audit report debuted at The IIA’s 2017 General Audit Management (GAM) Conference today at the Gaylord Palms Resort in Orlando. Copies of the report are available here.