2017 Pulse of Internal Audit: Courage Instills Confidence
Fortitude needed to examine overlooked risk areas
LAKE MARY, Fla. (Feb. 13, 2017) — Chief audit executives who are willing to examine risk areas not typically on their radars can boost stakeholder confidence in the value of internal audit, according to The Institute of Internal Auditors’ 2017 North American Pulse of Internal Audit.
In Courageous Leadership: Instilling Confidence from Within, The IIA’s Audit Executive Center urges deeper examination of four overlooked risk areas as examples of how strong leadership can instill self-confidence in internal auditors, boost management’s and the board’s confidence in the internal audit function, and heighten stakeholder confidence in the organization overall.
“Courage is a character trait many top audit leaders exhibit, not just in dealing with the pressures inherent to the job, but also in addressing areas that may be taboo or historically overlooked,” said IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA. “We believe this demonstration of fortitude by CAEs helps build a poised and assertive audit function that is valued by stakeholders and benefits the entire organization.”
The areas highlighted in this year’s Pulse report reflect that not all risks are new or emerging. Indeed, critical risks exist that may not have grabbed the attention of stakeholders or internal audit. The report identifies two organizational risks — company communications and environmental, health and safety (EHS) — deserving of more of internal audit’s attention.
Two additional risks require the courage to look inward at internal audit’s use of data analytics and the interpersonal dynamics between internal audit and the clients it serves. Internal audit leaders should be willing to show “the same objective and professional skepticism used when assessing others,” when conducting this self-examination, according to the report.
The four areas highlighted in the Pulse report reflect how some risks can lurk just outside of the purview or reach of many internal audit functions. They are by no means the only ones, but they offer good examples.
- Non-traditional communications — information shared with investors, customers and other stakeholders through means other than financial statements — can impact an organization just as easily as a glaring error in a 10-K report.
- According to the Pulse survey of more than 500 CAEs and other risk professionals, 66 percent said they have high concerns regarding reputational risks associated with inaccurate, incomplete or misleading information. Yet, only 9 percent provide assurance in this area other than internal audit’s review of formal financial reports. What’s more, 20 percent of survey respondents said they are not aware of any assurance being provided on such non-traditional communications.
- In 2015, U.S. organizations paid more than $13.3 billion in EPA and OSHA fines. Yet, less than half of CAEs responding to the Pulse survey said they include EHS risks in their audit plans.
- The use of data analytics by internal audit is growing, with more than 9 in 10 survey respondents saying they include it in their audits. More than 4 in 10 “always” or “frequently” use data analytics in their audits, according to the Pulse survey. Yet more than half of survey respondents said they “rarely or never” use data analytics to assess risks in developing their department audit plan.
- Negative exchanges between internal audit and its clients can minimize the function’s effectiveness. Indeed, half of the survey respondents said a negative exchange could impact the ability to conduct an audit (50 percent said yes or maybe).
The report provides specific steps internal audit functions can take to address the overlooked risks examined in the report, but its overarching theme pushes a bigger agenda. CAEs are urged to, “Have the courage to peel pack the layers of prior practice, old expectations, and a lack of awareness in these areas to reveal and address risks that could materialize into bigger problems.”
The full 2017 Pulse of Internal Audit report will debut at The IIA’s 2017 General Audit Management (GAM) Conference, March 20-22 at the Gaylord Palms Resort in Orlando.