2020 Pulse of Internal Audit Uncovers Critical Gaps in Risk Coverage
LAKE MARY, FL (March 18, 2020) – The coming decade offers the internal audit profession significant opportunities driven by increasing public demand for accountability and transparency. To leverage those opportunities, internal audit must forge a clear path toward higher levels of maturity and work with stakeholders to ensure that all key risk areas are within its scope of work.
The 2020 Pulse of Internal Audit, however, reveals serious gaps in internal audit’s coverage, with audit plans deficient in key risk areas, including:
- Almost one-third of respondents did not include cybersecurity/information technology in their audit plans.
- More than half did not include governance/culture or third-party relationships.
- Ninety percent did not include sustainability.
To be sure, chief audit executives’ perceptions about risk levels increased dramatically over the past four years in many risk areas. For example, CAEs who rated cyber as a high or very high risk to their organizations jumped from 60% to 77% during the period. Third-party relationships (35% to 51%) and IT (39% to 59%) saw similar sharp increases.
However, audit plan allocations did not reflect a similar urgency, as they evolved gradually. For example, audit plan allocations for cyber increased from 6.3% to 7.3%; third-party relationships went from 3.3% to 3.8%; and IT dropped from 9.2% to 9%.
The 2020 Pulse report, based on input from more than 600 internal audit executives, includes in-depth analysis of key risk and audit plan allocation trends, including breakouts for organization types, which audit leaders and stakeholders can use to benchmark against those of their peers. These side-by-side comparisons show the stark difference between how CAEs view risks and how internal audit resources are allocated.
In addition, Pulse provides a deeper focus on staffing, reporting lines, and audit function maturity.