When All Defenses Fail: Internal Audit Lessons From the HealthCare.gov Debacle
November 25, 2013Internal Auditors Should be ‘Willing to Throw the Flag’ Before the Play
December 11, 2013I started this year with a blog post detailing what I thought auditors should be focused on in 2013. As the year draws to a close, I wanted to focus on the year ahead — the outlook for internal auditing and what’s on the radar for chief audit executives (CAEs), as measured by the Audit Executive Center’s recent North American Pulse of the Profession report, “Defining Our Role in a Changing Landscape” (PDF). While I recognize that this survey is somewhat North America-centric, my recent global travels lead me to believe that many of these trends will be observed around the world.
The most encouraging 2013 survey results centered on internal audit resources. Expectations for budget and staffing levels are at pre-recession levels, with 90 percent of CAEs saying they expect their budgets to hold steady or increase in 2014. Additionally, 97 percent expect staffing to remain the same or increase.
While the outlook for resources is good, I am concerned that there is an emerging misalignment in the allocation of those resources. As I have commented often in this blog, internal audit should follow the risks. While strategic business risks rank near the top of executive and audit committee concerns, CAEs reported that such risks account for only 4 percent of audit plan coverage overall, and 57 percent of CAEs surveyed said they’ve made no provision for strategic business risks in their 2014 audit plan.
I agree with Dick Anderson’s assessment, published in the report. Anderson, a clinical professor at DePaul University and a former colleague of mine from PricewaterhouseCoopers’ internal audit services, attributes the misalignment to a “bottom-up” risk assessment, which tends to underweight “top-down” concerns.
History suggests that this misalignment will correct itself. Compliance risk, for example, was an underweighted category in the past. However, it will be getting its due in 2014 — thanks in large part to the updated COSO Internal Control–Integrated Framework and the U.S. Affordable Care Act. (I’ll examine this topic in more depth in an upcoming post.) But as I have said before, today’s legislative headlines are tomorrow’s compliance risks.
The survey also revalidated the trend we have been observing since 2009 of internal audit’s focus shifting away from financial risks. In fact, the projected coverage for financial risks is down to only 22 percent of internal audit plans. Instead, coverage of operational risks (27 percent), compliance risks (15 percent), and information technology (11 percent) has collectively comprised a majority of internal audit plans. As I have observed on numerous occasions, this pronounced shift in coverage has mirrored the evolving risk profile of many companies.
Before we become too attached to the picture the survey paints for next year, however, we should remember that internal audit’s resource levels and focus are always subject to unforeseen or emerging risks. Should there be a major economic crisis, regulatory initiative, or catastrophe in a major industry or sector, the outlook could change swiftly and dramatically.
If you haven’t had a chance to review the latest Pulse of the Profession, I would encourage you to do so. Those of you who have seen it, what are your impressions? What’s on your mind for 2014? And what can we do to better align audit resources with top-down risk concerns?
I welcome your comments via LinkedIn or Twitter (@rfchambers).