2020 Pulse of Internal Audit: There’s Good News and Bad News

The fast-spreading coronavirus (COVID-19) has brought into sharp focus risks on many levels, from employee safety and productivity and supply-chain weaknesses to the extent to which modern economies are globally interdependent. From an internal audit perspective, it offers challenges and opportunities to demonstrate the value that independent assurance can provide to crisis management. 

Unfortunately, the coronavirus has also thrown a spanner into the works for The IIA’s annual General Audit Management (GAM) Conference. As many of you know, we have cancelled the in-person gathering planned this week in Las Vegas, but we also are moving ahead with an enhanced virtual conference streaming live starting Monday.

Cancellation of the on-site event has disrupted the traditional rollout of the annual Pulse of Internal Audit report, but that certainly doesn’t diminish the importance of the report. As often is the case with these North American reports, this year’s findings include both good news and some troubling news for the profession. 

As for the good news, many internal audit functions continue to experience growth in both budgeting and staffing. Considering that internal audit functions in 90 percent of publicly traded companies (and 84 percent overall) report functionally to their audit committee, board, or equivalent, growth in resources likely indicates that they are delivering on board expectations.

This year’s report also reflects growing diversity (both generational and gender) in internal audit leadership. More on that later.

But the report highlights ominous clouds on the horizon — issues that could portend challenges ahead for our profession.

One of the most alarming findings in the 2020 North American Pulse of Internal Audit is that audit plans for many organizations are missing key risks. The data, based on responses from 630 internal audit executives, paints a troubling picture of organizations not allocating audit resources to issues as significant as cybersecurity, IT, and third-party relationships. 

Consider this:

• Overall, nearly a third (32%) of Pulse survey respondents do not plan to devote any audit resources to cybersecurity. That is particularly disturbing for public-sector audit functions, in which 54% report no plans for cybersecurity audits.
• Smaller functions especially struggle to include cyber. Just half of functions with fewer than four employees plan to address cyber in the coming year. The percentage peaks at 83% for functions with more than 50 employees.
• No audit resources are planned for IT risks for 31% of respondents.
• 52% do not plan to address third-party risks in their audit plans.
• Despite the growing interest in sustainability issues, especially among shareholders, 9 in 10 audit functions have no plans to audit this risk, either.

The relevance of these findings becomes clearer when we consider additional trending data in this year’s Pulse. For the first time, the report offers comparisons of risk trends — how respondents rate risk relevance on 13 key risks — versus the percentage of audit plans devoted to those risks. When presented side by side, the four-year trending data is startling. The Pulse report goes the additional step of breaking down those comparisons for five organization types: publicly held, privately held, public sector, nonprofit, and financial services.

Pulse also offers a glimpse at audit function maturity and how the face of the profession’s leadership is changing.

Respondents were asked to rate the maturity of their audit functions based on descriptions in the Internal Audit Ambition Model, developed by IIA–Netherlands. The encouraging news is that 8 in 10 rated their functions at levels that support strategic risk management, long-term planning, and continuous improvement. However, 2 in 10 rated their functions at levels that fall below integration into the organization and conforming to The IIA’s International Standards for the Professional Practice of Internal Auditing.

A demographic profile of chief audit executives (CAEs), meanwhile, finds a generational shift, with members of Generation X (39 to 54 years old) now accounting for more than half (54%) of respondents. Baby Boomers (55 to 73 years old) make up 36%, and Millennials (23 to 38 years old) make up 10%.

The number of women in internal audit leadership is growing, now accounting for 40% of all respondents. Four-year trending data shows an overall 7% increase in the percentage of female CAEs. The biggest increase was 11% among publicly traded companies, where women now account for 32% of CAEs. However, that organization type still lags all others, and women account for the majority (52%) of CAEs in just one organization type — the public sector. That is a 9% increase since 2017.

In addition to risk and audit plan trends, Pulse also contains important metrics on staffing, hiring practices, and reporting lines. 

While the annual report reflects data collected from CAEs in North America, I believe it contains valuable information for all CAEs to consider. I encourage all my readers to download a copy.

As always, I look forward to your comments.