By Richard Chambers | March 15, 2020
The fast-spreading coronavirus (COVID-19) has brought into sharp focus risks on many levels, from employee safety and productivity and supply-chain weaknesses to the extent to which modern economies are globally interdependent. From an internal audit perspective, it offers challenges and opportunities to demonstrate the value that independent assurance can provide to crisis management.
Unfortunately, the coronavirus has also thrown a spanner into the works for The IIA’s annual General Audit Management (GAM) Conference. As many of you know, we have cancelled the in-person gathering planned this week in Las Vegas, but we also are moving ahead with an enhanced virtual conference streaming live starting Monday.
Cancellation of the on-site event has disrupted the traditional rollout of the annual Pulse of Internal Audit report, but that certainly doesn’t diminish the importance of the report. As often is the case with these North American reports, this year’s findings include both good news and some troubling news for the profession.
As for the good news, many internal audit functions continue to experience growth in both budgeting and staffing. Considering that internal audit functions in 90 percent of publicly traded companies (and 84 percent overall) report functionally to their audit committee, board, or equivalent, growth in resources likely indicates that they are delivering on board expectations.
This year’s report also reflects growing diversity (both generational and gender) in internal audit leadership. More on that later.
But the report highlights ominous clouds on the horizon — issues that could portend challenges ahead for our profession.
One of the most alarming findings in the 2020 North American Pulse of Internal Audit is that audit plans for many organizations are missing key risks. The data, based on responses from 630 internal audit executives, paints a troubling picture of organizations not allocating audit resources to issues as significant as cybersecurity, IT, and third-party relationships.
The relevance of these findings becomes clearer when we consider additional trending data in this year’s Pulse. For the first time, the report offers comparisons of risk trends — how respondents rate risk relevance on 13 key risks — versus the percentage of audit plans devoted to those risks. When presented side by side, the four-year trending data is startling. The Pulse report goes the additional step of breaking down those comparisons for five organization types: publicly held, privately held, public sector, nonprofit, and financial services.
Pulse also offers a glimpse at audit function maturity and how the face of the profession’s leadership is changing.
Respondents were asked to rate the maturity of their audit functions based on descriptions in the Internal Audit Ambition Model, developed by IIA–Netherlands. The encouraging news is that 8 in 10 rated their functions at levels that support strategic risk management, long-term planning, and continuous improvement. However, 2 in 10 rated their functions at levels that fall below integration into the organization and conforming to The IIA’s International Standards for the Professional Practice of Internal Auditing.
A demographic profile of chief audit executives (CAEs), meanwhile, finds a generational shift, with members of Generation X (39 to 54 years old) now accounting for more than half (54%) of respondents. Baby Boomers (55 to 73 years old) make up 36%, and Millennials (23 to 38 years old) make up 10%.
The number of women in internal audit leadership is growing, now accounting for 40% of all respondents. Four-year trending data shows an overall 7% increase in the percentage of female CAEs. The biggest increase was 11% among publicly traded companies, where women now account for 32% of CAEs. However, that organization type still lags all others, and women account for the majority (52%) of CAEs in just one organization type — the public sector. That is a 9% increase since 2017.
In addition to risk and audit plan trends, Pulse also contains important metrics on staffing, hiring practices, and reporting lines.
While the annual report reflects data collected from CAEs in North America, I believe it contains valuable information for all CAEs to consider. I encourage all my readers to download a copy.
As always, I look forward to your comments.
I welcome your comments via LinkedIn or Twitter (@rfchambers).