How Are Audit Committee Views of Internal Audit Shaping Up in 2015?

Welcome to what I call “white paper season” for internal auditors. Around this time each year, a number of survey-based white papers are released that provide insight into key challenges and opportunities facing our profession and include the perspectives and expectations of our key stakeholders. Internal auditors should make a point of seeking these out and absorbing the key messages before crafting strategies for the year ahead.

There is no more enduring challenge for internal auditors than achieving and maintaining alignment with the expectations of our key stakeholders. As I have noted before, these expectations are dynamic and definitely prone to change. Assessing the perspectives of audit committee members is an important step in recalibrating internal audit’s focus. I believe that it is essential that we have a keen understanding of what is keeping those we work for up at night, as well as their assessment of our ability to help. What we learn from those findings can be fundamental to our quest to add value in our organizations.

By and large, audit committees have voiced strong support for internal audit over the past decade. However, there is a chronic sense that we can deliver even greater value for our organizations. The recently released 2015 Global Audit Committee Survey from KPMG’s Audit Committee Institute sums up the view of audit committee members in one powerful and clear sentence: “On internal audit, audit committees are still looking for greater value.”

This conclusion would seem to contradict a finding in the survey that 78 percent of respondents were satisfied or somewhat satisfied with their organizations’ internal audit function. But it is important that we, as internal auditors, make a distinction between performance satisfaction and value.

A deeper dive into the KPMG survey shows that audit committee members continue to search for assurance related to key risks that are all too familiar: economic and political uncertainty; regulation and the impact of public policy initiatives; operational risk; and cybersecurity. However, it is the answers to two other questions that may help us better understand the difference between satisfaction and value:

• How much agenda time should audit committees devote to particular issues?
• Which areas do audit committee members see the greatest opportunities for improvement with external audit performance?

Respondents said the areas that deserved more of their time ­— and presumably their focus — were cybersecurity and the related pace of technological change, legal and regulatory compliance, the adequacy of internal controls around operational risks, and oversight of the risk process.

In response to the question on improving external audit performance, the top answers were: offering insights/benchmarking on industry-specific issues, helping audit committees stay apprised of accounting/auditing developments, and sharing views on quality of the financial management organization.

It is significant that most of the responses are in areas that internal audit has staked claims to within the organization. Yet the survey reflects that audit committee members feel they need more information about them or are more comfortable turning to external auditors. Here, we have the answer to our question on satisfaction and value.

Internal audit still has work to do to better inform audit committees of our desire and ability to provide assurance in these most pressing and volatile areas. Until we do so, stakeholders may be satisfied with our performance within a limited scope but remain underwhelmed by the value — or perceived value — we offer to the organization.

The KPMG white paper offers numerous considerations for audit committee members in their oversight of auditors. They include one about internal audit that, in my opinion, puts the issue into proper perspective:

Internal audit should be a crucial voice on risk and control matters — from financial reporting and compliance issues to key operational and technology risks facing business. Does internal audit have the stature — and the direct line to the audit committee — to ensure that its voice is heard and valued?

Is your voice “heard and valued?” If not, why not? I urge you to probe for answers within your organization and then forge the strategies to drive change.

I’d like to know your thoughts on how we can better communicate internal audit’s value to our stakeholders.