6 Things Audit Committee Members Often Won’t Say to Internal AuditMarch 2, 2023
New Report Reveals Surprising Insights from Internal Audit ExecutivesMarch 20, 2023
For 15 consecutive years, The IIA has used its impressive reach to survey internal audit professionals throughout North America. The 2023 North American Pulse of Internal Audit report is now available, and it once again offers timely data for benchmarking by leading internal audit functions. It should be considered a go-to resource for those dealing with budgeting, staffing and risk-based audit planning.
For this year’s report, The IIA surveyed more than 560 senior internal audit leaders – 83% of whom are CAEs. Respondents were primarily from organizations headquartered in the United States (83%) and Canada (11%). As in past years, audit leaders were surveyed on key resource trends and internal audit’s plans and priorities. The report is organized around five key areas:
- Internal audit budgets
- Internal audit staffing
- Audit plans
- Risk levels
- Leadership metrics
With 15 years of data upon which to draw, the report paints a compelling picture of important trends:
- Budgets. The report shows that increases and decreases in “internal audit budgets have returned to pre-COVID levels.” About 38% reported increased budgets last year, while 12% experienced decreases. The remaining 50% whose budgets stayed about the same were indicative of historical trends when the economy was not in recession. While the statistics are generally positive, it must be noted that inflation in 2022 soared to 40-year highs (6.5% year-over-year). So, the question must be asked – is the fact that 38% reported increased budgets good news or cause for alarm that the number wasn’t much higher? Financial service institutions and other publicly traded companies experienced the most significant growth – with 43% and 42%, respectively, reporting higher budgets than in 2021. When asked if their budgets were sufficient, CAEs of almost 65% of corporate internal audit functions said yes compared with only 38% of public sector CAEs. This highlights once again the serious shortfall of internal audit resources focused on economy, efficiency, and integrity in government.
- Staffing. The report notes that, despite some positive momentum, internal audit staffing growth has not yet returned to pre-COVID levels. In fact, only 25% of respondents reported staffing growth in 2022 compared with 29% in 2019 (the year prior to COVID). Staffing growth coupled with turnover created significant demand for new internal audit talent in 2022, with more than 60 percent of audit functions of three or more members recruiting new staff during 2022. For larger internal audit functions, those with 10 or more staff, the growth was 93% or more. CAEs report that their biggest challenge when recruiting is compensation expectations – likely exacerbated by the demand for internal audit talent coupled with 40-year-high inflation rates. In addition to compensation challenges, the survey also disclosed that many financial services CAEs struggle to find talent with the internal audit experience needed (49%) and industry knowledge (44%). The survey also revealed that “remote work is decreasing, but still common.”
Audit Plans. Among the most anticipated insights to come from surveys such as the Pulse report is a look at internal audit’s priorities for audit coverage. According to the survey results, a typical internal audit plan in 2023 comprised the following:
- Financial reporting – including ICFR (15%)
- Operational (15%)
- Compliance and regulatory (15%)
- Cybersecurity (10%)
- Other IT (9%)
- Other financial (7%)
- ERM (5%)
- Fraud (5%)
- Cost/expense reduction (4%)
- Third-party relationships (4%)
- Support for external audit (4%)
- All other (7%)
It is noteworthy that cybersecurity and other IT (when combined) account for 19% of a typical plan. That’s a stark contrast to bygone eras, when internal audit didn’t have the expertise to focus extensively on IT risks.
- Risk. Any review of internal audit coverage is not complete unless it is compared and contrasted with the risks facing the overall organization. Once again, gaps are clearly observed (percentages indicate rating of each risk as “high/very high”):
- Third-party relationships (51%)
- Compliance/regulatory (46%)
- ERM and related processes (28%)
- Governance and culture (21%)
- Financial reporting (19%)
- Cost/expense reduction (19%)
Gaps between the level of internal audit coverage and perceived risks indicate a potential emerging strategic risk for the profession. But that is a topic for another blog.
As with last year’s Pulse, this year’s survey results were accompanied by extensive analysis. The report is packed with data and an impressive array of graphs and charts depicting internal audit trends, including those by sector and industry. It’s a perfect benchmarking tool for leading internal audit teams and those that are striving to get there.
Pulse is an important resource that can “keep on giving” for leaders of North American internal audit departments. For those of you in the rest of the world, I still recommend reviewing this report for insights into how internal audit functions in some of the world’s largest companies are navigating the volatile and disruptive era we are all living through.
Richard, you state that “cybersecurity and other IT (when combined) account for 19% of a typical plan” That is probably insufficient. My teams typically spent 20%-25% on IT audit activities. Its many years since IA departments didn’t address IT risks because they lacked expertise.