By Richard Chambers | April 6, 2022
Several reports in recent months paint a picture of a profession that is agile enough to pivot in the face of risk-induced disruption from the pandemic, and one that can be resilient in terms of its resources. However, upon closer look, many of these reports also reveal storm clouds building on the horizon. There are at least five signals from these reports that internal auditors should heed before our hard-earned stature shows serious signs of erosion:
Internal audit is losing ground in its reporting relationships. One of the most jaw-dropping statistics in the IIA’s recent 2022 North American Pulse of Internal Audit report is that 76% of CAEs at publicly traded companies say they work administratively for the CFO! I have never been shy about sharing my views on this reporting relationship. While many CFOs fully respect the need for internal audit to remain independent, and for internal auditors to be objective, the optics indicate that CFOs who “own” internal audit are more likely to use the function to focus on their own priorities. Even more alarming is that only 4% of respondents are concerned about reporting lines. That is, by and large, a uniquely American problem, and fortunately it isn’t widespread in either the public or not-for-profit sectors. But the number of internal audit functions reporting to the CEO in publicly traded companies appears to be retreating. That is not a good development.
Too many internal audit functions are the “SOX shops” in their companies. Another troubling statistic from the Pulse report is that 60% of publicly traded companies’ internal audit functions report they also have SOX program management responsibilities. This statistic is likely influenced by the number who work administratively for the CFO. Either way, it signals that we are not as risk-centric as we profess. While accurate financial reporting and SOX compliance are important, they are not risks that warrant a continually heavy focus of professional internal auditors. Compliance is a management responsibility. Internal audit should provide assurance over the effectiveness of compliance, not be the day-to-day control testers.
When internal auditors lack expertise to address a critical risk, sadly they often avert their eyes. The IIA has been concerned about this phenomenon for years. It is a risk that inevitably leads to the uncomfortable question of “where were the internal auditors” when things go bad. Pulse reports that 85% of respondents rate “cybersecurity” as a high or very high risk, but it only accounts for 11% of internal audit plans. Allocation of resources to cyber risks is lower than to compliance and regulatory risks, operational risks, and internal controls over financial reporting (SOX). In a recently released Gartner survey, 53% of respondents said they believed “inadequate assurance over cybersecurity” was an important or extremely important issue in 2022. As Gartner observed, “A hot jobs market, and increasing demands on auditors, mean that many audit leaders are struggling to retain the staff they have. . . . Over a third of audit leaders report that high-performing talent is leaving their organization.” If we lack the skills or expertise to address a critical risk, we must acknowledge the gap with management and the board. And until we can acquire the skills or upskill our existing team, co-sourcing or other strategies are essential to addressing complex or emerging risks.
We lack confidence in our ability to address new and emerging risks. In a LinkedIn poll I conducted last year, I asked internal auditors to identify the most significant strategic risk that the profession will face in the decade ahead. The top risk (by more than double the next closest) was “the internal audit profession keeps missing emerging risks.” In an era when risk velocity and volatility have converged to wreak havoc, this concern doesn’t surprise me. Yet, the profession isn’t demonstrating a lot of confidence in its ability to overcome this strategic risk. In fact, 74% of CAEs in the Pulse survey rate “responding to new and emerging risks” among their top three concerns (and more than twice any other concern). If we are not able to identify and address new, shifting, or emerging risks, we will likely end this decade with far less stature than we have today.
Our resource outlook is less promising than it has been in more than a decade. In 2005, I was part of a team that launched PwC’s annual “State of the Profession” surveys. When I joined The IIA in 2009, we continued the tradition. Among other topics, we probed annually on the resource posture and outlook for internal audit. Both at PwC and later at the IIA, I was encouraged by the outlook for internal audit to acquire additional resources to address new and emerging risks. However, the 2022 Pulse report finds that only 24% of CAEs anticipate budget increases in the year ahead – the second-lowest percentage in the 14-year history of the IIA survey. As Gartner pointed out, many CAEs are struggling simply to retain the staff they have, and all signs point to talent-management struggles in the year ahead.
There are certainly other risks facing the profession, with the use of technology perhaps the most glaring. More than half of Pulse respondents rate technology tools as the most helpful enabler to increase internal audit maturity, and 68% would invest more in data analytics software, if the resources were available. Yet, 56% told Gartner that “making the leap to more advanced analytics applications” is among their top challenges in 2022. What’s more, CAEs have the least confidence in being able to address the analytics issues.
Lest there be too much despair over the concerns I share here, it’s not the first time I’ve sounded the alarm. As I observed in a 2011 blog post, surveys signaled that the glass was only half-full for internal audit despite some remarkable successes. I said it then and will repeat it here: As we navigate the remainder of 2022 and beyond, it is imperative to heed the warnings and “fill the glass.”
I welcome your thoughts.
I welcome your comments via LinkedIn or Twitter (@rfchambers).