
The 5 Myths That Must be Challenged During “Internal Audit Month”
May 3, 2024
For Chief Audit Executives, Alignment Fuels Success
May 13, 2024Occasionally, important research or insightful thought leadership on internal audit falls under the radar. That may have been the case in March, when Deloitte’s Center for Board Effectiveness and the Center for Audit Quality (CAQ) released “Audit Committee Practices Report: Common Threads Across Audit Committees.” The report, based on a survey of 266 audit committee members, offers some timely information on audit committee priorities in 2024.
Part of what makes this report valuable is rare insight into audit committee members’ collective thinking about internal audit. Yet, not many in our profession appear to have taken note.
There was a time when the Big 4 and others routinely published reports that explored audit committee perspectives on internal audit. I don’t know why such insights are harder to come by these days, but when they are available, we should take advantage of their findings to raise our game.
Setting aside my disdain for reports that lump “finance and internal audit” into a single category (and, frankly, Deloitte and CAQ should know better), the report’s most valuable insight for us is concern about internal audit talent.
In fact, when asked to rank the top audit committee priorities over the next 12 months, respondents selected “finance and internal audit talent” as third, behind only cybersecurity and ERM. That’s some pretty impressive company.
Diving deeper into the results, there’s even more feedback on audit committees’ perception of internal audit:
“We also asked respondents to share perspectives on their internal audit functions. Overall, the majority of respondents view internal audit as both an effective function and one that adds demonstrable value. That suggests internal audit can bring the appropriate business acumen to its activities and provide dynamic internal audit risk assessments, not only in its role as an assurance provider but also to help anticipate and advise on the risks ahead. Yet, almost 80% of respondents agreed or strongly agreed that there is opportunity for internal audit to add more value. This view may be more a reflection of the talent crunch and rapidly changing business environment than of any discontent with the internal audit function itself, but it is still a point worthy of consideration.”
The report stops short of exploring where talent gaps exist or what aspects of talent need to be upgraded. But when I speak to audit committees, I find six critical skills that would strengthen internal audit:
- Technology acumen. In the digital age, internal auditors must possess a solid understanding of technology and its impact on business processes, controls and risks. Internal audit candidates with IT acumen can effectively leverage technology to enhance audit effectiveness, efficiency and relevance. Additionally, strong internal audit job candidates should possess a level of technology acumen that includes an understanding of IT general controls, the ability to evaluate system configurations, and the ability to audit IT processes, such as change management and access controls.
- Critical thinking and problem-solving. Internal auditors must possess strong critical thinking and problem-solving skills to effectively assess risks, evaluate controls and identify root causes of issues. Newly recruited internal auditors should demonstrate analytical rigor, creativity and the ability to think strategically to address complex audit challenges effectively.
- Risk-management acumen. In an era of uncertainty and volatility, internal auditors must possess strong risk-management skills. Internal audit candidates should be adept at conducting risk assessments, developing risk-mitigation strategies, and evaluating the effectiveness of risk-management processes within organizations.
- Data analytics and data science. With the proliferation of big data and advanced analytics tools, proficiency in data analytics is paramount. Internal auditors should be able to gather, analyze and interpret large datasets to identify patterns, anomalies and trends, enabling more effective risk assessment and audit planning.
- Cybersecurity expertise. Beyond general technology acumen, internal auditors should have a deep understanding of cybersecurity principles and practices. Indeed, internal audit candidates with expertise in assessing cybersecurity risks, evaluating controls and recommending mitigation strategies are highly sought.
- Understanding of AI concepts and applications. It’s becoming increasingly important for internal auditors to have a foundational understanding of AI concepts, such as machine learning, natural language processing and predictive analytics. This includes knowledge of how AI algorithms work, their applications in business processes, and their potential impact on audit procedures and outcomes.
The Deloitte-CAQ survey asked additional questions about internal audit. For example, the report found overall satisfaction (a combination of those who “agreed” or “strongly agreed” with the questions asked) with internal audit. But I was a bit troubled by the tepid percentage of audit committee members who “strongly agreed” with these statements:
- Internal audit has a high level of understanding of business operations: 43%.
- Internal audit is effective in assisting management in identifying new risks: 29%.
- Internal audit professionals (other than the CAE) bring needed insights to stakeholders: 19%.
- Internal audit plans are promptly updated in response to emergent risks: 35%.
I’m sure some of you may feel I’m being too negative. Afterall, when those who “agreed” with the second statement about identifying new risks are factored in, the total percentage of “agreed” and “strongly agreed” soared to 86%.
But let’s be honest: How many of us really believe our audit committee members think we are effective in helping management identify new risks? It’s more likely the 29% who marked “strongly agreed.”
I have been writing a lot this year about the dangers of complacency. I would not let results of the Deloitte-CAQ survey lure me into a sense of complacency.
Despite implications in the report that internal audit is on audit committees’ radar, I find oversight of internal audit by typical audit committees to be woefully inadequate. In fact, the most popular blogs I have written in 2024 deal with that topic. But I thank Deloitte and CAQ for the report and the insight it provides into what’s on audit committee members’ minds when it comes to internal audit.
I welcome your feedback on my perspectives via LinkedIn, X or by email to blogs@richardchambers.com.
I welcome your comments via LinkedIn or Twitter (@rfchambers).