In today’s ever-evolving business environment, it is clear that internal auditors need to constantly align — and realign — their audit coverage to address emerging risks and avoid damaging surprises. But are audit functions up to the task?
The latest North American Pulse of Internal Audit report from The IIA’s Audit Executive Center indicates they are — to an extent. More than half of the 311 CAE and audit management level respondents to the Pulse survey say internal audit’s biggest challenge in continuously assessing risks is its ability to identify emerging risks and incorporate them into the audit plan. However, nearly 90 percent of respondents say their audit planning is designed to be responsive to changes in the organization’s risk profile.
To be sure, 61 percent of respondents say their audit functions have the resources and expertise to assess risks continuously and analyze their potential impact to the business model. However, audit functions are waging a battle for talent, with 40 percent of those surveyed saying attracting and retaining talent is a high or critical priority.
The need for both a broader and deeper understanding of critical business issues comes across loud and clear in recent research by the ERM Initiative at North Carolina State University. According to the study, 59 percent of senior finance executives say the volume and complexity of risks facing their companies have changed “extensively” or “mostly” in the last five years. And 65 percent say their organization was caught off guard by at least one operational surprise “somewhat” or “extensively” during that time.
Continuous assessment of emerging risks can be more of a challenge for small internal audit departments than for larger, better-resourced functions. In our cover story, “Small Audit Functions, Big Ideas,” author Arthur Piper looks at the practices some small audit departments implement to ensure they provide comprehensive, continual assessments of the risks facing the organization.
According to the Pulse report, geopolitical, macroeconomic, and cyber-related risks will put enormous pressure on many internal audit functions to raise their game. Given the significance of these emerging risks, it is imperative that internal audit functions be able to assess risk on a continuous basis. As the authors of the report state, “In today’s fast-paced operating environments, internal auditors need to audit at the speed of risk.”