The IIA kicked off its General Audit Management (GAM) pre-conference sessions on Sunday in Dallas-Fort Worth, Texas, featuring a workshop on The Institute's 2019 North American Pulse of Internal Audit: Defining Alignment in a Dynamic Risk Landscape. The session, held exclusively for members of The IIA Audit Executive Center, was facilitated by IIA President and CEO Richard Chambers and IIA Managing Director, CAE Solutions, Harold Silverman.
Chambers began the workshop with a review of demographics from this year's Pulse report, noting that the survey's 512 respondents consist of 87 percent chief audit executives (CAEs) and 13 percent directors/senior managers. More than 40 percent, he added, have five or fewer years' CAE/director experience, and 25 percent have six to 10 years' experience.
Chambers noted this is a marked change, with longer CAE tenures reported in past years. He suggested the change could be due to reliance on rotational CAE models.
Organization types represented in the report include publicly traded (31 percent), financial services (30 percent), public sector (19 percent), privately held (10 percent), and nonprofit (10 percent). Most audit functions fell in the four-to-nine (37 percent) and 10-to-24 (26 percent) employee ranges.
"We're continuing to see growth in the profession in this country," Chambers told the CAE audience. Twenty-six percent of all respondents' functions experienced a staffing increase in 2018.
Chambers noted that, on average, four risk areas comprise the bulk of audit plans: financial reporting, including internal control over financial reporting (ICFR) and non-ICFR (22 percent); IT and cyber (17 percent); operational (16 percent); and compliance (16 percent).
He also cited the report's finding that 91 percent of audit functions at publicly traded companies report functionally to the audit committee, board, or equivalent. He said it was alarming, however, to see that 75 percent of audit functions in publicly traded companies are reporting administratively to the chief financial officer. "I thought we had broken away from that trend a few years ago," he told attendees.
Chambers and Silverman then began group discussions around four key risk areas identified in the Pulse report: emerging and atypical risks, cybersecurity and data protection, third-party risks, and board and management activity.
Emerging and Atypical Risks
"Internal audit has an opportunity to step up and play a role in helping companies identify and stay abreast of emerging and atypical risks," Chambers told the audience.
The session attendees discussed how internal audit can remain agile in addressing emerging and atypical risks, with one CAE noting that he dedicates a certain percentage of hours in the audit plan to being agile and responding to new requests.
Attendees also discussed how they communicate to — and get buy-in from — stakeholders when seeking to modify internal audit plans due to emerging and atypical risks. "We need to be agile in that we need to be ready to respond," Silverman noted, "but we're not changing our plan because something is new." It may be new, but not as important, he explained.
Cybersecurity and Data Protection
Silverman noted that 70 percent of CAEs say potential reputational damage from inappropriate disclosure of private data is a high or very high concern. It is one of the most significant events that a CAE or organization will encounter, he said.
There is a gap, however, between actual and desired assurance over readiness and response to cyber threats, according to the Pulse findings. CAEs report a 36 percent effort gap, and 51 percent of CAEs say lack of cyber expertise within the internal audit staff is an obstacle to addressing cybersecurity risk.
Silverman questioned internal audit's confidence to assess this area. When dealing with chief information officers, chief information security officers, and even CEOs, he said, internal audit hasn't done enough to show how it can add value in this area, so it doesn't have the respect of those groups.
Silverman also discussed Pulse findings pertaining to third-party risks. He said that 21 percent of CAEs describe third-party selection processes as ad hoc, weak, or nonexistent. Additionally, 48 percent of CAEs say third-party monitoring processes are ad hoc, weak, or nonexistent. Despite these findings, the average audit function allocates only about 4 percent of its resources to third-party risk assurance.
Board and Management Activity
Finally, the audience considered the materials shared with the board and whether internal audit is assessing them for completeness, accuracy, and timeliness. Fifty-seven percent of CAEs say they rarely or never discuss with the board and management the quality of information given to the board.
Silverman questioned whether boards have time to review the materials they receive and whether management teams are being completely forthright with boards regarding those materials. "Are they presenting a balanced perspective that shows not only risks in 2019 but thinking forward to 2020 and 2021 and what strategies are in place to get there?" he asked.
Only 49 percent of Pulse respondents strongly agree that management provides the board with all pertinent information related to risk, not just information that is supportive of the views of management. Fifteen percent somewhat or strongly disagree with that perspective.