During the last few years, internal auditing has faced significant criticism from both stakeholders and practitioners. Much of it centers around audit effectiveness and the profession’s ability to identify and report risks and failures, as highlighted in research from professional service firms. The IIA’s own 2019 North American Pulse of Internal Audit points to audit communication deficiencies and potential misalignment with corporate boards on risk areas. But does the profession deserve all of this criticism? Is it truly underperforming?
In my experience, senior management at publicly listed companies mostly views internal audit as a necessary evil — a nonessential service function that is either required by a listing exchange or by corporate boards. Otherwise, there is no general appetite to maintain an internal audit function unless the senior executive team, or the board, recognizes the value internal audit adds in providing assurance and improvement opportunities. Because internal audit is not valued, it is not granted sufficient operating budget, which limits the function’s ability to cover organizational risks.
Not surprisingly, many surveys of the profession reveal that internal audit struggles to attract and retain talent, is mostly underfunded, and lacks resources, including technology. Gartner’s 2018 Audit State of the Function report projected budgets increasing only slightly in 2019 and flat head count for 2019, consistent with prior years. And among respondents to Deloitte’s 2018 Global Chief Audit Executive survey, more than 40% said their audit functions lacked skills and talent; plus, only 21% used advanced analytics. How can the profession proactively identify and manage cutting-edge risks in areas such as blockchain, cybersecurity, and fraud when it does not have appropriate capital and technology?
But limited budgets and resources are not the profession’s only impediments — lack of control over internal audit’s activities and purview, as manifested through our organizational reporting relationships, also presents a problem. At most U.S. publicly listed firms, the chief audit executive reports administratively to the chief financial officer (CFO) and functionally to the audit committee. This configuration risks the CFO providing insufficient budget and other resources and using internal audit to complete projects and tasks not included in the audit plan — activities that might ordinarily fall on other CFO functions — thereby detracting from internal audit’s ability to conduct risk-based audits or complete its plan.
Given its limited budgets, inadequate technology resources, understaffing, and lack of autonomy, the profession does not deserve much of the harsh criticism it has received. Only when the audit function is truly independent and empowered will it be able to provide effective support to management and the board, sit at the forefront of risk management, and be able to proactively identify and help remedy corporate misconduct and fraud.