Opportunities for Alignment

OnRisk 2022 identifies where gaps in risk perception lie among stakeholders, and how internal audit can better respond to expectations.

The lingering impact of the COVID-19 pandemic has changed the risk landscape for most organizations, with many prioritizing risks differently as business activity edges closer to pre-lockdown levels. While respondents to last year's IIA OnRisk report rated risks that had an immediate impact on operations most highly — such as third-party risk management and board information — this year respondents prioritized risks that are likely to have a longer term impact on the future success of the business.

Talent management and culture, for instance, have risen from the bottom-placed risks in last year's report to second place and fifth place, respectively, this year. This could partly be due to organizational unease about how to balance a return to the workplace with remote working, but also to internal audit's awareness of its relative lack of experience in dealing with risks related to human resources. Organizational governance also has moved up to third place. Meanwhile, third-party risk and supply chain disruption have noticeably dropped down the list.

Like last year, the latest survey's findings are based on qualitative interviews with 30 board members, 30 C-suite executives, and 30 chief audit executives (CAEs) from 90 different North American organizations. At the top of the 12 risks listed remains cybersecurity — and respondents expect it to stay there for some time. Alongside talent management and culture, disruptive innovation and economic and political volatility round out the list of top five risks that respondents identified as those they expect to increase in relevance in the next three to five years. 

However, with the exception of culture, where there was strong alignment among the key risk players, the other four key risks for 2022 also had the largest gaps between risk relevance, organizational capability, and personal knowledge, with talent management being the highest (a 46-point relevance-capability gap) and cybersecurity coming second (with a 45-point gap). 

Experts say such misalignment is a serious cause for concern. But they add that internal auditors should view these findings as an opportunity to grow. Where there is misalignment among internal auditors, boards, and management, "internal audit can play a key role in driving the education, alignment, and assurance around enterprise risks for the business," says Bethmara Kessler, an internal audit advisor and former CAE based in Chicago. 

Impact of ESG and the Pandemic

Among other key risk areas (see "Areas of Misalignment," below), the survey found that perceptions vary greatly across environmental, social, and governance (ESG) components. While alignment among the three groups is relatively strong on these risks, organizational governance holds far greater relevance for respondents than do social sustainability and environmental sustainability. Indeed, one manufacturing C-suite executive characterized the focus on ESG risks as "more of a gimmick for customers than a real market-driven desire," while one finance CAE said a lack of clear direction or standards for measuring and reporting ESG hampered progress.

Such views are regarded differently in Europe, where ESG risks and reporting are generally regarded as being taken more seriously by companies, regulators, and stakeholders. John Chesshire, audit committee chair and director at audit consultancy JC Audit Training in Oxford, U.K., is surprised that environmental sustainability is not viewed as one of the top five risks respondents expected to increase in relevance in the next three to five years. "I wonder whether this risk would have crept into the list if the survey had been run in Europe," he says. "My instinct is that it would have." Other European internal auditors interviewed share these sentiments.

As well as highlighting gaps in risk management priorities, the survey also points to several "upsides." For instance, the pandemic has revealed opportunities to improve organizational risk management. COVID-19 may not have improved the ability to predict risks, but it has increased confidence for many in reacting to risks. For others, it has provided a wake-up call on how they manage risk and the added challenges associated with managing risk in decentralized or siloed conditions. 

One board member at a nonprofit organization said the pandemic "has made us aware that there are scenarios that might happen in the future that we have to manage, and now we're hyper aware of shortfalls of our risk approach." A retail industry board member, meanwhile, saw the good and bad in the pandemic-induced introspection. "It showed us that we weren't really good at predicting risk, but I think we reacted very well. It made us aware of scenarios that might happen in the future and how we will handle them."

Areas of Misalignment

While the largest alignment gaps were found among key areas such as culture and governance, gaps were also alarmingly wide for other areas, including data privacy, supplier and vendor management, and environmental sustainability. The largest variation between two respondent groups on capability — 23 points between the C-suite and the board — was around disruptive innovation, where just two in 10 respondents rated capability as high. 

For talent management and environmental sustainability, the capability rating was 20 points lower for board respondents compared to their C-suite counterparts. It was 13 points lower for organizational relevance. Meanwhile, CAEs were less confident in their organization's ability to address supplier and vendor management risk. Their ratings were 20 points lower than board respondents and 16 points lower than the C-suite.

While alignment generally between the key risk players is good, similar variations were noted in risk relevance ratings. Boards were significantly more likely to rate disruptive innovation as a highly relevant risk (77%) than were senior executives (50%). This 27-point variance was the greatest between any two respondent groups in the risk relevance ratings. Meanwhile, nearly every CAE (97%) rated cybersecurity as a highly relevant risk to his or her organization, but board respondents lagged by 10 percentage points (87%) and the C-suite lagged by 20 percentage points (77%).

CAEs also were more likely to describe supplier and vendor management as highly relevant — 17 points higher than the board and 10 points higher than the C-suite. A similar 17-point difference is noted between CAE and board ratings for economic and political volatility. 

Challenges and Opportunities

The survey also found that senior executives and boards desire broader scope for internal audit services, which offers the profession an opportunity to demonstrate the value of independent assurance across a wider spectrum of risks. Experts say the profession must act fast to capitalize on these demands, and it must address some of the shortcomings that are evident from the study's findings.

Break out of the Box

"Boards and senior management want internal audit to get more involved in nontraditional audit areas — especially strategic risks — rather than to continue focusing primarily on providing financial assurance, Sarbanes-Oxley, and other regulatory compliance," says Karen Brady, corporate vice president and chief compliance officer at Baptist Health South Florida in Coral Gables, Fla. "Executives and the board want us to be trusted advisors on a range of strategic issues rather than just financial assurance providers."

Brady also says internal audit's stakeholders want the function to "break out of the box" and step up their identification of emerging risks, as well as their responses to them. But she notes that these expectations will require internal auditors to upskill. "It is not an option for internal audit to say it can't help," she says. "We have to be seen as adding value to the organization."

Brady adds that some of the risks where there is a large gap between relevance and capability "should be in internal audit's wheelhouse" — including environmental sustainability and talent management. "People are the driving force of any business, and any problem in trying to attract, retain, and nurture talent in-house must be considered as a key business risk that CAEs need to be aware of," she says. "An audit of the organization's talent management should be considered for any risk-based audit plan."

Mind the Gaps

Tim Berichon, The IIA's director of Global Advocacy, says the survey's findings pose big questions for internal audit functions. "All the risks we asked about had higher risk relevance ratings than organizational capability ratings, with some having more significant gaps," he says. "I get the lag, but internal audit needs to work out how big the misalignment is, why it is happening, and whether there are any opportunities that can be leveraged within these gaps." He adds that organizations' enterprise risk management programs can use their internal audit functions to more frequently — if not continuously — scan and assess new and emerging risks "to reduce the element of surprise."

Berichon says organizations need to look at all the risks that have a higher potential impact even if they have a lower likelihood, but he points out that the survey "raises questions about whether many do so, or if they do it well." He also says organizations should use their internal audit functions to try to stay ahead of fast-emerging areas like ESG reporting, an area Berichon thinks could be "the next Sarbanes-Oxley" in terms of reporting requirements. "Organizations should consider using their internal audit function's experience and expertise to not just advise on internal control frameworks or to provide assurance on financial reporting, but as experts on internal controls over anything," he says.

He adds that boards and management should consider using their audit functions to perform the OnRisk methodology at their own organizations to discover gaps in risk appreciation and awareness. "It would be a great discovery if there is any significant misalignment among the key governance players and if there are any key risks that have higher risk relevance but not adequate confidence in organizational capability," Berichon says.

Demand for Broader Services

For some, the survey's findings demonstrate how volatile and uncertain the world is, and that there is a vital need for internal audit to step up to help boards mitigate risks but — equally importantly — realize opportunities. "There's a lot going on — a lot that presents challenge and a lot that can present opportunity for our organizations," Chesshire says. "Getting that balance right, and successfully navigating these waters of volatility, are clearly vital, and internal audit must actively contribute to this or face the dangers of irrelevancy."

Despite a clear message from senior executives and boards that they want a broader scope for internal audit services, "the question is: Why are we still not quite nailing this?" Chesshire says. "An effective, 21st century internal audit team must cover far, far more than just financial and compliance risks." 

The fact that boards have consistently asked for more from the function in numerous audit surveys over recent years — but seemingly don't get it — suggests there are some clear challenges for internal audit as a profession, particularly around skills, Chesshire says. "Do we invest enough in training, development, and gaining the skills we need to provide insightful assurance and consulting engagements that truly support our organizations in addressing these complex, multifaceted challenges?" he asks. "I'm not sure that we do, and I'm certain we need to do more." 

Strategic Upsides

Phil Tarling, a corporate governance and internal audit consultant, shares Chesshire's views. He agrees that the profession is not performing as it should be and needs to improve. "As many of the findings are the same as previous years, internal audit should have taken the relevant action by now," Tarling asserts. For example, he says, "cybersecurity has been a major risk for the last five years, and any internal audit unit that has not had a serious focus on this area already has been lacking in its coverage. Talent management and culture, although maybe not identified as key risks for as long, have been on the risk agenda for some years and should also have already been within the function's focus for the last few years, too."

Tarling also says that if internal audit is to be taken more seriously and included in more strategic areas, it should be constantly looking for potential strategic upsides. "With the pandemic's impact on making governments more protectionist, internal audit should be focused on what is being done to identify opportunities for the organization to change partners to national newcomers that may have emerged in the supply chain," he says. "Internal audit should also look to see what is being done to identify new opportunities for the organization to expand into." 

Kessler says internal audit needs to be a lot sharper about identifying and leveraging opportunities where it can provide boards and senior management with useful input, particularly as the pandemic has put risk management and business resilience at center stage. "The profound changes driven by the pandemic and broader economic volatility are leading executives and boards to be more open to changing how their businesses manage enterprise risks," Kessler says. "This provides a window of opportunity for internal audit to be at the table or take the lead in making those changes happen."

Beyond the Comfort Zone

Kessler says there is an openness and desire from executives and the board for internal audit to play a bigger role in providing assurance beyond financial and compliance risks, which is "terrific news" for the profession. "Internal audit is being given a vote of confidence around its ability to retool knowledge, skills, and scopes of work to deal with more strategic business risks," she says. However, Kessler warns that internal auditors can no longer "just focus on providing assurance for the areas where they are most comfortable and avoid those where they are not." 

Part of the problem is that "it is apparent that internal audit is not very comfortable with its capability to deal with new or emerging risks," says Liz Sandwith, chief professional practices advisor at the U.K. and Ireland's Chartered Institute of Internal Auditors. "The survey shows that internal audit rates its capability to deal with the traditional risks, such as organizational governance, very well, but the low ratings for risks such as talent management and culture show a worrying sign of where there are significant problems."

Sandwith is also surprised to see several current risks missing from the list of key risks — namely workplace health and safety, as well as insolvency. "The pandemic is still ongoing and remote working is still very much a reality," she says. "The financial viability of many organizations is also very precarious and could result in some major corporate collapses and further supply chain and economic disruption. I would have thought these issues would have merited their own ratings on the list of key risks."

But internal audit is not the only area where there are shortcomings. Sandwith points out that some of the comments made by executives and board members included in the survey are also far from encouraging. One board member at a financial services company says the firm prioritizes paying attention to risks that it can control, for example. "I strongly disagree with this sentiment," Sandwith says. "Some risks have the power to bring an organization to its knees. A reluctance to prioritize them because they are more difficult to control is a very dangerous attitude to have."

Looking for Opportunities

Undoubtedly, the survey highlights areas where internal audit is struggling, particularly around risks such as talent management that may be unfamiliar to many CAEs. Internal audit's "misalignment" with executives and board members around risk relevance, as well as the lack of perceived capability to mitigate these risks, is also a real concern. But experts say that CAEs can turn these negatives into positives easily by looking for the upsides of these problems and turning them into opportunities for internal audit to do more, provide better assurance on a broader range of issues, and interact more deeply with management and the board.

Neil Hodge

About the Author

Neil Hodge is a freelance journalist based in Nottingham, U.K.

