The 2017 Internal Audit Planning and Staffing Priorities Report from MISTI shares the results of a survey of more than 600 internal auditors in North America. (I am not sure the results would be much different if the survey obtained responses from a global group.)
I can't say that the results are surprising. Disappointing, perhaps, but not surprising. After all, this why I wrote Auditing That Matters!
Here are some excerpts from the MISTI report:
- To truly add value to their organizations, many internal audit leaders need to look beyond traditional internal audit focus areas, such as procurement and travel and expense reporting, and take a more critical look at functions and processes that really make organizations grow and become more profitable, such as sales and marketing, product innovation, and leadership development.
- Here, the survey identifies a disconnect: While the vast majority of respondents say they use risk assessments to formulate audit plans, few seem to be focused on the biggest threats facing most businesses, such as sales declines, aging product lines, or the loss of key employees. Fewer than 15 percent are looking at anything related to these categories, while tried and true topics, such as accounts payable, compliance and ethics, and travel and expenses remain the most common.
- "CAEs say they are developing risk-based audit plans," says Tom O'Reilly, vice president and general manager for internal audit and seminars at MISTI. "But what we find is that there is still a lack of correlation between what internal audit is focused on and what CEOs are typically focused on."
- Many are finding it difficult to attract and retain talent with the skills and competencies to reposition internal audit to assess what really matters in the organization and provide value.
- More than a third (35 percent) say they expect the resources for internal audit to increase, 57 percent expect them to stay the same. And more than half (55 percent) consider the resources they have adequate to do the job, even if they might like more.
- A full 89 percent say the products and services provided by internal audit meet or exceed audit committee expectations, proportions that hold true for both audit staff and audit executives.
The MISTI survey was of internal audit professionals. Surveys of audit committee members and executives do not show the same level of confidence that internal audit is contributing the value it should.
As the report says, few internal audit functions are auditing the areas that are of concern to the CEO — the areas he or she is focusing on, typically those that relate to the success of the organization.
I believe there are a number of reasons, each of which needs to be addressed if internal audit is to audit what matters, contributing the valuable insight and assurance our stakeholders need.
- Have a deep understanding of the business: its operations, organization, people, and extended enterprise (such as partners and suppliers).
- Understand not only the enterprise objectives and strategies, but what is necessary to achieve them — in other words, not only what could go wrong but what needs to go right.
- Discard the traditional audit universe (obsolete thinking) in favor of a risk universe. The latter is the set of risks to key enterprise objectives. If risk management is effective, leverage it as much as you can. If it is not, then work hard to help management improve it.
- Build and maintain the audit plan to address the risks that matter — what needs to go right as well as what could go wrong — with the goal of helping the organization achieve or exceed its objectives.
- Be agile. Strip every audit down to essentials so it can deliver results to our stakeholders when they need them. Update the audit plan continuously, always asking, "is this the right audit to do next?"
- For every audit, every communication, ask whether it is something that will provide actionable information that executives and/or the board need. If not, then question why you are doing the audit.
- Make sure you have the resources to address the risks that matter. If necessary, change the resources and tools of the department.
- Question whether there is any part of your process that can be discarded to improve the efficient delivery of the actionable information your stakeholders need. For example, what is the value of working papers? Why do you write an audit report?
Of course, there is more in the book. You might also read Richard Chambers' book on Trusted Advisors.
Questions for you:
- Does your audit department address the risks that could affect the achievement of enterprise objectives like EPS growth, revenue growth, customer satisfaction, and product innovation?
- Does it provide insight and assurance that merits the attention of the full board? Do they report issues that require action by the CEO and discussion by the full board?
- If the internal audit function disappeared, how would that affect the achievement of enterprise objectives?
Please join the discussion by clicking on the Subscribe button below.