My friends at Protiviti have issued a new Internal Audit Capabilities and Needs Survey. As usual, it hits several high notes, which it will address at a webinar on March 23.
The report highlights these "notable takeaways":
Play a leadership role – Help the organization evolve its risk management program and internal audit's role in it.
Support the C-suite and board agenda – Work with board members and executive management to focus on strategic risks, strategic assumptions and risk appetite.
Be prepared for continuous and ongoing change – New laws, regulations and standards (e.g., IFRS, Dodd-Frank Act) continue to alter the landscape.
Use technology effectively – Improve coverage, reduce costs, increase frequency and enhance effectiveness.
Internal auditing is still about people – Attract, develop and transfer out the best.
Add value – As noted in The IIA's definition of internal auditing, this is what internal auditors are supposed to do.
I agree that all of these are excellent points for any internal audit executive to consider. Let me add a few that are not included, some of which are "capabilities" that internal auditors need to address quickly.
The capabilities needed to assess risk management. Protiviti talks about understanding different elements of risk management, such as the 2009 global standard from ISO (31000), risk appetite, etc. But, internal auditors do not typically have experience or training in risk management and lack the confidence to assess its adequacy. Given the clear failures of risk management over the last few years, this is indeed a critical "capability" that needs significant improvement.
2. Provide assurance on governance, risk management, and related controls
- Although internal audit departments have provided assurance through traditional audits of controls at individual locations and within selected business processes, few have made the move to providing assurance on the organization as a whole.
- In addition, few have taken on the challenge of providing assurance on governance activities and processes, or on risk management. I expect to see IIA release guidance on auditing governance shortly, and they did issue a Practice Guide on assessing risk management last year.
- Departments need to move from the traditional audit of risks at a location, to auditing the management of risks that matter to the business as a whole. This requires a shift away from the concept of an audit universe to focusing audit attention on risks to the organization.
3. An internal audit strategy. It's one thing to have an annual plan (preferably one that is updated constantly, as risks change). It's another to have a vision for the internal audit function and a plan to get there. According to a recent IIA study, only about half internal audit functions have developed such a plan. (For more on recent IIA studies, click here.) By the way, staying where you are because you don't need to change is high risk — everybody needs to continue to grow, develop, and enhance their ability to deliver value.
What do you consider the top "capabilities and needs," and let's add "practices" to the list, that internal audit need to address with urgency?