We have some recent surveys and reports on this topic.
Thomson Reuters, a software vendor that has provided internal auditors with audit management solutions for many years (formerly known as Paisley), has published State of Internal Audit report 2014: Adapting to Complex Challenges. Grant Thornton, a CPA firm, shared the results of their CAE survey, Adding internal audit value: Strategically leveraging compliance activities.
If you are going to assess the state of internal auditing, your survey has to ask the right questions. I am not persuaded that either organization did this.
Both talk about the increasing burden on internal auditing.
But while Grant Thornton talks as if internal audit is and should be consumed by compliance (implying that internal audit bears responsibility at least in part for compliance with ever-increasing compliance requirements), Thomson Reuters talks more accurately about the growing complexity of the world in which we operate:
"The survey has demonstrated that the world and work of internal audit continues to be as complex, and challenging as ever. Both the volume and diversity of issues that internal auditors need to understand and assess continues to increase globally and across all industries."
To Grant Thornton's credit, they talk about different risk areas. But, they fail to mention the need for internal audit to assess and provide assurance on the effectiveness of organization's management of risk.
While all CAEs should have a quick look at the Grant Thornton survey, I find it lacking and without great value.
This is disappointing for an organization that provides internal audit services.
The Thomson Reuters document is better.
I especially like the fact that it discusses whether internal audit is doing enough with respect to governance processes and organizational culture. (The answer in both cases is "no.")
However, like Grant Thornton, they don't mention (except perhaps as part of the assessment of governance processes) the need for internal audit to assess the management or risk.
Whether they asked the right question or not, I am disappointed that internal auditors, according to the survey, remain entrenched in providing assurance on internal control processes and have not upped their game (or reached the new "floor" as PwC puts it) and moved to providing assurance on the management or risks.
Controls exist to manage risk and we cannot say controls are adequate without considering whether they manage the risks that matter to the business.
Which is of more value: saying controls are good or the management of risk is effective? Clearly, it is the latter.
Thomson Reuters start their concluding paragraphs with this wisdom:
"The future risk and control landscape for internal audit is evolving and in some areas is beginning to change quickly. Against that background it is notable that the results of the Accelus State of Internal Audit Survey, at a high level, have remained relatively unchanged for the last few years. Is there a risk that internal audit is being left behind, relying on outdated mind sets, historic practices and old methodologies? It is too early to tell, but there is no doubt that remaining unchanged in a changing world does no one any favors — not the firm, not the customer and certainly not the internal auditor."
I am seeing some progress with internal audit departments getting more involved through assurance and advisory services to help their organizations manage risk effectively across and throughout the organization.
It is time for every internal audit function, including those in co-sourcing organizations, to upgrade their skills, tools, and mindsets — helping organizations navigate to achieve their objectives in a world of dynamic and disruptive change.
What do you think?