With today’s rapidly changing risk and regulatory landscapes, internal audit is playing an increasingly important role in organizations’ governance, risk, and compliance (GRC) efforts.
However, a recent report from the Institute of Internal Auditors (IIA) reveals that many businesses struggle with aligning internal audit functions to key risk areas.
Based on a survey of more than 500 chief audit executives (CAEs) and managers in North America, the IIA’s 2019 Pulse of Internal Audit report identifies several areas that tend to get neglected in internal audit plans and resource allocation:
- Cybersecurity and data protection
- Third-party / vendor risk
- Emerging and atypical risks
- Board and management activity
Internal Audit Priority #1: Cybersecurity
Even though cyber and IT issues represent nearly 20% of the average audit plan, survey data indicates that audit planning, skills development, and resource allocation are still primarily focused in more traditional, lower-risk areas such as operational risk or financial reporting.
Yet nearly 70% of CAEs rate cyber risk as high or very high at their organizations. So why the disconnect between recognizing cybersecurity as a critical risk area and making it an internal audit priority?
The IIA suggests that an “effort gap” may be part of the problem. That is, many internal audit departments report a discrepancy between their current efforts versus what is needed to provide effective assurance over key areas of cybersecurity.
Audit executives pinpointed the biggest gap in the area of providing assurance over readiness and response to cyber threats. Forty-six percent of organizations said they currently deliver extreme or significant effort in this area, while 82% said they need to deliver extreme or significant effort.
According to IIA researchers, this gap may suggest that 1) Internal audit is failing to adapt quickly enough to changing risks and stakeholder needs, and 2) There may be misalignment between enterprise risk and audit plan priorities.
Contributing to these challenges, internal audit teams are facing a number of common obstacles to addressing cyber risk, including:
- Lack of cybersecurity expertise among internal audit staff
- Lack of cooperation or communication from IT department
- Lack of support from executive management to address risk
Internal Audit Priority #2: Third-Party / Vendor Risk
Despite the fact that organizations rely heavily on third parties in key risk areas such as IT, vendor risk management is frequently underrepresented in the internal audit function.
Survey responses showed “minimal audit plan allocation for examining third-party relationships” — the average audit department dedicates only 4% of its resources to vendor risk assurance.
Nearly half of CAEs view their organization’s oversight of third-party relationships as ad-hoc, weak, or non-existent. Only 9% describe organizational vendor monitoring processes as strong, and more than two-thirds of executives express some level of dissatisfaction with their organization’s third-party risk management.
Researchers point out that vendors can increase risk in a number of categories, from cyber and fraud to operational and reputational risk.
“Organizations cannot afford to view risks related to third-party relationships as separate from the organization’s own risk landscape.”
– IIA Pulse of Internal Audit
This risk exposure — and the clear lack of oversight at many organizations — should prompt internal audit departments to re-examine vendor risk as an internal audit plan priority.
Internal Audit Priority #3: Emerging and Atypical Risks
Internal audit frequently has little involvement in identifying and assessing emerging or atypical risks. Boards are much more likely to rely on subjective input from executive management to gather information about organizational risk, rather than the objective metrics provided by the risk management or internal audit functions.
In addition to pointing to the value of internal audit seeking greater involvement in this area, the research shows room for improvement. Survey results indicate that only 30% of internal audit departments effectively leverage advanced data analytics to identify and assess risk. Furthermore, fewer than half identify and monitor key risk indicators (KRIs).
This suggests that better analytics and integration with other risk management functions could help internal audit teams become a valuable source of risk data.
Internal Audit Priority #4: Board and Management Activity
Growing regulatory pressures are increasing organizations’ focus on board and management oversight. The survey sought to gauge internal audit’s role in providing assurance on the information boards receive and whether they’re getting a holistic view of enterprise risk.
The majority of CAEs surveyed (60%) said that internal audit rarely or never provides assurance on management information sent to the board. Researchers concluded that current reporting practices may be hindering internal audit’s ability to communicate important findings, given that “variances in audit committee structure and responsibility…create the real possibility that in some organizations internal audit is not involved with committees that handle critical issues, such as cybersecurity or overall risk governance.”
These findings highlight the importance of robust reporting capabilities and effective integration between departments and business units.
How to Get Your Internal Audit Priorities Straight
This research indicates that internal audit departments need to realign their priorities with their organization’s current risk landscape. If your organization finds itself in a similar situation, Quantivate can help. Our Internal Audit Software provides tools for risk assessment, resource planning, reporting, and more to ensure your organization can implement a consistent, structured auditing framework that integrates with other organizational risk management activities.
Ready to implement a GRC toolkit for your internal audit team? Explore how the Quantivate Audit Software Bundle unlocks deeper integration and data-sharing that increases coordination with other risk management efforts.