There is a growing disconnect between the escalating demands placed on internal audit functions and their limited capacity to address emerging risks.
According to a new report from AuditBoard, internal audit teams face significant bandwidth constraints.
Those with Sarbanes-Oxley (SOX) responsibilities allocate a mere 15% of their time to advisory work, while teams without SOX duties fare only slightly better, dedicating 21% of their time to such activities. This limited capacity for advisory work is particularly concerning given the increasing stakeholder expectations placed on internal audit functions.
Indeed, the report highlights a growing demand for risk-related work from internal audit teams. A majority of CFOs (55%) and half of audit committees and boards are requesting increased involvement in risk-related activities. This external pressure is mirrored internally, with 61% of Chief Audit Executives (CAEs) actively pushing to take on more responsibilities. These figures underscore the expanding role of internal audit in today’s complex risk landscape.
As internal audit teams seek to meet these growing expectations, certain focus areas are emerging as priorities. Integrated Risk Management (IRM) is identified as the top area where CAEs believe they should have more responsibility.
Additionally, Enterprise Risk Management (ERM) and continuous monitoring of key processes rank high on the priority list. This shift in focus reflects the evolving nature of risk management and the need for more comprehensive, integrated approaches.
However, the report also exposes a significant maturity gap in risk management practices. A staggering 96% of organisations lack mature IRM programs, with only 4% of CAEs reporting an IRM strategy and approach that is working well. This gap between aspiration and current capabilities presents both a challenge and an opportunity for internal audit teams to lead the way in developing more sophisticated risk management practices.
Despite recognising the need for improvement, many internal audit teams are struggling to optimise their processes. While 87% of CAEs see opportunities to enhance traditional internal audit processes, nearly half admit they’re not actively working towards making these improvements. This inertia, likely due to resource constraints and competing priorities, highlights the need for a strategic approach to process optimisation that can help internal audit teams create more capacity for value-added activities.
Time for a connected risk approach?
“Taking the lead on connected risk is a natural evolution of internal audit’s role given their wide range of governance, risk, and compliance expertise coupled with their deep cross-functional relationships,” says Tom O’Reilly, Field Chief Audit Executive and Connected Risk Advisor at AuditBoard.
To address these challenges, the report advocates for a “connected risk” approach – a modern, cross-functional strategy for managing risk across the enterprise. This approach aims to break down silos, increase alignment, enable collaboration, unify data, and automate key processes.
The report outlines a roadmap for internal audit teams to build the foundations for connected risk:
1. Modernise internal audit processes
This step involves optimising internal audit activities to free up time for more strategic work. The report suggests focusing on two key areas:
- Reducing time spent on SOX compliance by educating control owners, automating routine tasks, delegating appropriate responsibilities, eliminating unnecessary work, advocating for the SOX program, and increasing reliance on management’s work.
- Optimising internal audit activities by developing an actionable strategic plan, focusing on risks that matter, automating manual processes, improving real-time reporting capabilities, and ensuring audits are completed by staff with appropriate competencies.
2. Conduct a data governance review
This foundational project aims to establish a baseline understanding of an organisation’s key data. It involves:
- Identifying the organisation’s key data, including intellectual property and other critical information.
- Documenting where this data is located (network or physical location).
- Determining who has access to the data.
- Assessing what controls are in place to protect and monitor the data.
3. Perform assurance mapping
This process helps understand who is performing assurance work for the organisation’s key risks and controls. It involves:
- Identifying the organisation’s key risk areas.
- Documenting which internal and external teams provide assurance over these risk areas.
- Mapping out the controls, workflows, processes, strategies, and projects these teams have for each risk area.
- Identifying areas of duplicative effort and gaps in assurance coverage.
4. Assess technology maturity
This step involves inventorying and evaluating the technologies currently used for audit, risk, and compliance. Key aspects include:
- Identifying all audit, risk, and compliance applications used in the organisation.
- Assessing the ease of sharing data across these applications.
- Evaluating the level of effort and costs required to periodically update each application’s data.
- Considering the potential for leveraging purpose-built platforms that enable automation, data analytics, and real-time reporting.
5. Establish shared risk definitions
This final foundational project aims to create a common language and approach to risk across the organisation. It involves:
- Assessing different risk rating systems used across teams and agreeing on a consistent taxonomy.
- Identifying common risk attributes that can be used in future risk assessments.
- Establishing thresholds for risk appetites and risk tolerance.
- Agreeing on shared Key Risk Indicators (KRIs) that can be used across teams.