Brian Sims
Editor

“Gap widens between rising risks and workforce bandwidth” reports AuditBoard

COMPLIANCE AND risk management specialist AuditBoard has announced the results of its industry benchmark survey, available in the accompanying report entitled ‘Internal Audit’s Expanding Role: The Foundation for Connected Risk’, which finds that over 50% of key stakeholders including Audit Committees, Boards of Directors and CFOs are looking to internal audit teams to take on more risk-related work.

The study reveals that these expanding expectations are emerging at a time when Internal Audit has limited bandwidth for advisory-related services, while in parallel increasing risk demand and insufficient risk management capacity are creating a risk coverage gap for businesses.

Change and unpredictability arising from economic, geopolitical, regulatory and cyber risks are unrelenting. If not managed from a position of strength and preparedness, they can lead to significant negative consequences for enterprises, including damaging financial and reputational impacts, penalties from non-compliance with regulations (currently averaging £11 million per non-compliance event), lost revenues or market share from third party risk incidents and material weaknesses that can lead to losses in market value and investor confidence alike.

The most critical impact, however, is also the most common. In most organisations, management simply isn’t gleaning the information needed to make solid risk-informed decisions and drive business value.

The AuditBoard report examines where internal audit teams are currently spending the majority of their time and also where adjustments could be made to help shift the focus towards value-added, risk-related activities.

Key findings

Internal Audit’s remit is expanding as organisations increasingly look to leverage the function’s risk and controls expertise in order to help respond to today’s highly volatile risk landscape.

Information security control testing appears to be growing in practice, with 82% of chief audit executives involved in some capacity and 44% either owning that testing or otherwise being heavily involved.

Continuous monitoring deserves greater internal audit focus. Only 28% of chief audit executives either own or are heavily involved with continuous monitoring of a key process, but 60% of surveyed auditors have some level of involvement in enterprise risk management. Further, 40% have no involvement whatsoever. 

Internal Audit also faces changing expectations from many of its key stakeholders. More than half (ie 55%) of chief audit executives indicate that their administrative reporting managers (typically CFOs and CEOs) have asked Internal Audit teams to be involved in more activities in the past two years, including enterprise risk management, governance, operational initiatives and quality assurance.

Lacking in maturity

Risk management maturity is lacking in most organisations. While surveyed chief audit executives identified integrated risk management as their top area for increasing responsibilities, most organisations still have a long way to go towards attaining maturity in this area.

Integrated risk management was chief audit executives’ top response for where they should be more involved. Notably, the discipline is not even reflected in auditors’ top existing responsibilities, despite being an answer option. Also of note, enterprise risk management was the second highest response in terms of where chief audit executives firmly believe they should be more involved.

No fewer than 96% of organisations surveyed lack mature integrated risk management programmes. Further, 11% of organisations report having no integrated risk management strategy in place, with audit, risk and compliance functions working independently, while 51% of organisations questioned seem to know integrated risk management is needed, but nonetheless have no cohesive strategy to address the issue.

Another 24% of respondents have no formal strategy in place, but do say they’re actively working towards connecting audit, risk and compliance functions. This finding is promising and reflects a recognition of the need for integrated risk management even if that specific term isn’t being adopted. 

“Organisations can better manage risk by adopting a connected risk strategy: a modern, cross-functional approach to managing risk across the enterprise,” said Tom O’Reilly, field chief audit executive and connected risk advisor at AuditBoard. “Taking the lead on connected risk is a natural evolution of Internal Audit’s role given the wide range of governance, risk and compliance expertise involved, coupled with the deep cross-functional relationships being fashioned.”

*Read ‘Internal Audit’s Expanding Role: The Foundation for Connected Risk’ in full by visiting AuditBoard’s website
