Internal auditors may need to change their approach to audit planning to keep up with unexpected and fast-paced changes in risks, a new global survey shows.
Most internal audit departments are not flexible in adapting their audit plans to handle rapidly changing risks, according to the Institute of Internal Auditors (IIA) 2015 Global Pulse of Internal Audit survey. More than 3,344 chief audit executives (CAEs) participated in the global survey.
Just 16% of CAEs reported that their organization has a highly flexible audit plan that matches the organization’s changing risk profile. Almost one-fourth (24%) of CAEs said their organization has a formal enterprise risk management process with a chief risk officer or equivalent, and almost half (47%) said their risk management processes are informal, developing, or nonexistent.
Many internal auditors encounter barriers to important resources, as just 54% of CAEs said internal audit at their organization has complete and unrestricted access to employee records and property for their work.
The report concludes that:
- CAEs need to understand emerging risks quickly, frequently revise their audit plans in response to new information, and effectively communicate these changes to key stakeholders.
- Internal audit needs to have a broad view of risks, working closely with other risk functions in defining, assessing, and providing assurance over risks.
- Many CAEs have an opportunity to contribute their expertise and insight in support of integrated and sustainability reporting. Internal audit can provide assurance to increase the credibility of integrated reporting, and can bring value by communicating the impact of sustainability on business processes, according to the report.
- To successfully navigate political pressures, CAEs need to optimize their reporting lines, consider the impact their choices have on their objectivity when performing internal audit activities, and insist on access to the information they need.
—Ken Tysiac ( email@example.com ) is a JofA editorial director.