The push continues for internal auditors to focus on strategic risks, but regulatory compliance duties are standing in the way, a new survey shows.
More than two-thirds (69%) of 433 internal audit professionals in the United States surveyed by Grant Thornton said regulation is increasing internal audit costs in their organization, and 36% said regulation will prevent internal audit from devoting resources to higher-value activities.
“You can’t walk away from your responsibility to address the compliance requirements,” said Bailey Jordan, CPA, an internal audit practice leader at Grant Thornton. “They have to be done.”
Many industries have seen increased regulation in recent years as policymakers attempt to prevent problems that have been perceived to have led to the recent global financial crisis. Jordan said emerging regulatory responsibilities that are adding to internal audit’s workload include:
- The Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203.
- The Patient Protection and Affordable Care Act, P.L. 111-148.
- Anti-corruption regulations.
- Payment card industry regulations.
- The newly updated internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
At the same time, the percentage of Grant Thornton survey respondents who consider strategic risk their top audit focus grew to 21% in 2014 from 18% the previous year.
And North American chief audit executives (CAEs) responding to an Institute of Internal Auditors (IIA) survey released in January said strategic business risk ranked as the top priority for management and audit committees. Forty-six percent said strategic business risk is the top priority for executive management, and 28% said it is the top priority for audit committees.
But in the same survey, business strategy accounted for just 6% of CAEs’ overall internal audit plan, while auditing operational (24%) and compliance/regulatory (14%) risks were the most significant parts of the internal audit plan. Another form of regulatory compliance, Sarbanes-Oxley (SOX) auditing, made up 12% of audit plans.
In Grant Thornton’s survey, compliance risks were rated as the area of highest audit focus, followed by financial risks and operational risks. The difference at the top of the surveys may be partly explained by the fact that the IIA survey had a separate category for SOX compliance.
It appears that internal audit departments will have more resources at their disposal in 2014 as they attempt to meet their compliance challenges. Forty-one percent of North American CAEs in the IIA survey said their budget will increase this year, while just 15% said their budget would decrease.
In the same survey, 26% of CAEs predicted staffing increases this year, while just 8% predicted decreases. The percentage of CAEs predicting increases marked highs in the survey’s seven-year history for both budget and staffing.
Internal auditors may need those extra resources to deal with the impact of regulation. One way for internal audit to provide more value in this environment, according to the Grant Thornton report, is to use compliance activities to contribute in strategic, operational, and financial risk areas.
Almost half (45%) of respondents in the Grant Thornton survey said the impact of regulation on their organizations is improving their governance and the rigor of their testing. Jordan said internal audit can add “a tremendous amount” of value by facilitating discussion between different compliance functions within an organization such as legal, human resources, and IT.
“It’s almost like getting an inventory of where you have different compliance responsibilities in the organization and having internal audit be the facilitator and moderator of getting all those people together so they can discuss it and make sure you don’t have gaps,” Jordan said, “and also make sure you’re not testing something twice without it being necessary.”
Where to improve
Internal auditors also can use a variety of tactics to improve their efficiency and give themselves more time for value-added activities, Jordan said. These include:
Leveraging control testing across multiple compliance areas. Complying in multiple ways with various mandates through one test can save time but requires careful planning and coordination across functions. The percentage of respondents using this “one-to-many” approach grew to 54% from 49% the previous year. But there is room for more use of this tactic—92% of respondents said it’s possible to apply one-to-many principles to up to 50% of their control testing.
Use technology more effectively. Just 29% of respondents said their companies are using governance, risk, and compliance-specific (GRC) technology. That’s up from 23% in last year’s survey, but 36% of respondents said their organizations do not effectively leverage GRC technology. Respondents are using this technology most to manage their departments and report audit plans and results.
Use data analytics. Sixty percent of survey respondents are using data analytics to enhance the internal audit function. The top four benefits of using analytics were listed as increased efficiency; quick identification of patterns, trends, and relationships; increasing internal audit coverage; and (importantly) improving the strategic value of the internal audit function.
Upgrade staff skills. Forty percent of respondents said talent quality or capacity is a barrier to delivering maximum value for internal audit teams. Jordan said internal audit can identify areas for improvement by conducting a skills gap assessment by mapping the skills of the audit team against the audit plan. “It’s in your plan, so you’ve got to acquire that skill, whether you do it in-house or out,” Jordan said.
Jordan said many internal audit functions have effective tools and techniques available but don’t use them as much as they could. He said the increased demand for resources to comply with regulations makes it even more important to create additional value from compliance activities and to find ways to be more efficient.
“Internal audit can play a role in that coordination between different functions responsible for compliance and then apply the ‘one-to-many’ to the extent you can,” he said. “It’s just leveraging technology, looking at the skills of your team and where you have gaps, and take action so you can hopefully free up some hours to do more value-add projects.”
Ken Tysiac (
) is a JofA senior editor.