By Rob Starr, Big4.com Content Manager
KPMG and Forbes surveyed over 400 chief financial officers and audit committee chairs at companies ranging from $1 billion to just under $50 billion in revenue worldwide recently. The resulting study was titled “Seeking Value through Internal Audit,” and it focused on a gap between what audit committee chairs and CFOs want and what they are actually getting from their organizations IA functions. Craig Carter, Principal in Internal Audit, Risk and Compliance Services at KPMG LLP and Global Leader, Internal Audit Innovation filled us in on the relevant takeaways.
Why is there a gap between what audit committee chairs and CFOs want and what they are actually getting from their companies’ IA functions?
The inherently different roles, accountabilities and perspectives among the Audit Committee, CFO and Internal Audit (“IA”) can lead to disparate views of what IA should focus on and how it
fulfills its charter. Although a strong majority of survey respondents said that IA is a strategic function (99%) and are included in the strategic planning process (94%), they note the need for IA to diversify their skills to better mirror the complexity of the organization and increase the “range” of IA. Simply stated, Audit Committee chairs and CFOs expect IA to have an equivalent level of knowledge and expertise of the business as the functions they are auditing. This finding suggests that IA has an opportunity to increase the use of subject matter expertise and level of sophistication to provide additional insight into operational effectiveness and efficiency as well as risk and control compliance.
How does providing insights on risk management factor in?
IA plays a key role in assessing the overall effectiveness of the numerous assurance providers within the business. Leading IA functions evaluate the effectiveness of the entire control environment on a ‘near real-time basis,’ providing insight into areas that may be over-controlled as well as under-controlled given changes to the organization’s compliance profile changes over time. IA’s perspective and insight needs to closely correspond to the velocity of change within the business, which is increasingly moving at a faster rate and demands a more informed view of emerging business risks. Technology skills are identified as the second most valuable for internal auditors (62%), second only to communication (67%) and underscores the need for IA to leverage technology to monitor changes in the control environment.
The survey also highlights the need for “strategic risk alignment” — that is, for IA to focus on audits that align against the strategy of the business rather than simply providing coverage of the audit universe. Eighty-two percent of the respondents indicated that “valuable and insightful audits” would identify potential revenue enhancements, cost savings, and smarter CapEx spending. Based on the results, “adding value” goes beyond providing compliance and operational performance feedback.
What can you say about the way emerging risks are handled?
Leading practice IA functions evaluate emerging risks not only when they are developing their IA plans, but also periodically throughout the audit year. Most respondents indicate that their IA functions are competent in terms of assessing existing strategic, operational and compliance risks. The job gets done – only 20% of respondents believe that risk identification has been an issue for their company historically. But when it comes to more comprehensive detection and response to emerging risks, the response is remarkably tepid — only one in ten respondents believe that this is taken care of adequately. Also note that none of the respondents are completely happy with this — 0% gave their function the highest marks available. This gap suggests that IA needs to be more proactive in identifying and mitigating risk, not just assessing the controls already in place. Further, it points to a unique opportunity for IA to leverage a more dynamic and continuous risk assessment process, which could inform audit selection and coverage and also serve as a basis for evaluating how effectively the company is managing emerging and strategic risks. Respondents identified the need for IA to increase their use of technology in general and data analytics specifically to monitor the effectiveness of controls executed by the first line and second line of defense and increase the speed and quality of audits.
What did the report find about the skills needed for IA professionals?
Not surprisingly, communication was the highest ranking skill, reflecting the importance that executives place on the ability of IA to both listen to what their stakeholders are saying and respond in a way that accurately assesses the residual risk to the business. Technology skills and critical thinking closely followed, indicating that there is a need for the IA function to have a balanced compliment of both “soft” and “hard” skills. Most notably, 71% of respondents viewed effective and efficient audits of highest value and importance, followed by audits with measurable impact (63%).
What needs to be done? (please share what needs to be done to address the gaps identified and ensure that IA delivers value)
The study underscores the desire of Audit Committee Chairs and CFOs to enhance the value provided by the IA function. The responses point to a perceived value gap that should be recognized between what Audit Committee Chairs and CFOs are currently receiving from the IA function and what they believe they need and should be receiving. The results speak to addressing that “value” gap in terms of:
- Providing actionable insights into the strategic drivers of the business;
- Aligning assurance coverage across assurance providers and functions and focusing on strategic risks; and
- Leveraging technology to better identify emerging risks, assess risk coverage and improve audit quality and speed.