Thomson Reuters Accelus (TRA) has released its annual survey of internal audit practitioners, State of Internal Audit 2014 – Adapting to Complex Challenges. The results indicate that, while most of the focus of internal audit staffs is on the effectiveness of internal controls and IT security, internal auditors believe that they should be spending more time on issues relating to corporate governance and corporate culture.
TRA surveyed more than 900 internal audit professionals in 50 countries. Key findings of the 2014 survey include:
The top four areas to which respondents said that internal audit’s time and resources were devoted in their organization were assurance on internal control processes (81 percent); IT security and risk (45 percent); process level risk management (39 percent); and legal and regulatory risk (38 percent). Corporate governance ranked sixth, at 27 percent.
However, when asked what their priorities should be, these rankings changed. While assurance on internal control processes and IT security and risk remained first and second, strategic level risk management (41 percent) and corporate governance (36 percent) rose to third and fourth.
Internal audit’s involvement with corporate governance has been limited thus far. Worldwide, roughly 25 percent of internal auditors report having had no involvement in assessing their firm’s corporate governance; in North America, this figure is 32 percent. Similarly, 49 percent of respondents have had no involvement in assessing their organization’s culture.
TRA draws the following conclusion from the 2014 survey: “The growing focus which policymakers and regulators have been placing on culture, corporate governance and risk management has emphasized still further the need for a strong, well-resourced independent audit function operating, and in particular reporting, in close coordination with other risk and compliance functions, all with visible support from the top of the organization. Yet the results show a relatively unchanged picture in these areas from previous years. As the risks increase so does the need for internal audit to react to those changes.”
4 Update │ August 2014
Comment: The internal audit function typically reports, either directly or on a dotted-line basis, to the audit committee, and, as these survey results suggest, audit committees may want to give thought to whether internal audit should be deployed to look at a broader range of issues than the traditional concentration on internal control processes and IT. At the same time, it is important that internal audit not lose focus on its core responsibilities, particularly in light of the current regulatory emphasis on financial reporting controls. In addition, the skill-set and resources of internal audit would have to be taken into account in deciding whether it is appropriate for it to direc