State of Internal Audit 2018

Impact and Opportunities

MetricStream’s latest survey on the state of internal audit finds auditors focused on delivering timely insights on key risks, aligning audit planning with business strategy and improving audit processes and operational effectiveness. Manu Gopeendran details the survey’s findings.

For years, internal auditors have been the eyes and ears of the enterprise, providing assurance around the efficacy of risk mitigation strategies and controls. But today they are being asked to do more – to go beyond simply protecting business value to actually creating value. Much of this shift is being driven by larger business changes. Traditional business models, for instance, are rapidly being disrupted. Technology is advancing faster than ever. Emerging risks around data privacy and geopolitics are coming to the fore. And global concerns around corporate ethics and integrity are on the rise.

Now more than ever, internal auditors are needed at the executive and boardroom tables, not just to deliver assurance, but also to provide strategic intelligence that can accelerate business performance and growth, highlight critical risks and opportunities and drive better informed business decisions. Stakeholders want to know if something is going wrong or can go wrong in their business well before it actually does. No other function is arguably as well-positioned as internal audit to deliver those insights in a timely manner.

Where Does Internal Audit Stand Today?

MetricStream Research conducted a survey in the first half of 2018 to better understand internal audit’s impact and opportunities. The respondents represented more than 600 organizations across 15 industries globally. The survey covered three primary areas of internal audit: challenges and priorities, program structure and the role of technology.

Here are the key highlights of the survey report:

Internal audit’s focus is on strengthening risk awareness and aligning with business strategy

Respondents reported that their top internal audit priorities for 2018 are to provide timely insights on key risks, align audit planning with business strategy and improve audit processes and operational effectiveness.

Adding value to the business is a key audit challenge

While internal auditors may be increasingly seen as strategic business advisors, it is still a big challenge for them to add value to the business – that’s according to respondents from large, mid-sized and small enterprises. Other internal audit challenges include aligning audit processes to changes in the business, ensuring effective risk management and performing cybersecurity audits.

Auditors are turning to emerging technologies for real-time data and analysis

As boards and executive management teams demand deeper insights into risks, internal auditors are looking to leverage more analytics and other emerging technologies. Seventy-seven percent of respondents reported an interest in data querying and analysis tools, 75 percent in continuous control monitoring tools, 60 percent in data visualization capabilities and 58 percent in modeling and predictive analysis tools.

Enterprise risk management (ERM) is not yet pervasive

Only 50 percent of respondents reported having a dedicated ERM team and program in place. Of the remaining respondents, 25 percent indicated not having an ERM program at all – a significant cause for concern. Meanwhile, 25 percent reported that their organizations’ ERM programs are maintained by their internal audit teams.

Auditors have embraced a risk-based approach

When it comes to audit planning and execution, 86 percent of respondents reported that they follow a risk-based approach.  Of them, the majority (75 percent) perform simple risk assessments (i.e., they assess the auditable entity directly based on risk factors, such as reputational risk or operational risk). Only 54 percent of respondents reported following a more comprehensive approach of assessing risks based on impact and likelihood prior to determining a rolled-up risk score.

Most auditors define their audit universe ahead of audit planning

Eighty percent of respondents indicated that their audit universe is defined before the audit planning stage. On the other hand, 39 percent of respondents define their audit universe during audit planning, while 20 percent define it during audit execution. The latter two groups are likely to have more flexibility when it comes to making changes to the audit universe during the audit cycle.

Balanced scorecards are not widely utilized to assess internal audit efficacy

Only 19 percent of respondents reported using a balanced scorecard approach to evaluate the effectiveness of internal audit programs. The majority still rely on qualitative, unstructured assessment approaches, like open dialogues between the senior management and auditors (63 percent) and self-assessments by the audit team (52 percent).