Survey: Organizations Uplevel Internal Audit Teams as the Gap Widens Between Rising Risks and Workforce Bandwidth
August 1, 2024 - 1:00AM
Business Wire (English)
Over half of audit committees, boards, and CFOs
have asked internal audit to take on more activities around risk in
the past two years
AuditBoard, the leading cloud-based platform transforming audit,
risk, compliance, and ESG management, today announced the results
of its industry benchmark survey, available in its accompanying
report, Internal Audit’s Expanding Role: The Foundation for
Connected Risk, which found over half of key stakeholders including
audit committees, company boards, and chief financial officers are
looking to internal audit teams to take on more risk-related work.
The study revealed that these expanding expectations are coming at
a time when Internal Audit has limited bandwidth for
advisory-related services — and increasing risk demand and
insufficient risk management capacity are creating a risk coverage
gap for the business.
Change and unpredictability from economic, geopolitical,
regulatory, and cyber risks are unrelenting, and if not managed
from a position of strength and preparedness, they can lead to
significant negative consequences for enterprises, including
damaging financial and reputational impacts, penalties from
noncompliance with regulations (averaging $14M per non-compliance
event), lost revenues or market share from third-party risk
incidents (averaging $1B per third-party incident), and material
weaknesses that can lead to losses in market value and investor
confidence. The most critical impact, however, is also the most
common: In most organizations, management simply isn’t getting the
information needed to make risk-informed decisions and drive
business value.
The report looks at where internal audit teams are currently
spending the majority of their time, and where adjustments could be
made to help shift focus to value-added, risk-related activities.
Key findings include:
- Internal Audit’s Responsibilities Have Expanded in Key
Areas: Internal Audit’s remit is expanding as organizations
increasingly look to leverage the function’s risk and controls
expertise to help respond to today’s highly volatile risk
landscape.
  - Information security control testing appears to be growing in
    practice, with 82% of chief audit executives (CAEs) involved in
    some capacity and 44% either owning or heavily involved.
  - Continuous monitoring deserves greater internal audit focus.
    Only 28% of CAEs either own or are heavily involved with continuous
    monitoring of a key process, but 60% of surveyed auditors have some
    level of involvement in ERM — and 40% have no involvement
    whatsoever.
- Expectations are Evolving from All Directions: Internal
audit also faces changing expectations from many of its key
stakeholders.
  - More than half (55%) of CAEs indicate that their administrative
    reporting managers (typically CFOs and CEOs) have asked internal
    audit teams to be involved in more activities in the past two
    years, including ERM, ESG, governance, operational initiatives, and
    quality assurance.
- Risk Management Maturity is Lacking in Most
Organizations: While surveyed CAEs identified integrated risk
management (IRM) as their top area for increasing responsibilities,
most organizations still have a long way to go toward IRM maturity.
  - IRM was CAEs’ top response for where they should be more
    involved. Notably, however, IRM is not even reflected in auditors’
    top existing responsibilities, though it was an answer option. Also
    of note, Enterprise Risk Management (ERM) was the second top
    response for where CAEs believe they should be more involved.
  - 96% of organizations lack mature IRM programs. 11% of
    organizations report having no IRM strategy whatsoever, with audit,
    risk, and compliance functions working independently, while 51% of
    organizations seem to know IRM is needed, but have no cohesive
    strategy for it.
  - Another 24% have no formal strategy, but say they’re actively
    working toward connecting audit, risk, and compliance functions.
    This finding is promising, reflecting a recognition of the need for
    IRM even if they aren’t yet using the specific term.
“Organizations can better manage risk by adopting a connected
risk strategy — a modern, cross-functional approach to managing
risk across the enterprise,” said Tom O’Reilly, Field Chief Audit
Executive and Connected Risk Advisor at AuditBoard. “Taking the
lead on connected risk is a natural evolution of internal audit’s
role given their wide range of governance, risk, and compliance
expertise coupled with their deep cross-functional
relationships.”
For more information about the expanding role of internal audit,
read the full report here.
Methodology
AuditBoard collected data from 150 respondents globally in an
online survey conducted in February 2024. All respondents
self-identified as a CAE or internal audit leader. Approximately
28% of respondents were from the industrial sector, 25% from
finance/insurance, 19% from services, 19% from
government/education, and 10% from technology. More than 38% of
respondents were from organizations with annual revenues between
$500M and $5B, 19% $50M–$500M, 12% $5B–$20B, 12% up to $50M, and 7%
above $21B. Another 14% cited revenues as confidential.
About AuditBoard
AuditBoard is the leading cloud-based platform transforming
audit, risk, compliance, and ESG compliance management. Nearly 50%
of the Fortune 500 leverage AuditBoard to move their businesses
forward with greater clarity and agility. AuditBoard is top-rated
by customers on G2, Capterra, and Gartner Peer Insights, and was
recently ranked for the fifth year in a row as one of the
fastest-growing technology companies in North America by Deloitte.
To learn more, visit: AuditBoard.com.
View source version on businesswire.com: https://www.businesswire.com/news/home/20240731515950/en/
Laura Groshans press@auditboard.com