Over half of audit committees, boards, and CFOs have asked internal audit to take on more activities around risk in the past two years

AuditBoard, the leading cloud-based platform transforming audit, risk, compliance, and ESG management, today announced the results of its industry benchmark survey, available in its accompanying report, Internal Audit’s Expanding Role: The Foundation for Connected Risk, which found over half of key stakeholders including audit committees, company boards, and chief financial officers are looking to internal audit teams to take on more risk-related work. The study revealed that these expanding expectations are coming at a time when internal audit has limited bandwidth for advisory-related services, and when increasing risk demand and insufficient risk management capacity are creating a risk coverage gap for the business.

Change and unpredictability from economic, geopolitical, regulatory, and cyber risks are unrelenting, and if not managed from a position of strength and preparedness, they can lead to significant negative consequences for enterprises, including damaging financial and reputational impacts, penalties from noncompliance with regulations (averaging $14M per non-compliance event), lost revenues or market share from third-party risk incidents (averaging $1B per third-party incident), and material weaknesses that can lead to losses in market value and investor confidence. The most critical impact, however, is also the most common: In most organizations, management simply isn’t getting the information needed to make risk-informed decisions and drive business value.

The report looks at where internal audit teams are currently spending the majority of their time, and where adjustments could be made to help shift focus to value-added, risk-related activities. Key findings include:

  • Internal Audit’s Responsibilities Have Expanded in Key Areas: Internal Audit’s remit is expanding as organizations increasingly look to leverage the function’s risk and controls expertise to help respond to today’s highly volatile risk landscape.
    • Information security control testing appears to be growing in practice, with 82% of chief audit executives (CAEs) involved in some capacity and 44% either owning or heavily involved.
    • Continuous monitoring deserves greater internal audit focus. Only 28% of CAEs either own or are heavily involved with continuous monitoring of a key process, but 60% of surveyed auditors have some level of involvement in ERM — and 40% have no involvement whatsoever.
  • Expectations are Evolving from All Directions: Internal audit also faces changing expectations from many of its key stakeholders.
    • More than half (55%) of CAEs indicate that their administrative reporting managers (typically CFOs and CEOs) have asked internal audit teams to be involved in more activities in the past two years, including ERM, ESG, governance, operational initiatives, and quality assurance.
  • Risk Management Maturity is Lacking in Most Organizations: While surveyed CAEs identified integrated risk management (IRM) as their top area for increasing responsibilities, most organizations still have a long way to go toward IRM maturity.
    • IRM was CAEs’ top response for where they should be more involved. Notably, however, IRM is not even reflected in auditors’ top existing responsibilities, though it was an answer option. Also of note, Enterprise Risk Management (ERM) was the second top response for where CAEs believe they should be more involved.
    • 96% of organizations lack mature IRM programs. 11% of organizations report having no IRM strategy whatsoever, with audit, risk, and compliance functions working independently, while 51% of organizations seem to know IRM is needed, but have no cohesive strategy for it.
    • Another 24% have no formal strategy, but say they’re actively working toward connecting audit, risk, and compliance functions. This finding is promising, reflecting a recognition of the need for IRM even if they aren’t yet using the specific term.

“Organizations can better manage risk by adopting a connected risk strategy — a modern, cross-functional approach to managing risk across the enterprise,” said Tom O’Reilly, Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. “Taking the lead on connected risk is a natural evolution of internal audit’s role given their wide range of governance, risk, and compliance expertise coupled with their deep cross-functional relationships.”

For more information about the expanding role of internal audit, read the full report here.

Methodology

AuditBoard collected data from 150 respondents globally in an online survey conducted in February 2024. All respondents self-identified as a CAE or internal audit leader. Approximately 28% of respondents were from the industrial sector, 25% from finance/insurance, 19% from services, 19% from government/education, and 10% from technology. More than 38% of respondents were from organizations with annual revenues between $500M and $5B, 19% $50M–$500M, 12% $5B–$20B, 12% up to $50M, and 7% above $21B. Another 14% cited revenues as confidential.

About AuditBoard

AuditBoard is the leading cloud-based platform transforming audit, risk, compliance, and ESG compliance management. Nearly 50% of the Fortune 500 leverage AuditBoard to move their businesses forward with greater clarity and agility. AuditBoard is top-rated by customers on G2, Capterra, and Gartner Peer Insights, and was recently ranked for the fifth year in a row as one of the fastest-growing technology companies in North America by Deloitte. To learn more, visit: AuditBoard.com.

Laura Groshans press@auditboard.com