A majority of Hong Kong companies plan to increase investment in internal audit, as the role becomes more instrumental in helping organizations achieve their strategic objectives, according to a joint survey by KPMG and The Institute of Internal Auditors (IIA) Hong Kong.
The survey titled An Evolving Internal Audit Landscape – Beyond conventional compliance, reveals that more than half of respondents expect their internal audit investment to increase over the next three years, driven by demand from the audit committee/board (51 percent), senior management (32 percent), stricter levels of compliance and regulatory requirements (44 percent) and an increasing need to hire more specialists (30 percent).
The survey highlights that over 80 percent of senior audit executives rated the role of their internal audit function as a key business advisor. In contrast, only 4 percent of surveyed Audit Committee Chairman and committee members, and 16 percent of senior management viewed an internal audit function as a business advisor.
Plenty of room for improvement
This significant discrepancy suggests there is plenty of room for improvement before internal audit can be fully considered as a business advisor by some key stakeholders.
More than half of survey respondents said a key role of internal audit is to improve business performance and efficiency, beyond its traditional role of assurance against internal policies, listing rules, Companies Ordinance and other industry regulations.
“Internal audit can enhance shareholder value by challenging the way a business operates and providing assurance on risk and internal control systems,” says Alva Lee, Partner, KPMG China. “Most importantly, there are growing expectations among market practitioners that an internal audit function can grow beyond conventional compliance-type-roles and evolve into a trusted business advisor of the organization.”
Assessing and identifying the risks and opportunities brought about by digitalization is a key role of the internal audit function. However, insufficient use of data analytics is identified by 40 percent of respondents as one of the challenges within their internal audit function. Only 9 percent said they are fully utilizing data analysis tools for all internal audit projects.
Exposed to higher cyber security risks
Meanwhile, companies are exposed to higher cyber security risks with increased online presence, broader use of social media, mass adoption of mobile devices, increased usage of cloud services and the collection/analysis of big data.
Regulators are seeing this threat and are putting pressure on businesses to comply with tighter rules and regulations, to admit to cyber breaches publicly, and to submit to detailed examinations.
Stephen Lee, President, IIA Hong Kong, says: “Possessing an internal audit function with a clear cyber strategy can help better determine the extent to which internal controls can be adapted to these changes. Companies should consider putting cybersecurity as a focal point when formulating their internal audit plans, and conduct reviews at regular intervals.”
While all financial services respondents were said to have incorporated and embedded cyber risks in the planning of their internal audit activities, only half of non-financial services respondents did the same, according to the survey. This is a potential weakness as cyber risks concern every organization and those that are not prepared for it in their internal audit plan will be at risk, the survey finds.
Insufficient resources a challenge
Insufficient resources was highlighted as one of the challenges. Nearly a quarter of respondents consider their internal audit functions to have insufficient resources, skill set or experience to perform their day-to-day duties. More than three quarters of respondents indicated their internal audit teams comprise predominantly of audit professionals.
Stephen Lee says: “A well-balanced mix of audit professionals and business executives is important as it could help provide a more complete skill set to operate in an increasingly complex business environment. In addition to reassessing the talent compositions of internal audit functions, expanding its capabilities in data analytics and risk spotting is another way to promote its role as a business advisor to an organization.”
Alva Lee concludes: “As the industry continues to develop, an internal audit function should no longer be confined to being a mere compliance checker and is now transitioning into a trusted business advisor that can provide valuable insights to the senior management. It should also expand its scope beyond traditional process-level audits and into areas such as culture and behavior, and to keep up with the times and start embracing big data analytics in their auditing, while making sure they are aware of the threats cyber risks pose.”