Internal audit practitioners globally are bearing the brunt of a quickly changing regulatory landscape, particularly in financial services, according to a new survey by Thomson Reuters. As organisations continue to play catch-up with a shifting regulatory environment the focus of internal audit practitioners’ roles is changing dramatically, and resources being stretched, as the function is asked to take increasing responsibility for company-wide corporate governance and reporting to the Board.
Thomson Reuters Accelus surveyed more than 1,100 internal audit practitioners across Europe, the Americas, Australia, Asia, Africa and the Middle East to canvass their views on the state of internal audit and the greatest challenges for the year ahead. Respondents represented firms from a wide set of industries including financial services, manufacturing, government, education, life sciences, energy and other highly-regulated industries.
Among the key findings is 26% of organisations nominated fraud and corruption as one of their top three areas for time and resources, compared with only 16% of organisations stating this last year. Legal and regulatory risk occupied the same spot as last year, although fewer organisations nominated it.
Sixty-one percent of organisations’ audit committees only reported to the board on a quarterly basis whilst 12% weren’t sure how often they reported to the board and 2% only reported on an annual basis.
The survey also found that 7% fewer internal auditors said that they spoke to the compliance function on a weekly basis than in 2012 highlighting the need for more effective cross-function communication.
Meanwhile, half (50%) of auditors thought that the risk management tools they currently used either provided them with no satisfaction or left them very dissatisfied when used to conduct risk assessments.
“Changes driven by the financial crisis and implemented in the first instance by the financial services sector will, in time, permeate all sectors and set the standard for risk governance and the expected role and remit of the internal audit function,” said Mark Schlageter, managing director, Governance, Risk & Compliance, Thomson Reuters. “To meet increased expectations of both internal and external stakeholders, internal audit practitioners need the ability to tap greater resources as well as garner the clear support of their company right through to Board level to truly achieve success in this changing operational environment.”
Regulatory Impact on Internal Audit
Historically, the focus of internal audit has been on process-level risk assessment and assurance. While this continues to be a trend in 2013 the depth of the internal audit function is changing and its parameters are widening. The recent spate of financial scandals involving banks conducting fraudulent activities has created a much more risk-averse operational environment resulting in greater regulatory oversight as well as an increased need for risk-based assurances to be provided to the Board and senior management.
As a result, internal audit practitioners are placing greater emphasis on areas such as fraud and corruption with 26% of organisations saying it fell into their top three areas where internal audit’s time and resources are dedicated, compared with only 16% last year. Additionally, there has been a shift in focus towards ‘softer’ skill sets such as monitoring activity which rose from 8% in 2012 to 18% in 2013 and highlights that certain activities, once the domain of other functions within an organisation, are now being handled by internal audit.
As well as having major implications for resourcing the internal audit function, this shift has meant that less time is being spent on other areas such as IT security and risk, which dropped considerably, from 54% in 2012 to 42% this year. Resource constraints also mean that priorities for the internal audit function are not always able to be met. Strategic level risk management, for example, came near the bottom of internal auditors top three concerns (nominated by only 9% of firms); however, when asked what the top priorities should be for internal audit 36% nominated the activity.
Reporting to the Board
The Basel Committee on Banking Supervision’s revised supervisory guidance has said that a bank’s board of directors should support the internal audit function in effectively discharging its duties, thus ensuring it is up to date and gives due weight to matters of note.
While this is the case, the Thomson Reuters survey found that in 61% of organisations, the audit committee only reported to the board on a quarterly basis. This highlights the need for internal audit to improve its understanding of regulation and proactively engage senior management to identify and manage issues, rather than merely conducting a box-ticking exercise. In addition, internal audit needs to develop improved channels of communication with the board, helping to ensure an efficient internal control system is in place to prevent risk and reputational damage.
Notably, one of the top three areas that internal auditors believe they will spend more time on in the coming year than previously includes reporting to senior management. This may indicate that internal auditors are reporting more to the audit committee, even though the audit committee has not increased its level of engagement with the full board.
Separately, insufficient skilled resources was expected to be the second largest challenge for organisations over the coming year, which further highlights that internal auditors are feeling pressure in terms of resources and may be unable to fulfill all of their duties, such as reporting to the board on a regular basis.
Communication with other Risk and Control Functions
Risk management is an area that has experienced significant change in the wake of the financial crisis.
Companies increasingly need more coherent and consistent risk reporting with input from internal audit, risk and compliance functions alike to ensure adequate coverage of all relevant risks.
The survey results were therefore surprising in that half of all internal audit practitioners surveyed were of the view that their organisation has a risk management function that is immature, in development or non-existent. Respondents’ poor opinions could be attributed to organisations using inappropriate risk management tools, such as well-established IT packages that are core to a company’s corporate culture, instead of bespoke IT audit packages which will require staff training.
By working with other functions more regularly, internal audit practitioners can increase their knowledge base, maximise resources and help to present the board with a more complete picture around risk management. The interaction of internal audit with risk management functions however was found to be in decline with just 18% of respondents interacting on a weekly basis compared to 32% in 2012. Similarly, fewer internal auditors said that they spoke to the compliance function on a weekly basis than was the case in 2012.