Internal Audit and Risk Management: AuditBoard's Survey
AuditBoard, a leading cloud-based platform for audit, risk, compliance, and ESG management, has recently announced the results of its industry benchmark survey, available in its accompanying report, Internal Audit’s Expanding Role: The Foundation for Connected Risk, which found that 55% of CFOs and 50% of audit committees are looking to internal audit teams to take on more risk-related work.
The study revealed that these expanding expectations are coming at a time when Internal Audit has limited bandwidth for advisory-related services — and increasing risk demand and insufficient risk management capacity are creating a risk coverage gap for the business.
“While many companies are used to managing an ever-increasing risk velocity and impacts, recent difficulties centre around several factors: a lack of company capacity to manage their risks, siloed teams, disparate data, and legacy technology,” says Tom O’Reilly, Field Chief Audit Executive and Connected Risk Advisor at AuditBoard.
The survey also highlights how change and unpredictability from economic, geopolitical, regulatory, and cyber risks are persistent. If they are not managed from a position of strength and preparedness, these risks can lead to severe negative consequences for enterprises.
The risk exposure gap can result in damaging financial and reputational impacts, including penalties from noncompliance with regulations (averaging US$14m per noncompliance event), lost revenues or market share from third-party risk incidents (averaging US$1bn per third-party incident), and material weaknesses that can lead to dropping share prices, valuations, and investor confidence.
Results
The survey reveals a critical issue: most organisations' management is not receiving the essential information needed to make risk-informed decisions and drive business value. The report also highlights the current focus of internal audit teams and suggests potential adjustments to prioritise more value-added, risk-related activities.
According to the survey, a significant portion of internal audit capacity is still devoted to traditional audit and Sarbanes-Oxley (SOX) compliance work. On average, internal audit functions with SOX responsibilities allocate only 15% of their time to advisory activities, such as enterprise risk management (ERM), continuous controls monitoring, information security controls testing, and corporate investigations. In contrast, functions without SOX responsibilities dedicate slightly more time to advisory work, averaging 21%.
The results underscore a need for internal audit functions to expand their remit and take on more advisory responsibilities – 61% of CAEs expressed a desire to take on more responsibilities, reflecting a recognition that traditional internal audit work alone is insufficient to close the risk exposure gap.
This sentiment is echoed by key stakeholders, including CFOs and audit committees, who are increasingly relying on internal audit to provide more comprehensive risk management support.
To address these challenges, the survey highlights the importance of a connected risk approach. This modern, cross-functional strategy involves integrating audit, risk, and compliance teams through enabling technologies that connect teams, unify data, and automate processes. Internal audit is well-positioned to lead this approach due to its comprehensive view across the organisation and its expertise in governance, risk, and compliance.
“The easiest way companies can improve their risk management capacity to help close the gap between rising risk demands and limited risk management resources is to employ a connected risk approach — proactively seeking to centralise data, teams, and workflows to improve the culture of risk management across the first line, which will better serve executive decision-making and the board’s oversight responsibilities,” says Tom.
The survey also points out that most organisations lack maturity in integrated risk management (IRM). Only 14% of respondents reported having a formal IRM strategy, and a mere 4% indicated that it was working well. This presents a significant opportunity for internal audit to add value by driving the adoption of connected risk strategies.
Manager Insight: What role do you see internal audits playing in addressing the challenges highlighted in the report?
“I personally see internal audit being the best positioned in many organisations to be the catalyst and champion of their connected risk strategies,” says Tom. “Just like internal audit has been tapped on the shoulder for SOX in the U.S. and now the UK Corporate Governance Code in the UK because of their controls expertise, internal audit is being sought after to architect their organisation’s connected risk approach because of their enterprise-wide expertise of their GRC environment. Our survey revealed that management and the Board want more risk work from internal audit, and at the same time, internal audit believes they can play a bigger role in their organisation’s risk management efforts. I predict, and we are already seeing, connected risk being the most impactful area internal audit leads from the front of their organisation.”
FinTech Magazine is a BizClik brand