The recent global economic uncertainty is considered the biggest risk to companies this year by chief audit executives and stakeholders, according to a report issued by Professional Services Firm PwC.
Along with concerns regarding the financial recession, companies worldwide cite traditional areas of concern such as fraud and ethics, mergers and acquisitions, large programmes, the introduction of new products and business continuity among their top five risks to business.
Businesses are increasingly looking toward internal auditors to broaden and deepen their role in helping them navigate the rapidly changing risk landscape across a range of risks, including data privacy and security, regulation and government politics.
These are some of the findings of the eighth annual 2012 PwC State of the Internal Audit Profession Study. The study, which was carried out among 1, 530 executives from 16 different industries and 64 countries, focuses on the rising importance of risk management and the increasing expectations of internal audit's contribution to the effect. While previous studies surveyed only chief audit executives to learn their responses to the year's most pressing challenges, this year's report was broadened to include other executives, audit committee chairs, and board members, who were asked their views on today's critical risks and the role they expect internal audit to play in addressing them.
As the risk landscape continues to evolve, the majority of business leaders surveyed said they were not comfortable with how their risks were being managed, even though 74% of those surveyed had formal enterprise risk management processes in place. The relatively low confidence level expressed by participants in many risk areas tells us that stakeholders won't feel their organisations are managing risks effectively until they significantly up their game regarding both the management of risk and the communication of risk management results.
With risks rising and an awareness of those risks becoming a matter of increasing concern to investors, they are seeking greater assurance in their companies' ability to manage current and future risks. Respondents see internal audit as having an important role to play in monitoring their organisations' top risks.
To deliver what stakeholders want, the standard for an effective internal audit function has been raised and internal audit needs to evaluate its performance to meet the always increasing stakeholder expectations. Businesses must evaluate total enterprise risk, coordinate with the internal audit function and break down organisational barriers to provide a holistic approach to risk management.
Successful internal audit functions create plans through comprehensive, top-down risk assessments where the entire enterprise risk management process is taken into consideration. According to the results of the survey, 45% of organisations still do not create their audit plans using a robust, top-down risk assessment approach.
The majority of participants identified organisational and cultural resistance as the most common barriers to internal audit's ability to step up and meet stakeholders' increasing demands, followed closely by a lack of internal audit resources and expertise.
As more stakeholders seek an objective point of view to more effectively manage local as well as global risks while concurrently desiring deep expertise to meet the demands of the company where it is today as well as where it is going tomorrow, internal audit functions are turning to co-sourcing to move from a reactive to proactive risk management strategy, and better anticipate and respond to growing risks.
The report adds that internal audit functions at leading companies provide stakeholders with advice on how to improve risks and controls rather than just reporting on gaps. The majority of participants (78%) whose companies were better at managing risk say their chief audit executives have an active role in executive meetings. This is exactly what the King III Report on Corporate Governance strives for. Furthermore, they take into consideration the organisation's enterprise risk management process and are able to adapt their approach more quickly when changes are required.
To add to stakeholder confidence and be seen as a vital, contributing business partner, internal audit must do much more than give assurance over financial controls and compliance – it needs to provide assurance across a broader range of business risks, provide deep insights and business perspectives and be able to present to stakeholders in a way that cuts through the clutter.
Our survey confirms that boards and audit committees expect more from internal audit. They want internal audit to act as their eyes and ears and provide essential comfort that critical business risks are being well managed. But while internal audit clearly matters, the challenge for the chief audit executive is to find a way to consistently deliver on these increasing expectations.
The 2012 State of the Internal Audit Profession survey was conducted in the fourth quarter of 2011 and the first quarter of 2012 and includes more than 1,530 respondents in 16 separate industry sectors from 64 countries across the globe. This year, for the first time, in addition to surveying internal auditors about the state or the profession, PwC surveyed the profession from the outside in, asking CFOs, audit committee members, CEOs, and other stakeholders to share their views on internal audit's role in the organisation and its capabilities for supporting the risk management activities of the company.
More than 660 non-internal audit stakeholders shared their points of view through participation in the 2012 State of the Internal Audit Profession survey in addition to approximately 870 Chief Audit Executives across the globe. In addition, nearly 100 CAEs and stakeholders participated in one-on-one interviews, enabling PwC for the first time to share a comprehensive outside-in look at the profession.