Poll Shows Internal Audit Shifting Slowly to Bigger Risks

By: Tammy Whitehouse, ComplianceWeek

Internal audit departments have heard the battle cry from regulators and industry leaders to take a higher-level view of risk and control, and they are shifting slowly. Still, most internal audit departments are focused primarily on assuring internal control processes and IT and security risk, according to the latest global poll from Thomson Reuters Accelus.

The firm surveyed more than 1,100 internal auditors globally in early 2013 to get their views on the state of the profession and the challenges ahead. The results suggest internal auditors are shifting their focus and their resources -- gradually, not radically -- to look more at strategic level risk management and monitoring activities.

The results showed, for example, that 81 percent of respondents say assurance of internal control processes consumes the majority of their audit team's time and resources, followed by IT security and risk (42 percent) , and legal and regulatory risk (30 percent). Although those same functions held the same ranks in last year's survey, the percentage of internal auditors citing them as consuming the majority of the department's focus fell for all three areas. In the 2012 survey, internal control process drew an 84-percent response, IT security and risk drew 54 percent, and legal and regulatory risk drew 41 percent.

Rising importance is being placed on areas such as fraud and corruption, the survey suggests, where 26 percent of respondents said it was a key area of focus in 2013 compared with 16 percent the year before. Likewise, prominence grew for monitoring activities, where 18 percent named it as an important focus in 2013 compared with 8 percent in 2012. When asked about strategic risk management, only 9 percent of internal auditors said it is a top-three concern in 2013, but 36 percent said it should be a top priority for the company going forward. With respect to corporate governance, 23 percent of internal auditors said it was one of the top three resource-intensive areas for the department, but 29 percent said it should be a top-three priority.

The survey also sought to assess the state of risk management, looking for internal auditors' views on how well developed those functions are within organizations. Only 9 percent of internal auditors said their companies have a robust and embedded framework and resource in place to manage risk, while 41 percent said they have a program implemented, but it requires more work and resources. Another 39 percent said their programs are immature or in the development stage, and 11 percent said there is no formal program or resources in place.