Internal Audit 2.0 - The Evolving RoleRisk Management, Business Acumen Top the New Must-Have Skills Organizations and security controls have changed, so senior management and regulators now demanding more of internal auditors.
Beyond financial and control issues, internal auditors now are being asked to assess the effectiveness of an organization's enterprise risk management program, says Warren W. Stippich, Jr. CPA, CIA, Partner and Chicago Practice Leader at Grant Thornton, LLP.
For the past eight years, Stippich says, internal auditors spent much of their time focused on compliance with Sarbanes Oxley (SOX). But over the past 18 months, many organizations have automated SOX processes, freeing auditors to focus elsewhere. "Internal audit function is evolving to play a role in addressing the risks facing an organization and adding value in areas of cost savings and containment," Stippich says.
As this role transforms, auditors are pushed to deliver increased value to the organizations by covering the risks that matter.
"Internal audit is starting to reassert its involvement in a range of risks that an organization is facing today," says Richard Chambers, President of the Institute of Internal Auditors (IIA). "There is a much greater broadening of the internal audit focus today, as they're looking at operational risks, compliance risks, fraud risks and overall getting into the business and strategic risk management role in an organization".
Role in Risk Management:
According to the IIA, the key role of internal audit is to "provide senior management and the board with an objective assurance and independent advice that the major business risks are being managed appropriately and that the risk management and internal control framework is operating effectively". As advisers in risks and controls, internal auditors aim to help organizations identify and assess risks, as well as help them to develop appropriate ways of controlling or mitigating these risks, says Cory Gunderson, managing director of risk and compliance at Protiviti, Chicago. In effect, internal auditors act as 'facilitators and consultants' within the overall risk management process by:
- Aligning people, processes and systems with business strategy;
- Giving assurance on risk management processes;
- Giving assurance that risks are correctly evaluated;
- Evaluating risk management processes;
- Analyzing and quantifying risk factors in new business ventures and strategies;
- Identifying, evaluating and reporting key risks;
- Reviewing the management of key risks and evaluating if they are being addressed effectively;
- Working with risk managers on the use of particular tools and techniques to help them manage risk (specific methods include techniques such as Control Risk Self-Assessment);
- Developing risk management strategy for board's approval.
"A major challenge for internal auditors in this role is, however, to have the necessary talent and skills to assess risks," says Joseph Wambia, CIA, CEO and managing principal of Wambia Capital, LLC a merchant banking and investment advisory firm located in Maryland. Most internal auditors come with a strong background in financial controls and audit and do not understand the business aspect as well as the impact the organization has on over all risk management -- a critical factor in this role transition, adds Wambia.
Stippich agrees, saying that senior audit leaders have to take it upon themselves to train and retrain their internal audit staff to come up to speed with their growing role and filling the skills gap.
The New Skills
These are the skills most valued in the internal audit role today, thought-leaders say:
- Industry and business knowledge;
- Understanding and prioritizing of business strategy and goal accomplishment;
- Improved interpersonal skills to communicate with business units throughout the enterprise as well as with board management executives;
- Risk management assessment and evaluation skills;
- Building continuous monitoring techniques;
- Fraud detection and prevention skills;
- In-depth knowledge of IT automation of internal control environment;
- Investing in specific certifications, including CIA, CFE, CISA, CFSA.
Companies are also rotating staff as a solution to having a diversified talent pool representing risk, fraud, business, and financial skills within the internal audit function. These organizations are hiring internal auditors from business units within the organization for a specified time, after which the employees rotate out of the internal audit department and back into other parts of the company.
"This practice is used by some companies as a management training strategy because of the internal audit function's involvement in so many areas of an organization, as well as its focus on risk management, processes, and internal control structure," says Chambers.
According to a recent survey by the IIA's 2009 Recruitment and Retention Benchmarking Study covering 1,665 IIA members from 57 countries, 31 percent of respondents say they have rotational models in place.
The same survey also says that internal audit departments have experienced staff reductions since 2008. However, the cuts were not as steep in Fortune 500 companies, where the average reduction was only 12 percent of the staff, as compared to an average cut of 21 percent of the staff in the overall survey population.
In response to the recession and the new threat environment, internal auditors are changing their focus from cost containment and expense reduction and contemplating new approaches to risk assessment -- looking closer at factors such as probability, possible impacts of risks, and their organization's preparedness for these risks.
"[They] are transforming their role into risk management and strategic business development by positioning themselves not only to keep their companies out of trouble, but to enhance the business as well," says Wambia. "However, this transition will take some time."