5 Top Takeaways From Internal Audit’s Expanding Role: The Foundation for Connected Risk

How can internal audit teams keep pace with the rapidly evolving risk landscape? 

As organizations face increasing regulatory complexities and technological advancements, internal auditors must adapt to provide more strategic value. Our hypothesis was that modernizing internal audit functions could help bridge the gap between traditional responsibilities and emerging risk management needs. 

To test this, we surveyed 150 Chief Audit Executives (CAEs) and internal audit leaders to understand how internal audit teams are adapting to the rapidly evolving risk landscape, focusing on key areas such as integrated risk management (IRM), connected risk approaches, and optimizing audit activities.

Our research report reveals a notable risk exposure gap: only 15% of internal audit functions with SOX responsibilities and 21% without SOX responsibilities allocate their time to advisory work. Over half of CFOs and Audit Committees are asking internal audit teams to expand their roles, yet bandwidth limitations pose a significant challenge. In fact, 61% of CAEs have pushed to take on more responsibilities, with IRM being the top area where they feel they should be more involved.

But how can internal audit free up time to provide more value to the organization through the resources already allotted?

AuditBoard’s comprehensive report, Internal Audit’s Expanding Role: The Foundation for Connected Risk, offers a roadmap for internal auditors to modernize their functions, reduce time spent on traditional audit activities, and focus on higher-value advisory work. 

By adopting these best practices, internal auditors can enhance their capabilities and better support their organizations in managing risk and driving business performance. Download the full report here, and continue reading to explore strategies for enhancing internal audit’s role in enterprise risk management.

1. Recognize the Risk Exposure Gap

The modern risk environment is characterized by pervasive uncertainty and volatility. Organizations are struggling to manage the widening gap between risk demand and management capacity, leading to potential financial and reputational damage. 

This unprecedented risk landscape — characterized by pervasive uncertainty, ambiguity, and volatility — is coupled with a lack of capacity within most organizations to manage these risks to an acceptable level. This mismatch between increasing risk demand and insufficient risk management capacity creates what we call the risk exposure gap.

Risk Exposure Gap

Closing the risk exposure gap is no simple task. With siloed teams, manual processes, fragmented data, resource constraints, lagging technology adoption alongside rapidly increasing digital risk, and the challenges of attracting and retaining the talent needed to address emerging risks, many organizations simply lack the capabilities needed to address the gap.

2. Embrace an Expanding Remit

To address the widening risk exposure gap, many organizations are looking to their internal audit teams for help. A 2024 AuditBoard survey of internal audit leaders found that 55% of CFOs and 50% of audit committees and boards are asking internal audit to do more work around risk. But as our survey also found, the bulk of internal audit’s capacity continues to be locked up in traditional audit and SOX work. 

Figure 2: Internal Audit Time Allocation

Figure 2 shows that on average, internal audit functions with Sarbanes-Oxley (SOX) responsibilities are currently allocating only 15% of their time to advisory-related work focused on key capabilities like enterprise risk management (ERM), continuous controls monitoring, information security controls testing, corporate investigations, and others. Functions without SOX responsibilities allocate only slightly more advisory time: 21% of their total bandwidth, on average.

At the same time, survey results clearly reflect an expanding remit: Internal auditors are already being asked by audit committees, boards, and CFOs to become involved in more advisory areas. In other words, internal audit typically has only a small slice of its overall bandwidth to allocate to a massive (and growing) bucket of crucial advisory responsibilities. 

The survey nevertheless found that internal auditors themselves believe they can and should be doing more: 61% of chief audit executives (CAEs) say they have pushed to take on more responsibilities within the past two years. These findings could reflect a growing perspective that traditional internal audit work alone may be insufficient to help organizations close their ever-widening risk exposure gap. 

3. Prioritize Integrated Risk Management (IRM)

One answer is connected risk, a modern, cross-functional approach to managing risk across the enterprise. A connected risk approach enables audit, risk, and compliance teams to work smarter through integrated risk management (IRM) supported by enabling technologies that connect teams, unify data, and automate processes — and internal audit is well-positioned to take the lead. Indeed, the CAEs we surveyed self-assess IRM as the #1 area in which they should have more responsibility. But most organizations lack IRM maturity: Only 14% report having a formal IRM strategy and approach, and a mere 4% say it’s working well.

Internal Audit Top 5 Areas of Greater Responsibility

Connected risk is a vital way internal auditors can create value that helps their organizations close the risk exposure gap. After all, if internal auditors don’t proactively and strategically help to define the profession’s evolving role, there’s no guarantee they’ll still be needed years down the road. This report will break down key insights on internal audit’s expanding remit, evolving stakeholder expectations, and the impact on the growing risk exposure gap, and provide actionable guidance on key internal audit projects to help your organization build the foundations for connected risk.

4. Address Capacity Challenges

Siloed teams, disconnected data, labor-intensive manual processes, budget and resource constraints, lagging technology adoption alongside rapidly increasing digital risk — these and other factors make closing the risk exposure gap incredibly challenging. 

Again, risk management capacity simply isn’t keeping pace with demand in most organizations. Audit, risk, and compliance teams — already stretched thin — have limited bandwidth to take on additional risk-related work or upskill teams in emerging risk areas. Further, these teams are often relying on legacy processes and technologies that limit agility, productivity, collaboration, and access to real-time information and insights. This often results in outsized efforts expended in the wrong areas, duplication of effort, audit fatigue, and different perspectives from different audit, risk, and compliance teams. How can business leaders make effective decisions when they’re getting conflicting information from their various trusted advisors? 

The solution is a new and emerging strategy for organizations to better manage risk: connected risk, a modern, cross-functional approach to managing risk across the enterprise. Connected risk solves for the risk exposure gap by breaking down silos, increasing alignment, enabling collaboration and information sharing, unifying data, and automating key processes. 

Purpose-built, intelligent technology solutions like AuditBoard help increase adoption from risk and control owners while increasing reliance, reducing audit fatigue, providing improved visibility on risks, controls, and potential weaknesses, streamlining compliance work, and enabling continuous risk monitoring — all crucial capabilities for helping organizations close the risk exposure gap. Connected risk also empowers stakeholders with the real-time data, insights, and context they need to make better business decisions and provide effective oversight.

5. Modernize Internal Audit Functions

Internal audit’s reputation for controls management will be a factor in adoption of connected risk in other parts of the organization. Accordingly, before turning your focus to helping others improve their processes, begin by cleaning up your own backyard in two key areas. 

1. Reduce Time Spent on SOX

If your internal audit function is responsible for SOX, are you doing everything you can to reduce the time you’re spending on it? As parts one and two of this article series explain, you can uplevel your function’s SOX approach by focusing on six core tenets:

  • Educate control owners to help prevent control deficiencies (e.g., training, observation, involvement in risk assessments).
  • Automate routine tasks (e.g., status updates, reporting, evidence collection, control certifications) with GRC technology. 
  • Delegate appropriate responsibilities (e.g., data collection, control testing, project management) to colleagues in Finance, Operations, or IT, or consider peer testing strategies. 
  • Eliminate work that isn’t needed (e.g., certain processes or controls for in-scope entities, certain audit reports) according to your annual SOX risk assessment.
  • Advocate for your SOX program by sharing positive control performance (e.g., newsletter) and gamifying SOX work. 
  • Increase reliance by working with the external auditor to increase their reliance on management’s work.

2. Optimize Internal Audit Activities

Again, only 13% of the CAEs we surveyed felt their functions were optimized. Ask yourself:

  • Does internal audit have an actionable strategic plan that is actively supported by working to achieve key performance metrics? 
  • Are internal audit’s efforts focused on the risks that matter?
  • Is significant time spent manually reviewing and approving test steps? 
  • Does your department lack capabilities to provide real-time reporting on testing status, audit completeness, and issue resolution?
  • Are there automated notifications and reminders to notify audit customers of items required from them, including document requests, audit surveys, and needed action plans?
  • Are audits completed by trained auditors who have the appropriate competencies and expertise? If not, are training plans developed and linked to the audit plan to ensure audits are completed by those with the needed skill sets?

By adopting these best practices, internal auditors can not only enhance their own functions but also play a pivotal role in their organization’s overall risk management strategy. 

To dig deeper into these insights and learn how to implement a connected risk approach in your organization, download the full report: Internal Audit’s Expanding Role: The Foundation for Connected Risk.


Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.