Internal Audit: A Bright Future or Storm Clouds?

Internal Audit: A Bright Future or Storm Clouds?

The internal audit profession is at a crossroads. The profession clearly demonstrated resilience during the pandemic, and emerged as an innovative and agile resource in many organizations. However; recent research indicates that storm clouds may be brewing for the profession in the months and years ahead. 

In this episode of AuditTalk, Richard Chambers, Senior Internal Audit Advisor at AuditBoard and former CEO of The Institute of Internal Auditors, explores the strengths and opportunities facing the profession in terms of stature and the value it adds, including:

  1. Why unprecedented risk velocity and volatility have created a state of risk Bedlam.
  2. Signs that internal audit is heading toward a bright future, including resilient resources and cultivating a diversity of skills. 
  3. Ominous indicators that the future will present significant challenges for the profession, such as losing ground in reporting relationships and losing the war for talent. 
  4. How internal audit can contend with the unrelenting pressure of new risks to make sure that our brightest days are ahead.

Watch the full conversation, and read the can’t-miss highlights below.

Richard Chambers examines strengths and challenges for internal audit in today’s unprecedented environment of risk Bedlam.

We Are Living in a Time of Risk Bedlam

“In the last 24 months, we have weathered the tail end of the worst global pandemic in 100 years, the highest unemployment rate in 90 years during the depths of the unemployment numbers in 2020, the most significant war in Europe in 80 years, the poorest first-half market performance in 52 years, the highest rate of inflation in our country in more than 40 years, and the highest gasoline price as adjusted for inflation ever. That’s pretty remarkable. That, my friends, is not normal. To me, that list of milestones is all the proof we need that we’re not living in ordinary times, and if we continue to try and execute the internal audit mission as we traditionally have, we’re going to find ourselves being really ineffective at serving our organizations.”

“The only word that I can use to describe what we’re living through is Bedlam… a noun defined as a place, scene, or state of uproar and confusion. If I didn’t just illustrate a state of uproar and confusion for you a few minutes ago, then I didn’t do my job today, because what I’m trying to do is to make sure that all of us are riveted on the extraordinary times that we’re living in and the extraordinary challenges that these times are going to present to us as internal auditors.”

“Now, why is this Bedlam such a part of the world that we’re living in? … We have seen an acceleration in the velocity of risks — how fast they emerge— and the volatility of risk — how much those risks change and are displaced. We have seen a convergence of risk velocity and volatility at a rate of speed unparalleled, certainly in our lifetimes and in all likelihood in human history. There certainly have been periods in human history where over a longer period of time, maybe there was more seismic change for human mankind or for mankind or the human race, but certainly not in the rapid-fire succession that we’re living in now.”

Five Signs of the Future for Internal Audit Is Bright

1. Our Resources Are Resilient

“We have emerged from the worst of the COVID experience with our resources largely intact, and that’s not always been a guarantee when you have a macroeconomic shake-up. I’ve seen many recessions in my career, and internal audit always seemed to get hit a bit disproportionate to a lot of other functions in an organization. We didn’t see that so much this time, and that was good news.”

One of the reasons that I think internal audit didn’t get hit as hard as it might have is that there’s another decision-maker at the table. In decades gone by, decisions about internal audit’s resources were by and large made by the C-suite and the audit committee really wasn’t involved in that decision. I think now perhaps they have a little more of a voice, although we have some data that says they may not exercise their voice enough. 35% of Mid-Year Survey respondents said that their budgets in 2022 are greater than they were in 2021, even taking out the effects of inflation. And only 12% said that they had lost any staffing in the last year. And The IIA’s recent report indicated that a lot of those folks have said they lost staffing because of the impacts of the great resignation and not being able to fill the positions. I think we are in a good place for the future in terms of where we stand today with our resources. If I’ve got an uphill run, I’d always rather start from a level place than to have to get myself out of a basement.”

2. Focus on Emerging Risks

Our focus in internal audit needs to start addressing the risks that are emerging earlier on. One of the things that we saw over the last decade is how slow internal audit was to truly appreciate and embrace the challenge that cybersecurity risks presented. For years, we would hear internal auditors acknowledge that cyber risks were huge for their company, but then you’d look at what were they doing in cyber risk and it wasn’t very much. We’re seeing the same thing now with some other areas like climate change, environmental sustainability — ESG risks, if you will — human capital, diversity, and talent management. All of these areas are starting to show up when internal auditors are surveyed about their future audit plans… and that’s encouraging. It tells me that we are starting to appreciate the impact that some of these emerging risks — in some cases they’ve already clearly emerged — are going to present to our organizations. 

3. Embracing Technology

“Most surveys are in agreement on the fact that coming out of COVID, internal audit accelerated its adoption of technology because we didn’t have much choice. We found ourselves sequestered at home or in a hybrid work environment, having to get innovative about every aspect of our mission. I think in some ways, COVID probably helped us leap five years forward in terms of where we were in adoption of key technologies. Data extraction, advanced analytics tools are very, very commonplace now in internal audit functions that, five years ago, we were just hopeful that they could get there someday.”

“Cloud-based audit management and IRM platforms are now pretty commonplace. We’ve seen a real migration away from some of those legacy audit management systems that were developed back in the nineties and maybe were modernized over time by glomming on new features. We’re seeing the rise of solutions like those that AuditBoard provides, and it’s one of the reasons why I think some companies like AuditBoard have become so immensely popular with the profession. We’ve also had to use a lot of innovative techniques for communication, including video conferencing for audits and workthroughs. That embracing of technology has, I think, been a good news story.”

4. Innovation

“I think the profession is demonstrating a real quest for agility and innovation. Agile auditing has taken root in a lot of audit departments and it’s influencing everything from how we gather and analyze evidence, to the way we report audit results, to the staffing strategies that we have in place… I am one who doesn’t believe you have to formally adopt agile audit methodologies to bring an agile mindset to the table. I think agility has always been critical for internal audit, particularly when we’re in volatile times — the ability to assess a directional change and to pivot and move in that direction. That to me is something we’ve done very well these last couple of years, and gives me hope for the future.”

5. Diversity of Skills

“The World Economic Forum’s Future of Jobs Report has some very insightful information, looking at which jobs are going to be the most in-demand in the coming decade and which ones show demand declining. That report indicated that “accountants and auditors” was the fourth on the list of jobs that would be decreasing in demand. That was alarming, but I didn’t focus on that because that’s really saying if you’re outdated in the way you do internal audit, you may not be around very long.”

“When I matched the list of skills that were going to be most in demand in the next decade up against the skills that internal audit departments are recruiting for, there was a really strong match. When you ask chief audit executives what they look for when they recruit new talent, they’ll talk about people who have strong business acumen, people who understand how to do data analysis, intellectual curiosity, creative thinking ability, strategic mindset, the ability to do organizational analysis, and strong risk acumen. Those are the things that are being recruited for internal audit, and those are the skills that are going to be most in demand in the next decade, which tells me that this is going to be a very popular field for people to migrate to as we move through the remainder of the 2020s.

Five Signs the Future for Internal Audit Is Stormy

1. Losing Ground in Reporting Relationships

“We saw right after the passage of Sarbanes-Oxley 20 years ago, a real rapid rise in internal audits reporting relationships. We saw a lot more audit departments getting a functional reporting relationship to the audit committee. We saw more audit departments starting to move up and have a reporting relationship to the CEO. Yet, I look at statistics today and I sense that we’re regressing. In fact, The IIA’s Global View report that came out earlier this year gives me real concern. 76% of internal audit functions and publicly-traded companies report administratively to the CFO… in the US, only 13% of internal audit departments work for the CEO. The rest of the world shows that 65% work for the CEO. Now, there are those who take a different point of view. They believe that working for the CEO is not that great, that CEOs don’t have time to support internal audit like the CFOs do, but I think at a minimum, having internal audit work for the CFO creates the appearance of an objectivity impairment. I’m not saying that it automatically means that internal audit is impaired by working for the CFO. The IIA standards permit it. But I have joined a chorus of others who say the ideal reporting relationship for internal audit administratively is to the CEO, not the CFO, but the point is, there’s something very, very different about the way the profession is organized, particularly in the US versus other parts of the world.”

“Overall, in the Mid-Year Snapshot Report, we asked, “Who has a high degree of influence on internal audit’s budget?” And 52% said the administrative line. Only 27% said that the functional line, the audit committee or the board, has a high degree of influence on internal audit’s budget. One could say that the CEO and CFO are going to help internal audit formulate its budget, everybody will be in agreement, and it will get submitted to the audit committee. I’m just troubled to see the functional reporting line having such a small degree of influence on the budget for internal audit. To me, it indicates that maybe we haven’t progressed as far as we thought we had in terms of our independence in the organization and our ability to maintain objectivity.”

2. Diluted Responsibilities

“Over the last 20 years, there has been a proliferation of responsibilities assigned to internal audit, and it showed up in some of the surveys that were done over the last few months, particularly The IIA’s 2022 North American Pulse of Internal Audit. 60% of publicly-traded companies said they were responsible for SOX program management in their company. 41% of those in publicly-traded companies say they are responsible for ERM. That doesn’t mean that it’s one or the other, some of them may have both. 17% said they’re responsible for the compliance function.”

“I understand the need to dual hat internal audit on occasion, but I have also said that every time you add another hat to internal audit, you obscure its vision. That is, the more things you have internal audit responsible for, the more difficult it is for internal audit to be able to go back into those areas and provide any kind of assurance. If you have given it the SOX function, the ERM function, the compliance function, the corporate ethics function — the more responsibilities you assign to internal audit, the less effective it is at being objective enough to address all the risks in the organization.

3. Inadequate Resources to Address Risks

“This is not contradicting what I said earlier about being fairly resilient — that means we’ve got as many resources as we had two years ago. Now I’m saying that there’s evidence that may not be enough resources in a lot of organizations. In fact, only 61% of North American chief audit executives believe they have sufficient budgets. And frankly, I would say that a lot of them are — to use an old expression when I was a kid — ‘whistling past the graveyard,’ not acknowledging that really they probably don’t have sufficient resources.”

“I have long said audit committees shouldn’t be asking the question, ‘Do you have an adequate budget? Do you have the resources to carry out your mission?‘ Audit committees should be asking, ‘what are the top risks that you cannot audit because you don’t have the budget or the resources to do so?’ That puts the question in a very different light, and it allows the chief audit executive to be forthcoming. It allows the audit committee to assess whether they have the risk appetite to not have those risks covered because internal audit doesn’t have adequate resources.”

4. Declining Confidence on Emerging Risks

“When I asked the question late last year, ‘What are the biggest strategic risks facing internal audit?’ I had almost 1000 responses to that LinkedIn poll. The second biggest strategic risk to internal audit was that we miss emerging risks in the coming decades, that we don’t get better at anticipating the risks that are going to bring the carnage tomorrow. We know all the things that have happened over the last 18 months. What is sitting out there just beyond the edge of your screen? What are the next few months going to bring?”

5. Losing the War for Talent

“I think we may be losing the war for talent. In a LinkedIn poll I ran a few months ago, more than 50% said they have vacancies more than three months old. When you have positions that are vacant for that long, you really have structurally reduced the size of internal audit, because I may as well not have the positions. That is a critical challenge. Add onto that a few demographic statistics, 89% of chief audit executives in this country were born before 1981. Certainly, I was born before 1981 — I was an internal auditor in 1981 — but what I think we’re seeing is that we have CAEs in many instances who are trying to recruit talent from the ranks of millennials and even Gen Zs who have a very different philosophy and outlook on their careers and on what they want to attain.”

“In the Mid-Year Snapshot we ask, what are the most successful strategies you have for recruiting and retaining talent? Number one, offering remote work options. That is the number one successful strategy for hiring and retaining talent in 2022 in internal audit. Number two, varying the types of assignments. Number three, offering flexible work conditions. Number four, devoting more CAE time to recruiting and staff engagement. Number five is compensation and benefits — this is the one that the CAEs of my generation and younger would have expected to attract talent. The times, they are changing, as Bob Dylan says, and I think there’s no place where that’s more evident than in the war for talent.”

2024 Focus on the Future Report

Our Actions Today Will Ensure That Our Brightest Days Lie Ahead

“We’ve had risk volatility for a long time, but I think risk Bedlam is a new phenomenon — it’s volatility on steroids. And if we continue to see the kind of events we’ve seen over the last 24 months — not even counting COVID — we’re going to have a challenging time as internal audit professionals maintaining a dynamic risk-centric audit plan. I think assessing risks and maintaining those plans has never been more challenging than it is today, but I do think there are signs that some of our most successful days are ahead.” 

“I think we all have our work cut out for us, but at the end of the day, we can be advocates. We can be champions. We can be out there standing on the hilltop, talking about how great internal audit is, but it’s not until the rubber meets the road in your internal audit department and you’re serving your key stakeholders that our case can be made. The future is really in our hands. I would encourage everyone here on this call and throughout the profession to take it upon ourselves to make sure that our brightest days are ahead.”

Looking for more thought leadership? Check out our on-demand webinar library, and stay tuned for more AuditTalk videos featuring audit community leaders about industry issues, insights, and experiences.