A new survey on the state of the internal audit profession finds that companies are investing in internal audit again, if only slightly, and working to return to normal on the back end, fingers crossed, of the pandemic. The overall message of the report may well be that only incremental change has come to internal audit in the last year.
“In general, damage control in response to the pandemic’s initial wave has subsided, with the percentage of functions cutting budgets and staff nearly returning to pre-pandemic levels,” the Institute of Internal Auditors noted in a statement announcing the publication of its 2022 North American Pulse of Internal Audit: Benchmarks for Internal Audit Leaders report, released earlier this week.
The report finds that the number of respondents who experienced an increase in the internal audit budget grew slightly, from 20 percent in 2020 to 24 percent in 2021. But the bigger story was on the other end of the spectrum, with far fewer internal audit departments seeing budget cuts. In 2020’s report, in the depths of the pandemic, 36 percent said they experienced cuts to the internal audit budget; however, only 18 percent said the internal audit budget declined in 2021, when the survey was conducted. The majority (58 percent) said that budgets were unchanged. Those numbers likely reflect pandemic-related changes, such as cuts to travel and live training that pushed budgets down in 2020 but still haven’t returned to pre-pandemic levels well into 2021.
Staffing Mostly Unchanged
Internal audit staffing was largely left unchanged in 2021, with 67 percent of chief audit executive and audit leader respondents reporting no change in the number of auditors on their teams. Only 12 percent said the number of staff declined, and 21 percent increased the staffing of their teams. Publicly traded companies were most likely to increase budgeting and staff, with a third of audit leaders at such companies reporting an increase in the internal audit budget and 31 percent reporting new hiring. Non-profits were most likely to experience cuts to budgets and staffing, with 25 percent reporting belt tightening.
The report’s authors indicate that while budgets were growing “sluggishly,” that may begin to accelerate into this year and beyond, as the pandemic subsides. “Organizations must prioritize internal audit investments in order to meet the growing demand for environmental, social, and governance (ESG) assurance and address boards’ and executive management’s concerns about new and emerging risks,” they stated.
If chief audit executives (CAEs) had access to more funding, nearly half say they would spend it on adding staff. The second most popular response is investing in technology, and of those who chose “technology,” 68 percent say they would invest in data analytics software. The growing demand for data-driven analysis, alternative work-from-home models, and the need to provide assurance over nonfinancial disclosures demand prioritization and investment in technology, the survey concluded.
“Pulse 2022 makes clear the importance of organizations investing in internal audit to meet today’s challenges and emerging risks,” said Anthony Pugliese, president and CEO of the IIA. “This year’s report also highlights the need for organizations to support technology and automation to allow internal audit functions to focus on tasks that add more human value, including analysis of emerging issues such as cybersecurity and ESG,” he said.
Tech Issues Dominate Risks
When asked about the biggest risks facing their organizations, internal audit leaders cited risks related to technology at the top of the list. Indeed, the top three risks involve technology. Cybersecurity, which has held the top spot on nearly every list of the biggest risks for years now, was once again the leading concern, with 85 percent of audit leader respondents citing it as a “high or very high” risk. General IT and third-party relationships followed, with 61 percent and 55 percent of respondents putting them in the top risk category, respectively. The report’s authors noted that third-party relationships often include those with IT service providers.
“As in previous years, technology was a common component for risk areas that respondents rated as high or very high risk. Cybersecurity, IT, and third-party relationships rated as the top 3 risks,” the report’s authors write. Compliance and operational risks rounded out the top five.
For the first time in the survey’s history, sustainability (ESG) and nonfinancial reporting risk levels edged upward, especially for publicly traded companies. But the boost is not yet seen in audit plans, the report finds. Indeed, the survey showed that what internal audit respondents cited as the top risks aren’t always reflected in how they allocate resources in the audit plan. For example, while cybersecurity ranks as the top risk, it only ranks third in terms of allocated audit plan resources, although that reflects an increase from prior years. Financial reporting figures near the bottom of risks that concern internal auditors, yet it is near the top in terms of allocated audit plan resources.
Said IIA’s Pugliese: “These are exciting times for our profession. With good data in hand and appropriate resources, the modern independent internal auditor is well equipped to help the organization meet today’s rapidly evolving challenges.”
The report is available for download on the IIA’s website.
Joseph McCafferty is editor & publisher of Internal Audit 360°