From supply chain disruptions to cybercrime; from environmental concerns to labor shortages, the list of challenges confronting most companies has evolved quickly and dramatically over the past few years and even months.
Such speedy developments are expanding the types of risks many internal audit departments must identify and assess. Given that traditional financial control and reporting risks aren’t going away, these shifts prompt the question: Is internal audit being asked to do too much? Or, is this a natural evolution of internal audit’s role?
“Internal audit’s list of core competencies is evolving,” says Sarah Fedele, U.S. internal audit leader with Deloitte. It’s possible to argue that key issues like cybersecurity, ESG, and emerging technologies are fast-becoming core competencies for internal audit, she says. “It is internal audit’s mission to provide assurance, advice, and insights on anything that could pose a risk to an organization’s success, inclusive of new and future business risks,” she adds.
Many internal auditors and industry experts say internal audit is capable of and should effectively assess the new risks confronting most organizations. The challenge often is obtaining the needed staff, training, and tools to get the job done.
“Internal audit has always had the responsibility to identify inherent risks facing their organizations, making sure their risk assessments evaluate (these risks) along with their respective mitigating controls,” says Jacqueline Breslauer, chief audit executive at Valley National Bank in Wayne, New Jersey. Some new emerging risks, however, require different skill sets to audit. “Twenty years ago, nobody was looking at cyber or ESG,” she says.
Top Emerging Risk Areas
“Cyber security continues to be one of the most prominent newer areas of risk, as it’s embedded in just about every part of an organization,” says Phil Benvenuti, senior director of internal audit with Pegasystems Inc. “It is no longer good enough for the financial and operational internal auditor to have a mere awareness level on this topic, but rather it must be considered in every facet of their internal auditing.” Indeed, cybersecurity often ranks at or near the top of just about any list of the biggest risks organizations must address.
Another growing risk area is ESG, or environmental, social and governance issues. ESG will increase in prioritization as it becomes a focus globally with boards, shareholders, and other stakeholders, Benvenuti says. As organizations are compelled to publicly describe their ESG initiatives, internal audit can verify the accuracy of claims and assure controls are in place over the reports, he adds.
Labor is another area of risk. Many organizations have struggled over the past few years to attract and retain quality candidates. “We’re offering highest pay ever and more benefits, and we still can’t get enough people, says Stephen Young, chief compliance officer and vice president, internal audit with Maclean Fogg. Internal audit will “have to pay a lot more attention to human resources and how we get and retain workers,” he says.
Similarly, the supply chain challenges of the past few years show no sign of disappearing. Prices on some shipments from Asia jumped by 25 to 30 percent, Young says. Internal audit has a role to play in assessing companies’ supply chain and contracts, he says. This may mean recommending a more diversified supply base, even if it impacts costs, and trying to include in customer contracts the ability to pass along some cost increases.
Even as new risks demand attention, existing risks remain. For instance, check fraud, an “oldy but a goody” Breslauer says, is still a growing concern, as the technology to reproduce checks is widely advanced and available, making check fraud and other fraud on the rise again.
Underfunded Internal Audit Departments
Many internal audit executives say their departments can and should assess this growing array of risks. Yet resource constraints can limit their ability to do so effectively. “Resourcing and upskilling continue to be a top concern and priority among most audit functions, given the rapid change in the risk landscape and technologies and, in many cases, heightened expectations from stakeholders,” says Cassie Putnam, a managing director in Protiviti’s Internal Audit & Financial Advisory practice.
At the top of the list is the struggle to find qualified internal auditors. “For the past five to seven years, finding a senior auditor in Dallas Fort Worth has been like finding a purple unicorn,” says Joseph Mauriello, director of the Center for Internal Auditing Excellence at the University of Texas at Dallas.
One likely reason is the declining number of accounting majors. Disciplines like business analytics are attracting students who likely would have been accounting majors a decade ago, Mauriello says.
The pandemic has also had an impact. “In general, since COVID, the labor force has been challenged by a shortage of experienced individuals and this will likely continue,” says Erica McManaman, chief auditor with Signature Bank. In addition to recruitment, audit executives “need to spend a significant amount of time around talent management as a whole, including effective retention mechanisms,” she adds.
Even many internal audit departments that are fully staffed may struggle to gain the expertise needed to properly provide assurance over many new and emerging risks. This isn’t unlike internal audit’s role with SOX and continuous monitoring of internal controls over financial reporting, Benvenuti says. But unlike with SOX, the environmental piece (of ESG) involves a knowledgebase that is very new to most internal auditors. “Getting up to speed quickly, engaging with SMEs at their organizations, leveraging contractors in this space, and continuing to keep a pulse on how these initiatives evolve will be crucial,” he adds.
Bridging the Gaps
Internal audit executives are considering multiple ways to address both the changing risk landscape and the resource constraints most face. Because assessing these new risks demands new skill sets, many internal audit departments are both co-sourcing with outside experts and upskilling their own employees.
For instance, many internal audit teams are engaging outside firms, at least to start, to help them handle ESG audits, Breslauer says. “They have the resources to do extensive research and benchmarking to help guide those organizations that must comply with the up-and-coming SEC reporting. We’ll learn from them, and then bring those skills inhouse,” she says.
At Pega, Benvenuti’s team collaborates closely with key stakeholders and experts who oversee ESG initiatives to learn about the risks and mitigation efforts. “While this is nothing groundbreaking, collaborating and demonstrating a true partnership with auditees and clients will ultimately make internal auditors more successful,” he says.
Co-sourcing can be a viable solution when it comes to cybersecurity as well, Breslauer says. The reason? It’s often costly to hire individuals with a cybersecurity background and keep them current.
Engaging outside firms can also make sense for work that doesn’t require specialized expertise. Young’s department has delegated some routine tasks that don’t require much direction to professional temp firms. These partner firms can relatively quickly make sure the resources, training, and clearances are in place, he adds.
To be sure, engaging outside workers means internal auditors also need to be effective project managers. “They really have to be on top of the outside resources we’re bringing in,” Young says. To help, they’ll identify in advance key performance measures for the audit and then will check in at various points to make sure the work is on track, he adds.
The New-Look Internal Auditor
Some internal audit teams are considering a wider range of backgrounds in internal audit candidates too. “We look to hire a diverse group of individuals with varying skillsets,” McManaman says. Sometimes this means hiring individuals with specific subject matter expertise—data analytics being an ongoing area of focus. In some cases, the focus is on individuals with a strong analytical mindset who have the aptitude to learn, she says.
Breslauer says that while her team continues to source individuals with core finance and banking skills, they’re also looking at individuals with data analytics backgrounds, as well as engineers and project managers. Addressing all the new and emerging risks requires team members who are critical thinkers and innovative, she adds.
Technology also can help internal audit meet the current challenges. “The pandemic showed the need for more technology,” says Dan Yunker, partner and internal audit leader with Crowe. While relying on sample data sets was a reasonable approach when audits were done manually, technology allows internal audit to bring the rigor of the audit to full data sets faster and more efficiently. Auditors then can focus on relating the risks to the organization’s objectives. “This is where the profession can add value,” he adds.
Ultimately, audit executives likely will combine multiple solutions as they strive to effectively manage the evolving roster of risks, Mauriello says. Technology can reduce the human capital needed for some assurance activities; co-sourcing and guest auditors can offer additional expertise when needed; and expanding the pool of potential audit candidates can deepen the skills of the internal audit staff. “There’s not one magic bullet,” he says.
Addressing these new challenges also requires strong relationships with other areas of the business, says Vicky Gregorcyk, managing partner, risk advisory services, with BDO. Most auditors impact their organization through their influence. Solid relationships and effective communication skills are key to building influence, she adds.
“Truly understanding risk, risk prioritization, and managing resources to audit against those risks are always challenges,” Benvenuti says. Particularly with small departments and as risk factors evolve, time should be earmarked to handle special requests that were not necessarily known when the plan was developed. “A good plan is one that can be changed, and it usually is!” he adds.
Karen Kroll is a finance and business writer based in Minneapolis, Minnesota.
Excellent article on the current trends and developments. Really like the solutions-based approach presented in this article. Bravo!
The old universal mantra of keeping abreast of the evolving landscape (technology and regulation) stays relevant to all times. Continous learning keeps everyone, not just the IAs, relevant and in demand.