Grant Thronton conducted a US based survey of Chief Audit Executives (CAE) to find out the developments in internal audit department (IAD) functioning. The report – Looking to the future: Perspectives and trends from internal audit leaders – Chief Audit Executive Survey 2011 in informative and is a good read for risk managers across geographies. Most of the issues raised in the survey are applicable to quite an extent to Indian internal audit departments. I am highlighting some of the common points below.
1. Size of Departments
Of the 300 CAE’s participating in the survey, 75% relied on 10 or less employees and just 8% employed more than 25 employees. Secondly, 63% of the respondents stated that all internal audit activities are performed in-house. Just 2% have outsourced the internal audit function completely. The third aspect mentioned in the survey is the growing trend to focus on operational and compliance risks besides the financial risks. Of the total time available with IAD, 36% is allocated to operational risks and 33% of compliance risks. Ideally, under these circumstances the IAD size should increase. However, 73% respondents have stated that the size of the department will remain the same in 2011.
The survey is focused on number of internal audit staff. It does not give details on the size of the organization in revenues or staff strength. As the third dimension is missing, it is difficult to assess optimum staffing of internal audit departments. A number of additional factors influence the size and structure of internal audit departments. Major contributors for determining size of IAD are – industry the organization is operating in ( example, banking is more audit intensive), mission and objectives of IAD, governance structure, maturity of risk management processes, technology used by IAD, salary cost of auditors and audit committee expectations. Most of these components are not analyzed in the survey. Hence, in my opinion though the data provided in the survey is interesting, it does not facilitate in making an informed decision.
2. International Focus
With globalization IAD in US are either providing supervision or directly conducting assignments in different geographies. In the survey, 39% of the CAEs stated that some internal audit activities are being done outside US. Of this, 48% of CAEs stated that 25% of the work is performed in BRICS countries. Hence, the survey results emphasize the growing importance of emerging markets.
The survey highlights two other interesting aspects. Results indicate that 85% of US staff travels to other countries to conduct assignments. However, the survey hasn’t given any information on the IAD work being done by BRICS or other countries for the US team. For example, US companies outsource SOX compliance work to Indian business process outsourcing organizations. This work is quite substantial and reduces cost of US IAD department. Organizations have to watch out for the trend of IAD outsourcing testing and data analytics work to other countries and focusing instead on strategic risks.
While work is outsourced, the IAD structure continues to be complex. The survey indicated that 69% of foreign internal audit personnel do not report directly to CAEs in the U.S. This data shows that IAD teams are still not globally integrated. This could be the weakest link for IAD of multinational organizations. There may still be hurdles in sharing best practices, skilled resources, and maintaining independence of local audit teams.
3. Use of Information Technology
While use of technology is taken for granted in most fields, IAD are still lagging behind. In the survey 44% of the respondents stated that GRC specific technology is not used optimally. Secondly, automated technology that facilitates GRC processes are used in just 54% of the organizations although 68% stated they are using data analytics. Auditors don’t sppear to be in love with information technology and that is not a good sign.
The GRC software enables audit planning, conducting tests and analysis, preparing work papers, dashboards and reports. The CAEs using GRC software reported that data analytics alone helped then improve audit processes, identify trends and increase audit coverage.
The results clearly present a strong business case for using technology in IAD functions. In countries as in India, where annual salary cost of auditors are low in comparison to cost of automating, the hesitation to use technology is higher. However, reliance of manual auditing processes reduces efficiency and quality of audit. Hence, with increasing complexity on GRC functions, IAD should be gunning to use technology for their work.
The survey has raised excellent points relating to board relationships, internal auditors career paths, risk management and focus on fraud investigations. If you are planning the audit strategy for the next quarter, read this report. While some aspects look like old wine in a new bottle, some give fresh insights and may give clarity in thinking.