Data from the past year revealed concerns that internal audit and its stakeholders must address heading into the future.
Five Important Insights for Internal Audit From 2019
Jim Pelletier, CIA, Jan 02, 2020
I have worked at The IIA for more than six years, and the experience has been incredible. With help from an amazing network of volunteers, we have built a powerful team of experts to support, guide, and advocate for internal audit professionals around the world.
The internal audit profession continues to evolve, and 2019 was a particularly insightful year. Our exploration into the future of the profession yielded a treasure trove of important findings for internal auditors to leverage. Looking back, here are my top five insights gleaned in 2019.
Boards Are Overconfident and Dissatisfied With the Information They Receive
OnRisk 2020, The IIA's new flagship report, found that boards consistently rate their organizations' capability to manage risks higher than executive management views it. This demonstrates a clear gap between what management believes and what it communicates to the board.
According to the 2018–2019 NACD Public Company Governance Survey, "53% of directors indicate that the quality of management reporting to the board must improve, suggesting boards need better — not more — information from management." Internal audit should play an important role in addressing this issue. Unfortunately, 60% of chief audit executives (CAEs) say they rarely or never provide assurance on information going to the board. To avoid being caught off guard by developing risks, boards need to leverage the expertise of their internal audit functions.
Misalignment Between the Board, Management, and Internal Audit
Another key insight from OnRisk 2020 was that board members and management believe there is a "healthy" level of disconnect among CAEs, the board, and management. While I can understand that levels of personal knowledge regarding different risks will vary based on the individual and his or her role, misalignment on the organization's capability to manage that risk should be unacceptable. The three key players in risk management — the board, executive management, and internal audit — must have transparent, direct conversations about risk. Misalignment will only lead to someone being caught off guard when something goes wrong or when a significant opportunity is missed.
Long-term Strategy Remains a Victim of Short-term Interests
In the 2019 North American Pulse of Internal Audit survey, only 24% of CAEs strongly agreed that management evaluates issues based on long-term impact. This was reinforced in the release of The IIA's new American Corporate Governance Index (ACGI). Tied for the lowest rating in the index was the statement, "Your company is not willing to sacrifice long-term strategy for the benefit of short-term interests." To be clear, CAEs responding to the ACGI survey gave the lowest ranking to a statement that says their organizations don't sacrifice long-term strategy for short-term gains.
There are many reasons for this. Among them is the natural human tendency to value immediate rewards rather than waiting for something greater. More concerning, the ACGI survey data shows that more than one-third of board members are unwilling to challenge the views of the CEO. In combination, these two data points should worry anyone concerned with an organization's long-term sustainability.
Independence Drives Stronger Governance
The ACGI offers another important insight. The research finds that independent boards drive stronger governance. For years, many have argued that a combined CEO–chairman role represents a risk to effective governance practices. The ACGI data did not find any statistical differences in governance scores between companies with and without the combined role. Instead, survey data showed that the ACGI score is stronger among companies with a higher percentage of independent board members.
I believe the same applies to the independence of the internal audit function. When the board takes its oversight responsibilities of internal audit seriously, a stronger and more effective internal audit function is the result. When the board shirks these responsibilities and pushes internal audit down under management, you end up with an internal audit function with a very different focus.
The Cybersecurity Effort and Knowledge Gap
In the Pulse survey, 82% of CAEs state they should be expending significant or extremely significant effort on cybersecurity while only 46% say they actually do. This difference identifies a troubling "effort gap." Internal audit's role in cybersecurity is further complicated by OnRisk 2020 data that shows CAEs are far more confident in their organization's capability to handle cybersecurity risk than both management and the board.
We know that a good portion of the cybersecurity effort gap stems from a scarcity of expert talent in this area. More than half of CAEs identify a lack of cybersecurity expertise among internal audit staff as having an extremely or very significant effect on internal audit's ability to address cybersecurity risks. Further, more than 4 in 10 CAEs identify a lack of cooperation or communication from IT and a lack of support from executive management as having an extremely or very significant effect.
That said, evidence also points to the likelihood that CAEs are shying away from tackling a risk that they are less comfortable with and are relying too heavily on what others are saying. Given the likelihood and impact associated with cyber risk along with a strong focus from boards, internal audit needs to significantly raise its game.
While significant, these insights are just the tip of the iceberg. I encourage you — if you haven't already — to read through the Pulse of Internal Audit, OnRisk 2020, and ACGI. Thank you all for contributing to a great 2019. I look forward to the next steps we'll take in 2020.