Mind of Jacka: What Lies Beneath the Pulse

I just finished reading and synthesizing some of the material within the 2025 North American Pulse of Internal Audit report — proof of my nerdhood; I enjoy this annual report. As usual, the report is very good and contains some interesting stuff. But, of course, pure numbers represent data, not information. So, let’s dig in and put some of the pieces together to see what might be buried between the lines. (Ah, mixed metaphors; I’ve missed you the most.)

Let’s start with one that always grinds my gears. When asked “What is the primary administrative reporting line for the CAE,” 35% of respondents said they reported to the CEO. That is not good enough. This is an area where no quarter should be given. Auditing must have the ear of the CEO. The best way to accomplish this is for auditing to report directly to that CEO. The minute we report to a “lesser” C-suite position is the minute the dialogue with the CEO begins to die. Further, the status of our department within the organization also drops. Important enough to report to the CEO? People will listen. Not that important? Well, they might listen.

Three more (relatively) quick hits about the audit department’s administrative reporting. First, more departments report to the CFO (43%) than the CEO (35%). That is a quick road to skewed audit work. Multiple studies (you’ll have to trust me on this; I swear I had them on me a minute ago) show that departments reporting to the CFO do a much greater percentage of financial audits. Not necessarily the highest risk audits, just higher-risk financial audits.

Second, 18% of CAEs are reporting to “other executive leadership.” This is even scarier. The report doesn’t describe what that reporting is, but lots of questions are raised by that response. I was talking to an auditor whose department previously reported to the CEO but changed their reporting to the COO. In our discussion, he responded that it would be good because the CAE got along with the COO better than with the CEO. There’s lots of worms in that can, but I simply asked, “What happens when there is a new COO, one who does not like auditing? Does the reporting relationship get kicked further down the food chain?”

Third, 4% report to the audit committee. Again, hard to tell what this means. But, in general, this is a waste of the audit committee’s time and could lead to rubber stamping that does not provide accurate oversight of internal audit.

Next are the fascinating results regarding attendance at audit committee meetings. Good news, 87% said they attended all committee meetings held in the past year. Wait, did I say good news? Yes, there might be reasons why one or two individuals had to miss a meeting — life happens. But 8% missed one or two and 5% missed three or more!?!? (I can’t put enough questions marks and exclamation points after that last stat.) It is the audit committee. They are our bosses. It is imperative that we are there. And when we start missing meetings, we miss being a part of what is going on. Also, it would be interesting to know what caused these meetings to be missed. Did the audit committee even notice internal audit was missing? Worse, did the committee ask them not to attend? And is this a function of the reporting structure discussed above? Issues pile on issues.

A real quickie: When asked “To what degree has internal audit at your organization implemented the following technology tools and approaches?” 57% rated their implementation of audit management software as high or advanced. What is going on with the other 43%? Shouldn’t this be a no-brainer? Shouldn’t everyone have closed this gap? Shouldn’t this barn door have been closed a long time ago?

Moving on. It is actually good to see that, when asked about the most critical skills for internal auditors in the future, the top-rated skills were adaptability and learning agility and strategic thinking and business acumen. Yes, IT and cybersecurity were right up there, as they should be. But CAEs seem to recognize that there are more important things in life. (I am heartened to see the number one area was adaptability and learning agility. That is the only way the profession will be able to address future issues. Now, let’s see if the CAEs actually do something about this.)

Okay, there’s a lot more I could say about other stats in the report regarding such things as IT, cybersecurity, training, and another of my pet peeves, the U.S. Sarbanes-Oxley Act of 2002 (SOX). But let’s move on to what I think are the most important/troubling/downright scary stats.

“Section 1: Management” leads with the headline “Alignment with organizational strategy and internal audit funding were strongly correlated.” Well, that seems pretty obvious. To get sufficient funding, internal audit has to prove its value. To prove its value, it must provide impactful findings, assurance, and operations. And to be impactful, internal audit needs to be in alignment with the organization’s strategy.

But then the second chart in that section shows the jaw-dropping result which may explain why internal audit still struggles to be relevant in so many organizations.

“To what extent do you believe your internal audit function is aligned with the strategic plan of your organization?” As I just said, alignment leads to impactful work. Therefore, the role of strategic alignment in internal audit’s success should be a top priority for any internal audit operation. Accordingly, we should all expect a strong correlation in these results.

Bad news. Almost fully aligned: 36%; Somewhat aligned: 39%; Minimally or not aligned: 7%. Do the math and you will see that a meager 18% — 18%!?!? — consider themselves in full alignment with the organization’s strategic plan. (Once again, I am unable to supply sufficient exclamation points and question marks.) Some of you might think that having nearly 40% almost fully aligned is good. But I would argue that this is not an area where we can allow any wiggle room. It’s not like we’re all new to this. Audit departments have existed for a long time. So why can’t they make the jump from “Almost” to “Fully”? We can’t wait any longer. How can only 18%, less than one in five, not be fully aligned? How can there be any gap between what internal audit is doing and what the organization is doing?

You want to know what is wrong with internal audit? There it is. For whatever reason — a lack of trying, access, or understanding — internal audit departments are not fully aligning themselves with the organization’s strategic plans.

No wonder the C-suite thinks we’re out of touch, thinks we don’t understand, and thinks we don’t care.

And I’ll throw in one more thing. Another part of the report shows that 47% of internal audit departments are also responsible for fraud investigation, 36% for SOX, 33% for ethics, and 32% for enterprise risk management (ERM). In fact, the headline reads “Almost 90% have at least one area of responsibility outside of internal audit.”

Over 80% of internal audit departments are not fully aligned to the organization’s strategy, and yet they are responsible for other operations. Does that mean that those operations are similarly out of sync? For example, if one-third are responsible for ERM, yet 80% are not in alignment, what does it say for the accuracy and success of the organization’s ERM activities?

I hear you out there. “Nay, Nay — not me.” And I say, “Yeah, yeah — you.” And I also say, “Prove it.” I don’t mean prove it to me; I’m nothing in all this. Prove it to yourself. Don’t take the answers for granted. Prove it. Prove it in an annual review. Prove it in a monthly check-up. And prove it daily in what you say, how you act, what others say, and how they act around you.