Key stakeholders such as audit committees, company boards, and chief financial officers are increasingly relying on internal audit teams to take on more risk-related work, a recent study by AuditBoard has revealed. This new expectation comes at a time when internal audit teams are already stretched thin, leading to a growing risk coverage gap within organizations.
The ever-changing and unpredictable nature of economic, geopolitical, regulatory, and cyber risks means that companies need to be proactive in managing these risks to avoid significant negative consequences. Failure to effectively manage risks can result in financial losses, reputational damage, regulatory penalties, and other costly repercussions. However, many organizations struggle to gather the necessary information to make informed decisions and drive business value.
To address these challenges, the report suggests that internal audit teams need to reallocate their time and resources towards value-added, risk-related activities. Currently, internal audit teams are focusing primarily on information security control testing, with a growing emphasis on continuous monitoring and enterprise risk management (ERM).
Furthermore, internal audit teams are facing changing expectations from their stakeholders, with 55% of Chief Audit Executives (CAEs) saying that their reporting managers have requested increased involvement in activities such as ERM, ESG, governance, and operational initiatives over the past two years.
Despite the increasing demands on internal audit teams, most organizations still lack mature Integrated Risk Management (IRM) programs. The majority of organizations have yet to fully integrate their audit, risk, and compliance functions, although only 11% report having no IRM strategy at all. This lack of maturity in risk management highlights the need for organizations to adopt a more comprehensive and connected approach to managing risks across the enterprise.
Tom O’Reilly, Field Chief Audit Executive and Connected Risk Advisor at AuditBoard, emphasized the importance of organizations adopting a connected risk strategy to better manage risks. With internal audit teams possessing a wide range of risk and compliance expertise, as well as deep cross-functional relationships, they are well-positioned to take the lead on connected risk initiatives within organizations.
In conclusion, internal audit teams are facing increasing demands to take on more risk-related work to help organizations navigate today’s volatile risk landscape. By reallocating their focus towards value-added, risk-related activities and adopting a connected risk strategy, internal audit teams can play a crucial role in helping organizations effectively manage risks and drive business value in the long run.

