Internal audit practitioners across the globe are bearing the brunt of shifting regulation, particularly in financial services, according to Thomson Reuters research. The focus of internal audit practitioners’ roles is changing dramatically, and resources are being stretched, as the function is taking on increasing responsibility for company-wide corporate governance and reporting to the board.
Mark Schlageter, managing director of Governance, Risk & Compliance at Thomson Reuters, said:?”Changes driven by the financial crisis and implemented in the first instance by the financial services sector will, in time, permeate all sectors and set the standard for risk governance and the expected role and remit of the internal audit function.”
Regulatory impact on internal audit
Historically, internal audit has focussed on process-level risk assessment and assurance. The recent spate of financial scandals involving banks conducting fraudulent activities, however, has created a more risk-averse environment. This has resulted in greater regulatory oversight, as well as an increased need for risk-based assurances to be provided to the board and senior management.
Internal audit practitioners nominated fraud and corruption as their top areas for time and resources. Additionally, there has been a shift in focus towards ‘softer’ skill sets, such as monitoring activity, which rose from eight per cent in 2012 to 18 per cent in 2013. This highlights that certain activities, once the domain of other functions within an organisation, are now being handled by internal audit.
But this shift also means that less time is being spent on other areas, such as IT security and risk. Resource constraints also mean that priorities for the internal audit”function are not always able to be met. Strategic level risk management, for example, came near the bottom of internal auditors top three concerns. When asked what the top priorities should be, however, 36 per cent stated its importance.
Reporting to the board
The Basel Committee on Banking Supervision’s revised supervisory guidance’states that a bank’s board of directors should support the internal audit function by effectively discharging its duties.
The survey found that in 61 per cent of organisations, the audit committee only reported to the board on a quarterly basis. This underlines the need for internal audit to improve its understanding of regulation and proactively engage senior management to identify and manage issues. In addition, internal audit needs to develop improved channels of communication with the board, ensuring that an efficient internal control system is in place to prevent risk and reputational damage.
Communication with other risk and control functions
Companies increasingly need more coherent and consistent risk reporting with input from internal audit, risk and compliance functions alike to ensure adequate coverage of all relevant risks.
Half of respondents viewed their organisation’s risk management function as immature, in development or non-existent. Their poor opinions could be attributed to organisations using well-established IT packages that are core to a company’s corporate culture, instead of bespoke IT audit packages which will require staff training.
By regularly working with other functions, internal audit practitioners can increase their knowledge base, maximise resources and help to present the board with a more complete picture around risk management.