Chief audit executives (CAEs) report to an audit committee of a public company’s board of directors, so it is critical that they are in tune with the concerns of board members and the C-suite. A recent analysis, however, reveals a divergence in risk perception that must be addressed if audit functions are to succeed in their expressed desire to serve their organizations in a more consultative capacity.
The 2019 Top Risks survey by Protiviti and North Carolina State University’s ERM Initiative found that CAEs, despite their broader ambitions, remain focused primarily on traditional operational risks, such as financial risk, infrastructure and cybersecurity, while CEOs and board members are more focused on strategic risks, such as disruptive change, customer loyalty and the regulatory environment.
The perception of internal audit departments, historically, has been that they are always working from past information and trying to caution against similar mistakes in the future. These survey results reinforce that perception. To move forward, CAEs need to start talking about trends: What new threats loom on the horizon, and how prepared is the company to avoid them or adapt to the change?
If internal auditors want to be taken seriously as strategic consultants, they need to spend more time thinking strategically and worrying about the same things board members and executives worry about. This is a topic that has been discussed within the internal audit community for more than a decade. I’ve seen significant progress in that direction, but, based on this year’s survey results, there’s still a long way to go.
Some of the areas where internal auditors are expected to add valuable insight include:
- Market risk and the pace of change
- Macroeconomic conditions, and what effect they might have on business
- Third-party and supply chain risk
- Changes in customer loyalty patterns
- Product development cycles and how they compare against industry benchmarks
- The use of big data and data analytics to predict consumer and vendor behavior
Big data, process automation and data analytics will play increasingly important roles in freeing up time for more strategic insights. As a result, the auditor of the future is going to require new skill sets to translate an increasingly overwhelming amount of data into meaningful analysis.
The notion of what it means to be an internal auditor is changing, but change can be both exciting and scary. While there is undoubtedly comfort in the routines of the past, the only true security lies in the audit function’s ability to adapt to rapidly changing stakeholder expectations, align themselves with the strategic concerns of the board of directors and the C-suite, and become comfortable with the new normal of being uncomfortable, all while learning and adapting at the pace of change.