Governance, Risk and Compliance Survey 2015
The Governance, Risk and Compliance Survey underscores opportunities to optimize compliance activities.
Grant Thornton LLP’s 2015 Governance, Risk and Compliance Survey, which has previously only surveyed chief audit executives (CAEs), expanded this year to include responses from audit committee members. By casting a wider net for perspectives, the survey, now in its fifth year, pointed to subtle signs of a disconnection between these two groups of respondents. The responses suggest that CAEs and audit committee members see internal audit priorities differently.
Asked to rank their focus on four types of risks, audit committee members cited their priorities as follows: financial, compliance, operational and strategic risks. (See Figure 1.) It’s not surprising that audit committees would be most concerned about risks related to financial controls, especially as it relates to the integrity of financial statements, considering that’s where they have the most responsibility, accountability and exposure.
On the other hand, CAEs ranked their risk focus as follows: compliance, operational, financial and strategic risks. The fact that audit committees viewed financial risks as the top risk, while CAEs ranked it third, hints at conflicting priorities.
Further data also suggested that the two parties may not be completely in sync with other priorities. Asked about the top three areas where they want internal audit to deliver value, audit committee respondents ranked “mitigating risk” first, followed by “stronger financial controls compliance” and “identifying improvement opportunities,” in that order. (See Figure 2.) Again, by prioritizing mitigating risk and stronger financial controls, audit committees signaled that they understand their monitoring and oversight responsibilities for the organization’s financial reporting.
On the other hand, CAEs ranked “identifying improvement opportunities” as the area where they believe they can deliver the most value — in contrast to the audit committee’s third-place ranking of this category. CAEs cited “mitigating risk” in the second position while compliance-related efforts — specifically, “stronger financial controls compliance” and “stronger compliance efforts in other areas” — ranked lower. These findings underscore the idea that, after a decade of considerable attention to risks and controls, including the intensive effort to comply with the financial control requirements of SOX Section 404, CAEs are eager to rebalance or even disproportionately shift activities and concentrate more on bringing a consultative approach to auditing and focusing on adding greater value in areas such as operational auditing.
CAEs were asked, “In which areas are you asked most frequently by the board and management to deliver value?” They identified “mitigating risk” as the top priority for management and boards, followed by “identifying improvement opportunities,” “stronger financial controls compliance” and “stronger compliance efforts in other areas,” in that order. (See Figure 3.)
Part of this prioritization misalignment is due to the past 10 years’ history of the internal audit profession. In the mid- to late-2000s, after three to four years of very heavy SOX 404 financial controls-related effort, which nearly dominated every public company’s internal audit function’s plans, the profession was trying to anticipate a change to more “value-added” activities and shift its activities to add greater value in other areas such as operational auditing.
Again, this response suggests that internal audit’s priorities may conflict to some degree with those of their key stakeholders. The profession also may have underestimated how much priority audit committees place on internal audit for financial controls internal auditing, monitoring and oversight. After all, internal audit is the eyes and ears of the audit committee, and if the first priority of audit committees is financial integrity oversight, then without question the top priority for internal audit should be financial controls and financial reporting monitoring activities.
Not only do different stakeholders vary in how they perceive and prioritize risks, but their sense of priorities can quickly shift along with the whims of regulatory and media scrutiny, as well as changes in the threat environment — witness the heightened concerns about data security breaches brought on by high-profile hacking incidents.
Before internal audit departments can truly have the full support of management, audit committees and the overall board, CAEs must ensure they understand and give proper attention to the sometimes moving target of stakeholder priorities. Even though CAEs may believe plans and activities should focus on the value-added work of operational audits, their stakeholders appear to have a different take on how and where internal audit is most needed. In an effort to become more in sync, CAEs should engage audit committee members in substantive and ongoing discussions about their respective priorities and how they can bridge any gaps and better serve the organization.
These discussions require frank dialogue about the barriers that may prevent internal audit from delivering maximum value. Asked what they consider these barriers to be, CAEs cited familiar concerns: budget constraints, talent quality or capacity, a heavy focus on financial controls and compliance, and the perception of internal audit within the organization. (See Figure 4.)
“Meeting compliance obligations remains a pain point for companies in a variety of sectors,” explains Warren Stippich, partner and Grant Thornton National Governance, Risk and Compliance (GRC) practice leader. “There are continued compliance requirements in highly regulated industries, combined with more scrutiny from the PCAOB (Public Company Accounting Oversight Board) over external auditors regarding the work that is being done around internal controls. The continued compliance-heavy environment makes it clear that internal audit must keep striving to rebalance priorities without leaving any key area or stakeholder group behind. With finite budgets and resource constraints, internal auditors must look toward optimizing all aspects of the work they do, including financial and compliance activities.”
Budget and staffing limitations, in particular, remain an ongoing concern for CAEs. Staff levels and budgets are not rising appreciably — 62% of CAEs said they expect their in-house resources to stay the same, and almost one-third (32%) said internal audit’s budget has not risen to allow for increased regulatory compliance efforts. Only 22% of CAEs said their budget would increase, which is down from 26% last year. To accommodate the increased emphasis on regulatory compliance, CAEs indicated that attention was drawn away from operational projects, consultative projects and enterprise risk management, in that order. (See Figure 5.)
In this survey report, we examine how CAEs can leverage various strategies, tactics and tools to help their departments gain efficiencies and derive more value from their organizations’ financial and compliance efforts — ultimately, optimizing internal audit in the process.