Internal Auditors Need More Support from Management

Internal auditors feel they need more visible and vocal support from senior managers within their organizations as changing demands put them under more pressure, according to a new survey.

The survey, by Thomson Reuters, found that the increasing amount of regulation, renewed focus on fraud and corruption and heightened scrutiny around risk management from executives, corporate boards, shareholders and regulators are placing greater emphasis on how the Internal Auditors function can play a role in evaluating and mitigating risk

Over 57 percent of the survey respondents indicated that increased focus on risk and control was the top challenge for Internal Auditors the year ahead. While risk management was seen as a top three priority for organizations and was one area where the Internal Auditors function’s time and resources are primarily applied, only 12 percent of the firms surveyed claimed to have robust and embedded risk management framework and resources in place.

Over 40 percent of the surveyed Internal Auditors indicated that interactions with the compliance and risk management teams were ad-hoc or were unsure of the frequency of these meetings. Many of the poll respondents see room for improvement in audit business processes and the opportunity to move to a more robust operating model.

When asked about what areas the internal audit function’s time and resources were currently applied to, 83 percent of the internal auditors surveyed listed assurance over internal control as a top three activity. IT risk and security was listed as the second priority with 44 percent of respondents.

However, when asked about what the top priorities should be for the Internal Auditors, the survey respondents listed a different set of activities. Thirty-eight percent of the respondents listed strategic level risk management as a top three issue and 30 percent indicated corporate governance as a top area where resources needed to be focused. A broadening remit, coupled with the need to adapt to changing business models, has many internal audit departments looking for new processes and tools to help address these challenges.

“Audit committee chairs and executive management alike need to understand and address the increasing scope and strain on internal audit,” said Mark Schlageter, managing director of governance, risk and compliance at Thomson Reuters. “A vital factor in easing the pressure on the internal audit function is the provision of adequately skilled resources and the ability to leverage off technology to meet the growing demands and challenges. The often under-valued task of internal auditing can be made substantially easier where senior managers visibly and vocally demonstrate support for the internal audit function and promote a culture of sound corporate governance.”

The maturity of standard business processes across a number of audit functions varied from firm to firm with more established processes such as reporting and issue tracking having robust programs in place in the majority of firms.

Even the most basic of audit processes however showed that there was room for improvement. In the case of the management of audit workpapers, only 28 percent of respondents described their process as robust or mature and almost half of the respondents (49 percent) indicated that they had a workpaper process in place but that it still needed work.

Of all of the business processes surveyed, respondents indicated that they had the highest level of maturity on reporting. Forty-one percent indicated that they had a robust, mature program in place for reporting while 48 percent indicated that their reporting processes were implemented but still need some work. Only 11 percent of respondents indicated that they had a relatively immature business process around reporting.

Risk management is one of the areas of most significant change for the audit profession and according to the survey is seen as a top three priority for organizations. Despite this, under one fifth of respondents indicated that robust and mature processes for risk assessment were in place at their firm.

When asked about how they interacted with their counterparts in the compliance and risk management function, the Internal Auditors surveyed showed an emerging yet immature connection to these other assurance functions. In the case of interacting with both teams, over 40 percent of the survey respondents indicated that these interactions were ad-hoc or they were not sure on how frequently they met. In the case of internal audit working with risk management teams, only 21 percent of respondents indicated that they met on a weekly basis. The numbers for internal audit working with compliance departments were similar with only 24 percent of respondents responding that they met weekly with their compliance counterparts.

In conjunction with the survey, Thomson Reuters also announced enhancements in its Accelus Enterprise GRC software. The latest version contains improved configuration options to enable firms to more effectively address the requirements of integrating governance, risk and compliance with risk management and compliance and policy management to meet the changing demands of their business.

Smart Forms capabilities have been expanded to enable firms to configure and design forms with specific fields and layout options that will optimize the experience of users within the organization. Panel Editing features have also been introduced to allow users to enter or update information in a grid formatted panel, to allow them to add or update information for a number of records without needing to navigate to each specific record form.



New Financial Audit Standard Encourages More Talking

New Financial Audit Standard Encourages Oversight

The Public Company Accounting Oversight Board on Financial Audit (PCAOB) today approved a standard on how to help auditors and audit committees communicate better. While Auditing Standard No. 16 (dubbed Communication with Audit Committees) still has to be approved by the Securities and Exchange Commission, the formal adoption of the rule shows the importance the PCAOB is placing on the need for better communication to improve the transparency and integrity of financial reporting by U.S. companies.

Requiring better financial audit communication is expected to help smooth out any wrinkles that might arise in advance of a company’s financial-reporting cycle. It is to the benefit of a company and its financial audit committee to hear upfront about concerns that might spring up over applying new accounting standards or about any unusual financial transactions that are outside of the normal course of business rather than when a company is about to release its earnings. It’s really putting them companies on notice that there’s a risk around financial reporting that we see emerging here.”

Under the new Financial Audit Standard, an auditor would also be required to ask a company what plans it has to mitigate a particular issue before formulating his or her conclusion, which would mark a change from current practice. “This significantly puts the audit committee into the equation and consideration of what the auditor is doing.

The auditor would also have to tell the audit committee about significant risks he or she may have identified and update the audit committee about changes he or she may have to the overall strategy of the audit. If any departure from a standard auditor report is necessary, that would also have to be shared with the audit committee.

Some audit committees may find the new communication process more helpful than others. “Audit-committee members who have had backgrounds as CFOs [and] former auditors really know what information they want and what to ask for, but other audit-committee members may not. This in a way is leveling the playing field so that everyone would get the same type of information.

The PCAOB does not have jurisdiction over corporate audit committees; instead, it would only oversee the way auditors will have to communicate with it going forward. If adopted by the SEC, AS 16 would go into effect for public-company audits of fiscal periods beginning after December 15, 2012.

The new Financial Audit standard became a priority at the board because of a perceived need to improve transparency in the entire audit process, from the development of company financial statements to the deliberations of audit committees to PCAOB inspections. PCAOB board member Jay Hanson notes that the oversight body should share as much as possible about its insights into public-company auditing. It’s clear that at least some audit-committee members are doing an outstanding job, exactly what the Sarbanes-Oxley Act envisioned, and I think part of our job is to help other audit-committee members to get to that high level. Sarbanes-Oxley requires that the audit committee be independent of company management.

The board originally proposed the standard in March 2010, and then worked on a revision at the end of 2011. AS 16 also builds on previous interim PCAOB standards that became effective in 1989, including AU Section 380, the first “Communication with Audit Committees,” and AU Section 310, called the “Appointment of the Independent Auditor.”

The new standard focuses on “communication with the audit committee, not necessarily information sent to the audit committee. “We’re mindful of this standard potentially becoming just another checklist or boilerplate exercise of going through a list of requirements. We heard from commentators who didn’t want that and we’ve been responsive to those comments.

One criticism of AS 16 lies in letting auditors communicate orally with audit committees, instead of just requiring written documentation. Despite the oral presentations, however, the auditor would still have to document what would have been in the report.

The cost to adopt the new standard, however, remains a low concern. The PCAOB says communication between auditors and audit committees can be scaled up or down to fit the size of a company.