Companies can improve their risk management by employing a connected risk approach that leverages the expertise of internal audit teams

Over half of key stakeholders, including audit committees, company boards, and chief financial officers, are looking for internal audit teams to take on more risk-related work, according to new research.

The study, carried out by AuditBoard, revealed that these expanding expectations are coming at a time when Internal Audit has limited bandwidth for advisory-related services.

The report says that this increasing risk demand and insufficient risk management capacity are creating a risk coverage gap for businesses.

The impacts of this include:

  • damaging financial and reputational impacts
  • penalties from noncompliance with regulations (averaging $14M per non-compliance event)
  • lost revenues or market share from third-party risk incidents (averaging $1B per third-party incident)
  • material weaknesses that can lead to losses in market value and investor confidence.

The most critical impact, however, is also the most common. In most organisations, management simply isn’t getting the information needed to make risk-informed decisions and drive business value.

The role of internal audit

The report examines where internal audit could be deployed to help shift focus to value-added, risk-related activities.

Key findings include:

  • Internal audit’s responsibilities have expanded in key areas: Internal Audit’s remit is expanding as organisations increasingly look to leverage the function’s risk and controls expertise to help respond to today’s highly volatile risk landscape.
  • Information security control testing appears to be growing in practice, with 82% of chief audit executives (CAEs) involved in some capacity and 44% either owning or heavily involved.
  • Continuous monitoring deserves greater internal audit focus. Only 28% of CAEs either own or are heavily involved with continuous monitoring of a key process, but 60% of surveyed auditors have some level of involvement in ERM — and 40% have no involvement whatsoever.

More than half (55%) of CAEs indicate that their administrative reporting managers (typically CFOs and CEOs) have asked internal audit teams to be involved in more activities in the past two years, including ERM, ESG, governance, operational initiatives, and quality assurance.

Integrated risk management (IRM) was CAEs’ top response for where they should be more involved, followed by enterprise risk management (ERM). Notably, however, IRM is not reflected in auditors’ top existing responsibilities, even though it was an answer option.

Tom O’Reilly, field chief audit executive and connected risk advisor at AuditBoard, said: “I personally see internal audit being the best positioned in many organisations to be the catalyst and champion of their connected risk strategies.

“Just like internal audit has been tapped on the shoulder for SOX in the U.S. and now the UK Corporate Governance Code because of their controls expertise, internal audit is being sought after to architect their organisation’s connected risk approach because of their enterprise-wide expertise of their GRC environment.

“Our survey revealed that management and the Board want more risk work from internal audit, and at the same time, internal audit believes they can play a bigger role in their organisation’s risk management efforts. I predict, and we are already seeing, connected risk being the most impactful area internal audit lead from the front of their organisation.”

Risk has a long way to go

The report found that risk management maturity is lacking in most organisations.

While surveyed CAEs identified integrated risk management (IRM) as their top area for increasing responsibilities, 96% said that their organisations lack mature IRM programs and a shocking 11% report having no IRM strategy whatsoever, with audit, risk, and compliance functions working independently.

51% of organisations know IRM is needed, but have no cohesive strategy for it.

Another 24% have no formal strategy, but say they’re actively working toward connecting audit, risk, and compliance functions.

O’Reilly said: “The easiest way companies can improve their risk management capacity to help close the gap between rising risk demands and limited risk management resources is to employ a connected risk approach — proactively seeking to centralise data, teams, and workflows to improve the culture of risk management across the first line, which will better serve executive decision-making and the board’s oversight responsibilities.