GovInfoSecurity.com - Information Security News, Regulations, & Education


Internal Audit 2.0 - The Evolving Role

Risk Management, Business Acumen Top the New Must-Have Skills
November 13, 2009 - Upasana Gupta, Contributing Editor

Organizations and security controls have changed, so senior management and regulators are now demanding more of internal auditors.

Beyond financial and control issues, internal auditors now are being asked to assess the effectiveness of an organization's enterprise risk management program, says Warren W. Stippich, Jr. CPA, CIA, Partner and Chicago Practice Leader at Grant Thornton, LLP.

For the past eight years, Stippich says, internal auditors spent much of their time focused on compliance with Sarbanes-Oxley (SOX). But over the past 18 months, many organizations have automated SOX processes, freeing auditors to focus elsewhere. "Internal audit function is evolving to play a role in addressing the risks facing an organization and adding value in areas of cost savings and containment," Stippich says.

As this role transforms, auditors are pushed to deliver increased value to the organizations by covering the risks that matter.

"Internal audit is starting to reassert its involvement in a range of risks that an organization is facing today," says Richard Chambers, President of the Institute of Internal Auditors (IIA). "There is a much greater broadening of the internal audit focus today, as they're looking at operational risks, compliance risks, fraud risks and overall getting into the business and strategic risk management role in an organization".

Role in Risk Management:
According to the IIA, the key role of internal audit is to "provide senior management and the board with an objective assurance and independent advice that the major business risks are being managed appropriately and that the risk management and internal control framework is operating effectively". As advisers in risks and controls, internal auditors aim to help organizations identify and assess risks, as well as help them to develop appropriate ways of controlling or mitigating these risks, says Cory Gunderson, managing director of risk and compliance at Protiviti, Chicago. In effect, internal auditors act as 'facilitators and consultants' within the overall risk management process by:

  • Aligning people, processes and systems with business strategy;
  • Giving assurance on risk management processes;
  • Giving assurance that risks are correctly evaluated;
  • Evaluating risk management processes;
  • Analyzing and quantifying risk factors in new business ventures and strategies;
  • Identifying, evaluating and reporting key risks;
  • Reviewing the management of key risks and evaluating if they are being addressed effectively;
  • Working with risk managers on the use of particular tools and techniques to help them manage risk (specific methods include techniques such as Control Risk Self-Assessment);
  • Developing risk management strategy for the board's approval.

"A major challenge for internal auditors in this role is, however, to have the necessary talent and skills to assess risks," says Joseph Wambia, CIA, CEO and managing principal of Wambia Capital, LLC, a merchant banking and investment advisory firm located in Maryland. Most internal auditors come with a strong background in financial controls and audit and do not understand the business aspect as well as the impact the organization has on overall risk management -- a critical factor in this role transition, adds Wambia.

Stippich agrees, saying that senior audit leaders have to take it upon themselves to train and retrain their internal audit staff to come up to speed with their growing role and fill the skills gap.

The New Skills
These are the skills most valued in the internal audit role today, thought leaders say:

  • Industry and business knowledge;
  • Understanding and prioritizing of business strategy and goal accomplishment;
  • Improved interpersonal skills to communicate with business units throughout the enterprise as well as with board management executives;
  • Risk management assessment and evaluation skills;
  • Building continuous monitoring techniques;
  • Fraud detection and prevention skills;
  • In-depth knowledge of IT automation of internal control environment;
  • Investing in specific certifications, including CIA, CFE, CISA, CFSA.

Companies are also rotating staff as a solution to having a diversified talent pool representing risk, fraud, business, and financial skills within the internal audit function. These organizations are hiring internal auditors from business units within the organization for a specified time, after which the employees rotate out of the internal audit department and back into other parts of the company.

