Stakeholders demand increased internal audit involvement in risk identification and management
NEW YORK, March 20, 2012 – Businesses are facing more risks than ever before and the consequences are quickly become apparent, according to the 2012 PwC State of the Internal Audit Profession study. Global economic uncertainty tops the list as the biggest perceived risk to companies in 2012, as ranked by nearly three-quarters of stakeholders and chief audit executives surveyed. Yet, other significant risks also have emerged and businesses are asking internal audit to play an increased role helping companies navigate the rapidly changing risk landscape.
While concerns about further economic uncertainty continue to be top of mind for business leaders, issues such as fraud and ethics, mergers and acquisitions, large programs, new product introductions, and business continuity were identified among the top risks impacting businesses. Data privacy and security is now the single most requested area for increased internal audit focus with 46 percent of stakeholders asking for added capabilities in this area. With regulation escalating and evolving, regulations and government policies is the second largest requested area for increased focus, with 32 percent of stakeholders asking internal audit to get more involved in supporting the business in understanding and managing this risk.
“As the risk landscape continues to evolve, the majority of business leaders surveyed said they are not comfortable with how their risks are being managed, although 74 percent of those surveyed have formal enterprise risk management processes,” said Dean Simone, leader of PwC’s U.S. Risk Assurance practice. “To deliver what stakeholders want, the standard for an effective internal audit function has been raised and internal audit needs to elevate its performance to meet the always increasing stakeholder expectations. Businesses must evaluate total enterprise risk, coordinate with the internal audit functions and break down organizational barriers to provide a holistic approach to risk management.”
Companies that manage risk well have internal audit functions that are going beyond the traditional role of exclusively providing assurance over financial controls. The 2012 study found stakeholders are demanding increased internal audit involvement in risk identification and management. Successful internal audit functions create plans through comprehensive, top-down risk assessments where the entire enterprise risk management process is taken into consideration. According to the survey results, 45 percent of organizations still do not create their audit plans using a robust, top-down risk assessment approach. A majority of respondents stated organizational and cultural resistance as the most common barriers to internal audits active involvement in a fully comprehensive risk management function, followed closely by lack of internal audit resources and expertise.
“When it comes to improving their ability to define and manage their global risk profile, companies are asking internal audit to be more engaged than ever,” said Jason Pett, Internal Audit Services Leader for PwC. “With the complexity of risk profiles increasing, the internal audit needs to up its game to be proactive and intentional and not simply reactive. As more stakeholders seek an objective point of view to more effectively manage global risks while concurrently desiring deep expertise to meet the company where it is today as well as where it is going tomorrow, internal audit groups are turning to co-sourcing to move from a reactive to proactive risk management strategy, and better anticipate and respond to growing risks.”
The report finds that internal audit groups at leading companies provide stakeholders advice on risks and controls rather than just reporting on gaps. Seventy-eight percent of the survey respondents whose company were better at managing risk say their chief audit executives have a more active role in the executive meetings, compared to only 61 percent of companies that are behind. In addition, they take into consideration the organizations enterprise risk management process and they adapt their approach quickly when changes are needed.
PwC’s Risk Assurance practice, comprised of 1,900 professionals in the United States alone, provides companies with significant technical expertise as well as deep industry knowledge across all industries. Skilled team members assist companies on developing risk and compliance programs, building and running leading internal audit functions, supporting the needs of high performing internal audit functions with audit control and subject matter expertise, and creating internal controls processes around business performance issues, IT systems as well as strategy and contingency planning.
The 2012 State of the Internal Audit Profession survey was conducted in the fourth quarter of 2011 and the first quarter of 2012 and includes more than 1,530 respondents in 16 separate industry sectors from 64 countries across the globe. This year, for the first time, in addition to surveying internal auditors about the state or the profession, PwC surveyed the profession from the outside in, asking CFOs, audit committee directors, CEOs, and other stakeholders to share their views on internal audit’s role in the organization and its capabilities for supporting the risk management activities of the company.
More than 660 non-internal audit stakeholders shared their points of view through participation in the 2012 State of the Internal Audit Profession survey in addition to approximately 870 Chief Audit Executives across the globe. In addition, nearly 100 CAEs and stakeholders participated in one-on-one interviews, enabling PwC for the first time to share a comprehensive outside-in look at the profession.
About PwC’s Risk Assurance practice
PwC understands that significant risk is rarely confined to discrete areas within an organization. Rather, most significant risks have a wide-ranging impact across the organization. As a result, PwC's Risk Assurance practice has developed a holistic approach to risk that protects business, facilitates strategic decision making and enhances efficiency. This approach is complemented by the extensive risk and controls technical knowledge and sector-specific experience of its Risk Assurance professionals. The end result is a risk solution tailored to meet the unique needs of clients.
About the PwC Network
PwC firms help organizations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with close to 169,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at http://www.pwc.com.
© 2012 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.