With more companies focusing on enterprise risk management and strategic risk, the role of internal auditors is being expanded to include risk identification and risk management, a study by the Institute of Internal Auditors (IIA) and Protiviti has found.
According to Relationships and Risk, Insights from Stakeholders in North America, the top three areas where respondents wish to expand the role of internal audit involve identifying and managing risk. Of 433 North American stakeholders surveyed, 85% said they want internal audit involved in identifying known and emerging risk areas; 78% would like to see internal audit facilitating and monitoring effective risk management practices by operational management; and 78% want audit to identify appropriate risk management frameworks, practices and processes.
The survey also found that 58% of stakeholders believe internal audit should be more active in assessing strategic risk.
When asked to choose the best avenues for internal audit to improve its role in responding to the organization’s strategic risks, stakeholders said:
- Internal audit should focus on strategic risks as well as operational, financial, and compliance risks during audit projects.
- Internal audit should periodically evaluate and communicate key risks to the board and executive management.
The report concluded that chief audit executives (CAEs) should consider methods to meet and surpass the needs and expectations of their stakeholders, including:
- Focusing on risk activities—risk identification and management—when performing advisory services.
- Demonstrating an understanding of strategic risks in all audit work. Educating stakeholders on ways you can give attention to nontraditional strategic risks.
- Building soft skills. Communication and relationship building are needed to set priorities when there are competing expectations.