CAE Survey

Internal Audit’s Shortcoming

A new Deloitte report finds internal audit functions fall short of stakeholder demands.
By: | September 7, 2016 • 4 min read

The majority of chief audit executives (CAEs) believe that their internal audit functions don’t have the capabilities to meet stakeholder demands, according to a new Deloitte survey.

Advertisement




They also think that their functions lack a strong influence over the board of directors and executive team, the report found.

More than half (57 percent) of CAEs surveyed said that they weren’t convinced their internal audit groups have the skills and expertise to deliver on stakeholder expectations in terms of efficient audits, insightful reports and effective decision support, let alone meeting future demands.

And only 13 percent of respondents said that they were “very satisfied” their functions have the skills to meet the expectations of shareholders.

More worryingly though, 72 percent believe their internal audit functions do not have a strong impact and influence over the board of directors, executive team and other key personnel. A further 16 percent said that their internal audit had little to no impact and influence.

“Internal audit has been scrambling to meet escalating needs in areas such as cyber security, regulatory compliance, corporate governance and third-party risk management.” – Terry Hatherell, global internal audit leader, Deloitte

We believe that this low satisfaction level with the function’s skills is indicative of the increasing complexity of risks facing organizations and the greater need for specialized skills within internal audit to completely assess these risks and the risk management effectiveness over these risks,” said Terry Hatherell, Deloitte’s global internal audit leader.

DeloitteTerryHatherell-WEB

Terry Hatherell, global internal audit leader, Deloitte

“Internal audit has been scrambling to meet escalating needs in areas such as cyber security, regulatory compliance, corporate governance and third-party risk management. These findings are concerning and indicate a need for internal audit groups to substantially increase their relevance within their organizations,” he said.

The inaugural survey of more than 1,200 CAEs from 29 countries also found that the biggest skills gaps among their function were cyber, cloud computing and other specialized IT skills (42 percent).

That was closely followed by data analytics (41 percent), risk modeling (27 percent), innovation (26 percent) and fraud detection (24 percent).

Hatherell said that such skills were in high demand and short supply, forcing CAEs to turn to alternative resource models, particularly co-sourcing with third parties and the adoption of rotation and guest auditor programs.

Tied in with this, CAEs view talent gaps and access to quality data as key barriers to the greater adoption of analytics.

According to the report, they cited risk anticipation (39 percent) and data analytics (34 percent) as the two innovations most likely to impact their internal audit function in the next three to five years.

Currently 86 percent of those surveyed use analytics, however only 24 percent use them at an intermediate level and 7 percent at an advanced level.

A little over half (58 percent) of respondents expect to be using analytics in at least half of their audits over the next three to five years, with 37 percent anticipating they will employ it in at least 75 percent of their audits.

“While using analytics to deliver audits more efficiently is an important goal, the survey results lead us to believe internal audit should capitalize on the wealth of available data to deliver more insightful views of business issues and risks to stakeholders.” – Neil White, Advisory partner and internal audit analytics leader, Deloitte

Neil White, an Advisory partner and internal audit analytics leader at Deloitte, said that the need to enhance analytics tools and techniques was a top priority.

DeloitteDougAnderson-WEB

Doug Anderson, managing director – CAE Solutions, Institute of Internal Auditors

“While using analytics to deliver audits more efficiently is an important goal, the survey results lead us to believe internal audit should capitalize on the wealth of available data to deliver more insightful views of business issues and risks to stakeholders.”

Doug Anderson, the Institute of Internal Auditors’ (IIA) managing director – CAE Solutions, said that Deloitte’s findings affirmed what the IIA had been telling its members for some time.

Increasingly, he said that CAEs were looking for different skills sets when hiring, including analytical/critical thinking, communication and data mining and analytics.

He added that it was also important for internal audit to provide assurance on how data is being collected and analyzed within their organization.

“The era of internal audit simply providing hindsight has long past,” he said.

“Modern internal audit functions must offer insight and foresight that help organizations identify and manage risks, build successful business strategies, and nurture cultures that support good governance.

Advertisement




“It is up to internal audit leaders and practitioners to develop the skills to meet those demands and develop trusting and honest relationships with stakeholders that position the organization for success.

“Increasing stakeholder confidence in internal audit requires the profession to step up to meet these new demands.”

Going forward, the survey concluded that CAEs needed to assess the talent and skills gaps within their internal audit function and take the appropriate action. They also needed to embed analytics into all of their processes in order to increase efficiency and value throughout the organization, said the report.

Alex Wright is a U.K.-based business journalist, who previously was deputy business editor at The Royal Gazette in Bermuda. You can reach him at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Risk Management

The Profession

This senior risk manager values his role in helping Varian Medical Systems support research and technologies in the fight against cancer.
By: | September 12, 2017 • 5 min read

R&I: What was your first job?

When I was 15 years old I had a summer job working for the city of Plentywood, mowing grass in the parks and ballfields, emptying garbage cans, hauling waste to the dump, painting crosswalk lines.  A great job for a teenager but I thought getting a college degree and working in an air-conditioned office would be a good plan long term.

R&I: How did you come to work in risk management?

I was enrolled in the University of Montana as a general business student, and I wanted to declare a more specialized major during my sophomore year. I was working for my dad at his insurance agency over the summer, and taking new agent training coursework on property/casualty risks in my spare time, so I had an appreciation for insurance. My dad suggested I research risk management for a career, and I transferred sight unseen to the University of Georgia to enroll in their risk management program. I did an internship as a senior with the risk management department at Sulzer Medica, and they offered me a full time job.

R&I: What could the risk management community be doing a better job of?

Advertisement




We need to do a better job of saying yes. We tend to want to say no to many risks, but there are upside benefits to some risks. If we initiate a collaborative exercise with the risk owners — people who may have unique knowledge about that particular risk — and include a cross section of people from other corporate functions, you can do an effective job of taking the risk apart to analyze it, figure out a way to manage that exposure, and then reap the upside benefits while reducing the downside exposure. That can be done with new products and new service offerings, when there isn’t coverage available for a risk. It’s asking, is there anything we can do to reduce the risk without transferring it?

R&I: What emerging commercial risk most concerns you?

Cyber liability. There’s so much at stake and the bad guys are getting more resourceful every day. At Varian, our first approach is to try to make our systems and products more resilient, so we’re trying to direct resources to preventing it from happening in the first place. It’s a huge reputation risk if one of our products or systems were compromised, so we want to avoid that at all costs.

We need to do a better job of saying yes. We tend to want to say no to many risks, but there are upside benefits to some risks.

R&I: What insurance carrier do you have the highest opinion of?

I’ve worked with a number of great ones over the years. We’ve enjoyed a great property insurance relationship with Zurich. Their loss control services are very valuable to us. On the umbrella liability side, it’s been great partnering with companies like Swiss Re and Berkley Life Sciences because they’ve put in the time and effort to understand our unique risk exposures.

R&I: How much business do you do direct versus going through a broker?

One hundred percent through a broker. I view our broker as an extension of our risk management team. We benefit from each team member’s respective area of expertise and experience.

R&I: Is the contingent commission controversy overblown?

Advertisement




I think so. The brokers were kind of villainized by Spitzer. I think it’s fair for brokers and insurers to make a reasonable profit, and if a portion of their profit came from contingent commissions, I’m fine with that. But I do appreciate the transparency and disclosure that came out as a result of the fiasco.

R&I: Are you optimistic about the US economy or pessimistic and why?

David Collins, Senior Manager, Risk Management, Varian Medical Systems Inc.

While we might be doing fine here in the U.S. from an economic perspective, the Middle East is a mess, and we’re living with nuclear threat from North Korea. But hope springs eternal, so I’m cautiously optimistic. I’m hoping saner minds prevail and our leaders throughout the world work together to make things better.

R&I: Who is your mentor and why?

My Dad got me started down the insurance and risk path. I’ve also been fortunate to work for or with a number of University of Georgia alumni who’ve been mentors for me. I’ve worked side by side with Karen Epermanis, Michael Rousseau, and Elisha Finney. And I’ve worked with Daniel Dean in his capacity as a broker.

R&I: What have you accomplished that you are proudest of?

Advertisement




Raising my kids. I have a 15-year-old and 12-year-old, and they’re making mom and dad proud of the people they’re turning into.

On a professional level, a recent one would be the creation and implementation of our global travel risk program, which was a combined effort between security, travel and risk functions.

We have a huge team of service personnel around the world, traveling to customer sites to do maintenance and repair. We needed a way to track, monitor and communicate with them. We may need to make security arrangements or vet their lodging in some circumstances.

R&I: What do your friends and family think you do?

My 12-year-old son thought my job responsibilities could be summed up as a “professional worrier.” And that’s not too far off.

R&I: What about this work do you find the most fulfilling or rewarding?

Varian’s mission is to focus energy on saving lives. Proper administration of the risk function puts the company in a better position to financially support research that improves products and capabilities, helps to educate health care providers and support cancer care in general. It means more lives saved from a terrible disease. I’m proud to contribute toward that.

When you meet someone whose cancer has been successfully treated with one of our products, it’s a powerful reward.




Katie Siegel is an associate editor at Risk & Insurance®. She can be reached at [email protected]