We have two new reports this week on the predicament of internal audit functions, trapped between the need to provide better risk analysis during the pandemic and corporate overlords a bit less than willing to fund your need for better technologies.
The first report came from research firm Gartner on Wednesday, and found that for the first time in several years, corporate audit teams experienced a decrease in their annual budget for 2020. By coincidence, the Internal Audit Foundation and software vendor AuditBoard released a separate survey on Thursday, which found that a majority of corporate audit teams still use manual technologies such as spreadsheets to get their work done — and that those manual technologies were hindering their effectiveness.
Put those two reports together and you see the challenge: a risk environment racing ahead of audit teams’ ability to assess, control, and monitor those risks.
Let’s start with the budget stuff in the Gartner report, since money makes the world go round. Gartner surveyed the audit teams at 299 companies, and found that internal audit budgets declined by roughly 1.5 percent in 2020, after three years of roughly 5 percent annual growth in those budgets. Headcount also remained flat in 2020. Gartner expects both budgets and headcount to remain flat in 2021, too.
“It doesn’t look like there will be a way to buy more capacity for most internal audit functions in 2021,” Margaret Moore Porter, managing vice president in Gartner’s audit practice, said in a research note that accompanied the data. “Leaders will have to be creative and find ways to get more out of the resources they have.”
Gartner also found a big shift within those budgets. Companies are spending more money on cybersecurity risk, IT risk, and vendor risk, as well as “unanticipated risk events.” (I’m not really sure what those are.) Companies are also spending less on operational risk, financial risk, and good ol’ Sarbanes-Oxley compliance. See Figure 1, below.
Gartner also found that 66 percent of the companies it studied were talking with other risk assurance functions about how to share resources, especially for risk assessment and data analytics. That’s interesting because one of those other risk assurance functions would likely be the compliance team, and IT security another.
The fundamental message from the Gartner report, however, is that resources for internal audit have grown tight precisely when risks springing from the pandemic are soaring (which is not breaking news; other surveys have said the same). Hence we see that reallocation of resources away from the ho-hum business of SOX compliance, toward much more pressing concerns about cybersecurity and IT systems.
Except, the money isn’t there in the budget. So audit teams truly are under pressure to — pardon me while I puke for uttering this phrase — do more with less.
Which brings us to the AuditBoard report.
Embracing Audit Technology, Or Not
The AuditBoard study polled 134 internal audit leaders about how they are or aren’t using audit management technology. (We should note here that AuditBoard sells audit management technology to corporate audit teams.) The big finding in this report was that as helpful as GRC or audit technology might be, plenty of firms still aren’t using it.
Only 47 percent of survey respondents said they are using GRC software of some kind, which means 53 percent are not. Although, in a nod to how helpful GRC software can be, 22 percent of respondents said they plan to implement GRC or audit management software this year.
Most firms still mired in manual technology have small audit teams. For example, among respondents with one to five people in the internal audit department, 48 percent said they only use manual technology. Among respondents whose teams had more than 50 people, however, all of them used GRC or audit management software.
It’s also interesting to see what internal auditors are doing with all this GRC software. Figure 2, below, shows that the tasks most likely to be managed with dedicated software are, in order, document management, issue and action plan management, and testing.
I can’t help but notice that one task still done almost entirely with manual technology is risk assessment — which, according to the Gartner study, is one area where internal auditors are overworked and looking to share resources and workload with other risk assurance functions. One wonders whether a better use of audit management technology might be a better way to alleviate the burden. (Honestly I don’t know; send me your thoughts.)
I was also a bit curious to see dashboards and reporting, as well as evidence management, still relatively low on the automation scale. Those tasks are either important (dashboards and reporting, especially in today’s highly challenging risk environment) or complicated (evidence management, especially in today’s world of so many SaaS vendors needing security assessments). The automation numbers for both tasks — well, they’re not terrible, but they’re not where they should be.
Back to the Predicament
The Gartner report mentions how the rest of the corporation often perceives internal audit as a cost center. To overcome that stigma, audit teams need to demonstrate that the value they bring to the organization exceeds the cost.
I still believe that’s quite possible. In a perverse way, the pandemic provided an excellent opportunity for internal audit to demonstrate its value — because so much of the challenge for businesses confronting the pandemic has been to understand how your risk profile has changed. That’s what internal audit does.
For internal audit teams, however, your own challenge is how to keep your capabilities sharp, so you can keep pace with those rapidly changing risks. Investing in better technology is crucial to that… if you can make the business case, and get the budget. Which, according to Gartner, is a tricky task these days.