July 11, 2012 - Internal audit practitioners globally report that more visible and vocal support for the internal audit function is needed from senior management within their organizations as the changing demands of today's regulatory and risk environment are putting them under increasing pressure to do more with less, according to a new survey by Thomson Reuters.

A combination of increasing regulation, a renewed focus on fraud and corruption and heightened scrutiny around risk management from executives, corporate boards, shareholders and regulators are placing greater emphasis on how the internal audit function can play a role in evaluating and mitigating risk.

To help internal audit remain agile in times of shifting business requirements, Thomson Reuters today announced the launch of new enhancements to Accelus Enterprise GRC. This version contains significant customer driven enhancements that will greatly improve user experience for internal audit and regulatory event management. The release contains improved configuration options that will enable firms to more effectively address the requirements of integrating governance, risk and compliance with risk management and compliance & policy management to meet the changing demands of their business.

Smart Forms capabilities have been expanded to enable firms to configure and design forms with specific fields and layout options that will optimize the experience of users within the organization. Panel Editing functionality has also been introduced to allow users to enter or update information in a grid formatted panel, giving them a more efficient way to add or update information for a number of records without the need to navigate to each specific record form.

"Audit committee chairs and executive management alike need to understand and address the increasing scope and strain on internal audit," said Mark Schlageter, managing director, Governance, Risk and Compliance, Thomson Reuters. "A vital factor in easing the pressure on the internal audit function is the provision of adequately skilled resources and the ability to leverage off technology to meet the growing demands and challenges. The often under-valued task of internal auditing can be made substantially easier where senior managers visibly and vocally demonstrate support for the internal audit function and promote a culture of sound corporate governance. "

Survey results:

The Thomson Reuters survey covered more than 1,500 internal audit practitioners across Europe, the Americas, Australia, Asia, Africa and the Middle East.

Key findings from the report include:

• Over 57% of respondents indicated that increased focus on risk and control was the top challenge for the year ahead

• While risk management was seen as a top three priority for organizations and was one area where the internal audit function’s time and resources are primarily applied, only 12% of firms claimed to have robust and embedded risk management framework and resources in place

• Over 40% of respondents indicated that interactions with the compliance and risk management teams were ad-hoc or were unsure of the frequency of these meetings

• The self assessment on the maturity of audit business processes indicates that many see room for improvement and the opportunity to move to a more robust operating model

Changing Role of Internal Audit

As a result of changes in the business environment, the internal audit function’s role in the organization is continually evolving, based on stakeholder and management expectations. Shareholders, board members and management are placing a greater emphasis on how internal auditors can play a role in evaluating and mitigating risks, their involvement in IT and operations, managing fraud risk, and playing a greater role in corporate governance.

When asked about what areas the internal audit function’s time and resources were currently applied to, 83% of internal auditors surveyed listed assurance over internal control as a top three activity. IT risk and security was listed as the second priority with 44% of respondents.

However, when asked about what the top priorities should be for the internal audit function, the survey respondents listed a different set of activities. Thirty-eight percent of respondents listed strategic level risk management as a top three issue and 30% indicated corporate governance as a top area where resources needed to be focused. A broadening remit, coupled with the need to adapt to changing business models, has many internal audit departments looking for new processes and tools to help address these challenges.

Maturity of Business Processes

The maturity of standard business processes across a number of audit functions varied from firm to firm with more established processes such as reporting and issue tracking having robust programs in place in the majority of firms.

Even the most basic of audit processes however showed that there was room for improvement. In the case of the management of audit workpapers, only 28% of respondents described their process as robust or mature and almost half of the respondents (49%) indicated that they had a workpaper process in place but that it still needed work.

Of all of the business processes surveyed, respondents indicated that they had the highest level of maturity on reporting. Forty-one percent indicated that they had a robust, mature program in place for reporting while 48% indicated that their reporting processes were implemented but still need some work. Only 11 percent of respondents indicated that they had a relatively immature business process around reporting.

Risk management is one of the areas of most significant change for the audit profession and according to the survey is seen as a top three priority for organizations. Despite this, under one fifth of respondents indicated that robust and mature processes for risk assessment were in place at their firm.

The Connected Roles of Internal Audit, Risk, and Compliance

When asked about how they interacted with their counterparts in the compliance and risk management function, the practitioners surveyed showed an emerging yet immature connection to these other assurance functions. In the case of interacting with both teams, over 40% of respondents indicated that these interactions were ad-hoc or they were not sure on how frequently they met. In the case of internal audit working with risk management teams, only 21% of respondents indicated that they met on a weekly basis. The numbers for internal audit working with compliance departments were similar with only 24% of respondents responding that they met weekly with their compliance counterparts.