NEW YORK, May 16, 2007 (PRIME NEWSWIRE) -- According to the third annual study of current issues for the internal audit profession conducted by PricewaterhouseCoopers (PwC), a number of divergent and conflicting trends related to risk assessment are a concern among internal audit executives. Although there is growing interest in enterprise risk management (more than 80 percent of respondents reported they conduct an annual enterprise-wide risk assessment), only a handful of those surveyed said they update the internal audit risk assessment continuously, while 64 percent may be doing little or nothing between annual assessments.
The study found that there continues to be a lack of consistency around the assessment of risk. At one-third of the companies surveyed, multiple enterprise-wide risk assessments are being conducted across the organization. Of this group, only 20 percent consider these assessments "well" aligned, while 50 percent said they are "somewhat" aligned and 30 percent said they are "not well" aligned, with little or no coordination among the parties making the assessments.
"Audit committees are losing patience with multiple risk assessments that don't say the same thing," says Dick Anderson, partner, PricewaterhouseCoopers. "A company is inviting inefficiencies and possibly missing risks if its enterprise-wide risk assessments are not aligned or integrated."
The following six imperatives should be considered when strengthening the internal audit risk assessment process, as suggested by the study:
1. Adopt a process approach to risk assessment and planning.
2. Supplement annual risk assessments with quarterly or more frequent
updates.
3. Leverage your prior assessment results.
4. Align and leverage risk assessments.
5. Seek out the specialized talent you need.
6. Coordinate effectively with other risk management groups.
"Today, there is a growing awareness among chief audit executives of the importance of linking risk assessments and effective audit coverage," comments Richard Chambers, managing director with Internal Audit Services at PwC. "To help strengthen risk management within their companies, audit groups must focus on assessing risk on an ongoing basis and continue to monitor and update their enterprise-wide risk assessments."
In the areas of finance, compliance, and operations -- sectors that might be characterized as traditional areas of focus for internal audit -- respondents expressed fairly high degrees of confidence (64, 49, and 43 percent respectively) in their audit coverage of these types of risks. However, they were significantly less confident with their audit coverage when dealing with risks in the areas of technology, fraud, and strategic or business risks.
The 2007 study also found that internal audit groups reporting to the CFO organization devote more time to Sarbanes-Oxley compliance than groups that report directly to the audit committee or the CEO. According to the study, only 31 percent of internal audit functions reporting directly to the audit committee or the CEO devote more than 50 percent of their time to Sarbanes-Oxley compliance. By contrast, 46 percent of those who report directly to the CFO indicated that they dedicated more than 50 percent of their time to the Act during 2006. The study found that when internal audit reports to a level below the CFO in the finance organization, such as to the controller or treasurer, the time commitment to Sarbanes-Oxley compliance increases dramatically, with 69 percent of these internal audit functions reporting spending more than 50 percent of their time addressing compliance with the Act.
"Given the disparity of time dedicated to compliance with Sarbanes-Oxley depending on reporting relationships, these survey results naturally beg the question as to who is actually directing the focus and deployment of corporate audit resources," added Anderson.
Other key trends in this year's report include:
-- Audit report ratings are popular but present challenges for
internal audit. Audit ratings allow internal audit to communicate
the potential level of exposure or risk associated with not
implementing corrective actions emanating from audit findings.
However, more than half (56 percent) of respondents reported that
audit ratings are creating friction and slowing down the audit
process at their organizations.
-- Lack of capacity and capabilities is a top concern. Internal audit
leaders believe that their greatest challenge is finding enough
qualified talent to address the growing and increasingly complex
needs of their chief stakeholders.
-- Rotational staffing provides a key source of talent. Rotational
staffing is fast becoming the prevalent staffing model for large
corporate internal audit groups (more than 80 percent of the
Fortune 500 respondents have some form of rotational staffing in
place.)
-- Continuous auditing continues to generate interest. Forty-three
percent of respondents reported using some form of "continuous"
auditing or monitoring in their audit operations.
To download a full copy of the report, entitled "PricewaterhouseCoopers 2007 State of the Internal Audit Profession Study: Pressures Build for Continual Focus on Risk," visit www.pwc.com/internalaudit. The 2006 findings, entitled "PricewaterhouseCoopers 2006 State of the Internal Audit Profession Study: Continuous Auditing Gains Momentum" can be accessed on this site as well.
Methodology
The survey was conducted in the fourth quarter of 2006 and includes responses from 717 audit managers. Eighty percent are either chief audit executives or internal audit directors/managers and 59 percent are from companies with $1 billion or more in annual revenue.
About PricewaterhouseCoopers
PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 140,000 people in 149 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.
"PricewaterhouseCoopers" refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.