A new report from AuditBoard, Internal Audit’s Expanding Role: The Foundation for Connected Risk, written by an old friend (Tom O’Reilly), makes three important points:
- Internal audit functions are not efficient.
- Risk management practices are not effective when it comes to helping leaders make the strategic and tactical decisions necessary for success.
- Leaders are looking to internal audit to help them upgrade risk management practices.
Tom points out that while CAEs are being asked to do more about risk management, they have very little time to do that.
Taking each of these points in turn.
Here’s the highlight:
When asked to describe the full lifecycle of an internal audit project (i.e., planning, fieldwork, reporting, issue follow-up, ongoing interactions with audit customers):
- Only 13% of CAEs rate their processes as fully optimized.
- Another 11% admit that their processes are not optimized at all.
- Another 31% say their processes include “little optimization” but they’re actively working to optimize.
- Concerningly, nearly half (45%) of CAEs consider their processes only somewhat optimized — but are not actively working to optimize.
This is stunning but not surprising to me.
Far too much time is being wasted on:
- Auditing risks that don’t matter to the success of the enterprise, only to…