Internal Audit Risks: Changing Priorities & Impacts on Recruitment
It is common for media pundits to describe current industry conditions as ‘uncertain’ or ‘volatile’. We are used to hearing that the commercial landscape is ‘evolving rapidly’.
What’s perhaps unusual is for these remarks to be understatements rather than hyperbole. However, 2020 and 2021 proved to be periods of unprecedented change for UK businesses.
And Internal Audit’s role of providing assurance in the face of these numerous political, economic and social headwinds has perhaps never been more important.
Internal Audit: the state of play
The Internal Audit recruitment market is currently buoyant, having experienced prolonged periods of subdued activity after the EU Referendum and, more recently, during the Covid-19 pandemic.
Following the vaccine rollout and the end of lockdown restrictions, businesses are ramping up hiring into their Internal Audit departments and many candidates seem eager to take the next step in their careers.
The number of new jobs posted in the third quarter of 2021 was 215% higher than the corresponding period of 2020. There is also a similar, albeit smaller, rise in new candidates registering, up 39% year-on-year.
While a post-lockdown rebound was to be expected, the figures indicate Internal Audit recruitment activity is currently higher than the same period in 2019. For example, the number of new jobs registered in Q3 2021 is up 11% compared with Q3 2019.
More startling statistics include the number of CVs that were sent to these jobs over the same Q3 period. This figure was up 54%, with a corresponding 54% increase for first-interview requests. The biggest jump, however, was in the number of job offers made and accepted - a massive 155% higher in Q3 2021 when compared with Q3 2019.
This demonstrates the motivation of both candidates to find a new role and clients to hire into the Internal Audit profession. These figures have also likely been positively affected by the relative ease with which most interviews are now being conducted by video call rather than in-person.
More broadly, there is also a gradual but enduring change in how Internal Audit is viewed from a wider business perspective.
While auditors still retain their independence within organisations, they are nonetheless now expected to take a more collaborative, forward-looking approach to Risk Management and Governance. As a result, Internal Audit is increasingly seen as a value-add function rather than a cost centre.
This shift in perspective, in conjunction with the ongoing digitalisation of business systems, controls and processes, is changing what employers look for when recruiting Internal Auditors.
These trends will be explored in more detail later, but first let’s examine some of the risks facing organisations that Internal Audit departments must address.
Key risks for Internal Audit to consider
Risk #1: Climate change and ESG
Climate-related risks and Sustainability issues have become a top priority for governments worldwide, as nations strive to meet ambitious domestic and international targets aimed at tackling Environmental, Social and Governance (ESG) problems.
Businesses have a key role to play in meeting these goals, and many companies face growing pressure from regulators, customers and investors to effectively manage these risks.
For example, nearly half (49%) of Brits believe private companies should take responsibility, first and foremost, to address climate change. Meanwhile, investors are expected to double the amount they allocate to ESG assets within the next five years.
This is already beginning to have an impact on Internal Audit departments, with many CAEs now viewing climate change and sustainability as principal risks. Nearly a third of audit chiefs believe it is a top five concern. This has taken sustainability from an interesting talking point to a mainstay on risk maps and corporate risk registers within just a couple of years, according to the Chartered Institute of Internal Auditors (IIA).
However, there still appears to be a notable disconnect between the importance organisations say they are placing on climate risk and the amount of time and resources that Audit teams are allowed to allocate to these tasks.
IIA figures show that 52% of Auditors had done limited or zero work related to climate change as of November 2020. Furthermore, only one in ten Audit professionals are spending ‘significant’ time and effort preparing for climate change risks.
Research and discussions with Senior Audit professionals echo these findings, with firms at various stages in their climate change and sustainability journeys.
The Head of Internal Audit at a multinational telecommunications group said: “We’ve undertaken reviews across ESG, Ethics, Corporate Social Responsibility and Operational Resilience for a number of years, with many of these Audits forming core parts of our annual plan. In many instances, these are specific Audits to look at the design effectiveness and operational effectiveness of components of the wider process. As a result of this historical coverage, our Audit team is already equipped with the requisite background and skills.”
More commonly, organisations recognised the importance of climate change risks and sustainability, but they had only just begun to Audit these areas or were still planning the best ways of doing so.
Any skills gaps relating to ESG issues are currently usually addressed through in-house training and development, which is supplemented by co-sourcing solutions or support from external consultants.
Risk #2: Third-party supplier risk
The combined impact of Covid-19 and Brexit has created a uniquely challenging environment for UK companies. The pandemic in particular upended how many businesses operated overnight, if indeed they were able to operate at all during lockdown restrictions.
Globalisation, specialisation and just-in-time inventory management systems had underpinned and helped optimise the supply of goods and services for decades. However, as Covid-19 spread, the reliability of supply chains worldwide came under serious threat due to factory and business closures.
Business continuity, crisis management and ‘nth’ party risks all took on a new meaning, as organisations worldwide scrambled to move services online, shore up supply chains and shift employees to remote working set-ups. Brexit has only exacerbated many of these issues in the UK.
It’s therefore not surprising that Operational Resilience concerns, including third-party supplier risk, have since jumped to the top of boardroom agendas. Some 38% of CAEs believe business continuity and disaster response will be a top five risk in 2022.
Among the Heads of Internal Audit, third-party risk was cited frequently as an emerging area of heightened scrutiny for their departments. “Our previous priority to maintain sustainable quality supply at the lowest cost has been superseded by the need to secure more robust and resilient supply, even if at higher costs,” one Senior Audit professional said. “Despite all efforts, there remains a need not just to identify secondary suppliers, but also potentially third suppliers due to the significantly increased risk of interrupted or unreliable supply.”
The dangers of third-party risk
UK-based organisations faced at least one third-party risk incident during their Covid-19 response. Of these, 13% experienced ‘high-impact events’ that severely compromised financial performance, customer service or, in some instances, caused them to breach regulations.
The level of investment in third-party Risk Management prior to the pandemic had a significant effect on outcomes during the crisis. Over a quarter (27%) of businesses that failed to adequately invest suffered a high-impact incident, compared with just 2% of those that had prepared.
Internal Auditors are expected to play an increasingly active role in helping businesses identify gaps in their third-party Risk Management frameworks and offer recommendations on how best to overcome them.
Risk #3: Culture and conduct
There are many business benefits to maintaining a good company culture. Organisations with a distinctive culture are 80% more likely to have satisfied employees, as well as 48% more likely to have higher revenues.
And while culture and conduct are well-established risks within businesses, there is undoubtedly more attention on these areas following the large-scale workforce upheavals from Covid-19.
Many of the Heads of Audit emphasised how quickly their own departments had adapted to hybrid working models. One of them shared: “We always had an agile approach within Internal Audit, therefore lessening the impact of Covid-19 and the remote-working requirement. Going forwards, we will continue with our agile flexible working approach, which historically has been a great tool to both retain and attract Audit professionals, as it allows for a great work-life balance.”
Nevertheless, some firms are concerned that a lack of in-person social interaction could lead to staff feeling disconnected from their colleagues, resulting in poor creativity, problem-solving difficulties and limited management oversight.
IIA figures show 45% of CAEs think the Covid-19 crisis has exacerbated organisational culture problems. The good news is that culture and conduct Audits have become increasingly common in recent years, as well as more sophisticated.
“In Group Internal Audit, we have needed to be flexible, react rapidly to the changing environment, and deliver high-quality Audit activities at pace,” Stephen Licence, Group Chief Internal Auditor at Legal & General, told the IIA.
“This has been supported by our growing analytics capabilities, which have enabled us to provide insights around risk and control culture and highlight any changes that might be occurring as a result of remote and hybrid working.”
We feel there are opportunities for Internal Auditors to play an increasingly valuable role in helping organisations assess the culture and conduct risks that face their businesses.
One area where this could become especially important is Diversity and Inclusion (D&I). A recent PwC survey highlighted a significant perception gap between business leaders and their employees on D&I issues.
Risk #4: Cyber Security and Financial Crime
The threat of cyber-attacks has risen significantly in recent years. These dangers are not new by any means, but the events of the past 18 months have transformed how some businesses need to approach Cyber Security and Financial Crime.
UK organisations and individuals reported losing £1.3 billion due to fraud and cybercrime in the first six months of 2021. Over the same period, there was a staggering sevenfold increase in the number of cyber-crime incidents year on year, jumping from 39,160 to 289,437.
Unsurprisingly, Covid-19 has been cited as a major contributing factor to this surge. People are spending more of their work and leisure time online at home, creating security weaknesses for criminals to exploit.
Heads of Audit are keenly aware of the dangers of lax Cyber Security and Financial Crime measures. Many organisations already had robust policies in place prior to the pandemic, which were then supplemented as needed with additional training.
“The group’s IT policy has always prohibited BYOD, and remote access is already strictly controlled by IP address recognition to company laptops via the VPN only,” a Senior Audit professional explained.
“Awareness training for all employees on phishing risks was also stepped up when Covid-19 struck. This included a programme of controlled tests, with compulsory additional training for any employees who opened simulated phishing attack emails.”
It is worth noting that despite the evolving nature of cyber-crime threats, Audit departments remained confident in their ability to perform their duties.
In fact, for several Heads of Audit, widespread remote working had no material impact on the Auditing of policies or controls. On the contrary, some felt hybrid working models had enhanced Audit’s effectiveness.
As technology advances and cyber-crime threats increase, it is likely there will be greater expectations on Internal Audit departments to help the business better understand these risks. This will include an assessment of whether hybrid working models increase the risk of data leakage, fraud or other security breaches.
Risk #5: UK Sarbanes-Oxley (SOx)
In March 2021, the Department for Business, Energy and Industrial Strategy (BEIS) published a whitepaper named ‘Restoring Trust in Audit and Corporate Governance’.
It marked the culmination of several commissioned reviews into the country’s Audit regulations and practices following a series of damaging scandals that saw the collapse of big-name brands such as Carillion and BHS.
The UK Government is expected to implement many of the recommendations outlined in the BEIS Whitepaper, including a UK SOx Internal Control reporting regime. Indeed, John Thompson - Chief Executive of the Financial Reporting Council - recently confirmed that a UK version of the US SOx regime is likely to be adopted.
At the moment, it is unclear exactly what form this will take, although a SOx-lite approach that is less onerous than its US counterpart appears to be the preferred option among most businesses.
A recent Barclay Simpson report on the possible outcomes of a UK SOx included tips for how businesses can prepare for the changes that new regulations may bring.
Of the emerging risks in this report, UK SOx is seen as the furthest away on the horizon. As such, most Heads of Audit are still deciding what their role will be alongside colleagues working across the other lines of defence.
“UK SOx is certainly on our radar,” said one. “But at the moment we haven’t taken any significant steps. When we start to develop our FY23 annual Audit plan, we’ll be revisiting UK SOx and the impact of Internal Audit.”
As the government provides more details on what a UK SOx framework looks like, the expectation is that more Internal Audit departments will begin prioritising preparations. While the reforms are at least two years away from being fully implemented, it will take time for businesses to bed in any complex changes to their Internal Control systems, reporting regimes and testing processes.
According to PwC, mature businesses could take up to 24 months to complete an implementation programme, with a one-year ‘dry run’ usually considered best-practice. Given these timelines, effective preparation for UK SOx may be a case of sooner rather than later.
The rise of IT Audit
Technology is at the heart of many emerging risks. Whether it’s Cyber Security, remote working cultures or maintaining Operational Resilience, businesses are increasingly reliant on the IT systems that keep many of their processes running.
Demand for IT Auditors has soared as a result. For example, smaller businesses that have never hired an IT Auditor before are recruiting people into these roles for the first time, as many of the new and emerging risks they face are technology focused.
Larger organisations, meanwhile, are performing an increasing number of ‘integrated’ Audits, which involve both business and IT Auditors working together. This is because many workflows are now so intertwined with technology platforms that IT Auditors are becoming essential for providing assurance that processes and controls are functioning correctly.
There are no signs these trends are abating. We believe technical skills will continue to be sought-after among candidates, with demand for skilled IT Auditors already outstripping supply.
To fill these gaps, firms should consider upskilling their technologically savvy Auditors, or encouraging them to earn the Certified Information Systems Auditor (CISA) qualification.
Looking further into the future, it’s likely the distinction between ‘business’ and ‘IT’ Auditors will become increasingly blurred, possibly disappearing altogether. This is because technology will be so embedded throughout organisational processes that IT Audit skills could become essential, rather than just desirable, for most Internal Auditor roles.
Stakeholder influencing is key
The profile of Internal Audit within many businesses has been on the rise over recent years.
In the past, most Audit departments have sat below the C-suite, but CAEs are now slowly beginning to move into executive committee roles, which report directly to the CEO in addition to the Audit Committee Chair.
Internal Audit will always be expected to provide assurance, but it is expected that the function will take on an increasingly forward-looking, consultative role given the level of oversight it has across an organisation’s systems, processes and controls.
As one chief executive said: “We see our business as a race car. And race car drivers can only build up speed and get around the track faster if they have confidence in the brakes. Internal Audit are our brakes.”
Of course, for the brakes to work effectively, they need to be connected to (and able to communicate with) the rest of the vehicle.
Auditors who have excellent interpersonal skills, particularly the ability to influence key stakeholders within their business, will therefore be best placed to offer input on how organisations can prepare for emerging risks.
Put simply, Auditors are not just problem spotters, they are also problem solvers.
But their recommendations must be put forward convincingly if they are to receive senior management buy-in.
Co-sourcing to fill skills gaps
In an active and competitive recruitment market, finding the right people is always difficult. Even some of the world’s largest companies can struggle to attract and recruit skilled Internal Auditors.
One Head of Audit, who works for a company with over 100,000 staff worldwide, admitted financial pressures continue to be the main challenge when hiring. “While our salary ranges are competitive within the market, there are of course certain industries and locations that pay more. As a result, we can lose talent, as we simply can’t match other offers.”
Even within an organisation itself, there is competition for Internal Auditors. IT Auditors, for example, are often poached into first or second line of defence roles, such as Cyber Security or Technology Risk positions. This only exacerbates the IT Audit skills shortages that we mentioned earlier.
IR35 and interim Internal Audit
Recent changes to IR35 legislation continue to shape the recruitment landscape for interim staff. After the new rules came into force in April 2021, firms were reluctant to use personal service companies due to the additional compliance burden, and potential costs associated with off-payroll contractors falling ‘inside IR35’.
This initially led to a sharp rise in demand for staff on fixed-term contracts (FTCs) and PAYE temporary workers. However, experienced Internal Auditors with highly specialised skills, particularly in IT Audit, are already in short supply and few are available on FTC or PAYE arrangements.
So, while limited companies remain less popular than before the IR35 changes, a growing number of organisations recognise that the consultancy route remains one of the best ways to access the talent they need in a competitive market.
For many businesses, co-sourcing is an invaluable tool for ensuring Internal Audit departments have access to the right skills and experience to carry out their duties. Many companies interviewed were using co-sourcing partners, and a number of those that weren’t had plans to start.
“We are moving toward a global model that includes co-sourcing. Currently, we’re going through a trial period whereby we’re supplementing core staff with co-source headcount,” a Head of IT Audit said.
As the war for talent intensifies, a growing number of organisations are likely to turn to co-sourcing as a flexible, reliable solution to bridge the skills gaps in their Internal Audit departments.
Expectations of Internal Audit are rising. Technology is evolving, workplaces are transforming, and new regulations are always around the corner.
The twin headwinds of Brexit and Covid-19 have accelerated these trends, which has created new emerging risks, as well as added a different dimension to many familiar threats.
Nevertheless, it is clear that many organisations pivoted well during the pandemic and have continued to provide assurance in the midst of ongoing challenging conditions.
But as Internal Audit evolves into a more forward-looking function, demand for certain skillsets is already outpacing supply. Businesses must therefore successfully navigate a highly competitive recruitment market to secure the right staff and future-proof the Internal Audit function.
This report was published by Barclay Simpson.