Employees are leaving the workforce and switching jobs at a rapid pace, and the Internal Audit profession is no exception.
Baby boomers are retiring, and the younger generations entering the workforce are not staying at the same company for as long as compared to just 20 years ago. Therefore, companies are having an increasingly difficult time retaining and replacing this experienced talent. Staff retention is becoming a bigger risk that many chief audit executives are facing. For example, companies are investing a lot of time and money on training audit staff, just to see them walk out the door. For audit departments composed of only a few financial, cyber and IT audit resources, it is becoming just not worth the risk to develop this talent in-house.
Many organizations are turning to large audit firms, such as Schneider Downs, who demand high-quality standards with deep talent pools as a co-source audit partner. The Schneider Downs Risk Advisory Services Department is not immune from losing key talent, either; however, with a large talent pool and a mature onboarding program, the firm can absorb these employee losses much easier.
Another benefit of selecting a trusted co-source audit partner is that these firms have a variety of other services that can benefit clients. For example, a company can outsource Sarbanes-Oxley management testing to an external firm, so their internal resources can focus on emerging projects, then in later years add supplemental IT audits and tax services. Many organizations start small then build trust and confidence with a co-source firm and later contract other services. Co-source firms also have the capability to complete the audit plan or perform cybersecurity services, such as an external penetration test, maturity assessment, or brainstorm audit committee communication strategy on demand. Companies can rest easy knowing that skilled resources are available for their current and future audit needs.
Audit budgets are increasing with cybersecurity and compliance requirements, and many Internal Audit departments do not have the expertise to satisfy these requirements. Internal Audit departments need to assess if they have the necessary skilled resources in-house to cover these risks.
Companies also need to measure and evaluate their strengths and weaknesses to identify improvements in their audit program. It is easy for companies to settle in and stay consistent year after year. Companies, though, need to maintain a holistic mindset and continue to improve, innovate, and transform their programs to maximize the most value. That is where firms like Schneider Downs excel by understanding the current risks through research and by seeing how other companies are solving the same business challenges to maximize value.
Companies should evaluate their strategy, resources, scope, risks, testing strategies and design of controls annually. Their programs should also be agile enough to react to changes in their business throughout the year. Examples that cause change includes auditor risk assessments, system implementations, system changes, acquisitions, compliance requirements, cybersecurity, and changes in the business.
Ask yourself these questions to see if your Internal Audit department is operating at its highest level:
Strategy and Vision
- Do you have the correct Internal Audit leadership and resources with a continuous improvement mindset that covers all company risks?
- Does your external auditor rely on Internal Audit’s testing?
- Do you have an agile program to adjust audits and management requests effectively and efficiently?
- Is Internal Audit viewed as the control expert throughout the organization?
- Is the C-suite satisfied with the quality in Internal Audit?
Operating Structure
- Is there adequate manager/leadership oversight and governance over Internal Audit?
- Are roles and responsibilities clearly defined and communicated to stakeholders/owners?
- Are processes standardized across Internal Audit?
- Is Internal Audit appropriately budgeted and funded to mitigate risk?
- Is there an effective risk assessment performed annually/continuously for the audit plan?
People
- Do you have an appropriate mix of Internal Audit resources to complete the audit plan? Resources include IT, financial, operational, compliance and cybersecurity.
- Is there a continuous learning and development model to improve Internal Audit’s knowledge of the business, technical and emerging risk areas?
- Is staff performance measured against criteria that reflects the mission and vision of Internal Audit and the organization?
- Do training plans include elements to improve business acumen, judgment, and perspective?
Technology and Innovation
- Is technology integrated in the program? Examples include automated workpapers/request systems, continuous auditing, and data analytics?
- Are innovation and continuous improvement embedded in the Internal Audit culture and are they consistently fostered and rewarded?
- Are robotics process automation (RPA) and application controls leveraged to reduce manual control reliance on key controls?
If your company is considering co-source services, contact a member of the Schneider Downs Risk Advisory Department.