Too many companies poor at managing risks, say their internal auditors

11 November 2013

New research from the Chartered Institute of Internal Auditors (IIA) suggests that almost half of large private sector organisations still do not have effective mechanisms in place to manage risk. 

45% of Heads of Internal Audit surveyed by the IIA rated their own organisation's awareness of risks to the business, and the effectiveness of its processes to manage them, as 'in the early stages', 'in development' or even 'non-existent'. The IIA warns that this means a large proportion of businesses are more vulnerable to serious financial, operational or regulatory failures than they should be, without adequate arrangements in place to spot potential dangers and put plans in place to minimise the impact on the business.

Internal auditors help organisations to manage the wide range of risks facing them, including, for example: financial and fraud risks; data security risks; health and safety risks; and risks related to non-compliance with regulation. They help the board and management identify and address risk management, internal control and corporate governance issues before they become a problem.

Dr Ian Peters, Chief Executive of the IIA, comments: "The financial crisis has prompted a major reassessment of how risks are managed in the financial services sector and internal audit's role in supporting better practices. But many organisations, particularly outside of financial services, are recognising too slowly the need to understand the full scope and nature of the risks facing their organisations."

Such risks include, for example, dangers relating to competition, innovation, mergers and acquisitions, strategy, culture and corporate governance. Also, the risks of failure to comply with regulation expose the organisation to reputational and operational threats. And fears about cyber crime have been heightened recently too.

The IIA's survey findings highlighted data privacy and security as one of the top risks that businesses are concerned about. However, the research suggests that private sector organisations are devoting far less effort to dealing with their vulnerability in this area than public sector organisations. Outside of the financial services sector, just 48% of private sector internal audit teams make data privacy and security risk a top priority in terms of the amount of time allocated, compared to 68% in the public sector.

The IIA points out that the Government and security agencies say data security is a growing risk for businesses, with the heads of MI5 and GCHQ now working with the country's top 350 listed companies on cyber governance health checks. Almost 80% of large UK companies and 87% of smaller businesses experienced a data breach in the past year, according to the Department for Business, Innovation and Skills (BIS). A Cabinet Office report also recently highlighted that the number of cyber-attacks has doubled to 35% over the last year.

Ian Peters says: "Businesses are increasingly collecting and harnessing data for decision making and to enhance customer engagement. But as digital technology advances ever faster, the risks of both accidental leaks of confidential information and malicious attacks also grow significantly."

However, there are some signs that the scope given to internal audit to carry out its role in helping boards to improve the management of risk is increasing, particularly in the areas of strategy; corporate governance; and ethics and culture. The survey also suggests that Heads of Internal Audit are benefitting from better boardroom access to report their assessments of how effectively risks are being managed across the organisation. 

62% of Heads of Internal Audit now say that they have the opportunity to hold one-to-one meetings with the chairman of the board, compared to the 41% who said they had the opportunity for such meetings in a similar survey conducted by the Institute two years ago. And 95% of Internal Audit chiefs across all sectors now have one-to-one meetings with the audit committee chair, compared to 85% in 2011.

In addition, around one third of private sector respondents to the Institute's survey are expecting an increase in their budget, with fewer than 10% facing a decrease. 

Ian Peters adds: "While it seems that best practice in managing risk is not yet as embedded as it needs to be, we are starting to see signs that private sector boards are beginning to harness their internal audit functions more effectively as a result".

 

 ENDS

 
