Internal audit's shifting mandate: how the audit committee can help ensure that internal audit is properly focused, fully utilized, and delivers value.

• Author: Whalen, Dennis T.
• Position: ON THE GOVERNANCE AGENDA

THE PAST FEW YEARS have been a dynamic period for internal audit, with a significant shift taking place in internal audit's mandate: For many internal audit organizations, the focus is no longer limited to financial reporting and compliance risks but now includes key business risks and related controls--from cyber security and IT to key strategic and operational processes.

Yet, according to a recent survey by the Institute of Internal Auditors, for many--or perhaps most--internal audit organizations, audit coverage still lags in two key risk areas: business and strategic risks, and the overall effectiveness of the company's risk management processes.

In our own Audit Committee Institute surveys, audit committees consistently point to the need for internal audit to "deliver greater value" to the organization. How can audit committees help ensure that internal audit is properly focused and fully utilized--and delivers the value it should? We offer the following suggestions:

* Consider the need to redefine internal audit's mandate. Internal audit is most effective when it is focused on the critical risks to the business, including key strategic and operational risks and related controls, and not just compliance and financial reporting risks. Internal audit should constantly monitor how changes in the operating environment impact the business. In today's global, digitized environment, a broad range of critical risks need to be managed--from cyber security and social media, to risks posed by market expansion, M&A, and the global supply chain, to talent management and culture--and internal audit should be assessing these risks and associated controls.

Leading internal audit functions are also reviewing the company's overall risk management processes and working with management to continually improve these processes. We're even seeing internal audit being asked to take the lead in coordinating with other governance, risk, and compliance functions within the organization to identify duplication--and, more importantly, potential gaps--in coverage.

[ILLUSTRATION OMITTED]

[ILLUSTRATION OMITTED]

How involved can or should internal audit be in these areas while maintaining the requisite focus on financial reporting and internal controls? To answer this question, and to get the most value from internal audit, the audit committee should work with management to determine the right balance of coverage. Competing expectations of the audit committee, CEO...