In the wake of the uncertainty caused by the COVID-19 pandemic, the number of companies expanding their internal audit (IA) function is again rising. Many IA departments still face significant challenges in proactively adapting to an ever-changing risk landscape, as they must allocate a considerable portion of their capacity to Sarbanes-Oxley (SOX) requirements, creating a shortfall when budgeting resources for other areas (e.g., regulatory, cybersecurity or third-party). Audit committees continue to ask difficult questions and request more of their IA teams. While many IA departments have seen their budgets recover to pre-COVID levels, talent scarcity has created a unique challenge in meeting the organization’s needs. Let’s look at a few ways that companies are tackling the issue.
Expanding Internal Audit Resources
IA departments continue their push to recruit and retain talent despite a challenging hiring environment. In addition to adding headcount to increase the department’s load capacity, IA leaders are also looking to expand their department’s technical expertise (e.g., cybersecurity, IT experts). Developing technical resources provides some much-needed flexibility as IA groups learn to adapt to today’s environment. Unfortunately, some emerging risks are here to stay, and organizations will continue to have to decide how best to meet those challenges head-on.
Engaging Co-Source Partners
Another method of increasing both the load capacity and technical capacity of an IA department is through engaging a third-party co-source partner. Engaging a co-source partner allows the company to quickly expand or retract its capacity to take on recurring work, free up internal capacity or provide technical assistance to address a specific focus area (e.g., cybersecurity risk assessments or fraud investigations). This has become a valuable method of ensuring the capacity exists to proactively address the needs of large and small organizations.
Investing in First- and Second-Line Risk Management
Companies more susceptible to certain risks (e.g., third-party, cybersecurity or compliance) have found value in strengthening the organization’s first line of defense by hiring individuals with a strong risk management background into crucial leadership positions. They may also elect to build out a separate risk management (second line) function dedicated to overseeing the company’s efforts in continuously evaluating and responding to these risks. For example, a company that utilizes many high-risk vendors may elect to establish a third-party risk management (TPRM) department charged with developing and providing oversight of the company’s TPRM program. By forming a centralized department that oversees the organization’s response to a critical risk area, management can ensure the organization is consistently and appropriately addressing these risks.
Each company must develop a strategy tailored to its organization’s specific needs. It’s important to remember that no one size fits all. By deploying the right approach, IA leaders can enhance the organization’s adaptability in responding to emerging risks.