March 18, 2025 • 30 mins
The Institute of Internal Auditors Presents: All Things Internal Audit
In this episode, Deborah Poulalion and Andy Cook break down the 2025 North American Pulse of Internal Audit report. They discuss emerging trends, challenges, and opportunities for internal auditors, covering issues like strategy, funding, and artificial intelligence. The 2025 North American Pulse of Internal Audit report is sponsored by AuditBoard.
The public consultation for the Third-Party Topical Requirement is open! Review the draft and share your feedback by April 20, 2025. Visit this link to access the public consultation draft to have your say!
Host:
Deborah Poulalion, senior manager, Research & Insights, The IIA
Guests:
Andy Cook, CIA, director, Professional Guidance – Financial Services, The IIA
Key Points:
- Introduction (00:00-00:09)
- The North American Pulse of Internal Audit report (00:10-00:31)
- The impact of strategy and funding on internal audit (00:32-05:15)
- The shift toward advisory services (05:16-08:41)
- Technology risks and cybersecurity challenges (08:42-10:45)
- The growing importance of data analytics (10:46-13:31)
- The role of generative artificial Intelligence in internal audit (13:32-16:57)
- Expanding responsibilities of chief audit executives (16:58-19:10)
- Audit planning and resource allocation (19:11-22:36)
- Gender trends in internal audit leadership (22:37-24:10)
- Remote work trends in internal audit (24:11-28:41)
- The Global Internal Audit Standards and available resources (28:42-29:40)
- Final thoughts and closing remarks (29:41-30:25)
The IIA Related Content:
Interested in this topic? Visit the links below for more resources:
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
The Institute of Internal Auditors presents
all things internal audit.
In this episode, Deborah, Ian
and Andy Cook break down the 2025 North American Pulse
of Internal Audit Report.
They discuss emerging trends, challenges,
and opportunities for internal auditors
(00:24):
covering issues like strategy, funding,
and artificial intelligence.
Andy, thank you so much for joining me
to talk about the 2025 North American Pulse
of Internal Audit Report.
My pleasure, Deborah. Thank you for having me.
So I wanted to talk about what is Pulse of Internal Audit.
(00:48):
This is my 10 year anniversary working on Pulse.
So this was actually started by the I I A in 2008
as a snapshot of the procession.
And at that time we were getting into the great financial
crisis, so there was a lot going on.
The pulse of internal audit report is based on a survey
(01:10):
of the highest ranking internal auditors
throughout North America.
So we have hundreds of responses from big functions,
small functions, public sector, publicly traded, all kinds
of industries, and it gives us an amazing picture of
what internal auditors are doing that year.
(01:30):
The i i a wanted to monitor what was happening
with people's budgets and staffing levels and risk levels
and their audit plans.
And the i i a has been doing this survey
and report ever since.
So we're really proud of this
because it lets us do some really long-term trending
that you won't see anywhere else.
(01:53):
Yeah, it's definitely something
that I love seeing every year.
I always check it out and see
what the new trends are and what's going on.
The consistency of the survey has been great,
and I, I love checking what's, what,
what's going on in the industry
and what CAEs are thinking out there.
So it's very good. The other thing that we've kind
of incorporated this year, uh, suggestion from Deborah is
to incorporate the standards
(02:13):
and guidance that are new this year.
The global internal audit standards came effective in
January, so we thought providing some reference
or some spotlights to the standards would be a good thing,
as well as Vision 2035.
Again, something that just recently came out,
very worthwhile to, uh, provide some insights into that
and kind of attach it to Pulse, which was a,
(02:35):
a great idea from, from you, Deborah. Excellent.
Thank you. Yes.
Vision 2035 is interesting to add in
because it's forward looking
and so it helps us to think about the future, um, as well
as what's happening right now.
So I'm very excited today, uh, to look at some of the most
(02:56):
interesting and relevant findings this year.
And we've got four main areas we're looking at, strategy,
technology, responsibilities, and management.
So let's get started by talking about strategy.
One of the most interesting things that came out
(03:18):
of our research this year was a very strong connection
between funding levels for the internal audit function
and how well the function said they were aligned
with organizational strategy.
So I'm gonna give you an example.
People who said they were fully aligned
with organizational strategy, about 70%
(03:41):
of them also said they had sufficient funding,
which is great on the other side.
Among people who said they were only somewhat aligned
with organizational strategy, only 40% said they had
that sufficient level of funding.
So Andy, what do you think of this?
Yeah, this was a, a key insight, very interesting
(04:04):
that came out of this, this, uh, this survey this year.
The, the idea of aligning, uh, the organizational strategy
to funding
or correlating those two was, was, uh, a great find.
I, I really felt like it was supportive of a lot
of the stuff that came out of the,
the standards this year when we talked about governing
(04:24):
and managing the internal audit function, it had a lot to do
with making sure we have open lines of communication
with the board and with senior management, making sure all
that kind of aligns together,
and the idea of communicating to the board
and senior management
and working with them
as you develop your internal audit strategy is showing that
(04:46):
that pays dividends in the long run, uh,
in on the funding side.
So I felt like that insight was very, uh, interesting
and something I guess you would expect
because the more you communicate, the more you're talking
to individuals, the more you're able to kind
of see the value.
And I, I really feel like
that's part of what this is doing mm-hmm.
Is it's providing, uh, the board
(05:06):
and see your management with the idea of what sort
of value we're able to provide
and if it's worth investing in.
And I think that's kind of where we're coming down.
It seems like it definitely is. So a great find on this one.
And, you know, another, uh, piece of this information is
that about a little over half said that they feel fully
(05:27):
or almost fully aligned with organizational strategy.
So on the flip side, a little less than half said,
they are only somewhat aligned
or only minimally aligned with strategy.
So yeah, it's an opportunity and it's some good information.
Absolutely. So
We want to look now at our second big point,
(05:50):
which is looking to the services.
So there's two big types of services.
Internal auditors perform assurance services
and advisory services,
and we wanted to know the mix now and in the future.
So currently internal auditors say about 75%
(06:13):
of their time is assurance, and about 25% is advisory.
But if you ask those same folks what they would like
to do in the future, they'd rather do about 60% assurance
and, um, increase that advisory up to 40%.
So Andy, what do you think of that?
Yeah, I think this is, this is indicative of
(06:34):
what you would expect for internal audit shops out there.
The idea of kind
of a 75, 25 split right now made sense to me.
I, I felt like that was
what I would expect from a lot of organizations.
And the movement, the idea of moving that 25% to 40%
in the future is really, again, speaking to values.
(06:56):
I think the value that we can provide, uh, in that space
as well, I mean, internal auditors are really
risk control experts.
Uh, that's really what we are,
and we're able to provide a lot of that advisory
and guidance to the organization as we move forward.
So I really feel like that's, um,
it shows our starting point.
(07:16):
I suppose that 75, 25 split shows our starting point
and where we want to go, that 60 40 split is
really where we'd like to go.
Mm-hmm. Not, uh, getting rid of the idea
that we will continue to provide that key assurance piece,
but, uh, doing a little more advisory definitely provides
the benefit to the organization overall.
So I think it's, uh, it's a good indication
(07:38):
of directionally where everybody's going.
Mm-hmm. I agree.
And just another facet of
that is we also looked at the differences for this question
between functions that had just one
to three people versus functions more than 50 people,
and the answers are almost identical.
(07:58):
So whether you're a large function
or a small function, the idea of being able
to increase your advisory services is, is really felt
all across our survey respondents.
And that was one of the things that kind
of surprised me too, that those smaller shops would still be
providing that level of advisory service.
I mean, that's, that's a great thing that we're able to do
(08:20):
that even with those, those small organizations.
And I think that's, that's great.
And that's showing that, that we are concentrated on
that value proposition for sure.
So now we wanna go ahead
and look at some of our technology findings,
and we wanna start with the risk area.
So, um, we always ask for risk assessments
(08:41):
or risk levels for a large number of items.
And the top every single year
for a long time is cybersecurity.
So right now, 75%
of our survey respondents say cybersecurity is high
or very high risk at their organizations.
And the next area that is even close to
(09:02):
that is it risk at 54%.
So cybersecurity is the risk of concern.
And so how are CAEs dealing with this?
And I wanna throw out a couple more numbers
and then Andy will give us a perspective, is we find that
a lot of, or many organizations will outsource cybersecurity
(09:24):
services because they, they need the skillset,
or for a variety of reasons.
So that's one way.
Um, but then, uh,
almost half say they do wanna upskill their staff
to know more about cybersecurity.
So we've got the outsourcing
and the upskilling to deal with this risk.
So Andy, what do you think?
(09:46):
Yeah, a lot of this is, I, I think it's
what we would expect.
This is a scary spot when you start
talking about cybersecurity.
The idea of having a significant breach in your organization
or having a, a particular problem with, with IT
or, or systems.
Uh, they're far reaching, they're at times public.
(10:06):
Uh, so from an internal audit perspective, I think they're,
they're very much top of mind.
And that's what this indicates, you know, noting
that these are high or very high risks that we wanna address
the level of outsourcing that we'll do there, that tells you
that we really wanna make sure we get the expertise in
there, in the organization to do the kind of work
that we wanna do to make sure that we're comfortable
(10:27):
with the controls that are in place.
And the idea of, of constantly upskilling this space in
particular is, uh, you know, it's what I would expect,
but it definitely is something that requires a lot
of attention for our, for our, uh, auditors out there.
And I think it's something that's, that's, uh,
been indicated through the survey.
Thank you. So we started talking a little bit about
(10:50):
upskilling and, uh,
we have asked several questions in the pulse
of internal audit survey
and also in the Vision 2035 survey about competencies.
And a very interesting thing we found was
that when you ask someone,
when we asked our survey respondents
(11:12):
for the most important technology skill for the future,
so we said, what is the most important
technology skill for the future?
More than 90% said data analytics.
You don't get more than 90% hardly anything in this world
except maybe who, how many people like chocolate?
Like this is a high number, right?
(11:32):
So more than 92% said it's one
of the most important technology skills for the future.
However, if you ask people their use of
technology right now for internal audit,
and you said, you know,
looking specifically at data analytics,
only 28% said their functions had high
(11:53):
or advanced usage of data analytics.
So how do we reconcile this?
Yeah. So a lot of things happen here in data analytics
that, you know, has been evolving through the years.
I mean, when I started in industry here,
data analytics was, was top of mind.
And it continues to be top of mind making sure
that we're comfortable with that level of work.
(12:15):
And what's happening now is we have so much data now,
the data analytics work is very focused on identifying
what the key data is that we need to maintain
or we need to pull
and understanding what then are we going to do with it.
So having that skillset of an internal auditor
where they're able to identify the key data points
(12:38):
that they need to grab,
and then what sort of risks those are, identifying
and understanding what the audit performance
or the test step is going to be done
and how it's going to be done to, to be, uh,
effective and useful.
And I think that that kind of twofold approach
to data analytics is something that we continue to struggle
with, and it's definitely something that we continue
(13:00):
to focus on as, as we move forward.
So again, this is another one of those no surprises, uh,
but continued level of concentration for,
for organizations out there to make sure that we get better
and better at the data analytics piece.
Agreed. And I think we talked earlier,
or at some point, one
(13:21):
of the best combinations you can have is someone who's good
at data analytics and also someone
who understands the business very well
and makes a very valuable auditor.
Is that right?
Amen. Amen. Yes, absolutely.
I, I think, uh, the idea of having that person who's able
to understand the business
and understand the data that that business is using
(13:43):
and how they're using it along with that level
of risk focus, uh, the, the lens on the world
that the internal auditor is able to provide on top of that,
that's a winning combination,
and that's something that has been the unicorn
that we're all seeking at out there in,
in internal audit for sure. Yep. So
The last thing we wanna talk about for technology,
(14:04):
and it's the hot topic right now, is
how internal auditors are using ai
or specifically we wanna talk about gen ai.
So we asked our survey respondents this year, which,
by the way, um, our CAS
and directors in North America,
so we asked our survey respondents this year,
(14:24):
if they're using gen AI for internal audit activities,
and we had 41% said yes, they're,
and 65% say they are planning to do it in the future.
So what do you think about
that in the future of internal audit?
Yeah, this is definitely an area that, that all
of us are trying to figure out as we go.
(14:47):
And I think the internal auditors out there are trying
to figure out kind of a twofold understanding of it.
How is the organization using it?
And then how can I use it in my organization,
in the internal audit group, uh, to do internal audit work?
And I think we're trying to address that as quickly
as humanly possible, just
because this technology is moving at such a fast pace pace.
(15:09):
So really trying to, uh, jump into that pool as opposed
to dipping our toes in it, I think is something
that we're really trying to do more and more of,
and getting familiar with
what the capabilities are out there
and how we can utilize them effectively, I think is,
is definitely something, and this, this survey kind of bears
that as true that we really wanna make sure that we're,
(15:30):
we're playing in this space
and learning as we go, uh, to effectively use AI on our,
on our audits as well as how the organization is using it
and what sort of risks are out there on that front too.
Mm-hmm. Yeah,
another interesting thing we saw in the data on this survey
question was if we compared the answer, uh,
(15:53):
to the generation, we did find
that millennials were 52% using gen AI
for internal audit activities.
Gen X was 40% and the baby boomers were 31%.
So there was a difference by generation,
Even those baby boomers, I mean, from that percentage, I,
I feel like they're really, you know,
(16:14):
jumping in maybe more than I would anticipate.
So I think that's great. I think that's really directionally
where we wanna go for sure.
Agree. And I do wanna point out that for the question for
who wanted to increase Gen AI involvement across all ages,
it was over at two thirds, so everybody knows it has
(16:35):
to be done in the future.
And the one other thing we can go ahead
and just mention while we're talking about gen AI is, um,
much fewer, fewer CAEs are saying
that they're providing assurance in this area
right now, much fewer.
It's, it was 15% overall. So why might that?
(16:56):
Yeah, I think they're, they're just trying to get familiar
with, with what sort of usage is in
that org in the organization.
I think that's really something that they're trying
to, to understand more.
And I think the larger organizations may be adopting it a
little more quickly than some of the smaller ones
and understanding the implications of that and,
and how to go about testing it, uh, building test work out
(17:18):
of these things and, and, uh, that sort
of thing is definitely something that we need to work on.
And I think that is a big ask.
You know, this is a ever evolving landscape, this AI space,
and these AI systems are constantly learning as well.
The risks, the risks may shift as the AI is learning
(17:39):
and you need to shift
with it when you go about testing that.
So I think it's definitely something that we need
to keep in mind as we, uh, as we move forward.
But it is something that's, uh, newer to most,
and I think that's why that adoption rate is,
might be a little lower than maybe we would like.
Our next two topics are responsibilities,
and then we're ending with management.
(17:59):
So let's get into the different responsibilities that
CAEs can have.
So we know, uh, chief audit executives, of course,
their primary focus is internal audit,
but a lot of them have areas
of responsibilities in other areas.
Uh, so almost 90% say they have at least one area
(18:21):
of responsibility outside of internal audit.
So those top areas overall are fraud.
Almost 50%, almost half say
that Sarbanes Oxley almost a third,
but it's much higher in publicly traded organizations.
ERM about a third
and ethics whistleblower programs about a third.
(18:45):
So what is the impact for independence
and objectivity in this situation?
That's a great question, Deborah.
I, I think that's, that's the, the focal point.
We need to make sure that, that our guardrails
and our safeguards are set up
when we take on these additional responsibilities.
Take a look at the, uh,
(19:06):
standard 7.1 on organizational independence,
I think is a critical one here,
and understanding how
when we take on these responsibilities, how the
internal audit function has to shift.
So, uh, the general idea is if you are responsible
for an area you shouldn't be auditing yourself.
I don't think that's, uh, any sort of a revelation
(19:28):
for anybody, but we need to make sure that we have those,
those appropriate safeguards in place,
and we need to make sure that we're communicating up the
chain, whether that be through senior management as well
as the board to, uh, communicate with them to let them know
how we are structuring these outside
of internal audit functions and how the risk assessment
(19:50):
and audit process has to be effectively executed
to maintain those safeguards.
I think that's really the key point here.
It's okay to take on these additional responsibilities.
You just need to be setting up those safeguards to do
what they need to do to make sure that the,
the audit process is, uh, maintained.
(20:10):
Thank you. So also looking then at audit
planning, this is one of the questions in Pulse
that has been asked probably since 2008,
which is what proportion of time do you spend in each
of your audit topic areas?
So pretty consistently
(20:31):
for a long time operational auditing is the, the most, the,
the largest proportion of the audit plan,
and that's almost 20%.
And one thing that sort of stands out about
that is if you look at risk levels,
operations is not that high.
So how do we reconcile that?
(20:52):
Yeah, a lot of that information is, you know,
and I I think this goes for most
internal audit organizations.
Operational risk is definitely the thing that we are able to
execute reasonably well.
We've been doing it for years and years,
and it's always been operational focus on a lot
of the work that we're doing.
Auditing that space is kind of a, a known quantity
and we know how to do it
(21:13):
and we know how to, uh, scope
that work and execute that work.
It's something that we've,
we've really embraced through the years.
And the idea here of such a large percentage of our time,
19% of our time is spent on operations
while when we're looking at the associated risk
of these operations in our, in our estimation is,
(21:35):
is significantly lower than some of the other areas.
I think there is a level of shifting that we may wanna make,
uh, organizationally when we start executing our audits
that we, uh, should consider, um, and,
and maybe shift that percentage.
I don't think that we're ever gonna not
do operational audits.
That's a, a key component.
(21:56):
And you can also think, how did that risk go down?
You know, that risk level went down
because we are doing these audits on a regular basis,
you know, and, and, and making sure
that things are tight from a control standpoint.
So the idea
of abandoning operational risk will never happen,
will probably always be doing a
substantial percentage in that space.
(22:17):
But, you know, it was interesting to see those risk levels
that we determined was a little lower than maybe you might
anticipate for sure.
Yeah. So for comparison, we had about 75% saying
that cybersecurity was higher, very high risk compared
to only 30% for operations.
Yeah. So I, I do think it's interesting the idea that
(22:39):
because internal audit, or perhaps
because internal audit has been able
to monitor the controls well in operations, you know,
that brings down that risk. So
Ensure is a contributing factor, I would imagine a
Contributing factor that, that is the best way to say it.
So moving on to our last section about management here.
(23:02):
Um, and this is really just about the internal audit
function itself and kind of running the function.
So as you know, the pulse of internal audit survey is
for the, the highest ranking internal auditor in the
function, so CAEs and directors.
So one interesting thing is we can look at the, that group
(23:22):
and see the mix of men
and women at the tops of internal audit functions.
And so right now, uh,
it's 47% female on 53% male answered our survey this year.
And that this has changed over the years in many ways.
And one way we can see that is by asking people their age
(23:45):
and comparing it to male and female.
So for those over 60, it was reversed.
It was two thirds male
and one third female compared to those, uh,
in their thirties where we have more females
and and fewer males.
So how's this trend?
(24:05):
What, how may this trend impact the internal audit function?
Yeah, I think, I think this is, I, I, again, I don't know
how much of a big surprise this is.
The, the younger folks have more of a, a female slant
and the older folks have more of a male slant.
Uh, the balance is kind of coming to a 50 50 split.
(24:26):
The idea that women
and men both at these higher level, uh,
within the organization for the CAEs, I think the mix
and the ability to kind of provide
unique perspectives into the organization
and what's going on in the organization is, is critical.
And I think that having this kind of effective mix
(24:48):
between the female ver the female CAEs
and the male CAEs is a great trend.
And I really feel like that movement,
that split is a great thing.
If this, uh, generational breakdown is any indication,
I think we'll continue to move further
and further to that, uh, 50 50 split, which is, is great.
I think that's, uh, directionally where we should go.
(25:11):
It makes sense. Internal audit is a great
career for anyone.
Would you agree? Absolutely.
I'm a little biased, but yes, absolutely.
Well, so am I. So we have our
final subject,
and this is about remote work.
(25:32):
So as we all know, COVID-19 put us in new territory,
and we started asking our survey respondents if they were
more working remote, more working at, at home
or evenly, uh, split.
And so right now, uh, about a little over a third say
(25:52):
that's roughly, um, half at home, half in person,
32% say they're mostly in person.
And the same 32% say they are mostly remote.
So we saw just the slightest trend toward having more in
person, but it was just four percentage points.
So 28% to 32%. So what do you think about these numbers?
(26:18):
Yeah, that, this one was a bit of a surprise to me
because all I've been hearing from my peers and network
and that sort of thing has been, Hey, we're being instructed
that we need to go back to in-person,
uh, or at least a hybrid.
Uh, this percentage indicates that it isn't as,
as significant as maybe I've been feeling it from,
(26:38):
from a lot of my, a lot of my peers.
Uh, it just seems like I was expecting these percentages
to go more and more to in person than maybe this is,
this is indicating, I do feel like the, um,
trend will continue to move in this direction.
And it might be early, we might have caught depend,
you know, based on when we
(26:58):
provided the survey, we might be a little early in that
and we might see this, uh, trend pick up in the coming year.
I, I do think the idea of doing more hybrid work,
I think is, is being adopted more
and more, uh, by organizations that I'm aware of.
So I, I think that this trend will continue to go in
that direction and, uh, next year's survey may,
(27:18):
may be indicative of, of a more substantial shift.
Mm-hmm. Well, we'll keep asking the question, um,
so we can monitor what's happening, uh,
for the internal audit profession.
And it may be, you know, that there are some advantages to
remote work or hybrid work specifically
(27:39):
for internal audit activities.
So perhaps other, other industries
or other professions may have a different, um,
different amount of change than what we're seeing.
Yeah, the one thing that I will say is
during the Covid period, I think that all
of us at internal audit we're able to prove
that we were able to do our work on a remote basis and,
(28:00):
and maybe not, you know, a hundred percent remote,
but maybe, you know, if we could do some level
of hybrid, that would make sense.
But I think covid kind of forced our hand to say, okay,
we have to work remote.
And I think we came out the other side of that saying, well,
we are very capable of doing this and,
and working on a remote basis.
And, and I think that that was, that was some
(28:21):
of the takeaway from, from the covid period
when it comes to internal audit.
And I think the shift will continue to move kind of more to
that hybrid level, uh, because of, of what I just said.
I think that we're still able to work on the remote basis,
but maybe be back in person every now
and then, uh, to make sure
that we're effectively having good meetings.
And again, as we started out this discussion,
it's all about communication
(28:42):
and communication in person, uh,
provides a lot of value as well.
So it's something that we need to make sure we balance.
You know, I do also wanna encourage people
to get their resources on the new global internal
audit standards.
Can you tell us a little bit more about
what resources CAS have?
Yeah, so there's a, there's a location out there
(29:02):
and it is in the Pulse report, uh, the, uh,
standards knowledge center go there.
There's a lot of informa, a lot
of great information guidance, uh, as well as the standards.
You can really reference all of that information out there.
And it will hopefully, uh,
assist you in adopting the new standards as you,
as you progress through your, your audit process.
(29:23):
So definitely take a look at that.
Uh, the Global internal audit standards we're effective in
January, so hopefully we're all executing according
to those standards today.
Uh, but if not,
and if you have any questions, please reach out to guidance.
We are happy to help with
Andy. I have so
enjoyed talking about the Pulse
(29:43):
of Internal audit report with you today,
and I hope you have a great day.
And you too, Deborah, great talking to you.
The public consultation
for the third party topical requirement is open.
Review the draft and share your feedback by April 20th.
Visit the iia.org to have your say.
(30:08):
If you like this podcast, please subscribe and rate us.
You can subscribe wherever you get your podcasts.
You can also catch other episodes on YouTube
or@theiia.org.
That's THE iia DO org.
The Institute of Internal Auditors presents
all things internal audit.
In this episode, Deborah, Ian
and Andy Cook break down the 2025 North American Pulse
of Internal Audit Report.
They discuss emerging trends, challenges,
and opportunities for internal auditors
(00:24):
covering issues like strategy, funding,
and artificial intelligence.
Andy, thank you so much for joining me
to talk about the 2025 North American Pulse
of Internal Audit Report.
My pleasure, Deborah. Thank you for having me.
So I wanted to talk about what is Pulse of Internal Audit.
(00:48):
This is my 10 year anniversary working on Pulse.
So this was actually started by the I I A in 2008
as a snapshot of the procession.
And at that time we were getting into the great financial
crisis, so there was a lot going on.
The pulse of internal audit report is based on a survey
(01:10):
of the highest ranking internal auditors
throughout North America.
So we have hundreds of responses from big functions,
small functions, public sector, publicly traded, all kinds
of industries, and it gives us an amazing picture of
what internal auditors are doing that year.
(01:30):
The i i a wanted to monitor what was happening
with people's budgets and staffing levels and risk levels
and their audit plans.
And the i i a has been doing this survey
and report ever since.
So we're really proud of this
because it lets us do some really long-term trending
that you won't see anywhere else.
(01:53):
Yeah, it's definitely something
that I love seeing every year.
I always check it out and see
what the new trends are and what's going on.
The consistency of the survey has been great,
and I, I love checking what's, what,
what's going on in the industry
and what CAEs are thinking out there.
So it's very good. The other thing that we've kind
of incorporated this year, uh, suggestion from Deborah is
to incorporate the standards
(02:13):
and guidance that are new this year.
The global internal audit standards came effective in
January, so we thought providing some reference
or some spotlights to the standards would be a good thing,
as well as Vision 2035.
Again, something that just recently came out,
very worthwhile to, uh, provide some insights into that
and kind of attach it to Pulse, which was a,
(02:35):
a great idea from, from you, Deborah. Excellent.
Thank you. Yes.
Vision 2035 is interesting to add in
because it's forward looking
and so it helps us to think about the future, um, as well
as what's happening right now.
So I'm very excited today, uh, to look at some of the most
(02:56):
interesting and relevant findings this year.
And we've got four main areas we're looking at, strategy,
technology, responsibilities, and management.
So let's get started by talking about strategy.
One of the most interesting things that came out
(03:18):
of our research this year was a very strong connection
between funding levels for the internal audit function
and how well the function said they were aligned
with organizational strategy.
So I'm gonna give you an example.
People who said they were fully aligned
with organizational strategy, about 70%
(03:41):
of them also said they had sufficient funding,
which is great on the other side.
Among people who said they were only somewhat aligned
with organizational strategy, only 40% said they had
that sufficient level of funding.
So Andy, what do you think of this?
Yeah, this was a, a key insight, very interesting
(04:04):
that came out of this, this, uh, this survey this year.
The, the idea of aligning, uh, the organizational strategy
to funding
or correlating those two was, was, uh, a great find.
I, I really felt like it was supportive of a lot
of the stuff that came out of the,
the standards this year when we talked about governing
(04:24):
and managing the internal audit function, it had a lot to do
with making sure we have open lines of communication
with the board and with senior management, making sure all
that kind of aligns together,
and the idea of communicating to the board
and senior management
and working with them
as you develop your internal audit strategy is showing that
(04:46):
that pays dividends in the long run, uh,
in on the funding side.
So I felt like that insight was very, uh, interesting
and something I guess you would expect
because the more you communicate, the more you're talking
to individuals, the more you're able to kind
of see the value.
And I, I really feel like
that's part of what this is doing mm-hmm.
Is it's providing, uh, the board
(05:06):
and see your management with the idea of what sort
of value we're able to provide
and if it's worth investing in.
And I think that's kind of where we're coming down.
It seems like it definitely is. So a great find on this one.
And, you know, another, uh, piece of this information is
that about a little over half said that they feel fully
(05:27):
or almost fully aligned with organizational strategy.
So on the flip side, a little less than half said,
they are only somewhat aligned
or only minimally aligned with strategy.
So yeah, it's an opportunity and it's some good information.
Absolutely. So
We want to look now at our second big point,
(05:50):
which is looking to the services.
So there's two big types of services.
Internal auditors perform assurance services
and advisory services,
and we wanted to know the mix now and in the future.
So currently internal auditors say about 75%
(06:13):
of their time is assurance, and about 25% is advisory.
But if you ask those same folks what they would like
to do in the future, they'd rather do about 60% assurance
and, um, increase that advisory up to 40%.
So Andy, what do you think of that?
Yeah, I think this is, this is indicative of
(06:34):
what you would expect for internal audit shops out there.
The idea of kind
of a 75, 25 split right now made sense to me.
I, I felt like that was
what I would expect from a lot of organizations.
And the movement, the idea of moving that 25% to 40%
in the future is really, again, speaking to values.
(06:56):
I think the value that we can provide, uh, in that space
as well, I mean, internal auditors are really
risk control experts.
Uh, that's really what we are,
and we're able to provide a lot of that advisory
and guidance to the organization as we move forward.
So I really feel like that's, um,
it shows our starting point.
(07:16):
I suppose that 75, 25 split shows our starting point
and where we want to go, that 60 40 split is
really where we'd like to go.
Mm-hmm. Not, uh, getting rid of the idea
that we will continue to provide that key assurance piece,
but, uh, doing a little more advisory definitely provides
the benefit to the organization overall.
So I think it's, uh, it's a good indication
(07:38):
of directionally where everybody's going.
Mm-hmm. I agree.
And just another facet of
that is we also looked at the differences for this question
between functions that had just one
to three people versus functions more than 50 people,
and the answers are almost identical.
(07:58):
So whether you're a large function
or a small function, the idea of being able
to increase your advisory services is, is really felt
all across our survey respondents.
And that was one of the things that kind
of surprised me too, that those smaller shops would still be
providing that level of advisory service.
I mean, that's, that's a great thing that we're able to do
(08:20):
that even with those, those small organizations.
And I think that's, that's great.
And that's showing that, that we are concentrated on
that value proposition for sure.
So now we wanna go ahead
and look at some of our technology findings,
and we wanna start with the risk area.
So, um, we always ask for risk assessments
(08:41):
or risk levels for a large number of items.
And the top every single year
for a long time is cybersecurity.
So right now, 75%
of our survey respondents say cybersecurity is high
or very high risk at their organizations.
And the next area that is even close to
(09:02):
that is it risk at 54%.
So cybersecurity is the risk of concern.
And so how are CAEs dealing with this?
And I wanna throw out a couple more numbers
and then Andy will give us a perspective, is we find that
a lot of, or many organizations will outsource cybersecurity
(09:24):
services because they, they need the skillset,
or for a variety of reasons.
So that's one way.
Um, but then, uh,
almost half say they do wanna upskill their staff
to know more about cybersecurity.
So we've got the outsourcing
and the upskilling to deal with this risk.
So Andy, what do you think?
(09:46):
Yeah, a lot of this is, I, I think it's
what we would expect.
This is a scary spot when you start
talking about cybersecurity.
The idea of having a significant breach in your organization
or having a, a particular problem with, with IT
or, or systems.
Uh, they're far reaching, they're at times public.
(10:06):
Uh, so from an internal audit perspective, I think they're,
they're very much top of mind.
And that's what this indicates, you know, noting
that these are high or very high risks that we wanna address
the level of outsourcing that we'll do there, that tells you
that we really wanna make sure we get the expertise in
there, in the organization to do the kind of work
that we wanna do to make sure that we're comfortable
(10:27):
with the controls that are in place.
And the idea of, of constantly upskilling this space in
particular is, uh, you know, it's what I would expect,
but it definitely is something that requires a lot
of attention for our, for our, uh, auditors out there.
And I think it's something that's, that's, uh,
been indicated through the survey.
Thank you. So we started talking a little bit about
(10:50):
upskilling and, uh,
we have asked several questions in the pulse
of internal audit survey
and also in the Vision 2035 survey about competencies.
And a very interesting thing we found was
that when you ask someone,
when we asked our survey respondents
(11:12):
for the most important technology skill for the future,
so we said, what is the most important
technology skill for the future?
More than 90% said data analytics.
You don't get more than 90% hardly anything in this world
except maybe who, how many people like chocolate?
Like this is a high number, right?
(11:32):
So more than 92% said it's one
of the most important technology skills for the future.
However, if you ask people their use of
technology right now for internal audit,
and you said, you know,
looking specifically at data analytics,
only 28% said their functions had high
(11:53):
or advanced usage of data analytics.
So how do we reconcile this?
Yeah. So a lot of things happen here in data analytics
that, you know, has been evolving through the years.
I mean, when I started in industry here,
data analytics was, was top of mind.
And it continues to be top of mind making sure
that we're comfortable with that level of work.
(12:15):
And what's happening now is we have so much data now,
the data analytics work is very focused on identifying
what the key data is that we need to maintain
or we need to pull
and understanding what then are we going to do with it.
So having that skillset of an internal auditor
where they're able to identify the key data points
(12:38):
that they need to grab,
and then what sort of risks those are, identifying
and understanding what the audit performance
or the test step is going to be done
and how it's going to be done to, to be, uh,
effective and useful.
And I think that that kind of twofold approach
to data analytics is something that we continue to struggle
with, and it's definitely something that we continue
(13:00):
to focus on as, as we move forward.
So again, this is another one of those no surprises, uh,
but continued level of concentration for,
for organizations out there to make sure that we get better
and better at the data analytics piece.
Agreed. And I think we talked earlier,
or at some point, one
(13:21):
of the best combinations you can have is someone who's good
at data analytics and also someone
who understands the business very well
and makes a very valuable auditor.
Is that right?
Amen. Amen. Yes, absolutely.
I, I think, uh, the idea of having that person who's able
to understand the business
and understand the data that that business is using
(13:43):
and how they're using it along with that level
of risk focus, uh, the, the lens on the world
that the internal auditor is able to provide on top of that,
that's a winning combination,
and that's something that has been the unicorn
that we're all seeking at out there in,
in internal audit for sure. Yep. So
The last thing we wanna talk about for technology,
(14:04):
and it's the hot topic right now, is
how internal auditors are using ai
or specifically we wanna talk about gen ai.
So we asked our survey respondents this year, which,
by the way, um, our CAS
and directors in North America,
so we asked our survey respondents this year,
(14:24):
if they're using gen AI for internal audit activities,
and we had 41% said yes, they're,
and 65% say they are planning to do it in the future.
So what do you think about
that in the future of internal audit?
Yeah, this is definitely an area that, that all
of us are trying to figure out as we go.
(14:47):
And I think the internal auditors out there are trying
to figure out kind of a twofold understanding of it.
How is the organization using it?
And then how can I use it in my organization,
in the internal audit group, uh, to do internal audit work?
And I think we're trying to address that as quickly
as humanly possible, just
because this technology is moving at such a fast pace pace.
(15:09):
So really trying to, uh, jump into that pool as opposed
to dipping our toes in it, I think is something
that we're really trying to do more and more of,
and getting familiar with
what the capabilities are out there
and how we can utilize them effectively, I think is,
is definitely something, and this, this survey kind of bears
that as true that we really wanna make sure that we're,
(15:30):
we're playing in this space
and learning as we go, uh, to effectively use AI on our,
on our audits as well as how the organization is using it
and what sort of risks are out there on that front too.
Mm-hmm. Yeah,
another interesting thing we saw in the data on this survey
question was if we compared the answer, uh,
(15:53):
to the generation, we did find
that millennials were 52% using gen AI
for internal audit activities.
Gen X was 40% and the baby boomers were 31%.
So there was a difference by generation,
Even those baby boomers, I mean, from that percentage, I,
I feel like they're really, you know,
(16:14):
jumping in maybe more than I would anticipate.
So I think that's great. I think that's really directionally
where we wanna go for sure.
Agree. And I do wanna point out that for the question for
who wanted to increase Gen AI involvement across all ages,
it was over at two thirds, so everybody knows it has
(16:35):
to be done in the future.
And the one other thing we can go ahead
and just mention while we're talking about gen AI is, um,
much fewer, fewer CAEs are saying
that they're providing assurance in this area
right now, much fewer.
It's, it was 15% overall. So why might that?
(16:56):
Yeah, I think they're, they're just trying to get familiar
with, with what sort of usage is in
that org in the organization.
I think that's really something that they're trying
to, to understand more.
And I think the larger organizations may be adopting it a
little more quickly than some of the smaller ones
and understanding the implications of that and,
and how to go about testing it, uh, building test work out
(17:18):
of these things and, and, uh, that sort
of thing is definitely something that we need to work on.
And I think that is a big ask.
You know, this is a ever evolving landscape, this AI space,
and these AI systems are constantly learning as well.
The risks, the risks may shift as the AI is learning
(17:39):
and you need to shift
with it when you go about testing that.
So I think it's definitely something that we need
to keep in mind as we, uh, as we move forward.
But it is something that's, uh, newer to most,
and I think that's why that adoption rate is,
might be a little lower than maybe we would like.
Our next two topics are responsibilities,
and then we're ending with management.
(17:59):
So let's get into the different responsibilities that
CAEs can have.
So we know, uh, chief audit executives, of course,
their primary focus is internal audit,
but a lot of them have areas
of responsibilities in other areas.
Uh, so almost 90% say they have at least one area
(18:21):
of responsibility outside of internal audit.
So those top areas overall are fraud.
Almost 50%, almost half say
that Sarbanes Oxley almost a third,
but it's much higher in publicly traded organizations.
ERM about a third
and ethics whistleblower programs about a third.
(18:45):
So what is the impact for independence
and objectivity in this situation?
That's a great question, Deborah.
I, I think that's, that's the, the focal point.
We need to make sure that, that our guardrails
and our safeguards are set up
when we take on these additional responsibilities.
Take a look at the, uh,
(19:06):
standard 7.1 on organizational independence,
I think is a critical one here,
and understanding how
when we take on these responsibilities, how the
internal audit function has to shift.
So, uh, the general idea is if you are responsible
for an area you shouldn't be auditing yourself.
I don't think that's, uh, any sort of a revelation
(19:28):
for anybody, but we need to make sure that we have those,
those appropriate safeguards in place,
and we need to make sure that we're communicating up the
chain, whether that be through senior management as well
as the board to, uh, communicate with them to let them know
how we are structuring these outside
of internal audit functions and how the risk assessment
(19:50):
and audit process has to be effectively executed
to maintain those safeguards.
I think that's really the key point here.
It's okay to take on these additional responsibilities.
You just need to be setting up those safeguards to do
what they need to do to make sure that the,
the audit process is, uh, maintained.
(20:10):
Thank you. So also looking then at audit
planning, this is one of the questions in Pulse
that has been asked probably since 2008,
which is what proportion of time do you spend in each
of your audit topic areas?
So pretty consistently
(20:31):
for a long time operational auditing is the, the most, the,
the largest proportion of the audit plan,
and that's almost 20%.
And one thing that sort of stands out about
that is if you look at risk levels,
operations is not that high.
So how do we reconcile that?
(20:52):
Yeah, a lot of that information is, you know,
and I I think this goes for most
internal audit organizations.
Operational risk is definitely the thing that we are able to
execute reasonably well.
We've been doing it for years and years,
and it's always been operational focus on a lot
of the work that we're doing.
Auditing that space is kind of a, a known quantity
and we know how to do it
(21:13):
and we know how to, uh, scope
that work and execute that work.
It's something that we've,
we've really embraced through the years.
And the idea here of such a large percentage of our time,
19% of our time is spent on operations
while when we're looking at the associated risk
of these operations in our, in our estimation is,
(21:35):
is significantly lower than some of the other areas.
I think there is a level of shifting that we may wanna make,
uh, organizationally when we start executing our audits
that we, uh, should consider, um, and,
and maybe shift that percentage.
I don't think that we're ever gonna not
do operational audits.
That's a, a key component.
(21:56):
And you can also think, how did that risk go down?
You know, that risk level went down
because we are doing these audits on a regular basis,
you know, and, and, and making sure
that things are tight from a control standpoint.
So the idea
of abandoning operational risk will never happen,
will probably always be doing a
substantial percentage in that space.
(22:17):
But, you know, it was interesting to see those risk levels
that we determined was a little lower than maybe you might
anticipate for sure.
Yeah. So for comparison, we had about 75% saying
that cybersecurity was higher, very high risk compared
to only 30% for operations.
Yeah. So I, I do think it's interesting the idea that
(22:39):
because internal audit, or perhaps
because internal audit has been able
to monitor the controls well in operations, you know,
that brings down that risk. So
Ensure is a contributing factor, I would imagine a
Contributing factor that, that is the best way to say it.
So moving on to our last section about management here.
(23:02):
Um, and this is really just about the internal audit
function itself and kind of running the function.
So as you know, the pulse of internal audit survey is
for the, the highest ranking internal auditor in the
function, so CAEs and directors.
So one interesting thing is we can look at the, that group
(23:22):
and see the mix of men
and women at the tops of internal audit functions.
And so right now, uh,
it's 47% female on 53% male answered our survey this year.
And that this has changed over the years in many ways.
And one way we can see that is by asking people their age
(23:45):
and comparing it to male and female.
So for those over 60, it was reversed.
It was two thirds male
and one third female compared to those, uh,
in their thirties where we have more females
and and fewer males.
So how's this trend?
(24:05):
What, how may this trend impact the internal audit function?
Yeah, I think, I think this is, I, I, again, I don't know
how much of a big surprise this is.
The, the younger folks have more of a, a female slant
and the older folks have more of a male slant.
Uh, the balance is kind of coming to a 50 50 split.
(24:26):
The idea that women
and men both at these higher level, uh,
within the organization for the CAEs, I think the mix
and the ability to kind of provide
unique perspectives into the organization
and what's going on in the organization is, is critical.
And I think that having this kind of effective mix
(24:48):
between the female ver the female CAEs
and the male CAEs is a great trend.
And I really feel like that movement,
that split is a great thing.
If this, uh, generational breakdown is any indication,
I think we'll continue to move further
and further to that, uh, 50 50 split, which is, is great.
I think that's, uh, directionally where we should go.
(25:11):
It makes sense. Internal audit is a great
career for anyone.
Would you agree? Absolutely.
I'm a little biased, but yes, absolutely.
Well, so am I. So we have our
final subject,
and this is about remote work.
(25:32):
So as we all know, COVID-19 put us in new territory,
and we started asking our survey respondents if they were
more working remote, more working at, at home
or evenly, uh, split.
And so right now, uh, about a little over a third say
(25:52):
that's roughly, um, half at home, half in person,
32% say they're mostly in person.
And the same 32% say they are mostly remote.
So we saw just the slightest trend toward having more in
person, but it was just four percentage points.
So 28% to 32%. So what do you think about these numbers?
(26:18):
Yeah, that, this one was a bit of a surprise to me
because all I've been hearing from my peers and network
and that sort of thing has been, Hey, we're being instructed
that we need to go back to in-person,
uh, or at least a hybrid.
Uh, this percentage indicates that it isn't as,
as significant as maybe I've been feeling it from,
(26:38):
from a lot of my, a lot of my peers.
Uh, it just seems like I was expecting these percentages
to go more and more to in person than maybe this is,
this is indicating, I do feel like the, um,
trend will continue to move in this direction.
And it might be early, we might have caught depend,
you know, based on when we
(26:58):
provided the survey, we might be a little early in that
and we might see this, uh, trend pick up in the coming year.
I, I do think the idea of doing more hybrid work,
I think is, is being adopted more
and more, uh, by organizations that I'm aware of.
So I, I think that this trend will continue to go in
that direction and, uh, next year's survey may,
(27:18):
may be indicative of, of a more substantial shift.
Mm-hmm. Well, we'll keep asking the question, um,
so we can monitor what's happening, uh,
for the internal audit profession.
And it may be, you know, that there are some advantages to
remote work or hybrid work specifically
(27:39):
for internal audit activities.
So perhaps other, other industries
or other professions may have a different, um,
different amount of change than what we're seeing.
Yeah, the one thing that I will say is
during the Covid period, I think that all
of us at internal audit we're able to prove
that we were able to do our work on a remote basis and,
(28:00):
and maybe not, you know, a hundred percent remote,
but maybe, you know, if we could do some level
of hybrid, that would make sense.
But I think covid kind of forced our hand to say, okay,
we have to work remote.
And I think we came out the other side of that saying, well,
we are very capable of doing this and,
and working on a remote basis.
And, and I think that that was, that was some
(28:21):
of the takeaway from, from the covid period
when it comes to internal audit.
And I think the shift will continue to move kind of more to
that hybrid level, uh, because of, of what I just said.
I think that we're still able to work on the remote basis,
but maybe be back in person every now
and then, uh, to make sure
that we're effectively having good meetings.
And again, as we started out this discussion,
it's all about communication
(28:42):
and communication in person, uh,
provides a lot of value as well.
So it's something that we need to make sure we balance.
You know, I do also wanna encourage people
to get their resources on the new global internal
audit standards.
Can you tell us a little bit more about
what resources CAS have?
Yeah, so there's a, there's a location out there
(29:02):
and it is in the Pulse report, uh, the, uh,
standards knowledge center go there.
There's a lot of informa, a lot
of great information guidance, uh, as well as the standards.
You can really reference all of that information out there.
And it will hopefully, uh,
assist you in adopting the new standards as you,
as you progress through your, your audit process.
(29:23):
So definitely take a look at that.
Uh, the Global internal audit standards we're effective in
January, so hopefully we're all executing according
to those standards today.
Uh, but if not,
and if you have any questions, please reach out to guidance.
We are happy to help with
Andy. I have so
enjoyed talking about the Pulse
(29:43):
of Internal audit report with you today,
and I hope you have a great day.
And you too, Deborah, great talking to you.
The public consultation
for the third party topical requirement is open.
Review the draft and share your feedback by April 20th.
Visit the iia.org to have your say.
(30:08):
If you like this podcast, please subscribe and rate us.
You can subscribe wherever you get your podcasts.
You can also catch other episodes on YouTube
or@theiia.org.
That's THE iia DO org.
Popular Podcasts
Crime Junkie
Does hearing about a true crime case always leave you scouring the internet for the truth behind the story? Dive into your next mystery with Crime Junkie. Every Monday, join your host Ashley Flowers as she unravels all the details of infamous and underreported true crime cases with her best friend Brit Prawat. From cold cases to missing persons and heroes in our community who seek justice, Crime Junkie is your destination for theories and stories you won’t hear anywhere else. Whether you're a seasoned true crime enthusiast or new to the genre, you'll find yourself on the edge of your seat awaiting a new episode every Monday. If you can never get enough true crime... Congratulations, you’ve found your people. Follow to join a community of Crime Junkies! Crime Junkie is presented by audiochuck Media Company.
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.