The internal audit function faced both declining budgets and a significantly expanded workload in 2020, according to a Gartner survey of 299 internal audit organisations in 2020.
For many heads of audit, it’s not clear where the extra capacity is going to come from, said Margaret Moore Porter, managing vice president in the Gartner Audit practice.
“It’s clear the pandemic has created and heightened risks that need audit oversight, but there is a real danger of the function being overwhelmed unless leaders can find ways to increase capacity without increasing budgets,” she warned.
Information security and information technology risks were the two areas where a majority of audit functions planned to spend more time, Gartner pointed out.
Yet there is a long tail of risk areas demanding more attention and not many that will require significantly fewer hours, the advisory firm added.
“At the moment this is very far from being a balanced equation,” said Porter. “The obvious implication, if the picture doesn’t become more balanced, is that audit leaders will have to make tough coverage trade-off decisions.”
Internal audit leaders have to find creative solutions
Internal audit function budgets grew by around 5% per year between 2017 and 2019, according to Gartner.
However, budgets decreased by 1.5% in 2020, and Gartner predicts they will be flat in 2021.
Headcount also remained flat in 2020, and this is expected to continue in 2021, Gartner estimated.
“It doesn’t look like there will be a way to buy more capacity for most internal audit functions in 2021,” Porter pointed out. “Leaders will have to be creative and find ways to get more out of the resources they have.”
Survey results indicate that 66% of audit departments are in active discussions with other risk and control groups in their organisations on how they can better share resources, notably support for risk assessment and data analytics.
Many audit departments are looking to better align and rely on risk coverage from the second line to reduce duplication and improve efficiency, Gartner observed.
Given regulatory scrutiny, that approach is less prevalent in the financial services (FS) sector and banking audit departments, where 47% do not rely on the second line to provide assurance compared to 35% in non-FS and banking, Gartner added.