RiskChat: “Internal Audit 2.0”
PricewaterhouseCoopers recently released its 6th annual “Global State of the Internal Audit Profession” survey. I chatted with Brian Brown, PwC’s IA advisory services leader, to get a taste for the survey results and to have him describe “Internal Audit 2.0.”
Eric Krell: What do you see as some of the key qualities, capabilities, and/or characteristics of Internal Audit 2.0?
Brian Brown: We use an analogy with Internet 2.0 as the logical next generation for internal audit. Internal Audit 2.0 is more aligned, collaborative, and technology-enabled. By that we mean more aligned with critical risks and stakeholder expectations, more collaborative with other risk and compliance functions, and better able to leverage technology to drive efficiency in the audit process.
Eric Krell: Many internal auditors are wrestling a bit with the nature of their role within ERM initiatives … what are some of the key responsibilities – and boundaries, if any exist – for internal auditors with respect to formal ERM programs/initiatives?
Brian Brown: Risk management in general represents a tremendous opportunity for internal auditors and yet at the same time can be quite a challenge. The opportunity is that elected officials, regulators, directors, and CEOs are all saying they want to see improved risk management within the corporate world, but the devil is in the details. Risk management means different things to different people. Regardless of what form a risk management initiative takes, the primary responsibility relating to board oversight and management accountability is to develop a process that identifies, assesses, and monitors risks and the effort to manage risk.
Internal audit’s role in risk management can be thought of similarly to the way in which we think of the relationship with internal control. Internal audit should not own internal control, but they do play a key role in reviewing and assessing controls. The difference with enterprise risk management is that it is a concept that is just getting off the ground in many organizations; consequently, a traditional assurance approach to reviewing risk management might not be relevant. Thus we see many internal audit groups taking a lead, which we believe is appropriate, in getting ERM started in their organizations.
Eric Krell: Do you have any evidence that more companies are pursuing ERM efforts?
Brian Brown: Our survey results showed that 65 percent of respondents assist their boards of directors in the assessment of enterprise risk. However, this is not consistent with our observations among clients. Yes, risk assessments are being used to drive internal audit plans, but from our perspective, they frequently do not provide the type of insights into strategic risks that boards are seeking. And so the question remains, Is internal audit helping to assess key enterprise risk or not? The answer probably lies somewhere in the middle. And an internal audit risk assessment is part of ERM, but does not constitute all aspects of it. Our sense is that the majority of public companies are doing something about ERM, although for many it is only in its very early days.








