Leaders need to find ways to increase internal audit capacity without increasing budgets

A study of 299 internal audit organizations showed that the function faced both declining budgets and a significantly expanded workload in 2020, according to Gartner.

internal audit

“For many heads of audit, it’s not clear where the extra capacity is going to come from,” said Margaret Moore Porter, managing vice president in the Gartner Audit practice.

“It’s clear the pandemic has created and heightened risks that need audit oversight, but there is a real danger of the function being overwhelmed unless leaders can find ways to increase capacity without increasing budgets.”

Information security and information technology risks were the two areas where a majority of audit functions planned to spend more time. Yet there is a long tail of risk areas demanding more attention and not many that will require significantly fewer hours.

“At the moment this is very far from being a balanced equation,” said Ms. Porter. “The obvious implication, if the picture doesn’t become more balanced, is that audit leaders will have to make tough coverage trade-off decisions.”

Internal audit function budgets to be flat in 2021

Internal audit function budgets enjoyed a period of growth of approximately 5% per year in the period between 2017-2019. In 2020 that figure came in as a 1.5% decrease, and it is predcted to be flat in 2021. Headcount also remained flat in 2020, and this is expected to continue in 2021.

“It doesn’t look like there will be a way to buy more capacity for most internal audit functions in 2021,” said Ms. Porter. “Leaders will have to be creative and find ways to get more out of the resources they have.”

Sixty-six percent of audit departments are in active discussions with other risk and control groups in their organizations on how they can better share resources, notably support for risk assessment and data analytics.

Many audit departments are looking to better align and rely on risk coverage from the second line to reduce duplication and improve efficiency. Given regulatory scrutiny, that approach is less prevalent in financial services and banking audit departments, where 47% do not rely on the second line to provide assurance compared to 35% in non-FS and banking.

Don't miss