As Well As Reducing Budgets, The COVID-19 Pandemic Has Heightened Organizational Risks and the Need for Audit Oversight
“For many heads of audit, it’s not clear where the extra capacity is going to come from,” said Margaret Moore Porter, managing vice president in the Gartner Audit practice. “It’s clear the pandemic has created and heightened risks that need audit oversight, but there is a real danger of the function being overwhelmed unless leaders can find ways to increase capacity without increasing budgets.”
Information security and information technology risks were the two areas where a majority of audit functions planned to spend more time. Yet there is a long tail of risk areas demanding more attention and not many that will require significantly fewer hours (see Figure 1).
Figure 1. Changes to Internal Audit Execution Hours in 2020, by Risk Area
Internal audit function budgets enjoyed a period of growth of approximately 5% per year in the period between 2017-2019. In 2020 that figure came in as a 1.5% decrease, and Gartner predicts it to be flat in 2021. Headcount also remained flat in 2020, and this is expected to continue in 2021.
“It doesn’t look like there will be a way to buy more capacity for most internal audit functions in 2021,” said Ms. Porter. “Leaders will have to be creative and find ways to get more out of the resources they have.”
Sixty-six percent of audit departments are in active discussions with other risk and control groups in their organizations on how they can better share resources, notably support for risk assessment and data analytics.
Many audit departments are looking to better align and rely on risk coverage from the second line to reduce duplication and improve efficiency. Given regulatory scrutiny, that approach is less prevalent in financial services (FS) and banking audit departments, where 47% do not rely on the second line to provide assurance compared to 35% in non-FS and banking.
