Does your audit plan tackle the risks that matter?

Navigating an increasingly complex risk landscape is a key function of internal audit (IA) teams, but are IA plans adequately addressing the risks that management feels most exposed to? The findings from PwC’s 2023 Global Internal Audit Study, which surveyed more than 4,600 business leaders in 81 countries, suggests there’s progress to be made. CEOs polled in a separate PwC survey said that they consider macroeconomic volatility and inflation the top threats to their company, for both the near and the medium term. Yet only 48% of respondents in the IA survey said their company’s IA plan has addressed those risks. This suggests a significant misalignment—but also a significant opportunity.

How can organisations address this? They should start by having better risk conversations between the first, second and third line to help break down barriers and find new opportunities together. The study points to several concrete steps for IA to take a lead role in doing this: 

• Offer a viewpoint and commentary on new or draft business strategies and plans. IA can maintain objectivity while still offering a perspective based on their cumulative experience and ability to see risk differently.
• Author discussion papers or presentations on emerging risk areas or topics—outside of regular audit reports—that can offer an early warning or spark discussion.
• Summarise findings from multiple audit reports into broader root causes and themes at a company level. This can also be mapped to trends in the industry.
• Bring in expertise from first- or second-line teams, or external advisors, to broaden debates and offer other perspectives—for example, in topical or risk workshops. 
• Share materials from industry or technical sources or communities of interest, which can help highlight industry-level trends or emerging risks.
• Agree on value-based metrics and key performance indicators for IA, so it can be measured against the value it adds to stakeholders.

With improved engagement, and a willingness to see risk differently, organisations can unlock the potential of IA, and better focus on the specific things companies can do—from alternative sourcing programs and pricing adjustments to macroeconomic risk assessments and supply chain resiliency plans—to address the threats that today’s CEOs are most concerned about.