A number of divergent and conflicting trends related to risk assessment are a concern among internal audit executives. Although there is growing interest in enterprise risk management (more than 80 percent of respondents reported they conduct an annual enterprise-wide risk assessment), only a handful of those surveyed said they update the internal audit risk assessment continuously, while 64 percent may be doing little or nothing between annual assessments.

At one-third of the companies surveyed, multiple enterprise-wide risk assessments are being conducted across the organization. Of this group, only 20 percent consider these assessments "well" aligned, while 50 percent said they are "somewhat" aligned and 30 percent said they are "not well" aligned, with little or no coordination among the parties making the assessments.

"Audit committees are losing patience with multiple risk assessments that don't say the same thing," said Dick Anderson, a partner at PricewaterhouseCoopers. "A company is inviting inefficiencies and possibly missing risks if its enterprise-wide risk assessments are not aligned or integrated."

PwC said six imperatives should be considered when strengthening the internal audit risk assessment process, as suggested by the study:

1. Adopt a process approach to risk assessment and planning.
2. Supplement annual risk assessments with quarterly or more frequent updates.
3. Leverage your prior assessment results.
4. Align and leverage risk assessments.
5. Seek out the specialized talent you need.
6. Coordinate effectively with other risk management groups.

"Today, there is a growing awareness among chief audit executives of the importance of linking risk assessments and effective audit coverage," said Richard Chambers, managing director with internal audit services at PwC. "To help strengthen risk management within their companies, audit groups must focus on assessing risk on an ongoing basis and continue to monitor and update their enterprise-wide risk assessments."

In the areas of finance, compliance, and operations -- sectors that might be characterized as traditional areas of focus for internal audit -- respondents expressed fairly high degrees of confidence (64, 49, and 43 percent respectively) in their audit coverage of these types of risks. However, they were significantly less confident with their audit coverage when dealing with risks in the areas of technology, fraud, and strategic or business risks.

The 2007 study also found that internal audit groups reporting to the CFO organization devote more time to Sarbanes-Oxley compliance than groups that report directly to the audit committee or the CEO. According to the study, only 31 percent of internal audit functions reporting directly to the audit committee or the CEO devote more than 50 percent of their time to Sarbanes-Oxley compliance. By contrast, 46 percent of those who report directly to the CFO indicated that they dedicated more than 50 percent of their time to the Act during 2006.

The study found that when internal audit reports to a level below the CFO in the finance organization, such as to the controller or treasurer, the time commitment to Sarbanes-Oxley compliance increases dramatically, with 69 percent of these internal audit functions reporting spending more than 50 percent of their time addressing compliance with the Act.

"Given the disparity of time dedicated to compliance with Sarbanes-Oxley depending on reporting relationships, these survey results naturally beg the question as to who is actually directing the focus and deployment of corporate audit resources," added Anderson.

Other trends in this year's report include:

• Audit report ratings are popular but present challenges for internal audit. Audit ratings allow internal audit to communicate the potential level of exposure or risk associated with not implementing corrective actions emanating from audit findings. However, more than half (56 percent) of respondents reported that audit ratings are creating friction and slowing down the audit process at their organizations.
• Lack of capacity and capabilities is a top concern. Internal audit leaders believe that their greatest challenge is finding enough qualified talent to address the growing and increasingly complex needs of their chief stakeholders.
• Rotational staffing provides a key source of talent. Rotational staffing is fast becoming the prevalent staffing model for large corporate internal audit groups (more than 80 percent of the Fortune 500 respondents have some form of rotational staffing in place.)
• Continuous auditing continues to generate interest. Forty-three percent of respondents reported using some form of "continuous" auditing or monitoring in their audit operations.

To download a full copy of the report, entitled "PricewaterhouseCoopers 2007 State of the Internal Audit Profession Study: Pressures Build for Continual Focus on Risk," visit www.pwc.com/internalaudit. 

The survey was conducted in the fourth quarter of 2006 and includes responses from 717 audit managers. Eighty percent are either chief audit executives or internal audit directors/managers and 59 percent are from companies with $1 billion or more in annual revenue.