'Historically, internal audit has been focused on what are assumed to be the main operating level controls, irrespective of changes in business strategy, reputation or acquisitions,' said PwC partner Duncan Fitzgerald. 'But it is necessary to take a more holistic view of risks, adopting enterprise-wide assessment and realising that if certain controls are working well then you don't need to keep testing them again.'

He emphasised that a new mindset was needed to get internal auditors thinking more about the consequential effects of what was happening outside their own organisations. In the market now, for example, they should automatically be considering the possible impact of tighter liquidity in inter-bank funding and how that might hit short-term credit, pricing and sales.

'Risk assessment is not just at the micro level,' Mr Fitzgerald said. 'Auditors need to understand external business risks in the broadest sense as well.'

Specifically, it is important to keep pace with changes in technology and to recognise the implications of business practices such as outsourcing and offshoring. The study showed that 77 per cent of the companies surveyed in Asia believed the auditing of IT security systems would assume a higher priority in the next five years. That meant in-depth knowledge of systems, programs, electronic fund transfers and data mining techniques was now vital.

'Every auditor needs to use relatively complicated systems to sift through financial and non-financial data and identify anomalies, quirks and unusual patterns to see if something is going awry.'

He added that subcontracting work to third-party providers, or off-site locations, also entailed new areas of risk. Depending on the terms and interpretation of the contract, the provider might limit the right of access to certain information or simply give unverifiable assurances about existing practices, internal controls, data security and privacy.

Other aspects to consider are what will happen if the agreement does not pan out, or if the expected benefits simply fail to materialise. How easy will it then be to take work back in-house, find an alternative service provider or renegotiate the original contract?

'Outsourcing a call centre, payroll or payment function to a third party is not drastically different from normal business risk. But you do need to tackle it immediately and get your vendor to provide a standard audit report on its internal controls.'

Such practices, he noted, were still not commonplace in Asia. In fact, many large organisations in the region had no internal audit function, or they only had one that looked at low-value activities. Fortunately, though, rising standards of corporate governance, investor expectations and peer pressure are obliging companies to reassess their position.

In doing this, Mr Fitzgerald suggested, organisations should give their head of internal audit status equivalent to a senior level executive, even if the function reported to the chairman of the audit committee rather than directly to the board. That would help to overcome persistent problems relating to attitude and approach. All too often in Asian companies, the audit function's findings were used to berate management or regarded as justification for docking bonuses.

'That's wrong,' he said. 'Operations management should welcome internal audit and use it in a constructive manner. It provides them with the assurance that there are no glaring control gaps.'

To give auditors the competencies to review risk at a strategic level and detect complex types of fraud, better training is needed. Ideally, this should include instruction in everything from business planning to brand management and operations to provide the necessary background and breadth of perspective.

Professional accountancy bodies will no doubt be willing to develop courses, but are likely to be behind the pace. So in principle, individual organisations should be ready to take responsibility for 'upskilling' their own audit teams.

Though there might be a certain amount of resistance to change, Mr Fitzgerald felt confident that the more dynamic members of the profession would recognise the career benefits of taking on a broader role.

'There has been a very cyclical type of approach to auditing,' he said. 'And while there is a need to visit the bigger risks more frequently, you should also have a 'dashboard' that allows responsive and flexible monitoring, and people who can detect what risks there are in significant spikes in receivables, outstandings or product lines.'