| Title |
Managing Internal Audit Cost, Effectiveness And Performance statement_of_directors.pdf |
| Issue No. | 3/2008 - Internal Audit |
| Details |
Managing Internal Audit Cost, Effectiveness And Performance
Overview Since the emergence of internal audit as a profession and the implementation of the Code of Corporate Governance in Singapore, demand for internal controls skills have increased exponentially. As local companies in Singapore were implementing changes to their corporate governance practices and strengthening their internal audit and internal controls systems, resourcing for skilled personnel became scarce as US Listed companies implemented their Sarbanes Oxley programs. In addition, internal audit costs increased as a result of significant “catch up” of salaries and rates due to the heightened demand over the past 5 years.
With much focus on cost and expenses amongst Singapore’s corporates, there is a need from a corporate governance perspective to ensure that cost is not the only focus when considering the level of internal audit resourcing. There is a need to ensure that the benefits of a broad program of risk based internal audit gets a fair hearing in this environment.
This article introduces a number of optional resourcing models that Directors could consider when developing the internal audit function as well as the key questions that should be asked by the Audit Committee in discharging their duties.
Resourcing Models Companies need to determine answers to the following questions regarding resourcing: • What should our total internal audit investment be? • What delivery model is best suited for us?
Both questions are inter-related as the answer to one will impact the other.
A number of companies have explored various resourcing options to deal with this dilemma. Resourcing models can take the form of recruiting full time employees (“insourcing”), engaging an external provider (“outsourcing”) or a hybrid model (“cosourcing”).
In deciding which model to select, the Audit Committee and management would be influenced by: • The degree of regulation: the heavier the regulation, the greater need for an in-house function (in many jurisdictions around the world, banks are required through central bank regulations to have an in-house team) • Whether start up needs to be fast tracked due to urgent requirements. Outsourced models tend to be favored as outsourced firms already have (or should have) pre-existing frameworks, methodologies and approaches that can be tailored for new clients. In the Singapore environment, a key question would be whether certain firms which do not specialize in internal audit are passing off their external audit practice as a generalist assurance practice under which internal audit is placed. Such firms often do not have the infrastructure such as the necessary technology, training, HR practices and enabling frameworks that ensure the delivery of high quality internal auditing. • Need for specialization for language or technical issues. For example, where operations are located in countries outside the home base, there will be a need for local language skills and understanding of local business practices and regulations.
Our experience with resourcing model decisions within Singapore for internal audit is that companies selecting the in-house model (and successfully sustaining this model) tend to be larger companies with expansive operations. In Singapore, Middle market companies and small companies have cited to us their difficulties in maintaining a full time and professional team.
Co-sourcing can be structured to suit the needs of a company with an existing internal audit department and addresses a range of different challenges. This can be developed using a number of alternatives under the co-sourcing model including strategic sourcing (such as for ad hoc projects of specialized skills) or one which is effectively partial outsourcing.
The diagram below describes the co-sourcing alternatives and examples. In addition to filling in gaps, co-sourcing provides an excellent means to extend the “reach” of internal audit into different geographies, different business processes and risks.
How much should internal audit cost? As with all corporate service budgets, the estimation and budgeting for internal audit cost is often a contentious area. After all, there is no strict minimum amount of expenditure or effort required under the SGX Code or Listing Rules.
This question should not be the first question that should be asked. The first question should be “How much internal audit do we need?”.
Companies with high levels of regulation, requiring wide geographical coverage and conducting different businesses will require more internal audit than a locally based company with one business model and low levels of regulation.
The following provides a framework when comparing internal audit investment between companies and entities:
While surveys are available showing internal audit benchmarks by company size and industry, such results should be treated carefully. Surveys show “what is” rather than “what should be”.
From our experience, such surveys miss important information which should factor into the decision of internal audit resourcing and budgeting such as: • Company risk management maturity • Productivity and internal audit efficiency • Scope and expectation of audit committee, management and other stakeholders • Unique and specific risks of the company • Business model complexity
Such factors need to be considered to ensure that the overall internal audit budget is reasonable.
A process to provide an appropriate budget for internal audit could be: A. Conduct an entity level risk assessment and evaluate the results • What key risks have been identified and how should internal audit be involved in those areas? • What level of effort does the risk assessment seem to indicate?
B. Understand internal audit investment made by comparable companies • What is the level of expenditure and effort of similarly sized companies in your industry? • Are there some obvious differences that would support spending less or more? (For example, obvious or significant differences in business model, organisation, degree of centralisation or decentralisation, regulation, scope of services, etc.)
C. The board and management’s preferences • What role and scope has management and the audit committee established for its internal audit function?
D. Past, present and future • Have there been, are there or will there be events, issues, risks or major changes that would warrant more or less investment in internal audit?
E. Other “complementary” functions • Are there other functions within the company that serve to evaluate key areas and risks objectively, such as: - Quality control and loss prevention? - Regulatory and legal compliance? - Risk management and insurance? - Operational and financial control units? • If so, are these risk mitigation and control efforts already performed to a degree that a professional internal audit function might otherwise perform? Is there inherent conflict of interest in performance feedback for existing functions? • Have we considered independence and objectivity?
The question of appropriate internal audit spend is not an easy one and is dependent on a variety of perceptions within the Company of the above criteria. Different stakeholders will have different views however the following key constraints should be kept in mind: • Are we doing enough internal audit to support our governance goals? • Are we properly covering our high risk areas, the key business processes and significant entities? • Do the internal audit team have enough time at the audit project level to conduct their reviews to identify major breakdowns or control design flaws?
As someone who has personally conducted and overseen various outsourced programs, I cannot think of a time where our team could be accused of “busy work” and low value reviews. Constant negotiation with the Finance department tends to result in lean programs very focused on major risks facing companies. In my personal experience, listed companies in other developed economies allow far broader risk based coverage and deeper reviews (with substantively more mandays to conduct work per specific audit project) and as well as reviews which touch on areas that local Directors may find rather “esoteric”. As a Protiviti Singapore practice, we often examine areas such as Spend Risk, Strategic Planning, Outsourced Vendors, Royalty Reviews, Business Continuity, IT Project Management, Governance and Fraud Risk Management. These are very different to those which are often considered the traditional domain such as procurement, inventory and revenue.
Once the internal audit investment has been established, it is necessary to determine what benchmarks are appropriate to assess the effectiveness of the internal audit function.
Measuring internal audit effectiveness While beauty may well be in the eye of the beholder, many executive and Company Directors have definitive views on how effective their internal audit function is, regardless of resourcing model or cost.
In measuring effectiveness of an internal auditing function it is worthwhile recalling what internal audit actually does (and what it does not).
The Institute of Internal Auditors, the recognized global body for professional internal auditors, defines internal audit as:
“Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
As a process within an organization, internal auditing should be managed professionally and competently.
There are dozens of qualitative and quantitative key performance indicators to measure internal audit which are beyond the scope of this article. It is important in assessing effectiveness that the underlying objective of the company’s internal audit function is kept front of mind: • Is it a compliance focused function? Is the orientation of the audit committee and management towards ensuring compliance to company policies and procedures as well as external regulation? • Is it a broad based and governance focused function? Is the expectation that internal audit should be reviewing across all areas of the enterprise with a focus of finding key breakdowns and deficiencies in risk management across all categories of risk including financial, commercial, reputation/branding etc? • Is it expected to find revenue leakages and be involved in loss prevention? A number of internal audit functions are heavily involved in revenue assurance activities, even to the extent of having trained and experienced resources dedicated to this goal.
There are no right or wrong answers to the above questions and may even differ widely across industries. Heavily regulated industries such as banking, would require their internal audit function to have a strong orientation towards regulatory compliance as opposed to taking an operational approach.
A Further Perspective From our perspective, the role of internal audit could be distinguished further along a continuum:
Ultimately when determining the answer to the question: “What is the Return on Investment?”, the objectives and orientation of the IA function – as outlined above should be kept in mind. For example, a compliance focused IA department may select measures such as the number of controls issues reported and closed with management, whereas an operationally focused audit department might include losses identified and revenue recovered as part of its KPI’s.
There are a number of methods to leverage the Internal Audit spend and to enhance the effectiveness of the internal audit department.
These include: • Self assessment by business units and subjecting these to validation by internal audit • Use of technology tools and data analytics • Use of outputs from the internal audit process such as flowcharts, risk control matrices into the company’s QA, Compliance or even Operational Risk Management programs • Enhanced scoping to allow focused reviews on identified risk areas within a business process • Use of internal auditors as training consultants for the rest of the business • Ensuring that management have a mindset that they own their controls Checklist for Audit Committee’s Agenda for Internal Audit
Audit Committees run a very full agenda in the current business environment.
However the effectiveness of internal audit is very closely aligned to the effectiveness of the Audit Committee.
The Audit Committee can play a very important role in ensuring that the internal audit function is effective by keeping in mind the following questions: • Is the level of resourcing allocated to internal audit appropriate and allow a reasonable program based on our collective understanding of its role and orientation? • Does the internal audit function have “sufficient standing” within the company? (while the term is used in the SGX Code of Corporate Governance, it is not specifically defined. Hence plain English interpretation would have to suffice and in this context, issues such as whether the internal audit function’s independence is respected, whether there is sufficient cooperation by management with the internal audit department, does the internal audit department have sufficient authority to all books and records etc) • Is the internal audit program and reporting line appropriate? (Accepted practice has moved from a sole reporting line to the CFO to one which is distinguished between administrative and functional reporting. The accepted reporting line is now administratively to the CEO/ CFO and a functional reporting line to the Audit Committee Chairman) • Are the audit report deliverables of sufficient quality? • How does management respond to issues raised by the internal audit function? • Is there clear understanding of the internal audit function as to its own responsibilities and obligations?
Conclusion The internal audit function in Singapore has evolved significantly over the past 5 years since the 2003 Code was brought into effect. It is now a high demand profession, and it is clear that the current level of demand is not going to decline anytime soon. In this environment, companies should re-evaluate their resourcing options and look to leverage the internal audit investment.
Audit Committees have an important role to play to ensure that the internal audit function is effective.
An effective and independent internal auditing function is now seen internationally by a wide range of institutions and agencies as an integral part of the supporting mechanisms for the Board to effectively discharge its responsibilities on internal control and risk management. It would be difficult for any Board to effectively meet its governance obligations without the support from a well functioning and independent internal audit function.
Phil Moulton
|
