Internal Audit – Is Outsourcing A Practical Consideration?

Overview

Internal Audit helps an organization accomplish its objectives by reviewing its risk management, internal control and corporate governance processes. Most organizations would have gone through the evaluation process to maintain an in-house Internal Audit (IA) team or consider the outsource option. The key considerations would include:

• The size of the organization and the complexity of its operations.

• The expectations of the Management and Board of Internal Audit – Is Outsourcing A Practical Consideration? Directors in terms of the scope and coverage by Internal Audit after due assessment in order to adequately assess the adequacy of company’s internal controls in line with the Singapore Code of Corporate Governance 2005 (CCG).

• The feasibility and cost efficiencies in maintaining a team that is adequately staffed with professional skills and expertise including various specialized areas.

Whether an organization has the resources or adequate workload to justify the employment of a team of Internal Auditors depends principally on the size of the organization. The workload is largely determined by the scope and the coverage of the annual audit plan as approved by the Audit Committee. There needs to be a balance in the seniority, experience and skills set of the IA staff to effectively execute the internal audit reviews and maintain the quality and professionalism of work performed.

Guideline 13.2 of Principle 13 of Singapore’s Code of Corporate Governance 2005 provides that “…the Internal Auditor should meet or exceed the standards set by nationally or internationally recognised professional bodies including the Standards for the Professional Practice of Internal Auditing set by the Institute of Internal Auditors.” It is necessary to consider how Management can ensure that their Internal Auditors are able to meet this requirement. Obviously where the Internal Auditors hold recognised professional certifications, such as the Certified Internal Auditor (CIA) or Certified Information System Auditor (CISA) certifications, the presumption would be that the Internal Auditors would meet the required standards. For staff without the required qualification, on-the-job training under the guidance of a CIA/CISA and attendance at courses, seminars and conferences by the IIA and other professional bodies would be necessary.

It is also necessary to consider the feasibility of maintaining a team that meets the competency requirements above. In addition, in order to attract the IA professionals to the organization, the organization must be able to provide opportunities for career advancement and professional development. The final assessment would be whether the organization would be able to realize the cost efficiencies of maintaining such a team.

In-House Internal Auditors Or Outsource?

What types of organizations then can afford to maintain a competent in-house IA team and what are those that need to consider the outsource option? Having had the opportunity to head the IA Department of a holding company, namely Singapore Technologies Pte Ltd (STPL) for 7+years, my considered view is that if an organization or group does not have the workload to justify the employment of a team of at least 10-12 Internal Auditors, with a quarter to a third specializing in IT audit, the organization or group should seriously consider outsourcing the IA function to a reputable service provider. Why at least 10-12 Auditors and the IT audit specialization?

The reasons are quite simple, namely that:

• There should be sufficient posts to justify at least a 3-tier hierarchy of Reviewer, Lead Auditors and Field Auditors.

• There should be sufficient opportunities for career advancement.

• Auditors can be sent for training without undue disruption to the execution of the audit plan.

• Auditors can be rotated between assignments to give them variety of work to maintain interest.

• IT systems and applications support most, if not all critical applications and processes in most organizations today. Hence, there is a need for IT audit review to assess whether the organization adequately manages IT risks to safeguard the integrity of information and the security of systems. Unfortunately it has been my experience that the majority of smaller organizations and some larger ones as well, accord low priority to IT audit as their Management and Board may not be aware of the risks and exposures in this area. As dependency on IT systems increase and critical business data are maintained on these systems, this is an area that merits higher priority and attention by the Management teams and the ACs of all listed entities.

Other than the Banks and larger business groups, most other listed companies and groups do not have the scale and complexity of operations to justify an IA team of 10-12 auditors. For these organizations, outsourcing of the IA function is clearly the more practical option for the following reasons:

• The best qualified team can be employed. The larger more established outsource service providers typically have staff experienced in audit of areas that smaller in-house team lack.

• The organization does not have to deal with staff retention and related professional development issues of a small in-house team.

• An outsourcer brings an independent perspective to the audit and is not prejudiced by any legacy issues.

Even for organizations and groups with their own IA team, there would be occasions and events that may necessitate the engagement of outsourced services to supplement in-house resources. In 2005 and 2006 when organizations and groups that needed to comply with Sarbanes-Oxley Act (SOX) requirements found themselves short of in-house resources and expertise, they supplemented with outsourced resources. There would also be occasions when due to staff resignations, reorganizations or other reasons, temporary outsource IA resources may be required by an in-house team. Also for payroll audit and fraud investigation which are sensitive in nature, outsourcing may be more appropriate in some instances.

Some arguments have been advanced for an in-house IA team, no matter how small, as opposed to outsourcing the function. In particular, that an in-house team has better knowledge of the business requirements and therefore better able to recommend practical solutions that will be accepted. My view is that such a small IA team will face limitations, especially in organizations with an autocratic Chief Executive Officer (CEO) or Senior Management team. In such situations, the in-house IA team may lack independence and not be sufficiently objective.

Conclusion

Ultimately whether the IA function (and indeed the whole framework of good corporate governance) in an organization is able to fulfill its role objectively and effectively depends on the culture of the organization and the tone from the top as demonstrated by the CEO and the Board of Directors. It is necessary not only to comply with the letter and form of good corporate governance, but also with its spirit and substance in its application, including in respect of the Internal Audit function.

Chris Liew
Managing Director
Ethos Advisory Pte Ltd
Email: chrisliew@ethos.com.sg