Establishing an effective internal audit function is hardly a revolutionary topic. Most if not all would agree that internal audit has a higher chance of success when it is structured on an organisation's risks and needs.
It is widely accepted that internal audit serves as the third-line of defence within an organisation's internal control framework. It provides independent, objective assurance and advises on activities that improve an organisation's operations and add value to the Board of Directors (Board) and senior management, who are positioned as the first-line of defence.
Internal audit, by convention, offers compliance and periodic audit on operations. However, such limited scope is no longer sustainable in today's business environment. To further enhance its relevance and value, internal audit needs to be involved in Enterprise Risk Management, Fraud, Cybersecurity and Information Technology security assessment. Risk management is forward-looking as compared to compliance where reviews are performed on past activities.
It is also in the Board's interest to push for internal audit to incorporate strategic and emerging business risks reviews in its scope, besides its contribution to good governance, especially given the heightened emphasis on corporate responsibility and accountability. When establishing an internal audit division strategy must drive tactics. Key strategic issues are sometimes overlooked. It is useful to look at cases where there have been internal audit-related shortcomings. Some of the key weaknesses found in SOX Section 404 internal control reports are: lack of a comprehensive or effective internal audit program/function; lack of independence in the internal audit function; staffing problems and inexperienced internal auditors.
Going beyond compliance
We increasingly see stakeholders asking, if not demanding, internal auditors to address strategic and emerging business risks. The Institute of Internal Auditors (IIA)' 2014 The Pulse of the Profession identifies strategies for advancing internal audit in a report titled "Enhancing Value Through Collaboration: A Call to Action." The report examines changing expectations from key internal audit stakeholders based on the findings of four major industry surveys conducted in the first half of 2014. A mutual set of actions to accommodate this changing landscape of internal audit is necessary. It takes two hands to clap after all. For a start, internal auditors need to manage expectations with their primary stakeholders, i.e., the Board, the Audit Committee and senior management and structure their activities accordingly. The Board, on the other hand, needs to encourage internal auditors to go beyond mere compliance audits and develop an increased focus on business value-added reviews.
Communication is key
A clear and open communication between both parties would help bridge the needs and expectations of the internal auditors' primary stakeholders. It is essential for the Board and senior management to keep the internal auditors updated with key developments concerning the company's business and strategic plans. To be highly regarded by the top management internal auditors need to develop effective communication process outside of the scheduled audits.
Moreover, the Board needs to provide the internal auditors with a mandate of an appropriate authority and of an applicable structure that supports its enlarged scope, besides independence and objectivity. The mandate which is typically set out in a written charter must be compatible with the charter of the Audit Committee and consistent with the standards of IIA.
Getting the right balance
To evolve from a function primarily focused on financial risks to one that covers a broad spectrum of risks, internal audit has to recruit staff with more diverse backgrounds and work experiences. Organisations are also increasingly more global than before. At the same time, the Board (or Audit Committee) has to play its role too. Having provided the mandate, the Board (or Audit Committee) should also be critically reviewing the composition of the internal audit function.
Internal audit's value proposition is only as good as the skills the function brings to the organisation. There has to be a right blend of capabilities or each of the internal audit assignments. Nonetheless, it has proven to be a challenging exercise. It depends on the availability of resources to form a team that is well-informed on the local rules and regulations paired with business acumen.
One option for the Board is to look internally to supplement the internal audit function. Experienced employees with specialised skill sets are an asset as they are familiar with the organisation's operations, structure, culture and internal control environment. Organisations could consider secondment of these experienced staff to the internal audit team, either on a project basis or for a period of time. For such an arrangement to be successful, appropriate on-the-job training for experienced staff is required to fill in the gaps of internal audit methodology. The Board should be mindful of the potential downside of this arrangement, i.e., the secondee cannot be involved in auditing the area that they worked in. Consequently, the Board needs to ensure proper structure in place to maintain objectivity and to avoid any possible perception of conflict of interest.
Establishing the suitable internal audit setup
Strengthening the internal audit function via secondment is not a sustainable solution in the long run. The Board may explore the option of co-sourcing or outsourcing internal audit arrangement. Multinational companies and government bodies tend to recruit an in-house team of internal auditors due to the size of operations as well as the number of rules and regulations to be complied with. However, even for these organisations, it remains a perennial challenge to recruit and form an internal audit team that can deal with diverse risks and subject matter expertise. Outsourcing or co-sourcing internal audit arrangement can help an organisation attain flexibility and reduce costs by complementing existing personnel and providing access to variable skill sets.
Some common types of co-sourcing or outsourcing audits are Information Technology, Enterprise Risk Management, Human Resources and Payroll audits. The primary rationale for such an arrangement ranges from being a cost efficient solution to also protecting your company's sensitive information. Furthermore, there is also a strong demand for specialisation and expertise in Enterprise Risk Management. Although the Board is not expected to be thoroughly well-informed about risk management, they should be aware of the risks and understand risk management. Particularly because Enterprise Risk Management implementation is still at its infancy in the business world of Singapore. Hence getting an external service provider would reap strategic value. Organisations with limited in-house specialists could also tap on internal audit firms.
The price tag
As good stewards of the organisation, the Board rightfully has to get the bang for the buck. There is no simple answer or formula to determine the internal audit budget. The budget should be driven by the complexity of risks an organisation faces. There are some crucial factors when planning the budget. Besides the internal audit plan and the scope of work, it should factor in employee competency and the availability of resources and the maturity of risk management. The organisation needs to ensure that its audits are performed efficiently and at a high quality as much as possible.
Not unlike any other business
The Board plays a critical role in establishing an effective internal audit function. Change is constant, and the evolution of internal audit is no exception. An internal auditor needs to constantly communicate with his/her stakeholders to ensure that he/she is focusing on areas of concern. Internal audit is often regarded as an extended arm of the Audit Committee to conduct ad hoc and routine internal control review in order to discharge Audit Committee's oversight responsibilities in risk management and internal control. A progressive Board will also engage internal auditors to focus on business value-added reviews to address strategic and emerging business risks. This requires the Board (or Audit Committee) to right-size the internal audit unit based on the organisation's risk profile. The internal audit division's human capital strategy should reflect its mission, role and required competencies.
Lastly, the key is to note that internal audit is agnate to any other business process. Its performance and value contribution can be measured if clear value drivers have been established at the start and effective measurement protocols are developed. Look beyond the organisation to identify leading practices that can improve process of internal audit performance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.