Internal Audit is an important function within an
organisation. In the present context of increasing emphasis on good governance,
the need for well-defined risks and controls framework, the focus on prevention
rather than detection and desire for a strong compliance culture, there is an
urgent need to ensure that the Internal Audit function has been set up with due
thought process.
This article highlights some of the key areas that require
attention while setting up the Internal Audit function in an organisation.
For organisations that already have such a function, there may be a need to
revisit the manner in which it has been set up and make suitable changes to
ensure that the Internal Audit function is engineered to perform effectively.
The management of the company while setting up the Internal
Audit function has to take a few key decisions:
- Organisational placement: Who will IA
report to?
- Structure: Will IA be an in-house
function, a totally outsourced function or a co-sourced function?
- Team composition and location: What
skill sets will be required for the IA team? How should the team be selected /
sourced?
- Scope: How will the scope of IA be
determined? What will be kept out of the scope?
- Budget and resources: What is a
reasonable budget and what resources need to be made available to IA?
ORGANISATIONAL PLACEMENT
The audit committee of the
Board (“ACB”) is required to take primary responsibility for ensuring an effective
Internal Audit function. In an ideal situation, internal auditors functionally
report to the ACB and administratively to the CEO. In organisations that do not
require to have an ACB, the responsibility for setting up and overseeing the
Internal Audit function rests with the Board or an equivalent Governing Body,
in case of non-corporate bodies.
In reality, in a large
number of cases, the Internal Audit function reports to the CFO, both
administratively and functionally. Even where it does not report to the CFO,
the CFO wields strong influence on the Internal Audit function. The word
“audit” is so strongly associated with the financial reporting process that it
is often wrongly presumed that anything to do with audit, including internal
audit, must have a dotted or a solid line to the CFO.
In the absence of a clear understanding of the important role
assigned to the Internal Audit function in the corporate governance framework,
the function is more often than not organisationally misplaced, thereby undermining
its very role.
There are also organisations where Internal Audit technically
reports to the ACB, but for all practical purposes that is only on paper. In
these cases, the Audit Committee plays virtually no role in ensuring the
effectiveness of the Internal Audit function, often spending minimal time on
Internal Audit matters. All decisions, such as appointment of internal
auditors, scope determination, access rights and budget for Internal Audit are
taken unilaterally by the CEO or the CFO.
It has been my experience that an effective Internal Audit
function has two levels of reporting lines:
- For operational audits, the first level of
reporting may be to the CEO or a committee comprising of senior executive
management. However, the key issues arising or areas of difference of opinions
from such audits need to be presented to the ACB periodically.
- For organisation-wide audits dealing with
governance matters (such as effectiveness of whistle-blower mechanism, related
party process audit and compliance function review) or for audits of functions
directly headed by the CEO, the reporting has to be to the ACB.
For Internal Audit function to play a meaningful role in
an organisation, the first step is to ensure correct organisational placement and
to provide meaningful access to those charged with governance, in this case the
ACB
IA Structure: In-house, Outsourced or Co-sourced? Or, is
there a fourth option?
A decision that requires deliberation by the management is
the structure of the Internal Audit Department. For a long time, discussions on
the structure have been limited to the three obvious options – that the
Internal Audit function be entirely an in-house function, or the entire
function be outsourced to an external agency, or the Internal Audit function be
partly in-house and partly outsourced.
What drives this decision? For some industries, the
regulators have mandated the structure. e.g., a bank is not allowed to
outsource its Internal Audit function, whereas an insurance company above a
certain size is mandatorily required to engage an external agency to perform
its internal and concurrent audit. For large corporate conglomerates and
multinational companies, there is often a Central Internal Audit team headed by
a “Group Head – Internal Audit”. This central team is supported either by a
team large enough to perform all internal audits across all group entities or
is supported by one or more professional firms, each one assigned to perform
internal audit of specific entities of the group or specific areas within
select entities. Increasingly, it is observed that large listed companies or
corporate conglomerates assign the position of “Chief Internal Auditor” to an
in-house person and the management, along with the Chief Internal Auditor,
determines the structure of the IA function.
Ideally, the management of the company, with guidance from
the members of the ACB, and in consultation with the Chief Internal Auditor,
should decide upon the structure of Internal Audit function in a manner that:
- Ensures transparency and fair reporting on the
status of risks and controls, and on the effectiveness of risk management
processes and governance processes;
- Encourages good talent and specialised skills,
as required, to be available to the Internal Audit function;
- Ensures that Internal Audit function remains a
relevant and focused function within the organisation, providing early alerts
and timely warnings where needed;
- Accelerates the use of technology for making
the Internal Audit function efficient and time-sensitive;
- Allows the organisation to optimise the costs,
e.g., by appointing local audit firms for remote / decentralised units, while
retaining the centralised function audits in-house.
Unfortunately, in many cases, the structure of the Internal
Audit function is selected in a casual manner based on past practices, without
much deliberation and with the primary objective of cost optimisation. This
needs to change significantly – so that the determination of the structure of
Internal Audit function is a conscious decision backed by serious thinking.
In the present dynamic
times, there is the emergence of a fourth option – multi-sourced internal audit
where, in addition to selecting one of the three basic structures described
above, specialist skills are brought in as team members on a need basis,
typically for areas very specific to the industry, or new emerging areas such
as blockchain, cyber security, data privacy, social media audits, etc. With a
fast increasing gig economy on the one hand and a fast changing world on the
other, Internal Audit function cannot be served well with static skills – hence
the emerging trend of seeking the support of specialists to supplement the
internal audit team, for select areas / activities. An effective Internal
Audit function can be designed based on a fine play between in-house talent,
outsourced support on a regular, recurring basis and specialised skills sourced
on a need basis.
Decisions for taking support through outsourcing must be
based on strategic thinking as to what is driving the outsourcing decisions –
(a) is it the need to have additional people, (b) the inability to recruit the
right talent, (c) the need for having people in the right geography, (d) the
need for specialised skills that are not available in-house, (e) the need to
bring in lateral experience of the outsourced firm, or (f) the need to optimise
cost as outsourced resources are cheaper than adding team members in-house? If
the structure is strategically decided and the rationale for outsourcing is
clearly understood, the selection of outsourcing partners would be far better
and more effective.
To summarise, while setting up the Internal Audit
Function, its structure must be determined based on serious, strategic thinking
and the decision must be revisited periodically to ensure that the structure
continues to be relevant.
TEAM COMPOSITION AND LOCATION
Once the decision about the structure of the Internal Audit
function is taken, next is the selection of the team leader, the team members
and / or the outsourcing partners. A good mix of competencies and qualities
needs to be brought together for an effective internal audit. The team leader
should have a clear vision, strong people skills, deep understanding of risks
and controls and of the business being audited, breadth of knowledge about the
external economic and competitive environment, and much more. The past practice
of appointing a “minister without a portfolio” as the Head of Internal Audit
must stop – the Head of Internal Audit must be committed and passionate about
the function and be able to inspire the team to think out of the box and
deliver beyond expectations.
Careful determination of the size, mix and composition of the
IA team and the identification of competencies and qualities required goes a
long way in selecting the right outsourcing partners. Gone are the days when
internal audit teams would comprise largely of chartered accountants. The
present-day IA team needs to come from different academic and experience
backgrounds – a good IA team for a large company or a corporate group would
include, in addition to finance and accounting persons, specialists in the
industry being audited, some functional specialists such as IT specialists,
engineers, legal and tax specialists and forensic experts.
In case of a multi-locational organisation it is important to
decide the location where the members of the IA team are to be stationed and to
ensure adequate infrastructure at such locations. With advance of technology, it
is not the mere physical location but the decision as to centralisation /
decentralisation of Internal Audit function that becomes relevant.
The management may devise suitable policies to encourage flow
of talent into the Internal Audit function – many organisations follow the
policy of placing new entrants first for a stint in internal audit and then
rotate them out based on demonstrated capabilities and interest. Similarly, at
the time of considering promotions from mid-management to senior level, organisations
give due weightage to those who have spent time as part of the internal audit
team for a certain tenure. These considerations, at an early stage, make the
internal audit teams vibrant, with a good mix of young entrants and experienced
functional experts.
IA SCOPE DETERMINATION
There has been a lot of
talk about “risk-based internal audit”, where the risk assessment of the
organisation should form the primary basis for scope determination. This is all
very well for organisations that have gone through a rigorous process of risk
assessment and make efforts to keep the same updated to reflect dynamic risks.
For such organisations, the internal audit scope would be determined by the
management in consultation with the internal auditors, based on the identified
risks and their severity after considering the impact of mitigating controls.
Many organisations,
however, do not have a mature Risk Management Function and their documented
Risk Management Framework is sketchy and not reflective of the real risks
comprehensively. In such cases, the determination of scope becomes an intuitive
exercise, driven by the areas covered in the past 2-3 years and by the areas
and risks that are apparent and significant. Many finer areas that merit
inclusion in the audit scope remain outside the purview. For internal audit
scope to be meaningful, there is a need for the Risk Management framework of
the organisation to be comprehensive and updated on a dynamic basis. An
internal audit scope designed based on a well-defined Risk Management framework
and after seeking inputs from senior executive management, audit committee
members and statutory auditors tends to be comprehensive and relevant.If
there is one area that needs to be overhauled, it is the manner of fixing the
scope of internal audit – in most cases, there is little creativity, hardly any
dynamism and no clear link between key risks and audit areas included in the
scope.
For a meaningful internal audit, the scope must reflect
the dynamic reality and the real concern areas of the organisation, it must
cover adequate ground for proving reasonable assurance on the effectiveness of
controls, and it must have flexibility to modify / enhance the scope to
accommodate newly-identified risks / activities that require attention.
IA BUDGET AND RESOURCES
Internal audit is an important management function that
requires a plan, a budget and a commitment for resources, just like any other
function. Management may do well to establish a comprehensive budget detailing
the various heads under which the IA function will need to spend and the
resources and infrastructural support that it would require.
The budget and resource planning needs to include:
- People cost for the in-house team;
- Outsourcing cost for the audits proposed to be
outsourced;
- Training needs for skill upgradation of the IA
team;
- Technology tools and equipment;
- Allocation for proper space and infrastructure
– access to work stations, meeting rooms, video conferencing and communication facilities,
etc.;
- Provision of support for development of IT
utilities and reports required for audit, administrative support, etc.
In this dynamic environment, very often the internal audit
budgets are static and the kind of resources allotted are outdated. The
investment made in training and upgrading the skills and knowledge of the IA
team leaves much to be desired and all this inevitably leads to an impoverished
IA function trying hard to “live within the budget”.
An effective IA function needs to be empowered with a
healthy budget for efficient execution and skill enhancement, the latest IT
tools and infrastructure and adequate resources for partnering with appropriate
outsourcing agencies and specialists. Expectations from internal audit need to
be aligned to the budget and resources provided for internal audit.
CONCLUDING REMARKS
Internal audit is one of the pillars of corporate governance
– lack of planning or mindless cost-cutting in building this pillar can bring
down the superstructure of corporate governance. The tone at the top where the
function is respected as a value adder and not merely as a statutory obligation
will help sustain a great Internal Audit function.
Many of the thoughts
expressed in this article may appear to be academic or theoretical – but these
are fundamental to the establishment of a robust Internal Audit function in any
organisation. Just as “well begun is half done”, in the case of Internal Audit
function – “Ill-begun is almost totally lost.”
In the present times, when Internal Audit function is
expected to perform audit at the speed of risk, ensuring that the foundation on
which the Internal Audit function is standing is strong and periodically
reinforced to stand the test of time is critical.
