BACKGROUND
If one looks for a common definition of ‘value add’, it is the
difference between the price of a product or service and the cost of producing
it. The price is determined by what customers are willing to pay based on their
perceived value. Value is added or created in different ways.
Historically, Internal Audit is treated as a ‘cost centre’ rather than a
‘value-added process’. That’s because the definition of ‘value add’ can vary
from one firm / audit department to another. Mostly, it means improving the
business rather than just looking at compliance with policies and procedures.
But what is ‘value add’ to one practitioner may be different to another practitioner
of internal audit. So how does one establish what is ‘value add’? This will be
different in every case and also for each organisation. It has become common
for most practitioners to claim that they deliver ‘value-added’ internal audit
services, and for most stakeholders to speak of availing of ‘value-added’
internal audit services. The question, therefore, is ‘how does an internal
auditor or internal audit team / department add value’ in a particular
assignment or to the organisation?
Broadly speaking, adding value would be based on the competencies and
personal qualities of the internal auditor and what is being delivered.
James Roth, who has done significant work in this area and published
papers and written books on the subject, in his paper How Do Internal
Auditors Add Value identified four factors that can help internal
auditors determine what will add value to their organisation –
1. A deep knowledge of the
organisation, including its culture, key players and competitive environment.
2. The courage to innovate in ways
stakeholders don’t expect and may not think they want.
3. A broad knowledge of those
practices that the profession, in general, considers value added.
4. The creativity to adapt
innovations to the organisation in ways that yield surprising results and
exceed stakeholders’ expectations.
Based on our experience in conducting internal audits in a number of
organisations in India and abroad and speaking to a number of Chief Audit
Executives, including 14 top CAEs in the country being interviewed and a book Best
Practices by Leading Chief Audit Executives – Making a Difference published
with respect to best practices in their respective departments, we are giving
here a few key practices which would go a long way in providing ‘value add’ to
organisations. The internal auditor would then be welcomed and respected by the
top management and treated as a trusted business adviser.
IMPROVING CONTROLS OR IMPROVING PERFORMANCE FOR THE ORGANISATION
Normally, internal audit would include examination of financial and
operational information and evaluation of internal controls of significant
processes (ICFR / ICoFR). In terms of presentation to management and the Audit
Committee, the internal auditor would be presenting the risks and controls
evaluated for significant processes and non-conformance thereof with an action
plan to mitigate the non-conformance.
The question arises whether in practice the
stakeholders would be happy to get an assurance on controls alone or would they
value improving performance for the organisation. Improving performance would
mean measurable revenue growth or cost savings due to the work carried out by
the internal audit service provider. This is always a point of debate, whether
an internal audit work should be gauged by the cost savings and / or revenue
growth due to work directly carried out by them. From numerous interviews with
CAEs and our practical work in the field with organisations, it is clear that
improving performance is considered a ‘value add’ by stakeholders and is much
appreciated and valued. This does not mean that the internal audit would not be
evaluating internal controls but would mean focus on improving performance to
enhance the value of the internal audit service being delivered.
Consider the following cases:
Improving performance –
cost savings in procurement (a pharmaceutical company case)
A medium-sized pharmaceutical company with a yearly turnover of around
Rs. 1,200 crores is facing tough times due to the current pandemic as its
revenue has fallen by 35%. The outsourced partner of the internal audit firm is
approached by the management and helps constitute a team consisting of two
senior procurement officials, a cost accountant, one senior production official
and a senior internal auditor who has been working with the firm and deputed to
this client and having experience in the company processes; together, they go
through all major procurement items to identify areas for cost savings /
rationalisation.
A number of questions are raised with the aim of cost savings:
(i) Are we buying from
authorised vendors, for example, bearings?
(ii) What would be the
profit margins of vendors from whom we buy imported material – could we work
with them to reduce the cost of procurement of such material?
(iii) Could we substitute some materials being procured to reduce costs
without affecting quality?
(iv) Who are the vendors supplying to our competitors and what material
is being sourced by them? Are their procurement costs cheaper or is their
quality better?
(v) Could we reduce our EOQ
without affecting costs and our production schedule – improve the working
capital and thereby reduce costs?
The team made a presentation on the progress to the top management every
fortnight. In an exercise over two and a half months, by analysing data,
raising the right questions and working on a number of parameters, the team was
able to effectively save Rs. 22 crores in procurement costs without compromising
on quality or service parameters. This was considered as a ‘value add’ for the
team, and especially for the partner of the outsourced chartered accountant
firm.
This may be considered as a special assignment but the point being made
is ‘what do the organisation / stakeholders require and is it being delivered
by the internal auditor / internal audit firm?’ In this particular case, the
internal audit was considered ‘value add’ and it would be welcomed and
respected by the stakeholders.
Improving performance –
mid-review of expansion project (an engineering company case)
In a new project expansion being executed by a large engineering
organisation, the internal auditor requested that the management allow his team
to carry out a mid-review of the project. Since the internal audit firm was
associated with the organisation for the last few years, the management liked
the idea of a mid-review as the costs for implementing the expansion were quite
high.
The internal audit team conducted the review – the estimates, project
plan including time and cost estimates, current time and cost incurred (all
purchase orders for materials and services, materials and services received to
date, consumption, all payments made, etc.), statutory compliances with respect
to procurement and site work, sanctions with respect to bank loans and current
utilisation (including all foreign loans and hedging).
The internal audit team highlighted a likely delay in procurement that
could lead to the overall project being delayed, higher costs in a few
procurement areas where similar work carried out in earlier years had been
executed at lower costs, and lapses in statutory compliances. This resulted in
the project being brought back on track in terms of time and cost. The
inspection schedule for outsourced fabricated items was increased, meetings
with vendors commissioning the project were handled at a higher level and some
re-negotiation on the procurement items was undertaken. Statutory compliances
were all competed.
Again, this was a value addition because of an independent review by the
internal auditor. Had this been done at the end, it would only have been a
post-mortem and provided ‘learnings’ for the future. In this case, the review
actually resulted in improving performance by having the project being executed
in time with minimal time and little cost overrun.
STRATEGIC ALLIANCE WITH OTHER FUNCTIONS
It is important for the internal auditor to forge an alliance with other
functions in the organisation rather than work in isolation. There are other
functions like HSE – Health, Safety & Environment, Risk Management, Legal
& Compliance, Quality, IS or Information Security. All these are also
support functions providing much-needed assurance and governance support to line
functions.
Why does the internal audit function have to ‘reinvent’ the wheel? A
strategic alliance with other assurance functions would enable the internal
auditor to
i) Benefit from work already
being carried out by other function/s and avoid repetition
ii) Have better understanding of
the risks and controls of the process under review
iii) Make the internal audit
review comprehensive, building and learning from the work carried out by other
functions
iv) Collaborate to jointly
carry out a review of the technical areas where the other assurance functions
would have better understanding of the process under review.
Consider the case where the internal auditor carrying out the review of
the production process first contacted the management representative for ISO
9000 Quality Standard and had a look at the number of non-conformities and
corrective action-taken reports of various issues highlighted by the ISO
auditor for the production process during the entire year.
THE INTERNAL AUDIT PROCESS – TRANSPARENCY AND
COMMUNICATION
The entire process from communicating objectives, field work – obtaining
data, analysing data, etc. and communicating final results should be a
transparent exercise. The internal auditor has to be working with auditees /
process owners throughout the life cycle of the internal audit project. There
is nothing to hide as the objectives for the auditee / process owner and the
internal auditor are the same.
To bring transparency in the process it will be necessary to communicate
continuously with the auditee team regarding
(a) what are the objectives
(b) what data is required
(c) what will be achieved at
the end
(d) how can performance of the business be improved due to the internal
audit exercise being carried out for the process under review
(e) what deviations / bottlenecks are being found which can be improved
upon
(f) what further data or
expert advice is required to form an opinion on the process under review.
These are just some aspects of the process but the idea is to
continuously communicate as if the internal auditor and the auditee / process
owner are working together on the project to improve the performance of the
business.
Except when the internal auditor suspects
that there are integrity issues which need to be separately reported and / or
investigated, there has to be complete transparency and the working of the
internal auditor needs to be integrated with that of the auditee / process team
under review.
An effective internal audit is the sum total
of a proactive auditor and a participative auditee. This
will be possible only when the auditor is experienced in business process, and
is also competent, skilled, professional and transparent in his approach. This
would enable the internal auditor to have a participative auditee (it will also
depend on the maturity of the organisation and its culture) which, in turn,
would lead to an effective internal audit.
NEGOTIATING THE ROLE OF INTERNAL AUDIT
It is very important for an internal auditor to negotiate the role of
internal audit. The idea is to work with management in the journey for business
improvement in terms of better technology for business, technological
upgradation, cost savings and other aspects of governance. For this, the internal
auditor has to negotiate his role and grab the opportunities which come his
way.
Let us consider the following cases:
(1) The internal auditor requests the management of a large
geographically-spread organisation to put up an exhibit at the annual event to
showcase the role and capabilities of the internal audit function. The
management was taken aback with this request but was pleasantly surprised with
the exhibit and it was much appreciated.
(2) A CAE feels the need to carry out an
energy audit throughout the organisation at its 22 plants in India. He inducts
an engineer with energy audit knowledge and helps with energy audit in many
plants, leading to tremendous savings in coal and improved efficiency in steam
generation.
(3) An internal audit function hires an
engineer with knowledge of transport trailers / trucks and ensures that a
technical audit is done for each trailer / truck in the organisation’s
transportation business segment where the organisation owned a fleet of trucks
/ trailers. This results in tremendous savings due to increase in the life of
tyres and less consumption of diesel and other consumables, etc.
(4) A mid-sized organisation wants to implement a new ERP and the
internal auditor gives one senior team member who has been with the
organisation for many years and has deep knowledge of the processes as the
internal ‘Project Manager’ for the project. The project is successful with most
requirements built into the new ERP to ease availability of data and
decision-making for the process owners.
TECHNOLOGY UPGRADATION AND EDUCATION / AWARENESS TO
BUSINESS
One clear area for ‘value addition’ by internal audit is continuous
education and awareness to process owners whenever the internal auditor engages
with others in the organisation. There would be a number of ways this could
happen – promote benchmarking, make others aware of compliances, speak about
best practices in other parts of the organisation, bring good / best practices
from other non-competing organisations to the process under review.
Technology is a great enabler for making available data for
decision-making in the way business is carried out and the internal auditor can
help make changes by spreading awareness for adoption of technology by the
organisation.
(I) An internal auditor worked as
a consultant to bring awareness about technology to Legal and Compliance and to
make the entire process of compliance totally automated with alerts for action
to be taken by the process owners for various compliances and breaches being
brought up in real time.
(II) Similarly, in another instance
they worked with Corporate Communications and Investor Relations in a public
listed organisation to install a system to get a feed from social media about
the company’s reputation / news on a real-time basis.
(III) Another example is an
internal auditor informing the management of a major hotel property and helping
install software which tracks information on day rates for guests with
competing properties and on popular hotel booking sites. Based on this runs an
algorithm to optimise the day rate for walk-in guests being offered. This
helped in increasing the revenue for the property.
CONCLUSION
Each and every practice given above for ‘value addition’ by internal
audit cannot be considered in a silo as a separate ‘to do’ but would overlap
with other practices.
It is now time to think afresh and work differently. The internal
auditor should be working with business, forging an alliance with other
processes / functions to improve performance, including productivity, for the
organisation and to bring new thought and innovation to every aspect of
business. There is need for the internal auditor to negotiate his role in the
organisation and be a part of the top management team.
Business disruption is leading to change which, in turn, is leading to
opportunity for the internal auditor as the process of internal audit is not
limited to any particular process or area unlike many other processes /
functions in the organisation. 
