Managing Internal , Effectiveness And Performance

Overview Since the emergence of internal their Sarbanes Oxley programs. a need to ensure that the benefits audit as a profession and the In addition, internal audit of a broad program of risk based implementation of the Code of increased as a result of significant internal audit gets a fair hearing in in Singapore, “catch up” of salaries and rates due this environment. demand for internal controls skills to the heightened demand over the have increased exponentially. past 5 years. This article introduces a number As local companies in Singapore of optional resourcing models were implementing changes With much focus on cost and that Directors could consider to their corporate governance amongst Singapore’s when developing the internal practices and strengthening their corporates, there is a need from a audit function as well as the key internal audit and internal controls corporate governance perspective questions that should be asked by systems, resourcing for skilled to ensure that cost is not the only the in discharging personnel became scarce as US focus when considering the level of their duties . Listed companies implemented internal audit resourcing. There is

21 Resourcing Models required through central bank be a need for local language regulations to have an in-house skills and understanding of Companies need to determine team) local business practices and answers to the following questions regulations. regarding resourcing: • Whether start up needs to be fast tracked due to urgent • What should our total internal requirements. Outsourced Our experience with resourcing audit investment be? models tend to be favored as model decisions within Singapore • What delivery model is best outsourced firms already have for internal audit is that companies suited for us? (or should have) pre-existing selecting the in-house model (and frameworks, methodologies successfully sustaining this model) Both questions are inter-related as and approaches that can be tend to be larger companies with the answer to one will impact the tailored for new clients. In the expansive operations. In Singapore, other. Singapore environment, a key Middle market companies and question would be whether small companies have cited to us A number of companies have certain firms which do not their difficulties in maintaining a explored various resourcing specialize in internal audit full time and professional team. options to deal with this dilemma. are passing off their external Resourcing models can take the form audit practice as a generalist Co-sourcing can be structured of recruiting full time employees assurance practice under to suit the needs of a company (“insourcing”), engaging an which internal audit is placed. with an existing internal audit external provider (“outsourcing”) Such firms often do not have department and addresses a range or a hybrid model (“cosourcing”). the infrastructure such as the of different challenges. This can necessary technology, training, be developed using a number of In deciding which model to HR practices and enabling alternatives under the cosourcing select, the Audit Committee and frameworks that ensure the model including strategic sourcing would be influenced delivery of high quality internal (such as for ad hoc projects of by: auditing. specialized skills) or one which is • The degree of regulation: the • Need for specialization for effectively partial outsourcing. heavier the regulation, the language or technical issues. greater need for an in-house For example, where operations The diagram below describes function (in many jurisdictions are located in countries outside the cosourcing alternatives and around the world, banks are the home base, there will examples.

• Ad hoc consulting work and execution of internal Limited audit projects on an “as needed” basis. Consulting/Ad Hoc • Examples: transformation/benchmarking, facilitation, IA training, Projects Strategic quality assurance reviews, selected internal , loan of personnel. Full In-House Outsourcing • Internal Audit leverages specialised skills/knowledge from Specialised Skills outsource provider for specific projects. Arrangement • Examples: IT, Fraud, International, Self Assessment. Co-Sourcing • Internal Audit Director manages internal audit function and reports to Director Model CFO and Audit Committee. • Director is responsible for implementing the internal audit plan using Full outsource partner resources to execute. Partial Outsourcing Recurring Outsourcing Co-Sourcing • Internal Audit department teams with outsource partner for resources on regular, ongoing basis, generally spanning multiple years.

Strategic • Internal Audit partners with outsource partner to manage and Planning execute the IA function, sharing all knowledge, proprietary tools, methodologies, and training, as well as providing substantial amount of resource on a recurring, long-term basis.

Figure 1: Internal Audit Co-sourcing Alternatives 22 In addition to filling in gaps, co- While surveys are available internal audit be involved in sourcing provides an excellent showing internal audit benchmarks those areas? means to extend the “reach” by company size and industry, • What level of effort does of internal audit into different such results should be treated the risk assessment seem to geographies, different business carefully. Surveys show “what is” indicate? processes and risks. rather than “what should be”. From our experience, such surveys B. Understand internal audit How much should internal miss important information which investment made by comparable audit cost? should factor into the decision companies of internal audit resourcing and As with all corporate service • What is the level of budgeting such as: , the estimation and expenditure and effort of budgeting for internal audit cost is • Company similarly sized companies in often a contentious area. After all, maturity your industry? there is no strict minimum amount • Productivity and internal audit • Are there some obvious of expenditure or effort required efficiency differences that would under the SGX Code or Listing support spending less or • Scope and expectation of audit Rules. more? (For example, obvious committee, management and or significant differences in other stakeholders This question should not be the business model, organisation, first question that should be asked. • Unique and specific risks of the degree of centralisation or The first question should be “How company decentralisation, regulation, much internal audit do we need?”. • Business model complexity scope of services, etc.)

Companies with high levels Such factors need to be considered C. The board and management’s of regulation, requiring wide to ensure that the overall internal preferences geographical coverage and audit is reasonable. • What role and scope has conducting different businesses management and the audit will require more internal audit A process to provide an appropriate committee established for its than a locally based company with budget for internal audit could be: internal audit function? one business model and low levels of regulation. A. Conduct an entity level risk D. Past, present and future assessment and evaluate the • Have there been, are there or results The following provides a framework will there be events, issues, when comparing internal audit • What key risks have been risks or major changes that investment between companies identified and how should would warrant more or less and entities: investment in internal audit?

Lower impact/ Higher impact/ E. Other “complementary” IA Spend Lower spend Higher spend functions • Are there other functions Factors within the company that serve to evaluate key areas and risks International Locations objectively, such as: Number of Locations Degree of Centralization ◦◦ Quality control and loss Control Environment prevention? Maturity of Business Processes Audit Program Scope & Plan ◦◦ Regulatory and legal Degree of Change in the Business compliance? Management’s Risk Tolerance Board’s/Audit Committee’s Risk Appetite ◦◦ Risk management and insurance? 23 different to those which are often considered the traditional domain such as procurement, and .

Once the internal audit investment has been established, it is necessary to determine what benchmarks are appropriate to assess the effectiveness of the internal audit function.

Measuring internal audit effectiveness While beauty may well be in the eye of the beholder, many executive and Company Directors have definitive views on how effective their internal ◦◦ Operational and financial have enough time at the audit audit function is, regardless of control units? project level to conduct their resourcing model or cost. • If so, are these risk mitigation reviews to identify major In measuring effectiveness of an and control efforts already breakdowns or control design internal auditing function it is performed to a degree that flaws? worthwhile recalling what internal a professional internal audit audit actually does (and what it As someone who has personally function might otherwise does not). perform? Is there inherent conducted and overseen various outsourced programs, I cannot in The Institute of Internal Auditors, think of a time where our team performance feedback for the recognized global body for could be accused of “busy work” existing functions? professional internal auditors, and low value reviews. Constant • Have we considered defines internal audit as: negotiation with the Finance independence and objectivity? department tends to result in lean “Internal Auditing is an programs very focused on major risks The question of appropriate independent, objective assurance facing companies. In my personal internal audit spend is not an easy and consulting activity designed experience, listed companies in one and is dependent on a variety to add value and improve an other developed economies allow of perceptions within the Company organization’s operations. It helps far broader risk based coverage and of the above criteria. Different an organization accomplish its deeper reviews (with substantively stakeholders will have different objectives by bringing a systematic, more mandays to conduct work views however the following key disciplined approach to evaluate per specific audit project) and as constraints should be kept in and improve the effectiveness of well as reviews which touch on mind: risk management, control, and areas that local Directors may find governance processes.” • Are we doing enough rather “esoteric”. As a Protiviti internal audit to support our Singapore practice, we often As a process within an organization, governance goals? examine areas such as Spend Risk, internal auditing should be managed • Are we properly covering , Outsourced professionally and competently. our high risk areas, the Vendors, Royalty Reviews, Business key business processes and Continuity, IT Project Management, There are dozens of qualitative significant entities? Governance and Fraud Risk and quantitative key performance • Do the internal audit team Management. These are very indicators to measure internal

24 audit which are beyond the scope of this article. It is important in assessing effectiveness that Protiviti Perspective on Internal Audit the underlying objective of the company’s internal audit function Oversight Insight Foresight is kept front of mind: • Is the process • How can • Where is this • Is it a compliance focused operating as the process, process going? function? Is the orientation planned? measurements • Can it scale as and controls of the audit committee and • Are the controls, the company resources and be modified or grows? management towards ensuring enhanced? performance • Will current compliance to company measures • What are other controls be policies and procedures as well adequate and companies adequate in the as external regulation? operating doing? future? effectively? • Are you missing • Is it a broad based and • What planned or • Are policies out on some best future changes governance focused being adhered to practices? need to be function? Is the expectation as intended? considered? that internal audit should be reviewing across all • Are we safe? • Are we effective • Are we thinking areas of the enterprise and efficient? ahead? with a focus of finding key breakdowns and deficiencies in risk management across all Ultimately when determining the as flowcharts, risk control categories of risk including answer to the question: “What is matrices into the company’s financial, commercial, the Return on Investment?”, the QA, Compliance or even reputation/branding etc? objectives and orientation of the IA Operational Risk Management • Is it expected to find revenue function – as outlined above should programs leakages and be involved in be kept in mind. For example, a • Enhanced scoping to allow loss prevention? A number of compliance focused IA department focused reviews on identified internal audit functions are may select measures such as the risk areas within a business heavily involved in revenue number of controls issues reported process assurance activities, even to and closed with management, • Use of internal auditors as the extent of having trained whereas an operationally focused training for the and experienced resources audit department might include rest of the business dedicated to this goal. losses identified and revenue • Ensuring that management recovered as part of its KPI’s. There are no right or wrong answers have a mindset that they own their controls to the above questions and may There are a number of methods to even differ widely across industries. leverage the Internal Audit spend Heavily regulated industries such and to enhance the effectiveness Checklist for Audit as banking, would require their of the internal audit department. Committee’s Agenda for internal audit function to have These include: Internal Audit a strong orientation towards Audit Committees run a very full regulatory compliance as opposed • Self assessment by business agenda in the current business to taking an operational approach. units and subjecting these to environment. validation by internal audit A Further Perspective • Use of technology tools and However the effectiveness of From our perspective, the role of data analytics internal audit is very closely internal audit could be distinguished • Use of outputs from the aligned to the effectiveness of the further along a continuum: internal audit process such Audit Committee.

25 audit function? The Audit Committee can play a • Is there clear understanding of very important role in ensuring the internal audit function as that the internal audit function is to its own responsibilities and effective by keeping in mind the obligations? following questions: Conclusion • Is the level of resourcing allocated to internal audit The internal audit function in appropriate and allow a Singapore has evolved significantly reasonable program based on over the past 5 years since the 2003 our collective understanding of Code was brought into effect. It is its role and orientation? now a high demand profession, and • Does the internal audit it is clear that the current level function have “sufficient of demand is not going to decline standing” within the company? anytime soon. In this environment, (while the term is used in companies should re-evaluate the SGX Code of Corporate their resourcing options and look Governance, it is not to leverage the internal audit specifically defined. Hence investment. plain English interpretation would have to suffice and in Audit Committees have an this context, issues such as important role to play to ensure whether the internal audit that the internal audit function is function’s independence is effective. respected, whether there is sufficient cooperation by An effective and independent management with the internal internal auditing function is audit department, does the now seen internationally by a internal audit department have wide range of institutions and sufficient authority to all books agencies as an integral part of the and records etc) supporting mechanisms for the Board to effectively discharge its • Is the internal audit responsibilities on program and reporting line and risk management. It would be appropriate? (Accepted difficult for any Board to effectively practice has moved from a meet its governance obligations sole reporting line to the CFO without the support from a well to one which is distinguished functioning and independent between administrative and internal audit function. functional reporting. The accepted reporting line is now Phil Moulton administratively to the CEO/ Managing Director CFO and a functional reporting Protiviti Singapore line to the Audit Committee ASEAN Leader for Protiviti’s Internal Chairman) Audit Solutions and Supply Chain • Are the audit report Management Practice deliverables of sufficient quality? • How does management respond to issues raised by the internal 26