Managing Internal Audit Cost, Effectiveness And Performance Overview Since the emergence of internal their Sarbanes Oxley programs. a need to ensure that the benefits audit as a profession and the In addition, internal audit costs of a broad program of risk based implementation of the Code of increased as a result of significant internal audit gets a fair hearing in Corporate Governance in Singapore, “catch up” of salaries and rates due this environment. demand for internal controls skills to the heightened demand over the have increased exponentially. past 5 years. This article introduces a number As local companies in Singapore of optional resourcing models were implementing changes With much focus on cost and that Directors could consider to their corporate governance expenses amongst Singapore’s when developing the internal practices and strengthening their corporates, there is a need from a audit function as well as the key internal audit and internal controls corporate governance perspective questions that should be asked by systems, resourcing for skilled to ensure that cost is not the only the Audit Committee in discharging personnel became scarce as US focus when considering the level of their duties . Listed companies implemented internal audit resourcing. There is 21 Resourcing Models required through central bank be a need for local language regulations to have an in-house skills and understanding of Companies need to determine team) local business practices and answers to the following questions regulations. regarding resourcing: • Whether start up needs to be fast tracked due to urgent • What should our total internal requirements. Outsourced Our experience with resourcing audit investment be? models tend to be favored as model decisions within Singapore • What delivery model is best outsourced firms already have for internal audit is that companies suited for us? (or should have) pre-existing selecting the in-house model (and frameworks, methodologies successfully sustaining this model) Both questions are inter-related as and approaches that can be tend to be larger companies with the answer to one will impact the tailored for new clients. In the expansive operations. In Singapore, other. Singapore environment, a key Middle market companies and question would be whether small companies have cited to us A number of companies have certain firms which do not their difficulties in maintaining a explored various resourcing specialize in internal audit full time and professional team. options to deal with this dilemma. are passing off their external Resourcing models can take the form audit practice as a generalist Co-sourcing can be structured of recruiting full time employees assurance practice under to suit the needs of a company (“insourcing”), engaging an which internal audit is placed. with an existing internal audit external provider (“outsourcing”) Such firms often do not have department and addresses a range or a hybrid model (“cosourcing”). the infrastructure such as the of different challenges. This can necessary technology, training, be developed using a number of In deciding which model to HR practices and enabling alternatives under the cosourcing select, the Audit Committee and frameworks that ensure the model including strategic sourcing management would be influenced delivery of high quality internal (such as for ad hoc projects of by: auditing. specialized skills) or one which is • The degree of regulation: the • Need for specialization for effectively partial outsourcing. heavier the regulation, the language or technical issues. greater need for an in-house For example, where operations The diagram below describes function (in many jurisdictions are located in countries outside the cosourcing alternatives and around the world, banks are the home base, there will examples. • Ad hoc consulting work and execution of internal Limited audit projects on an “as needed” basis. Consulting/Ad Hoc • Examples: transformation/benchmarking, facilitation, IA training, Projects Strategic quality assurance reviews, selected internal audits, loan of personnel. Full In-House Outsourcing • Internal Audit leverages specialised skills/knowledge from Specialised Skills outsource provider for specific projects. Arrangement • Examples: IT, Fraud, International, Self Assessment. Co-Sourcing Single Audit • Internal Audit Director manages internal audit function and reports to Director Model CFO and Audit Committee. • Director is responsible for implementing the internal audit plan using Full outsource partner resources to execute. Partial Outsourcing Recurring Outsourcing Co-Sourcing • Internal Audit department teams with outsource partner for resources on regular, ongoing basis, generally spanning multiple years. Strategic • Internal Audit partners with outsource partner to manage and Planning execute the IA function, sharing all knowledge, proprietary tools, methodologies, and training, as well as providing substantial amount of resource on a recurring, long-term basis. Figure 1: Internal Audit Co-sourcing Alternatives 22 In addition to filling in gaps, co- While surveys are available internal audit be involved in sourcing provides an excellent showing internal audit benchmarks those areas? means to extend the “reach” by company size and industry, • What level of effort does of internal audit into different such results should be treated the risk assessment seem to geographies, different business carefully. Surveys show “what is” indicate? processes and risks. rather than “what should be”. From our experience, such surveys B. Understand internal audit How much should internal miss important information which investment made by comparable audit cost? should factor into the decision companies of internal audit resourcing and As with all corporate service • What is the level of budgeting such as: budgets, the estimation and expenditure and effort of budgeting for internal audit cost is • Company risk management similarly sized companies in often a contentious area. After all, maturity your industry? there is no strict minimum amount • Productivity and internal audit • Are there some obvious of expenditure or effort required efficiency differences that would under the SGX Code or Listing support spending less or • Scope and expectation of audit Rules. more? (For example, obvious committee, management and or significant differences in other stakeholders This question should not be the business model, organisation, first question that should be asked. • Unique and specific risks of the degree of centralisation or The first question should be “How company decentralisation, regulation, much internal audit do we need?”. • Business model complexity scope of services, etc.) Companies with high levels Such factors need to be considered C. The board and management’s of regulation, requiring wide to ensure that the overall internal preferences geographical coverage and audit budget is reasonable. • What role and scope has conducting different businesses management and the audit will require more internal audit A process to provide an appropriate committee established for its than a locally based company with budget for internal audit could be: internal audit function? one business model and low levels of regulation. A. Conduct an entity level risk D. Past, present and future assessment and evaluate the • Have there been, are there or results The following provides a framework will there be events, issues, when comparing internal audit • What key risks have been risks or major changes that investment between companies identified and how should would warrant more or less and entities: investment in internal audit? Lower impact/ Higher impact/ E. Other “complementary” IA Spend Lower spend Higher spend functions • Are there other functions Factors within the company that serve to evaluate key areas and risks International Locations objectively, such as: Number of Locations Degree of Centralization ◦ Quality control and loss Control Environment prevention? Maturity of Business Processes Audit Program Scope & Plan ◦ Regulatory and legal Degree of Change in the Business compliance? Management’s Risk Tolerance Board’s/Audit Committee’s Risk Appetite ◦ Risk management and insurance? 23 different to those which are often considered the traditional domain such as procurement, inventory and revenue. Once the internal audit investment has been established, it is necessary to determine what benchmarks are appropriate to assess the effectiveness of the internal audit function. Measuring internal audit effectiveness While beauty may well be in the eye of the beholder, many executive and Company Directors have definitive views on how effective their internal ◦ Operational and financial have enough time at the audit audit function is, regardless of control units? project level to conduct their resourcing model or cost. • If so, are these risk mitigation reviews to identify major In measuring effectiveness of an and control efforts already breakdowns or control design internal auditing function it is performed to a degree that flaws? worthwhile recalling what internal a professional internal audit audit actually does (and what it As someone who has personally function might otherwise does not). perform? Is there inherent conducted and overseen various outsourced programs, I cannot conflict of interest in The Institute of Internal Auditors, think of a time where our team performance feedback for the recognized global body for could be accused of “busy