Management and audit committees are placing greater emphasis on enhancing shareholder value and their organization’s internal control and risk management functions. In order to maintain a competitive edge in serving organizations, internal auditors are expected to provide risk-focused and value-added solutions, in addition to the traditional duty of performing transaction-focused and compliance-based checking.
Corporate governance
Knowing that they are behind their UK and US counterparts in promoting corporate governance awareness, regulators in many Asian countries have been working hard to improve their respective corporate governance frameworks and are embarking on a series of measures designed to strengthen investor confidence. One of the main aspects of good governance practice is to require public listed companies to establish audit committees whose principal duties are to supervise the internal control, risk management and financial reporting processes. Many listed companies in Asia have not yet set up their audit committees.
The audit committee should comprise of independent non-executive directors and, to perform the role effectively, each committee member needs to understand the company's business, operations, and risks. A diverse background among members is desirable and although not essential, it is beneficial for at least one member to have accounting or related financial management expertise. In order to discharge their responsibilities, committee members have to be supported by a well-established internal audit function which reports on controls and risk management issues to the committee on a regular basis.
Investor protection is well developed in the UK and US and the importance of corporate governance is recognized. Much guidance to assist directors of listed companies in complying with internal control requirements has been issued; for example, the Cadbury and Turnbull Committees in the UK and the Blue Ribbon Committee in the US. In Asia, we expect that more and more guidance in this area will be issued and that it will place increasing focus on the activities of the internal audit function.
The changing role of internal audit and how it can add value
Unsophisticated internal audit functions are not risk-focused and work independently from other risk management functions. Although the way that internal audit professionals carry out their work has changed significantly during the past ten years, there are still some internal auditors following this traditional approach.
More sophisticated internal audit departments adopt a risk-based audit approach that identifies risks and prioritizes efforts to assess them. Very often, these internal audit departments, in addition to their main duties of performing risk-focused reviews, provide value to their organisations through:
- Conducting internal control and risk management training for line managers. As management accepts a more active role in risk management, internal audit provides an excellent platform for the transferring of knowledge and company experience.
- Assisting management on special projects. We have seen many incidents where internal auditors are assigned responsibilities beyond the realm of “traditional” internal audit. Management may involve their internal audit staff in projects such as investigations, benchmarking or business re-engineering.
- Developing future business leaders. Leading corporations are placing greater importance on internal audit as a platform for growing high potential employees. However, there is a significant investment necessary to make these programs successful. In this instance, there has to be clear agreement and support from senior management and the audit committee.
- Identifying opportunities to streamline processes and reduce operating costs. Internal audit should have a thorough understanding of an organization’s business processes because of its ability to look across all functions. A critical evaluation of the efficiency and effectiveness of current business processes can provide opportunities for the organization to streamline operations and improve its bottom line.
For leading-edge internal audit functions, we found that they have played a key and active role in the dynamic risk management process and are valuable contributors in identifying and mitigating risks. We are witnessing a closer relationship between these “most sophisticated” internal audit functions and senior management in managing enterprise-wide risks. They assist management in defining the enterprise-wide risk management strategy, developing risk management frameworks for the whole organization and work hand-in-hand with management on controls self-assessments.
Resourcing issues for internal audit
Given the pace of change in business and technology and the increasing demands on internal auditors, it is important to build an internal audit function with mixed skill sets and to keep them abreast of latest developments. Developing the requisite skills and keeping staff up to date is both time-consuming and expensive. In particular, resources are required with experience in different areas such as information technology, e-commerce, treasury management, credit management, industry practice and regulatory requirements to form a well-balanced internal audit team. As a result, we find many internal audit departments unable to fully staff their own function or with regular vacancies and significant efforts spent on ongoing recruitment.
In-house, outsource or a mixture of the two?
The internal audit functions of a number of UK and US leading companies have already teamed up with external professional firms to supplement their current skills and resources. This teaming which involves outsourcing of internal audit expertise is moving from being perceived as a threat to in-house internal audit departments, to becoming a best practice method to access support and expertise. We are seeing some Asian companies emulating their UK and US counterparts in this aspect.
There are a variety of scenarios for acquiring the right mix of internal audit resources and organisations need tailor-made solutions to fulfill their needs. Outsourcing is not the optimal solution for all situations – it is but one option.
Loretta Ching is senior manager, Global Risk Management Solutions, PricewaterhouseCoopers. Email: [email protected]
Duncan Fitzgerald is partner, Global Risk Management Solutions, PricewaterhouseCoopers. Email: [email protected]
