Since the emergence of internal audit as a profession and the implementation of the Code of Corporate Governance in Singapore, the demand for internal controls skills have increased exponentially. As local companies in Singapore implemented changes to their corporate governance practices and strengthened their internal audit and internal controls systems, resourcing for skilled personnel became scarce as U.S. listed companies also implemented their Sarbanes-Oxley programs. In addition, internal audit costs increased as a result of significant “catch up” in salaries and rates due to heightened demand.

With much focus on cost and expenses amongst Singapore’s corporates, there is a need from a corporate governance perspective to ensure that cost is not the only focus when considering the level of internal audit resourcing. There is a need to ensure that the benefits of a risk-based internal audit program get a fair hearing in this environment.

This article introduces a number of optional resourcing models that directors can consider when developing the internal audit function as well as key questions that should be asked by the audit committee when discharging their duties.

Resourcing Models
Companies need to determine answers to the following questions regarding resourcing.  Both questions are inter-related as the answer to one will impact the other.

1. What should our total internal audit investment be?
2. What delivery model is best suited for us?

A number of companies have explored various resourcing options to deal with this dilemma. Resourcing models can take the form of recruiting full time employees (“in-sourcing”), engaging an external provider (“outsourcing”), or a hybrid model (“co-sourcing”).

In deciding which model to select, the audit committee and management would be influenced by:

1. The degree of regulation: the heavier the regulation, the greater need for an in-house function (in many jurisdictions around the world, banks are required through central bank regulations to have an in-house team).
2. Whether or not a start-up function needs to be fast tracked due to urgent requirements. Outsourced models tend to be favored as the providing firms already have (or should have) pre-existing frameworks, methodologies and approaches that can be tailored for new clients. In the Singapore environment, a key question to ask is whether certain firms, which do not specialize in internal audit, are passing off their external audit practice as a generalist assurance practice under which internal audit is placed. Such firms often do not have the infrastructure, such as the necessary technology, training, HR practices and enabling frameworks, to ensure the delivery of high quality internal auditing.
3. The need for specialization in language or technical issues. For example, operations are located in countries outside the home base will often require local language skills and an understanding of local business practices and regulations.

Our experience with internal audit resourcing model within Singapore is that companies selecting the in-house model (and successfully sustaining this model) tend to be larger organizations with expansive operations.  In Singapore, middle market companies and small companies have cited to us their difficulties in retaining a full-time internal audit team. 

Co-sourcing can be structured to suit the needs of a company with an existing internal audit department and address a range of challenges. This can be developed using a number of alternatives under the co-sourcing model including strategic sourcing (such as for ad hoc projects of specialized skills) or one that is effectively partial outsourcing. The diagram below describes the co-sourcing alternatives and examples.



In addition to filling in gaps, co-sourcing provides an excellent means to extend the “reach” of internal audit into different geographies, different business processes and risks.

How Much Should Internal Audit Cost?
As with all corporate service budgets, estimating internal audit cost is often a contentious area. After all, there is no strict minimum amount of expenditure or effort required under the Singapore Exchange Code or Listing Rules.

This question should not be the first one asked. The first question should be “How much internal audit do we need?”

Companies with high levels of regulation, with wide geographical coverage and that conduct different businesses will require more internal audit than a locally based company with one business model and low levels of regulation.

The following provides a framework when comparing internal audit investment between different organizations:

While surveys are available that show internal audit benchmarks by company size and industry, such results should be treated carefully. Surveys show “what is” rather than “what should be.” From our experience, such surveys miss important information that should factor into the decision of internal audit resourcing and budgeting such as:

1. Company risk management maturity
2. Productivity and internal audit efficiency
3. Scope and expectation of audit committee, management and other stakeholders
4. Unique and specific company risks
5. Business model complexity

Such factors need to be considered to ensure that the overall internal audit budget is reasonable and appropriate.
 
A process to provide an appropriate internal audit budget could include:
    
    A. Conduct an entity level risk assessment and evaluate the results 

1. What key risks have been identified and how should internal audit be involved in those areas?
2. What level of effort does the risk assessment seem to indicate?

    B. Understand internal audit investments made by comparable companies

1. What is the level of expenditure and effort of similarly sized companies in your industry?
2. Are there some obvious differences that would support spending less or more?  For example, obvious or significant differences in business model, organization, degree of centralisation or decentralisation, regulation, scope of services, etc.

    C. The board and management’s preferences

1. What role and scope has management and the audit committee established for its internal audit function?

    D. Past, present and future

1. Have there been, are there or will there be events, issues, risks or major changes that would warrant more or less investment in internal audit?

    E. Other “complementary” functions

1. Are there other functions within the company that serve to evaluate key areas and risks objectively, such as:
   1. Quality control and loss prevention?
   2. Regulatory and legal compliance?
   3. Risk management and insurance?
   4. Operational and financial control units?          
2. If so, are these risk mitigation and control efforts already performed to a degree that a professional internal audit function might otherwise perform?  Is there an inherent conflict of interest in performance feedback for existing functions?
3. Have we considered independence and objectivity? 

The question of appropriate internal audit spend is not an easy one and is dependent on a variety of perceptions within the company of the above criteria. Different stakeholders will have different views however the following key constraints should be kept in mind:

1. Are we auditing enough to support our governance goals?
2. Are we properly covering our high risk areas, the key business processes and significant entities?
3. Do the internal audit teams have enough time at the project level to identify major breakdowns or control design flaws?

As someone who has personally conducted and overseen various outsourced programs, I cannot think of a time where our team could be accused of “busy work” and low value reviews. Constant negotiation with the finance department tends to result in lean programs very focused on major risks facing companies. In my personal experience, listed companies in other developed economies desire far broader risk-based coverage and deeper reviews (with substantively more mandays to conduct work per specific audit project) and as well as reviews which touch on areas that local directors may find rather “esoteric.” As a Protiviti Singapore practice, while we cover the traditional domain areas such as procurement, inventory management and revenue, we also often examine non traditional processes and areas from the results of our enterprise risk assessments. Such processes include enterprise spend risk, strategic planning, human resource management, outsourced vendor compliance, royalty reviews, business continuity, IT project management, governance and fraud risk management.

Once the internal audit investment has been established, it is necessary to determine what benchmarks are appropriate to assess the effectiveness of the internal audit function.

Measuring Internal Audit Effectiveness
While beauty may well be in the eye of the beholder, many executive and company directors have definitive views on how effective their internal audit function is, regardless of resourcing model or cost.
In measuring the effectiveness of an internal auditing function, it is worthwhile recalling what internal audit actually does (and what it does not).

The Institute of Internal Auditors, the recognized global body for professional internal auditors, defines internal audit as:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

As a process within an organization, internal auditing should be managed professionally and competently.

There are dozens of qualitative and quantitative key performance indicators to measure internal audit, which are beyond the scope of this article. It is important to assessing effectiveness that the underlying objective of the company’s internal audit function is kept front of mind:

1. Is it primarily a compliance-focused function? Is the orientation of the audit committee and management towards ensuring compliance to company policies and procedures as well as external regulation?
2. Is it a broad-based and governance focused function? Is the expectation that internal audit should be reviewing across all areas of the enterprise with a focus of finding key breakdowns and deficiencies in risk management across all categories of risk including financial, commercial, reputation/branding etc?
3. Is it expected to find revenue leakages and be involved in loss prevention? A number of internal audit functions are heavily involved in revenue assurance activities, even to the extent of having trained and experienced resources dedicated to this goal.

There are no right or wrong answers to the above questions and answers may even differ widely across industries. Heavily regulated industries such as banking often require their internal audit function to have a strong orientation towards regulatory compliance as opposed to taking a more operational approach.
 

From our perspective, the value proposition of internal audit could be distinguished further along a continuum:

Ultimately when answering the question: “What is the return on investment?”, the objectives and orientation of the internal audit function – as outlined above – should be kept in mind. For example, a compliance-focused internal audit department may select measures such as the number of control issues reported and closed with management, whereas an operationally focused audit department might include losses identified and revenue recovered as part of its KPI’s.

There are a number of methods to leverage internal audit spend and to enhance the effectiveness of the department. These include:

1. Self assessment by business units and subjecting these to validation by internal audit
2. Use of technology tools and data analytics
3. Use of outputs from the internal audit process such as flowcharts, risk control matrices into the company’s quality assurance, compliance or even operational risk management programs
4. Enhanced scoping to allow focused reviews on identified risk areas within a business process
5. Use of internal auditors as training consultants for the rest of the business
6. Ensuring that management has a mindset that they own their controls

A Checklist Summary for Audit Committee’s Agenda for Internal Audit
Audit committees run a very full agenda in the current business environment. However the effectiveness of internal audit is very closely aligned to the effectiveness of the audit committee. This committee can play a very important role in ensuring that the internal audit function is effective by keeping in mind the following questions:

1. Is the level of resourcing allocated to internal audit appropriate, and does it allow a reasonable program based on our collective understanding of its role and orientation?
2. Does the internal audit function have “sufficient standing” within the company? Although the term is used in the SGX Code of Corporate Governance, it is not specifically defined. Hence, the plain English interpretation would have to suffice, and in this context the following issues would need to be explored:  whether or not the internal audit function’s independence is respected; whether there is sufficient cooperation by management with the internal audit department; whether the internal audit department has sufficient authority to all books and records, etc.
3. Is the internal audit program and reporting line appropriate? Accepted practice has moved from a sole reporting line to the CFO to one which is distinguished between administrative and functional reporting. The accepted reporting lines are now reporting administratively to the CEO/CFO and reporting functionally to the audit committee chair.
4. Are the audit report deliverables of sufficient quality?
5. How does management respond to issues raised by the internal audit function?
6. Is there clear understanding of the internal audit function as to its own responsibilities and obligations?

Conclusion
The internal audit function in Singapore has evolved significantly since the Code was brought into effect. It is now a high demand profession, and it is clear that the current level of demand is not going to decline anytime soon. In this environment, companies should re-evaluate their resourcing options and look to leverage the internal audit investment.

Audit committees have an important role in ensuring the internal audit function is effective. An effective and independent internal auditing function is now seen internationally by a wide range of institutions and agencies as an integral part of the supporting mechanisms for the board to effectively discharge its responsibilities on internal control and risk management. It would be difficult for any board to meet its governance obligations without the support from a well functioning and independent internal audit department.

This article has been reprinted with permission from the Singapore Institute of Directors, and was originally published in The Directors’ Bulletin, Issue No. 2/2008.