Clifton Gunderson

Summer 2010

The Evolving Role of Internal Audit in Risk Management

Risk is inherent in any business — without risk, there is no reward. The last two years, however, have sharply intensified the focus of organizations on their risk profile and how they are managing their risks.

One of the critical elements of a robust risk management system is an internal audit department that has a well-defined charter, supports the identification and monitoring of risks, and carefully allocates its resources to give the highest value to the organization.

There is no “best” way to operate an internal audit department; the charter and execution of the internal audit function must be tailored to each organization. However, every organization should:

  • Carefully consider how it staffs its department
  • Determine if it has the appropriate talent and resource levels to monitor risks
  • Develop an execution strategy that can evolve as the organization and its risk profile change over time
  • Do all of this in the context of our challenging financial times

Sourcing of Internal Audit

Internal audit functions can be sourced in a variety of ways. Perhaps the most common are:

  • Employee-Based Model – All members of the internal audit department are employees of the company.
  • Co-Sourced Model – The Chief Audit Executive and many members of the internal audit department are employees, but contractors are used for specific projects, skill sets or geographic locations.
  • Outsourced Model – An employee performs the Chief Audit Executive role, but all other resources are contracted to an outside firm.

Based on the results of surveys returned by over 9,000 respondents from 91 countries, the Institute of Internal Auditors Research Foundation published “A Global Summary of the Common Body of Knowledge 2006” in 2007. The survey concluded:

  • The typical internal audit organization is relatively small, with 44 percent of those organizations surveyed having two to five general audit staff members.
  • Sixty-one percent of organizations are required by law or regulation to have an internal audit function.
  • Seventy percent of respondents outsource at least some of their audit work.
  • Approximately 18 percent outsource 20 percent or more of their audit work.
  • Less than 5 percent outsource 60 percent or more of the internal audit work at their company.

One of the reasons that internal audit organizations use at least some contract help is the need for specialized skill sets to effectively audit some portions of their organization. This is especially true in areas that are seasonal, complex, highly automated and/or dependent on information technology internal controls. Hiring and retaining these specialized personnel, and then providing a career path for them, is difficult, especially for small organizations. Having a relationship with an outside audit provider allows access to these skills for the time needed, and may provide specialized skills at a more reasonable cost than trying to maintain them in-house.

Another reason that some audit organizations look to outside help is for specialized tools. The use of methodologies and tools tailored to the situation can lead to both more effective and efficient audits. Developing these in-house may be prohibitively expensive.

In some situations, it may be perceived that outside professionals bring a special degree of independence or expertise that lends credibility to the findings of the internal audit group.

Finally, the ability to expand and contract the staff almost at will through sourcing contracts allows an organization to use outsourcing or co-sourcing to help manage budgets. In today’s economy, outsourcing or co-sourcing may allow a company to maintain an audit function, while simultaneously reducing costs until the economic outlook improves.

Key Questions for CEOs to Ask About Risk Governance and Internal Audit

  • Do I know what key risks (financial, operational, regulatory, contractual) my organization faces?
  • Has the performance of the company been negatively impacted by a risk that was not anticipated?
  • Does the internal audit plan focus resources on the identified risks? Does internal audit reallocate resources to emerging risks as needed?
  • Does the internal audit department have the specialized resources needed to audit new technologies, complex areas or new business lines?
  • Is there a better way to staff the internal audit department in light of budget constraints?
  • Does the internal audit department have the tools it needs to do its work?
  • Does the internal audit department understand the digital risks the company is facing?
  • Have changes in information systems been reviewed thoroughly enough to confirm that adequate internal controls remain in place within the systems?
  • Do management and the board get adequate communication from the internal audit department?
  • Is the risk appetite adequately defined and monitored?
  • Are red flags occurring in business operations that need additional attention?
  • Have findings from prior internal audits been corrected and incorporated into the risk governance process as appropriate?
  • Does the risk identification and monitoring system look at emerging risks — not just those that are well-known?