The Set-up of a New Internal Audit Function - Treuhänder
INTERNE REVISION
Hans Beumer
The Set-up of a New Internal Audit Function
Practical Experiences at a Swiss Quoted Company
Der Schweizer Treuhänder 1–2/04

Hans Beumer, drs., Registeraccountant, Head of Internal Audit and Risk Management, Saurer Management AG, Winterthur/ZH, [email protected]

Due to the Corporate Governance requirements of the SWX and other legislative pressure (such as Sarbanes-Oxley), as well as the increased attention for Internal Audit (IA) functions in the literature, companies which do not yet have an Internal Audit function have either initiated such a function or are considering it. Recent newspaper ads in which recruitment agencies look for a Head of Internal Audit for such a function to be created confirm this. This article shares the practical experiences and 15 critical success factors of an Internal Audit function which was recently set up.

15 Critical Success Factors for the set-up of a new Internal Audit function:
1. Reporting to the Audit Committee
2. Combined IA and EA strategy
3. IA charter
4. IA business plan
5. Value proposition of IA
6. IA methodology
7. Risk assessment process
8. Auditor profile
9. Show results from the initiation
10. Audit process
11. IA report
12. Distribution list
13. IA manual
14. Best practice
15. Prevent an expectation gap

1. Audit Committee
At our company, the Audit Committee (AC) has already been active for many years, so far overseeing the external auditor and their assurance responsibilities. By setting the appropriate reporting structure, i.e. IA reporting directly to the AC (#1), they secured one of the most important critical success factors. Consequently, the AC obtained the overall responsibility for the activities of the External Audit and the Internal Audit functions. These functions support the AC and the Board of Directors by providing independent assurance with respect to the annual financial statements and to the quality of risk management processes, respectively. Both functions are considered an important component of Corporate Governance for our company. The AC determined that the overall strategy is to ensure adequate audit coverage and to minimise duplication of effort while fulfilling these responsibilities with the combined resources. The AC requested both audit functions to ensure that their assurance activities are coordinated with each other, for which a combined audit strategy (#2) was developed (graph 1).

Graph 1: Overall Audit Assurance (responsible: Audit Committee)
Participant: Internal audit; process: risk management assurance; reporting: internal audit reports; actions: specific action plans.
Participant: External audit; process: annual financial statement assurance; reporting: external audit reports; actions: specific action plans.

2. IA Charter
Within the development of the audit strategy, the IA charter played a major role. At the first AC meeting after the creation of the function, the IA charter (#3) was defined and ratified, providing IA with its key responsibilities, scope and authority, to continue to develop and to roll out its activities into operations.

3. Business Plan
The IA function is not different from any other part of the business with respect to the way it should be run. Hence, IA needs to be run like a business and needs to have a business plan. The business plan creates IA’s ability to operate as a business enterprise, determining its success and survival. It created the vision of the future of IA and how it will add value to the business. The plan was the basis for the detailed set-up of the audit function and outlined the future direction. The IA business plan (#4) covers the various business aspects of IA such as: strategy, costs, personnel, audit process, products, IT, performance measurement and marketing.

4. IA Strategy
At our company, IA has a duality of roles: to protect shareholder value, through assurance activities with respect to the risk control structure of the organisation, and to enhance shareholder value, through recommendations for improvements. Internal Audit’s mission was defined as «providing independent business risk assessments and solutions». The value proposition of IA (#5) was worded as: to add value to the risk management environment in the following areas:
• Review of risk management processes and internal control systems across the group.
• Identification of business risks and assessment of internal controls designed to mitigate these risks in terms of reliability, integrity, compliance, protection, efficiency and effectiveness.
• Education of the organisation with respect to the development and use of cost-efficient risk management and the promotion of best practice, through IA’s role as a change agent.
As part of the IA methodology (#6), the types of audits which IA would perform were defined (consistent with the Charter) and the relevant standards were selected (graph 2).

5. Risk Model
Managers put assets at risk to achieve their objectives. At the same time, managers have the responsibility to ensure that these risks are mitigated by controls. IA needs to allocate resources to the highest risk areas, where the added value from a Group perspective will be highest. A risk assessment process (#7) was established as the basis for the audit selection for the annual plan. The objective of this risk assessment is to develop and utilise a risk model to formally and systematically prioritise the Group’s risks and, based on this prioritisation, develop the annual IA plan.
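The risk model process of graph 3 and the selection of the annual plan, as an added Python example (not the article’s or the company’s own model): each auditable unit receives a score on an assumed 1 to 5 scale per risk factor, the weighted scores give its risk rating, the units are ranked into the IA risk profile, and the annual plan takes them in risk order within the available man weeks. The risk factors, weights, sample units and resource budget are all constructed for this illustration.

```python
"""Risk model for an internal audit universe (illustration of graph 3).
Added example, not the article's own model: the risk factors, weights,
1-5 scale, sample auditable units and available man weeks are constructed.
"""
from dataclasses import dataclass, field

RISK_SCALE = range(1, 6)            # 1 = low risk, 5 = high risk (assumed scale)
WEIGHTS = {                         # assumed weights, summing to 1.0
    "materiality": 0.35,            # size of the assets/revenue put at risk
    "control_environment": 0.30,    # weakness of the existing mitigating controls
    "change": 0.20,                 # reorganisation, new systems, new markets
    "time_since_last_audit": 0.15,  # coverage gap
}


@dataclass
class AuditableUnit:
    name: str
    category: str                   # category the audit universe is split into
    man_weeks: int                  # planned audit duration, 1 to 6 man weeks
    scores: dict[str, int] = field(default_factory=dict)

    def risk_rating(self) -> float:
        """Risk measurement: weighted factor scores, on the same 1-5 scale."""
        if set(self.scores) != set(WEIGHTS):
            raise ValueError(f"{self.name}: every risk factor needs a score")
        if any(s not in RISK_SCALE for s in self.scores.values()):
            raise ValueError(f"{self.name}: scores must lie on the 1-5 scale")
        if not 1 <= self.man_weeks <= 6:
            raise ValueError(f"{self.name}: audit duration must be 1-6 man weeks")
        return round(sum(WEIGHTS[f] * s for f, s in self.scores.items()), 2)


def rank_universe(units: list[AuditableUnit]) -> list[tuple[str, float]]:
    """Risk prioritisation: the IA risk profile, highest rating first."""
    rated = [(u.name, u.risk_rating()) for u in units]
    return sorted(rated, key=lambda t: (-t[1], t[0]))


def annual_plan(units: list[AuditableUnit], available_man_weeks: int) -> list[str]:
    """Select units in risk order until the IA resources are used up; a unit
    that no longer fits is skipped, so smaller lower-ranked units may still be taken."""
    by_name = {u.name: u for u in units}
    plan, left = [], available_man_weeks
    for name, _ in rank_universe(units):
        if by_name[name].man_weeks <= left:
            plan.append(name)
            left -= by_name[name].man_weeks
    return plan


# Constructed sample: one Group company subdivided into auditable units.
F = ("materiality", "control_environment", "change", "time_since_last_audit")
SAMPLE_UNIVERSE = [
    AuditableUnit("Textile Machines / Sales", "process", 4, dict(zip(F, (5, 4, 3, 5)))),
    AuditableUnit("Textile Machines / Inventory", "process", 3, dict(zip(F, (4, 5, 2, 5)))),
    AuditableUnit("Textile Machines / Treasury", "process", 2, dict(zip(F, (3, 2, 1, 2)))),
    AuditableUnit("Textile Machines / IT", "IT", 6, dict(zip(F, (3, 3, 5, 4)))),
]

if __name__ == "__main__":
    for name, rating in rank_universe(SAMPLE_UNIVERSE):
        print(f"{rating:.2f}  {name}")
    print("Annual plan with 10 man weeks:", annual_plan(SAMPLE_UNIVERSE, 10))
```

With 10 man weeks the six-week IT audit no longer fits after Sales and Inventory, so the shorter Treasury audit is taken instead; rerunning with updated scores is how the model is kept current.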
The formal and systematic approach to risk assessment gives the following benefits:
• Systematic definition of the audit universe.
• Structured and consistent assessment of risks across all entities and their subsequent ranking.
• Prioritisation of the use of IA’s limited resources in order to maximise the benefits arising from its work to the Group.
• Documentation of the logic behind the risk model.
• A model that can be relatively easily updated and rerun to reflect changes in the entities and risks.
Since the business managers are responsible for establishing and maintaining risk measurement and control mechanisms as part of their daily duties, they were involved in this process. The outcome of this process was a risk model that ranks the auditable units within the Group in terms of risk, and this ranking was utilised to develop the annual IA plan (graph 3). The creation of auditable units, thus subdividing larger companies of the Group into different units (each covering one subject or process), leads to audit durations of one to a maximum of six man weeks. This ensures that ordinary business is not disturbed more than absolutely necessary.

6. Staffing
The added value of IA is not only created by its systems but mostly by the quality of the staff using the systems. In this respect, the view is that a small team of high calibre auditors will create more value than a big team of mediocre performers. An auditor profile (#8) was established:
• Internal audit is a business where staff must have the technical competence for executing an audit but also the interpersonal skills to manage the auditee. Hence, quality is defined by the professional qualifications, the experience and the character of a person.
• IA staff must be qualified accountants (WP, CIA or equivalent) who have reasonable experience in external auditing and additional experience in internal audit.
Generally, the auditors must already have between 6 and 8 years of working experience so that they are able to have broader business discussions with operational management and not just internal control discussions. To run IA like a business implies that staff should be where the business is located. As it is our Group’s strategy to significantly build up operations in Asia, with a focus on China, one auditor position in Hong Kong was created. As IA should support the Group in achieving its strategy, our focus on China will contribute to the set-up and enhancement of local risk management practices and internal controls. Due to the specific cultural, regulatory and linguistic environment, it is important that this Asian auditor already has broad operational auditing experience in China. The crucial aspect of the profile of the auditor for Asia is that such a person, in addition, has a broader western/international view on business, auditing as well as internal controls. The often heard «but here we do things differently, you cannot compare it to Europe» is no reason not to maintain global best practices in risk management and internal controls, also in China. Based on the defined profile, the recruitment was performed with the support of specialised recruiting agencies. In order to already be able to perform audits while the recruitment was in process, temporary staff support was obtained from one of the big four audit firms. This way, IA was able to show results from the initiation (#9) and not only many months later when the vacancies were filled. Due to the small size of the IA team, it was considered impossible to find all required IT audit skills within one person. Therefore, it was more effective to purchase IT audit services, in the form of co-sourcing, from one of the external IT audit service providers. The external auditor of the Group was excluded from providing IA support services, for reasons of independence and possible conflicts of interest.

Graph 2: Type of Audits
Type of audit: Operational audits; standard: COSO.
Type of audit: IT audits; standard: COBIT.
Type of audit: Other audits; standard: overall IA strategy.

Graph 3: Risk Assessment Process
Risk Assessment: define audit universe of auditable units; split audit universe in distinct categories; identify risk factors for each audit.
Risk Measurement: define risk scale; assign risk score; define weights for each of the risks.
Risk Prioritisation: calculate risk rating of auditable units; rank auditable units on risk profile; IA risk profile of auditable units.

7. Audit Process
The audit process determines the way the audits are executed at the auditable unit. The audit process (#10) was developed and standardised as follows:
Phase 1: The audit is started with a kick-off meeting on the first day. The internal audit department, the audit methodology, the reporting style, etc. are presented to local senior management.
Phase 2: The preparation of a detailed audit plan. The planning phase is important in order to understand the local operation and its business risks and to set the audit scope (if not done in advance). The end result is a risk map with a tailor-made audit approach, covering the highest business risks for the operation under review.
Phase 3: The audit fieldwork includes the evaluation and testing of processes, internal controls, systems and procedures in the areas selected and the documentation of the results in working papers.
Phase 4: Quality control is where IA management reviews the work of the auditor to ensure that it meets the quality standards.
Phase 5: The audit report is written in the field throughout the audit process.
Phase 6: The audit report is finalised by means of a formal closing meeting.
The purpose of the closing meeting is to ensure commitment from responsible senior management and correct prioritisation of all actions. The aim is to issue the final report within a few days after the closing meeting.
(Graph 3 also shows, alongside the risk profile, the outcome of the ERM self assessment process, the IA resources and the annual IA plan.)
Phase 7: Post-audit monitoring of the implementation of the agreed actions is based on periodic progress reports submitted by the responsible management to IA. The monitoring can be supported by follow-up visits in cases considered necessary by IA management (particularly for audits where significant weaknesses were identified).

A standardised IA report (#11) was developed, consisting of two parts:
1. the Executive Summary (limited to 1 page), designed to give top management and the AC an overall assessment of the business risk exposures and the risk management environment supporting it (graph 4); and
2. the Management Action Plan, a working document for local management providing a detailed action plan showing the agreed actions that will be taken to rectify any risk management weaknesses identified during the course of the review. The plan also identifies the due dates and persons responsible for the implementation (graph 5).
The standardised audit report makes the product of IA very recognisable and efficient in use. With our standard distribution list (#12) it was ensured that the results of audits were brought to the attention of the appropriate levels: Chairman of the Board, Audit Committee, Group Management, Business Unit Management and other relevant functions, and the External Auditors.

Graph 4: Operational Risk Review Report, Executive Summary (sample layout)
Risk Review Scope and Conclusion
Risk Review Scope: Detailed level audit of Sales and Inventory processes. High level review of IT, Treasury, T&E expenses.
Reason for Review: Annual Audit Plan / AC/Board request / Management request.
Overall Conclusion on Risk Management: Adequate (marked on the scale: significant weaknesses, inadequate, adequate, strong); Management Awareness (scale: high, moderate, low).
Significant Issues (number of actions): High 1, Moderate 1, Low 1; total 3.
Company Background
Key Figures (CHF 000; columns: 2002 P2 budget and %, 2002 actual and %, 2001 and %): Net Sales, Gross Profit, Operating Expenses, Operating Profit, Inventories (gross, turns), Receivables (gross, DSO), FCCF, Headcount (FTE).
General: The company sells Saurer Textile Machines type X mainly to the Turkish and Chinese markets.
Strategy/Objectives: 1. The objective for 2002 is to increase sales by 10 % and to decrease inventories by 25 %.
Root Causes: n/a
Risk Map (axes: significance, low to high, with a CHF 1 mio marker; likelihood, low to high; issues 1 to 3 plotted)
Group Risk Exposure: High
Strategic: 1. There is a concentration of sales in two markets (Section 1.1).
Operational: 2. Sales discounts are not being controlled (Section 2.1). 3. An annual stock count is not being performed (Section 3.1).

8. IA Manual
During the set-up phase of the IA function, an IA manual (#13) was created which documents the various processes as described before. Additionally, it includes chapters on topics such as: balanced scorecard, operating policy, IIA professional practices framework, etc. The manual further includes the IA tools: risk assessment maps, standard IA report format, guidelines on the interpretation of the overall audit conclusion, standard progress report format, standardised auditee satisfaction survey, etc. A short version of the manual is used to communicate (in advance of audits) the various aspects of IA to (auditee) management in order to create general transparency and awareness with respect to the IA function.

9. Best Practice
From the start it was the intention to set up the function with best practice tools, policies, procedures, methodology, etc. Such best practice (#14) was derived from various sources, including:
• Professional practices framework from the Institute of Internal Auditors (IIA) and their Swiss Chapter (SVIR);
• Best practice support as provided by one of the big four IA service providers (e.g. benchmark review of the IA manual);
• Recent IA literature from the IIA, articles in professional magazines;
• Attending best practice Internal Auditing seminars;
• Past personal experience.

Graph 5: Management Action Plan (sample; columns: observation and risk exposure, local risk rating, group risk rating, agreed management action for mitigating risks, responsibility and deadline; the rating symbols are not reproduced here)
1. Strategy, 1.1 Strategic plan. Observation: There is no strategic plan giving direction for current and future activities and priorities. The absence of such a plan creates a high risk that the objectives for 2002 will not be achieved. Agreed action: A strategic plan will be created with focus on the following elements: market approach, product portfolio, etc. The plan will be passed on to BU management for approval. Responsibility and deadline: C.Eo, 31 Dec 04.
2. Sales, 2.1 Discounts. Observation: There are no controls over sales discounts given by the sales reps. This creates a risk of loss of margin without the appropriate approvals. Agreed action: A product and customer profitability report will be created. It will be reviewed by sales management on a monthly basis. Responsibility and deadline: A. Bcde, 31 Jan 04.
3. Inventory, 3.1 Annual stock count. Observation: Inventories are not counted on an annual basis (nor are there any cycle count procedures). As a result, the accuracy of the warehouse and inventory ledgers is not established. It has already resulted in a high backorder volume due to inaccurate data, causing customer dissatisfaction. Agreed action: Annual stock count procedures will be created. For this year the stock count will be performed as soon as possible. Responsibility and deadline: Z.Xyz, 31 Dec 03.

10. Conclusion
Apart from the aforementioned 14 critical success factors there are many more factors which influence the success of the IA function. It can, however, be said that when these 14 factors have been accomplished within the first year of operation, the foundation for success is a very solid one. With all this, success is still dependent on the perceived added value of the audit results and the way auditors deal with auditees. Particularly when management and auditees have never been subjected to an Internal Audit, their expectations with respect to IA’s objectives, process and limitations need to be managed. Therefore, last but not least, a critical success factor is the ongoing feedback and communication to prevent an expectation gap (#15) between IA and the AC/Board, Group management, Business Unit management and local management.

SUMMARY
Setting up a new Internal Audit function
Due to the Corporate Governance directive of the SWX Swiss Exchange and other legal requirements (e.g. the Sarbanes-Oxley Act), many companies which so far have no Internal Audit function have begun to set one up or are considering doing so. Current newspaper advertisements in which recruitment consultants seek a Head of Internal Audit for the newly created position confirm this. This article explains the practical experience and 15 success factors gathered during the set-up of a new Internal Audit function:
1. Internal Audit (IA) must report directly to the Audit Committee.
2. IA and the external auditors should develop a joint audit strategy to ensure adequate audit coverage and to avoid duplicate audits.
3. A charter should be drawn up and ratified by the Audit Committee. It lays down the main responsibilities, the scope of duties and the authority of IA.
4. A business plan for IA is needed which covers the various perspectives, such as: strategy, costs, personnel, process, products, IT, performance measurement and marketing.
5. The value added by IA must be defined in order to give management and the auditees a clear statement of the additional benefit of IA.
6. As part of the IA methodology, the types of audits (in accordance with the charter) and the relevant standards, e.g. COSO and COBIT, must be selected.
7. IA must direct its resources to the audit areas with the greatest risks, which promise the highest added value from a Group perspective. A risk identification and assessment must be performed as the basis for selecting the audits in the annual audit plan.
8. The value added by IA is not generated by the methods used alone, but predominantly by the quality of the staff applying the methods. A profile of the audit staff must be drawn up as the basis for the staff selection process.
9. In order to be able to perform audits already during the recruitment process, staff from one of the big four audit firms should be engaged for temporary support. In this way, IA can deliver first results from the start and not only months later when all vacancies have been filled.
10. The audit process determines how the actual audit is carried out at the auditable unit. This process should be developed and standardised.
11. A standardised audit report is needed to make the «product» of IA efficient and clearly recognisable.
12. A standardised distribution list ensures that the audit results receive the attention of the appropriate management levels and of the Board of Directors or the executive board.
13. During the set-up phase of IA, an audit manual must be created which documents the processes described above.
14. Use a variety of sources to ensure that IA is set up in accordance with best-practice principles.
15. There should be an ongoing feedback and communication process to prevent a gap between the expectations of IA and those of the Audit Committee or Board, Group management, business unit management and local management.
HB