The Set-up of a New Internal Audit Function - Treuhänder

INTERNE REVISION
Hans Beumer
The Set-up of a New Internal Audit Function
Practical Experiences at a Swiss Quoted Company
Der Schweizer Treuhänder 1–2/04

Hans Beumer, drs., Registeraccountant, Head of Internal Audit and Risk Management, Saurer Management AG, Winterthur/ZH
[email protected]

Due to the Corporate Governance requirements of the SWX and other legislative pressure (such as Sarbanes-Oxley), as well as the increased attention for Internal Audit (IA) functions in the literature, companies which do not yet have an Internal Audit function have either initiated such a function or are considering it. Recent newspaper ads in which recruitment agencies look for a Head of Internal Audit for such a function to be created confirm this. This article shares the practical experiences and 15 critical success factors of an Internal Audit function which was recently set up.

1. Audit Committee
At our company, the Audit Committee (AC) has already been active for many years, so far overseeing the external auditor and their assurance responsibilities. By setting the appropriate reporting structure, i.e. IA reporting directly to the AC (#1), they secured one of the most important critical success factors. Consequently, the AC obtained the overall responsibility for the activities of the External Audit and the Internal Audit functions. These functions support the AC and the Board of Directors by providing independent assurance with respect to the annual financial statements and to the quality of risk management processes, respectively. Both functions are considered an important component of Corporate Governance for our company. The AC determined that the overall strategy is to ensure adequate audit coverage and to minimise duplication of effort while fulfilling these responsibilities with the combined resources. The AC requested both audit functions to ensure that their assurance activities are coordinated with each other, for which a combined audit strategy (#2) was developed (graph 1).

2. IA Charter
Within the development of the audit strategy, the IA charter played a major role. At the first AC meeting after the creation of the function, the IA charter (#3) was defined and ratified, providing IA with its key responsibilities, scope and authority, to continue to develop and to roll out its activities into operations.

3. Business Plan
The IA function is not different from any other part of the business with respect to the way it should be run. Hence, IA needs to be run like a business and needs to have a business plan. The business plan creates IA's ability to operate as a business enterprise, determining its success and survival. It created the vision of the future of IA and how it will add value to the business. The plan was the basis for the detailed set-up of the audit function and outlined the future direction.
The IA business plan (#4) covers the various business aspects of IA such as: strategy, costs, personnel, audit process, products, IT, performance measurement and marketing.

4. IA Strategy
At our company, IA has a duality of roles: to protect shareholder value, through assurance activities with respect to the risk control structure of the organisation, and to enhance shareholder value, through recommendations for improvements. Internal Audit's mission was defined as «providing independent business risk assessments and solutions». The value proposition of IA (#5) was worded as: to add value to the risk management environment in the following areas:
• Review of risk management processes and internal control systems across the group.
• Identification of business risks and assessment of the internal controls designed to mitigate these risks in terms of reliability, integrity, compliance, protection, efficiency and effectiveness.
• Education of the organisation with respect to the development and use of cost-efficient risk management and the promotion of best practice, through IA's role as a change agent.

Graph 1: Overall Audit Assurance

Responsible        Participants     Process                               Reporting               Actions
Audit Committee    Internal audit   Risk management assurance             Internal audit reports  Specific action plans
                   External audit   Annual financial statement assurance  External audit reports  Specific action plans
As part of the IA methodology (#6), the types of audits which IA would perform were defined (consistent with the Charter) and the relevant standards were selected (graph 2).

15 Critical Success Factors for the set-up of a new Internal Audit function:
1. Reporting to the Audit Committee
2. Combined IA and EA strategy
3. IA charter
4. IA business plan
5. Value proposition of IA
6. IA methodology
7. Risk assessment process
8. Auditor profile
9. Show results from the initiation
10. Audit process
11. IA report
12. Distribution list
13. IA manual
14. Best practice
15. Prevent an expectation gap

5. Risk Model
Managers put assets at risk to achieve their objectives. At the same time, managers have the responsibility to ensure that these risks are mitigated by controls. IA needs to allocate its resources to the highest risk areas, where the added value from a Group perspective will be highest. A risk assessment process (#7) was established as the basis for the audit selection for the annual plan.
The objective of this risk assessment is to develop and utilise a risk model to formally and systematically prioritise the Group's risks and, based on this prioritisation, develop the annual IA plan. The formal and systematic approach to risk assessment gives the following benefits:
• Systematic definition of the audit universe.
• Structured and consistent assessment of risks across all entities and their subsequent ranking.
• Prioritisation of the use of IA's limited resources in order to maximise the benefits arising from its work to the Group.
• Documentation of the logic behind the risk model.
• A model that can be relatively easily updated and rerun to reflect changes in the entities and risks.
Since the business managers are responsible for establishing and maintaining risk measurement and control mechanisms as part of their daily duties, they were involved in this process. The outcome of this process was a risk model that ranks the auditable units within the Group in terms of risk, and this ranking was utilised to develop the annual IA plan (graph 3).
The creation of auditable units, thus subdividing larger companies of the Group into different units (each covering one subject or process), leads to audit durations of one to a maximum of six man-weeks. This ensures that ordinary business is not disturbed more than absolutely necessary.
6. Staffing
The added value of IA is not only created by its systems but mostly by the quality of the staff using the systems. In this respect, the view is that a small team of high-calibre auditors will create more value than a big team of mediocre performers. An auditor profile (#8) was established:
• Internal audit is a business where staff must have the technical competence for executing an audit but also the interpersonal skills to manage the auditee. Hence, quality is defined by the professional qualifications, the experience and the character of a person.
• IA staff must be qualified accountants (WP, CIA or equivalent) who have reasonable experience in external auditing and additional experience in internal audit. Generally, the auditors must already have between 6 and 8 years of working experience so that they are able to have broader business discussions with operational management and not just internal control discussions.
To run IA like a business implies that staff should be where the business is located. As it is our Group's strategy to significantly build up operations in Asia, with a focus on China, one auditor position in Hong Kong was created. As IA should support the Group in achieving its strategy, our focus on China will contribute to the set-up and enhancement of local risk management practices and internal controls. Due to the specific cultural, regulatory and linguistic environment, it is important that this Asian auditor already has broad operational auditing experience in China. The crucial aspect of the profile of the auditor for Asia is that such a person, in addition, has a broader western/international view on business, auditing as well as internal controls. The often heard «but here we do things differently, you cannot compare it to Europe» is no reason not to maintain global best practices in risk management and internal controls, also in China.
Based on the defined profile, the recruitment was performed with the support of specialised recruiting agencies. In order to be able to perform audits while the recruitment was in process, temporary staff support was obtained from one of the big four audit firms. This way, IA was able to show results from the initiation (#9) and not only many months later when the vacancies were filled.
Due to the small size of the IA team, it was considered impossible to find all required IT audit skills within one person. Therefore, it was more effective to purchase IT audit services, in the form of co-sourcing, from one of the external IT audit service providers.
The external auditor of the Group was excluded from providing IA support services, for reasons of independence and possible conflicts of interest.

Graph 2: Type of Audits

Type of audit        Standard
Operational audits   COSO
IT audits            COBIT
Other audits         Overall IA strategy

7. Audit Process
The audit process determines the way the audits are executed at the auditable unit. The audit process (#10) was developed and standardised as follows:
Phase 1
The audit is started with a kick-off meeting on the first day. The internal audit department, the audit methodology, the reporting style, etc. are presented to local senior management.
Phase 2
The preparation of a detailed audit plan. The planning phase is important in order to understand the local operation and its business risks and to set the audit scope (if not done in advance). The end result is a risk map with a tailor-made audit approach, covering the highest business risks for the operation under review.
Phase 3
The audit fieldwork includes the evaluation and testing of processes, internal controls, systems and procedures in the areas selected and the documentation of the results in working papers.
Phase 4
Quality control is where IA management reviews the work of the auditor to ensure that it meets the quality standards.
Phase 5
The audit report is written in the field throughout the audit process.
Phase 6
The audit report is finalised by means of a formal closing meeting. The purpose of the closing meeting is to ensure commitment from responsible senior management and correct prioritisation of all actions. The aim is to issue the final report within a few days after the closing meeting.
Phase 7
Post-audit monitoring of the implementation of the agreed actions is based on periodic progress reports submitted by the responsible management to IA. The monitoring can be supported by follow-up visits in cases considered necessary by IA management (particularly for audits where significant weaknesses were identified).

Graph 3: Risk Assessment Process

Risk Assessment:
– Define audit universe of auditable units
– Split audit universe into distinct categories
– Identify risk factors for each audit
– Define weights for each of the risks
Risk Measurement:
– Define risk scale
– Assign risk score
– Calculate risk rating of auditable units
Risk Prioritisation:
– Rank auditable units on risk profile
– IA risk profile of auditable units
Inputs to the Annual IA plan: IA risk profile of auditable units, IA resources, outcome of the ERM self assessment process.

Graph 4: Operational Risk Review Report – Executive Summary

Risk Review Scope and Conclusion
Risk Review Scope:
– Detailed level audit of Sales and Inventory processes.
– High level review of IT, Treasury, T&E expenses.
Reason for Review: Annual Audit Plan / AC/Board request / Management request
Overall Conclusion on Risk Management: Significant weaknesses / Inadequate / Adequate [X] / Strong
Mgt Awareness: High / Moderate / Low
Root Causes: n/a
Significant Issues (# of Actions): High 1, Moderate 1, Low 1; total 3
Group Risk Exposure: High
Strategic:
1. There is a concentration of sales in two markets (Section 1.1).
Operational:
2. Sales discounts are not being controlled (Section 2.1).
3. An annual stock count is not being performed (Section 3.1).
Risk Map: issues 1, 2 and 3 plotted by Significance (Low to High, with CHF 1 mio marked on the axis) against Likelihood (Low to High).

Company Background
Key Figures (CHF 000; columns 2002 P2 %, 2002 Budget %, 2001 Actual %): Net Sales, Gross Profit, Operating Expenses, Operating Profit, Inventories (Gross, Turns), Receivables (Gross, DSO), FCCF, Headcount (FTE). (Values not shown in the transcription.)
General: The company sells Saurer Textile Machines type X mainly to the Turkish and Chinese markets.
Strategy/Objectives:
1. The objective for 2002 is to increase sales by 10% and to decrease inventories by 25%.
A standardised IA report (#11) was developed, consisting of two parts:
1. the Executive Summary (limited to 1 page), designed to give top management and the AC an overall assessment of the business risk exposures and of the risk management environment supporting it (graph 4); and
2. the Management Action Plan, a working document for local management providing a detailed action plan showing the agreed actions that will be taken to rectify any risk management weaknesses identified during the course of the review. The plan also identifies the due dates and the persons responsible for the implementation (graph 5).
The standardised audit report makes the product of IA very recognisable and efficient in use. With our standard distribution list (#12) it was ensured that the results of audits were brought to the attention of the appropriate levels: Chairman of the Board, Audit Committee, Group Management, Business Unit Management and other relevant functions, and the External Auditors.

8. IA Manual
During the set-up phase of the IA function, an IA manual (#13) was created which documents the various processes as described before. Additionally, it includes chapters on topics such as: balanced scorecard, operating policy, IIA professional practices framework, etc. The manual further includes the IA tools: risk assessment maps, standard IA report format, guidelines on the interpretation of the overall audit conclusion, standard progress report format, standardised auditee satisfaction survey, etc.
A short version of the manual is used to communicate (in advance of audits) the various aspects of IA to (auditee) management in order to create general transparency and awareness with respect to the IA function.

9. Best Practice
From the start it was the intention to set up the function with best practice tools, policies, procedures, methodology, etc. Such best practice (#14) was derived from various sources, including:
• Professional practices framework from the Institute of Internal Auditors (IIA) and their Swiss Chapter (SVIR);
• Best practice support as provided by one of the big four IA service providers (e.g. benchmark review of the IA manual);
• Recent IA literature from the IIA, articles in professional magazines;
• Attending best practice Internal Auditing seminars;
• Past personal experience.

Graph 5: Management Action Plan

Columns: Observation and Risk Exposure | Local Risk Rating | Group Risk Rating | Agreed Management Action for Mitigating Risks | Responsibility and Deadline. (The local and group risk ratings are shown as rating dots in the original.)

1. Strategy
1.1 Strategic plan
Observation and risk exposure: There is no strategic plan giving direction for current and future activities and priorities. The absence of such a plan creates a high risk that the objectives for 2002 will not be achieved.
Agreed management action: A strategic plan will be created with focus on the following elements: market approach, product portfolio, etc. The plan will be passed on to BU management for approval.
Responsibility and deadline: C.Eo, 31 Dec 04

2. Sales
2.1 Discounts
Observation and risk exposure: There are no controls over sales discounts given by the sales reps. This creates a risk of loss of margin without the appropriate approvals.
Agreed management action: A product and customer profitability report will be created. It will be reviewed by sales management on a monthly basis.
Responsibility and deadline: A. Bcde, 31 Jan 04

3. Inventory
3.1 Annual stock count
Observation and risk exposure: Inventories are not counted on an annual basis (nor are there any cycle count procedures). As a result, the accuracy of the warehouse and inventory ledgers is not established. It has already resulted in a high backorder volume due to inaccurate data, causing customer dissatisfaction.
Agreed management action: Annual stock count procedures will be created. For this year the stock count will be performed as soon as possible.
Responsibility and deadline: Z.Xyz, 31 Dec 03
10. Conclusion
Apart from the aforementioned 14 critical success factors there are many more factors which influence the success of the IA function. It can, however, be said that when these 14 factors have been accomplished within the first year of operation, the foundation for success is a very solid one.
With all this, success is still dependent on the perceived added value of the audit results and the way auditors deal with auditees. Particularly when management and auditees have never been subjected to an Internal Audit, their expectations with respect to IA's objectives, process and limitations need to be managed. Therefore, last but not least, a critical success factor is the ongoing feedback and communication to prevent an expectation gap (#15) between IA and the AC/Board, Group management, Business Unit management and local management.
SUMMARY
Setting Up a New Internal Audit Function
Due to the Corporate Governance Directive of the SWX Swiss Exchange and other legal requirements (e.g. the Sarbanes-Oxley Act), many companies which do not yet have an Internal Audit function have started to set one up or are considering doing so. Recent newspaper advertisements in which recruitment consultants look for heads of internal audit for the newly created position confirm this. This article describes the practical experience and 15 success factors gathered during the set-up of a new Internal Audit function:
1. Internal Audit (IA) must report directly to the Audit Committee.
2. IA and the external auditors should develop a combined audit strategy in order to ensure adequate audit coverage and to avoid duplicate audits.
3. A charter should be drawn up and ratified by the Audit Committee. It defines the key responsibilities, the scope and the authority of IA.
4. A business plan for IA is needed which covers the various perspectives, such as: strategy, costs, personnel, process, products, IT, performance measurement and marketing.
5. The value proposition of IA must be defined in order to give management and the auditees a clear statement of the added value of IA.
6. As part of the IA methodology, the types of audits (consistent with the charter) and the relevant standards, e.g. COSO and COBIT, must be selected.
7. IA must direct its resources to the audit areas with the greatest risks, which promise the highest added value from a Group perspective. A risk identification and assessment must be carried out as the basis for the selection of the audits in the annual audit plan.
8. The added value of IA is not created by the methods used alone, but predominantly by the quality of the staff applying the methods. A profile of the audit staff must be drawn up as the basis for the staff selection process.
9. In order to be able to perform audits already during the recruitment process, staff from one of the big four audit firms should be used for temporary support. In this way, IA can deliver first results from the start and not only months later when all vacancies have been filled.
10. The audit process determines how the actual audit is performed at the audited unit. This process should be developed and standardised.
11. A standardised audit report is needed to make the «product» of IA efficient and clearly recognisable.
12. A standardised distribution list ensures that the audit results receive the attention of the appropriate management levels and of the Board of Directors or executive board.
13. During the set-up phase of IA, an audit manual must be created which documents the processes described above.
14. A variety of sources should be used to ensure that IA is set up in accordance with best practice principles.
15. There should be an ongoing feedback and communication process in order to prevent a gap between the expectations of IA and the Audit Committee or the Board, Group management, Business Unit management and local management.
HB