Develop a structure and competencies to deliver results
Editor’s note: This is the second article in a limited series focused on the benefits of, and approach to, establishing an impactful internal audit function for private companies, including family-owned enterprises. The first article in the series covers building support for internal audit.
When private companies decide to create an internal audit function, they take an important new step in their growth and maturity journey. Adding internal audit capabilities creates structure for risk management, adds rigor to compliance activities, and ultimately provides opportunities to take business performance to a higher level. After obtaining support for internal audit, taking the right steps to design and implement it is critical for private companies to get the highest return on their investment. While there are multiple paths that you can follow, these key activities will help you quickly get from idea to outcomes:
- Determine the internal audit operating model
- Conduct a risk assessment and develop a recommended internal audit plan
- Build infrastructure
- Obtain consensus
- Conduct a pilot internal audit
Determine the internal audit operating model
Support for internal auditors
There are multiple global professional organizations that support the development and advancement of internal audit professionals, capabilities and methods. The Institute of Internal Auditors (IIA) has existed for more than 80 years and recently issued redesigned Global Internal Audit Standards to help organizations establish and operate internal audit in a consistent and impactful manner.
The Information Systems Audit and Control Association has been helping companies address IT governance, risk management, audit and control needs for more than 55 years. Many industries such as healthcare, higher education, insurance and life sciences also have internal audit professional organizations to help focus on topics that matter most to each industry.
There are many ways to get to the right internal audit answer for your company. Some of the questions that will reveal the right answer for you include:
- To whom should internal audit report?
- Who should lead internal audit?
- How should internal audit be staffed?
- Where should resources be located?
- What skills are needed?
Internal audit is most effective and aligns with professional standards when it has dual reporting to management and the board of directors (or comparable governing body):
- Functionally reports to a board committee, such as an audit committee, finance committee, risk committee or compliance committee
- Administratively reports to a senior executive within the organization such as the CEO, CFO or general counsel
This dual reporting model immediately establishes the company’s commitment to the function, and the authority for internal audit to operate independently across the enterprise. As mentioned in our first article, CFOs (or the equivalent role) are most often the executive sponsors for establishing internal audit. They are also the most common senior executives to whom internal audit administratively reports.
To hire or not to hire
Choosing a qualified resource to establish and lead internal audit is a critical early step. The right resource can be:
- An existing employee
- An external hire
- A qualified third-party provider (consultancy)
The key is to ensure the internal audit leader has the necessary skills (more on this later) and will be a cultural fit. This includes the organization’s comfort and experience working with third parties.
Staffing the function
Like other corporate functions, there are three primary staffing models:
- In-house: Fully staffed by employees
- Co-source: Staffed by a combination of employees and a third-party provider(s)
- Outsource: Staffed entirely by a third-party provider(s) (including the department head)
Each staffing model provides numerous advantages, while also presenting potential challenges, as seen in the chart below. The staffing model can take many different shapes and evolve over time as your needs change. For example, an organization may prefer an in-house model and start by hiring a chief audit executive to establish the function. However, after experiencing challenges hiring additional internal audit positions, the same organization might switch gears and decide to engage a third party to execute the audit plan while adding talent.
The function’s mandate and potential areas to be audited may also drive the decision. It’s difficult for a smaller internal audit function to possess the diverse skills necessary to audit customer experience processes one day and then network security the next. For this reason, many companies use co-sourced or outsourced models to provide the appropriate depth and breadth of experience necessary for an effective internal audit function.
Co-sourcing can take many different forms, and quickly evolve to address needs. This can include:
- Staff augmentation (also known as “loaned staff”) — Third-party personnel work under the direct supervision of company personnel.
- Subject matter specialist support — A third party provides experienced advice, insights, and guidance to company internal audit personnel as they perform internal audits in specific areas.
- “Carve out” — Specific internal audits are executed by a third party from start to finish. This is very common with IT audits and other topical areas where company internal audit personnel lack the skill, experience, or tools to perform the audit, or when the bandwidth of internal resources is limited.
- “Teaming” — A joint team of company internal audit and third-party personnel work together to execute individual internal audits.
Location, location, location!
Based on the company’s organizational structure, operating model, geographic footprint and growth expectations, determining where internal audit personnel should be physically located can be critical. This is especially true if you decide an in-house function is best for you. Some considerations include:
- Level of operations, processes and system centralization and standardization
- Geographic (domestic and international) locations, and size of operations at those locations
- Legal entity operating structure (parent or subsidiaries)
- Location(s) of other corporate functions
- Location(s) of individuals internal audit will be working with most frequently
- Location(s) of other risk management and assurance functions (if applicable)
- Company culture regarding in-person or remote work
For international organizations that partner with a third party, understanding their ability to deploy local, qualified teams is paramount. Often, local teams help improve audit quality and overall experiences given their knowledge of local languages, culture, customs and regulations, while helping to manage travel costs.
Incorporate the right capabilities
What skills are required for impactful internal auditors? Like other company functions, there is no “perfect résumé” or one-size-fits-all profile, although an understanding of IT and cyber risk, emerging risks (like artificial intelligence) and the use of analytics to gain insights and provide value to the company have quickly become core competencies given the rate of technological advancement. That said, those who excel in the profession typically demonstrate some core competencies and specialized skills:
In all cases, the key is bringing in people with a comprehensive understanding of internal audit to build the foundation. “You want to create a structure that will bring capabilities that are right for your organization,” said Matthew Lerner, Risk Advisory Services Principal for Grant Thornton.
Conduct a risk assessment and develop a recommended internal audit plan
An impactful internal audit function should be aligned with the company’s strategy and objectives, focus on areas of highest risk (that can be audited), and effectively consider other functions that are helping manage risk and improve business performance.
Critical to ensuring this alignment is conducting a risk assessment to develop a risk-based internal audit plan. Here are a few keys to success:
- Have a balanced business discussion. Understand business operations, processes, systems, challenges, changes, external forces and resource needs. Adam Ross, Grant Thornton Risk Advisory Services Principal, shared: “I learned years ago when working for a terrific partner that it’s not just about understanding what could go wrong. It’s equally important to learn about what must go right.”
- Bring perspectives. Long gone are the days of asking company leadership and department heads what keeps them up at night and taking notes. Make sure to do your homework. Review management reporting, understand what analysts are saying about your industry, research peer and aspirational organizations, understand adjacent industry challenges and expectations of vendors and customers, and use data to identify potential risk indicators.
- Don’t start with a blank sheet of paper. Odds are heavily in your favor that significant risks facing your organization have previously been identified and possibly documented. Connect with other risk management and assurance functions and programs (such as enterprise risk management, legal, compliance, quality, safety, controllership, information security and your external auditor) to understand what’s been done in the past. This will dramatically improve efficiency and increase alignment across the risk management landscape.
- Don’t let “great” get in the way of “good.” While the overall goal is to create a complete inventory of all auditable entities (processes, sub-processes and systems) and relevant risks, it is not reasonable or practical to identify and document every item to a granular level of detail. Remember that the risk assessment evolves over time and every iteration will become more thoughtful, comprehensive and focused. You will achieve tremendous results in a shorter time without achieving perfection.
- Embrace agility. Recognizing that the risk assessment will change over time and needs to be maintained is critical to developing a risk-based, value-added internal audit plan. The risk assessment and audit planning process should be agile and flexible to address changing business needs, emerging risks, new regulatory requirements, and requests of the board and management.
“In the long term, and sometimes even the short term, there will be changes to the risk landscape — regulatory changes, operational changes, growth of the organization,” Lerner said. “Those are all things that need to be considered on an ongoing basis to make sure you have the right complement of skills and resources.”
The timing for the risk assessment may vary, but it should be an early task the new internal audit function undertakes. The results of the risk assessment are used to create a risk-based, multiyear internal audit plan. The audit plan should be reasonable and pragmatic, balancing areas of highest risk with available resources and budget the company can commit. “You have to think through what makes the most sense for you,” Ross said. “There’s no one right answer that works for everyone.”
The internal audit plan often informs the staffing model (in-house, co-sourced or outsourced) as well as the core and specialized skills needed to execute it. For example, the internal audit plan may identify very technical areas that require specialized skills or certifications. It may be better to engage a business partner to help execute these audits rather than hiring personnel whose experience is broader but less specialized.
Build infrastructure
Now it’s time to codify your vision for the function and develop tools and enablers to ensure consistent, high-quality execution. This is no different from how you would approach establishing an accounts payable process, information technology department, or any other activity that is expected to be repeatable and effective for an extended period. Formalizing and documenting some important elements will help hone internal audit’s message and value proposition.
To advance capabilities and impact over time, internal audit needs:
- A department charter approved by the audit committee or board that defines internal audit’s purpose, authority, responsibility, and position within the organization.
- Policies and procedures that standardize operating protocols for the internal audit organization.
- Templates that guide internal auditors through their procedures and reporting.
- Key performance indicators (KPIs) that will assist the audit committee in evaluating internal audit’s performance.
If you choose to co-source or outsource the function, qualified providers will have many of these important elements available for quick customization.
Obtain consensus
As we mentioned in our first article, obtaining buy-in is critical to success. This important step “takes your show on the road.” Meet with senior leaders and others to solicit input and talk about the risk assessment, recommended internal audit plan and your vision for the function. Talk about why certain audits were identified and review the draft report template. Even if changes aren’t made to the work performed thus far, giving others the opportunity to contribute will improve engagement and acceptance of this important function.
Some internal audit leaders have found success by holding introductory meetings with people in different functions, in “town hall” meetings. Ross recalled, “We were recently hired to become the outsourced internal audit provider for a health system. Many were skeptical because the prior audit function was very punitive.” Knowing that internal audit needed to change its brand and reputation, the team asked its executive sponsor (the CFO) to organize a town hall with all department heads. He quickly established a strong tone at the top by acknowledging the challenges of the prior function and why the company chose its new provider. “We then presented our internal audit philosophy and approach, shared stories of mutual success with other clients, and honestly addressed direct questions about their concerns. We gained many converts during that meeting, and then demonstrated to holdouts over time that we were different.”
Brian Shellito, Grant Thornton Risk Advisory Services Director, agreed. “Doing road shows with the key business stakeholders can be very helpful in establishing the internal audit function and breaking down walls right from the start. It’s a good chance to explain what internal audit’s objectives will be and how internal audit will work with business leaders to help accomplish their objectives.”
The last step before executing the audit plan is obtaining approval from relevant stakeholders. This can be company senior leadership and/or the audit committee of the board of directors. The IIA Global Internal Audit Standards expect that the following be formally approved, at a minimum:
- Internal audit strategy
- Internal audit charter
- Internal audit risk assessment and audit plan
- Internal audit resource plan and budget (including organization design and staffing model)
Conduct a pilot audit
Consider starting with one internal audit, or pilot, with a supportive business leader. While it can be any audit on the approved audit plan, focus on those in areas that are not overly complex and do not require transformational change to address known issues. This allows internal audit to test its newly formalized approach and templates in a safe space. It also enables those new to internal audit to experience an audit.
Specific care should be given to establishing good practices in project management and communications. As the audit is performed and ultimately completed, incorporate learnings into internal audit methods and templates.
“You don’t want your first audit to be a struggle,” Lerner said. “Stress testing these new templates and capabilities in a place where you have support and cooperation is a good way to make sure the first audit is successful and helps drive momentum for the internal audit function going forward.”
With the structure built and the pilot complete, the organization is ready to begin experiencing the benefits that internal audit can provide. Whether internal audit professionals are employed in-house, co-sourced or outsourced, they can add rigor to organizational processes and strengthen risk management, leading to improved business results. The exact structure of internal audit is unique to every company but, when implementation is complete, private companies begin experiencing the benefits immediately.
Contacts:
Adam Ross
Principal, Risk Advisory Services
Grant Thornton Advisors LLC
Adam Ross is a managing director in Grant Thornton’s Business Advisory Services practice in our Philadelphia office. He has 15 years of experience helping public and private companies enhance the efficiency and effectiveness of their business and IT environment, operations and organization structure, as well as increase awareness on risk, improve internal controls, and manage compliance with applicable laws and regulations.
Philadelphia, Pennsylvania
Matthew Lerner
Principal, Not-for-Profit and Higher Education, Risk Advisory Services
Grant Thornton Advisors LLC
Matthew is a Principal within Grant Thornton’s Not-for-Profit and Higher Education Advisory Services practice.
New York, NY