Ask the Experts, December 2006

Establishing a New Shop

An internal audit manager looks to set priorities for his recently formed department.

Jason has just started his new job as audit manager with Ericksen, a privately owned furniture manufacturer with annual revenues of just over US $200 million. The company is currently subject to U.S. Sarbanes-Oxley Act of 2002 regulations, but only as they apply to issuers of public debt. Ericksen hired Jason to create an internal audit function, even though the company does not face any regulatory mandates to establish one. Ericksen’s founder and chief executive officer (CEO) wants an audit function in place as the firm prepares for an initial public offering (IPO).

Jason realizes that starting an audit department in any organization can be fraught with challenges. Nonetheless, he experienced significant culture shock upon arrival at Ericksen. The company maintains a very informal culture and has few documented policies and procedures in place. Moreover, Jason has already run into considerable resistance to any changes he’s proposed.

Jason is unsure where to begin his work on establishing the new department. He can’t decide whether to lead a Sarbanes-Oxley-like documentation effort before starting any audits or to focus on building an audit process to help formalize the company’s policies, processes, and procedures. What steps should Jason consider as he grows the department? How can he increase the audit function’s reach without breaking the bank? What other issues should he keep in mind as he proceeds?

Leticia Herrera-Price, CIA, CFE
Director, Internal Audit
H-E-B Grocer

Internal controls are critical to ensuring corporate governance, whether a company is public or private. Jason must obtain the full support of Ericksen’s CEO, chief financial officer, and chief operating officer before embarking on any initiatives. Moreover, the CEO must be willing to give Jason the authority to establish an audit department based on the company’s risk appetite.

Because Ericksen is privately owned and may not have an independent board in place, Jason might want to consider soliciting the executives’ support to establish an audit committee comprising the organization’s senior leaders. The committee members could help establish the company’s risk appetite, define the audit plan and charter, and lend their support and authority to internal auditing’s financial and operational audits. Furthermore, having company executives on the committee would help ensure that audit results and trends — such as Ericksen’s lack of formal processes and procedures — would receive the level of awareness necessary to effect change.

A private company may not embrace a structured Sarbanes-Oxley-like documentation effort due to the costs and human resources required. An unstructured organization might find such an effort overwhelming as a companywide initiative and may be more receptive to a value-added audit department. By establishing an audit process first, rather than beginning his efforts with a Sarbanes-Oxley project, Jason can educate management on the importance of risk management via controls to help ensure operational effectiveness and efficiency, financial reporting accuracy, and asset security. Jason should also seek executive management’s support in reinforcing the value of a control model such as The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control–Integrated Framework.

During his first two years of leadership, Jason should develop annual audit plans cautiously. He should identify the audit universe and closely examine the major operational manufacturing cycles, revenue cycles, and so on. He will then be in a much better position to risk rank business processes, develop an audit plan consistent with the organization’s risk appetite, and request appropriate resources.

Lastly, Jason should be attentive to any financial risks identified. Private companies often do not receive the same level of scrutiny as their larger counterparts and consequently may experience greater unknown financial risks. Jason must align audit efforts with the organization’s enterprise risk management program and corporate governance structure.

Robert Hirth
Managing Director, Internal Audit Services
Protiviti Inc.

Jason faces a unique set of circumstances: The audit function is sponsored by the CEO, the company is privately owned yet publicly indebted, and management aims to position the firm for a public offering. Establishing a new audit shop under these conditions would likely prove difficult for any audit professional. But in reality, all internal audit start-up projects involve major challenges.

Regardless of individual circumstances, auditors charged with establishing a new shop should always start with a charter and a risk assessment. An effective audit charter will help Jason focus his efforts and rebut any resistance, assuming that his recommendations are well-founded, supported, and appropriate. Jason already has an appropriate sponsor — the company’s CEO.

Jason should also determine whether a risk assessment has been performed. What risks do senior management and the board consider most significant? How do they think internal auditing should help ensure those risks are managed appropriately? The answers to these questions will help guide Jason’s efforts.

Most likely, Jason can easily identify opportunities for significant dollar and cycle time savings by examining the company’s compliance processes. Helping management ensure the company can comply with Sarbanes-Oxley and does so cost effectively will enable Ericksen to improve its internal controls over financial reporting. However, Jason should be careful not to focus solely on this effort — financial reporting comprises only one facet of control, and the department’s overall objectives encompass a much broader scope of activities.

No one said internal auditing was an easy job. Clearly, Jason has many challenges ahead of him. But with CEO support, a focused charter, and a sound risk assessment, he will be well on his way toward establishing a successful department.

Fred Hower
Senior Director, Internal Audit
IHS Inc.

To make sure the new audit function succeeds, Jason needs to obtain buy-in from both senior management and the board. He also needs to determine the anticipated timing of Ericksen’s IPO so that he can prioritize and focus his efforts. Above all, however, Jason has four main tasks to accomplish: complete an operational and financial assessment of the organization, determine senior management and the board’s priorities and level of risk acceptance, recruit qualified staff, and sell the internal audit function.

Assessment

First, Jason needs to gain an understanding of the company. What does Ericksen do, and where does it conduct business? To what extent is the organization decentralized? Where does the company perform accounting and finance functions? What is the complexity of Ericksen’s legal and equity structures? The answers to these questions will affect the audit universe and Jason’s approach to audit planning.

Ericksen’s Sarbanes-Oxley effort does not seem sufficiently robust for a public company. Jason needs to assess compliance efforts to date and determine where the company falls short. He cannot afford to underestimate the cost or the time required to document controls and remedy weaknesses.

Jason also needs to develop an effective working relationship with Ericksen’s external auditor. The audit firm likely has a good understanding of the organization’s business risks, which can be of value to his department. Moreover, external auditors typically play a critical role during IPOs, and Jason will need their assistance to prepare the company for public ownership.

Risk Appetite

Jason risks taking on too much responsibility. Before establishing priorities, he needs to understand the degree of risk the board and management are willing to take. If the IPO will occur relatively soon, then Sarbanes-Oxley readiness and compliance auditing will constitute a higher priority. Even so, Jason cannot afford to ignore either operational or fraud risks.

Recruiting

Staff members form the building blocks of an effective audit function. Jason’s success with management and the overall business will hinge largely on the quality of his staff. He should focus on attracting a balanced mix of experienced auditors, preferably with specialized expertise in the risk areas of the company, as well as junior staff who can help provide adequate coverage at a lower cost.

Marketing the Department

In most companies, employees have a genuine interest in improving the business. Auditors should listen carefully to their clients and advocate for change. Performing quality work and achieving results will serve as Jason’s best sales tool.

How would you handle this scenario? Continue the discussion by sharing your comments below.

 


Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2012 IA Online Cover

CCH 2012-2

 On-site Training

 

 Write for FSA Times

  

 

 Twitter

facebook IAO 

IA APP