August 2004

Starting From Scratch

At Swiss company Saurer Ltd. the chief audit executive focused on best practices to create a successful new internal audit function.

Hans Beumer, PHD, CIA, RA
Head of Internal Audit and Risk Management
Saurer Ltd.

Due to the corporate governance requirements of the SWX Swiss Exchange and other legislative pressure, such as the U.S. Sarbanes-Oxley Act of 2002, many Swiss companies currently without internal audit functions are initiating or considering creating them. At Swiss-quoted company Saurer Ltd., a worldwide provider of textile machinery and transmission systems, changes in senior management and nonexecutive directors of the board also contributed to a stronger internal requirement for a corporate audit function. Thus, I was hired as chief audit executive (CAE) in July 2002 to create an internal audit department at the company. Before I joined the organization, there was no such function and no internal audits were being performed.

BEST PRACTICES

From the start, it was my intention to set up the internal audit function using best practice tools, policies, procedures, and methodologies. Such best practices were derived from various sources, including:

  • The IIA’s Professional Practices Framework and guidance from The Institute’s Swiss chapter.
  • Benchmark review of our internal audit manual by an outside service provider.
  • Recent IIA literature and articles in professional magazines.
  • Best practice internal audit seminars.
  • Personal experience.

AUDIT CHARTER

At my first meeting with the audit committee, the internal audit charter was defined and ratified, providing internal auditing with its key responsibilities and scope, as well as the authority to develop and roll out its activities into operations. The charter requires internal auditing to function in accordance with The IIA’s Professional Practices Framework. It defines internal auditing’s mission as supporting the company’s mission by providing independent, value-added business risk assessment and solutions. Internal auditing is independent of the client, and internal audit activities focus on the operational areas of the business where the risks are the highest. The audit function is a proactive change agent, providing impartial opinions on the processes reviewed, actions that are workable, and cost-effective solutions that help mitigate business risks.

REPORTING TO THE AUDIT COMMITTEE

At Saurer Ltd., the audit committee has actively overseen the external auditor and its assurance responsibilities for many years. With the creation of the internal audit function, the audit committee obtained overall responsibility for the activities of the internal auditors, as well. As CAE, I report directly to the audit committee to ensure internal auditing’s independence from management and operations.

The internal and external auditors support the audit committee and the board of directors by providing independent assurance. The external auditors provide assurance with respect to the annual financial statements, and the internal auditors provide assurance with respect to the quality of business risk management processes. Both functions are considered an important component of corporate governance at the company.

The audit committee determined that the overall audit strategy should be to ensure adequate audit coverage and to minimize duplication of effort, while fulfilling these responsibilities with the combined resources of the internal and external audit functions. The committee requested that the audit functions ensure that their assurance activities are coordinated by creating a combined audit strategy (see “Audit Assurance Structure”).

AUDIT STRATEGY

Saurer’s internal audit function has a dual role: to protect shareholder value through assurance activities with respect to the organization’s risk and control structure and to enhance shareholder value through recommendations for improvements to the risk management and control structure (see “Internal Audit Strategy”). Internal auditing adds value to the risk management environment by:

  • Reviewing risk management processes and internal control systems across the organization.
  • Identifying business risks and assessing internal controls designed to mitigate those risks in terms of reliability, integrity, compliance, protection, efficiency, and effectiveness.
  • Educating the organization with respect to the development and use of cost-efficient risk management processes and the promotion of best practices through internal auditing’s role as a change agent.

The internal audit function established a risk assessment process to formally and systematically prioritize Saurer’s risks for internal audit purposes. The benefits of this type of approach to internal auditing’s risk assessment include:

  • A systematic definition of the audit universe.
  • A structured and consistent assessment and ranking of risk across all entities.
  • Prioritization of the use of internal auditing’s limited resources to maximize the benefits arising from its work for Saurer.
  • Documentation of the logic behind the risk model.
  • A model that can be updated relatively easily and rerun to reflect changes in the entities and risks.

Because the business managers are responsible for establishing and maintaining risk measurement and control mechanisms, they were involved in the risk assessment process. The outcome was a model that ranks the auditable units within Saurer in terms of risk, and this ranking is used to develop the annual internal audit plan (see “Internal Audit Risk Assessment Process”).

BUSINESS PLAN

The internal audit function’s business plan enables it to operate as a business enterprise. The plan was the basis for the set-up of the audit function and outlines its future direction, while addressing questions related to:

  • Strategy. What is internal auditing’s role within Saurer, and what is the stakeholder value proposition of internal auditing?
  • Costs. What are the planned costs for the function in the coming years, divided into personnel, co-sourcing, travel, and other expenses?
  • Personnel. What capacity and experience of audit staff is needed to reach internal auditing’s objectives? What does the internal audit organization look like at its different locations? What is the importance of continuing education and half-yearly internal audit conferences?
  • Audit process. How is the audit process defined regarding annual risk assessment to audit scheduling, type of audits, documentation requirements, audit methodology, and process control?
  • Products. What are internal auditing’s products, and how can they be developed and standardized?
  • Information technology (IT). What audit automation and data interrogation tools will internal auditing use?
  • Performance measurement. How will the performance of the function be measured? What is needed to develop a balanced scorecard for the internal audit function?
  • Key relationships. What is internal auditing’s expected relationship with the audit committee, management, and the external auditor?
  • Marketing. What marketing tools should internal auditing use?

As input for the business plan, discussions were held with the company’s chief executive officer and chief financial officer, as well as the chairman of the board and the audit committee.

AUDIT MANUAL

During the set-up phase of the internal audit function, a manual was created that documents the department’s various audit processes. Additionally, the manual includes chapters on topics such as balanced scorecards, operating policy, and The IIA’s Professional Practices Framework. The manual also includes internal audit tools such as risk assessment maps, a standard internal audit report format, guidelines on the interpretation of the overall audit conclusion, a standard progress report format, and a standard client satisfaction survey.

A short version of the manual is used to communicate — in advance of audits — the various aspects of internal auditing to the client. Distributing this short version, together with the internal audit charter, helps create general transparency and awareness with respect to the audit function.

STAFFING

Internal auditing adds value not only through its systems but also through the quality of the staff using the systems. Thus, with the belief that a small team of high caliber auditors would create more value than a large team of mediocre performers, I established the following auditor profile:

  • Internal audit staff must have the technical competence for executing an audit, as well as the interpersonal relationship skills to manage the client. Staff quality is defined by the professional qualifications, experience, and character.
  • Internal audit employees must be qualified accountants who have experience in both external and internal auditing. They must have earned the certified internal auditor or certified public accountant designation, or equivalent. Generally, the auditor must have between six and eight years of combined external and internal audit experience. This gives them the knowledge to have broader business discussions — not just on internal controls — with operational management.

Based on the defined profile, specialized recruitment agencies were engaged to help with the search for appropriate candidates. Temporary staff support was obtained from an outside audit firm to perform audits during the recruitment process. Thus, internal auditing was able to show results from the start — not months later when vacancies were filled.

Due to the internal audit team’s small size and problems with finding one person with all of the required IT audit skills, it was decided to purchase co-sourced IT audit services from an external IT audit service provider. Saurer’s external auditor was excluded from providing internal audit support services for reasons of independence and possible conflicts of interest.

For internal auditing to be run like a business, it must be located where our core business operations are located. Saurer’s strategy is to build up operations significantly in Asia, with a focus on China. Thus, we created an internal auditor position in Hong Kong. Because internal auditing should support the Saurer business in achieving its strategy, our focus in China will be to contribute to the set-up and enhancement of local risk management practices and internal controls.

Due to the specific cultural, regulatory, and linguistic environment, it is important that the auditor has broad operational audit experience in China. In addition, the auditor must have a broad Western/international view on business, auditing, and internal controls. The often heard “but we do things differently here, you can not compare us to Europe,” is no reason not to maintain global best practices in risk management and internal controls in China.

AUDIT PROCESS

The audit process determines the way the audits are executed at the auditable unit. It was developed and standardized as follows:

  • Phase one. The audit begins with a kick-off meeting. The internal audit department, the audit methodology, the reporting style, etc., are presented to local senior management.
  • Phase two. A detailed audit plan is prepared. The planning phase is necessary to understand the local operation and its business risks and to set the audit scope — if not done in advance. The end result is a preliminary risk map with a tailor-made audit approach, covering the highest business risks for the operation under review.
  • Phase three. The audit fieldwork includes the evaluation and testing of processes, internal controls, and systems and procedures in the selected areas, as well as workpaper documentation of the results.
  • Phase four. As part of quality control, internal audit management reviews the work of the auditor to ensure that it meets the quality standards.
  • Phase five. The audit report is written in the field throughout the audit process.
  • Phase six. The audit report is finalized by means of a formal closing meeting. The purpose of the closing meeting is to ensure commitment from responsible senior management and correct prioritization of all actions. The aim is to issue the final report within a few days after the closing meeting.
  • Phase seven. Post-audit monitoring of the implementation of agreed actions is based on periodic progress reports submitted by responsible management to internal auditing. The monitoring can be supported by follow-up visits in cases considered necessary by internal audit management, particularly for audits where significant weaknesses were identified.

A standardized internal audit report was developed, consisting of two parts: 1) a one-page executive summary designed to give top management and the audit committee an overall assessment of the business risk exposures and the risk management environment and 2) the management action plan, a working document for local management that shows, in detail, the agreed actions that will be taken to rectify any risk management weaknesses identified during the review. The plan also identifies the due dates and persons responsible for the implementation.

Internal auditing’s standardized audit report is recognizable and efficient in use (see “Executive Summary Example” and “Management Action Plan Example”). Our standard distribution list helped ensure that the results of audits were brought to the attention of the appropriate levels: chairman of the board, audit committee, group management, business unit management and other relevant functions, and the external auditors.

THE EXPECTATION GAP

A successful internal audit function is dependent on the perceived added value of the audit results and the way auditors deal with clients. Particularly when management and clients have never been subjected to an internal audit, their expectations with respect to the function’s objectives, processes, and limitations must be managed. Therefore, ongoing feedback and communication are needed to prevent an expectation gap between internal auditing and the audit committee, board, group management, business unit management, and local management. This is accomplished using marketing tools, carefully providing information in advance of audit projects about the audit scope and operational management’s expected involvement during the audit, clearly communicating the role of internal auditing, etc. Networking with operations management and building good relationships is key to the acceptance of internal auditing by business management. Generating good results and audit reports helps build the function’s credibility.

CHALLENGES

During the set-up of the internal audit function, we encountered several challenges. One significant challenge was to find high caliber, experienced auditors. Because Saurer is not a well-known international brand name and the job requires 80 percent travel, there was a lengthy recruitment process. Other challenges were:

  • Shortage of company-specific knowledge. During the first year, the auditors had limited industry and company process knowledge. However, after more than a year of performing internal projects, we are now able to benchmark processes and operations, internal controls, and risk management standards.
  • Customers’ fear of corporate audit. Our customers often expected a “police function” or a spy from head office. Up-front and clear communication about audit expectations and our audit approach has overcome such worries.

On occasion, our authority was challenged during audits, but this could be addressed easily by explaining our reporting line directly to the audit committee and the content of our audit charter.

CREATING A SOLID FOUNDATION

There are many factors beyond those mentioned in this article that influence the success of a newly established internal audit function. However, accomplishing the previously mentioned tasks within the first year of operation creates a solid foundation for a successful audit department.

From the CAE perspective, it has been quite rewarding to see Saurer’s attitude toward internal auditing change from “Why do we need it?” to recognition of the added value it provides. Although internal auditing usually still needs to invite itself to do the assurance work, we now regularly receive requests from management and the board to perform special work. Management is exhibiting an increased awareness of internal controls and risk management.

To comment on this article, e-mail the author at hbeumer@theiia.org.


start up IA Function for NPO/NGO
I found the article very helpful. By the way, as a beginner with theoretical knowledge on this issue, I find it difficult to take the first practical steps. I would kindly ask you to refer to practical examples, guidelines, audit manuals, etc. All advice related to audit in the NPO sector will be taken into consideration. Thanks a lot.
Posted By: Ettore Boles
2011-10-06 6:07 AM
comment
Please, it would also be better when communicating valuable information like this to include samples of audit manuals, reports, etc., so that new audit beginners can understand better how auditing is being done in a professional way. Thanks.
Posted By: nobert oduodi musina
2011-05-11 10:09 AM

