The skill sets and industry insight needed to help organisations mitigate risk is vast, requiring a careful consideration of the Internal Audit model engaged.
Organisations of all sizes can benefit from Internal Audit (IA), however the decision to use an in-house team of IA staff, external consultants or a combination of both can impact how much value IA can deliver.
Carmel Mortell, Partner in Charge, Internal Audit at KPMG Australia says choosing the right IA model should begin with assessing the size, complexity and needs of the organisation. In addition, it must also have independence so that it can make accurate, objective assessments – a critical factor in its success.
Mortell says it is common for large organisations to have their own IA function, which for complex, listed, global businesses could comprise hundreds to thousands of people.
“You need a lot of different skills within or available to an Internal Audit team for it to be effective. You can do it in-house or in a co-source model as long as you have got all of the skills and a team size and budget that allows for those skills,” Mortell says.
Fully outsourced IA is often only the domain of small, complex organisations, explains Mortell.
“The business may have a cost base that only supports a very small group of IA staff full time, but they may need five or six different specialist skill sets to be effective. Outsourcing means you can get each of those skill sets for 10 or 20 percent of their time.”
Whether an IA function is insourced, outsourced or co-sourced, it is essential that the skills of the team align with the specific needs of the business. As IA expands from traditional compliance auditing to reviewing how a company’s strategic goals could be influenced by risk, having an array of skills to assess all aspects of the business is vital.
“In a pharmaceutical company you need people that can understand research, manufacturing, design and selling. You need people that understand the underlying business and its risks, and also you need people who are experts in risk, risk management controls and processes,” Mortell says.
Communication and influencing skills are also essential. The IA process can uncover countless issues in an organisation that could impact strategy, but unless they are communicated well, they could be dismissed by management or the board.
“It’s important for the IA function to have a rapport with the business and that they can put the audit findings forward in a way that can influence the organisation to want to take action on the advice,” Mortell says.
As organisations surge into the technology age, the need for the IA function to have an understanding of new technologies and awareness of the potential for cybercrime is also vital.
Each approach to IA can have advantages and challenges. Organisations that have an in-house IA function enables management to retain full control over their IA approach, and have immediate knowledge of the issues at hand. However, as a critical component of IA is independence, “the structure and reporting line of an in-house IA function requires careful consideration”, Mortell explains.
The positives of a fully outsourced IA can be access to valuable expertise, flexibility of cost and an independent viewpoint that could see things that employees do not. It can bring third-party assurance, as well as fresh industry or global perspectives. Conversely, there could be a lack of internal knowledge, or it could take longer to grasp processes.
Sharni Zoch, Partner, Internal Audit at KPMG Australia says after weighing up each model, many organisations arrive at the decision to co-source.
“A combination of a core in-house team boosted by external specialist skills sets or extra resources to backfill gaps in the core team can bring in the strategic elements,” Zoch says.
Zoch says co-sourcing can be particularly beneficial if the organisation has a continued relationship with the external IA supplier, so they can grow to understand the business. Co-sourcing can enable an organisation to top up skill sets, fill staff shortages, or perform work in various locations. An organisation could gain access to innovation in tools, audit techniques, thought leadership and benchmarking.
The challenges with co-sourcing can include the potential for confusion about responsibility and accountability, and a lack of cultural fit if the external provider isn’t aligned.
Whatever combination of IA that is settled upon, it must be judged according to whether it is satisfying expectations of stakeholders. It must demonstrate an awareness of the processes of the business and the risks it faces.
Organisations that outsource IA can maximise the opportunity with a few key steps. Zoch says to have a clear vision of what you need from IA and to keep coming back to that throughout the process.
“It is easy to spend money that is not on ‘value add’, so understanding what the purpose is and how you structure your internal audit around that is important. For example, if you want an IA function that focuses on key risks and more strategic initiatives, then you a need a more senior team with deeper subject matter experience.”
Being honest and open with IA teams, and allowing them access to the required levels of the business, data and information will help result in recommendations that should enhance the future of the business.
Internal Audit delves deep into organisations to assess company culture. Find out more in our article – Company culture and Internal Audit – why soft controls make a difference.