In an environment of increasing emphasis on corporate accountability, cost management accuracy, transparent financial reporting, and ethical business practices, companies are more intent than ever on maximising their internal control, risk management and corporate governance processes. While few would debate the necessity to include internal audit, it does raise an interesting question: how do businesses determine the appropriate level of resources to devote to these efforts? Just how much internal audit is enough?
Given the stakes, it’s an important consideration. But it is not an easy question to answer. Without any strict guidelines, heads of internal audit, management and audit committees can have a difficult time deciding exactly what constitutes a reasonable outlay for internal audit. Should you spend the same amount as other companies in your industry? Or is a business’ size a more precise determinant? If you find you’re budgeting less than your competitors, does this place you in an advantageous — or a dangerous — position? What if you’re spending more?
Before you can begin to address these questions and make meaningful comparisons, you’ll need to take a look inside your own organisation and accurately assess what you’re currently spending on internal audit. It’s important to capture your total internal audit expenses, including “fully loaded” employee costs as well as budgets for travel, training and IT. Corporate overhead allocations may also need to be considered, as well as any third-party payments.
As you size up your operation, try to view your internal audit expenditures as an investment rather than simply a cost. As with any investment, there must be a measurable return. What level of assurance were you able to provide? What potential problems exposures were identified? What problems were avoided? What is the perceived value of your team’s work? Were the audit committee, management and internal audit customers satisfied? How much money did you save the organisation based on what you spent? And how do you know if your return on investment (ROI) is fair and reasonable? Are there other factors you should consider in measuring it?
To help you determine if your basic investment is at an appropriate level, it’s instructive to compare it to that of other companies. There are a number of sources that can assist you in benchmarking your operation. The largest of these is GAIN (Global Auditing Information Network), a database created by the Institute used for comparing one audit function against the average aggregate data of a group of companies. Other sources for example include your audit committee members, external auditors and internal audit service providers – all of whom may have visibility across other organisations.
However, beware of making hasty comparisons that are too simplistic. While it’s helpful to have empirical data on which to base an evaluation of your own situation, don’t forget that averages can be misleading. It’s critical to remember that this represents only one data point in a complex equation, and what’s right for one company may not be right for you. Your actual costs and investment in internal audit should reflect your unique situation.
In making comparisons, there are other factors you need to consider, different companies — even seemingly similar ones — can have quite different needs and, therefore, require different levels of internal audit investment to help them achieve their goals and effectively manage their significant business risks.
Based on your particular characteristics, determine how — and if — you should increase or decrease what you spend on internal audit. For example, using the “comparable properties” approach of estate agent valuers can help you more accurately compare your set of circumstances to those of other companies. Select three or four organisations that, outwardly at least, seem to be similar to yours, then add or subtract funding for your function in categories that require a different amount of attention. These can include: number of locations; international locations; degree of centralisation; control environment; maturity of business processes; internal audit remit and audit scope; degree of change in the business; and management’s risk tolerance.
A decentralised company, for example, would require more resources to cover its operation than a highly centralised one. Likewise, if your business has fine-tuned and optimised its internal processes over the years, it would need fewer internal audit resources than a company that relies largely on ad hoc processes or perhaps one that has new management. New systems, acquisitions and, of course, new regulations will also need to be considered. When you’ve calculated the areas in which you could spend less and those where you’ll need to budget more, add each component to come up with an investment level that is better suited to your situation.
Deciding how to tailor your investment is a big step forward, but it still doesn’t tell the whole story. That’s because the risks and events a business experiences are not static challenges. There is an ebb and flow to their occurrence, which calls for a nimble and flexible internal audit function. To keep pace with today’s dynamic needs, internal audit perhaps should become more of a variable cost.
However, this is not how most internal audit functions are currently managed or funded. Changes in risks and operations, such as potential IPO’s, new regulations, new software launch, management transition, spin-off or drop in revenue, will affect the nature of the risk and corporate governance issues a company faces. Some of the resulting workload that comes your way may be permanent, but some may be temporary or periodic. New risks from an acquisition, for example, may stabilise once the new unit is effectively established. Unless you’re able to adjust your team’s strength and skills to accommodate these shifts, you’ll end up with periods of over and under-used resources.
However, as you resource and fund your internal audit function, "risk" should be the primary determinant. An effectively executed, regularly updated and properly communicated risk assessment should be at the core of an internal audit activities driving its configuration, size, skill base and focus (and therefore its cost). It is “risk” that should clarify the skills needed, resources to be hired, timing and depth of audit work undertaken. Many heads of internal audit would question the robustness of their companies risk management processes.
Internal audit is a key component of the governance, risk and control framework and the value that it delivers is becoming more important than ever. By effectively matching the level of resources at your disposal to changes in company priorities and, most importantly, key business risks, internal audit has a greater chance of living up to these heightened expectations.