Internal Audit Efficiency
By Darlene Brown, Director, Risk Advisory Services
Prior to Enron’s issues and the passage of Sarbanes-Oxley, many companies decided to outsource their internal audit function. That trend was reversed starting with the control issues of 2001 and 2002. However, over the last two years the pendulum has been swinging back, and I have seen several companies again outsource their internal audit function. While there could be many good and not-so-good reasons to outsource, in each of these cases, someone had done a formal or informal cost-benefit analysis and decided there was not enough benefit for the cost.
I believe the easier issue to solve is the cost side of the equation. There are a number of areas which can be considered when reviewing the cost side of internal audit and most consider how we do less work. Assuming no co-sourcing, in general, no matter how one looks at internal audit, the biggest cost driver is people and their related costs: travel, training, space, equipment, etc. So, one needs fewer people to save costs. That can be achieved by doing less work or applying technology (CAAT, continuous auditing, etc.).
However, I am going to assume you have already applied technology and have already coordinated with the security, legal compliance, environmental, quality, and other “auditors” and process people within the company; and you still want to consider how you can survive and even thrive by doing “less” work.
I will start with the most obvious choice – your risk assessment. We have all been doing some form of risk assessment to determine the level of work that is needed for 20 years. However, it is my belief that the number of hours we need always seems to grow. There are exceptions (e.g., cutting back on SOX testing over the last several years). However, just as the external auditor always has a reason to increase the budget (you bought a new company, you put in a new system, the stress of financial conditions), I think we as a group have also fallen into the trap of adjusting up from the prior year.
I suggest the risk assessment be done as a “zero-based budgeting” exercise. In an attempt to save some time, some of us have increased the period between audits at several locations or for several processes. That is a start. However, I think there is more to do. My list includes:
- Work of External Auditor – We always want the external auditor to consider the level of internal audit work in planning and executing their work. However, have you considered the work of the external auditor in the level of your work? The external auditor is completing substantial levels of process, control and substantive testing on many of the same items you are testing. Since SOX started, they even test more. I still see internal audit groups spending some level of work on financial accounting and reporting issues. Are you duplicating effort?
- SOX Consideration – Your external auditor has to consider the level of SOX testing performed by the company. Are you considering the level of SOX testing you or another department is doing when planning your work? Even after the reductions over the last several years, that testing is substantial and could probably replace 30% of the work internal audit completed prior to SOX.
- Audit Entities – I still see internal audit departments listing locations or departments to visit instead of processes to test, or listing and doing both. Many companies have systems and records documentation where the internal auditor could audit a revenue system and documents, or a “procure to pay” system and documents for the entire company instead of testing it at each location. From an audit standpoint, it may provide greater coverage to do that. And, it would surely save time.
- Reliance on Materiality – I believe the biggest flaw in most of our risk assessment models is the reliance on materiality. In many, I see materiality being the driver no matter the input in other areas. Many multinational organizations have numerous locations. Some are large and sophisticated and others are small, remote and inadequately staffed for proper segregation of duties. In general, I do not see the problems at the European headquarters; I see the problems in the five-person office in a specific country or small region. Yet many risk assessment models would suggest 16 total weeks a year visiting the European headquarters and perhaps a visit to the isolated location every five years. We are spending too much time in London or Switzerland.
- Reduce the Hours – In many risk assessments, we spent 160 hours the last time we completed an audit in a particular area, so we plan to spend the same amount of time this year. Think through doing it in less time. What would be cut? Is it really that important? When you get your next QAR, specifically ask where you could reduce scope or cut hours. Ask someone from another location, function or process where you could cut time. What have they observed that seems to be inefficient or that could be reviewed more simply?
The second biggest issue with time (and also timeliness, but that is a different subject) revolves around report writing. My two best suggestions are eliminating and shortening reports, and utilizing workpapers. Although communication is the key to proving value, no one suggests a detailed written report is the best way to communicate to various levels of management. Over and over again I see detailed reports that are written and rewritten by different levels within an internal audit function and by various levels of management involved in receiving the reports. I have seen CFOs in large companies rewriting draft audit reports. Is it any wonder I see reports taking up as much as 30% of the entire IA budget?
So, start using workpapers to present findings to the auditee and have something very short or a checklist that goes to upper management or the audit committee. Like newspapers, audit committees, CEOs and CFOs need documents written in language a fifth grader can understand. What one sentence can explain each issue or what two sentences can explain each audit? What columns with checkmarks can indicate the auditee agrees, has a plan for corrective action and IA is supportive of their plans?
And, last, I want to suggest something simple that works wonders – not allowing people to go over budget. If the budget is 160 hours, unless something significant comes up, no one should be allowed to go over budget. The biggest issue I see at the staff, senior and manager level is stopping. There is always a reason to spend more time. But, there is generally a better reason to stop. Of course, your quality control will have to make sure the leader in the field recognizes the need to leave time to finish and understands working on important issues first. After the first year of enforcing this constraint, you may find out there are one or two other steps that are not important, and the budget could be cut another 10%. Always have your staff remember the 80/20 rule.
In summary, one of the issues you face is your cost. Cost savings can best be achieved in coordinating with others, utilizing technology, rethinking your risk assessment, rethinking your report writing and living within budgets. I would appreciate hearing from you about other things you have done to reduce cost without reducing the perceived benefit you provide.