Internal audit: A strategic partner

A time that has presented great challenges for companies, has in turn provided abundant opportunity for internal auditors and the flagship event of the Institute of Internal Auditors Sri Lanka – the Fifth National Conference on Internal Audit 2012 – addressed how internal auditors have to play an increasingly important role in corporate governance.

From left: KPMG Sri Lanka Partner/Head of Audit Suren Rajakarier, IIA Sri Lanka Conference Chairman Nimal Gunawardana, Central Bank Governor Ajith Nivard Cabraal, IIA Sri Lanka President Ashane Jayasekara, CA Sri Lanka President Sujeewa Rajapakse and IIA Past President Sri Lanka Dharshana De Silva

Aptly themed ‘Internal Audit – A Strategic Partner’, the conference featured a line-up of Sri Lankan experts in the profession to address the gathering on a wide range of subjects, stressing on the importance of embracing technology and emerging IT trends and the need for a paradigm shift in the way businesses think to reduce the errors and misappropriations through proper risk management and governance structures.

Focus on risks that matter

In his opening remarks, IIA Sri Lanka President Ashane Jayasekara noted that the global crises over the past couple of years has taught businesses that managing risk in today’s global economy means managing reputation, and in a world being defined and shaped by new technologies, the oldest values of trust, honesty and integrity are more important than before.

“Ultimately, what we are seeing in today’s marketplace is that successful companies will be those who not only increase profits by maintaining the highest standards but those who increase social value at the same time. This inevitably requires organisations to have a greater and a holistic focus on governance, risk management, compliance and corporate social responsibility to ensure their strategies and business models remain viable given the endlessly changing business and regulatory landscape,” he stated.

Jayasekara revealed that a survey by Ernst & Young confirms the view that internal audit can no longer continue to operate as it always has. While acknowledging that there is no one-size-fits-all approach, the survey suggests that internal audit should focus on risks that matter, have greater clarity on the scope or mandate and put in place teams with the right experience and competence to deliver the mandate.

Meeting stakeholder expectations is essential to enhancing the credibility and value of internal audit efforts, and to do so, internal auditors must match internal audit coverage to stakeholder risk areas as much as possible. The profile of today’s successful internal auditor is one that demonstrates an understanding of the key issues of relevance to the organisation.

He added that like other professions, the internal audit profession needs to nurture a healthy ecosystem which would then provide the support for its further development.

“In this regard, I would like to stress that market recognition and acceptance which is attained through effective and consistent performance by internal auditors is better than any other form of recognition. While regulation could create some exclusivity, it does not necessarily guarantee respect and recognition towards the profession. The values upheld by internal auditors will also shape how the internal auditing professionals will be perceived in the market.”

“We are now entering a new phase, and must go beyond rule reforms to create the conditions for good governance to flourish – developing a conducive ecosystem for market discipline, building up the competencies of our boards of directors, and instilling a culture of ethical conduct and values,” Jayasekara said.

The new corporate world order

While the country aims of doubling its GDP by 2016, the keynote speaker, KPMG Sri Lanka Partner/Head of Audit Suren Rajakarier, questioned if the country is equipped with enough professionals and resources to face the changing landscape.

“Are companies going to share the same resources in such a scenario? That’s a challenge. How do we increase the number of internal auditors? Furthermore, a lot of people who are locally based only focus on checking transactions. How do we make them look at risk management, governance, structures so that they reduce the amount of errors and misappropriations?”

He raised these questions while delivering a presentation titled ‘The New Corporate World Order: How Does Internal Audit Fit In?’ Outlining some challenges faced by internal audit departments, Rajakarier identified the frequent changes in the regulatory compliance requirements and the Institute of Internal Auditors standards and cost containment, reduction in headcounts, and pressure to do more with less as some of the more prevalent challenges.

Others included aligning internal audit coverage to meet new expectations, moving beyond traditional internal audit projects to demonstrate value add to the bottom line, the lack of necessary resources and skill sets needed to meet responsibilities, leveraging technology to achieve greater efficiencies, and managing audit committee and management requests for ad-hoc audits and investigations.

Rajakarier went on to say that internal audit reports need to shift into a more preventive mode by looking at emerging trends and for this, technology has to be leveraged. Technology is vital due to the increasing complexities and volumes of transactions.  

He added: “The training of internal auditors is another aspect that needs to be looked into. I hear the Institute is making some headway in this direction. We also need to try to make people understand prevention versus detection.

“Prevention is so many times better than finding a cure. Global companies lose nearly six per cent of revenue to fraud. You need to take that amount and show the management to get them to understand the concept of prevention. You need to be able to articulate your importance – communicate how much you are saving for the company through preventive measures.”

He also noted that while earlier, auditing was an independent role, it has now evolved to an integrated risk management and corporate governance role.

Emerging trends

Internal audit should be able to deliver an objective and systematic evaluation of risk – IT systems are going to have a very important role here, Rajakarier asserted. However, he admitted that it is nearly impossible for an internal audit department in an organisation to have all the required skills to deploy such systems.

“This is where strategic sourcing should be used where companies only focus on core activities in the company and source whatever else they need. It also ensures cost effective delivery because when you source what you need, you are able to manage costs in a better way. I don’t mean that internal audit should be outsourced completely but just the special skills required,” he explained. This also gives companies access to specialised and global resources.

He also revealed that when looking for skills required for new hires, accounting, which people would generally see as a top requirement, is low down on the list, and it is analytical and critical thinking, communication skills, and data mining and analytics skills that ranks much higher.

Rajakarier also recommended conducting a more responsive and flexible risk-based audit plan in order to deal with global or local changes that may take place over the year.

“Don’t leave IT projects to IT people – auditors have a role to play there. Leverage audit technology and tools. If you do not have the necessary tools and skills within your organisation, you need to be able to communicate how important it is to the management and audit committees and source it.”

Another upcoming trend is data analytics, the science of examining raw data to draw conclusions. Many large corporate have taken the step to embrace data analytics. He pointed out that banks use this on a frequent basis to identify common frauds.

“Things we used to manually cannot be done so anymore because there are too many transactions and complexities. Data analytics is another good method to use to improve your internal audit. If you give findings of this nature to companies, the audit committees and management will be really impressed by what the internal audit department is putting on their table. Identify trends and issues that will affect the company in the long term – this is what managements now want.”

Read early warning signs

The Chief Guest at the conference, the Central Bank Governor Ajith Nivard Cabraal, while addressing the gathering highlighted the importance of the internal audit function in organisations.

“While internal auditors are generally the most unpopular people in an organisation, they play an extremely important and useful role and no one will ever want to challenge that. Internal auditors have an indirect benefit as they serve as a buffer between the management and other departments. You also create a huge deterrent effect on people who know that the work will be reviewed that is why I believe the profession has survived and is thriving, especially in such challenging times.”

He stated that internal auditors need to have a complete understanding of the business, for if they are to access risk, they need to know what exactly the business is about and what an organisation would face in different scenarios.

“In order to do that, you need to do a comprehensive risk assessment of all the departments as there could be risks lurking under other risks. You need to have in-depth discussions with other departments in order to find these,” Cabraal added.

He went on to say that there are several functions that organisations carry out that don’t really have any material use and those need to be identified. A careful assessment needs to done to select the areas that would require further attention – this will improve an organisation’s overall activity.

“In all professions today, you need to follow global and national standards. There needs to be a recognition and understanding that processes have been carried out according to a certain standard and value proposition. Give attention to risk assessment systems. Understand the governance systems – this is highly important.”

For any system to be functional, it has to be efficient in design and effective in operation. “We at the CBSL also rely on the assessments made to a great extent. We expect the internal audit function to be fair and I believe that the chartered accountants have shown that they are able to have systems in place to bring about this objectivity and this is something that is needed all the time. Your message has to be packaged in a way that people will believe it and understand that it will bring value to the organisation.”

He advised the internal auditors to couch the critical message in language that shows that they are being objective as it will then be absorbed better by the management.

“Internal auditors need to be proactive – you don’t need to wait for the fraud to be highlighted to go after it – learn to read early warning signs. Being a strategic partner is very important in this day and age. The internal audit function should not look like one that is there because it has been proposed in the corporate governance code, instead internal auditors should prove that they add value to the organisation,” Cabraal said.

Pix by Lasantha Kumara