Internal Audits - A New Strategic Position
Helen Mallovy Hicks
Mike Harris, leader of the Corporate Governance practice and Matthew Wetmore, a partner in the Internal Audit practice of PwC, discuss how to make internal audits work for you in a time of crisis.
Dean: Welcome to Strategy Talks with Dean and Helen, part of the PricewaterhouseCoopers Managing in a Downturn podcast series. I'm Dean Mullett, co-head of our Restructuring and Distress Strategy Group, and a member of our Credit Crisis Task Force.
Helen: And I'm Helen Mallovy Hicks, a Partner in the Advisory Practice of PricewaterhouseCoopers in the Dispute Analysis & Valuations group.
Dean: The current state of the economy is understandably of great concern for most Canadian businesses. This series of audio podcast discussions with a variety of subject matter and industry guests are designed to help your business weather the storm by exploring some of today's hottest issues related to the economic crisis.
Helen: Joining us today are Mike Harris, leader of the internal audit practice in Toronto and Matthew Wetmore, a leader in the of the western Canada Internal Audit practice of PwC. Matthew is joining us via telephone today, welcome Mike and Matthew.
Dean: So today we're going to talk about internal audit and internal audit function and how it's evolving. So I thought perhaps we can start with the basics. Maybe tell our listening audience what internal audit is and what an internal auditor does.
Mike: Sure thing Dean, great to be here this morning. The interesting thing between internal audit and external audit, obviously there is some misconception to the word audit and their name and most people think about audit probably more inclined to think about external audit which is the giving assurance over the financial statements.
It's a very focused on the numbers on the financial statements, providing assurance on them; there is obviously a lot of work behind that in both what they call substantive work, trying to understand the numbers and comfort on them. As well as the controls to support the process that generates those numbers. That's where you start to see the crossover to the internal audit. Internal audit is very focused on controls of processes but not just on the financial controls. Just one example, looking how effective you plan projects, whether it's capital projects for instance. Certainly it drives financial numbers but what management is more interested in is do those projects come in on budget? How are they managing it with the contractors? Those kinds of controls and processes to basically to have a successful business in place, internal audit will look at those; where traditionally the financial audit would just be, 'Are the numbers right?' You can have those right numbers and not necessarily have the most strategic business processes in place.
Dean: So some real potential value to have. I've run into a lot of companies where they get into a project, big spend and they realize that they're making money or not making money on it. And because perhaps they didn't have that right planning upfront as you talk about so that can catch some things in the early stages.
Matthew: I will just interject there that internal audit, the discipline, probably has been around for as long as external audit and what we've seen especially in the last five to ten years is a bit of an evolution in what internal audit focuses on. It's not just focusing on some of those financial processes and controls but it is trying to get more of the value added to strategic areas of the business and we'll talk about that more later.
Helen: And Matthew, obviously all companies don't have an internal control function, but what sort of size of company would likely have one and what are those smaller companies do without a separate internal audit function?
Matthew: That's a good question. Now companies that are listed in the US on the New York stock exchange are actually required to have an internal audit function, whether that's internal or whether they've outsourced that externally. So Fortune 500 companies, most of them, would have this internal audit function, within Canada if you look for many of the companies on the TSX would have an internal function and smaller companies that are only Canadian listed not registered, they'll have varying degrees.
It depends a lot on the complexion of their business. If it's just a small head office function, if they have just one line of business they may not have an internal audit function, however they may have specific projects that they do each year that will look like internal audit projects. So there's variety, but generally the larger the company the more need, the risk for internal audit especially as their business becomes more complex or they have a number of different strategic objects, then you'll see that they have a larger or more of an internal audit function.
Dean: So it's not required by the exchanges here in Canada, if you're just listed in Canada to have an internal audit function. So the companies that do it are some of the major ones that you've talked about, and they see it as a good business practice. I guess that's the rationale for it?
Mike: Right, there is certainly there is governance and risk controls related regulations. Canada, which requires you to have a look at your risk and control framework, can ensure that you are complying with that, and many companies look to the internal audit function to support that.
Helen: So Mike and Matthew here's a burning question, maybe this is a bit of a 20/20 hindsight but question, could a more value added or improved internal audit function have helped many companies like the financial institutions of the US avoid the impact of the current financial crisis or the meltdown that we saw in late 2008 and 2009?
Mike: Sounds like a pretty easy question, maybe Matthew I'll take a crack at that. I guess to really answer you need to understand what was the root cause of the financial crisis and obviously it's not any one particular issue and even if you look at the areas that broke down it wasn't just internal controls that broke down it was a risk management failure, it was corporate governance failure and a controls failure. So there is no doubt in my mind that internal audit plays an important role in all those areas and certainly has something to do with mitigating the risk that lead to the financial crisis. If you think about there is a lot of talk about the value risk models that failed. Internal audits would typically look at those kinds of models. One of the issues that could be a factor would be even if internal audit looked at it would anybody listen?
That's where I look why they're all intertwined. Even in internal audit does do their job in this day in age with some additional activities that they're doing, they can uncover these issues. But if nobody listens it's a real problem and I think in the past, the historical view of internal audit it was something that was left alone, had a traditional approach to it and frankly they used to just focus on financial controls people in the board room and senior management didn't pay a lot of attention to them.
So I would say that even if they did discover it I'm not sure if it would have solved the problem. I think where internal audit is going today more value added and focused more on risks and the business not just the financial controls that people are listening more so I think it's not just the control side of it. If you could get the governance and other areas surrounding internal audit all work together hopefully we can avoid the next financial crisis.
Dean: So can we talk a little bit about the voice of internal audit for a second, as you were saying in the past perhaps people were not listening even though there were raising these issues. Do you potentially see a strong internal audit function that is integrated into the business as perhaps a competitive advantage for some of these big complex companies and if they run it appropriately, to help them mind the problems that could be out there or for the opportunities for that matter?
Mike: Absolutely, they should be a business partner, they're there to assess controls and provide oversight at the same time that they're there to support the business and to make sure these issues are covered and business could improve. One of the key factors is for more traditional internal audit group that just focus on financial controls they may and likely don't have the skills to do some of that value added stuff. If they've just been working on just a financial side they may not have the operational skills in house.
They may not have the IT skills in house to focus on some of these new areas. If you think about the financial crisis, did they have people who really had deep understanding and knowledge about these financial models? And they are very, very complex; the boards didn't understand them so for internal audit to provide value they have to understand in a lot of the depth. There's people out there that are starting to join internal audit groups, but that change needs to take place, I believe, for senior management, the board step up and say, 'Hey, we want to listen to these people and they have something of value to add to the process'.
Helen: So what is then happening with the internal audit function and how will it change or evolve to focus more on the right risks today?
Matthew: Well one thing that we're certainly seeing is that boards are asking the questions. What am I getting from my internal audit function? Especially in this time of cost containment and they look at the dollar that they're spending. If internal audit is just duplicating or doing similar things that I'm already have covered with the controls group or maybe even from the external auditors from the financial controls why do I need such a function?
So what you're seeing is and it ties in a bit with what Mike was saying, around getting that quality of people that can really add value to the organization. But it's also a bit of chicken and egg because senior management or board don't value the input that internal audit can bring to them in turns of business advice, then internal audit isn't going to be in a place where they understand what are those key strategic areas of the company that they should focus on. So really what you're looking for is internal audit needs to take it on themselves to really understand what are these key risks within the business, what's the key strategy within the business, so then how can we align our plan as an internal audit around those things to provide that value and then that next step would be how do we get the right people then to execute against that?
Dean: So Matthew, are we seeing then these forward thinking organizations investing in and making sure that they have this talent? That's required for a strong internal audit function going forward.
Matthew: Well it's interesting, because in my travels, and I'm sure Mike would say the same thing, to see the spectrum there. There are certainly companies that are thinking about this, that as their business is changing or they fight for survival in this current climate, all the departments are looking at how do we become better?
Including internal audit, so in many cases you'll see executives in that internal audit, chief internal audit role and they're looking at that very thing. What do we need to do within our department to help this company survive, to help this company get better? Then on the other hand, especially sometimes within government agencies, within some really regulated companies, it may be a bit more this is what we've done last year, but the past 50 years this is what we'll continue to because this is what the board wants.
Mike: I agree totally Matthew. From what I've seen it's about the change management process. In the end it's the internal audit, its people doing tests and work around current business processes and design to assess if there's opportunities for improvements and some people are great at instituting change and others are slower to respond and there is a need for a change right now. We can thank some of the financial advisors that have got people more risk adverse, focusing on the nitty gritty financial controls, they don't want another fraud, they don't want another scandal and they haven't thought about the value added.
So now they're thinking more about it but its one thing to think about and its one thing to institute the change. As an example if you look at the technology and tools that internal audit groups have used say in the last 4 or 5 years, the focus is on a working paper package or how to make the audits go faster, communicate with each other in the field.
That's great but that's really just basic line stuff, the focus now we're seeing in a lot of leading edge thinking internal audit groups is what tools can they use to audit greater volumes of data? What kind of data management and data analytics can I employ which requires not just tools but people really understand how to use these to now go through, if you went through five thousand transactions trends, how can I analyze trends ten thousand transactions and really uncover some of the business issues out there in multi locations in various geographies and what not. That's much more complex to do but when you do it's obviously much more powerful.
Dean: It's definitely sounds like it with some of the areas that internal audit is now focused on versus where it focused on in the past and some of these tools and technologies that you refereed to that internal audit of tomorrow will have no resemblance of what it was in the past in a lot of regards in the smart companies will be at the front end.
Helen: What is all this going to cost? And how are organizations paying for this or prioritizing this cost?
Matthew: What we're seeing is that many companies had to build up a function or they had to certainly strengthen a function that they had, so there was a level of cost that's built up within internal audit and in many companies what we're seeing is that you can take that cost that they have today, you could probably reduce the cost of many of the departments but at the same time refocus the efforts to add value.
So let's just take an example, if a company had an internal audit function that cost them today $3 million but they looked at it and they say that it wasn't really focusing on the strategic areas of the company. It's really a very compliant focused function, it's very backwards looking rather than providing value to the business and some of the prostheses going forward, they can look it and say if we were to take that same $3 million and let's say that across the board G&A is being cut by 10 percent, so for $2,700,000 what can we do with this function?
We many need to change out some of the people but let's maybe do less audits but more high impact audits and maybe we can break it down in three areas, we do some compliance because the board still wants that. We need to focus there, but maybe compliance outside of the financial areas, let's look at some of the operational compliance areas. The other thing that we're seeing many companies do to assist with staying within their budgets or even to neutralize the cost of the function is looking at third party, big contracts. How can we add value going into the determined function on some existing spends or even finding process improvements on future spend?
Procurement is an example; there are other examples where you can demonstrate where internal audit can actually recover costs for the organization. Then the other areas are how we just identify areas of improvements by using best practices from other industries and other companies. So we're certainly seeing that as well, but what we've found is that many organizations in order to make that transformation is that may shrink the size of their department internally and look for outside service providers for some cohorts' assistance and for subject matter assistance.
Dean: You know Matthew it's interesting, I think you're on to something. I think you can get organizations to look at internal audit as profit centers; you can get a lot more of them following good process and good procedure on a consistent basis.
Matthew: It's interesting because the concept of having an internal audit is profit center has been around for a while and you will find two camps out, there will be some people that will be very resistant to it and saying that if internal audit is just being measured by the money that is returned then they're really not a tool for effective governance. But then on the other side you're going to have people that say yes, that's what you should be doing and they should pay for themselves and that's it. What I would say and it would be interesting to get Mike's perspective, is that the high performing functions observed within organization tend to be a combination of both. So it's not only fully on one camp, where they're just a profit center and that's all they focus on or the other side where it's just focused on compliance, no worries about how they're tracking how they're adding value to the organization but it's a mixture of each.
Mike: I agree Matthew and I think a good way to look at it is, we saw this in a research that PwC undertook of where the profession is going or it's been in recently and where it's going right now. We see on the compliance side the leading edge; a lot of groups are cutting the costs there. Not cutting the work necessarily, just working smarter, making sure they're focused on the right risks and many are cutting as much as 25 percent to 35 percent of the cost of their core compliance activities out of it and still giving it the same level of comfort to the boards and senior management. I think the internal audit groups and companies that think that way, it's more productive because you still want to think in a cost, every company is focused on a cost, and you want to focus on those areas where it makes sense to take costs out. But to your point Dean, if there are opportunities to add value and more than pay for yourselves as an internal audit group and these value added areas you want to take on more of those which may increase overall costs in the internal audit group, but save the company money over all.
Helen: Mike and Matthew you and PwC have done a study of internal audit functions, can you tell us a little bit about what that study was and what were some of your key findings?
Matthew: We each year do a survey of companies around the world on their internal audit functions. We ask questions like what is internal audit focusing on, how much of it is value focused, how much of it is compliance focused? And what we really have seen is shifts from being purely a compliance function to more of a value added forward thinking function. So that shift is definitely occurred and what we can do is go back and look at surveys and studies that we've done each year going back, take five years and you can definitely see that shift that's occurred.
Mike: One of the interesting findings there is what we should put a link to the readers, listeners, to the study that's on our website. Rough numbers, it was well over 50 percent I believe it was, of internal audit activities would be on financial and 20 percent on compliance. The majority of the work on financial controls and compliance and that number is almost flipped around. The leading edge in internal audit groups now surveyed more like 5 percent on compliance and 50 percent on financial and the rest of it is strategic business operationally focused.
Dean: Dramatic change.
Helen: While we're on the subject of the study, the study actually focused a lot on shareholder value and how internal audit function is changing from maybe controls focus or financial focus to shareholder value focus, can you explain to us what we mean by that?
Mike: Sure, we talked a little about the internal audit plan and how we've focused on risks the old way of looking at internal audit was just to focus on the financial risks. Granted financial risks also drive shareholder value but they're just one small thin edge of the wedge so to speak.
So it's taking a broader business risk approach of which business risks drives shareholder value, and obviously that's going to vary for every business. We talked a bit about the project risk and the issue on capital projects. While in many organizations capital intensive ones of course that would drive shareholder values but really the key to a newer approach in this, is that in that risk assessment, looking at that business from what drives shareholder value, we actually see internal audit groups now looking at it and doing an actual business driver analysis as part of the risk assessment, not just what can go wrong with financial controls. So that very deep dive into the business strategy, what drives value and extracting out there your internal audit plan to make sure you're focused on the right areas that drive shareholder value.
Matthew: To add to that what we're seeing is that if companies if they are taking shareholder or even stakeholders because when you're looking at governmental organizations they're worried more about the stakeholders. Senior management and the board, they're looking to maximize stakeholder value. Internal audit should be linked into that so that the same key areas that the board and senior management are worried about, internal audit should be thinking about and looking at to see where they can contribute and they can add value, whether it's from a compliance perspective, whether it's from a process improvement perspective or whether it's from a cost recovery perspective.
Helen: That makes a lot of sense, to refocus on shareholder value, but does that traditional internal audit function actually have the skills and capabilities of addressing things like business value drivers and business strategy?
Mike: Certainly enough the old style of internal audit but the new one does and it really goes back to having the right skill sets on your team. Matthew brought up a good point about stakeholder value; if you're going to look at say a client's corporate social responsibility or sustainability program, raw stakeholder analysis that's required for that, many internal audit groups aren't equipped to do that. But we see more and more internal audit groups, the ones for instance that were involved doing co-sourcing requiring us to bring in sustainability subject matter experts to do the value driver analysis up front.
To understand what drives value in the organization, what are the reputational risks to those organizations and then once you've selected it for internal audit review doing a deep dive on the processes and programs around that area with those subject matter experts. So, to answer your question by all means it's a new territory but with the talent and the right processes in place internal audit can definitely rise to the occasion.
Matthew: One thing that we're certainly having discussions around and maybe this almost encapsulates the shift that we're seeing. Historically you would look at internal audit functions, they would look at their people and their plan would be what can we do with the people we have? Where as a leading internal audit function would look at it to say what do we need to do, what's in the best interest of our stakeholders, which includes senior management and the board; then after they look at end of the plan they start to focus on how can we execute this plan?
Helen: So Mike, I asked you at the beginning: was there anything in internal audit to prevent or reduce the economic melt down that we just went through and you asked did anybody listen. So going forward what is your sense? Is anybody going to listen?
Mike: I think they will, what's really driving it is the risk side of the equation. We know for the first time we see board member saying I need to understand more about the risks in the organization, the risk management. I was on a podcast that we did a few months ago and this exact topic and we had John Clappison here talking about that issue. Of course we need to understand more about it, that's an organizational wide challenge for them to understand their business risks and articulate it to the board. But internal audit I think as we heard today plays a very significant role. The more roles they do play and they show that value to the board I think people will listen more.
Dean: Yeah, we're pretty well out of time here today. Mike and Matthew I did want to thank you for sharing your insights of internal audit with us. Again, I speak on behalf of Helen and myself and say that we probably now look at internal audit differently before we had this dialogue, so thank you for that. To our listeners, for more on this topic please download the publication and this strategic position 'Redefining Internal Audit in an economic Downturn' from our website at www.pwc.com/ca/internalaudit. Thank you.
Dean: This concludes this episode of Strategy Talks, part of the PricewaterhouseCoopers Managing in a Downturn podcast series. I'm Dean Mullett, thank you for listening.
Helen: And I'm Helen Mallovy Hicks. We hope you'll join us again soon for another episode. To download or to subscribe to this podcast series or to find more information on this topic, please visit our Managing in a Downturn website at www.pwc.com/ca/managinginadownturn.
The information in this podcast is provided with the understanding that the authors and publishes are not herein engaged in rendering legal accounting, tax or other professional advice or services. The audience should discuss with professional advisors how the information may apply to their specific situation. Copyright 2009, PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, an Ontario limited liability partnership, or as the context requires, the PricewaterhouseCoopers global network or other member firms of the network. Each of which is a separate and independent legal entity.