c




   


 

 

One of the more interesting reengineering stories in internal audit is that of Minneapolis-based
Cargill Inc., an international marketer, processor and distributor of agricultural, financial and
industrial products that has more than 82,000 employees in 59 countries. One of the first steps in
Cargill¶s reengineering efforts was to acquire software that allowed the company to greatly
reduce its staff size and travel costs for risk-based audits. At the same time, the internal audit
department emphasized the value of experience and began to hire auditors with well-rounded
business backgrounds.

"Having people with an average of 18 months of experience did not help our credibility at all,"
says Rich Peters, vice president and director of worldwide audit for Cargill. "A lot of our
customers never saw the same auditor twice. But we¶ve been able to reduce the number of
auditors from 150 to 75 people by doing a good risk assessment up front and knowing how to
allocate our resources."

Cargill has defined approximately 25 business processes within the organization and has trained
one or two auditors to become specialists in each of those processes. Twelve auditors do nothing
but risk assessments. These business process specialists concentrate on management and the
business in terms of acquisitions and divestitures, new business models, and anything that might
impact overall business risk.

The transformation has taken almost seven years, during which time the average experience of
auditors at Cargill has increased from 18 months to 12 years. The average time to issue an audit
report has decreased from 25 days to nine days. Success is measured by reviewing responses to
customer surveys that are distributed via e-mail after every audit. The surveys ask whether the
scope of the audit was well-explained, whether it covered the critical aspects of the business, and
whether the auditors were disruptive. The end result? Cargill¶s internal auditors consistently rate
in the mid-90 percent range in terms of adding value and having the right skill set.

"Business units didn¶t like to see internal audit come in," says Jorge Sarria, manager of CFO
solutions for AnswerThink Consulting Group, Miami. "But due to the value they¶ve been adding,
they¶ve been getting involved in projects to reduce inventory costs and cycle time to the extent
that companies are asking internal audit to get involved at the very outset."

Adds Jeff Rosengard, managing director of CFO solutions at AnswerThink Consulting Group in
Hudson, Ohio, "Companies are viewing their internal audit department more like an internal
consulting department. They¶re bringing people in from human resources and engineering to
address the whole value chain. Whenever we put a project team together with a client, we insist
that there¶s someone from internal audit on board because they have a very good knowledge of
the business itself and the processes and have a very good knowledge of the systems."

In his report "Best Practices in Internal Audit," Lawrence A. Reiger focuses on four main
components of internal audit: people, processes, technology and knowledge. Reiger, global
managing director of business process risk consulting for Chicago-based Arthur Andersen, says
the real power of creating a world-class internal audit department is melding all four
components.

1.    "We see people trying to create a competency-based organization," Reiger says.

"Rather than hiring the classic internal auditor, they¶re recognizing that if they look at the
universe of things they have to do, they need a variety of competencies." Reiger cites one
example as Intel Corp., which recognizes that it needs a variety of engineers in its
internal audit process.
2. 


 Companies have started to create a risk language that¶s common throughout
the organization. "Entergy, an energy company in New Orleans, has created a risk
language by identifying 35 or 40 different business risks that exist in their organization
and are transparent," Reiger says. "A lot of companies are struggling with the common
process language because it forces you to look beyond organizational boundaries, and
that¶s difficult to do."
3.    "Internal auditors need to use technology to understand the processes they
have to follow," Reiger says. "It¶s important to embed the methodology you¶re using into
a technology-based platform that all of the internal auditors in an organization can have
access to."
4.      Companies such as Cargill send out customer satisfaction surveys at the end
of every audit to determine the amount of added value. One of the ways to make certain
an auditor is active and involved is to ask customers for feedback. And in order for an
auditor to do his or her job effectively, he or she must have access to knowledge. "Zurich
Insurance, based in Switzerland, has about 400 internal auditors all over the world who
have access to a centralized knowledge base to determine what the best practices are in
various business units," Reiger says. "The purpose of the knowledge base is to help the
business unit you¶re auditing reduce their current business problems."
Internal audit in the early part of the 21st century will focus less on being a traffic cop; however,
no one is ready to speculate that the compliance aspect of internal auditing will become a totally
lost art. The ongoing challenge for most companies trying to reengineer their internal audit
department will be to balance compliance with value-added activity.

   c


Here are some of the best practices in internal audit, according to Susan J. Leandri, director of
global best practices for Arthur Andersen, Chicago.

u Develop a value-added customer focus.

Building a clear customer focus is likely the most important element in building a
successful internal audit organization. The benefits that a value-added customer focus
brings include a higher value placed on internal auditing, a better ability to measure the
internal audit organization¶s output against customer expectations and, ultimately,
higher audit-customer satisfaction. By developing methods to identify and profile audit
customers, internal auditors take the first step in forging a shared vision of what the
audit should entail. Once the audit customer profile is complete, determining customer
needs and expectations, and prioritizing customer needs will naturally occur. As all this
happens, internal auditors should continually pursue the role of operations consultant
and business partner, not simply risk inspector. "If you can get your business
processes in order, you can free up the kind of resources you need to transform your
business and focus on what¶s going to be effective in your marketplace," Leandri says.
u croaden the definition of risk, and develop an audit plan that significantly
improves business process performance.
Risk associated with critical business processes is the reason an internal audit
organization exists at all. Identifying risks through a solid risk-focused approach
ensures that the audit findings will be not only relevant but also critical to the
operations of the business. Leading companies develop audit plans that bring optimum
value to the company by focusing on comprehensive business risks. When the
definition of risk is broadened, a greater number of business risks are identified and
mitigated, and controls in business processes increase. As a result, more value is
added to the company, and internal auditors grow in their role as business partners.
u *se communication strategies that improve audit reports and encourage
knowledge sharing and organizational learning.
The most important form of communication between internal auditors and the audit
customer is the audit report. Effective communication strategies, such as writing
clearly and effectively, will improve the audit report process and ensure that more audit
recommendations are implemented. Using technology strategically to facilitate
information exchange is another important aspect of communication. Technology-
enhanced information exchange is crucial for knowledge sharing and organizational
learning, which improve business process performance by leveraging individual
knowledge, reducing duplicated work and eliminating errors. In addition, better
knowledge sharing builds a more powerful internal audit organization and a more
successful company. "It¶s all about how you create a more effective audit report that¶s
utilized," Leandri says.
 u Ônsure that internal auditors have traditional and nontraditional audit
backgrounds.

Successful internal audit organizations recognize that the way to build a first-rate
internal audit group is not to limit its staff to those with traditional auditing backgrounds.
Instead, these progressive internal audit groups are made up of professionals with
varied resumes. People with expertise in areas such as law, accounting, marketing
and supply planning bring special talents and focuses to the internal audit
organization. When their tenure with the internal audit organization is complete, these
auditors are typically transferred to other departments within the company. When this
happens, they bring their knowledge of business risks and controls with them, adding
tremendous value wherever they go.
u _eengineer the internal audit organization to continuously improve the audit
process.
"In the early days, it was very challenging for companies to think along process lines
and see the benefit of looking outside their industry for insight," Leandri says. "But
we¶re in a best practices era. You cannot pick up a journal these days and not find an
article about best practices." Leandri cites AirTouch Communications Inc., a wireless
communications company, as an example of one company that uses this best practice.
AirTouch has a $400 million wireless business with an internal audit department of 10
people, who do most of their work through what they call joint-venture auditing, Leandri
says. "They actually partner with others in the firm to conduct all aspects of this
evolutionary approach to auditing. But the most unusual aspect of the internal audit
function at AirTouch is a model that has developed over the past three years that
offers a combination of consulting and internal control analysis. As a result, the
company can create a diagnostic tool to help assess what¶s going on and then
implement the best practices. Reengineering the audit function for continuous
improvement strengthens internal auditing procedures, reduces audit-report cycle time,
increases the likelihood of consistently meeting the customers¶ objectives, and helps
reduce or eliminate non-value-added or unnecessary control steps.
u „ntegrate technology into all aspects of the audit process to increase efficiency.

Like any business process, internal auditing is greatly enhanced by the strategic use of
technology. Time-saving, work-enhancing technology helps internal auditors complete
the audit process faster and with more accurate results, thereby bringing more value to
the customer and increasing customer satisfaction. In addition to creating faster audit
process and reporting cycle times, technology expands the audit scope and increases
findings. Integrating computer-aided auditing techniques (CAAT) and using technology
to improve communication within the audit function and between auditors and their
customers are two important ways technology improves the audit process. "Part of this
best practice depends on how quickly your organization embraces technology,"
Leandri says. "The faster you adapt to technology, the more leverage you¶ll have to
compete in the marketplace now or in the future."