Internal audit and benefits of

outsourcing -

Morison Menon
Introduction
The internal audit function is one of the fundamental “checks and balances” for
sound corporate governance. A question that agitates the Board of Directors of
any organization is how competent and independent is the internal audit team in
the organization.

Corporate governance has been under a strong and critical public spotlight in
recent years, in the wake of a succession of blows to market confidence and
integrity, particularly in the United States and other countries as well. The
investor community’s expectations of boards and senior management, and of
those charged with providing an independent review of a company’s operations
and financial accounts, have been raised.

To meet the expectations of investing community, the governments and

regulatory authorities around the globe have been trying to synchronization of
accounting standards, strengthening the corporate governance principles, lifting
the bar on “criteria’s and propriety “of directors and introducing improved
market disclosure standards.

In this demanding environment, boards and senior management need quality

advice from sources that can be trusted and that can offer an objective view
about the systems and processes and adequacy of internal controls that helps
the company to be on the right track. In contrast to external audit, internal audit
function still needs to attain the maturity levels. Internal auditors need to focus
beyond compliance activities and should be smart enough to detect loopholes at
systemic levels and bring improvement in systems and processes that helps
companies to improve the bottom-line.

I would cover in brief the role of internal audit versus risk management,
expectations of regulators, and my assessment of internal audit functions based
on our experience with clients and lastly why it makes sense to outsource
internal audit.

Internal audit versus risk management

There are several definitions of internal audit as per standards followed by
different countries. My favorite pick would be “Internal auditing is an
independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organisation accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance
processes.”
 Many industry leaders are unable to distinguish between internal audit and risk
management. The basic function of internal audit is independent appraisal of
organizations internal controls, including controls over financial reporting. The
by-product of internal audit will be recommendations on internal control and
process improvements. Risk management, on the other hand, is about
identifying

and assessing inherent risks in the systems and processes, having appropriate
risk thresholds, having control mechanisms and mitigation strategies in place to
contain risk within the organizations risk thresholds. Risk management is critical
in helping an institution plan its strategic response to its changing risk profile
and ensuring effective risk management processes are in place to respond
quickly. A checking function (similar to internal audit) is often involved to ensure
that the risk control framework is in place and risk thresholds are not breached.
Internal audit also plays a complementary role in evaluating whether the controls
are practical, whether they are functional and how they might be circumvented.

The distinction is that risk management is on continuous basis carried out to

understand the changing risk perception day-by-day or on weekly basis and have
mitigation in place if necessary. Also risk management is better done by the
internal stakeholders themselves since they only understand the changing risk
profile and its impact on the organization.
Internal audit on other hand is a planned activity based on inputs of risk
management and other management inputs.

Regulators expectations
According to Basel Committee’s “recommendations (for banking sector) essential
criteria” for the internal audit function is:
● have unfettered access to all the bank’s business lines and support departments;
● have appropriate independence, including reporting lines to the board of
directors and status within the bank to ensure that senior management reacts to
and acts upon its recommendations;
● have sufficient resources, and staff that are suitably trained and have relevant
experience, to understand and evaluate the business it is auditing; and
● Employ a methodology that identifies the key risks run by the bank and allocates
its resources accordingly.
●
The language of the Insurance Core Principles and Methodology, developed by
International Association of Insurance Supervisors (IAIS), is almost identical on
the role of internal audit in insurance companies.

The Basel Committee has set out many important principles for the internal audit
function. A few of them are:
● Internal audit function must be independent of the activities audited and
independent from the everyday internal control process. This implies there has
to be objectivity and impartiality in the functioning of internal audit; and
● Every activity and every entity of the institution should fall within the scope of
the internal audit. This means there should be no scope for exclusions
permissible though extent and frequency of internal audit of each function in an
organization may vary.
●
Assessment of internal audit function
In many organizations internal audit function is an additional responsibility and
often leads to conflict of interest. Also where we have noticed that internal audit
department is independent, people are routinely drawn from functional role into
the internal audit department. In such scenarios the internal auditor often need
to asses functions wherein they have worked earlier. Objective audit in such
cases are not practical.

Establishing the authority of internal audit department and internal auditor

cannot be set by the management. The authority of the internal audit function
has to be earned by the auditors through their conduct and reporting of the
audit. Lack of required skill sets acts as dampener to the individual auditor
gaining respect and authority leading to the function becoming ineffective.

Also in many instances we have noticed CEO’s putting up pliant internal auditors
thereby negating the objective of the function as well as the Board of Directors.

In small and medium organizations in-house internal auditors don’t have full time
role and end up being idle or assigned other operational role along with the
internal audit function. Such appointments are sure recipe for ineffective internal
audit function.

Benefits of outsourcing internal audit

Since internal auditor needs to be a professional who is not only independent but
also competent to carry out the audit effectively it is in the organizations interest
to outsource the internal audit function. The benefits of outsourcing the function
far outweigh the prospect of having an in-house person. Few of the benefits of
outsourcing internal audit role are as follows:
a. Easy to establish authority and independence;
b. Avoiding conflict situations;
c. Having specialist person whose core competency is performing internal
audit role;
d. Getting internal auditors with specific knowledge of departments and
functions from business services provider based on function being
audited;
e. Ensuring internal audits go as per plan;
f. Better utilization of internal audit resource since internal audit unlike risk
management is not a continuous activity;
g. Easy replacement of internal auditor in case of results not being achieved;
h. Effective reduction is surprises during external audits
i.
Conclusion
Based on our experience with organizations, I am fully convinced that small and
medium enterprises should fully outsource the internal audit function, whereas
large ones may have a core team of internal audit function supported by
outsourced internal audit team with skills that are complementary to in-house
team. There is no harm in trying outsourcing of internal audit function since the
risks involved is negligible or nonexistent.

About Author : Sathya (Morison UAE Consulting)

Morison Menon Chartered Accountants provides professional advisory services in
the areas of Accounting Dubai,internal audit,business consulting,business
services,business valuation,due diligence,HR consulting,incorporation
help,performance consulting, process consulting ,company set ups,incorporate in
UAE,company formation & set up services in Dubai, UAE.
Company Website : http://www.morisonmenon.com