Internal audit departments come in all sizes, and one of the most impactful presentations at GRC Summit 2019 focused on practical ways smaller audit functions can increase their risk coverage. In this article based on his presentation, John Sidwell, Senior Director of Internal Audit at Cypress Semiconductor Corporation, breaks down his tactics to get the Audit Committee on board with covering more risks (and providing the resources to do so), suggests clever ways to obtain resources to increase coverage, and shares the slide that helped convince executive management to start an ERM program.
A small audit shop is often understood to mean small staff, small budget, small risk coverage, and small value add—but it doesn’t have to be this way. Smaller audit functions have the ability to transform their direction to create more risk coverage and, as a result, more value for the organization.
One common thread that unites audit departments of all sizes is that internal audit will always be looking for ways to cover more ground with fewer resources. In this article you’ll learn concrete tips and techniques including how a CAE can steer the Audit Committee toward expecting more and supplying more resources, how to sell ERM as a basis for measuring risk coverage, and creative ways to increase resources to strengthen broader risk coverage.
1. Make the Business Case for More Resources
Start a Dialogue with the Audit Committee and CFO
It’s the CAE’s responsibility to sell the Audit Committee on what is needed to fully cover the risks for their benefit. The first step is to start a conversation with the Audit Committee and the CFO to understand what they expect from you, and how to deliver on those expectations. If they only expect SOX coverage, it’s your job to steer them toward what they should expect from a risk coverage. This doesn’t need to happen overnight — it will probably be a process that can be advanced using these next steps.
Benchmark Against Peers
Once you start the conversation and learn what the Audit Committee wants, a good next step is to benchmark to level set your department versus your peers. Instead of using generic data, you’ll want to leverage your network and professional organizations to gather data on companies that are similar in terms of industry, size, age, and geographic footprint. Four useful categories to measure your department and comparable companies are budget percentage to revenue dollars, annual internal audit department budget, company revenue per headcount of the internal audit department, and a total headcount of full-time equivalent and co-sourced employees. Showing a benchmark comparison to the Audit Committee can convince them that internal audit is undersourced compared to similar companies, which can be a step toward increased investment in internal audit.
Assess Team Performance
After benchmarking, the next step is to critically and honestly assess your team performance and conditions over the past year. Talk about the root causes of why performance wasn’t perfect and limitations that you had, then use that data to drive forward changes. One particularly important place to review is your Net Promoter Score (NPS), which is a useful vehicle to show how your audit customers think your team is functioning. When you review these results internally within the department, work on making recommendations for places to improve.
Develop a Get Well Plan and Track Progress
Once you have data on benchmarking, team assessment, and areas to improve, discuss the results with the Audit Committee and the CFO. This is not the time to say, “I need more money. I need more headcount.” If you need additional resources to develop the internal audit department properly, it will be obvious to the Audit Committee if you’ve completed these steps. You want the recommendation that the audit department needs more resources to come from them, not from you.
In anticipation of this and subsequent discussions, you’ll want to develop a get well plan to proactively take to the Audit Committee. Your plan should include where you currently are, where you want to be, and the time period to get from point A to point B (consider a three year roadmap). This agreed-upon strategic roadmap of your department allows you to measure your progress against your plan, and share it with the Audit Committee each quarter so they can see the progress internal audit is making.
2. Sell ERM as a Basis for Measuring Risk Coverage
Enterprise Risk Management (ERM) can be a strong tool for measuring risk coverage, and more importantly, risks you’re not covering.
Download this chart showing root causes of share price decline by risk type to communicate the importance of an ERM program and strategic risk coverage
The chart above has been a valuable aid in selling the importance of an ERM program when talking to executive management, and in convincing them that some risk areas are not being adequately addressed. This study was initially conducted by Corporate Executive Board when ERM was just starting to attract attention, and was updated fairly recently by Deloitte since ERM gained widespread acceptance. It was a study looking at companies whose market cap declined by more than 40% during a year, and examining what caused the market cap decline or bankruptcy. The study identified through public information that 80% of the risks that caused the market cap decline and/or bankruptcy were strategic-oriented, not compliance-oriented — and only 9% were operational, with very few financial and legal risks affecting the decline.
This is concerning if, as is common, your audit plan focuses on finance and compliance risks, with perhaps some operations and hardly any strategic risks. A compelling case can be developed if you use an actual case of bankruptcy within your specific industry and map the public information to this chart. This slide can help the Audit Committee, CFO, and CEO understand the importance of strategic coverage versus other risk coverage as being the type of risk that causes companies to fail. Using a chart like this can help to drive home the point that even if your company doesn’t have a formal ERM program in place, you should at least do an enterprise risk assessment (ERA) once a year to help determine audit coverage—and that risk assessment should include strategic risks.
3. Innovate to Increase Resources to Improve Risk Coverage
No matter the budget situation, a smaller audit function will likely always need to get creative to obtain audit resources to help cover risks. There are many opportunities to increase your coverage without having to request a lot of additional budget and headcount.
Internal audit can gain budget by cross charging services for investigations to the department being investigated instead of taking the investigation cost out of your limited budget. You might consider outsourcing statutory or other specialty audits otherwise requiring travel.
Memberships like The Internal Audit Peer Group (IAPG) from The Neu Group can save time and costs by providing you with information so you don’t have to recreate the wheel for audit coverage.
There are several ways to gain budget with SOX, including outsourcing or co-sourcing with specialty firms to transfer the risk of resource peaks and valleys. If you negotiate multi-year fixed fee contracts, your company won’t need to worry about hourly rates. There’s also an opportunity to save big by donating a few of your lower-cost team members to reduce testing hours with the provider.
If you’re looking to gain access to additional subject matter expertise, consider pulling guest auditors from other departments for 2–3 week projects or IT specialty audits, or bringing in college interns with in-demand skill sets like computer science and data analytics. Internal audit can also team up with internal groups who already are using advanced analytics or AI to give internal auditors on-the-job experience in cutting-edge technology.
Finally, there is an additional opportunity to effectively strengthen broader risk coverage by assessing the Three Lines of Defense model within your company. You will likely find many “audit” type of functions buried within most organizations that contain significant resources. By definition, these resources will be working on very focused subject areas, which normally will not register in the top 25 risks of the company. There is an opportunity to sell the fact that the company is spending money and time addressing lower level risks, when with internal audit department collaboration, the spending could have a much higher return on investment. Leveraging these hidden resources can help cover global risks of importance.
Internal audit may continually struggle with low budget, but there are many opportunities for smaller audit functions to provide more and better coverage. No matter the size of the department, it’s the CAE’s responsibility to steer the Audit Committee and executive management in the right direction regarding their expectations for risk. When they understand the importance of global risk coverage and what is needed to provide it, internal audit will be in a stronger position to increase its budget. At the same time, a smaller audit department needs to stay innovative to obtain and stretch their resources. With these measures, a small internal audit function can break the stereotypes to provide comprehensive risk coverage while adding value to the organization.