Small Audit Functions, Big Ideas

Audit departments of limited size can learn a lot from their larger counterparts, but they have much to teach as well.​

Comments Views

​ When Denis Bergevin stepped into the role of deputy director in charge of the Internal Audit Division at Caribbean Development Bank, Barbados, in May 2014, he knew it would be a challenge. The bank had already upgraded its risk management function and some of its compliance activities. Now it wanted to achieve the same with internal audit — a move fully supported by the organization’s senior management.

“They had never had an experienced internal auditor at the helm of the department before,” he says. “They did have a very solid charter, so that was my starting point — to sit down with them and explain to them what internal audit should do.”

But with a team of just four people — including Bergevin — resources and time are tight. Not only that, but for the past 40 years internal audit at the bank has focused largely on compliance. One of his first moves was to ensure that other compliance functions and management took on that role to free up his team.

Communicating these changes to management has been key, says Bergevin, who has allocated two or three days a month to this task. In addition, he has devoted about three of the past eight months to developing a list of relevant audits as well as the criteria he will use for audit selection. With limited resources, it is crucial to
get the focus, depth, and duration of each audit right, he says.

Modernizing a small function in this way depends on taking the best practices larger audit functions use and making them work in an alien environment — where people and time are extremely limited. For Bergevin, working at the bank is a world away from previous roles — including more than seven years spent in Audit and Risk Management Services at the Canadian telecom giant Bell, which at one time boasted a team of 135 internal auditors. But he is optimistic that the practices he learned at Bell and elsewhere can be used to transform his department.

Bergevin also says that the way small audit functions operate can provide useful lessons for larger functions. He says smaller departments eliminate the narrow skill specialization of staff in larger departments because every person on his team has to be capable of taking on most audits. Auditors also have closer contact with senior management, something that seldom occurs in a larger function. And, he says, auditors in smaller teams develop better business acumen because they are close to the action.

“In a small audit function, the internal auditor who did the work is the one presenting the findings to the highest level of the organization,” he says. “That helps the auditor build relationships and understand how management thinks.”

Even if small audit functions often face larger hurdles, the truth is that functions on both ends of the size spectrum have a lot to learn from each other. Differences in the way small departments are funded and trained, and how they operate, offer fertile suggestions for improvement for large functions, and vice versa.

Cutting the Waste

Because resources are constrained in small audit functions, they have to be accurately and parsimoniously employed so that waste is reduced to a minimum. That does not always happen, of course. Many small functions do not have the leadership, experience, and skills to implement such initiatives. Many are stuck in a compliance rut. And many small function audit executives are low down the business’ leadership hierarchy, without authority to make the sort of sweeping, strategic changes that Bergevin is introducing.

A Matter of Size

Most internal auditors work in small audit functions. In its State of Internal Audit Survey 2012, Thomson Reuters estimated that 67 percent of functions have fewer than 10 people working in them and 80 percent have fewer than 20. But defining what constitutes a small audit function can be tricky, according to David O’Regan, author of Strategies for Small Audit Shops, now in its second edition.

“Whether one approaches this matter in either absolute or relative terms, it tends to be difficult to avoid a certain amount of ambiguity,” he says. “In absolute terms, an audit department that consists of one to three auditors is certainly small in most circumstances, yet a 30-strong team might also be considered small in some contexts.”

He says there are comparative metrics that can be useful in determining how small a function is in relation to its peers — for example, the ratio of the number of auditors to revenues or assets and the size of the audit budget as a percentage of the organization’s total budget. “In the end, I think a definition is dependent on organizational and sector context, and it should take into account the head count, the levels of experience of individual auditors, and the amount of budgetary resources at the disposal of the audit department,” he says.

But that does not mean they cannot adopt big function best practices if they remain focused and selective. James Paterson has used his experience at large audit functions — including a stint as vice president of Internal Audit at the global pharmaceutical company AstraZeneca — to develop a “lean approach” to internal auditing, which he says could help small functions concentrate on the fundamentals of best practice.

Now a director of the consultancy Risk and Assurance Insights in Manchester, U.K., and author of the book Lean Auditing: Driving Added Value and Efficiency in Internal Audit, Paterson says he believes in focusing rigorously on driving value and productivity. Key to that strategy is developing close relationships with senior management and the function’s other stakeholders to ensure that the work performed has real value to them. In many ways, that is something small audit functions are as equally well-placed to achieve as their larger counterparts, he says, because the head of audit is often the one performing the work and talking directly to the clients.

“Small audit functions need to be the most plugged in to management and smart at making choices about what to do,” he says. “That’s key because when they devote resources to something, it is always going to be a significant proportion of their budget, so effort has to be directed at the right thing.”

As well as ensuring that any other compliance and assurance functions are producing quality work , he says the function’s job is to drive accountability for management and fix its problems. For example, he sees little point in auditing a known issue unless management has already started work on fixing it and the value from any audit work is clear. For example, audit’s value might come from helping to identify the root cause of a problem, or to review the progress management has made in fixing it.

In addition, Paterson says assignment planning should, in most instances, be approached like a mini-project, with clear deadlines and a sense of the value that will be created. That can often entail prioritizing the scope of the work and being clear about what a helpful result might be. “This approach tries to avoid coming up with audit findings that are simply housekeeping points, or within management’s risk appetite,” he says.

He adds that lean auditing can encourage greater flexibility in assignment types. “A small audit function may be much more likely to generate value from, say, two 25-day assignments than from one 50-day assignment,” he says. “If stakeholders want more on the issue after a 20- or 25-day assignment, you can then identify another specific area to look at next, rather than just using up 50 days in a scattergun way.”

He admits that lean auditing requires much more planning and information gathering at the beginning of the process to identify the right areas of focus and the key areas where value can be added. The upsides are that the audit will often progress in a more purposeful way and, when audit work is produced, it has a far greater chance of being valued by the client.

Taking Time With Standards

To small audit functions, compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) may be seen as prohibitively time-consuming. “The main challenge that small functions face on the Standards is finding the time to take account of the different constituencies you serve in the organization and determine where your focus needs to be,” says Charles Windeknecht, vice president of Internal Audit at the global airfreight business Atlas Air Worldwide in Purchase, N.Y.

Bypassing this step is a false economy. When he took over the reins at Atlas Air more than seven years ago, his first priority was to carry out a current state assessment against the Standards to see how well internal audit was performing.

“I shared the initial results with the chief financial officer,” he recalls. “The assessment gave us a framework, some definable standards to work to, and a roadmap for us to improve in specific areas where we knew we could do better.” He also says that it gave him an opportunity to educate senior management about the Standards and provide transparency and honesty about the function’s current performance. Without taking the time to go through the process, the function would have lacked direction and been less engaged with senior management.

The 2015 head count for Atlas Air’s internal audit department is eight full-time posts. So, Windeknecht knows from experience that performing a self-assessment can be tough while trying to keep the function working. He says heads of audit at small functions can manage it by staying practical and organized, and by keeping the process as simple as possible.

Looking for Capacity

Windeknecht says one major challenge of running a small audit function is ensuring a high degree of collaboration among team members and with the business owners. The challenge is more daunting with smaller teams, as there is often only one person conducting each audit. “A mistake that smaller functions can make is to hunker down, lose sight of the broader picture, and focus only on one major audit,” he says. “But IIA members have set up some great networks to plug into and share knowledge and information in an informal and collaborative way, which can save a lot of time.” He says that he has benefited numerous times from his participation in the Airlines 4 America internal audit networking group, for example, and local IIA chapters.

Windeknecht says small firms often have a surprising amount to offer their larger counterparts in terms of sharing information in these networks. He recently shared his function’s entire quality assurance program with a department five times larger than his own, and he has also passed on advice about how to update an audit charter to another large function. “You can’t be shy to reach out to the big functions and the forums,” he says, “because you will find the way you work is likely to be of interest to them — it cuts both ways.”

One advantage small functions have over their large counterparts is their ability to be closer to management and understand their needs thoroughly, which can make their processes practical and relevant to the industry they serve. “Large audit functions don’t always get the pulse of their organization from the perspective of its entrepreneurial spirit, or from a strategic growth standpoint,” says Alyssa Martin, advisory partner at the independent accounting firm Weaver in Dallas. “Large functions become a little bit more isolated from the nerve center of the organization.”

She says this knowledge can make smaller audit functions more nimble and responsive to management plans and better able to keep close to the business’ strategy. In addition, small audit teams, when working well, tend to focus more on making the business better, rather than on compliance — a lesson large functions could do well to learn, she says.

Yet even the most plugged-in, highly focused small audit function can suffer from lack of capacity, something that is made worse because of the limited range of staff that work in such functions. “Every small function is at the mercy of the background and expertise of the individuals on the team,” Martin says. She says a team of three to five auditors is unlikely to have the in-house expertise to cover every financial, operational, strategic, and IT issue in depth. And while hiring staff to deal with IT risk, for example, is a problem for the entire profession, the budget needed to buy such expertise for a small function could be prohibitive.

Martin says audit functions can work with their peers in noncompetitive industries to plug some of that gap — a practice common in larger organizations. In the retail and banking sector, for example, she knows of CAEs who peer review noncompeting businesses in quality assessment exercises. It is a form of skills bartering and exchange.

“Of course, you have to be sure that from a strategic and intellectual property perspective those peers are truly noncompetitive,” she says, “but it can be a much better option than buying that expertise on the high street.”

As a provider of cosourced internal audit services, Martin supports the idea of hiring skills where they are needed — a strategy followed by audit functions of all sizes. But she warns that on a per-hour basis, cosourced hours are always likely to be more expensive than those spent by in-house staff.

Recruiting in-house presents challenges as well, and Martin urges heads of small functions to balance their needs realistically: “I think you have some that you know are going to be highly ambitious and critical thinking and you might be able to keep them, from a retention standpoint, for a year or two,” she says. “You have others who you want to keep long-term, and they perform consistently and have good auditing skills.”

Making the Most of IT

While large audit functions have bigger budgets for hiring staff, they also have more money to spend on audit software tools and IT training. That means staff in small functions are most likely to be trained on IT tools in-house, but that has had some surprising results.

When the technology services company Wolters Kluwer Audit Risk and Compliance conducted a survey of nearly 300 small function internal auditors — Audit Technology Insights 2013 — it found that small functions were 20 percent less likely to be using data analytic tools, and only 35 percent of small functions said that their IT budgets would increase (compared to 42 percent overall). Smaller departments were using cheaper solutions — such as Excel and Access — for data analysis. But 28 percent of small audit function respondents said all staff members on their teams were “fully proficient” with their audit technology tools, compared with only 18 percent of large-function respondents.

“We were surprised by the degree of technology use by the small functions,” says Mike Gowell, general manager and vice president of TeamMate, an operating unit of Wolters. “Those who can afford the technology and acquire it want to wring a lot out of it.”

He says small audit functions need to take an incremental approach to their IT acquisition and training. “Go for one process, one tool, even just a few features within that tool, so you fully master what you are implementing,” he says. This helps selling the benefits of IT spending to senior management, who can see incremental improvements to the efficiency of audit work, he adds.

Sharing Knowledge

It would probably surprise some that with their limited resources, small functions can teach their larger counterparts lessons — but the very existence of those constraints have lead to efficient practices that bigger departments would do well to emulate. Similarly, larger functions’ broader range of industry knowledge and up-to-date best practices can be of great benefit to small function heads of audit and their staff. Sharing such experiences and knowledge should be a priority for both groups of auditors.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

 

 

Comment on this article

comments powered by Disqus
  • IIA AuditBoard_Nov 2019_Premium 1
  • IIA GAM_Nov 2019_Premium 2
  • IIA OnRisk_Nov_Premium 3