This article was first published in the September 2011 Singapore edition of Accounting and Business magazine.
Delegates at the recent Institute of Internal Auditors (IIA) 2011 International Conference in Kuala Lumpur, Malaysia, were urged to embrace change and add value to their organisations in order to live up to evolving expectations in the post-financial crisis landscape. More than 2,200 delegates from 94 countries converged on the city to hear insights from more than 100 key opinion leaders during July’s four-day conference, of which ACCA was a Gold Sponsor.
The conference theme, Standing Tall, symbolised the aspirations of internal auditors to become forerunners in governance leadership. ‘In the post-financial crisis, business leaders expect internal auditors to take on a more strategic role, and move from being compliance-focused to co-navigators for their boards and audit committees on governance standards and practices,’ said Wee Hock Kee FCCA, chartered fellow of IIA Malaysia and organising chairman of the host conference committee.
While the issues of risk management and governance will increasingly gain acceptance, the internal audit (IA) function will have to transform its mindset and modus operandi in order to deliver effective value in these areas. Speaking from the CEO’s perspective, Tengku Dato’ Sri Azmil Zahruddin, managing director and CEO of Malaysia Airlines (MAS), argued that weak governance and risk management was ‘not a process problem but a people problem’. ‘If IA focuses on processes, you won’t find anything wrong,’ he said. ‘But do the people running risk management understand the types and complexities of risk they are taking on?’
According to Azmil, the IA function at MAS has been transformed from a traditional unit with ‘lots of checklists and sign-offs’ to one which uses the enterprise risk management framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Business Assurance and Control Assessment initiative. These strengthen cultures of risk and control and instil the practice of self-assessment, ‘which is still getting to the maturity stage’. (COSO’s objective is to provide thought leadership dealing with internal control, enterprise risk management and fraud deterrence.)
Azmil explained that while the ‘bread-and-butter stuff must still be there, such as compliance with internal controls, we need IA to comment on issues like “do we have the right people? Are we getting the desired results from processes?”’ The IA function at MAS also ‘works hard’ to add value – for instance, in assessing the savings that can be gained following strategy recommendations. But Azmil stressed that getting returns on investment in IA is secondary to the critical role of assurance on internal controls and risk management.
Although IA is increasingly being called on to perform strategy audits, comments from the floor indicated that some auditors are uncomfortable with shouldering such expanded responsibilities. ‘How do you do a strategy audit? It’s a kamikaze assignment – imagine telling the board that your strategy sucks,’ said one delegate. ‘Strategy review is the role of the chief audit executive,’ replied Günther Meggeneder, the 2010–11 chairman of the IIA board. ‘We must challenge strategy in all the assignments we are doing.’
Azmil explained that MAS doesn’t conduct dedicated or special audits of strategy; rather, these higher-value recommendations are by-products of vanilla checks. ‘Auditors should pay attention to details, but also go up to 30,000 feet. The challenge for IA is to be able to go down to the ground, but to go up high as well,’ quipped Azmil.
Strategic issues are also important for banks, said Dato’ Haji Zainal Abidin Putih, chairman of CIMB Bank Malaysia. ‘IA has these insights into strategic issues, which add value, apart from day-to-day observations and bread-and-butter issues of compliance,’ he noted. ‘IA should be assessing and matching resources and growth. For example, if a division is growing, IA can assess if back-office support is sufficient and report on it. Or IA can pick up on the erosion of profit margins within business units and make the necessary recommendations to address this.’
Zainal also remarked that with hindsight he would have invested much more in the IA function when he was chief audit executive, since spending RM1m on assurance and risk could have saved millions more. In response, Azmil said that MAS management does not constrain IA resources.
‘Although there is a hiring freeze, the only department allowed complete free rein in hiring is IA. The resources that IA needs are discussed directly with the board audit committee. The CEO gets told afterwards by the board and I always comply!’
In the same vein, Zainal commented that CIMB builds very big IA functions staffed by nationals in each country it operates in as it expands its Association of Southeast Asian Nations footprint.
Since good governance is irrevocably linked with good corporate culture, should IA be attempting to evaluate the risks and impacts of organisational culture? This is related to ethics audits, predicted to be one of the key focus areas for the profession going forward. ‘It is not easy to define what culture is, and there is no bulletproof solution for cultural auditing,’ said Armand Lumens, chief internal auditor of Royal Dutch Shell.
‘But IA has the opportunity to assess the overall ethical culture and the opportunity to periodically assess the adequacy of the code of ethics,’ said IIA president and CEO, Richard F Chambers.
Ultimately, ‘corporate culture is set by the tone at the top. Management culture is usually influenced by CEO behaviour,’ noted Devanesan Evanson FCCA, a member of the IIA Malaysia board of governors and president of the ACCA Malaysia Advisory Committee. ‘However, IA by virtue of its position and interactions with everybody is perhaps the best ambassador of integrity.’
‘We are the conscience of the organisation and are there to foster ethical culture within the organisation,’ added Meggeneder. Lumens concurred: ‘IA staff should be role models and have the highest level of integrity. And IA should flag perceived incidents of non-compliance with corporate culture to management.’
Meanwhile, information security is mostly unknown territory for internal auditors, even though cyberthreats pose major risks. ‘Trends in cybersecurity show that the sophistication of threats is increasing and attacks are being commercialised,’ noted Jason Yuen, industry adviser at CyberSecurity Malaysia. ‘The sources of threats and attacks are well-organised and well-funded.’ Despite deploying endpoint defences, perimeter defences, and intrusion detection and prevention systems, breaches are still happening. ‘We are still getting hacked and we will continue to be hacked,’ he said.
Structural issues contribute to cybersecurity risks, Yuen argued. ‘Information security is parked under IT, which is focused on operations and implementing technological solutions. IT doesn’t think much about risk management and compliance.’
On the other hand, ‘audit and compliance at this point in time is focused on health checks using outdated tools and technologies. We are not keeping up with technologies; we are lagging behind. There is insufficient coordination with the security process and a mismatch of skills and expertise.’
To address cyber risks, Yuen urged that internal auditors must ‘acquire knowledge of technology and understand where these technologies fit within the security puzzle.
‘Treat security as a process that continually identifies risk,’ he continued. ‘The key thing to remember is that you will get compromised, so you need to focus on network intelligence, incident detection and response. What will you do about it when it happens? Will you even recognise it when it happens?’
Nazatul Izma Abdullah, journalist
New roles, new skills
Like other financial professionals, internal auditors are being urged to change their mindsets in order to be relevant and add value to their organisations.
According to the IIA Research Foundation’s Common Body of Knowledge (CBOK) 2010 global survey results, the major focus areas for internal audit (IA) going forward are corporate governance reviews, audits of enterprise risk management processes, reviews addressing linkage of strategy and company performance, ethics audits, and migration to International Financial Reporting Standards (IFRS).
To deliver these elements, internal auditors will have to enhance core competencies and technical skills. Three of the top competencies are communication skills (including oral, written, report writing and presentation), problem identification and solution skills (including core, conceptual and analytical thinking), and keeping up to date with industry and regulatory changes and professional standards.
Meanwhile, understanding the organisation ranked as the most important overall technical skill, since a solid understanding of the business is essential for internal auditing to effectively identify emerging risk and control issues. Effective internal auditors should also possess knowledge of auditing, internal audit standards, ethics and fraud awareness and enterprise risk management (ERM). In addition, internal auditors should keep abreast of the latest technologies. The top three tools that look likely to be used most in the next five years are computer-assisted audit techniques, electronic working papers and continuous auditing.
Because IA functions are key assurance providers, the maintenance of independence and objectivity is viewed as vital to their ability to add value to organisations. IA will also have to take on a bigger role in training audit committee members, as well as advising on strategy development and educating the organisation’s personnel.