Whether working in-house or in an outsourced team, internal auditors have moved away from just looking for problems and instead are using their holistic view of business processes and controls to help improve organizations at a deeper level. Nicky Burridge finds out how CPAs in this specialist area work to ensure companies operate well in an increasingly complex business environment.
Illustrations by Gianfranco Bonadies
From a compliance checker to an independent advisor, the role of internal auditors has evolved in recent years as companies recognize the value the function brings to their business. Sean Cheng CPA, Senior Manager of Group Audit and Management Services at a leading conglomerate based in Hong Kong, explains that the main role of internal auditors is to offer an independent view on an organization’s risk management and internal controls, offering assurance that the business is operating within the boundaries and risk appetite of the company. Or, as Henry Lo CPA, Head of Internal Audit at Nan Fung Group, puts it: “Our main goal is to help the executive management team sleep well at night.”
But the work of internal auditors does not end there, and a key aspect of their function is to protect and add value to a company through being a trusted partner who can offer impartial advice. Corwin Kwong CPA, Internal Auditor at The Salvation Army, explains: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Alva Lee FCPA, KPMG Partner and Head of Governance, Risk and Compliance Services Practice Hong Kong, agrees, pointing out that because internal auditors’ work covers the entire organization, they have a more holistic view of the controls and processes than those who work in just one area of a business, or management who may be more focused on driving performance. “Companies are increasingly turning to internal auditors to provide insights, based on the data they gather. They can identify different themes and critical issues. Expectations have increased in this area.”
The work of internal auditors is very different to that of external auditors. Cheng explains that while external auditors are mostly focusing on the numbers in a company’s financial statements and ensuring they are prepared in a fair and transparent way, internal auditors have to really understand the business operations and strategic direction. “We have to provide recommendations that are practical and cost effective to help organizations properly manage their risks. External auditors have to apply auditing standards, while internal auditors have to apply more critical thinking and business acumen.”
Kwong agrees: “Internal auditors are not just focused on the annual report and financial performance, we also check qualitative matters, such as systems, procedures and workflow. External auditors are concerned with whether there are any material misstatements in the financial statements, while internal auditors help the company to maintain good internal controls, governance and risk management. We help the company to meet its goals and objectives.”
Lee adds that while external auditors typically work closely with the chief financial officer or finance department of a company, internal auditors may have more opportunities to work with different departments in a company and are not just limited to the finance function.
To illustrate the difference between the work of internal auditors and external auditors, Helen Li FCPA, Group Chief Auditor at The Bank of East Asia Ltd. (BEA) and President of The Institute of Internal Auditors (IIA) Hong Kong, gives the example of reviewing inventory. “If the inventory balance is down to zero, for an external auditor there is no financial reporting risk, but for the internal auditor there could be problems in the inventory management process because we focus on the control process instead of the end result,” she says.
Lo describes internal auditors as being the third line of defence in an organization. He explains that the first line of defence is the operation management, while the second line is the risk control or compliance function. “The third line of defence is us. We have to make sure the first and second lines are working in the right way, that they know their roles and responsibilities, and follow their risk assessment and risk prevention processes,” he says.
Kwong adds that alongside ensuring a company’s risk management systems and processes are working effectively, internal auditors also help uphold ethical standards and integrity. “The existence of a well-established internal audit department helps companies maintain a good checks and balances mechanism. Internal audit is particularly important to regulated and compliance-intensive industries.”
An expanding role
Internal auditors have evolved from something that is nice to have to a must-have for many companies. Lo says internal auditors are no longer regarded as being watchdogs but are now seen as trusted partners.
Li adds that the function has changed from doing the “very mechanical work of checking adherence to procedures and regulations,” to taking a holistic view of the business. “Given that internal audit represents a very small percentage of the total workforce, it is not effective assurance to check what other people are doing. Instead, we challenge the robustness of overall control mechanisms, including how management responds to changing risks. We take a high-level view on end-to-end processes and do a deep dive when necessary.”
Kwong points out that the importance of the work done by internal auditors has been recognized by the Hong Kong Stock Exchange, with listed companies required to have either an internal or outsourced internal audit function. He adds that the internal audit functions must have independent organizational status to provide confidence to investors.
Cheng agrees that internal auditors have an important role to play in offering assurance that a company is run with good corporate governance. “Nowadays, the business environment is more complex than in the past, and investors, the public and other stakeholders are not just focusing on financial performance, but also on the whole governance of an organization, and whether business decisions and operations are aligned with the vision, mission and values of the company.”
But although the listing requirement that issuers should have an internal audit function has been in place for years, Li says there is no requirement regarding the certification of internal auditors or conformance with the IIA’s international standards. At the same time, the internal audit function in many Hong Kong-listed companies still focuses on checking the operational compliance of historic transactions. “Internal audit is an important part of governance because we offer an independent, fresh perspective, but our positioning is not just determined by internal auditors themselves but by other stakeholders, regulators and the board and senior management, so we also have to demonstrate the value we bring to the table,” she says.
Cheng adds that it is important for internal auditors to educate company management about what internal auditors really do and how they can also create value.
In-house versus outsourced
Every company is different in terms of having an in-house, partially co-sourced or fully outsourced internal audit team, according to Li. She adds that despite the fact BEA has a large internal team, she is still very open to co-sourcing. “It is really about what helps you to achieve your objectives in the most cost-efficient way. I am a strong supporter of co-sourcing. Banking is a heavily regulated industry so we cannot fully outsource, but by doing co-sourcing we can tap into external resources when necessary. This is also good to benchmark industry best practices.”
Lo favours having an internal team, pointing out that internal auditors need to have a good understanding of the company’s operations, culture and individual businesses. “For a long-term relationship, it is a better idea to have an in-house team.” But he adds it can be beneficial and more cost-effective to outsource or co-source specialist expertise to carry out a one-off exercise, such as ethical hacking.
Cheng points out that for companies with global operations, outsourcing may make sense considering the cost, as it may be expensive to set up an in-house internal audit function with a global reach. “If you outsource to one of the Big Four you can utilize their resources globally, so it is quite cost effective.” However, he adds that with an in-house team, the internal auditors are also the employees of the company, so other staff, particularly the senior management, may be more willing to share what is happening and view them as a business partner. “It is difficult for an outsourced function to build the dynamics with the senior management. An internal team can also be more agile in responding to ad-hoc and urgent requests from the senior management,” he says.
Kwong points out that setting up an internal audit function from scratch can be costly, so companies may decide to outsource it initially, while gradually hiring their own talent and building up their own in-house team.
Smaller organizations or companies in sectors and industries that are less appealing to talent may also face challenges recruiting and retaining an in-house internal audit team, according to Lee of KPMG. She adds that for small teams, staff turnover could also lead to a significant loss of knowledge. “If organizations choose to outsource, although there may still be some turnover at the outsource firm, there will be a mechanism to ensure proper retention of knowledge and information,” she says. An outsourced team would also have greater access to market trends and best practices across the sector because of their exposure to more companies, Lee adds.
She also points out that there are differences for internal auditors themselves between being members of an in-house team and an outsourced one. “Members of an in-house team would be more focused in one corporate environment versus an outsourced one which would gain wider exposure to different companies and business environments.”
Internal audit engagements vary from sector to sector, but may include an audit of leasing operations for a mall operator or production processes for a manufacturer. Lo of Nan Fung says an internal auditor at a property developer may conduct a Safety, Health and Environment (SHE) audit. “The objective of this audit is to evaluate the adequacy and effectiveness of controls employed by the project team with respect to the safety, health and environmental management processes in a construction project.”
For a highly performing internal audit function, Cheng says it is important for internal auditors to set the tone at the top and ensure they are aligned with senior management’s expectations. “You have to understand the expectations and get their buy-in, for example, whether they expect you to have a pure compliance checking role only or to go beyond that to add value and provide insights or assurance on strategic initiatives.”
Once this is clear, the next step is for internal auditors to carry out an assessment to devise a risk-based audit and allocate resources to priority areas, based on the level of risk they pose. Kwong of The Salvation Army points out that having a sound understanding of a company’s operations and the function of different business units is also important. “Internal auditors have to study the company’s objectives and associated risks, as they develop their audit plan with reference to a company’s risk register and risk appetite,” he says. Taking the time to understand an organization’s business operations, strategy and risk, as well as any recent developments, is particularly important if you are an outsourced team, according to Lee of KPMG. “You have to understand what is unique about a business and whether there are any organization-specific projects we need to consider when we develop our plan.”
Lo breaks down an internal auditor’s work into four Ps: purpose, process, product and people. He explains that the first step is for internal auditors to define the purpose of the internal audit, which includes the vision, mission and values of the internal audit team. He describes the second step, process, as being internal audit management, which includes planning, fieldwork, reporting and the follow up phases. The product of internal auditors could include the audit report containing their findings, potential risks they have identified and recommendations to address these.
Lo stresses that throughout the process, it is important that internal auditors focus on people. “You need to define who your stakeholders are and have regular meetings with them,” he says. Lo adds that alongside having formal meetings during an audit engagement, he also has informal coffees and lunches with the heads of business units at his company. “If we want to be their trusted partner, we can’t just turn up every one to two years and issue a report. We need to have a long-term relationship,” he says.
New technology has had a significant impact on the work of internal auditors. Li of BEA explains that artificial intelligence (AI) and data analytics enable internal auditors to review the whole population of something, rather than relying on random sampling. These technologies can also detect anomalies or areas that require further investigation.
She gives the example of sampling the work of staff selling investments in a bank’s call centre. “If staff are selling investment products, and an internal auditor wants to make sure there is no misselling, and staff are not overstating investment returns etc, they would traditionally sample 3 to 5 percent of the calls, maximum. Now with speech recognition technology, we can easily convert speech into text and cover the full population of calls. We can also measure the duration of calls and their emotional tone, and use data analytics to identify patterns or pick out anomalies.”
She adds that technology not only gives internal auditors better coverage for compliance checking, but it also drives a change in staff behaviour. “People realize they won’t get lucky and be the 95 percent that is not sampled any more,” she says.
Lo agrees: “Data analytics has made our work a lot easier. In the past we had to review a lot of documents, but now we can use IT systems to review the data in the documents for us.” He adds that automating this aspect of their work means internal auditors have more time to spend investigating potential anomalies, while they can also use the results of data analytics to provide recommendations to improve the efficiency and effectiveness of the business operations.
Cheng says technology has also had a significant impact on audit procedures. “Take robotic process automation as an example. The bots can do tedious or repetitive work, like pulling data out from a general ledger and doing reconciliations with a pre-set schedule. This saves you a lot of time as an internal auditor, enabling you to focus on other things, such as offering insights from a governance perspective for the company’s strategic initiatives, or participating in more executive meetings to understand more about what is going on in the company, so that you can allocate your resources more effectively.”
But alongside assisting internal auditors in their work, Cheng says technology has also created challenges. He points out that as companies undergo digital transformation, internal auditors have a role to ensure no critical issues or new risks arise, and that the company is still achieving its business objectives.
Li expects technology to play an increasingly important role in the work of internal auditors, and as a result, she says it is essential that internal auditors are competent in this area and keep up to date with the latest developments.
Cheng adds that with technology increasingly being used in business processes, internal auditors need to keep themselves up-to-date on the technology application and ensure proper controls are in place to manage the emerging risks. Lo goes even further and predicts that in five to 10 years’ time, there will no longer be specialist IT auditors, but all internal auditors will have to be technology experts as part of their skill set.
Unsurprisingly, internal auditors have a significant role to play in helping companies identify and minimize fraud risks. One way in which they can do this is by using data analytics to review the transactions and identify any abnormal patterns, according to Cheng who works at a conglomerate. “The traditional sampling approach cannot meet the business needs to perform more focused and in-depth reviews on high risk transactions,” he says.
Lee of KPMG points out that internal auditors’ knowledge enables them to identify areas or transactions that are most at risk from fraud, while they can also use data analytics to highlight any potential issues that require more in-depth investigation.
Internal audit reviews can also identify when processes are not working as they should. Kwong says: “Three years ago, I found that an employee misappropriated our company’s cash income. I found it through several tests, including trend analysis, reviewing the segregation of duties, and reviewing income records and bank-in records.” But he adds that there is no standard operating procedure for internal auditors to use to detect fraud risk. Instead, he says the most important thing is to maintain professional scepticism. “Internal auditors should not be expected to find out all frauds. We are not police or forensic accountants. However, we should be able to identify fraud risk and be alerted to potential fraud.”
Lo points out that under the three lines of defence, it is the role of the first and second lines to monitor and prevent fraud, while the internal auditor should focus on the overall fraud management and mechanisms that are in place. He adds that they should also promote fraud awareness training and help companies develop whistleblowing policies.
Li of BEA agrees that internal auditors can contribute by reviewing a company’s overall fraud risk management framework. “Fraud is very difficult to preempt, but should be managed to an acceptable level. To help prevent it, we look at both hard controls, such as systems, policies and procedures, and the soft side of controls, such as the tone from the top.”
She adds that some of the warning signs internal auditors need to look out for include people cutting corners as conduct is contentious. “It may not have an immediate financial impact but could cost an organization dearly if such undesirable behaviour is not rectified in a timely manner. The really hot topic for internal auditors is conduct risk, culture and ethics, which are much harder to audit.”
Cheng thinks the biggest obstacle is getting management buy-in for the internal audit function. “If senior management does not see internal audit as a business partner, they will not give you the resources you need to carry out your work, and they will be quite defensive and treat you as a policeman looking for problems. If that happens it can be quite difficult for an internal auditor to add value. Yet this culture is quite common in Hong Kong,” he says.
Kwong considers advancements in technology to be the biggest challenge that internal auditors currently face. “New systems and technology are being innovated every day, which companies use to enhance their operating efficiency. Internal auditors have to be quick learners and be responsive.”
Lo thinks the main challenge is remaining up-to-date in the changing business world. “My company used to be focused on property development, so some people in my team came from engineering and surveyor backgrounds. Now we have expanded into property leasing, such as malls, as well as finance and life science investments. As an internal auditor you need to stay relevant and on top of all of these businesses.”
Lee agrees: “From the impact of COVID-19 to business transformation and new technology, the business environment is changing very quickly. Stakeholders have an expectation that we will keep up to date with these changes,” she says.
Courage and scepticism
While internal auditors may need some of the same technical competencies as external ones, they do not have to come from an accounting background. Instead, it is more important for them to have good business acumen and a range of soft skills. “To effectively carry out the internal audit function, internal auditors must understand their company and different departments, and business functions well. Good listening and communication skills are important,” Kwong says.
He adds that while there is no absolute “skill set package” for internal auditors, and the skills they need will vary according to the industry and the operations of their company, they do need sound financial and accounting knowledge, strong writing and presentation skills, and professional scepticism. “It is also important that they are a quick learner and are flexible so they can adapt to changes,” he says.
Cheng agrees: “Internal auditors need critical thinking and business acumen to understand the business context and identify any control deficiencies, inefficiencies and make practical recommendations balancing the cost and controls. They also need to be tech-savvy to understand how the adoption of different technologies is impacting the business and identify the relevant risks.”
Lo also thinks it is important that internal auditors have good soft skills, particularly those in persuasion and collaboration. “If you highlight an issue to a site manager who may have been there for 30 years, you may need a lot of persuasion to help them see why something needs to be changed, especially when you have been in and out for only a few weeks,” he says. Lo adds that collaboration is also important because a lot of issues cannot be fixed by just one person or one team. “Sometimes you need help from the IT team, the human resources team and the project team. You need to ensure all of these parties collaborate,” he says.
Lee thinks it is essential that internal auditors are good communicators and are able to write succinct reports that clearly convey their findings, the implications of any issues they have uncovered and their recommendations to remedy them in order to get buy-in from management. “The ability to adapt and learn quickly is also important for internal auditors, as we look at such diverse processes and functions. Even if we specialize in one industry, different organizations have different set ups.”
Li points out that the top skills in demand are business acumen, critical thinking, data analytics, and IT knowledge. In terms of soft skills, she says: “We need good communicators with the courage to speak out. We have to be candid but in a diplomatic manner. Internal auditors also need good interpersonal skills as we are dealing with people all the time.”
Accountants interested in becoming internal auditors could consider obtaining The Certified Internal Auditor (CIA), a professional designation issued by the IIA, the global professional body for the industry. “Taking the exam and getting the CIA designation can provide you some basic knowledge on internal audit. In fact, IIA has organized a number of CIA Challenge Exams with other professional accounting bodies like Hong Kong Institute of CPAs to provide a fast track route for those with a CPA designation to gain the CIA designation,” Lee says.
Cheng suggests working in an audit or consulting firm would be a good place to start, while Li suggests taking advantage of the rotational programmes some companies offer, such as taking part in a guest audit programme. “A short-term secondment as an internal auditor is used as a training ground for talent development in many organizations. People may consider such a programme to get a taste of being an internal auditor.”
A day in the life
The typical day of an internal auditor involves doing testing, analysis and evaluation, having discussions with business units, and writing reports, according to Corwin Kwong CPA, Internal Auditor at The Salvation Army. “It may sound boring or routine, but the content and focus point of each audit assignment could be very different. For example, while testing in one assignment could focus on purchase of materials, testing in another assignment could focus on the protection of personal data,” he says.
Helen Li FCPA, Group Chief Auditor at The Bank of East Asia Ltd., describes her typical day as containing lots of meetings. “Internal auditors have a seat on many management committee meetings as an observer. I also have a lot of meetings with my team, brainstorming, planning and having checkpoint meetings discussing what we are going to do, our work approach and focus areas, as well as reviewing results.” She adds that there are also lots of interactions with different business units to understand key changes including the challenges they face. “Internal auditors can provide timely advice on governance and control matters as a result,” she says.
Sean Cheng CPA, Senior Manager of Group Audit and Management Services at a leading conglomerate based in Hong Kong, says most of an internal auditor’s time is spent talking to people and understanding business processes. “To perform an internal audit, we usually review the policy and procedures, perform data analytics on business transactions and check on the supporting documents. But the more interesting part of our work is talking to people to understand the exact challenges they face in the business, what issues they come across and how they manage them, and whether proper controls are in place. You really have to put yourself into their shoes and critically assess the practicality of the recommendations you are going to make.”
Internal auditors working in an outsourced team may have multiple projects on hand at the same time, according to Alva Lee FCPA, KPMG Partner and Head of Governance, Risk and Compliance Services Practice Hong Kong. “You might be focused on the execution of one project, but still be waiting for follow up from the client on another one, and planning for the next engagement at the same time, so you have to multi-task,” she says.
Alongside doing their day-to-day work, Henry Lo CPA, Head of Internal Audit at Nan Fung Group, stresses that it is also important that internal auditors find the time to keep track of the latest industry developments, regulatory changes and any news, such as court cases, that may have implications for their organization. “All of these are relevant to us if we position ourselves as a trusted partner of the company and we are helping them on the risk and controls,” he says.
Gaining the most out of internal auditors
Internal auditors should be viewed as trusted advisors if companies are to gain the most benefit from them. “Organizations need to really appreciate the internal audit function and feel comfortable accepting an independent view on how their business is operating and which areas could be improved,” Alva Lee FCPA, KPMG Partner and Head of Governance, Risk and Compliance Services Practice Hong Kong, says. She adds that it is also important that management share their business strategy and plan with internal auditors to ensure their focus is aligned with that of the board’s.
Sean Cheng CPA, Senior Manager of Group Audit and Management Services at a leading conglomerate based in Hong Kong, suggests internal auditors should work closely with senior management and get themselves a seat in executive meetings to understand the business strategy. “We need to understand the strategic direction of the company so that we know what is important to the company. If we don’t have management buy-in, the internal auditor can only review past transactions or review operations, they do not add value.”
Corwin Kwong CPA, Internal Auditor at The Salvation Army, thinks that for a company to get the most from its internal audit function, the organizational status of the internal auditor must be clearly established and respected. He adds that setting the right tone from the top is also critical to enable the internal audit function to be effective.
He points out that internal auditors administratively report to the CEO, but functionally report to the audit committee. “Managers or business units may be hostile to internal audit. Some may also complain that internal auditors disrupt their money-making operations. It is important the leaders and management stay neutral at such moments.”
Henry Lo CPA, Head of Internal Audit at Nan Fung Group, stresses that it is important that management trust internal auditors and understand they are on the same team. “We are not there to pick out errors and mistakes. We are part of the team to help them solve problems and achieve their business objects,” he says.
Helen Li FCPA, Group Chief Auditor at The Bank of East Asia Ltd., suggests organizations should continuously adapt to the changing environment instead of operating in a hierarchical way. “I believe in teamwork and collaboration. There are always better ways of doing things. I think everyone has to be really open minded including challenging their own thinking and practices to embrace change,” she says.
Li also encourages internal auditors to be seconded to different departments to gain an insight into their operations, as well as to have talent from other departments join the internal audit function as guest auditors. “It is very easy to criticize, especially with hindsight, but you have to be constructive and forward-looking. I think that exchange of experience really helps,” she says.