the outsourcing

the outsourcing 16 perspective Spring 2007 features value ■ Traditionally, companies establish internal audit function to ensure that relevant built-in internal control policies and procedures are complied with throughout the company’s operations. As such, internal auditors are perceived as a watchdog for identifying wrong doings and pertaining an important role within a check-and-balance system to prevent irregularities. Following the changes of rules and general acceptance of corporate governance regime throughout the world in recent years, apart from being a regulatory requirement, many listed companies recognise the needs for establishing and maintaining an internal audit function as one of the ways to strengthen their corporate governance measures. Some of these companies may take further steps to equip their internal audit function with the capabilities to participate in enterprise risk management1 (ERM) process. CREATING VALUE With the introduction of the ERM framework, the role of an internal audit function is becoming more prominent to create value for an organisation. Not necessarily in financial terms, value that may be brought to an organisation includes, for examples: Providing reasonable assurance on achieving company’s strategic and operational objectives; Ensuring business processes are operating in an efficient and effective manner; and More importantly, safeguarding the interests of stakeholders. features To meet this end, an effective internal audit function should be independently positioned in an organisation, having its comprehensive risk-based auditing methodology and more importantly, an adequate team of competent professionals. As the latter has a great impact on the success or not of an internal audit function, the rest of this article will focus on the alternative options one can pursue when setting up an internal audit function, ie to outsource internal audit function rather than establishing an in-house one. HOW MANY OPTIONS DO YOU HAVE? Recently, both commercial organisations and professional firms are facing difficulties in getting internal audit resources from the market. Companies are considering outsourcing (either partially or fully) its internal audit function to professional firms. Before making such decision, the following table shows the options available: There is no one best solution for establishing an internal audit function. The structure of an internal audit function must evolve with the growth of an organisation, management’s needs and expectations. For example, the management of a large multinational corporation wants to conduct regular process review over high-risk areas, outsourcing may be selected as more resources may be required to fulfill such needs. FACTORS TO CONSIDER To ensure that the internal audit function can carry out its activities in a costeffective manner and deliver the required services, management may take the following factors into consideration when determining its appropriate resources structure: at in establishing an internal audit function. It will weigh between the staffing costs and outsourcing service fees to determine which is more suitable to the company’s budget. According to a survey2 we conducted in 2006, the results indicated that over 90% of the responding companies spent over HK$180,000 per month on maintaining their in-house internal audit team. In recent years, due to keen competitions, the professional service fees have been driven down significantly. Although it would be difficult to judge which is more costly than the other, outsourcing would definitely be an attractive alternative for the management to consider. Costs Cost-effectiveness is always one of the major factors that management must look Competency To ensure the quality of internal audit activities’ deliverables, an internal audit function should possess an appropriate mix of professionals in terms of skills, experience and qualifications, for examples, interpersonal skills, industrial Options 1. In-house internal audit team Main Features The team consists only of employed staff Head or manager of internal audit is usually appointed and is reporting to both the Audit Committee and senior management Suitable for small to medium-sized organisations Carry out internal audit activities with their own resources Apart from having a team of employed staff, an organisation may seek resources from outside resources such as professional firms, contracting staff, etc. Internal audit activities are partially contracted out on a need basis The head or manager of internal audit is usually appointed and is reporting to both the Audit Committee and senior management Carry out internal audit activities on a joint basis Suitable for organisations of all size The head or manager of internal audit is not usually appointed Internal audit activities are contracted out to professional firms on a regular basis or yearly basis The outsourced professional firm may serve the organisation as internal auditors and report directly to the Audit Committee Manage the project and provide resources when carrying out internal audit activities Suitable for organisations of all size 2. Partial or co-sourcing Outsourcing 3. Fully outsourcing Spring 2007 perspective 17 related experience and recognised internal audit certifications. As information system and computer equipments are extensively applied in present business environment, almost most companies’ internal audit functions will need to consist of IT specialists for carrying out IT controls related reviews. Flexibility Apart from regularly planned internal audit activities, management may require the internal audit function to conduct surprise ad-hoc investigations or reviews over potential irregularities or high-risk areas. Under such circumstance, the internal audit function may assess whether buffer resources can be squeezed from the existing resource pool or seek assistance from the outside. BENEFITS OF OUTSOURCING While there are merits associated with establishing an in-house internal audit function such as the in-house team may be more familiarised with the operational specifications and structure of the organisation, outsourcing has its advantages including: Cost-effective By using the co-sourcing approach, the organisation can easily alter the size of the internal audit function by seeking extra resources from outside source to cope with different ad-hoc projects on a need basis instead of carrying in-house a team 18 perspective Spring 2007 features of permanent staff, which may not be fully utilised throughout the year. Expertise An organisation can benefit from obtaining resources from outside professional firms as competency mix can be adjusted to the specific need of the project that is in question. Besides, this can save the organisation’s time in providing training as compared with the case of recruiting new staff with less relevant experience. Besides, professional firms may provide an organisation with access to updated knowledge on risk management practices development, sharing of global industrial experience via their international network, technology assistance such as risk management and internal audit tools, tested methodology, etc. Independence Although funded by the organisation, the outsourced internal audit function is more independent in nature as it does not belong to the organisation. Being a critical success factor of an effective internal audit function, greater independence can ensure that the objectivity of their internal audit reviews and reporting of findings are preserved. Finally, an organisation has to weigh the costs and benefits of all relevant factors and determine the right balance for its specific situation in determining whether outsourcing its internal audit function or establishing an in-house one. Regardless of the resources structure of an internal audit function, it should: Fit the organisation’s needs; Be operating cost-effective; and Be able to create value for the organisation. ■ Clement Chan Managing Director Horwath Hong Kong CPA Ltd Ricky Cheng Director Horwath Risk Advisory Services Ltd Reference 1 2 Referring to the Enterprise Risk Management Framework issued by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in 2004. Quantitative surveys were distributed to 34 constituency companies of the Hong Kong Hang Seng Index in early 2006 and 35% of the population took part in the study.