One company narrowed its focus and raised staff experience requirements in a successful ...

The steps to success in lowering costs and boosting quality.

Problem: Minimize expenses while keeping a close watch on internal controls and producing valuable business advice.
Solution: Dont audit history; narrow the audit focus; hire experienced staff.

    What are the keys to running a lean, proactive internal audit department? At Tosco, a petroleum refining and marketing company, Norman Marks, general auditor, has developed an approach that adds value while reining in costs. His strategy can help to provide a model for other internal auditors seeking to enhance their departments contributions.

    When Marks joined Tosco in 1990, the audit committees chairman said to him, Ive got about $6 million worth of stock in this company. Make sure there are no surprises. Marks has taken it as his charge to protect all the stakeholders in the company from a variety of unpleasant surprises that can result from failures in internal controls. We have to consider the integrity of financial reporting, custody of assets, environmental and safety issues, and the efficiency and effectiveness of operations, Marks says, in addition to what he calls the 60 Minutes test. I try to protect us from doing anything that would embarrass us if it ever turned up on 60 Minutes .

    The challenges of his job have grown along with the company, which went from a $2 billion operation in 1990 to an organization today with $15 billion in sales. Despite its size, its a very small company. In 1997, we had sales of $13.3 billion, but our pretax earnings were $381 million, just 2.9% of sales. Thats not a function of writeoffs but of the fact that the petroleum industry has very thin margins. In terms of revenue per thousand employees, this industry has one of the highest ratios, which means we have very few people for a very large amount of dollars. Since our margins are thin, to survive in the industry you must be one of lowest cost operators, which we have become. At the same time, companies in the industry face financial uncertainties in a number of transactions. Tosco, for example, buys $10 billion worth of crude every year, which is subject to market price shifts; at a single refinery, operating costs can run $100 million per year, or one-fourth of its pretax earnings. That gives me a lot to worry about. Not only must I consider outside forces but also I must provide the audit committee with assurance about controls and I have to be careful about how much money I spend.

    When Marks came to the company, he had worked in public accounting and in industry. Having been audited and having done auditing, I saw how painful and disruptive it could be. I wanted to do something that was more like a service. To achieve his goals, Marks has crafted an approach to make the most of his 22-person audit staff. To measure efficiency, he relies on benchmarks to compare his operations against those in the industry and in manufacturing as a whole. For example, his company has 1.3 auditors per billion dollars of gross sales, while the industry average is 4.35 per billion. While Tosco has 0.67 auditors per 1,000 employees, the industry average is 3.05 employees per 1,000. However, he considers the most important benchmark to be internal audit cost as a percentage of sales. For his company, that number is 0.017%; for the industry, it is 0.044%.

    How can the audit department maintain these numbers while providing high-quality audits as well as offering worthwhile solutions to company problems? His blueprint is one that may serve as a recommendation for other internal audit departments seeking leaner operations:

    Stop auditing history. Our general routine is not to go back and audit whats happened in the past, Marks says. Many companies will take a months or even a years past transactions and verify them. All thats doing is auditing the past. My job is to audit the present and to provide protection for the future. Our emphasis is on the controls we have today rather than on what might have taken place.

    Narrow the focus. In a step he calls using a laser rather than a shotgun, Marks department focuses exclusively on key risks. For example, Toscos Linden, New Jersey, refinery could be considered the top risk area in the company based on the volume of its operations and the money involved. While some internal auditors might audit the total refinery, I am interested only in certain business risks within that operation, Marks says. We decide where, if controls fail, we are likely to have a problem. Areas to audit are chosen based on a subjective assessment of risk to the company and value of the audit. Each audit has a value (to management and the board) in its assessment of controls and in the positive changes it effects. The changes could have a direct contribution to the bottom line (such as cost savings, revenue enhancements) or an indirect contribution (risk reduction, fraud deterrence). We work with management at all levels to define those areas. In a given year, Marks may determine that the biggest risk in accounts payable is payments to maintenance contractors, so the auditors will target just that segment of accounts payable. In the following year, observations of the refinery operations and experience in other audits may lead the auditors to examine payments to utilities. Although the internal auditors perform a number of audits at the refinery, they concentrate on selected risk areas rather than blanketing an entire department.

    Dispense with lower level staff positions. While some audit departments have a hierarchy of positions ranging from neophyte to manager, Tosco hires mainly manager-level staff and some seniors. If you ask managers how much time they spend supervising, training, reviewing workpapers and rewriting the audit report, you find they are probably spending as much time as if they were doing all the work themselves, Marks says. The department seeks a blend of experience, from people whove worked with large and midsize accounting firms to former controllers, treasurers and internal auditors in the oil and other industries. Because Tosco has cut out an entire level of staff, our cost per auditor is higher, but total audit costs are lower. Productivity also is enhanced. Our people are so much more experienced that the quality of the audit tends to be higher. We are able to explain to people in other departments what we are doing and focus quickly on the significant business risks. Since we dont go in and ask silly questions, the work is received better by people in other departments.

    Company Profile

    Name: Tosco Corp.
    Locations: Phoenix. Refineries in Linden, New Jersey; Ferndale, Washington; Los Angeles; San Francisco; Trainer, Pennsylvania. Retail outlets in 38 states.
    Sales: $15 billion.
    Number of Employees: 27,000
    Form of ownership: Corporation.
    What we do/produce: Largest independent oil refiner and marketer of petroleum products in the United States. Nation's largest operator of company-owned convenience stores. Major brands include Union 76 and Circle K.
    Our main customers: The general public and independent petroleum marketers

    Employ stop-and-go auditing. In this technique, auditors go into an area and determine on the job whether the risk is so low that an audit isnt needed or whether greater resources should be devoted to the audit because of questions uncovered. With experienced people and a narrowed focus, this technique can greatly boost efficiency, but companies dont always employ it. When the company acquired a wholesale terminal, Marks was told that the previous owner had sent two internal auditors to perform a month-long audit; the Marks team, however, sent one person for four days. Our managers know every unnecessary hour spent auditing an area costs the company money and takes time away from another project we could do that has value. On most jobs, auditors go in with an estimate of 250 to 300 hours to perform the work, but they are encouraged to use their discretion to spend more or less time as needed. We hire people who are proficient enough to make those decisions.

    Position auditors throughout operations. Toscos auditors work alongside other staff members in locations throughout the companys operations, which include refining and marketing. Marks believes this enables them to understand a business area and its risks and to add value in the eyes of the audit committee and management by, for example, becoming familiar enough with an area to offer useful suggestions. We dont want to be seen as outsiders coming in from corporate management but, rather, as part of the local management team.

    Marks has not experienced resistance to the changes he has made in his area because of the quality of the people in his department and the value that they add to processes throughout the company.

    Marks believes his approach is justified by the fact that well over 90% of the recommendations made by the internal audit department are implemented. For example, some of the companys audits may cover a business risk that spans many departments, such as the one performed recently on travel expenses. The companys travel agent forwarded to management any reports about travel items that departed from policy. Those reports were then sent to two vice-presidents for follow-up. The internal auditors suggested the reports be sent to the relevant department manager instead, since it seemed unnecessary to tie up senior executives time over travel expenses. The person doing the audit who made that suggestion is an ex-controller, and he knows how to run a business, Marks says. Because I run the audit department as a business, were always trying to make sure were adding value.


    • TO CREATE A LEAN, PROACTIVE internal audit department at an oil refining and marketing company, Norman Marks has developed an approach that adds value while reining in costs. Tosco, a $15 billion company, has a very thin margin, so it must be a low-cost operator to survive.

    • AUDITING THE PRESENT rather than the past is one of Mark's strategies. The company emphasizes control in place today rather than past transactions.

    • RATHER THAN AUDITING an entire operation, Mark's department focuses exclusively on key risks. While the internal auditors may perform a number of audits at a given operation, they concentrate on selected risk areas, rather than blanketing an entire department.

    • TOSCO'S INTERNAL AUDIT DEPARTMENT HIRES mainly manager-level staff and some seniors. As a result, its costs per auditor are higher than average, but total costs are lower.

    • STOP-AND-GO AUDITING enables experience staff to determine onsite whether a job should take more or less time than was budgeted. Anita Dennis is a Journal contributing editor


    Keeping client information safe in an age of scams and security threats

    A look at the Dirty Dozen tax scams and ways to protect taxpayer information.


    More R&D tax help

    "Can I use the R&D credit?" PATH Act enhancements make the credit more attractive to a wider range of taxpayers.


    Learn to choose between ‘who’ and ‘whom’

    Writers can stumble over who and whom (or whoever and whomever). If you write for business, this quiz can help make your copy above reproach.