Jump-Start Success

How to set up a world-class internal audit function.
BY BRUCE CAPLAIN

EXECUTIVE SUMMARY
MANY OF THE CPAs WHO ARE HIRED AS chief audit executives for public companies will have the opportunity to start a new internal audit function or reshape an existing department in the wake of the Sarbanes-Oxley Act of 2002.

BEFORE ACCEPTING THE OFFER, candidates should interview the management team and the chair of the audit committee, determine management’s motivation in establishing an internal audit department and establish a timetable for the audit work to be done, taking into account any possible constraints.

IN THE FIRST 30 DAYS ON THE JOB, a new chief audit executive should try to show progress quickly. He or she also should scope the audit universe and develop an audit cycle, educate management about what to expect from internal audit, develop an audit plan and, most important, recruit the staff that will be necessary to carry out these functions.

AS THE DEPARTMENT BEGINS TO CONDUCT AUDITS, the chief audit executive will be performing an entity-level control assessment, making his or her first audit committee appearance and taking steps to begin a day-to-day life in the new position.

THE CONTENT AND SUBJECT OF INITIAL AUDIT REPORTS will depend on management’s goals for internal audit. The chief audit executive must factor in the responsibilities brought about by Sarbanes-Oxley, be careful consulting projects don’t eat up too much time and begin to create value for the company.

BRUCE CAPLAIN, CPA, is senior vice-president of corporate audit and fraud at First Marblehead in Boston. He previously served as the general director of corporate audit at John Hancock Financial Services.

Congratulations! You got your dream job—chief audit executive of an NYSE-listed company that just went public. You’re charged with starting your own internal audit function. Or perhaps you’ve received an offer to rebuild an existing department following the enactment of the Sarbanes-Oxley Act of 2002. While both are great opportunities, what you do next can mean the difference between success and failure. CPAs who find themselves in this position should read on to learn about some of the decisions I made to help change an existing audit function several years ago at John Hancock Financial Services and more recently as I started a new department at First Marblehead, a provider of integrated services for student loan programs headquartered in Boston.

LOOK BEFORE YOU LEAP
Once you have a job offer in hand, the first thing to do is pause and take a step back. Your efforts so far have concentrated on selling yourself to the company and learning enough about it to know you are interested in the position. Now you need to gather some additional information to make sure it’s the right company and management team with the right attitude toward internal audit.

Interview the management team. Ask the company for additional meetings beyond the regular interviews so you can determine whether your prospective employer is ready for a world-class audit department. Does the company understand your need for independence and give it to you in the proposed reporting structure? Meet with the chair of the audit committee to make sure you have the board’s support. During my interviews at First Marblehead it was clear that everyone I talked to was committed to establishing a top-quality internal audit function for all the right reasons. Don’t worry if you find management doesn’t have a good understanding of internal audit. That’s an easier problem to solve than a lack of commitment; a little education on your part will resolve the issue.

[Chart: A Busy Auditor’s Universe. Number of audit units or activities in your audit universe. Source: Survey of chief audit executives, Institute of Internal Auditors, www.theIIA.org, 2004.]

Determine management’s motivation. Finding out why management is starting an internal audit department will help CPAs understand how the company perceives the audit function. If the company had a past control deficiency, it may be creating an internal audit department to show the board it is taking action. It may not be committed to the process for the long term. If it had an internal audit function in the past but outsourced or eliminated it, the company may be starting one now only because it is required to do so. It may have had a bad experience with internal audit previously and thus is not fully prepared for the consequences of having a thorough and active department. If management is adding an internal audit department to “paper the files” for compliance purposes, it may not want a department that raises issues and pushes hard to resolve them—perhaps, even if it means bringing them to the audit committee.

First Marblehead was a company that had experienced tremendous growth while at the same time going public. In the end I was very comfortable management saw the internal audit function as a vital component of its expanding corporate structure. First Marblehead started its internal audit department not only because NYSE rules required it to do so but also because it believed internal audit to be a vital part of its culture, given its growth and the complexities of its business.

A colleague of mine interviewed with a company that had reported a material weakness in its internal controls the previous year. There was not a lot to cover in the audit universe (all of the areas within the business that can be audited) as it was a pure services company, but management clearly wanted to show shareholders and the board it had taken action. Management promised the auditor she could get involved in some “great nonaudit projects” after the first year—a good indication the company thought internal audit was not important.

Establish your timetable. Make sure management realizes you can’t give a clean opinion on the company’s internal control environment the day after you walk in the door. Find out their expectations but lay out a clear timetable of when you can realistically be up and running. This means different things to different people. It can mean fully staffed and just starting audits or it can mean issuing audit reports. (There is often a three-month or more lag between the two.) It also might mean the time when you can opine on the company’s control environment, which may be as much as two years away. The best strategy when setting expectations is to make sure you can beat them.

Know your constraints. Find out up front what kind of problems you might encounter. Will you face staff or budget restrictions? Will line management resist your recommendations even if senior management supports them? Can you hire the level and type of people you want? Will the company be attractive to potential candidates? When trying to attract top-quality candidates, it can be very important to differentiate your work environment and create an atmosphere that’s different from other audit shops.

FIRST THINGS FIRST
Now that you’ve done your preacceptance due diligence and know it’s the right place for you, how do you get started? Clearly, the first 30 days are the most important. First impressions are difficult to change. There are several things you need to do right away, including educating management, recruiting staff and scoping and developing the audit universe.

Show progress quickly. This important goal is often challenging, as a thorough audit can take several months to complete, not to mention the difficulties of getting the department properly staffed. Some early quick hits can be as simple as communicating your mission statement, scope of work and the type of services you’ll provide (audits, system development reviews, consulting and the like).

Scope the audit universe and develop an audit cycle. You can’t do much without establishing an audit universe. Accomplish this by meeting with management, starting at the top of the organization chart and working your way down to the level needed to give you sufficient understanding of an area to allow you to “risk rate” it and make a preliminary estimate of how many hours it will take to audit. (A risk rating is assigned based on the inherent risk of the function, factoring in things such as transaction volume, asset liquidity, regulatory oversight and management ability.) Don’t share the audit time estimates with management—it may not have the same perceptions. While a 300-hour audit may sound small to an experienced professional, management may not understand what you are going to do in an eight-week time frame.

Once you have this information you can begin considering audit cycles to gauge the risk tolerance of management and the audit committee. At my previous employer, John Hancock, the control environment was established and stable; therefore, auditing high-risk areas every three years was sufficient. Amid all the rapid growth and change at First Marblehead, the risk tolerance wasn’t the same and management felt a cycle of 18 to 24 months was necessary for high-risk audits. While I made my recommendation to the audit committee, in the end, the audit cycle was their decision; fortunately, in this case we agreed. Chief audit executives need to make sure they can live with what the committee decides.

Recruit the necessary staff. This is clearly the hardest and most time-consuming part of the job, but it’s also the most important. The chairman of our audit committee has an acronym for the type of person he always looks for—SWAN (smart, works hard, ambitious and nice). All are key traits your team will need and this strategy has worked very well for us. But, in a start-up function, you also need experienced self-starters and “ambassadors” who can represent the department well. All of our new staff members were so well-versed in Sarbanes-Oxley they took turns training other employees, impressing management in the process. Internal audit directors cannot hire staff straight out of college anymore—the stakes are too high and a new department cannot afford to spend the time training.

Educate management. Everyone has his or her own view of internal audit; some may be valid while others may be way off base. You need to quickly educate management on your view of the audit function. A good time to do this is while meeting with managers to scope their areas. Over the years I discovered many misconceptions:

Internal auditors act as assistants to the external auditors.

We monitor controls on behalf of management. (Sorry, that’s management’s role. Even Sarbanes-Oxley says so.)

We provide resources to management when they identify an issue, or we go to third-party providers and tell management how they are doing. (Again, sorry, that’s management’s role.)

These are actual comments I’ve heard over the years as I’ve introduced myself to management at various companies.

Develop an audit plan. At this point, putting together an audit plan should be easy. With all the knowledge you’ve gained, the first-year audit plan should roll right onto your newly created administrative systems.

Internal Audit Fallout
A strong internal audit function can be instrumental in helping a company avoid having to report a weakness in its internal controls. When a company does report such a weakness the consequences can be significant.

At companies that disclose a material weakness in internal controls, 62% of CFOs either leave or are pushed out immediately before the announcement or within three months afterwards.

More than half of the internal control weaknesses were related to fraud and 65% of companies that disclosed the weaknesses subsequently had to restate their earnings.

Companies with a material weakness saw their auditor fees grow by 150% compared to between 30% and 50% for companies without a weakness.

Source: Survey of 500 SEC registrants, A.R.C. Morgan, The Netherlands, www.arcmorgan.com, 2004

A WORK IN PROGRESS
Now that you’ve gotten through the first month, you need to begin looking forward to the rest of the quarter. How do you keep the momentum going and continue to demonstrate to management that work is progressing—even if you can’t show any tangible results in the form of completed audits? Once you have staff on board, focus on starting audits. Perform an entity-level control and risk assessment and present it at your first audit committee meeting.

Begin audits. How quickly you get staff on board will determine how fast and how many audits you can start. Of course the big question is which audit to do first. Should you go after an easy audit you can complete quickly—one that may reap some fast benefits such as cost savings or revenue enhancements—or choose the highest risk audit, which in our case was the most complicated? I chose the ones with high impact (risk) to the company, as well as audits that everyone would easily understand (controls over financial reporting, loan disbursements, product set-up and IT security administration). My initial thought was to go after IT procurement as I was sure I could put some savings on the table, but the company’s appetite was to test controls, not look for savings, so I quickly shifted gears. We’re still looking for both, but keeping our primary focus where it should be, on controls. The moral of the story is to understand your environment and let it guide your actions.

Entity-level control assessment. While the staff is starting its audits, the chief audit executive should expand the intelligence gathered during the scoping phase by learning more about the company’s environment and culture. The best way to do this is to perform an entity-level control assessment. The results of this exercise are great to present to the audit committee as it gives them a high-level assessment of the company’s control environment. The results also provide management with some direction backed by an “official” document and dovetail nicely with Sarbanes-Oxley requirements. At First Marblehead we used a COSO-based outline. But with the advent of Sarbanes-Oxley, your public accounting firm no doubt has a format you can use to make this assessment.

First audit committee appearance. The timing of the first meeting will dictate how much information you have to share with committee members. Establish your credibility by walking them through your background and experience. Also explain your mission, objectives and timetable and what you’ve accomplished so far. Use the meeting to get the committee’s buy-in to your audit program so there’s no questioning your direction in the future.

PRACTICAL TIPS TO REMEMBER
A top priority for a new chief audit executive is to educate management and the audit committee about what an internal audit function does and what they can expect—and when. There are many misconceptions and unrealistic expectations about the role of internal audit. The sooner they are corrected the easier the department’s job will be.

In deciding which audits to do first, CPAs should let the company environment guide their actions. Businesses that want fast results will appreciate audits that yield cost savings or revenue enhancements; those that are interested in controls will favor audits that focus on high-risk areas.

When making your first appearance before the audit committee, describe your background and experience as well as your mission and objectives. Get the committee’s buy-in on the audit program so there is no question on the audit function’s future direction.

Be careful taking on consulting projects; they can be time consuming and detract from internal audit’s true mission. They also can be an indication management believes your role to be broader than it really is.

Make an agreement with management that you will advise them ahead of time if an area is in trouble without waiting to create a written report. This will lessen their fear of finding unpleasant surprises in the reports.

ESTABLISHING NORMALCY
A transition from start-up to normalcy will take shape during your second quarter on the job. However, what happens may depend somewhat on your ability to find the right staff. If you are still having difficulty recruiting auditors at this point, don’t lower your standards—you’ll regret it later. Instead, get creative: Consider expanding the number of recruiters you use or running a “special” with them—offer a 5% higher fee for a month and the résumés will overwhelm you.

At this point in the process you will begin issuing reports, doing system development reviews and consulting projects and creating value in the eyes of management and the audit committee.

Audit reports. Before issuing a report, take the temperature of management. How will it react to your recommendations? Will it understand their impact and support your findings—even if they cost money? There are many such questions you need to consider, but the bottom line is one of the main tenets I mentioned earlier—education. At First Marblehead, management was so concerned about doing the right thing it had little tolerance for problems. I had to stress to them there’s always room for improvement and that every internal audit issue doesn’t signify a crisis. We agreed if an area was in trouble, I would let management know immediately, without waiting to create a written report. This gave management the comfort level it needed when reviewing audit reports.

Consulting projects. This is otherwise known as the area that can swallow an audit department! Be careful taking on consulting projects, especially in the beginning, as management often believes your role to be larger and more encompassing than it is. For example, risk management is a common buzz word these days and management often wants internal audit to oversee risk management functions. To me it seems incompatible to run a risk management function, which makes corporate decisions, and audit all areas of the company. You could end up auditing yourself—not a good situation. Sarbanes-Oxley compliance is another good example. This is not an area internal audit should own or run as it needs to be a management function. If an internal audit director isn’t careful, Sarbanes-Oxley can consume all of a department’s resources in no time.

Sarbanes-Oxley. This legislation clearly changes internal audit’s role for the foreseeable future. But what role do you want your team to play? We chose to play adviser, educator and, through our normal audits, assessor. We did not want to be the ones to do the documentation or testing each quarter—that is management’s role and would create a conflict for us going forward. Our goal is to make sure the external auditors can rely on our audits as much as possible. If we also did the documentation and testing, the outside auditors wouldn’t be able to rely on our assessments—they’d have to do their own. Therefore, we incorporate Sarbanes-Oxley’s requirements into each audit as we assess management’s documentation of its control environment, testing, conclusions and process-flow documentation.

I spend a lot of time meeting with the company’s clients, though, to explain our control environment and internal-control structure; I do this jointly with the compliance and client development staffs. With controls and Sarbanes-Oxley on everyone’s mind, more and more clients want to be comfortable with our environment—as we are a company that provides processing services for others. One of our requirements for the Sarbanes-Oxley software we are implementing was to make sure we could give clients access to limited areas of the company—for limited periods of time—essentially allowing them a peek under our tent at our control environment. The reaction has been very positive, as clients feel we have nothing to hide, which fits perfectly with the transparency mantra so common today.

Create value. Management and the audit committee need to see clearly your value to the company. That can mean many things, such as insightful audit recommendations, operational improvements that enhance the company’s bottom line, your ability to assess the big picture as well as knowledge of the detailed issues and, of course, your expertise in identifying and addressing key risks and reacting to ongoing challenges in the business environment.

THE LEADING EDGE
In the end, CPAs who accept positions as chief audit executives need to be comfortable the company’s environment is right for their approach, hire quality audit staff who can hit the ground running and be ambassadors for their department, educate management at every opportunity and demonstrate the value they add to the company—all in a short amount of time. Internal audit is an exciting opportunity, but it takes a lot of orchestrating to go from zero to a leading-edge department in just a few months. Good luck.
