Internal audit: harnessing its full potential
Internal audit is not a one-size-fits-all function, and typically not everyone in the organisation agrees on what its primary focus should be. If you ask yourself as an audit committee member what you see as internal audit’s primary function—assurance and value protection, strategic focus and value creation, business risk insights and risk mitigation, or some combination thereof—and compare your response to those of other key stakeholders in the organisation, you may be surprised at the range of views you encounter.
The key activities of leading-edge internal audit functions align with the expectations of the audit committee and management, and are flexible enough to meet the changing business strategies and needs of the organisation. Often, internal audit primarily concentrates on financial and compliance areas; however, in some organisations, more of an enterprise risk focus may be adopted—one that considers strategic and operational risks as well as financial and regulatory risks, with internal audit serving as a strategic adviser.
To continue to enhance the expected performance of the internal audit function and its value to the organisation, audit committees should periodically assess whether internal audit is performing the appropriate activities, has adequate resources and is proactively identifying risks and monitoring critical controls. This article explores the audit committee’s role and offers leading practices to consider in evaluating internal audit and the chief audit executive (CAE).
Aligning and measuring internal audit expectations
In many organisations, audit committees and management have differing expectations of internal audit. An optimised internal audit function can provide a balance between protecting and enhancing enterprise value by taking a holistic approach to risk management across the enterprise and providing independent and objective assurance with value added advice.
For internal audit to be successful, it is important for the CAE to clearly understand the following from the audit committee and management:
• the specific expectations for internal audit
• the perception of the value that internal audit adds to the organisation and the audit committee, as well as how the success of
internal audit activities is measured.
An effective relationship between the audit committee and internal audit is fundamental to internal audit’s success, with the audit committee clearly setting and articulating expectations of strategic focus, providing the appropriate level of support for achievement and holding internal audit accountable. Key performance measures will vary significantly depending on internal audit’s strategic emphasis, although an evaluative approach that measures quantitative and qualitative factors should be considered.
In addition to regularly reviewing performance metrics and recalibrating internal audit’s activities when appropriate, the audit committee and internal audit may consider periodically revisiting the alignment of expectations and how internal audit supports the strategic and operational objectives of the organisation. Because risks and opportunities constantly emerge, it is important for internal audit’s charter, risk assessment process and audit plan to be dynamic enough to allow internal audit to take a proactive and
If you were to look back at your organisation’s internal audit plan from a few years ago, you would probably not find audit areas such as corporate responsibility and sustainability, cyber threat management, ethics, cloud computing or social media. The more dynamic the internal audit function and its activities, the more effectively internal audit can support the organisation in adapting to emerging
issues and respond, based on a changing risk profile. It is important that the audit committee, as well as management, have full visibility into the activities of internal audit, and that it be involved in the development of the function’s objectives, audit plan
An essential component of the relationship with internal audit is the audit committee’s monitoring of the results of internal audit’s quality assurance and improvement programme. Such a programme, which includes both internal and external assessments, is required for compliance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, and is designed to enable an evaluation of the internal audit function, assess its efficiency and effectiveness and identify
opportunities for improvement. The results of these assessments, often referred to as a peer review, should be discussed on a timely basis with the audit committee.
Audit committees may also consider engaging an experienced external party to perform a strategic assessment of internal audit that considers areas beyond the peer review, to aid in challenging and setting internal audit’s role in the organisation. This assessment primarily focuses on optimizing internal audit to bring the most value to the company and the audit committee. It can help the audit
committee answer tough questions about internal audit’s performance and practices and align internal audit’s activities with the organisation’s strategic objectives and priorities.
Securing the appropriate resources for internal audit to meet expectations.
In many organisations, the audit committee is responsible for approving the internal audit budget, and this approval is typically based on management’s recommendation. How often does the audit committee challenge there commended internal audit budget?
In some organisations, internal audit, like many other areas of the organisation, may be under pressure to contain or decrease its expenses, while responding to emerging risks and the expectations of audit committees and management to expand coverage.
There are certainly opportunities for internal audit to challenge its historical budget and do more with less. Greater use of technology, such as effectively leveraging data analytics and the utilisation of outside service providers as a cost-effective
means of performing internal audit projects, are just two considerations for doing so.
While the audit committee may first consider whether internal audit is effectively using available resources, it may also want to assess whether the function is appropriately funded and staffed to meet expectations. One consideration is whether internal audit
has the appropriate mix of skills and certifications to achieve strategic objectives and proactively identify and address current and emerging risks. An effective evaluation by the audit committee of the appropriateness of resources is not limited to the internal audit team, but also includes the CAE.
The reporting structure of the CAE can also be considered in evaluating the effectiveness of internal audit. In many organisations, the CAE reports functionally to the audit committee and administratively to the CFO or CEO. This dual reporting structure particularly when considered with the effects of rotational models and performance and compensation processes driven by the CFO or CEO, can present real or perceived issues in terms of independence and effectiveness.
Audit committees can help mitigate this challenge through having an open and transparent relationship with internal audit that allows the CAE to regularly and freely discuss issues and concerns outside the presence of management, and through actively participating in the CAE’s performance evaluation and compensation process. The perception of the experience and knowledge
of the CAE and the internal audit team can also affect how internal audit is regarded and respected in the organisation.
If the CAE is viewed as not having the appropriate stature in the organisation, or if the CAE or the internal auditors are viewed as lacking the necessary business acumen, internal audit may not have the respect and visibility needed to be effective.
Understanding internal audit’s role in the Organisation.
In assessing the effectiveness of internal audit, it is critical that the audit committee understand how internal audit relates to, and interacts with, other risk management-related functions, such as enterprise risk management, legal, security, environmental, health and safety, loss prevention and compliance.
This includes evaluating who is doing what and whether there are any gaps or duplications between internal audit and these groups regarding the assurance being provided.
It is also important that the audit committee be cognisant of how internal audit interacts with the external audit provider. Greater efficiencies and effectiveness can be achieved if the two work together to discuss risk assessments, the scope and execution of procedures and other opportunities to coordinate effectively. In addition, the external auditor’s perception of an organisation’s internal audit function can be an important indicator to the audit committee.
Fostering a mutually beneficial relationship with internal audit
Communication is an important component in maintaining an effective relationship between the audit committee and internal audit. Clear articulation by the audit committee of its expectations regarding both formal and informal communications can help facilitate a successful relationship and support internal audit in meeting its objectives. Internal audit’s communications should be timely, actionable, and relevant, with a priority on the implementation of recommendations and resolution of issues. In some organisations, inadequate focus is placed on reporting, follow-up and resolution activities.
This can result in information not being reported timeously to the audit committee or not being presented at the appropriate level of detail. Just as importantly, known issues may not be timely or effectively addressed. In addition, it is important that the audit committee understands the depth and breadth of coverage by internal audit to avoid having a false sense of assurance regarding the scope of internal audit’s activities.
A CAE with executive presence and strong communication skills who provides ongoing communications that are direct, relevant, frequent, timely, and that demonstrate the appropriate level of rigour in confirming the resolution of audit issues, will have greater authority and credibility with both the audit committee and management.
Effective internal audit communication with the audit committee can also foster the ability of the audit committee to use the CAE as an internal source of information and insight on evolving business strengths and challenges, as well as the climate of internal controls in the organisation.
It has become increasingly important for audit committees to assess whether internal audit is performing the appropriate activities, has adequate resources and is proactively identifying risks and monitoring critical controls. The specific expectations for internal audit functions vary by organisation, but audit committees can facilitate a mutually beneficial relationship by setting high expectations, clearly communicating these expectations and holding internal audit accountable for meeting them.
By performing a periodic assessment of internal audit, audit committees can help align expectations with other key stakeholders, support the CAE in assessing the function’s ability to meet expectations and secure resources as needed. This assessment
can help the audit committee to confirm that internal audit meets the needs of the organisation, both today and in the future. ❐
Author: George Cavaleros, CFA, CIA is Partner at Deloitte.
Exempting temporary differences: Last Kicks of the ‘Matching’ Concepts?
When temporary differences on assets do not lead to the recognition of a deferred tax liability (the initial recognition exemption).
Remember ‘matching’, that accounting concept so beloved by high school accounting teachers? It seemed to go out of the window years ago when all reference to ‘matching’ disappeared from the financial reporting standards. Perhaps it hasn’t disappeared
completely – it may be lurking in the shadows of IAS 12 (see if you agree).
Para 15 of IAS 12 provides for an exemption to the rule that deferred tax be provided for on all temporary differences: “A deferred tax liability shall be recognised for all taxable temporary differences, except to the extent that the deferred tax liability arises from:
• the initial recognition of goodwill; or
• the initial recognition of an asset or liability in a transaction which:
• is not a business combination; and
• at the time of the transaction, affects neither accounting profit nor taxable profit (tax loss).”
Why is this exemption necessary?
Consider the following scenario:
An entity acquires an item of property, plant and equipment for R10 million. The deferred tax position on that date depends on whether the tax authorities grant an allowance on the asset or not:
This transaction affects neither accounting profit nor taxable income. Since the above transaction gives rise to a taxable temporary difference, a deferred tax liability would (without the exemption) need to be raised. This is easy. Credit the liability. The question is, what to debit? Since the transaction results in an increase in liabilities, the debit would be an expense in terms of the Conceptual Framework.
Is it appropriate to create an income tax expense when the original transaction did not result in income? The standard setters felt not, and so the exemption was born. Analysing the logic behind the exemption may prove controversial. For an old dog like me it appears to simply be a matter of applying the now redundant matching concept (matching relevant income to relevant expenses). In this case there is no income, so it is inappropriate to raise the expense.
Contemporary accounting thinking in contrast supports the predominance of the recognition principles for assets and liabilities over the matching of income and expenses. Applying this train of thought would surely result in the recognition of a deferred tax liability.
The reason for the exemption is perhaps a moot point. What is important is that we apply it in the right circumstances. The most common situation to which the exemption applies is the acquisition of a capital asset on which no tax allowances are granted. Perhaps the next revision of IAS 12 will bury the matching concept once and for all. ❐
Author: Charles Forbes CA(SA) is the Chairman at Tabaldi Accounting Intelligence.
XBRL heads for adoption in South Africa
The XBRL computer language is rapidly becoming the de facto global standard for sharing financial information.
It took 14 years to carve a place for itself in the world of business but today, more companies than ever are talking about the financial reporting phenomenon called XBRL. As its adoption rate accelerates among regulators, analysts and enterprises worldwide, South African businesses are joining the discussion about what XBRL is, what it will mean to them and what they need to do about it right now.
According to the Deloitte 2012 CFO Survey, only 3% of South African companies voluntarily implemented the standard in 2012. A further 9% will consider doing so in 2013. The main reason reported by 60% of CFOs for the slow uptake is a lack of information. Not enough is known about XBRL to make an informed decision about the prudence or necessity of embracing it.
Like every ‘overnight success’, XBRL is not new. Back in 1998, Charles Hoffman, a certified public accountant (CPA) from Washington, USA, created a method for labelling financial data (called “tagging”) so it could be read and processed by
computer systems. Since then, XBRL International, an independent, non-profit body of accountants and companies, has worked tirelessly to make it the global standard for exchanging financial information.
What is XBRL?
XBRL stands for eXtensible Business Reporting Language. It is a global standard for exchanging business information, based on XML (eXtensible Mark-up Language), which is used to encode financial documents in a format that both humans and computers are able to read and analyse. Many countries are putting XBRL to practical use, with the numbers of implementations growing rapidly around the world.
What problems does XBRL solve?
Companies traditionally transmit their financial information in a printed or electronic format (such as PDF). The recipients either read the information or, if wanting to use computer assisted analysis or electronic storage, manually transfer the data from the document into their systems. Of course, this process is time-consuming, laborious and prone to error. When processing information from hundreds of companies, the task becomes highly impractical. Often information might be discarded in favour of expediency.
XBRL removes the need for manual input, as XBRL-enabled software can read XBRL-tagged data and import the information directly. So data can be passed between disparate computer systems with human intervention needed only in the case of exceptions. The resulting efficiency reduces the cost of communicating and maintaining financial data, while improving its usability, integrity and compliance. In addition, if XBRL is used as the standard, data can be retransmitted without specially transforming it to other formats required by further recipients.
What are the advantages of XBRL?
Because XBRL-tagged financial reports can be read by computers, software can be used to validate them for accuracy, making them more reliable, compliant and auditable. This can be done with little effort by both the issuer and recipients. Being XML-based, XBRL inherits various methods for searching, querying and analysing data, meaning that companies and their stakeholders will be able to analyse financials more effectively. A fundamental feature of XBRL is that it is fully internationalised. In other words, documents created in one country can be viewed in another language by recipients at a different geographic location. This is because XBRL provides online dictionaries of its tags and common terminology in all major languages.
These can be invoked automatically when a document is displayed by software. An XBRL document can be used across international boundaries with no loss of meaning. In a world in which companies routinely communicate with global partners, investors and stakeholders, XBRL provides a common platform for reviewing standardised information. Companies can also gain worldwide access to the financials of their foreign divisions as often as required. Furthermore, XBRL helps companies to improve
compliance to standards.
Once tagged, financials will remain compliant to the chosen standard (e.g. IFRS), without constant auditing for compliance, as often needed with printed reports. Apart from the benefits afforded to companies, XBRL is growing in popularity among consumers of financial data, such as regulators, analysts and financial institutions which can achieve greater productivity and offer improved services because of the standard.
For example, in the USA, the Securities Exchange Commission (SEC) finalized implementation of its XBRL-based submissions
system in 2009, requiring all listed US companies to provided financial information in XBRL format. The project aims to empower investor analysis while reducing the burden of capturing and maintaining thousands of submissions.
Also, in the UK, Her Majesty’s Revenue and Customs (HMRC) implemented its system for receiving XBRL submissions for company tax two years ago. Again, the goal was to alleviate the effort of data capture, but also to improve turnaround of collections and provide analysis for auditors seeking out non-compliant businesses. Locally, the JSE offers an online portal that allows listed companies to voluntarily submit their financials in XBRL. This makes it easier for investors to analyse and compare stocks and make informed investment decisions. In the long run, this will benefit companies seeking capital, as their potential becomes more immediately apparent to investors.
What is the future of XBRL in South Africa?
XBRL SA, the South African jurisdiction of XBRL International, was formed in 2005 to promote and advance the use of XBRL in the country. Currently, the body is working with the Companies and Intellectual Property Commission (CIPC) to develop the systems, skills and local standards that will adequately address the nation’s unique accounting and legislative requirements. These organisations envision having a fully mandated standard in place by December 2015, which would make the submission of financials in XBRL mandatory for all registered companies. It is expected that a successful outcome would encourage the rapid adoption of the standard by other regulators as well as organisations in the private sector.
So what do South African companies have to do to prepare themselves for XBRL?
In the examples of the SEC and HRMC mentioned above, companies were given three years and two years respectively to become completely XBRL compliant. They were also afforded leeway for mistakes made in their initial submissions, with the HRMC still only issuing penalties as a last resort. In the same way, South African firms, as well as their financial consultants, could expect a period of adjustment to allow them to sharpen their XBRL skills and correctly implement the standard.
However, as XBRL implementation becomes more imminent than optional, local companies need to educate themselves about its requirements and what resources are available to them. Since XBRL is a computer dependant format, it makes sense to identify suitable XBRL-enabled software packages up front, otherwise using XBRL can be a time consuming and costly process. Internationally, software packages like CaseWare are already automating the tagging process, to ease the way to migrating to XBRL. ❐
Author: Ross Hampton, BCom (Acc), is a Divisional Director at CQS Technology Holdings.