Corresponding author: Gijs Hendrix (gijshendrix@gmail.com). Academic editor: Peter Hartog
© 2020 Gijs Hendrix, Jack Wai, Judith Tjin A Sioe, Martina Hener-Schaminée, Wim Ottema.
This is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY-NC-ND 4.0), which permits to copy and distribute the article for non-commercial purposes, provided that the article is not altered or modified and the original author and source are credited.
Citation:
Hendrix G, Wai J, Tjin A Sioe J, Hener-Schaminée M, Ottema W (2020) Non-auditors in the internal audit function: better practices for successful implementation. Maandblad Voor Accountancy en Bedrijfseconomie 94(3/4): 103-112. https://doi.org/10.5117/mab.94.48602
To bring a high level of expertise on board, Internal Audit Functions (IAFs) increasingly include persons that are not trained as auditors in internal audits. These non-auditors (rotational auditors, guest auditors or subject matter experts) function as part of the IAF for a specific period. This practice ensures the IAF has the expertise and skills required to meet today’s challenges of organizations and their IAFs. However, it poses (professional practice) challenges, as these non-auditors usually have limited experience and knowledge around internal audits and might be conflicted in their objectivity and independence. This article provides better practices to optimize the use of non-auditors and mitigate the associated risks.
Internal audit, internal auditing, guest auditors, rotational auditors, subject matter experts, better practices, non-auditors
This article shares better practices regarding the use of non-auditors in the IAF, proven methods that can be used to optimize the use of non-auditors.
The purpose of this article is to share better practices as described in literature and actually experienced regarding the use of non-auditors in the IAF, practices that will support IAFs to both mitigate the risks around using non-auditors and maximize the benefits of using non-auditors in the IAF. Better practices are real-life examples of the recommended protocols put in place to get the best out of non-auditors and ensure their valuable inputs contribute to the objectives of the audit function without compromising the quality of the audit process and its outputs.
First, definitions are provided of (the different types of) non-auditors. Afterwards we present advantages of the use of non-auditors and identify three main topics of interest in the use of non-auditors in the IAF (section 2). The topics have been identified by studying academic literature, the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA) and input gathered during an IIA Netherlands’ Committee of Professional Practices (CPP) event held in November 2018. During this event 24 professional practice representatives of IAFs discussed their experiences with non-auditors in internal audits. The design of this research is shared in section 3. Better practices for each of these topics are provided based on interviews conducted and a study of literature (section 4). Conclusions and limitations are provided in section 5.
Neither literature nor the IIA’s IPPF provides a clear definition of the concept of non-auditors. Therefore, we developed definitions to be used in this research based on the project group’s experience in the internal audit field and validated these with part of IIA Netherlands’ network of internal auditors responsible for professional practices (during an IIA Netherlands’ CPP event held on the 8th of November 2018).
Prior to defining a non-auditor it is considered what defines an auditor in the context of this research:
An auditor is a person working for an internal audit department with an educational background in auditing.
In the Netherlands an educational background in auditing often entails an RA (Registered Accountant), RO (Registered Operational auditor), RE (Registered EDP auditor) or CIA certification. There is also a variety of post-HBO studies as well as internal audit education provided by commercial organizations. This leads to the definition of a non-auditor:
Non-auditors are all persons that do not have an educational background in auditing yet work for an internal audit department.
Throughout the academic literature and IIA’s IPPF
Clear and coherent definitions for the different types of non-auditors are not always provided within literature. In line with
Based on literature and the authors’ own experience an additional dimension is added to the different types of non-auditors: internal versus external. Academic research shows that (part of) Internal Audit services are increasingly sourced through third parties (
Within this study only externals that qualify as non-auditors are considered. Trained auditors from an external organization joining an IAF do not qualify as non-auditors according to the definition above, even though different IAFs consider these auditors to be a ‘guest’ to the IAF.
Table
Types of non-auditors.
Source | Expected contribution: audit execution support | Expected contribution: audit execution support | Expected contribution: subject matter expertise |
---|---|---|---|
Internal | Internal guest auditor | Internal rotational auditor | Guest SME |
External | Hired guest auditor | Hired rotational auditor | Hired SME |
The use of non-auditors within the IAF brings benefits to the IAF, the non-auditor as well as the organization. Table
Advantages of using non-auditors.
Advantages of using non-auditors | For the non-auditor | For the IAF | For the organization |
---|---|---|---|
Exports an appreciation of governance, risks, and controls throughout the organization. | X | X | |
Acquisition of more in-depth knowledge of the respective business area | X | ||
Cultivation of better customer relations | X | X | |
Heightened awareness of organizational sensitivity and business acumen | X | ||
Improvement of personal and career development | X | X | |
Infusion of fresh ideas and perspectives, motivation to current internal auditors | X | X | |
Creates an appreciation of the role of the internal audit function | X | X | |
Enhancement of specific internal audit skills and competencies | X | X | |
Evolving view of internal audit as a potential source of talent for the enterprise | X | X |
Throughout academic literature, the IIA’s IPPF and based on IIA Netherlands’ CPP event of November 2018 three main topics of interest are derived when using non-auditors in the IAF:
These topics are explained in detail below.
The IIA’s Standard 1210 states that ‘Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities’. Therefore, competence is an important requirement for IAFs. Literature indicates that competence may be a challenge for non-auditors. Internal auditors that view internal audit positions as a stepping stone or temporary step in their career are less likely than career auditors to pursue training and certifications that improve their internal audit competence (
Literature mentions quality compromises in relation to rotational auditors (
Most of the literature focuses on internal audit work related to financial reporting and does not specify the effect on internal audit quality of internal audit work not related to financial reporting.
For guest auditors and SMEs we assume similar risks as these non-auditors similarly have limited internal audit experience, certifications and training. Research is not conclusive on the effects on quality when comparing in-house internal audit departments versus outsourced internal audit departments (
Interviewees stated that when (internal/external) non-auditors with different backgrounds and/or specific knowledge are combined with auditors within the IAF, a mix of competences is created. The interaction between these auditors and non-auditors can be of added value and will improve not only the IA quality based on competences but also the quality of the audits. For example, subject matter expertise, understanding of processes, risk management, and others can contribute to IAFs being seen as a ‘trusted advisor’.
Literature indicates that the use of non-auditors has the potential to impair independence of the IAF and impair objectivity of the (non-) internal auditor (
“Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.”
“Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.”
The concept of independence is tied to the IAF whereas the concept of objectivity is tied to the Internal Auditor.
Non-auditors (specifically rotational auditors) work in the IAF for a specific period with the goal of moving on to a different (possibly managerial) position in the organization. As part of their internal audit assignment they might have to audit the managers that are considering them for a future role. This can expose the non-auditor to social pressures and economic interests that threaten objectivity. Prior research using experiments has demonstrated this for rotational auditors (
Regarding external non-auditors different dynamics are in play (Mukabo 2019). As they are not employees of the organization, they do not face the same social pressure and economic interest, thereby being more independent than in-house internal auditors (
Other research demonstrates independence impairments of internal auditors’ risk assessments. IAFs without rotational auditors perform risk assessments that do not significantly differ when sending reports to senior management versus sending reports to the audit committee. A difference does occur when the IAF contains rotational auditors: internal auditors’ risk assessments contain significantly lower risks when the IAF reports to senior management than when the IAF reports to the audit committee. Additionally, when the IAF does contain rotational auditors, the internal auditor provides judgments more aligned with management’s preferences than when no rotational auditors are present (
A third topic briefly coming forward in both literature and IIA’s IPPF and IIA NL’s CPP event is the selection and reward of non-auditors. Prior research has been conducted around the factors influencing the recruitment of business professionals into internal audit (
The central question answered in this research is
“What are better practices in working with non-auditors in the internal audit function, to benefit the IAF, non-auditor and organization?”
Based on the three topics identified above three sub-questions are formulated:
This study is explorative: it aims to explore the Internal Audit field and present better practices around using non-auditors in the IAF. The better practices have been gathered using two sources:
The results of the study of academic research were combined to develop the literature analysis presented in section 2 and to develop an interview guide to structure the interviews. Both the academic research as well as the interviews brought forward better practices in working with non-auditors.
We searched SSRN and Google Scholar databases with a wide range of search terms around internal auditing and the different kinds of auditors. The search resulted in a series of articles found in different publications related to business, organizations and (management) accounting. We have carefully studied the articles and used relevant elements in both section 2 and section 4.
The goal of the interviews was to provide real-life examples when engaging non-auditors. Qualitative data was collected using a semi-structured interview approach with an interview guide prepared to provide focus during the interviews. This approach allowed for rich data to be collected. The interviews have been transcribed in a summarized form and validated with the interviewees to ensure correctness. The interviews have thereafter been coded and analyzed. The results of the interviews and analysis are presented in anonymous form on request of (several of) the interviewees.
We have approached IAFs that make use of non-auditors. The IAFs were found via personal connections of the authors as well as via IIA Netherlands and its committee of professional practices. We were introduced either via intermediaries or by contacting interviewees directly (by e-mail / LinkedIn).
Interviewees all worked as internal auditors within IAFs or recently (within the last six months) left an IAF. A majority of the interviewees were Chief Audit Executives, others were mostly working as professional practice representatives.
A total of 19 interviews were conducted within 17 different organizations. We deliberately targeted organizations in a diverse range of sectors (including but not limited to financial services, manufacturing, professional services, fast-moving consumer goods, semi-governmental, construction and natural resources). The size of the IAFs ranged from fewer than 10 FTEs up to several hundred FTEs employed. In our interviews we found examples of all types of non-auditors active. We noted a relatively even split between the use of rotational auditors, guest auditors, and subject matter experts.
Interviews offered insight into the practices IAFs developed to manage non-auditors and the associated risks and to ensure that non-auditors are value adding to the audit function. The research shows there is no ‘one-size-fits-all’ approach. Size of the IAF seems to matter: bigger IAFs have more formalized ways of working than smaller ones. No clear differences between industries were identified.
The literature studied showed a negative link between the use of non-auditors (rotational auditors) and the effectiveness and quality of the internal audits performed. Interviewees consistently had an opposite perception of this link: they indicated that the use of non-auditors increases the quality and effectiveness of the IAF. They stated that the increase in organizational knowledge and internal audit team expertise ensures the internal audit team includes the relevant organizational/business context, provides useful recommendations to findings and thereby improves acceptance of the internal audit work. A possible explanation can be found in the kind and scope of internal audit work performed: the literature focused on financial reporting while the interviews in this study focused on operational audits.
The literature review revealed the following measures used to mitigate competency and quality related risks:
During the interviews respondents shared the practices and controls they put in place when engaging non-auditors to mitigate these risks and overcome the associated challenges. The five measures identified are shown in Table
Better Practices around competence and quality of non-auditors.
Better practice | Rotational auditor | Guest auditor | SME |
---|---|---|---|
Consistency and continuity of IA supervision* | X | X | X |
Limiting the use of non-auditors to specific phases of the audit* | X | X | X |
On-boarding training and welcome packs | X | X | X |
Training courses (ongoing) | X | X | |
Knowledge sharing and on-the-job learning | X | X | X |
Each of these five measures is equally applicable for rotational, guest, and SME non-auditors. Regarding ongoing training courses for SMEs, differences arise: some IAFs make use of them while others do not. Due to the specialized nature of their contribution, and the relatively high cost, it may not be cost effective for all IAFs to require SMEs to follow training courses.
The literature review reveals that supervision, including quality review, training, as well as training and mentoring on the job all contribute to improved audit competency and quality of audit outputs by non-auditors. These factors were confirmed by our interviews as well. Key elements of IA supervision mentioned during the interviews include the following tips:
To reduce the risk of compromises to audit quality some IAFs allocate non-auditors to specific audit activities such as audit execution (fieldwork). Other audit activities are taken on by core internal auditors. Such activities include: final say on audit scoping, communications with higher profile stakeholders, report editing and drafting, and remediation monitoring. Some interviewees stated that guest auditors are best allocated to tasks and responsibilities in line with their strengths, which may include key language skills, business knowledge and subject matter expertise, rather than the full spectrum of audit activities. Typically these strengths are used more in direct interactions with auditees, for example in interviews and closing/report meetings, than in ‘behind-the-scenes’ work such as internal audit file work or testing of documentation.
The most commonly cited means to improve non-auditor audit competency and thereby mitigate quality risks is to deploy on-boarding training for non-auditors. Interviewees cited the following topics as typically covered in on-boarding classroom trainings:
Such on-boardings are designed to provide a crash course to non-auditors and ensure that the most critical elements of audit techniques are covered prior to handing over responsibilities to the non-auditors. The length of on-boarding training differs between IAFs from (part of) a day up until a week.
The amount of formalization differs per IAF, with larger IAFs having a more structural training developed and held on fixed periods in time, while smaller IAFs use less formalized methods.
Similar to the on-boarding packs, interviewees also shared examples of ongoing training, particularly for rotational auditors and guest auditors that are engaged for longer periods of time (longer than 1 year). Examples of such trainings include summer training programs, annual team learning events, and IIA hosted events. Here again the primary aim of these training courses for non-auditors is to bring them up to speed on the latest and most critical Internal Audit techniques required for the non-auditors to deliver quality audit outputs. The length of the training course again differs per IAF, ranging from (part of) a day up until a week.
Interviewees also cited the use of SharePoint and other knowledge sharing portals specifically established for non-auditors to share knowledge, tips and tricks with each other. Such portals aim to provide non-auditors with a forum to collaborate and share better practices. Non-auditors are often well placed to provide training to each other given the similarity of their circumstances, and may, in some cases, be the ideal candidates to know what information is most helpful to another non-auditor at a given stage in their IA development.
This section provides the answer to the second research question: What are the better practice controls to mitigate the risk of impaired independence/objectivity of the IAF and non-auditors in the audit?
Based on our literature review we identified the following mitigating measures:
During our interviews we identified the measures included in Table
Better Practices around independence and objectivity of non-auditors.
Better practice | Rotational auditor | Guest auditor | SME |
---|---|---|---|
Creation of awareness | X | X | X |
Openness about career developments | X | X | X (internal) |
IAF leadership involvement | X | X | X |
Supervision / review by lead auditor* | X | X | X |
Explicit adoption of IIA Code of Ethics | X | X | X |
(Annual) Independence declarations* | X | ||
Independence confirmation letter per audit* | X | X | |
Application of cooling-off period* | X | ||
Limitation of audit areas/locations* | X | X | |
Clear communication on role models | X | ||
Audit evaluations | X | ||
External sourcing * | X | X |
Audit Committee oversight and limiting the use of non-auditors to specific phases of the audit were not mentioned during our interviews, probably as IAFs are less aware of the mitigating effect of these measures. Specifically with respect to the involvement of non-auditors in the audit execution, most interviewees indicated that they do not apply restrictions; on the contrary, non-auditors are usually used throughout the entire internal audit process to harmonize ways of working and optimize the outcome of the internal audit.
During our interviews we identified mitigating measures applying to all types of non-auditors, as well as measures specifically applying to rotational auditors on the one hand or guest auditors and SMEs on the other hand.
We identified several better practices that can be used to prevent the impairment of independence or objectivity of non-auditors independent of the type of non-auditor (see Table
Several interviewees indicated the importance of continuous and open discussions to be held to ensure adequate mindset regarding objectivity and independence. They require audit team members to challenge each other on an independent and objective mindset and behavior during all phases of the audit. It needs to be clear to all team members that no close relations or career perspectives may be at play to adequately ensure independence and objectivity.
In another IAF open and regular communication about the (non)auditor’s next envisioned career steps outside of the IAF is used to prevent impairment of independence and objectivity. Such measure may be less effective in case of external guest auditors and/or SMEs.
One IAF representative stressed that an independent and objective mindset is not only an individual responsibility; ensuring independence and objectivity ultimately is leadership’s responsibility. Therefore staff should be encouraged to approach leadership in case they encounter potential independence issues. It takes a joint effort from the CAE and each (non)auditor to adequately manage objectivity/independence issues.
Literature as well as our interviews revealed that possible impairment to objectivity may be prevented by having the lead auditor, who is part of the IAF’s core team or a permanent IAF staff member, review the work performed by the non-auditor. Not placing the overall responsibility for the audit with the (temporary) non-auditor may be a good measure to mitigate possible independence/objectivity impairments.
Some interviewees indicated that they prevent limitations to independence/objectivity by requiring non-auditors to explicitly confirm that they will adopt the IIA Code of Ethics.
The following better practices have been identified specifically with respect to rotational auditors.
Literature as well as interviews indicate that independence/objectivity may be ensured by requesting rotational auditors to sign an independence declaration when starting within the IAF as well as asking for a periodic (for example annual) reconfirmation and/or an ad hoc reconfirmation in case of any changes. With these declarations rotational auditors explicitly confirm that their objectivity and independence are not at stake due to prior work and/or close relationships.
Strict application of a general rule prohibiting rotational auditors from auditing the area where they have been working previously for a certain period of time (for example 1 year) may ensure independence/objectivity according to literature, the IPPF (1 year) and information provided during our interviews.
A better practice was identified with respect to open communication on the fact that rotational auditors who critically challenged the status quo during their audits, or performed audits with great impact, were more likely than not able to obtain desirable management positions after rotating back into the business. This better practice may mitigate the risk that rotational auditors are tempted to be less objective during their audits in order not to endanger future career opportunities.
One IAF prevents impairment of independence/objectivity by conducting feedback sessions after every audit. In these sessions rotational auditors are challenged on their decisions by their peers.
We noted that often the same better practices applied with respect to guest auditors and SMEs, probably as both types of non-auditors are working within the IAF for only a short period of time.
Several interviewees stated that guest auditors and SMEs are requested to sign a letter declaring that no conflict of interest applies with respect to the audit they will be involved in, for example no prior work history and/or personal relationships etc. in order to safeguard independence/objectivity.
Several IAF representatives mentioned that strict application of a general rule prohibiting guest auditors and/or SMEs from participating in audits of the department or processes they work for may ensure independence/objectivity.
IAF representatives of smaller organizations indicated that internal staffing with guest auditors or SMEs often cannot be arranged due to independence and objectivity limitations. Their solution to this problem was hiring external resources (external guest auditors and/or external SMEs). A fresh pair of eyes from an outsider, not involved in the processes or departments to be audited, can operate more independently and objectively.
In this section we will answer the third research question: What are better practices around the selection and evaluation of non-auditors in the IAF?
For many IAFs attracting suitable candidates is a challenge. In literature hiring practices are described. The different better practices that were mentioned during our interviews are summarized in Table
Better Practices around selection and reward of non-auditors.
Better practice | Rotational auditor | Guest auditor | SME |
---|---|---|---|
Structural implementation of a rotational audit model | x | ||
Close relationships throughout the organization | x | x | x |
Leadership commitment | x | ||
Offer good roles in the business | x | ||
Maintain an actual knowledge-expertise matrix | x | x | x |
Align recruitment of non-auditors with organizations’ practices | x | x | x |
Internalize subject matter expertise in the IAF | x | ||
Evaluate rotational auditors in the same way as auditors | x | ||
Define criteria to evaluate guest auditors and SMEs on a case-by-case basis | x | x |
During our interviews we noted a limited number of IAFs that applied rotational auditors as a general way of working (100% rotational internal auditors). The majority of IAFs interviewed engaged rotational auditors more on an occasional basis driven by career paths of individuals. Some IAF representatives indicated that a more structural application of a rotation model could be beneficial, even if this would mean ‘accepting’ a higher turnover rate. To make the rotational model work one should consider the ‘inflow’ as well as the ‘outflow’.
To select and recruit capable non-auditors to join the IAF, several interviewees indicated that keeping close relationships within the organization is a key factor for success. Future guest auditors, SMEs or rotational auditors can come from these audited departments. A better practice identified is the sharing of IAF vacancies with these departments.
Interviews revealed that commitment from senior leadership is important to the successful implementation of a rotational auditor program.
Other IAF representatives indicated that it is important to adequately manage the outflow from IAF after the rotational period, in order to attract good candidates. Maintaining good relationships with HR and the business ensures that rotational auditors leave the IAF into roles in line with their career path.
Another better practice identified relates to the establishment of a knowledge-expertise matrix. By this the IAF can clearly communicate what kind of SME areas are required. This instrument is considered very helpful for recruitment and back-up purposes.
IAF representatives indicated that it is considered important to have a formalized process in place with the involvement of HR when engaging non-auditors.
Some IAFs we have interviewed had internalized SMEs permanently into the IAF. This better practice might be feasible for larger IAFs only. This holds for both expert knowledge (for example about the applicable regulations) and business knowledge (for example about the applicable markets for the organization).
Most interviewees stated that they evaluate rotational auditors in the same way as auditors by using common evaluation processes and KPIs. Some IAFs vary based on the role of the non-auditor during the audit, for example if non-auditors are not involved throughout the entire audit.
IAF representatives indicated that the contribution expected of the non-auditor should be made transparent before the start of the audit. The related evaluation criterion should be defined on a case-by-case basis and evaluated at the end of the audit.
Internal audit functions globally increasingly include non-auditors in audit teams to increase quality and to be able to quickly adapt to organizational developments. This brings several advantages to the IAF, the non-auditor as well as the organization (see Table
This research provides better practices around the use of non-auditors in internal audits, measures that can support IAFs in successfully implementing a non-auditor model. The measures are based on academic literature and real-life examples of IAFs successfully working with a non-auditor model.
The measures were presented around three topics: competence and quality, independence and objectivity, and selection and reward. Supervision, specific use of non-auditors and classroom training are examples of better practices around competence and quality. To ensure independence and objectivity multiple better practices were shared, including openly addressing the topics, clear supervision and explicit adoption of the IIA’s Code of Ethics. Other measures were identified related to specific types of non-auditors (rotational auditors, guest auditors and subject matter experts). Finally, to optimize selection and reward of non-auditors IAFs use both formal (aligning recruitment practices with the organizations’ practices) and informal (maintaining close relationships with leaders across the organization) methods. Additionally, specific measures can be used for specific kinds of non-auditors.
The research is partly based on interviews with representatives of IAFs. The information provided in these interviews was not validated by studying additional documentation such as Internal Audit Charters or Internal Audit Manuals. Further research could add this to validate and enrich the measures included in this article.
While the project team has attempted to ensure a broad applicability of results by selecting a diverse range of IAFs, time and resources constraints limited the team to 17 organizations. A larger sample of organizations could further validate and extend the results.
The IAFs interviewed were all (partially) based within The Netherlands, though multiple of the selected organizations also operate abroad. Selecting a different geography might impact results.
The goal of the research was to provide better practices regarding the use of non-auditors; it did not intend to extensively research when and why non-auditors are used. This too could be an interesting area for further research.
The definition of non-auditors used in this study led to discussions with several interviewees and revealed there is no clear consensus between IAFs on how to define non-auditors. The terms rotational auditor, guest auditor and SME are widely known and in use by internal audit functions, yet often mean different things. While the definitions used in this research attempt to be exhaustive and complete, we noted several examples of non-auditors during the interviews that challenge the definitions used here. Further work could be done to detail/fine-tune the definitions.
Mr. drs. G. Hendrix RO is Internal Audit Leader at IKEA and member of the IIA Netherlands’ committee of Professional Practices (CPP).
Drs. J. Wai RO is a manager in EY’s Internal Audit & Risk Analytics Team and ex-committee member of the IIA Young Professionals.
Drs. J. Tjin A Sioe AAG is working as Internal Auditor at Audit a.s.r. Nederland N.V.
Drs. M. Hener-Schaminée RA EMC is working as Senior Manager at KPMG Advisory, Internal Audit, Risk & Compliance Services.
Drs. W. Ottema RC RO CIA is working as Auditor in the expertise pool Risk Management & Treasury at Rabobank.
See for example the Implementation Guidance for Standard 2030 and 2230.
IIA’s International Standards for the Professional Practice of Internal Auditing, Standard 1100.