Applying internal audit resources Internal audit needs to make sure that the resources it has are sufficient to meet the expectations of the audit committee. This requires careful planning and a realistic view of the budget and skills that the audit function has. BT 4 Telecoms provider BT's director of internal audit and enterprise risk management James Grigor sets out how he ensures the function's activities are properly resourced British Telecom (BT) is the UK's largest communications service company. It has an annual revenue of 20bn and employs over 90,000 people, with customers in more than 170 countries. Over 60% of Fortune 500 companies including Google, Microsoft and Pepsi use BT's networked IT services. James Grigor joined BT as director of internal audit in 2007. He has a team of 67 internal auditors who are all based in the UK. They carry out operational audits and review work primarily in the UK, Europe, and North America, while Big Four accountancy firm Ernst & Young performs much of the internal audit work for the group's operations in Latin America, Middle East and Africa, and Asia Pacific through three regionally based co-sourcing agreements. These reviews are overseen by BT internal audit and follow the same methodology that the function employs in all its reviews. Over the past five years the number of BT internal auditors has reduced slightly, though the use of co-sourcing has risen. Two years ago BT's internal audit department changed its operating structure. Previously, the internal audit function had been aligned "vertically" with each of BT's six lines of business (Openreach, Retail, Global Services, Wholesale, BT Innovate and Design, and BT Operate). This meant that the function was effectively split into six different sections so that there was a dedicated - and separate - internal audit team for each of these business areas, plus a "It would be impossible to allocate internal audit resources to every project in BT" - James Grigor, BT finance team and a general internal audit team that carried out reviews across the group. A potential problem with such an approach was that internal audit's expertise could become "siloed", meaning that operational expertise and key skills were not being shared between the different internal audit teams. It also meant that work was being duplicated, and resources were being mis-spent. Grigor rearranged the internal audit function's structure so that it was aligned "horizontally" across the organisation. For example, the same internal audit team now conducts all reviews of billing systems in any of the lines of business: in the past this would have involved several teams each reviewing their own discrete area. Grigor has also overhauled the function's "audit universe" to provide a clearer idea of each of the auditable entities that internal audit should be covering and the extent of coverage, as well as risks that may be emerging. Grigor found that due to the way it had been designed and maintained, the previous audit universe was not working effectively, had become unwieldy, and had a lot of duplication of work. "BT had been through a major acquisition drive in the decade before I joined, and internal audit had not kept pace with all the overseas assets that the company had bought. As a result, audit coverage in some areas was not good enough," says Grigor. "We didn't seem to have an overall perspective of what entities needed reviewing, Practical advice for applying internal audit's resources 1 Ensure that the internal audit function has the right development practices and the right mix of people-headcount is just a number. 2 Ensure that sound recruitment processes for the internal audit team are in place. Be clear about the skills that are required and that the people recruited have them: recruitment is the most important management activity that any head of internal audit will carry out. 3 Equip the people in the function with the right tools to do the job. Are they working efficiently and effectively? What controls and procedures are in place to check? 4 Minimise areas of duplication in the work that internal audit does, as well as other assurance providers to the business. 5 Learn from the best practices being used by external or other assurance providers, such as external consultants and the Big Four accounting firms. 6 Internal audit must check its own performance as well as the departments it audits: is the feedback from customers and stakeholders good? Does the executive team value internal audit's contribution? How is feedback monitored, measured and reported? what their prioritisation should be, and what the Budgeting work days emerging risks were. Since reviewing our audit universe we have found that we have identified around 600 entities - before the review, due to duplication, it was 6,000," says Grigor. According to Grigor, the re-organisation of the internal audit function has improved coverage and led to a better use of resources, even with a slightly reduced headcount. Given the global reach of BT's activities, its six lines of business, and the number of projects that the group is involved in, the internal audit function's resources have to be budgeted and accounted for carefully. "It would be impossible to allocate internal audit resources to every project in BT," says Grigor. "Instead, we audit the overarching processes for the delivery systems and check the over-riding governance behind these decision-making processes rather than attempt to review the execution of each individual project," he adds. Internal audit's work - which follows a risk- based approach - is planned annually and is subject to quarterly review. This allows Grigor to review the audit plan and to re- balance resources if necessary, including additional co-sourcing arrangements. Presently, 54% of the function's time is aligned with the organisation's key risks. Of that, around 20% of internal audit's budgeted days are spent on reviewing financial, governance and regulatory risks: 15% of the function's allocated days is spent looking at contract management and how customer complaints and delivery failures are dealt with, and controls preventing information security breaches and service interruption. Compliance with the US Sarbanes-Oxley Act (SOX) which aims to improve corporate governance and foster better internal control and which is a regulatory requirement for companies with a US-listing-remains a key area for internal audit: about 10% of 5 6 the function's resource is spent on SOX reviews, and that is unlikely to decrease. A significant focus of BT's internal audit resource strategy is devoted to training and development. "When I joined BT in 2007 the internal audit team was largely made up of 'generalists' with around one quarter of the team holding a professional qualification. Since then, we have established a strong IT and technology capability and a strong finance team. We have made a firm commitment to train and upskill our people: presently, 60% of the team have professional qualifications in either internal auditing (Chartered Institute of Internal Auditors), or IT or accountancy," says Grigor. The investment in training means that it is quite rare that the internal audit function requires a skillset that it does not have in- house. "If we need other expertise, then we will look for it inside the business first or buy it in from one of our co-sourcers," says Grigor. "We have not historically seconded internal auditors and put them into the business to learn skills: the opportunity for such short- term roles does not often arise. However, we see increasing numbers of our team moving into permanent roles elsewhere within BT where their risk and control disciplines can be used to great effect," he says. Assurance vs consultancy In recent years the internal audit function has been asked to provide assurance Useful professional guidance The general principles regarding what resources are needed and how to apply them are set out in Standard 2030: Resource Management in the International Standards for the Professional Practice of Internal Auditing (http://bit.ly/LxM19A). Practice Advisory 2030-1 states that the level of resource should be related to the nature and extent of assurance the audit committee and senior managers want (http://bit.ly/K7NMNh). The Chartered Institute of Internal Auditors' professional qualifications also highlight issues surrounding assurance needs and consultancy services, as does its learning materials. For example, M3 Learning Text-Topic 8 (on internal audit's varied roles) - includes a section on the scope of consultancy work. Visit www.iia.org.uk for more information, including the "Knowledge Centre", which contains a wide range of resources on risk management and internal auditing. "It is important to understand how internal audit functions in other organisations operate, including how they apply their resources, so that we can learn from their best practices" - James Grigor, BT on a wider range of risks and business areas as the executive team has realised the value of the work it carries out. However - with the agreement of the audit committee Grigor says that the function's primary role is to serve the business as assurance providers; any consultancy work that internal audit carries out is secondary to its core focus. "We have three criteria that need to be satisfied if we are going to carry out consultancy work," says Grigor. "Firstly, the work we are being asked to do needs to materially impact the business. Secondly, we must have the skills within the team to be able to carry out the work. And thirdly, we must be able to have the time to do the work without jeopardising our activities in the core assurance programme," he adds. Grigor says that the key to maximising one's resources properly is about using the skills of the team rather than just following an approach. He also says that it is also important that the internal audit team learns from its own experience; not just from changes or challenges team members have faced in BT, but from the organisations where they were previously employed and the best practices that they adopted there. It is also important to learn from external sources, says Grigor. This can include the practices that the Big Four accountancy firms carry out, professional guidance issued by the Chartered Institute of Internal Auditors and other bodies, as well as presentations given by other heads of internal audit at conferences. BT's internal audit function has a Practice Office of five people that regularly reviews best practice in its own operations, but also reviews what other internal audit departments and external assurers are doing, as well as ensuring that the guidance and standards of the CIIA are observed. This team also undertakes the quality assurance review of the internal audit team's own output. "It is important to understand how internal audit functions in other organisations operate, including how they apply their resources, so that we can learn from their best practices. This will help foster a culture. of continuous improvement," says Grigor.