Since 2002, when Congress passed the Sarbanes-Oxley Act (widely known as SOX) in the wake of several high-profile corporate accounting scandals, the size of companies’ internal audit functions—the number of employees and amount of resources they devote to internal auditing—has grown considerably. As a result of SOX, top management must certify the accuracy of their companies’ financial reports, penalties for fraudulent financial activity are more severe, and the outside auditors who review the accuracy of corporate financial statements have more independence.
In the first few years, the learning curve was steep as companies adapted to this new era in financial reporting, developing new processes and working to determine the optimal staff size for their internal audit functions going forward. Now, a decade later, this field has reached an equilibrium that allowed us to study best practices in internal auditing.
With collaborators, I developed a model for determining the ideal size for a company’s internal audit function. The Institute of Internal Auditors (IIA) now sells a Web-based utility that uses our model. Companies can plug in facts and figures from their organizational profile and get a recommendation for how many internal auditors they should have on staff.
In a recently published study, we investigated what factors seemed to go along with optimal internal audit size: for companies that had found their optimal internal audit function size, how were they conducting their internal audits? We sought to develop a list of best practices that went beyond the mere number of people working on internal audit tasks.
In interviews with the chief audit executives of 12 organizations and in a survey of the IIA membership, we asked about factors we believed to be related to the size of the internal audit function, including experience level and qualifications of audit staff, the scope of auditing activities a company carries out, and the use of technology in internal auditing. Our analysis led us to the following main findings.
The optimal internal audit size for a company depends in part on company characteristics. As expected, we found that larger companies had larger internal audit functions. We also found that the more foreign subsidiaries a company had, the larger its auditing function—understandable, since having these foreign subsidiaries introduces complexity and risk.
We also expected that audit function size would depend on the experience and qualifications of the employees working in that function. Indeed, we found that for companies where a high percentage of employees in this department were Certified Internal Auditors, the audit function was smaller, reflecting the efficiencies created by the certified auditors’ expertise. In companies that used a rotational staffing model in which employees work as internal auditors for a limited time as part of organizational leadership training, the internal audit function was larger. Companies sometimes hire outside help to conduct part of their assurance and compliance activities, and, as expected, companies that used outsourcing in this way had fewer permanent internal audit employees.
When a company’s leadership believes compliance is important, then more resources will be devoted to it. We found that companies that hired more experienced chief audit executives—indicating a commitment to quality—also had larger internal audit functions. We predicted, and found, that companies that invest in auditing technology would also have more internal audit employees. In addition, we found that the companies whose audit committees (a subcommittee of the board of directors) had the best governance practices—larger committee size, more frequent meetings, and direct authority to approve the internal audit budget—also had larger internal audit functions.
Lastly, the scope of the audit itself makes a difference. Some companies conduct information technology auditing, such as compliance with confidentiality and privacy practices; as we expected, companies that included this additional function had more employees working to conduct their internal audits.
With my colleagues (who include Professor Emeritus Larry Rittenberg), I am proud to say that this study won the Best Paper Award for 2013 from Accounting Horizons, a journal of the American Accounting Association. I believe this is because our study helps companies to determine not only the ideal number of internal auditing employees for their company, but also how to structure those employees’ jobs, as well as other organizational reforms that strengthen internal controls for corporate governance that functions well in protecting against fraud or acting quickly and ethically to expose it.
Categories: