Summary

Many companies are asking more of their internal auditors, particularly with risk assessment and process improvement, and internal audit departments often lack expertise in those areas.  Unfortunately, the article fails to address three key issues:

1.  Even when internal auditors possess process improvement, risk assessment or fraud detection skills, they often lack the industry or sub-industry expertise necessary to allow them to identify red flags or know best practices.
2.  Many firms have no internal audit function whatsoever, nor do they engage any external providers to assist with such reviews.  This is particularly true in the hedge fund business, one of the leading industries to hit the headlines this year.
3.  Staff turnover with internal and external auditors increases the chances that risk points are missed.

Analysis

Particularly within financial services, though I am confident this extends to other sectors, instruments, processes, systems and regulations have become so complex that it is unrealistic to expect that an internal audit department will possess the skills necessary to make enterprise risk assessments or process improvement recommendations.  Not only do such auditors require specialized experience and skills in areas such as fraud detection, process improvement or risk assessment, but to be effective, they need significant domain experience in the area under review.  So, for example, to have an internal auditor for a bank review the investment management subsidiary is an invitation to ensure process improvements will be marginal at best.  Even if one were to utilize an investment management specialist, often the internal auditor lacks the requisite skills and expertise to improve trade settlement processes, disaster recovery procedures and investment guideline compliance monitoring.

As a specialist in operations and technology for investment managers and hedge funds, I can say with first-hand knowledge that many such firms have no internal audit function whatsoever and that external auditing often is limited to funds (mutual funds, private equity funds and hedge funds) and the corporate books of the firm.  This leaves out separate accounts (choice du jour for many institutions seeking to make investments with hedge funds) and SMA ('wrap') accounts.  Furthermore, these organizations often lack a culture that would support an internal audit function.

Finally, high levels of staff turnover with large external audit firms (and often internal audit departments) increase auditing timelines and costs (when each new crop of auditors must be re-trained in current process and procedure), allow potential issues to fall between the cracks from one year to the next and contribute to auditors' failure to provide value.

All this speaks to increased use of external, specialist firms to provide operational and risk audits.  Greater demand for operational due diligence is only beginning.  Any due diligence review performed on one's own organization should include a risk assessment and process improvement recommendations.  Insurance coverage issues are likely to arise for those performing due diligence, as well as those who engage (or elect not to engage) an appropriate audit of their operations by qualified staff.  Further, implementation of (or failure to follow) such recommendations will become risk points as well.

And for those who think SAS 70 already addresses this, think again.  A SAS 70 will describe one's processes - good or bad.  It does not indicate whether processes are necessarily effective or best practice.


This author consults with leading institutions through GLG

Analyses are solely the work of the authors and have not been edited or endorsed by GLG.