What is the Correct Level of Resources for Your Team? - A Guide for Internal Audit Leaders
- David Tyler
- Apr 13
Updated: 7 days ago
As internal audit professionals, we understand the critical role we play in providing independent assurance and advisory services to our organisations. But how do we ensure our teams are adequately equipped to fulfil this mandate effectively? The Institute of Internal Auditors (IIA) Standard provides a clear starting point, stating that the internal audit activity's resources should be "appropriate to the nature and complexity of the organisation, the risks inherent in its activities, and the size of the organisation."
This guidance, while fundamental, leaves room for interpretation. Determining the "correct" level of resources – be it headcount, budget for technology, training, or external expertise – requires careful consideration and a collaborative approach between the Head of Internal Audit (HIA) and the Audit Committee.
So, how should the HIA and the Audit Committee navigate this crucial decision? Let's delve into the key factors and steps involved.
Understanding the Foundation: Nature, Complexity, Size, and Risk
The IIA Standard rightly emphasises these four pillars. Before even considering numbers, the HIA must thoroughly understand:
Nature of the Organisation: What industry does the organisation operate in? What are the key regulatory requirements it faces? Are there any unique operational characteristics that demand specific audit expertise? For example, a highly regulated financial institution will likely require a larger and more specialised internal audit team than a small, privately held manufacturing company.
Complexity of Operations: How geographically dispersed is the organisation? How intricate are its business processes and IT systems? Does it engage in complex financial instruments or international transactions? Higher complexity often translates to a broader scope of potential risks and a greater need for diverse skill sets within the internal audit team.
Organisation Size: While seemingly straightforward, size encompasses various aspects like revenue, number of employees, number of locations, and the volume of transactions. A larger organisation inherently has more activities to audit, demanding a correspondingly larger internal audit function.
Key Risks Identified by Internal Audit and Management: This is perhaps the most critical factor. The internal audit plan should be risk-based, focusing resources on the areas that pose the greatest threat to the organisation's objectives. This requires a robust risk assessment process involving both internal audit and management.
The Head of Internal Audit's Role in Determining Resource Needs
The HIA plays a pivotal role in assessing the appropriate resource level. This involves several key steps:
Conducting a Comprehensive Risk Assessment: The HIA, in collaboration with management, must lead a thorough risk assessment process to identify and prioritise the organisation's key risks. This assessment should consider strategic, operational, financial, compliance, and reputational risks.
Developing a Risk-Based Audit Plan: Based on the risk assessment, the HIA develops an audit plan outlining the specific audits and projects to be undertaken over a defined period. This plan should clearly articulate the scope and objectives of each engagement.
Assessing Current Team Capabilities and Identifying Gaps: The HIA needs to evaluate the existing skills and expertise within the internal audit team against the requirements of the audit plan. This includes identifying any skills gaps or the need for specialised knowledge in areas like IT audit, forensic accounting, or specific industry regulations.
Benchmarking Against Peers: The HIA should consider benchmarking the internal audit function's size and budget against comparable organisations in the same industry and of similar size and complexity. While not a definitive answer, benchmarking can provide valuable insights into typical resourcing levels.
Quantifying Resource Requirements: Based on the audit plan, skills assessment, and benchmarking, the HIA needs to quantify the required resources. This includes the number and level of internal auditors, the need for external consultants or co-sourcing arrangements, budget for audit software and technology, training and professional development, and travel expenses.
Articulating the Resource Request to the Audit Committee: The HIA must clearly and persuasively communicate the rationale behind the resource request to the Audit Committee. This should include a detailed explanation of how the requested resources will enable the internal audit team to effectively execute the risk-based audit plan and provide adequate assurance to the organisation.
The Audit Committee's Role in Overseeing Resource Allocation
The Audit Committee has a crucial oversight responsibility in ensuring the internal audit function is adequately resourced. Their role involves:
Understanding the Organisation's Risk Profile: The Audit Committee should have a strong understanding of the organisation's key risks and how internal audit contributes to mitigating those risks.
Evaluating the Adequacy of the Audit Plan: The Audit Committee should review and challenge the risk-based audit plan to ensure it appropriately addresses the identified key risks and aligns with the organisation's strategic objectives.
Challenging and Approving the Resource Request: The Audit Committee should critically evaluate the HIA's resource request, asking probing questions to understand the justification for the proposed resources. They need to balance the need for adequate resourcing with the organisation's overall financial constraints.
Monitoring the Performance of Internal Audit: The Audit Committee should regularly monitor the performance of the internal audit function, including its ability to execute the audit plan and provide valuable insights and recommendations. This can help identify if the current resource level is sufficient or if adjustments are needed.
Ensuring Independence and Objectivity: Adequate resourcing is crucial for maintaining the independence and objectivity of the internal audit function. The Audit Committee plays a key role in ensuring the HIA has the necessary resources to operate without undue influence or limitations.
A Collaborative Approach is Key
Determining the correct level of resources is not a unilateral decision. It requires open communication and collaboration between the HIA and the Audit Committee. The HIA should proactively engage with the Audit Committee throughout the process, providing regular updates on the risk assessment, audit plan, and resource needs. The Audit Committee, in turn, should provide constructive feedback and support the HIA in advocating for the necessary resources.
Conclusion: A Dynamic and Evolving Process
Ultimately, there is no magic formula for determining the "correct" level of resources for an internal audit team. It's a dynamic and evolving process that requires ongoing assessment and adjustment based on changes in the organisation's nature, complexity, size, and risk profile. By working collaboratively and thoughtfully considering the factors outlined in the IIA Standard, the HIA and the Audit Committee can ensure the internal audit function is adequately equipped to deliver its crucial mandate and contribute to the organisation's success.
Defining organisational complexity is crucial for effective risk management. It's not a single metric, but a multi-faceted assessment. Here's a framework:
1. Structural Complexity:
Hierarchy: Number of layers, span of control, and centralisation/decentralisation. A tall, highly centralised structure is complex in one way, while a flat, decentralised one presents different complexities.
Divisionalisation: Number and type of business units, geographic distribution, and interdependencies.
Formalisation: Extent of rules, procedures, and documentation. High formalisation can add complexity through bureaucracy.
Network Structure: The degree to which the organisation relies on external partnerships, alliances, or supply chain networks.
2. Operational Complexity:
Process Interdependencies: How tightly coupled are different processes? A highly interconnected system is more vulnerable to cascading failures.
Technology Integration: The number and diversity of IT systems, their integration, and reliance on technology. Legacy systems increase complexity.
Information Flows: The volume, velocity, and variety of information flowing through the organisation. Complex information flows can obscure risks.
Product/Service Portfolio: The diversity and complexity of products or services offered. A wider, more technically complex portfolio increases operational risk.
3. Dynamic Complexity:
Rate of Change: How rapidly is the organisation adapting to market changes, technological advancements, or regulatory shifts? Rapid change increases uncertainty.
External Environment: The volatility, uncertainty, complexity, and ambiguity (VUCA) of the industry and market.
Stakeholder Diversity: The number and variety of stakeholders, their conflicting interests, and the organisation's reliance on them.
Organisational Culture: The degree to which the culture encourages or discourages risk-taking, innovation, and adaptation.
4. Human/Social Complexity:
Workforce Diversity: The range of skills, experience, and cultural backgrounds within the workforce.
Communication Channels: The effectiveness of communication, both formal and informal.
Power Dynamics: The distribution of power and influence within the organisation.
Knowledge Management: How effectively the organisation captures, shares, and utilises knowledge.