News
The Ideal Number of Employees of Internal Audit Departments
24-Feb-2022
By: Alaa Abdul Aziz Abu Naba’a
MACC, CIA, CPA, CRMA, CICP / Expert in Internal Auditing, Control, and Governance
Kuwait
Every now and then, I receive inquiries from board members, committee members, executives, and colleagues working in internal auditing or HR consultations about the ideal number of employees in the internal audit departments. As far as I know, this topic was not addressed in any Arab studies before, however, there are periodic statistical studies about the number of auditors in specific sectors published by associations specialized in internal auditing, such as the Association of College and University Auditors (ACUA), and the Association of Healthcare Internal Auditors (AHIA) in the USA. Certainly, the presence of specialized professional associations in internal auditing for a certain sector, and the studies such associations conduct to address various professional aspects, will be positively reflected on the internal auditing practices in that specific sector.
In this article, I will highlight the issues that should be considered in making decisions about the number of employees of internal audit departments.
The cart before the horse, but!
Typically, the need for internal audit assurance services and consultation services stems from stakeholders; it is expected that the activity of the internal auditing will add value by fulfilling the needs of the stakeholders. However, the complexities of the institutional work might make it difficult to find an objective measure to translate these needs, and certainly, the success of provision of such services is linked to the competence of internal auditors (their practical expertise, knowledge, and skills) and the tools and means available to the auditors rather than their number. Nevertheless, there are some direct and indirect factors that could- in my opinion- affect the decision of determining the number of the employees in the internal audit department, such as:
-
The level of complexity and diversity of the operations of the organization and its products/ services, the level of maturity of the administrative work (planning, organization, direction, and control), and the organization’s responsiveness to the changes in its internal and external work environment.
-
The phase in which the organization is, in the lifecycle of organizations, as the lifecycle of organizations includes the following five stages: The establishment and construction stage, the growth stage, the stability and maturity stage, the renovation and innovation stage, and the stage of decline.
-
The organizational level of the sector in which the organization operates (a central bank or a stock market institution, etc.).
-
The maturity level of the corporate governance system in the organization and the regulatory requirements imposed on it, as well as the level of the stakeholders’ expectations from the internal audit activity.
-
The organizational structure of the organization and the centralization or decentralization of authorities and responsibilities. Generally, the centralization or decentralization level in the organization depends on the geographical location of the organization’s operations, and the concentration of jobs in one or more departments.
-
The level of maturity of the internal audit activities and the level of the previous experience of the employees in the work of the organization. The Institute of Internal Auditors (IIA) defined five levels of maturity of the internal audit activities: Initial, repeatable, defined, managed, and optimized.
-
The level of maturity and effectiveness of the risk management processes in the organization, the level of internal and external risks to which the organization is exposed, and the risk appetite of the senior management of the organization.
-
The level of maturity and effectiveness of the internal audit system in the organization, and the level of effectiveness of the tools that the organization uses to prevent and detect internal and external fraud. In my opinion, investing in an internal audit system will reduce the costs of internal control activities (such as the internal audit activities, compliance, and risk management) and external activities (such as accounts auditing).
-
The existence of other internal control departments within the organization, and the level of coordination between the external consultation bodies and the internal control departments that provide assurance and consultation services to the organization, to provide the needed coverage to the work performed and avoid the duplication of efforts. Usually, the coordination process differs from one organization to another, in small businesses; the coordination may be less formal, while in large organizations, which are subject to robust disciplinary rules, the coordination may be formal and complex.
-
The level of maturity and integration of the IT systems used in the organization, and the level of intelligence that is built on the data analysis.
-
The competencies and the number of members of the audit committee, the effectiveness level of the committee, and the frequency of its annual meetings.
-
The alternatives available for the senior management of the organization to provide the human resources needed for the internal audit, for example, full outsourcing, co-sourcing, or the full dependence on the internal employees of the organization (in-house). Each alternative has its own pros and cons that should be periodically and objectively assessed because what was suitable in the past might not be suitable today, and what is suitable today may not be suitable for the future.
-
The documentation level of all the systems, policies, and procedures of the organization and providing training courses to all employees on them.
The Factors that Do Not Materially Affect the Number of Employees in the Internal Audit Departments
In my opinion, the direct and indirect factors that are expected to not materially affect the determination of the number of internal audit department’s employees include:
-
The size of the organization.
-
The profitability level or the soundness of the financial position of the organization. Some may think that sacrificing assurance activities is appropriate to save costs; this is a common mistake because these activities may produce recommendations that increase the efficiency of operations and/or reduce or detect undue waste.
-
The absence of an audit committee and/or the presence of other oversight committees of the Board of Directors, such as the Risk Management Committee and the Compliance Committee.
-
The number of employees of the organization, and the average ratio of the number of employees of internal audit departments to the total number of employees of the organization in the sector in which the organization operates.
The internal audit standard No. 2030 indicated that the chief audit executive must ensure that internal audit resources are appropriate, (i.e., he/she has a combination of the necessary competencies to implement the approved internal audit plan); sufficient (regarding the amount of the resources needed to implement the plan), and effectively deployed to achieve the approved plan, (i.e., adopts the optimal method to implement the plan).
In conclusion, for researchers who wish to obtain a higher degree or a promotion, I recommend choosing a research topic about internal auditing or corporate governance. Regarding the control and supervisory bodies, such as central banks and capital markets authorities, I recommend that they should not only focus on the competencies of the chief executive internal auditor and the members of internal audit committees as they mostly do, or on the outsourcing contracts of the internal audit departments (if any) as some of these bodies do, but rather focus on the competencies of the rest of the internal audit members, and on the suitability of their numbers for the organizations that are subject to the control and/or supervision of such authorities.