Useful Tips
DO WE NEED AN INTERNAL AUDIT?
If your turnover is 100 million TL or more, you have 100 or more employees, your operations are carried out in more than one location, and your HR, finance, IT, operations, purchasing, sales and marketing departments are each run by separate, professional managers, it is useful to get internal audit services.
SHOULD WE CREATE INTERNAL AUDIT INTERNALLY OR OUTSOURCE?
Getting internal audit services from outside is called outsourcing, creating the function internally is called in-house, and getting services from a combined internal and external team is called cosourcing. All three approaches have benefits; what is decisive here is your structure, needs, budget and capabilities.
The most important thing to consider when outsourcing services is whether the consultants/internal auditors who will provide the service have industry and professional experience and international certificates.
SHOULD WE RECRUIT INTERNAL AUDITORS FROM OUTSIDE OR ASSIGN THEM FROM DIFFERENT POSITIONS INTERNALLY?
The following three characteristics should be sought in internal auditor candidates selected from inside the company: analytical thinking skills, communication skills and honesty. In addition, good financial management and/or operational experience should also be an important factor.
DO WE NEED INTERNAL CONTROL AND RISK MANAGEMENT, SHOULD WE ESTABLISH THESE SYSTEMS, WHAT KIND OF MODEL SHOULD WE APPLY IN THIS REGARD?
Every organization, from a one-person sole proprietorship to a multinational company of 390,000 people, should establish internal control and risk management processes. As the scales grow in the context of the factors I mentioned above, these processes need to be systematically considered around an international model (such as COSO). Internal control and risk management are among the basic business processes that need to be established and executed independently of scale. In other words, they are not optional, they are the basis of good governance.
The fact that you have internal control elements in your organization does not mean that you have an internal control system. This is often the main argument presented to us: "We have outputs of management systems, so we have an internal control system!" Having written procedures, job descriptions and organizational charts throughout the company does not mean that you have an internal control system. A COSO-based internal control system and its related processes involve much more than these, especially in the control environment and the information & communication components.
Without fully establishing the triple line, that is, without activating internal control and risk management, it is difficult to benefit from internal audit.
WHICH ONE SHOULD WE CREATE FIRST; INTERNAL CONTROL OR INTERNAL AUDIT?
Small and medium-sized companies should definitely start with internal control. If necessary, the internal audit can also be outsourced. At mid-upper and large scales, even if there is no COSO-based internal control, internal control structures or elements already exist, so we recommend that these companies start with internal audit and carry internal control and risk management to a systematic dimension under the guidance and leadership of internal audit.
Of course, we also have companies that approach us with a project to create both at the same time. We are carrying out this work very successfully, as long as there is awareness, desire and support in the board of directors and senior management.
Boards of Directors should know the difference between internal control and internal audit and define their needs correctly.
SHOULD WE CREATE THESE SYSTEMS BY TRAINING OR HIRING A PROFESSIONAL IN THE SUBJECT, OR SHOULD WE GET EXTERNAL EXPERT SUPPORT?
The clear answer to this question is: if your budget allows, be sure to get consultancy support from an external expert. However, not working with the right expert is risky. You should expect your consultant to have experience as the main consultant in the creation of these systems in at least 7-8 companies of your scale or above, and to hold certifications such as CIA, CICS, CICP, CISA.
The contribution of the right consultant is not only to enable you to install these systems at low cost and with great efficiency, but also to involve senior management, accelerate corporate acceptance, integrate these systems with management practice and be a reliable reference point.
Handling internal audit, internal control and risk management with a triple line logic and integrating management systems into this business requires knowledge, skill, communication skills and experience. In order to obtain all of these elements, a total of 20-25 years of accumulation is required.
Getting external expert support ensures that the systems are designed correctly from the very beginning. With the right consultant, you get an implementation model, internal regulations, trainings, implementation studies, pilots, software support and monitoring tools, and the rate of internalization increases.
IS IT COSTLY TO BUILD THESE SYSTEMS?
These systems are not costly to build: for mid-cap and large-sized companies they constitute a very small proportion (perhaps on a thousandth scale) of the overall management expenses, and the apparent costs are small considering the company's gains. The operational order, efficiency, loss and leakage prevention, reputation and legal gains that the company obtains from these systems within 1 year generally affect EBITDA on a percentage basis. Yes, this is a bold claim, but it is based on my experience. In many companies, the investment in these systems has paid off in the first year, provided of course that you work with the right consultant, provide the right management support and create a team.
At this point, the costs you will face are: the wages of the experts you employ if you build internal control and internal audit in-house; if no expert is employed, the time allocated by people working in different positions and the portion of their wages attributable to this work; the consultant fees if you receive consultancy; and the software costs if you want to manage the subject through software. All of them are extremely small amounts considering the gains.
The biggest cost is that you don't have a tripartite line and you lack a good governance mechanism against risks.
IS SOFTWARE ESSENTIAL FOR INTERNAL AUDIT, INTERNAL CONTROL AND RISK MANAGEMENT?
In the age of digital transformation, it is of course neither rational nor profitable to carry out these processes manually.
Triple line software, which allows you to manage internal control, risk management and internal audit in an integrated way, talks to your company's ERP systems and integrates with company operations. It transforms these systems from specialized work carried out on paper within their own offices into internalized operations in which all employees of the company are involved. In addition, the process, risk, control, self-assessment, findings and action data transferred to these systems will serve as your corporate memory, supporting your business continuity. It will also speed up the adaptation of new managers and staff to the job and its controls.
QGRC is also extremely cost-effective compared to its domestic alternatives and foreign counterparts.
TO WHOM SHOULD THESE SYSTEMS REPORT, TO WHICH MANAGERIAL LEVEL SHOULD THEY BE AFFILIATED?
In principle, if we consider the three-line model of the International Institute of Internal Auditors (IIA), it is best practice for the units that coordinate the internal control practices in operations and the internal control and risk management systems to report to the executive (preferably the top executive manager, such as the CEO or General Manager). On the other hand, internal audit should work under the board of directors, which is the highest governing body. This is because internal audit is a more independent assurance function than internal control and risk management.
The main problem arises here: in family businesses where the board of directors and executive board structures are mixed, that is, organizational structures where the same members sit on both sides, it is difficult to ensure the full independence of internal audit. In corporate companies where the Board of Directors and the Executive are separated, this independence is more easily achieved. So what should such family businesses do to benefit from internal audit?
An independent Board member makes a great contribution to the corporate governance of the company.
The best solution is to separate the Board of Directors and executive responsibilities if possible, and to move to separate Board of Directors and Executive Board structures. Where this cannot be achieved, the board of directors should be supported by an independent member or members, and internal audit should be connected to an Audit Committee, formed from the Board of Directors, in which these members are in the majority and which acts almost like a guide/impartial authority. Internal audit departments that report to the executive are under influence and cannot function fully independently.
IS IT NECESSARY TO ESTABLISH COMMITTEES (AUDIT COMMITTEE, RISK COMMITTEE, ETC.) TO GET EFFICIENCY FROM THESE SYSTEMS?
Yes. If you intend to establish a tripartite line, you must also strengthen your corporate governance structure. Especially for fast-growing companies in Anatolia that have reached a medium-sized scale and continue their journey towards mid-upper levels, the Board of Directors should be structured correctly and Committees should be formed. The correct structuring of the Board of Directors and Committees does not only ensure efficiency from the triple line; it also provides great preparation and practice for the institutionalization of the company and for the transition of management to the 2nd or 3rd generation. In order for their children and grandchildren to manage the company better, the 1st-generation founders and leaders of family businesses should first take the necessary steps to establish this tripartite line and then to strengthen the Board of Directors and Executive structures, with the support of external experts with knowledge and experience in this field.
Committees not only ensure the effectiveness and independence of internal audit, but also act as arbitrators in matters that are controversial or difficult to decide between the Board of Directors and the Executive. They mediate in such matters with an objective and scientific stance, by making data-based analyses. They act as an advisor to the Executive and provide oversight for the Board of Directors.
Committees, including independent members, act as a bridge between the Board of Directors and the Executive Function. They are also an independent and impartial internal conciliator.
WHICH COMMITTEES SHOULD WE CREATE?
The Audit Committee is responsible for the oversight, healthy functioning and independence of internal control and internal audit, and for resolving disputes and differences of opinion with the executive in favor of the company.
The Risk Committee evaluates whether the company's risk management authorities or managers have taken the necessary actions for the early detection and management of risk, whether they have established the right systems, and whether the right risk responses are given institutionally within the framework of the institution's risk appetite, and provides guidance to the Executive and the Board of Directors. Risk Committees monitor strategic, i.e. corporate high-level, risks rather than operational risks, and act as an incentive and guide for taking the necessary actions. For the management of operational risks, they evaluate whether the systems are working effectively and efficiently. They also closely monitor the company's KRIs, or key risk indicators.
The Audit Committee and the Risk Committee should meet regularly, record the meetings, and inform the Board of Directors about the issues discussed.
WHERE DO WE FIND THE RIGHT INDEPENDENT MEMBER TO STRENGTHEN THE BOARD OF DIRECTORS IN THE LIGHT OF CORPORATE GOVERNANCE PRINCIPLES AND TO FORM AND OPERATE THE COMMITTEES?
Independent membership is an institution that has existed for many years in public companies subject to the CMB and banks subject to the BRSA. If the right member is selected, it is of course very beneficial. But companies are making a fundamental mistake here. They appoint either an experienced business person or professional from their own sector, or people with a finance background, as independent members. These people do not have sufficient experience in internal control, risk management, internal audit, management systems or corporate governance. Companies form committees with these members, who have a career and reputation in their own field but lack this experience, and unfortunately they cannot get efficiency. Another mistake is to include spouses, friends, relatives or other business people as independent members on the board of directors.
Essentially, the triple line and its full, efficient implementation within the company is a matter of separate expertise. For this reason, in place of the profile I mentioned above, a member with triple line experience should be appointed as an independent member. Of course, it is an understandable choice to prefer academics who have industry experience or who are famous in the field of economics/finance, which we see in common practice in Turkey. But instead of appointing two members in this way, one member should be preferred who has triple line experience, can operate these systems within the company, is experienced in Executive relations, has a good command of conflict management in family companies, has strong communication, and has the strategies and tools to make the Board of Directors and the Executive work together efficiently.
The correct formula should be one member with economy/finance/industry experience and one member with the profile mentioned above. If we are going to recruit a single independent member, it is useful to prefer the member who is experienced in the fields of tripartite line, family business dynamics, management systems and corporate governance and to entrust the Committees to these experienced experts.
WHAT DOES AN INDEPENDENT MEMBER CONTRIBUTE TO US?
First of all, we can count the effectiveness of internal audit and internal control within the company, the functional and beneficial operation of risk management, the monitoring and management of strategic risks, the guidance of the Executive and the Board of Directors, ensuring the compliance of the Board and the Executive, and contributing to the resolution of conflicts. It should be added that without an independent member, it is difficult to benefit from internal auditing, especially in mid-upper and large-scale family businesses.
After they fulfill these duties, we can of course expect them to contribute to issues such as the interpretation of the economy, financing, investment, acquisition, tax strategies, accounting policies, mergers or international expansions. Since it is difficult to find independent members who combine all of these features, we recommend strengthening the Board of Directors with at least 2 independent members, and doing this in accordance with the CMB's Corporate Governance Principles.
The independent membership system encourages the Board of Directors to work effectively and institutionally.
It is important not to use independent Board members as executives or executive directors. These members must be independent of the executive in order to observe, evaluate and guide the performance from the outside. If you are going to give executive roles to the "brand" people who have industry experience and whom you find useful to have on your board of directors, position them as normal board members, not independent ones.