Useful Tips
DO WE NEED INTERNAL AUDIT?
If your turnover is 100 million TL or more, you have 100 or more employees, your operations are carried out in more than one location, and your HR, finance, IT, operations, purchasing, sales and marketing departments are each run by separate, professional managers, it is beneficial to get internal audit service.
SHOULD WE CREATE INTERNAL AUDIT INTERNALLY OR OUTSOURCE?
Outsourcing means obtaining internal audit services from an external provider, in-house means creating the internal audit function within the company, and cosourcing means receiving services from both internal and external teams. You can benefit from all three approaches; the decisive factor here is your structure, needs, budget and capabilities.
The most important thing to consider when outsourcing is whether the consultants/internal auditors who will provide the service have sector and professional experience and international certificates.
SHOULD WE RECRUIT INTERNAL AUDITORS FROM OUTSIDE OR FROM DIFFERENT POSITIONS WHILE CREATING THE INTERNAL AUDIT?
The following three characteristics should be sought in internal auditor candidates chosen from within: analytical thinking skills, communication skills and honesty. In addition, good financial management and/or operational experience should be an important factor.
DO WE NEED INTERNAL CONTROL AND RISK MANAGEMENT, SHOULD WE INSTALL THESE SYSTEMS, WHAT KIND OF MODEL SHOULD WE APPLY IN THIS REGARD?
Every organization, from a one-person sole proprietorship to a multinational company of 390 thousand people, should establish internal control and risk management processes. As scales grow in the context of the factors I mentioned above, these processes need to be systematically addressed around an international model (such as COSO). Internal control and risk management are among the basic business processes that should be created and carried out independently of scale. In other words, they are not optional, they are the basis of good management.
The fact that you have internal control elements in your organization does not mean that you have an internal control system. This is often the main argument presented to us: "We have outputs on management systems, then we have an internal control system!" Just because you have written procedures, job descriptions, and organizational charts throughout the company does not mean that you have an internal control system. A COSO-based internal control system and related processes point to much more than what we have mentioned, especially in the context of the control environment and information & communication components.
Without fully establishing the tripartite line, that is, without putting internal control and risk management into effect, it is difficult to benefit from internal audit.
WHICH ONE SHOULD WE CREATE FIRST; INTERNAL CONTROL OR INTERNAL AUDIT?
Small and medium-sized companies should definitely start with internal control. If necessary, they can also obtain internal audit as an external service. At medium, upper medium and large scales, even if there is no COSO-based internal control, internal control structures or elements do exist, so we recommend that these companies start with internal audit and move internal control and risk management to a systemic dimension under the guidance and leadership of internal audit.
Of course, there are also companies where we plan the project so that both are created at the same time, and we are carrying out that work very successfully, as long as there is awareness, desire and support in the board of directors and senior management.
Boards of Directors should know the difference between internal control and internal audit and define their needs correctly.
SHOULD WE BUILD THESE SYSTEMS BY TRAINING OR HIRING PROFESSIONALS IN THE SUBJECT, OR SHOULD WE GET EXTERNAL EXPERT SUPPORT?
The clear answer to this question is: if your budget allows, be sure to get consultancy support from an external expert. However, it is risky not to work with the right specialist. You should expect your consultant to have experience as a main consultant in the creation of these systems in at least 7-8 companies of your scale or above and to hold certifications such as CIA, CICS, CICP, CISA.
The contribution of the right consultant is not only to enable you to install these systems at low cost and with great efficiency, but also to involve senior management, accelerate corporate acceptance, integrate these systems with management practice and be a reliable reference point.
Handling internal audit, internal control and risk management with a triple line logic and integrating management systems into this work requires knowledge, skill, communication skills and experience. In order to obtain all of these elements, a total of 20-25 years of experience is required.
Getting expert support from outside ensures that the systems are designed correctly from the very beginning. With the right consultant, you obtain an implementation model, internal regulations, trainings, implementation studies, pilot studies, software support and monitoring tools. The internalization rate increases.
IS IT COSTLY TO BUILD THESE SYSTEMS?
Creating these systems is not costly for mid-to-upper and large-sized companies, as it will constitute a very small proportion of the general administrative expenses (perhaps on a thousandth scale). Or the apparent costs will remain small considering the company's gains. The operational order, efficiency, loss and leakage prevention, reputation and legal gains that the company will obtain from these systems within 1 year generally affect EBITDA on a percentage basis. Yes, this is a serious claim, but it is based on my experience. In many companies, the investment in these systems has been rewarded in the first year. Of course, this is provided that we work with the right consultant, provide the right management support and form a team.
At this point, the costs you will face are: the wages of the experts you employ if you build internal control and internal audit in-house; the time allocated by people working in different positions, and the corresponding share of their wages, if no experts are employed; the consultant fees if you get consultancy; and the software costs if you want to manage the issue through software. All of them are extremely small amounts considering the gains.
The biggest cost is that you don't have a tripartite line and you lack a good governance mechanism against risks.
IS SOFTWARE ESSENTIAL FOR INTERNAL AUDIT, INTERNAL CONTROL AND RISK MANAGEMENT?
In the age of digital transformation, it is of course not rational and profitable to carry out these processes manually.
Triple-line software, which allows you to manage internal control, risk management and internal audit in an integrated manner, can talk to your company's ERP systems and integrate with company operations. It will transform these systems from specialized jobs carried out on paper and in their own office into internalized operations in which all employees of the company are involved. In addition, process, risk, control, self-assessment, findings and action data transferred to these systems will function as your corporate memory and support your business continuity. Again, it will also speed up the adaptation of new managers and your staff to work and controls.
QGRC is also extremely cost-effective compared to its domestic alternatives and foreign counterparts.
TO WHOM SHOULD THESE SYSTEMS REPORT AND TO WHICH MANAGERIAL LEVEL SHOULD THEY BE AFFILIATED?
In principle, if we consider the three-line model of the International Institute of Internal Auditors (IIA), it is the best practice for the units that will coordinate the internal control practices in operations and the internal control and risk management systems to be subordinate to the executive (preferably the top executive manager such as the CEO or General Manager). On the other hand, internal audit should work under the board of directors, which is the highest management body. This is due to the fact that internal audit is a more independent assurance function compared to internal control and risk management.
The main problem arises here: in family businesses where the board of directors and executive board structures are mixed, that is, in organizational structures where members are on both sides, it is difficult to ensure the full independence of internal audit. In corporate companies where the Board of Directors and the Executive are separated, this independence is provided more easily. So what should such family businesses do to benefit from internal audit?
An independent Board member makes a great contribution to the corporate governance of the company.
The best solution is to separate the Board of Directors and executive responsibilities if possible, and to move to separate board of directors and executive board structures. Where this cannot be achieved, the board of directors should be supported by an independent member or members, and internal audit should be connected to the Audit Committee, which is formed from the Board of Directors and in which these members are in the majority, almost like a guide/impartial authority. Internal audit departments that report under the executive are affected and cannot work fully independently.
IS IT NECESSARY TO ESTABLISH COMMITTEES (AUDIT COMMITTEE, RISK COMMITTEE, ETC.) IN ORDER TO GET EFFICIENCY FROM THESE SYSTEMS?
Yes. If you intend to establish a triple line, you should also strengthen your corporate governance structure. Especially for fast-growing companies in Anatolia that have reached medium scale and continue their journey towards upper middle levels, the Board of Directors must be structured correctly and Committees must be formed. Correct structuring of the Board of Directors and Committees does not only ensure efficiency from the tripartite line. At the same time, it supports the institutionalization of the company and provides the 2nd or 3rd generations with great preparation and practice at the point of transition of administration. In order for the founders and leaders of the 1st generation to better manage the company, their children and grandchildren should first take the necessary steps to establish this tripartite line and then to strengthen the Board and Executive structures, with the support of experts who have knowledge and experience in this field.
Committees not only ensure the effectiveness and independence of internal audit, but also act as arbitrators in controversial or difficult-to-decide issues between the Board of Directors and the Executive. Again, in such matters, they mediate with an objective and scientific stance, by making data-based analyses. They assume the role of advisor for the Executive and oversight for the Board of Directors.
Committees, including independent members, act as a bridge between the Board of Directors and the Executive Function. They are also independent and impartial in-house conciliators.
WHICH COMMITTEES SHOULD WE FORM?
The Audit Committee is responsible for the supervision of internal control and internal audit, its healthy functioning, independence, and the resolution of discussions and differences of opinion with the executive in favor of the company.
The Risk Committee evaluates whether the company's risk management authorities or managers take the necessary actions for early detection and management of risk, whether they have established the right systems, and whether the institution gives the right risk responses within the framework of its risk appetite, and it guides the Executive and the Board of Directors. Risk Committees monitor strategic, that is, corporate high-level risks rather than operational risks, and play an encouraging role and guide the necessary actions to be taken. For the management of operational risks, they evaluate whether the systems work effectively and efficiently. They also closely monitor the company's KRIs, or key risk indicators.
The Audit Committee and the Risk Committee should meet regularly, record meetings, and inform the Board of Directors about the issues discussed.
WHERE WILL WE FIND THE RIGHT INDEPENDENT MEMBER TO STRENGTHEN THE BOARD OF DIRECTORS IN THE LIGHT OF CORPORATE GOVERNANCE PRINCIPLES AND TO FORM AND OPERATE COMMITTEES?
Independent membership is an institution that has already existed for many years in public companies subject to the CMB and banks subject to the BRSA. If the right member selection is made, of course, it is very beneficial. However, companies are making a fundamental mistake here. As independent members, they appoint either an experienced business person or professional from their own sector or people with a financial background. These people do not have sufficient experience in areas such as internal control, risk management, internal audit, management systems or corporate governance. Companies form committees with these members, who lack this experience but have careers and reputations in their own fields, and unfortunately they cannot get efficiency. Another mistake is to include spouses, friends, relatives or other familiar business people as independent members of the board of directors.
Essentially, the triple line and its full implementation and efficiency within the company is a matter of expertise. It requires a separate expertise. For this reason, members in the profile I mentioned above must be replaced by a member with triple line experience as an independent member. Of course, it is also understandable to prefer academics who have industry experience or a reputation in the field of economics/finance, which we see in common practice in Turkey. But instead of recruiting two members in this manner, one member should be preferred who has triple line experience, can operate these systems within the company, is experienced in relations between the Board of Directors and the Executive, has a good command of conflict management in family businesses, has strong communication, and has strategies and tools to make the Board of Directors and the Executive work together efficiently.
The correct formula should be a member with economy/finance/sector experience and one member in the profile mentioned above. If we are going to recruit a single independent member, it is useful to prefer a member who is experienced in the fields of tripartite line, family business dynamics, management systems and corporate governance, and to entrust the Committees to these experienced experts.
WHAT DOES AN INDEPENDENT MEMBER CONTRIBUTE TO US?
First of all, we can count the following: making internal audit and internal control effective within the company, making risk management work in a functional and beneficial manner, guiding the Executive and BoD in monitoring and managing strategic risks, ensuring the harmony of the BoD and the Executive, and contributing to the resolution of conflicts. It should also be added that it is difficult to benefit from internal audit without independent members, especially in medium-upper and large-sized family businesses.
After fulfilling these duties, of course, we can expect them to contribute to issues such as the interpretation of the economy, financing, investment, purchasing, tax strategies, accounting policies, mergers or international expansions. Since it is difficult to find independent members who meet all the features together, we recommend strengthening the Board of Directors with at least 2 independent members, and doing this in accordance with the Corporate Governance Principles of the CMB.
The independent membership system encourages the Board of Directors to work in an effective and institutional structure.
It is important not to use independent members of the Board of Directors as executives or executive members. These members must be positioned independently of the executive in order to observe, evaluate and guide the execution from the outside. If you are going to assign executive roles to "brand" people who have industry experience and whom you find beneficial to have on your board of directors, position them as normal board members, not independents.