Internal auditing
26 August 2012
From police
to partner
August 2012 27
W
hen Keith Stephenson
started work in an in-
ternal auditing depart-
ment, he thought it was a
backwater. “I think back and it seemed that
internal audit was the place you put people
when there was nowhere else to put them,”
he recalls. “Internal audit was a function
that didn’t have great visibility.”
Stephenson, now a risk advisory part-
ner with PricewaterhouseCoopers in Hong
Kong, says times have changed dramati-
cally since the 1990s. “It’s been a remark-
able transformation. The internal auditor
has been pulled out of effective obscurity 20
years ago into a high profile position.”
That transformation was evident in a
recent PwC survey of 1,500 stakeholders
worldwide, which focused on the rising
importance of risk management and the in-
creasing expectations of internal audit’s con-
tribution to the effort. The survey showed
that company executives are calling upon
internal auditors to identify and mitigate
risks outside traditional internal audit core

competencies. Monitoring fraud, ethics,
data privacy and security have always been
the duties of internal auditors. Now business
continuity, large project risk, mergers and
acquisitions, regulations and government
policy, and reputation and branding have
been added as areas that respondents said
they expect internal auditors to oversee.
Those tasks mark a departure from the
old view of internal auditors as monitors –
or worse. “Internal auditors were regarded
as guard dogs,” says Kim Chong, the head of
the internal audit division at the Hong Kong
Monetary Authority and a member of the
Hong Kong Institute of CPAs’ standards and
quality accountability board. “But I think ex-
pectations have changed.”
For the most part, internal auditors have
welcomed not only a shift in expectations, but
also the change in perceptions. “I think – and
I hope from our profession’s side – that we no
longer want to be perceived solely as police,”
says Winifred Ng, internal audit director at
Hopewell Holdings and an Institute member.
“We want to be seen as a consultant and busi-
ness partner to the management team.”
Stepping up
The impetuses for this evolution were the
landmark 1992 Cadbury Report into cor-
porate governance in the United Kingdom,

commissioned following a series of high
profile corporate collapses – including those
of Maxwell Communications and Bank of
Credit and Commerce International – and, a
Internal auditing has broadened from passive monitoring to the
vital role of analysing and managing risk. George W. Russell
asks internal audit experts about changing perceptions and
what it means for the accounting profession
Illustrations by Harry Harrison
From police
to partner
28 August 2012
Internal auditing
decade later, the aftermath of the Enron and
WorldCom collapses in the United States.
Both events had international repercus-
sions. Today, internal auditors say concerns
over the continuing worldwide economic
slowdown and the never-ending string of
corporate scandals such as the recent rev-
elations of money laundering at HSBC are
among the reasons that they have been
thrust to the fore once more. “Everyone is
worried about compliance and control, giv-
en the global economy,” says Ng.
Once more, internal auditors are finding
themselves stepping up to an ever more cen-
tral role in company supervision.
Terence Chow, head of group internal
audit at equipment packaging manufacturer

ASM Pacific Technology and an Institute
member, points to supply chain manage-
ment – a significant risk area – as an example
of a company function that internal auditors
have been called on actively to participate.
Chow adds: “In the past, you just needed
to see whether there was a separation of du-
ties or whether there was sufficient control
to avoid fraud. But now since you are a busi-
ness partner of the operation, you also want
to tell them how well the control is working
and give them some analysis.”
Internal auditors say they are more antic-
ipatory than before in all areas of their work.
“I think one of the most important roles for
internal auditors is to make sure they do add
value to their organization,” says Barry Ho,
group chief internal auditor at Great Eagle
Holdings, the Hong Kong-listed Chinese real
estate company, and a member of the Insti-
tute. “The way they try to do that is not only
to audit something that’s already happened
in the past, but also to consider what will be
happening in the future.”
Chow’s internal audit department boasts
its own motto: “Insight, integrity, indepen-
dence.” While integrity and independence
are cornerstones of successful internal audi-
tors, insight is a relatively recent addition, he
says. “It’s about how you can give the man-

agement insight from an independent party’s
view on how well the operation is working.”
Chow says his objective is still examining
risk controls, but “looking in a deeper way
rather than just a high level of compliance.”
He says he wants to provide management
with information they can use, rather than
something that merely assures them. “It’s
different from 10 years ago. Then you met
the minimum requirements and gave them a
general health report,” he says. “Now man-
agers want to see specifically how opera-
tions are affected.”
New responsibilities mean continuous
professional development. “Our CPA [quali-
fication] gives us accounting and analysis
skills but we also need risk management
skills and how to apply this to day-to-day
business,” says Ng at Hopewell. “Principles
“Companies – even
the Institute – find it
increasingly difficult
to recruit internal
auditors.”
August 2012 29
and guidelines are provided by the Institute
and Hong Kong Exchanges and Clearing, and
we use international benchmarks as well.”
At the same time, internal auditors are
faced with increased regulation that changes

rapidly. Those at multinational corporations,
in particular, must keep up with a raft of both
international statutory and self-regulating
standards.
“For example, ASM has just complied
with an audit for the EICC code of conduct,”
Chow says, referring to the Washington-
based Electronic Industry Citizenship Co-
alition, an industry lobby group. “It’s new to
us. The point is that you need to be very alert
about what is going on in your industry as
well as the accounting profession.”
Chances of conflict
To be sure, not all internal auditors are com-
fortable with their new responsibilities, sug-
gesting that an advisory role conflicts with
their auditing duties. “We need to balance be-
tween auditing and consulting,” says Ronnie
Wong, director of internal audit at the Uni-
versity of Hong Kong and an Institute mem-
ber. “We do not want to be thought of taking a
dominating role in deciding what the depart-
ments should do in particular situations.”
Stephenson suggests the truth might lie
in the middle. “There is this debate about
whether you are a policeman or a consultant,”
he says. “I think you need to be a ‘smart police-
man.’ You’re giving warmth and comfort on
control structures, and where possible you’re
giving smart answers on how these can be ob-

tained more effectively and efficiently.”
To achieve that, internal auditors need to
improve their abilities outside technical ac-
counting skills, they say. “One key skill is com-
munication and another is business sense,”
says Ng. “You’re trying to sell an idea not
purely from an internal control side or docu-
mentation issue but by applying a business
perspective. That way the management team
can more easily understand and accept it.”
Audit committees
In Hong Kong, all listed companies must estab-
lish an audit committee, comprising of non-
executive directors only and having at least
three members. “The internal auditor and the
company audit committee have to work very
closely together,” says Chow at ASM.
“They [non-executive directors] are the
external directors, not from inside the com-
pany, so the internal audit group is filling a
gap between them and management,” he
adds. “We supply them with information
and keep them updated on the company, on
what the risk areas are, on what the controls
are, on what our concerns are, and then they
also feed back to us about their concerns.”
There are some obstacles, however, to
effective interaction between the internal
audit department and the audit committee.
“It’s about how

you can give the
management insight
from an independent
party’s view on how
well the operation is
working.”
30 August 2012
Internal auditing
“Sometimes the head of internal audit is in
awe of the audit committee chairman and
sometimes the audit chairs don’t feel com-
fortable with the internal auditing head,”
observes Stephenson at PwC.
Part of the problem, he says, is a lack of
finesse on the part of some internal audi-
tors. “If you’ve got smart ideas but if you can’t
present or you don’t have gravitas you will be
struggling,” he says. “You need boardroom
presence. You need to match the CFO, if not
the CEO. You can’t look weak or apologetic.”
One benefit of the improved image of in-
ternal auditors is that the field is attracting
high calibre, senior recruits. “You’re now
seeing Big Four partners going into internal
audit, which wouldn’t have even been con-
sidered 20 years ago. You need that polish at
the top,” says Stephenson.
Having more experienced accountants as
internal auditors, he says, can make for bet-
ter interactions with audit committees. “The

head of internal audit should be comfortable
enough to ring up the audit chair and have
one or two meetings a year outside the au-
dit committee setting,” Stephenson advises.
“He should be the extended right arm of the
audit chair when it works well.”
While most agree that internal auditors
should act as a partner to the company man-
agement and the audit committee, there
are potential pitfalls. “The inevitable risk of
conflict arises as the internal auditor and au-
dit committee are both remunerated by the
company that they are reporting on,” warns
Lionel Choong, an Institute member who is
CFO of sourcing company Global Regency
and who served on the audit committee of
garment maker Tack Fat Group during re-
structuring after its 2008 bankruptcy.
He adds that internal auditors should put
their core role – internal audit – first. “The
internal auditor is an extension of theaudit
committee’s execution of their supervisory
responsibilities with respect to confirming
the effectiveness, or otherwise, of the com-
pany’s sound ethical practices and participa-
tion from all ranks.”
Recruitment woes
Despite the role’s higher profile, many com-
panies have difficulty attracting internal au-
ditors. While senior accountants do switch

to high level internal auditing roles, CPAs
on their way up are reluctant to join internal
audit departments.
“Companies – even the Institute – find
it increasingly difficult to recruit internal
auditors,” says Raphael Ding, the Institute’s
chief executive and registrar. “Auditors start
their career by visiting different clients and
not a lot of them want to settle in by just do-
ing one single business.”
Private sector professionals confirm a
shortfall. “I have always an opening,” says
Chow at ASM. “We’ve already received hun-
“There is this debate about whether you
are a policeman or a consultant. I think
you need to be a ‘smart policeman.’ ”
August 2012 31
dreds of applications [but] most applicants
are from pure accounting firms, whether Big
Four or second-tier or local companies,” he
says. “This is not exactly the right mix that
we want to have. We want people who have
at least two or three years of working experi-
ence in the commercial area so that they can
understand how a real business is running.”
One solution for companies short of in-
ternal auditors is to outsource all or part of
their internal auditing functions to third
parties, such as accounting firms. “Increas-
ingly, companies are engaging an external

firm as internal auditor, selected by the audit
committee, to ensure independence, trans-
parency and corporate governance,” says
Choong at Global Regency.
But while this is common globally and in
certain Asia Pacific countries such as Austra-
lia and Singapore, the idea is yet to catch on
in Hong Kong in a big way.
Stephenson at PwC, which has a substan-
tial third-party internal audit business, says
there are three types of contracts. “There
are one-off pieces of work, there is co-sourc-
ing where the head of internal audit needs
support in specialist areas – such as health
and safety, treasury and information tech-
nology – or outsourcing the whole thing.”
He says Hong Kong is becoming more
aware of the advantages of third-party inter-
nal audit. “You blend the commercial exper-
tise of internal audit with the discipline of ex-
ternal audit and that works very well indeed.”
Further developments
The growing sophistication of internal audit-
ing in Hong Kong is yet to be matched in the
mainland – although there are encouraging
signs. Financial institutions, for example,
say mainland regulators are particularly
aware of the importance of internal auditing.
“The effectiveness of the internal audit
function within the bank is closely monitored

by the China Banking Regulatory Commis-
sion,” says Telly Chan, head of China audit
and group internal audit at Standard Char-
tered Bank China and an Institute member.
Stephenson, who has studied internal au-
diting issues in China, says the performance
of internal auditors in Chinese companies
can depend on an organization’s size. The
heads of internal auditing at larger organiza-
tions in China are very modern and proac-
tive in their approach, he says, but internal
auditors are far tamer at smaller companies.
Both Hong Kong and the mainland pres-
ent plenty of new opportunities for internal
auditors. Overall, and despite some reserva-
tions, internal auditors are embracing their
new-found popularity and ability to provide
practical advice.
As Ng at Hopewell says of her expanded
role: “You are no longer just talking about
theory or documents but the real world of
business.”
“You are no longer just talking about
theory or documents but the real
world of business.”