Tag Archives: assurance

Internal audit can be an invaluable tool to provide assurance during mergers and acquisitions

31 Dec

Audit & Risk

Internal audit can be an invaluable tool to provide assurance during mergers and acquisitions, but management may not always be aware of the profession’s skills.


While the deals market is still far less active than it was before the financial crisis, organisations are always on the lookout for suitable targets to acquire or merge with to increase their market share. But mergers and acquisitions (M&As) have been notoriously difficult to get right once the money has changed hands. Studies and anecdotal evidence suggest that most M&A transactions fail to deliver their stated goals or achieve value.

Such deals would therefore seem to be ripe for internal audit’s input, but an international survey conducted in 2002 for IIA Global found a low level of involvement from internal auditors at the various stages of M&As – despite their willingness to help from the start of the process. The research found that internal audit’s contribution was limited to the due-diligence phase and the post-acquisition audit.

Ten years later, it appears that little has changed: internal audit would like to be more involved in the M&A process from start to finish, but rarely is. Why is this the case? A typical barrier is that internal audit lacks hands-on M&A experience and so it’s involved only at certain times and in specific roles.

“Internal audit has a strong case to argue for its involvement from the very outset of an M&A,” says David Coombs, an internal audit and risk management consultant. “But management is unlikely to include internal audit unless it has a proven record of adding value through the audit process or of being actively engaged in M&A work. In reality, how many organisations are there where internal audit can put its hand up and say it has that kind of reputation?”

Prove yourself

Some internal auditors have successfully forged that reputation. Rainer Lenz CMIIA is vice-president of internal audit at pharmaceuticals company Actavis – an organisation, he says, that has grown by acquisition since it was founded. “M&A is a core business process as far as we are concerned,” he says.

Lenz says that he gets involved in providing risk assessments when Actavis identifies companies to acquire, adding that he has a strong background in M&As because he used to work in finance. He agrees with Coombs that, while internal audit definitely has valuable expertise to contribute to the M&A process, the function will not be asked to participate unless it has a proven record of earlier involvement.

“Management wants advice from people who have been involved at all stages of the M&A process,” Lenz says. “More often than not, internal audit does not have that experience, so it lacks credibility. The only way that internal auditors can really convince management that they should be part of the project from an early stage is to show that they understand what’s involved and what the inherent risks are – and that they realise that most mergers fail.”

Adding value

Other heads of internal audit say that their teams can take positive steps to increase their involvement in their organisations’ M&A strategies, while also demonstrating the value they can add throughout the process. David Finch CMIIA, director of group business risk and assurance at building supplies retailer Travis Perkins and a member of the IIA’s Heads of Internal Audit Service, explains that internal audit has a valuable role to play at several points along the M&A path.

“Before any M&A activity starts, internal audit can review the process that an acquisitive company might go through when undertaking a theoretical takeover,” he says. “This would include a consideration of funding potential – for example, does the organisation have the means to execute a M&A should the opportunity arise? It’s useless wanting to buy a business but not having the cash deposit available or the support of shareholders for the issuing of shares before you even start,” he says.

Finch also thinks that a review of the valuation modelling techniques used by the business to set its acquisition price is another important area for internal audit involvement. “Asset values, earnings multiples, discounted future cash flows and so on will all provide a different answer about the business’s value,” he warns. “This might affect whether the company decides to go ahead with the acquisition, because it may deem the target organisation too expensive or decide that the business does not hold the commercial value first thought.”

Finch says internal audit may also have a role in the validation of assets and liabilities. “Stock may physically exist, but does it hold a value? For example, surplus promotional stocks relating to a campaign run six months ago, obsolete packaging, time-expired stock and so on all hold a material value, but not quite the degree of value first thought,” he says.

Seal the deal

There are also competition issues that internal audit could investigate or highlight to management, Finch says, particularly if a merger of two dominant players in a market could adversely affect consumer choice. “Where an organisation is a leading part of its sector, the Office of Fair Trading will no doubt get involved. An appreciation of whether the regulator will refer the acquisition to the Competition Commission or require a compulsory divestment can influence the M&A strategy. This should be considered by the organisation before making a bid,” he says.

Neale Andrews, head of the corporate and commercial practice at law firm Mundays, which undertakes M&A work, also believes that internal audit can add real value by getting involved in the process before the acquisition. For example, internal auditors can help to identify how long the process might last. “Effective timetabling is an invaluable asset and can be a deal-breaker if management wants to capitalise on the merger quickly,” he says.

There are other areas where internal audit’s skills can be used to great effect. Andrews says that internal audit can identify potential hidden costs, such as legal liabilities, and help to arrange indemnities to ring-fence the acquirer from having to pay for them or to reduce the purchase price of the target.

The profession can also show its value during the implementation. “At particular stages in the acquisition, management should be stepping back and taking stock of what it planned to achieve by certain dates and whether those plans have crystallised,” Finch says. “Days one, 30, 60, 90 180 and 365 are the normal points. As with any project, there’s a danger that the benefits will be overstated and the costs understated. So internal audit can work with the M&A project manager to give some validity to statements that are made. Detailed planning for these milestone dates will give credibility to the M&A, so assessing the extent by which each activity has progressed can add real value,” he says.

Internal audit is also well placed to assess the M&A’s success when it’s completed. “Once the dust has settled, internal audit can clearly conduct a post-investment review,” Finch says. “This might be in the remit of internal audit, or line management could do it, with internal audit reviewing the effectiveness of the M&A itself. The purpose should be to see what could be done better in the future, rather than identifying victims of the activity.”

Yet, despite the skills that internal audit has to offer, some believe the status quo will remain: the catch being that, without experience, internal audit lacks credibility and so cannot gain the experience it needs in order to prove itself. David Coombs believes that whether internal audit actually gets more deeply involved in the M&A process or not depends on management’s viewpoint and the structure of the organisation.

“Management may call on internal audit for assurance and advice on specific aspects when it feels that the function can add value, but not necessarily call on it to have an ongoing role throughout,” Coombs says.

“If you already have skills in-house that can help to ensure success, these should be used,” he adds. “But internal audit is also a function that’s accustomed to challenging the thinking behind business strategy and standing up to management – and it’s certainly useful to have an independent voice that can take a more detached view of how the deal is going, the risks involved and the controls needed – and of what should happen after implementation.”


Source: Audit & Risk, Insights from the Chartered Institute of Internal Auditors, September/October 2012

Internal Audit. Effective? Questions!

9 Dec



Rainer Lenz, Ulrich Hahn (2015), A synthesis of empirical internal audit effectiveness literature pointing to new research opportunities, Managerial Auditing Journal, Vol. 30 Iss: 1, pp. –


Ten years after Bailey, Gramling and Ramamoorti (2003) presented research opportunities in Internal Audit (IA) this paper provides a synopsis of what academic literature says about IA effectiveness. A new set of research questions that may help to bring the best out of IA is proposed.


Empirical studies based on internal auditors’ self-assessments (“inside-out”) and empirical studies based on other stakeholders’ perspectives (“outside-in”) are reviewed through an “effectiveness lens”. The “outside-in” perspective is regarded as particularly valuable.


First, we identify common themes in the empirical literature. Second, we synthesize the main threads into a model comprising macro and micro factors that influence IA effectiveness. Third, we derive promising future research paths that may enhance IA’s value proposition.

Practical implications

The “outside-in” perspective indicates a disposition to stakeholders’ disappointment in IA: IA is either running a risk of marginalization (IIA, 2013; PWC, 2013) or has to embrace the challenge to emerge as a recognized and stronger profession. The suggested research agenda identifies empirical research threads that can help IA practitioners to make a difference for their organization, be recognized, respected and trusted, and help the IA profession in its pursuit of creating a unique identity. This paper wishes to motivate researchers to explore innovative research strategies and probing new theories as well as benefitting from cross-fertilization with other research streams.


This paper summarizes the state of research on IA effectiveness and proposes a guide for future IA research. It provides pointed questions that may further advance the understanding of what constitutes IA and how IA can enhance its value proposition.

Reflections on the internal auditing profession: what might have gone wrong?

21 Mar

The marginalized role of Internal Audit (IA) in the aftermath of the financial crisis that began in 2007 serves as the starting point of this paper, which reviews the profession’s situation between that time and 2010. The absence of IA from the governance debate has been marked and the relevance of IA has become a contentious issue in practice. In having no one clear boss and no single clear role, IA is exposed as trying to be many things to many people, to the point where no one is really sure who it is for and what it delivers. The analysis suggests that, to become a more relevant stakeholder in the corporate governance arena, the IA profession should consider clarifying both the perspective and the purpose of IA, that is, determining to whom IA should be accountable (the perspective from which its added value is judged) and clarifying/concentrating the IA’s service offering (its purpose).

It is striking that the IA profession has hardly been considered by other governance stakeholders as a source of solutions to the problems that led to the financial crisis. Post-financial-crisis activities have remained almost completely silent about IA’s role. Thus, the IA profession has been marginalized in the corporate governance debate since the financial crisis that started in 2007. IA is still searching for an identity and a unique selling proposition in order to play a more important role in that governance arena. There are limitations, some self-inflicted, regarding the role of IA as a core principle of good corporate governance: IA has multiple customers to serve and IA aspires to render both assurance and consulting services.

IA has no clear chief stakeholder: The IIA recommends a dual reporting relationship in which the CAE reports functionally to the board (or the audit committee of the board) and administratively to a senior management executive, and the IIA acknowledges that there may be conflicts when IA tries to “serve two masters” . When IA serves two masters, senior management and the board, what IA reports to the board may be filtered by management, such that only what is palatable to management is communicated.

Value of IA questioned: Having an IA function (IAF) is not the same as having a value-adding and effective IAF, as several stakeholder surveys have indicated. There are big gaps in practice when comparing factual and targeted scope of IA services. There is an absence of clear conveyance of the value added to major stakeholders. There are overly optimistic self-assessments by internal auditors.

This paper suggests viewing the oversight authority (board/audit committee) more clearly as the prime customer group, which abandons the IIA’s traditional view of IA as an “agent of the board”, and at the same time positions IA as a “partner to management”. Following that path may be the way IA can leverage the governance opportunity. The aspiration to broaden the scope of IA beyond the assurance arena may not be helpful in establishing IA as a profession, as doing so may move IA farther away from what matters most to boards and audit committee. There is significant room for improvement for IA in the arena of assurance, which is to be exploited, as otherwise other professions may fill the gap.

The two key conclusions of this paper are first that positioning IA as the agent to the board/audit committee and, at the same time, as partner to management is challenging in practice. The IA function should clarify the customer dimension in its organizational context. Second, assurance and consulting may be a confusing combination in practice that dilutes the value proposition. Consolidating IA around its core function of providing assurance is argued as the way forward.

Rainer Lenz, Gerrit Sarens, (2012), Reflections on the internal auditing profession: what might have gone wrong?, Managerial Auditing Journal, Vol. 27 Iss. 6, pp. 532 – 549