In 1998, the magazine of the American Institute of Certified Public Accountants (AICPA), the Journal of Accountancy, approached the IIA. They said they wanted to write an article about progressive internal auditing leaders and (I thank them) the IIA pointed them to me.
I was the CAE of Tosco Corporation. I had been in that position for 8 years and had seen the company grow from $2 billion in revenue to $15 billion. It was still growing rapidly and profitably. Tosco would reach its peak in 2001 when it recorded $28 billion in revenue and was about #50 in the Fortune 500 list of US companies. Sadly, the board decided to take advantage of the market and sold the company to Phillips Petroleum for $7.5 billion.
Today, I want to share the piece they wrote.
Looking back, I haven’t changed my thinking a great deal in the 20+ years since then.
I will let you read it and then comment on what I might say differently if interviewed today.
Rethinking internal audits
By Anita Dennis
Journal of Accountancy, November 1998
What are the keys to running a lean, proactive internal audit department? At Tosco, a petroleum refining and marketing company, Norman Marks, general auditor, has developed an approach that adds value while reining in costs. His strategy can help to provide a model for other internal auditors seeking to enhance their departments’ contributions.
When Marks joined Tosco in 1990, the audit committee’s chairman said to him, “I’ve got about $6 million worth of stock in this company. Make sure there are no surprises.” Marks has taken it as his charge to protect all the stakeholders in the company from a variety of unpleasant surprises that can result from failures in internal controls. “We have to consider the integrity of financial reporting, custody of assets, environmental and safety issues, and the efficiency and effectiveness of operations,” Marks says, in addition to what he calls “the 60 Minutes test.” “I try to protect us from doing anything that would embarrass us if it ever turned up on 60 Minutes.”
The challenges of his job have grown along with the company, which went from a $2 billion operation in 1990 to an organization today with $15 billion in sales. Despite its size, “it’s a very small company. In 1997, we had sales of $13.3 billion, but our pretax earnings were $381 million, just 2.9% of sales. That’s not a function of write-offs but of the fact that the petroleum industry has very thin margins. In terms of revenue per thousand employees, this industry has one of the highest ratios, which means we have very few people for a very large amount of dollars. Since our margins are thin, to survive in the industry you must be one of lowest cost operators, which we have become.” At the same time, companies in the industry face financial uncertainties in a number of transactions. Tosco, for example, buys $10 billion worth of crude every year, which is subject to market price shifts; at a single refinery, operating costs can run $100 million per year, or one-fourth of its pretax earnings. “That gives me a lot to worry about. Not only must I consider outside forces but also I must provide the audit committee with assurance about controls and I have to be careful about how much money I spend.”
When Marks came to the company, he had worked in public accounting and in industry. “Having been audited and having done auditing, I saw how painful and disruptive it could be. I wanted to do something that was more like a service.” To achieve his goals, Marks has crafted an approach to make the most of his 22-person audit staff. To measure efficiency, he relies on benchmarks to compare his operations against those in the industry and in manufacturing as a whole. For example, his company has 1.3 auditors per billion dollars of gross sales, while the industry average is 4.35 per billion. While Tosco has 0.67 auditors per 1,000 employees, the industry average is 3.05 employees per 1,000. However, he considers the most important Benchmark to be internal audit cost as a percentage of sales. For his company, that number is 0.017%; for the industry, it is 0.044%.
How can the audit department maintain these numbers while providing high-quality audits as well as offering worthwhile solutions to company problems? His blueprint is one that may serve as a recommendation for other internal audit departments seeking leaner operations:
Stop auditing history. “Our general routine is not to go back and audit what’s happened in the past,” Marks says. “Many companies will take a month’s or even a year’s past transactions and verify them. All that’s doing is auditing the past. My job is to audit the present and to provide protection for the future. Our emphasis is on the controls we have today rather than on what might have taken place.”
Narrow the focus. In a step he calls using a laser rather than a shotgun, Marks’ department focuses exclusively on key risks. For example, Tosco’s Linden, New Jersey, refinery could be considered the top risk area in the company based on the volume of its operations and the money. While some internal auditors might audit the total refinery, “I am interested only in certain business risks within that operation,” Marks says. “We decide where, if controls fail, we are likely to have a problem.” Areas to audit are chosen based on a subjective assessment of risk to the company and value of the audit. “Each audit has a value (to management and the board) in its assessment of controls and in the positive changes it effects. The changes could have a direct contribution to the bottom line (such as cost savings, revenue enhancements) or an indirect contribution (risk reduction, fraud deterrence). We work with management at all levels to define those areas.” In a given year, Marks may determine that the biggest risk in accounts payable is payments to maintenance contractors, so the auditors will target just that segment of accounts payable. In the following year, observations of the refinery operations and experience in other audits may lead the auditors to examine payments to utilities. Although the internal auditors perform a number of audits at the refinery, they concentrate on selected risk areas rather than blanketing an entire department.
Dispense with lower level staff positions. While some audit departments have a hierarchy of positions ranging from neophyte to manager, Tosco hires mainly manager-level staff and some seniors. “If you ask managers how much time they spend supervising, training, reviewing workpapers and rewriting the audit report, you find they are probably spending as much time as if they were doing all the work themselves,” Marks says. The department seeks a blend of experience, from people who’ve worked with large and midsize accounting firms to former controllers, treasurers and internal auditors in the oil and other industries. Because Tosco has cut out an entire level of staff, “our cost per auditor is higher, but total audit costs are lower.” Productivity also is enhanced. “Our people are so much more experienced that the quality of the audit tends to be higher. We are able to explain to people in other departments what we are doing and focus quickly on the significant business risks. Since we don’t go in and ask silly questions, the work is received better by people in other departments.”
Employ stop-and-go auditing. In this technique, auditors go into an area and determine on the job whether the risk is so low that an audit isn’t needed or whether greater resources should be devoted to the audit because of questions uncovered. With experienced people and a narrowed focus, this technique can greatly boost efficiency, but companies don’t always employ it. When the company acquired a wholesale terminal, Marks was told that the previous owner had sent two internal auditors to perform a month-long audit; the Marks team, however, sent one person for four days. “Our managers know every unnecessary hour spent auditing an area costs the company money and takes time away from another project we could do that has value.” On most jobs, auditors go in with an estimate of 250 to 300 hours to perform the work, but they are encouraged to use their discretion to spend more or less time as needed. “We hire people who are proficient enough to make those decisions.”
Position auditors throughout operations. Tosco’s auditors work alongside other staff members in locations throughout the company’s operations, which include refining and marketing. Marks believes this enables them to understand a business area and its risks and to add value in the eyes of the audit committee and management by, for example, becoming familiar enough with an area to offer useful suggestions. “We don’t want to be seen as outsiders coming in from corporate management but, rather, as part of the local management team.”
Marks has not experienced resistance to the changes he has made in his area because of the quality of the people in his department and the value that they add to processes throughout the company.
Marks believes his approach is justified by the fact that well over 90% of the recommendations made by the internal audit department are implemented. For example, some of the company’s audits may cover a business risk that spans many departments, such as the one performed recently on travel expenses. The company’s travel agent forwarded to management any reports about travel items that departed from policy. Those reports were then sent to two vice-presidents for follow-up. The internal auditors suggested the reports be sent to the relevant department manager instead, since it seemed unnecessary to tie up senior executives’ time over travel expenses. “The person doing the audit who made that suggestion is an ex-controller, and he knows how to run a business,” Marks says. “Because I run the audit department as a business, we’re always trying to make sure we’re adding value.”
The fundamentals have not changed in my approach. I would change some of the language, but the practices I developed for Tosco endure.
- I would talk more about assurance and its positive value for our leaders. That’s more of a language change, since even then I knew that telling people that “everything is OK and there is nothing to worry about” has huge value to board members and top executives.
- Instead of talking about not auditing history but today, I would talk about the need to audit today and tomorrow: what might happen over the next year or so. Change is where the greatest risk and opportunities lie, and where controls are more likely to be in need of improvement.
- I would emphasize that when I talk about risk-based auditing, I am talking about risks to the enterprise as a whole. I worry about risks to a process or business operation if and only if it is a source of risk to the enterprise as a whole.
- At Tosco, I was more concerned with things that might go wrong as our margins were thin. But that changed as I moved from Tosco to other organizations. I included in my audit plan controls that provided assurance that we would take advantage of possibilities that would benefit us, the creation of value, whether in sales or even in procurement.
- I would also make every effort to avoid using the 4-letter “r” word, as it has negative implications and triggers less than an enthusiastic response from management.
- The article doesn’t say anything about reporting. This is an area where I made a lot of innovations at Tosco that I carried on in my later positions. Basically, it’s the idea that you “tell them what they need to know, not what you want to say, and do it in as few words as possible”.
- I would also say something about the people on my team. They were the source of any success I had. I learned a lot as a leader and would bring those out – as I did in my books.
Questions for you:
- How have the profession and its practice moved on from what I was doing in 1998? Or have many still to catch up?
- The idea of not hiring junior staff was highly controversial in the 1990’s. It was before SOX, so there was little need for that level of internal auditor. Do you agree with the basic principle explained in the article?
- Do you audit controls over the creation of value?
- The article doesn’t talk about technology, although I used it when it had value. Do you agree with me that the use of technology has to be dependent on its value? In other words, if we really have a dynamic audit plan, you should make sure there is value in spending the money to develop internal audit software and analytics that may only be used once.
- What other comments do you have?
- The risk is assessed as high. So what? - March 15, 2023
- Putting cyber risk into business perspective - February 15, 2023
- Twitter and risk - January 18, 2023