Whether driven by the demands of potential or existing investors, regulators or a new strategic direction, hedge fund and private equity firms are moving beyond their historically entrepreneurial outlooks to enhance their operational risk management, financial controls (SOX and SAS 70) and internal audit.
Above-average returns in recent years attracted increased attention from institutional investors looking to diversify. Institutional asset flows exceeded $734 billion into hedge funds and $494 billion into private equity funds in 2007. With the onset of the credit crisis and continuing challenging market conditions, alternative asset managers must work harder to retain these clients. The pressures for transparency, further disclosure and greater scrutiny of risk management procedures are mounting.
As an example, firms continue to receive inquiries from potential investors around the globe for information on compliance programs, structure of boards and internal control structures. The pressures have also led to standard-setting bodies proposing adoption of leading practices for hedge fund governance.
In fact, many organizations have begun to mature and adopt more "institutionalized" structures and formalized internal operations. Alternative firms on the forefront of this new environment have started building monitoring and governance structures, including audit committees and compliance departments, and they have also begun to build operational risk management and internal audit functions that did not exist before.
In addition, third-party reporting (for example, SAS 70), which has historically been the domain of the industry's service providers, is gaining momentum as investors look for independent assurance on a fund manager's control environment. Some firms are using SAS 70 as a first step to an internal audit.
A number of factors are raising the level of risk exposure, including: pressure on traditional prime brokers and use of alternate relationships, new products and channels, valuation challenges, expansion to international markets, increasingly complex and costly IT investments, expanding third-party relationships, additional regulatory requirements and transaction activity. Strategic direction, such as a public offering or launch of listed funds, also introduces additional regulatory complexities and requirements that internal audit is well positioned to support.
Internal audit can provide a level of assurance to management on the adequacy of processes and controls in the firm to address the broad spectrum of risk beyond just investment risk. According to the Institute of Internal Auditors, "Internal auditing is an independent, objective assurance [that takes] a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance."
Through its dual consulting and assurance roles, internal audit can provide tremendous value to a dynamic organization by focusing on areas of greatest exposure, complex operations and key business initiatives, to validate that the organization is well controlled and operating effectively and efficiently.
The structure of an internal audit function may look and act differently from firm to firm. Clearly, one size will not fit all. However, there are some key factors that all firms wishing to establish an internal audit function should consider in the areas of organizational structure, people and infrastructure.
The process typically begins with hiring an internal audit director (IAD), who may also serve as the head of operational risk management. This is an executive-level position and should be filled by someone with the right balance of industry experience, internal audit and risk background. IADs generally report directly to the audit committee of the board, as well as functionally to the chief financial officer, chief operational officer or general counsel. This helps to establish the significance of the position, especially where internal audit may be new to the firm's culture and collective experience.
The scope of responsibility for internal audit may also vary but, frequently, leading functions include in their mandate global coverage of operational risk, financial risk/SOX compliance, information technology risk, and support for regulatory compliance and strategic risk at the management company level. This scope of coverage is developed by conducting an enterprise-wide risk assessment at least annually, with significant interaction and input from all aspects of the business, to identify where the areas of highest risk are and where the greatest value can be gained.
According to the 2008 Ernst & Young Global Internal Audit Survey, resources are still the foremost challenge for internal audit functions around the globe. There is a "war for talent" among firms of all sizes. Even in an era of financial downturn, challenges include not only recruiting, but also developing core audit and industry skills and knowledge and retaining a team with the right skills to provide both assurance and consulting activities.
There is also the question of critical mass. How large and diverse a function would you need to build to support the complexities of your organization, and how much of an investment are you willing to make to build and sustain internal audit? The majority of alternative firms have chosen a teaming model. They have selected a third-party service provider that can bring deep technical, risk and industry experience and fully trained internal audit teams to either serve as or supplement the internal audit group and any internal staff. This model is particularly relevant to complex products and strategies, systems development, information security and IT general controls, and resources to support large-scale programs such as valuation processes and SOX compliance.
Establishing an internal audit function requires investments to both establish and sustain the group. Such investments include implementing a consistent methodology and disciplined approach in line with professional standards. Internal auditors also must document their work to support conclusions and recommendations. This requires software tools with functionality to house work papers, support knowledge management, coordinate reports and issue tracking, and handle workflow and resource management.
There are many packages available on the market, but they must be compatible with and supported by the firm's IT infrastructure. Many third-party internal audit service providers are experienced using multiple internal audit tools.
Clearly, despite the troubled economy, asset outflows and pressure to produce returns, alternative asset managers will need to build robust governance structures in order to meet the future expectations of investors and regulators when the tides turn.
(c) 2009 Money Management Executive and SourceMedia, Inc. All Rights Reserved.