Hedge Funds' Next Act: Internal Audits
April 20, 2009
Whether driven by the demands of potential or existing investors, regulators or a new strategic direction, hedge fund and private equity firms are moving beyond their historically entrepreneurial outlooks to enhance their operational risk management, financial controls (SOX and SAS 70) and internal audit.
Above-average returns in recent years attracted increased attention from institutional investors looking to diversify. Institutional asset flows exceeded $734 billion into hedge funds and $494 billion into private equity funds in 2007. With the onset of the credit crisis and continuing challenging market conditions, alternative asset managers must work harder to retain these clients. The pressures for transparency, further disclosure and greater scrutiny of risk management procedures are mounting.
As an example, firms continue to receive inquiries from potential investors around the globe for information on compliance programs, structure of boards and internal control structures. The pressures have also led to standard-setting bodies proposing adoption of leading practices for hedge fund governance.
In fact, many organizations have begun to mature and adopt more "institutionalized" structures and formalized internal operations. Alternative firms on the forefront of this new environment have started building monitoring and governance structures, including audit committees and compliance departments, and they have also begun to build operational risk management and internal audit functions that did not exist before.
In addition, third-party reporting (for example, SAS 70), which has historically been the domain of the industry's service providers, is gaining in momentum as investors are looking for independent assurance on a fund manager's control environment. Some firms are using SAS 70 as a first step to an internal audit.
A number of factors are raising the level of risk exposure, including: pressure on traditional prime brokers and use of alternate relationships, new products and channels, valuation challenges, expansion to international markets, increasingly complex and costly IT investments, expanding third-party relationships, additional regulatory requirements and transaction activity. Strategic direction, such as a public offering or launch of listed funds, also introduces additional regulatory complexities and requirements that internal audit is well positioned to support.
Internal audit can provide a level of assurance to management on the adequacy of processes and controls in the firm to address the broad spectrum of risk beyond just investment risk. According to the Institute of Internal Auditors, "Internal auditing is an independent, objective assurance [that takes] a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance."
Through its dual consulting and assurance roles, internal audit can provide tremendous value to a dynamic organization by focusing on areas of greatest exposure, complex operations and key business initiatives, to validate that the organization is well controlled and operating effectively and efficiently.
The structure of an internal audit function may look and act differently from firm to firm. Clearly, one size will not fit all. However there are some key factors that all firms wishing to establish an internal audit function should consider in the areas of organizational structure, people and infrastructure.
The process typically begins with hiring an internal audit director (IAD), who may also serve as the head of operational risk management. This is an executive-level position and should be filled by someone with the right balance of industry experience, internal audit and risk background. IADs generally report directly to the audit committee of the board, as well as functionally to the chief financial officer, chief operational office or general counsel. This helps to establish the significance of the position, especially where internal audit may be new to the firm's culture and collective experience.
The scope of responsibility for internal audit may also vary but, frequently, leading functions include: global coverage of operation risk, financial risk/SOX compliance, information technology risk, and support for regulatory compliance and strategic risk at the management company level in their mandate. This scope of coverage is developed through conducting at least an annual enterprise-wide risk assessment with significant interaction and input from all aspects of the business to identify where the areas of highest risk are and where greatest value can be gained.
From the 2008 Ernst & Young Global Internal Audit Survey, resources are still the foremost challenge for internal audit functions around the globe. There is a "war for talent" among firms of all sizes. Even in an era of financial downturn, challenges include not only recruiting, but also developing core audit and industry skills and knowledge and retaining a team with the right skills to provide both assurance and consulting activities.