Director: BDO Risk Advisory Services
The traditional annual three-year audit plan has become stagnant. Instead, an agile audit plan that adjusts to the risk profile of an organisation now provides the best value to clients. What’s led to this shift?
For Real Estate it is a host of emerging risks including the pandemic, hike in interest rates which prompted organisations to change their approach to managing risks. This has led to a refocus of internal audit plans to areas that matter. Emerging risks by nature will always change, shifting a REIT’s risk profile and meaning that internal audit plans need to remain agile.
There are seven current key areas an agile internal audit plan should consider in adding value to a REIT’s emerging risk profile.
Capital expenditure
The recent interest rate hikes impact property valuations and a REIT’s ability to raise capital and fund capital expenditure.
This affects an REIT’s spending ability, something internal auditors can manage by assessing the end-to-end Capital Expenditure process to ensure sound controls are in place to mitigate significant risks such as Delegation of Authority, budgeting, supplier and payment management, emergency expenditure and the accuracy of financial reporting.
Power crisis
The ongoing power crisis means REITs have had to invest in alternative energy sources such as generators. Internal auditors, in turn, should factor this in when accounting for the increased risks around utilities and fuel usage and management.
These include the validity, accuracy and completeness of recoveries from tenants, approval of vendors supplying fuel, protocols in place to guide the procurement of fuel, monitoring controls to avoid fuel shortages, and monitoring the useful life of generators.
Debtor management
As inflation and impending recession impact household spending, retail outlets experience a decline in foot traffic, impacting tenants who rely on daily business to afford rent.
Internal auditors can add value by reviewing the REIT’s contract management and renewal process with tenants, attraction of new tenants, debt and recovery policies, and management’s proactive reporting around potential bad debts.
Image By: Nastuh Abootalebi via Unsplash
Non-financial reporting
Internal audits have traditionally focused on assuring financial Information. But in recent years, boards and other stakeholders have placed greater emphasis on the need for internal controls to supply accurate and sustainable non-financial information.
In cases then where it’s needed, internal auditors should work with management and ESG specialists for assistance with non-financial reporting assurance, as well as considerations around managements maturity and needs when it comes to ESG.
Alternative income
Alternative income has become important for REITs to manage. Some of the risk areas REITs face around alternative income include: the nature of the income, low-valued transactions within a short period increasing chance of collusion, correct contract management, completeness of overall revenue reporting for the REIT, and general opportunities for fraud and relaxed processes and procedures.
To offset this, internal audit plans should consider REIT’s alternative income processes and ensure value through the review of key risk areas such as parking, gift cards, kiosks and exhibitions. Where materiality does not justify in-depth reviews of these areas, internal audit can review combined assurance activities to ensure adequate assurance coverage through other lines of defence such as management control self-assessment processes, and third party assurance activities etc.
Digital transformation
The adoption of AI technology is rapidly increasing across all industries, including retail and real estate. In addition to pure AI technology adoption, businesses are focused on automation and streamlining processes in order to improve operations.
Internal audit can play a vital role in the maturity of an organisation’s digital journey over time. This means, as REITs implement more technology alongside internal audit functions, its plans must consider pre- and post-implementation reviews, review management’s intended process controls (recommending improvements too), embed data analytics in the internal audit plan, and explore opportunities to optimise data and data analytics.
As digital transformation strategies are implemented, the internal audit plan can be consistently aligned to ensure the internal audit functions’ digital maturity also improves.
Combined assurance
Internal audit plays a vital role in any organisation’s combined assurance model as its third line of defence. When an organisation’s risk profile changes due to emerging risks or change in strategic direction, the updated risk profile should be reflected on the combined assurance plan.
Internal audit should review the combined assurance plans quarterly to provide comfort to the management and the risk committee. Internal auditors should also understand the client’s risk profile to ensure that areas that are not necessarily part of the internal audit universe but should be covered in the combined assurance plan — such as valuations and tax — are included.
Agility is important
An organisation’s internal audit function needs to remain agile and adapt to the changing risk profile of the REIT if we are to continue to add value to any business. We have highlighted some areas of consideration for internal audit plans pertaining to REITS.
Internal audit plans on the whole however should consistently be reviewed to ensure that our work targets the risks that matter in an organisation.
Farhana Hassim is a Director at BDO for Risk Advisory Services.
