Internal Auditors at Baidu Look to Data Analysis to Help Make Risk Assessments Less Subjective

Internal Auditors at Baidu Look to Data Analysis to Help Make Risk Assessments Less Subjective

Internal Auditors at Baidu Look to Data Analysis to Help Make Risk Assessments Less Subjective

Company Headquarters — China

Number of Countries Operates in — 6

Number of Employees in Company — 31,000

Industry — Internet Services

Annual Revenues — US$5.3 billion (as of Dec. 31, 2013)

Number in IA Function — 30

Number of Years IA Function Has Been in Place — 10

IA Director/CAE Reports to — Chief Financial Officer and Audit Committee


“ I feel it is very important for internal auditors today to understand the business – what it really does, what its objectives are, and what people in the business are concerned about. You cannot understand risk if you do not understand the business.”

Kangping (Kevin) Shi


Baidu operates, the most widely used Chinese Internet search engine in China – and in the world. Headquartered at the Baidu Campus in the Haidian district of Beijing, Baidu is the largest Internet provider in China and employs 31,000 people around the globe. The company’s name was inspired by a poem about the persistent search for the ideal, written more than 800 years ago during the Song Dynasty; the literal meaning of the word “Baidu” is “hundreds of times.”

Baidu was founded in 2000 by Internet pioneer Robin Li, who is now the company’s chief executive officer. Li started Baidu with a mission to create an Internet search engine that provides intelligent, relevant search results specifically for a Chinese audience. According to Baidu’s website, the company attributes its success largely to its “deep understanding of Chinese language and culture.”1 It underscores the extreme complexity of the Chinese language, and the challenge of serving the more than 560 million Internet users in that country effectively, by noting that there are at least 38 ways of saying “I.”

In addition to China, Baidu operates in Brazil, Egypt, Japan, Indonesia and Thailand. It offers more than 50 Internet and web search services, as well as the world’s largest user-generated Chinese-language encyclopedia (similar to Wikipedia). The company also offers Wireless Application Protocol and PDA-based mobile search. Baidu listed on NASDAQ in August 2005 and in December 2007 became the first Chinese company to be included in the NASDAQ 100 Index. It reported 2013 revenues of US$5.3 billion – a 43 percent increase from 2012

Kangping (Kevin) Shi is head of internal audit, control and compliance for Baidu; he joined the company in 2011 after working as a financial controller for a leading global software company. He reports directly to the company’s chief financial officer, with a soft line to the board audit committee. Shi has 30 direct reports in the internal audit department, and all are based in China

Moving toward a consulting role

Internal auditors at Baidu are organized into three teams: One team is responsible for traditional audits, such as financial and process audits; another handles all information technology (IT) audits, including audits of Baidu’s infrastructure and internal systems; and the third is responsible for construction audits. The company established the third internal audit team because the business has taken charge of building its own facilities to keep pace with its rapid growth; as of April 2013, Baidu had four major construction projects under way in China.

According to Shi, the internal audit team’s short-term goals are to help Baidu balance risks, and improve processes throughout the organization so it can save costs and increase efficiency even as the company grows rapidly. Longer term, Shi says the internal audit function looks to assume a more strategic role, providing consultation to the management team and helping to facilitate more informed business decision-making.

The internal audit function at Baidu has been in place since 2004; initially, the department had only two auditors performing basic audit work. In 2005, the team was expanded to help Baidu meet compliance demands related to Section 404 of the U.S. Sarbanes-Oxley Act (SOX). Under Shi’s direction, the internal audit staff has more than doubled from 12 to 30 since 2011.

“The risk landscape for Baidu is growing just as fast as the company is,” says Shi. “We need more people in the department specifically so we can cover more risks, especially as Baidu makes more acquisitions and builds its presence in markets around the world.”

Baidu has been in a strong acquisition mode of late, starting with the purchase of video portal iQiyi in 2012. In 2013, the company acquired Android app store 91 Wireless, group buying site Nuomi, video portal PPS, and e-bookstore Zongheng. Baidu has plans for more acquisitions in the near future as it looks to expand its presence in three target regions: Southeast Asia, the Middle East, and North Africa.

Watchdog and partner

While compliance work still consumes a significant amount of the internal audit function’s time at Baidu, Shi also credits SOX demands with helping to raise internal audit’s profile in the business. “Another benefit of SOX work is that it helps new auditors to learn the business very quickly because they have to interact with many people and groups across the organization,” he explains.

Shi says he believes more people at Baidu are starting to view the internal audit function as an objective consultant to the business, although his team must still devote a lot of time to explaining their purpose to others. “I think the internal audit function is viewed as both a watchdog and a partner – it depends on which people you ask,” says Shi. “Ideally, we would like to reach a point where we can spend half of our time on traditional audit work, and the other half on consulting to the business.”

Baidu’s internal audit team is currently trying to add value to the company in three specific ways, says Shi. One is by staying apprised of technology trends and developments, both inside and outside of Baidu. “We need to focus on technology risks because every day there are new ideas and innovations emerging. And for a business like Baidu, any new advancement in technology could have a significant impact on our structure, strategy and profitability,” says Shi.

Second, the internal audit function is proactive about sharing best practices throughout the business – particularly with newly acquired companies that need to adapt to Baidu’s approach to risk and control. Shi says, “Internal audit has a broader view of the company than other functions, so we can more easily see opportunities to apply knowledge and processes that can benefit different parts of the business.”

The third way internal audit is working to add value at Baidu is by consulting to management and the board. This is not the same level of consulting Shi envisions for internal audit in the future. Internal audit is working its way toward that goal by encouraging proactive discussions with management and the board about risks. Shi says this dialogue is helping to build awareness at senior levels within Baidu that the function can offer much more than just traditional auditing work.

Data analysis and the modern auditor

Baidu’s internal audit department is much larger than functions in most Chinese companies, according to Shi. He says that in China, the typical role for internal audit is essentially a “policeman,” with a strong focus on SOX work. In these types of functions, he says, “traditional thinking prevails” as most auditors typically come from an accounting background and think of themselves primarily as “financial people.”

Shi says these types of auditors cannot help companies navigate risk and move forward: “I feel it is very important for internal auditors today to understand the business – what it really does, what its objectives are, and what people in the business are concerned about. You cannot understand risk if you do not understand the business.”

The biggest trend in internal auditing during the past decade, according to Shi, has been the transformation in many countries and organizations of the traditional auditor into a “modern auditor.” The modern auditor has a more risk-based perspective toward the business and to their auditing approach, Shi says. This type of auditor also relies on data analysis to help identify risk – which is what internal auditors at Baidu are doing now. “Risk is somewhat subjective, but data is objective,” Shi explains. “I expect to see more internal auditors using data analysis more often in the future to determine potential risks and issues.”

To succeed in the coming decade, Shi says internal auditors will need the ability to learn the business fast; communicate issues effectively, like consultants; and identify risks and opportunities for their organizations. If they can do all three, they can break away from their traditional role.

“Management will not pay much attention to the function otherwise,” says Shi. “So, the biggest challenge for the internal audit profession in the next decade, in China and elsewhere, is doing a better job of demonstrating our ability to help businesses grow and reduce risk, so they can be healthier.”

Of course, as internal audit expands its role, maintaining objectivity will remain an imperative. “There is a red line internal auditors cannot step over,” says Shi. “We will always need to be mindful of striking the right balance between building stronger relationships with the business and maintaining our independence.”.