Internal Audit Embraces Role of Change Agent in National University of Singapore’s Vision to Be a World-Class Teaching and Research University

Internal Audit Embraces Role of Change Agent in National University of Singapore’s Vision to Be a World-Class Teaching and Research University

Internal Audit - National University of Singapore

Company Headquarters — Singapore

Number of Countries Operates in — 6

Number of Employees in Company — 10,000

Industry — Education

Annual Revenues — US$1.7 billion (as of March 31, 2013)

Number in IA Function — 12

Number of Years IA Function Has Been in Place — 30+

IA Director/CAE Reports to — Chairman of the Audit Committee


“ Work that is termed as ‘value-adding’ today will be the norm in the profession in the next decade.”

Audrey Han


The National University of Singapore (NUS) is the oldest and largest higher-learning institution in Singapore. It employs about 10,000 faculty and staff, and has a student population of 37,000 from 100 countries. NUS was founded in 1980 following a merger between the University of Singapore and Nanyang University, although it can trace its roots back to the Straits Settlements and Federated Malay States Government Medical School in 1905.

In 2006, NUS was corporatized as a nonprofit organization so it could have more autonomy to develop into a leading teaching institution on the global stage and a world-class center for research. NUS operates 16 schools and faculties and 26 research centers and institutes, including partnerships with U.S. universities such as Yale University, Duke University, Harvard University, and Johns Hopkins University. As part of the NUS Overseas Colleges program, the university also has offices in three countries where it collaborates with partner universities such as Stanford University and the University of Pennsylvania (United States); Fudan University and Tsinghua University (China); and the Royal Institute of Technology (Sweden).

The internal audit department at NUS is headed by the chief audit officer, Audrey Han, who oversees a staff of 12 and reports directly to the chairman of the audit committee of the NUS Board of Trustees. NUS brought in a new internal audit team as part of its process to transform from a government agency into a corporatized nonprofit organization.

“The audit team has played the role of a change agent to help build up the university’s governance and control environment,” says Han. “To prepare for this role, research into the education industry was carried out to gather knowledge so that we could conduct audits effectively, and add value and offer best practice recommendations as NUS entered this new era.”

Engaging the specialists

The internal audit team benchmarked its department’s practices against internal audit functions at well-established universities in the United Kingdom and United States. The benchmarking exercise is one reason why Han decided to round up expertise in her department by designating internal auditors to serve as “domain experts.” These specialists have in-depth knowledge in areas such as fundraising and research, which have become important to NUS since its change in status. For highly specialized areas where the department does not have the necessary skill set, external consultants are engaged on a co-sourcing basis to address these areas.

“As NUS transitions into a research-intensive university with an international student population, there is greater emphasis on accountability and performance,” says Han. “For example, besides the need to comply with various fundraising and research regulations, there is also the need to ensure proper utilization of research funds to achieve research output and to fulfill donors’ intent. So, we need to have subject-matter expertise in our department to be effective to ensure achievement of those intentions.”

Promoting risk management and controls to university staff

As the control environment matures at NUS, Han says the internal audit department intends to introduce self-sustaining programs to help maintain that environment. Programs under consideration include cross-faculty/department audits, peer auditing, and staff rotation into internal audit, so management staff can build risk management and control skills.

The internal audit function at NUS also maintains a department website that features industry best practices and articles and papers – many created by Han and her team – so that NUS staff members are kept aware of risk and control issues. Internal audit also collaborated with the human resources function to incorporate governance, risk and compliance information into the orientation program for new hires.

“All these little efforts help to create value and raise the profile of internal audit as a valued partner in the management of risk and control,” says Han. “We want to be a one-stop shop, providing real-time advice and useful resources to the NUS community so that problems are addressed up front rather than waiting for traditional audits to determine where the organization may be falling short. We promote our services so that staff needing advice on risk and governance matters can come readily to us for consultation.”

Once NUS has reached a steady state with its governance environment, Han says she looks to further extend internal audit’s present advisory services so that the team can become an effective partner in the management of NUS. In fact, with this vision in mind, the internal audit staff adopted the tagline, “Internal Audit, Your Partner in Management,” when the new function was established. Han says internal audit has been gaining management’s recognition and making “steady progress” toward that vision ever since.

“Managing an academic environment is a lot less top-down compared to the private sector and there is a greater emphasis on consultation,” she explains. “The pace in which value-adding initiatives are under-taken needs management’s trust and buy-in, which also takes time.”

Proactively seeking ways to add value

According to Han, internal audit’s institutional knowledge of the university’s operations and its direct reporting line to the audit committee have allowed it to objectively address issues that cut across different functions or are not presently addressed by any other function in NUS. For example, the team instituted and operates a whistleblowing hotline. It also established a fraud risk universe and database and now conducts fraud investigations. Additionally, internal audit initiated the adoption of an enterprise risk management (ERM) framework at NUS.

“By driving the ERM exercise when risk management was not formally overseen by any department at NUS, we not only increased the awareness of risk and controls in the university, but also enabled everyone in the organization to speak a common risk language,” says Han. “This effort has allowed us to gain a better understanding of the risks involved in running a world-class university; in turn, this shapes how we select and perform certain audits.”

The risk management function has since been formalized at NUS. Han has also introduced continuous auditing and data analytics to address specific areas of risk on a real-time basis.

Han says implementing value-adding activities has been “a journey” for her team and advises internal audit leaders eyeing a similar path to start targeting areas where internal audit is best able to add value. Quick wins can help gain the trust and confidence of management so they will be receptive to internal audit undertaking bigger and more complex projects, she explains.

Becoming a source of future business leaders

Over the past decade, Han says she has watched the required skill sets of audit leaders change as the responsibilities of the internal audit function have expanded – and she expects they will continue to evolve. “The next generation of audit leaders will need to be multi-skilled, and have a good understanding of business, finance, accounting, and information technology. They also will need to be comfortable moving further away from the traditional ‘back room’ role to engage management in addressing emerging risks on a real-time basis.”

Han expects the internal audit profession to see fewer audit leaders coming from a traditional source: external auditing firms. Instead, she predicts more will emerge from within the organization because of the need for their institutional knowledge and their business and operational experience.

Internal auditors, generally, will need to take a more proactive role in partnering with management to provide assurance and consulting services in the areas of risk and control. Although traditional audits will still be carried out, the manner in which they are performed will be more innovative in order to achieve efficiency.”

Already highly selective in her hiring practices, Han anticipates it will be an ongoing challenge for almost all audit leaders to find internal auditors with the right skills and mindset. This is why Han is now looking for talented professionals who may not have an accounting background, like engineers, but can be taught to audit and can bring fresh perspectives to the organization.

Promoting the internal audit function

For internal audit to achieve its full potential in any organization, internal auditors, and especially audit leaders, need to “promote” their expertise so people understand how the team can offer help and advice, says Han.

“The Institute of Internal Auditors has done a lot to help leverage internal auditors’ profile in the organization,” she says. “But for internal audit to progress to the next level, we have to improve ourselves by continuously reinventing to stay relevant.”