Speech by Senior Minister of State for Finance and Transport Chee Hong Tat at The Institute of Internal Auditors Singapore Annual Conference 2022 on 4 November 2022
Mr. Koh Chin Beng, President of the Institute of Internal Auditors Singapore,
Ladies and Gentlemen,
Thank you for inviting me to speak at the Institute of Internal Auditors (IIA) Annual Conference.
The world is currently facing many challenges – a recent article in the Straits Times used the phrase “polycrisis” to describe the situation. We have to marshal resources and strengthen international collaboration to collectively mitigate the effects of climate change. Geopolitical tensions and Covid-19 have led to inflationary pressures and supply chain disruptions. Besides these, we can expect other new risks and threats to emerge, and unfortunately at a faster pace.
Organisations will need to prepare their stakeholders and to build new muscles to deal with these uncertainties, because some of our previous approaches may no longer be adequate or relevant.
This year’s theme of “Anticipating and Mitigating Risks in an Era of Disruption” is thus very apt, as it reflects the impetus for the internal audit profession to reflect on your role and to identify what are the new capabilities, networks and skillsets required, to be ready for a more uncertain operating environment.
As internal auditors, you have an important responsibility. Your expertise is required to help your organisation innovate and seize new opportunities, while safeguarding good governance and effective controls to manage downside risks.
You are also called upon to go beyond your traditional role of ensuring compliance to being a trusted advisor and strategic partner to your colleagues from the frontline and operational departments.
In my speech today, I would like to talk about some ongoing areas of review and share with you how I believe the internal audit profession can support these changes. I will draw on examples and learning points from the public sector, and hope that some of these would be relevant to our friends from the private and people sectors.
Evolving role of internal auditors
A good risk culture and strong governance are essential, as organisations pursue new opportunities or overcome challenges with speed and agility. Internal auditors have an important role to strengthen risk management practices, by having a good understanding of operational and policy requirements and supporting your colleagues in the organisation to identify the key risks and calibrate the risk tolerance levels.
We can maximise the chances of achieving good outcomes by having internal audit work together with the frontline departments preferably in a collaborative manner, instead of working against each other in a confrontational approach.
For example, the Ministry of Social and Family Development (MSF) had to roll out the Covid-19 Support Grant (CSG) in May 2020. It was a crisis, so they had to do this at very short notice to provide temporary support to Singaporeans whose jobs were affected by the pandemic. The internal audit team of the Ministry of Social and Family Development worked with its grant directorate to use data from agencies such as HDB, CPF Board and IRAS, and designed controls to help Social Service Office staff verify the eligibility of applicants before disbursing the grants. This – working together – enabled the expedient rollout of support measures with strong governance and controls in place.
In the public sector, we have been building up our capabilities in enterprise risk management, or ERM, in an effort that is jointly led by the Ministry of Finance, the Accountant-General’s Department, and the Prime Minister’s Office – Strategy Group. We disseminated a Practice Guide on implementing ERM to all agencies and will continue to look at ways to facilitate mutual learning and sharing of best practices amongst our agencies.
We are adopting a risk-management approach that is more principle-based rather than rules-based. This is to facilitate our day-to-day operations. We do not want our colleagues from the frontline and operational departments to be bogged down by too many internal procedures, without appreciating the underlying principles and intent. It is important for our officers to know what to do, but even more important for them to understand why we do it.
In addition, our rules and processes must not become overly prescriptive and restrictive, as that will take away the flexibility for officers to exercise judgment and manage cases which require exception-handling because they do not fit neatly into the scenarios we anticipated when we wrote our rules. This will become increasingly important in a fast-changing and uncertain environment, as we will have more occasions when our officers will need to use their discretion to deal with unforeseen situations.
I would also like to encourage public sector agencies, including our colleagues who are holding leadership positions, not to react to audit queries by simply adding more and more rules. When we introduce more rules, both the auditor and our officers will have more processes to check for compliance in future rounds of audit. We must resist the temptation of adding more rules as a knee-jerk reaction to audit queries, as this could become counter-productive if it increases the workload for everyone without improving governance or reducing risks.
Worse, doing so may take away the sense of ownership from our frontline officers and they may just shrug their shoulders and go through with it even though they disagree. Some of them could respond by sticking closely to the prescriptive rules to avoid deviation, even when they think some of the rules do not make sense, because they may not feel sufficiently empowered to propose changes to the rules.
This is a lose-lose outcome for everyone. The organisation will become less responsive and innovative, and the staff who are affected by outdated rules will feel frustrated. No one benefits, and everyone is worse off in such a situation. Therefore, we must prevent this from happening.
Across the public service, agencies are building up their competencies in enterprise risk management and applying a principle-based approach in drafting their rules and policies. This is something we will encourage agencies to continue to press on. It is an ongoing effort - not yet where we want to be, but this is a journey we want to continue. For example, MOF has done so for the Instruction Manual on Grants Governance instead of laying out prescribed administrative practices. This allows agencies flexibility and efficiency in grants administration, while establishing a baseline standard of governance and rigour.
Our end in mind is not to aim for zero risk or aim for zero audit queries, as that will impose too many restrictions on the organisation and discourage staff from trying new ideas. If we have zero tolerance for errors and failure, we will end up with zero scope for innovation.
From our experience dealing with the pandemic, we know it is better to manage the risks to protect both lives and livelihoods, than to pursue a zero-Covid strategy. The same rationale applies to enterprise risk management.
Over the past two and a half years, our public officers had to deal with multiple waves of infections and confront unexpected curveballs from the Covid-19 pandemic. Public agencies and officers had to respond swiftly to protect lives and livelihoods, especially at the height of the crisis where the situation was uncertain and rapidly evolving. I want to thank our agencies and officers for their sacrifices and their hard work during this very difficult period.
For example, we had to grapple with a global shortage of surgical masks during the beginning part of the pandemic, and there were unexpected supply chain disruptions over essential items like vaccines and food, and a demand surge for quarantine facilities, just to name a few of the challenges that our agencies and officers had to go through.
There was also a shortage of accommodation facilities to act as quarantine, isolation, recovery, or temporary dormitory facilities. To address the urgent needs, the Singapore Land Authority (SLA) directly contracted with the hotels, instead of following the usual process of calling open tenders. This is allowed under the Emergency Procurement Procedures, which take a risk-based approach to provide flexibilities in procurement processes to facilitate expediency. When the situation was more stabilised, SLA conducted a re-quote exercise to ask the hotels to review their rates and obtained lower contract rates.
Strengthening capabilities to be future-ready
Next, organisations need to leverage a sound data strategy and synthesise insights across key processes. Internal auditors are well placed to tap on your expertise in data analytics and your understanding of the organisation’s requirements to be a valued partner for frontline and operational departments in the organisation.
The internal audit profession must also continue to focus on ongoing professional development to attract and retain talent.
Within the public sector, the Ministry of Finance has embarked on transformation efforts to build up a professional and collaborative internal audit function. We want to strengthen our internal audit capabilities in different government agencies, as well as facilitate knowledge sharing and collaboration across the internal audit teams in the Public Service. Some of our agencies may have small internal audit teams, so rather than having individual teams that are working as standalones, we thought one way is to link them up through this network, so that certain capabilities and resources can be developed centrally and shared across all the different teams in the different agencies.
For example, the Accountant-General’s Department is implementing a central audit management system that will digitalise audit processes, allow agencies to share audit data securely and draw audit insights to further strengthen governance. Public sector internal auditors are also equipped with audit analytics toolkits and dashboards to harness the power of Big Data in planning and conducting their audits. Not so easy if you only have a small team to do this by yourself, but by tapping on AGD, we can then have the critical mass and resources to do this, which will benefit everybody.
Another important area is talent development. To strengthen talent and capability development for public sector internal auditors, we are moving towards clustering internal audit functions across various public agencies at the ministry family level. This will help the internal audit function be more resilient and better focus on upskilling and developing deeper skillsets in specialised areas, such as data analytics and risk management.
MSF, which I mentioned earlier, whose internal audit team collaborated with the frontline and operational departments, is one such example whereby the internal audit functions in both its HQ and its statutory board, National Council of Social Service, have been clustered.
Preparing the organisation to be future-ready is not just about deepening skillsets. The rules under which the organisation works, also need to be relevant. Earlier, I talked about the role that internal auditors can play in helping to identify key risks and calibrate risk tolerance levels. Extending from this, I believe that internal auditors can also work with the frontline and operational departments to identify existing rules and processes that may need to be reviewed. Rules that made sense in the past can become an obstacle for the organisation if they are no longer relevant.
Using the public sector as an example, all our regulations start with good intentions. However, for every new rule created, organisations and individuals will change their behaviours to optimise around the new regulations, sometimes leading to unintended consequences or what economists refer to as “perverse effects”.
So we must have a balance. We need some rules so people know what they can and cannot do, and to deter and enforce against errant behaviours. However, it is not just about adding more rules or having overly complex regulation, as that could lead to its own set of problems - gaming behaviours in even more sophisticated and sometimes, unpredictable ways.
Governments will need to think through how to have smarter regulations – rules that are effective; that mitigate market failures; and at the same time do not stifle genuine innovation and ground-up initiatives. It is not easy, but it is a challenge that I hope we can do together.
Let me conclude by sharing a quote from Sir Winston Churchill, who said, “We shape our buildings; thereafter they shape us”.
a. The same applies to our rules, “We shape our rules, thereafter they shape us”.
b. The way we set our rules can have a significant impact on how we think, how we act and how we make decisions.
Our rules reflect our mindset and organisational culture. They affect how we deal with risks and whether we encourage people to try new ideas and accept that there will be some failure along the way. They impact how we collaborate with our colleagues, and whether we promote or discourage certain values and behaviours in the organisation.
The way we review and refresh our rules will demonstrate our collective commitment to build a Public Service which is innovative, adaptable, and future-ready.
a. A Public Service which empowers our officers to make judgment calls guided by sound principles, and to be change-agents to enhance our systems and processes when we come across areas that need improvement.
b. As former Head of Civil Service Mr Peter Ong said, “a first-class Public Service, worthy of Singapore”.
I hope the discussions at this forum will inspire and encourage our participants to reflect on your important role as internal auditors; how you can leverage on your expertise in risk management, data analytics and rules review to add value to your colleagues; and how you can help your organisation to better innovate and adapt to a fast-changing and uncertain future.