One of the ways for organisations to maintain competitive advantage is to look towards innovative ways to improve and grow the business and its services, products and ways of working. Research and development is a valuable tool to support this.
This guide provides an introduction to research and development to help you plan an internal audit in this area.
What is research and development?
Why is research and development important?
Research and development strategy
How does research and development work?
Potential risks to the success of research and development activity
Potential risks and responses
What can internal audit do?
Research and development (R&D) is a set of investigative activities that a business conducts to acquire new knowledge, create new products or services and improve existing products or services (University College London).
R&D can arise from two main areas. Firstly, potential for the creation or improvement of products, processes or knowledge. For example, the product or service may be the first of its kind in the world. Secondly, R&D can also arise when substantial improvements are made to an existing, maturing technology or product, for example Mark II or III of a car, one simple refinement to an existing product to improve its saleability, or creating a new way of operating that brings significant benefits (such as speed, cost, safety) to a business process.
According to the UK Office of National Statistics, the expenditure on R&D performed in the UK reached £30.6 billion in 2014 in current prices, up from £29.3 billion in 2013 and £11.8 billion in 1990. R&D expenditure has increased by 5% since 2013, while the average annual growth rate since 1990 was 4.1%.
As such, R&D spending provides benefits not only to organisations undertaking the activities, but also to the economy at large in the form of lower prices, improved products and access to new technologies.
In terms of the wider economy, there are many spin-off benefits from R&D which may include new jobs creation, development of the infrastructure that supports R&D activities, advancement of the manufacturing and service businesses that benefit from the R&D activities. New and better-paying jobs enable workers to move up the value chain and support the growth of the manufacturing and service businesses. As a result, the government’s revenue tax base will possibly increase which could allow the government to invest more in the country and in R&D activities.
To incentivise businesses to set up operations in the host country, governments around the world provide grants, loans, tax advantages and R&D infrastructure for organisations. A range of factors will be considered by organisations in choosing the location of R&D centres, including:
In view of the importance of R&D, internal auditors need to understand the risks to the organisation if R&D initiatives are not undertaken as well as the risks inherent in R&D activity and in a business being at the forefront of a technology.
As with other parts of the organisation a strategy needs to be prepared for the R&D function. This will define the direction of the function, driven by the organisations wider business strategy. Its appetite may be to lead, working with newer products or technologies subject to important shifts, or change and improve products in support of other organisational strategies for example. It is also important to understand the significance of R&D to the organisation and the economy at large.
The strategy should include:
Based on the definition derived from University College London, organisations generally undertake a Systematic, Investigative and Experimental (SIE) study as a basis for R&D projects. This study is a series of planned activities to test or find out something that is not known in the field of science or technology.
The diagram below provides an overview of the SIE study in the R&D process:
There must be a systematic approach on the steps or activities that are undertaken in the study. The steps must be executed in a planned or orderly manner.
There must be activities undertaken to explore and uncover information to help in understanding of the problem and to find out how to close the gap between the desired outcome and the state of scientific knowledge prior to the commencement of the study. The study cannot simply confirm information that is already a known fact.
The study comprises of steps to test the potential solution in solving a technical problem or creating a new product. An iterative process is often needed because the outcome is unknown and results from each round of testing would provide you with more knowledge than before.
In conducting a SIE study, an organisation will typically:
Risks will be dependent upon the nature of the organisation. The table below provides details of some generic risks. However, discussions with stakeholders will highlight risks specific to the industry in which they operate and tolerance levels that would be deemed acceptable, for example:
1. There is no vision or clear direction to undertake R&D in the organisation.
2. Ineffective leadership and/or uncoordinated R&D activity.
3. Insufficient investment in R&D.
4. R&D projects take too long with escalating costs.
5. Insufficient staff and/or staff do not have the right skills and experience to undertake the work.
6. R&D activity that is unsuccessful and leads nowhere.
7. The technical feasibility of the product or service. (e.g. whether the quality of the product or service meets the expectations of the buyer).
Unnecessary costs incurred.
8. Breach of another organisations Intellectual Property (IP) or compromise of own IP.
9. Leakage of commercially sensitive information to competitors by employees or third parties involved in the development.
Clues are given to competitor(s) who then launch similar updated/new products to market earlier.
10. Breach of taxation laws.
This may be a high risk area according to the nature of the organisation and the sector in which it operates. Conversely, R&D can be an activity which an organisation undertakes to help mitigate or manage competition risks – i.e. to help it stay ahead of the competition. Internal audit should have discussions with stakeholders to obtain their views on what assurances are needed and how they can be provided.
It is important for the internal auditor undertaking an audit engagement in the area to be competent, have sufficient knowledge, experience and appreciation of research and development processes to perform the review. This does not mean that the internal auditor should be expert in research and development but should be able to recognise the existence of risks or potential risks.
Internal audit can provide independent and objective assurance by ensuring that where management have undertaken their own reviews any actions that have been identified are appropriately recorded, verify that the actions are relevant to the findings, that the timescales for implementation of the actions are reasonable and that they are being implemented as well as considering the following areas:
The internal auditor should review supporting evidence to ascertain that the above is in place – e.g. approved terms of reference, R&D plans/roadmap, research inventory, management framework and minutes of meetings of the governance committee. A discussion with senior management should be held in order to understand in greater detail the governance areas.
The internal auditor can consult with the organisation’s risk management department to obtain the company-wide risk register and the individual risk registers for the different R&D projects. The risk registers for the R&D projects can also be obtained from the R&D project team.
The internal auditor should review and inspect supporting evidence to ascertain that the above is in place – e.g. a documented procedure on the monitoring of the accountability of funds allocated to each phase of the R&D projects; a documented procedure on the process to capture the costs and charges to substantiate on the R&D tax incentives and to optimise the tax incentive schemes.
The internal auditor should consult the finance department as a first point of contact to understand the processes and the in-house tax advisor to find out more about the tax processes.
The internal auditor should review supporting evidence to ascertain that the above is in place – e.g. documented policies and procedures to retain documentation in support of the scientific data and track the desired outcomes of the research project; documented procedures on the KPIs to monitor the progress of the R&D projects and on how financial incentives and reward structure are used to tie the R&D activities to the goals of the organisation.
The internal auditor should talk to the R&D project manager to find out more about the performance measurement process.
Review and inspect supporting evidence to ascertain that the above is in place – e.g. documented policies and procedures on the recruitment and retention of staff for the research posts; approved job role requisition forms; reporting on staff turnover and staff training.
The internal auditor should talk to HR staff to understand how the recruitment and retention and training process operates.Download PDF