22 March 2018

Recruitment and selection

Chartered Institute of Internal Auditors

Plan a review of your organisation's recruitment and selection processes with our guide.

What is recruitment and selection?

Why is recruitment and selection important?
Potential risks and responses
What can internal audit do?
Data protection considerations for internal auditors

What is recruitment and selection?

Recruitment is about acquiring new staff and appointing existing staff to new roles. This could be
due to growth and diversification or simply replacing people who have left the organisation.

In both cases recruitment should take place in the context of a manpower plan that forecasts
staffing requirements based upon strategic objectives and development plans. It is all about
acquiring the right number of people with the right skills, experience and competencies in the right
jobs at the right time.

The manpower plan helps to establish whether new staff will be temporary or permanent and the
extent to which existing staff need to be trained and redeployed. Planning therefore impacts the
approach to recruitment such as the appointment of full or part time positions, permanent or fixed
term contracts.

In some organisations it is possible for the manpower plan to anticipate recruitment in some areas
of the organisation with reductions in others. This means staffing costs can be projected and built
into financial forecasts and budgets enabling recruitment and training to be controlled at an
organisational, subsidiary and department level.

Many organisations, both public and private, have developed models for manpower planning but the
processes are very much alike:

• Analysis of competencies of the present workforce.

• Identification of competencies needed in the future.
• Comparison of the present workforce to future needs to identify competency gaps and surpluses.
• Preparation of plans for building the workforce needed in the future.
• An evaluation process to assure that the workforce competency model remains valid and that
objectives are being met.

Selection is that part of the recruitment process that matches candidates to the specific
requirements of individual positions. This has a number of recognisable stages as illustrated in the
diagram below:

1
© Chartered Institute of Internal Auditors
 Effective recruitment and selection ensures that the organisation has the necessary knowledge,
skills and experience to fulfil its responsibilities and achieve its objectives.

2
© Chartered Institute of Internal Auditors
 Expand this diagram

Why is recruitment and selection important?

Recruitment and selection generally forms part of the organisation's strategic management of
human resources, which has a number of interrelated elements designed to deliver long term
sustainable success.

Effective recruitment and selection ensures that the organisation has the necessary knowledge,
skills and experience to fulfil its responsibilities and achieve its objectives.

It also ensures that the organisation's culture, ethic values and expectation on behaviour are
compatible with those of its employees so that there is unity of direction and purpose.

Equally there are a number of potentially high-impact, high-likelihood risks associated with
recruitment and selection. It is all about acquiring the right number of people with the right skills,
experience and competencies in the right jobs at the right time.

Organisations face a wide variety of risks in relation to recruitment and selection. The nature of
these risks will vary depending upon circumstances; however, we have compiled a short list of
potentially high impact, high likelihood risks below along with the possible responses that
management may take.

Potential risks and responses

1. Not having the right people in the right place at the right time.

Potential impact
• Inappropriate and inadequate resource to achieve objectives, expansions plans, project delivery
and market opportunities.
• Recruitment numbers not controlled resulting in excessive spending against budgets and/or
reduced profits.

Possible response
• Requiring business plans and initiatives to include staff projections with financial forecasts that
are consolidated.
• Staffing structure in place with total numbers of staff in each department that is reviewed
periodically to take account of changing business needs and linked to business objectives.
• Additional staff requests approved by senior management and structure updated and linked to the
budget.

2. Employing staff who do not have the required competencies and/or cultural fit with the

3
© Chartered Institute of Internal Auditors
 organisation.

Potential impact
• Failure to achieve strategic and operational responsibilities and objectives.
• Poor staff morale, high levels of absenteeism, excessive staff turnover.

Possible response
• Regular review and update of policies and procedures.
• All managers involved in recruitment to undertake regular recruitment and selection training.
• HR involved in the preparation and agreement of job descriptions, person specifications, terms
and conditions.
• HR involved in the recruitment process to ensure application of policy and procedures.
• Using a variety of assessment methods - interviews, case studies, presentations, psychometric
testing.
• The establishment of KPI's and monitoring arrangements.

3. A failure to comply with employment legislation.

Potential impact
• Legal prosecution leading to fines and compensation.
• Damage to the organisation's reputation.

Possible response
• HR define and update policies and procedures that are legally compliant.
• HR monitor changes in legislation assess impact, communicating and implement changes to
policy and procedures.
• Using employment law advisors and experts to clarify the need for compliance, as appropriate.
• Regular training and re-training of staff who are involved in the interview process.
• HR involved in the recruitment process to ensure application of policy and procedures.

4. Gaining employment to the organisation by deception

Potential impact
• Failure to achieve strategic and operational responsibilities and objectives.
• Legal prosecution leading to the payment of fines and compensation.
• Financial loss through fraud.
• Damage to the organisation's reputation.

Possible response
• Applying strict vetting procedures such as disclosure and debarring service (DBS) checks
(previously CRB checks), use of vetting agents.
• Insist on seeing original qualification documents.
• Require candidates to demonstrate their competency during interview process.

5. Inconsistency in the recruitment process

Potential impact

4
© Chartered Institute of Internal Auditors
 • Legal prosecution leading to fines and compensation.
• Inability to attract the talented and experienced staff.

Possible response
• Documentation of policies and procedures supported by service level agreements.
• The establishment of KPI's and monitoring arrangements.

What can internal audit do?

Finding, developing and retaining talented people is more important than ever in today's highly
competitive and rapidly changing world. People issues, such as recruitment and selection are
therefore likely to feature on the organisation's risk register and the internal audit activity should
think about including these on the internal audit plan. The level of priority will depend upon the
relative significance of human resource risks compared to others on the strategic risk map or
register.

Review assurance providers

Internal audit may find that there are other parts of the organisation, including HR management who
are providing assurance and information upon the mitigation of risks. Where this takes place
internal audit can review the reliability of the assurances and reports that are given.

For example HR services may report on how well departments are applying recruitment procedures
and report against key performance indicators. Internal audit can provide an independent opinion on
whether senior management can depend upon the statements being made and scope their work
accordingly. Practice advisory 2050-3 provides detailed guidance on how to rely on the work of other
assurance providers.

Provide assurance
In addition internal audit can provide independent and objective assurance that the content of
policies and design of procedures for recruitment and selection are supporting the organisation's
needs and objectives.

Sometimes recruitment and selection can be regarded as a matter of routine with the focus of
attention on applying the procedure without reflection on whether or not it is achieving the desired
outcome - selecting the right people for the right jobs.

Internal audit can evaluate the whole process by conducting a 'walk through' of the procedure with
consideration of the overall efficiency and effectiveness. This should include reviewing the extent to
which risks are being identified and managed.

In a process audit of this nature it is worth considering the way:

• Policies and procedures are updated and refined to take account of lessons learnt, complaints,
legislative changes and cost effective measures.
• Recruitment is delivering against wider initiatives, for example in relation to diversity and anti-
discriminatory policies.
• Changes in policies and procedures are communicated and implemented across the
organisation.

5
© Chartered Institute of Internal Auditors
 • Managers and those involved in recruitment have been given adequate training and re-training
when legislative requirements change.
• Flexibility is built into procedures through the delegated powers and authority given to various
managers across the organisation.
• Appropriate vetting checks are carried out to obtain proof of identity, qualifications and disclosure
of convictions. Vetting should be commensurate with the nature of the business and proportionate
to the role being advertised.
• Approaches to advertising and recruitment agencies are reviewed for their effectiveness.
• Personal data is kept complete, up-to-date and secure from unauthorised access.
• Standards and KPIs have been set out by HR (Service Level Agreements) and these are
resourced, maintained and developed to ensure delivery.
• Manpower plans are successfully projecting resource requirements and are being delivered.
• Vacancy levels, turnover rates, staff and recruitment costs are monitored and controlled.
• Managers regard recruitment and selection in terms of successes, difficulties and issues.

Internal audit can also carry out detailed testing on the controls that reduce high impact, high
likelihood risks. Every organisation is different but here is a short list of issues to consider during
testing.

• Managers who recruit new members of staff on the basis of future income projections that fail to
materialise.
• Organisation charts and budgets that do not reflect the actual number of people in a service,
department, subsidiary or section.
• Over reliance on temporary members of staff that sees constant renewal of contracts.
• Excessive periods between the point of advertising posts and making an appointment that often
results in good candidates going elsewhere.
• Using DBS and other vetting methods but with little or no action once the results are received due
to the pressure to fill vacant posts.
• Little or no analysis of the cost and effectiveness of advertising methods and recruitment
agencies that leads to over reliance on particular organisations.
• Inconsistencies in salary for the same role and responsibilities in different parts of the
organisation or in the market place in general.
• No division of duties between the creation and amendment of information on the human resources
system and input to the payroll system, so that there is no checking on the validity and accuracy
of data.
• The job advertisement and job description do not match the day to day role.

Data protection considerations for internal audit

Most organisations are very aware of the need to maintain security over personal data and rightly
restrict access in accordance with data protection legislation. This may mean that the HR service
may be resistant to internal audit gaining access to the information it needs to complete an audit
review, especially where the internal audit activity is an outsourced provider.

To avoid problems, a number of actions can be taken:

1. Ensure that the internal audit Charter authorises access to records and personnel necessary to
carry out the work and that this is routinely communicated to staff.
2. Discuss the code of ethics, aims and objectives of internal audit with the person responsible for

6
© Chartered Institute of Internal Auditors
 data protection registration and check/make arrangements that allow internal audit of personnel
records.
3. Discuss the objectives and scope of the audit engagement well in advance with senior
management and the person responsible for HR. Place emphasis on verifying risk mitigation,
compliance with policies, procedures and controls rather than looking at personal data (where
possible, consider using with data with personal identifiers removed).
4. Conduct internal audit work only within the HR offices so that personal files and documentation
are kept within the secure environment.
5. Agree not to photocopy personal details and use reference numbers rather than names in
compiling audit working papers.
6. Be prepared to sign confidentiality agreements.

If all else fails, it may be necessary to escalate to senior management or the audit committee to
allow access to information in line with the internal audit charter or to reflect the reduced scope in
relation to the provision of an assurance.

Further reading

Standards
2050 Coordination

Practice advisories
PA2050-3 Relying on the work of other assurance providers

External resources
The Chartered Institute of Personnel and Development (CIPD)
The Advisory, Conciliation and Advisory Service (ACAS)
The Times 100 business case studies
The Citizens Information section of the Government of Ireland
The UK Government’s website Directgov

7
© Chartered Institute of Internal Auditors