There is no easy way to assess the value internal audit adds to its organization. The function’s worth can be different from business to business, and the expectations placed on it change — often rapidly — over time. And while quality assessments are useful, they can miss the less tangible benefits the function provides to the business and fail to distinguish how different stakeholders assess the worth of the services they receive.
Perhaps one of the best ways for practitioners to gauge their value, then, is through the lens of these stakeholders — particularly those tasked with organizational management and oversight. Seeing how internal audit is perceived by its primary clients provides a unique window on what the profession means to the organization and how its services are viewed.
The impressions shared by these individuals are revealing and informative. Stakeholders highlight several key areas of perceived value, including internal audit’s advisory work, assurance services, and ability to help identify new opportunities. They also cite the function’s ability to serve as the audit committee’s eyes and ears, and offer advice on how internal audit can best meet their needs. These observations offer an objective look at the profession that helps shed light on what’s important to the organization from the vantage point of those most dependent on its work.
View of the Enterprise
Since the enterprisewide failings that contributed to the 2007–2008 financial crisis, the task for many internal auditors and their stakeholders has been to redefine the value of internal audit to take account of a growing holistic approach to risk management. Spanning the entire organization during the course of its work, prying into every operational business area and process, internal audit is ideally placed for that role. Not only is it much more knowledgeable about the business than the external auditor, internal audit’s uniquely independent status enables it to take an in-depth but objective view of how well the company is performing. Gerry Czarnecki, chairman and CEO of the leadership and corporate governance consultancy the Deltennium Group, as well as audit committee chairman at State Farm Insurance Co., says providing this perspective to the board is one of the key ways the function adds value to its organization.
“Internal audit represents the board’s ability to know that we’re getting an unvarnished perspective on what’s happening in the financial accounting and internal control systems of the organization,” he says. “In fact, the most valuable service an internal auditor can provide is to protect the audit committee from its own ignorance, which is, quite candidly, a lack of knowledge of what’s really going on in the business.”
The key mechanism that provides this unique overview is the internal audit plan. “It represents to the audit committee its best shot at knowing what we ought to be looking at,” he says. He explains that the opportunity to sit down with the CAE and review, add to, and question the audit plan is the surest way for the board to understand whether the data generated by the financial accounting systems and operating processes are reliable. Flexibility in the planning process is crucial, he says, if the schedule of audits is to retain relevance during the sometimes-sudden challenges an organization faces.
But achieving the potential value from the audits listed in the plan takes both courage and tact from the internal auditor, he says. Quite often, he or she needs to question and challenge the risk controls that have been designed and implemented by, say, the chief financial officer, or chief information officer — the very people they are auditing. In addition, if the risks are material enough, where the manager who is being audited blocks the audit process, the head of internal audit must be prepared to take the problem directly to the board.
“If the auditor fails to have that courage, then the system of internal controls oversight that the auditor is supposed to help the audit committee with is going to fail,” he says.
Marty Coyne, CEO of the Learning Network leadership consultancy, says he believes the most valuable internal audit calendars project audits over a two- or three-year period. He says that such long-term planning provides the audit committee with assurance that the major risk factors facing the organization are being audited. As the audits come in, the committee’s job is to assess how well the controls are implemented and to pick up on any common failings in the business’s operations.
“Combining the data points provided by the internal audit function on where controls are weak gives the audit committee a sense of the culture of the company, the way it is run, and its ability to adhere to policies,” he says. “Internal audit helps surface these issues and gives experienced audit committee members the opportunity to connect the dots.”
While the internal audit function must be independent from management to provide value in this way, its work loses its force if the CAE follows his or her own agenda. Coyne says internal audit should seek feedback from a wide range of stakeholders to ensure its work is relevant and timely. Feedback can come from a range of sources, including informal dialogue with the audit committee chair, formal evaluation templates provided to management and the audit committee, post-audit meetings to discuss how well the work was performed, and views shared by the external auditor.
“Evaluate the internal audit function, its leadership, and resources proactively,” Coyne says. “Track it over time and, where there are opportunities for improvement, make sure they happen. That keeps the function aligned with its key stakeholders and ensures that it is operating in a way that fits with what the business requires.”
The Value of Assurance
Carolyn Dittmeier, chair of the statutory audit committee at Assicurazioni Generali Group, one of Europe’s largest insurers, has the responsibility of providing the board with an opinion, or judgment, about the effectiveness of the organization’s overall risk management and internal control systems. This is a requirement of the Italian corporate governance code and, while common in Italy and the public sector in Europe, it is less common in the United States.
“It’s a challenging job,” says Dittmeier, who also serves on the audit committees for Italy-based multinationals Autogrill and Italmobiliare. Many corporate governance functions — risk, compliance, and so on — contribute to this process by explaining the role they play in managing risk and control within the overall business. Internal audit’s unique contribution is to show them how risk management and internal control systems provide adequate governance across the key business processes. In that sense, the responsibilities of internal audit and the audit committee are closely aligned, putting internal audit in the position of the “right hand man” to the chair of the audit committee, Dittmeier says.
While giving such global assurance is one of the two primary services internal audit provides — the other is to act as the audit committee’s eyes and ears across the business — it is difficult to do well. She says the assurance has to be comprehensive and clear. If internal auditors cannot illustrate how they are truly covering the audit universe, the value of the service they provide is diminished. Their criteria for objective and not subjective professional judgment is also vital.
Dittmeier says the value of individual audit reports to the audit committee resides more in what the auditor says about the design of the control system than about whether it is in conformity with procedures. “There is often a lack of clarity on whether the auditors are truly addressing the architecture, the design of the control system, even though that is the most valuable part of the report to nonexecutives,” she says. “It tells them whether the controls are sound and what can be done to improve them.”
One neglected aspect of assurance, she says, is the quality, timeliness, and concision of the information that comes to the board for review. “That would be a valuable comfort area, wouldn’t it?” she asks rhetorically. “If internal audit assessed that area, you would be confident that you were getting the right kind of information at the right time.”
As well as assessing the architecture of controls, Joel Dobbs, CEO of Compass Talent Management Group, says that he values both the bread-and-butter assurance that internal audit can provide and its ability to identify new opportunities. For example, one company where Dobbs worked had been consolidated from seven different organizations.
“It was very inefficient,” he says, “and we were particularly concerned with the amount of money we were spending, especially on telephones.” Internal audit identified several opportunities to cut costs by untangling the mess of contracts that the different businesses had brought with them into the new venture. In addition, it found there was a strategic opportunity for the new company to introduce better competitive bidding processes for its future telecommunications contracts.
While he says internal audit adds value from its tactical audits, the potential for it to operate at this more strategic level across the business can be missed. “Internal audit can provide a lot of value in helping you understand what you need to know to have the comfort that you’re going in the right strategic direction, or whether you need to adjust something to get back on track,” he says. The tactical and strategic levels of assurance do not need to be treated as separate tasks, he adds, but should be seen as two distinctive ways of looking at the audit plan and its outcomes.
Dobbs says that the audit process itself can add value to executive management, if it is structured appropriately. That means good communication with management. “The rule is, don’t drop bombshells on people,” he says. If internal audit involves management in a series of discussions during the audit process, he says, the audit can have better results for all concerned. Regular, structured meetings between the internal audit team and the management function being audited, for example, can iron out misconceptions over the nature of any problem, what remedial action needs to be taken, and how best that might be achieved.
“It’s not that you’re sweeping things under the table and minimizing problems, but making sure the executive sponsor knows what’s going on,” Dobbs says. “In some instances, issues can be corrected by the time the audit report comes out, and those are some of the best things that the head of audit can do because everyone is satisfied with the results.”
Advising on Change
Melvyn Neate, an independent audit committee member at the U.K.’s Office of Rail Regulation and former head of audit at a major U.K. government department, says internal audit can add a lot of value by becoming deeply involved in organizational change projects. Some heads of audit worry that providing such consulting activities compromises the function’s independence.
“I don’t think that’s an issue as long as you’ve made clear what internal audit’s role is and that you know you are still acting in an independent capacity,” he says. If internal audit is not involved at an early stage, he adds, the business may have to build controls into the new development systems retrospectively, which can be time consuming, very expensive, and less efficient.
Historically, Neate says, internal audit has tended to be backward looking — evaluating the past performance of the company’s controls and commenting on their effectiveness. This narrow compliance view has been encouraged by the U.S. Sarbanes-Oxley Act of 2002, but Neate says that internal auditors stuck in that paradigm often fail to add value. “I want internal audit to look forward and think about what’s coming, what the emerging risks are, what the situation is likely to be,” he says. “That means looking at the business strategies, looking at the business plans ahead, and being proactive in getting involved in the key initiatives.”
Many nonexecutive directors share Neate’s view, not least because there are big challenges on the horizon — some of which threaten to undermine the value internal audit can provide. Mary Cranston, a director of Visa and former chair and CEO of the law firm Pillsbury Winthrop Pittman in San Francisco, says these developments include increased regulation, such as the wide range of provisions contained in the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act for financial services organizations; the pace of change brought about in the business world by technological disintermediation; and cybersecurity risk.
“One of the real changes in many companies is that internal audit is asked to evaluate the whole scope of enterprise risk,” she says. “That has required a great expansion of the technical skills in the internal audit department. The job has become a lot more intense and the skill level that you need to do the job has increased as well.”
She says these risks are pushing change in the skill sets of internal audit functions, but many departments find it difficult to keep up with the speed of change. Although the profession has expanded greatly over the last 20 years, there is a shortage of highly skilled and experienced heads of audit outside of major companies and organizations.
“Internal audit is in great demand, and the best companies are getting the best people,” she says. “As you go down the food chain, companies have to do more internal development to get good people into those jobs.”
She says companies need to make sure they meet this challenge if they are going to get the most out of their internal audit functions. “Once they have done that, internal audit will not only be a second pair of eyes, but really a creative part of the whole evolution of business solutions within the company,” she says. “There’s huge benefit for those companies that continue to upgrade their internal audit teams and invest in their expertise.”