At some point in almost every chief audit executive’s (CAE’s) career, he or she is asked to assess and justify the organization’s level of internal audit resources. The number of variables and organization-specific considerations can make this a formidable task because there is no rule or standard to determine the appropriate amount of audit spending. Because judgment and subjectivity are required, CAEs run the risk of being seen as self-serving if the benchmarking exercise is used to advocate increased head count or spending, or to resist internal audit budget reductions in conjunction with broader cost-cutting initiatives.
Considerable judgment is left to the CAE to ensure the audit plan covers the appropriate level of risk. In actual practice, audit committees frequently ask CAEs whether internal audit is sufficiently staffed with respect to number of people and skill. The starting point then, to facilitate “right-sizing” the internal audit function, is to clearly establish and understand internal audit responsibilities, scope, and coverage, as well as stakeholder expectations. To aid this assessment, internal auditors can follow a six-step benchmarking approach aimed at answering the age-old question: How much is enough?
Establish the Purpose for Benchmarking
When internal audit is asked to rationalize budget and head count, stakeholders should consider the current state of the organization and its risk appetite. During times of economic stress, some organizations may be tempted to reduce centralized overhead functions and the corresponding semi-independent oversight of risk, internal control, and business processes. Downsizing also may eliminate administrative and control processes, increase workload, and curtail oversight functions while expanding autonomy and levels of authority. Unfortunately, intense revenue pressure and cost cutting can heighten the risk of inappropriate behavior and shortcuts in controls and business processes. Consequently, right-sizing internal audit should go beyond arbitrary across-the-board reductions. That is why benchmarking should encompass the resources required to meet stakeholder and regulatory expectations, within the agreed-upon risk appetite for the organization.
Other reasons for benchmarking the internal audit function may be to examine use of outsourced vs. in-house resources, centralized vs. decentralized audit resources, career vs. rotational audit staffing, and frequency of audit coverage, as well as to identify differences in the level of audit services provided compared to other organizations in the same industry.
Inventory Internal Audit’s Principal Activities
Next, the CAE should inventory the principal activities performed by internal audit that may be handled differently within other organizations. For example, does internal audit run the U.S. Sarbanes-Oxley Act of 2002 project management office or perform independent testing to support required management Section 404 assertions? Does the internal audit function provide direct support to external auditing, including substantive testing not required for the organization’s Sarbanes-Oxley assessment on internal control? Does the organization operate in a heavily regulated environment with prescriptive requirements for the internal audit function?
Internal audit is regarded as an organization’s third line of defense, responsible for providing independent assurance. The three lines of defense model establishes responsibility for internal controls and how organizations can best establish and coordinate duties related to risk and control. It also states that the individual lines of defense should not be combined in a way that reduces effectiveness. Coordination helps minimize gaps and eliminate duplication of assigned duties. Understanding the makeup of responsibilities within the three lines of defense is an important first step in benchmarking the internal audit function.
When inventorying an internal audit department’s activities, CAEs should include all discrete activities that require 10 percent or more of total available internal audit resources. Getting too granular makes effective benchmarking difficult.
Know and Define the Industry
For some organizations this is relatively straightforward. For others it may be more difficult, particularly if the organization is engaged in disparate lines of business. For example, a technology manufacturing company may also own broadcast media. Auditors should choose the most representative industry or consider benchmarking against two or more separate industries if this seems more appropriate. Next, they should identify key competitors and industry trends that may impact the benchmarking exercise.
One of the best means of understanding industry culture is through industry-specific benchmarking groups. Formal and informal groups focused on internal audit and Sarbanes-Oxley benchmarking exist in several industries, including aviation, engineering and construction, financial services, manufacturing, news media, and retail. Participation in networking groups and reading industry-specific publications provides insight into the organization’s industry and its culture. This is valuable to understand commonalities and differences to be considered in the benchmarking exercise. For example, are most competitors privately held when the organization is publicly traded? Does the organization operate internationally compared to competitors that operate primarily in the U.S. and Canada? Is the organization’s industry expanding or contracting or deploying administrative functions offshore? What is the cultural expectation for internal audit? Does the industry see internal audit as a policing activity or the function that runs the Sarbanes-Oxley program? Is internal audit viewed as a source of talent and a business partner or a necessary evil and corporate overhead?
Identify Benchmarking Alternatives
There are numerous approaches to benchmarking the internal audit department. Each of these has advantages and disadvantages, and some are easier than others to develop and execute.
Simple Approach: The most common and easiest approach is to use a basic metric such as total revenue per auditor or number of employees per auditor. Generally, the numerator in the ratio is publicly available (for public companies) and requires only determining the number of auditors in an organization to complete the benchmark ratio. It’s a quick and easy way to approximate audit coverage with others. Comparisons in this basic approach also are included in other benchmark approaches with richer data. Usefulness is relatively limited, however, as differences in audit coverage or business operations are not identified. At best, it can serve as a minimum guideline in establishing a base level of resources compared to other companies.
Internal Audit Benchmarking Report: The IIA’s benchmarking tool compares audit department size, experience, and other metrics against the averages of similar organizations in chosen peer groups. Benchmark metrics include employee compensation; organizational statistics; department staffing and costs; oversight, including audit committee information; operational measures, including audit life cycles; performance measures; and risk assessment and audit planning information.
Data is confidential and reported only in aggregate form. Identifying information is not publicly disclosed, although a list of participating companies within each industry is provided. Once internal audit and the CAE make their benchmark metrics selections, the Audit Intelligence Suite compares the audit activity against comparable departments and creates a tailored benchmark report. Principal limitations are the fee and whether sufficient representation exists with companies of the same size and characteristics within the same industry.
Private Benchmark Survey: Industry-focused and private benchmark surveys also provide relevance and credibility. An alternative is to use the peer group of organizations cited in most proxy statements for U.S. publicly listed companies. For example, the 2018 Fluor Corp. proxy listed 22 companies considered direct competitors and other peers in the engineering and construction industry. This is the perfect group to enlist for a private benchmark survey. To preserve anonymity and confidentiality, it may be useful to mask specific organization responses. An independent third party can facilitate collection and dissemination of results; specific categories can be banded to preserve confidentiality of individual responses.
Revenue can be grouped in broad categories and a similar approach can be used for internal audit budget amounts, number of employees, and other benchmark data. Audit committee members and executive management tend to view peer surveys as the most relevant as they compare companies with much of the same risks, industry constraints, culture, and regulatory requirements. The approach takes effort to execute and typically requires assistance from an independent third party to facilitate. Consequently, this benchmark exercise often takes longer than other approaches.
Third-party Surveys: Most of the Big Four accounting firms, professional service providers, and recruiters publish annual or periodic surveys covering internal auditing. It is worthwhile to research current publications and consider whether these can be used to benchmark the organization’s internal audit function. However, it is sometimes difficult to apply broad surveys to satisfy the data requirements for a specific benchmarking exercise. In addition, third-party surveys often are thematic in focus, and do not provide sufficient demographic detail or include the necessary data to facilitate benchmarking internal audit resources and head count.
Appraisal Approach: The appraisal (or market adjusted) approach starts with basic survey data from another benchmark survey. Adjustments are then made to account for differences in the organization’s inventory of audit services compared to others included in the basic survey. This concept is similar to the technique used by real estate appraisers where the individual property value is appraised based on the comparable value of nearby existing homes and adjusted upward or downward for such things as a pool, finished patio, and high street traffic.
When conducting an appraisal approach survey, CAEs should try to accumulate data on services that may not be comparable based on their knowledge of the industry, competitors, or the uniqueness of their organization. For example, if other organizations do not provide external audit direct assistance and the organization provides three full-time exempt (FTE) employees, the CAE should subtract three FTEs from the head count comparisons in the benchmark survey, along with appropriate footnotes. This approach recognizes unique differences in audit services and attempts to provide a balanced, apples-to-apples comparison. It requires judgment and data to execute and can be subject to criticism by stakeholders if additions or subtractions appear arbitrary or not well-supported.
External Audit Fee Comparison: There also is no standard to determine the appropriate amount to spend on external audit fees. These fees vary widely among organizations of equal size and are driven by the same organization control environment characteristics applicable to internal audit. This relationship holds true when external audit fees are market-driven (based on hours to complete the audit), which reflects complexities in the availability, quality, and reliability of data and the organization’s control environment. Consequently, internal audit fees compared to external audit fees can be extrapolated across peer organizations to develop a range of expected internal audit spending for the organization.
This approach provides the most useful metric that reflects the unique characteristics and differences in organization control environments. External audit fees, along with organization revenue information, are available from U.S. publicly listed companies. Completion of this benchmark analysis requires obtaining the cost or head count for the internal audit function. Audit committees tend to like this comparison because it provides a snapshot of both internal and external audit fees, particularly if focused on organizations in the same industry.
Summarize and Interpret Results
Once data has been collected, CAEs should summarize and apply results for the organization to the external benchmark survey. Stakeholders appreciate the insight of multiple perspectives that add credibility to the thoroughness of the exercise. Accordingly, CAEs should use as many approaches for obtaining benchmarking data as possible. This will provide a comprehensive snapshot of the organization’s internal audit function and resources compared to others.
Stakeholders can compare spending in the organization’s industry to other industries or organizations with similar revenue, and see differences in external audit fees and the categories of services provided by internal audit functions.
CAEs also can consolidate individual surveys to establish a range of acceptable internal audit resources and coverage that facilitates flexibility and judgment for making resource or staffing decisions. If the internal audit function is well above or below the range established by triangulating multiple surveys, compelling data now exists for recommending specific changes.
Report Benchmark Results to Stakeholders
The CAE should approach reporting the results of a benchmark analysis with the same objectivity and rigor applied to internal audit reports. It’s important to consider the assessment from the perspective of recipients, stakeholders, and decision-makers on the audit committee and in executive management. After the study is prepared, the preliminary results should be vetted with stakeholders to ensure key perspectives have not been overlooked. Invariably, audit committees also will ask the external auditor for input, so he or she should be included in the vetting process.
The benchmark report from the CAE should describe the objectives of the exercise and the survey approaches used, along with any assumptions and exclusions. Transparency is imperative for the report to be viewed as objective and credible. CAEs should summarize relevant industry trends, cultural differences, variations in audit services provided by their function compared to others, and other data points stakeholders should be aware of. They should conclude with recommended changes based on benchmark data in line with stakeholder expectations for internal audit.
Frequently, the survey supports the current level of resources and head count without the need for substantive changes. Such a conclusion also provides value to the audit committee by independently corroborating the appropriateness of resources. Finally, CAEs should summarize survey results and disseminate them to other participants if industry or private benchmark surveys were conducted.
Opportunity for Dialogue
All CAEs should right-size the internal audit function periodically to satisfy IIA Standard 2030: Resource Management. Benchmarking and comparison with other organizations also helps ensure the function provides reasonable value and coverage for the industry and company risk profile. It also affords an opportunity for insight and dialogue with the audit committee and management to sustain and grow investment in internal audit resources.