In 2010, I became chief audit executive (CAE) of Central Bank of Armenia, an independent institution that oversees and regulates the country's financial sector. During that time, the internal audit department was in a state of flux — the former CAE had been promoted to a board-level role, and many capable internal auditors had left the team. I quickly began reshaping the function by hiring and training new staff members, aligning our methodology to The IIA's International Professional Practices Framework, automating processes, and devising our strategy.
The IIA Practice Guide, Measuring Internal Audit Effectiveness and Efficiency, released that same year, prompted me to also start thinking about performance assessment. At the time, Central Bank used a one-size-fits-all approach to measure performance based on the number of planned versus actual hours for tasks — a somewhat bureaucratic activity that added little value. Our department chose to abandon this system in favor of a customized performance assessment approach, triggering a change that soon led the entire organization to follow suit.
My idea was to link performance assessments to staff motivation so that we hire and develop people consistent with our vision of the function. We sought to encompass both short- and long-term objectives and to keep the process simple yet comprehensive. Perhaps more importantly, we aimed to establish what those objectives would mean for individual staff members. With these ideas in mind, we developed an assessment process — comprising five main elements — that looks to identify and leverage employees' strengths while also determining opportunities for improvement through training, coaching and mentoring, and, most importantly, self-development.
Defining Objectives, Performance Elements
We began by referencing the IIA Practice Guide and other literature on performance assessment to help establish objectives that would satisfy stakeholder needs and provide high-quality work. Our efforts resulted in four main performance objectives:
- Perform value-adding activity, which is linked to the quality of our recommendations and insights.
- Successfully execute the annual internal audit plan, where deadlines are met without sacrificing quality.
- Deliver high-quality reports and documentation, including regular audit reports, summary and other reports, and workpapers.
- Provide sound and effective communication, both written and oral.
Next, we began thinking about how employee performance would connect to the four objectives. We wanted to help give direction to staff members and motivate them to behave, perform, communicate, and grow in a way that would move toward achieving these objectives. Toward this end, we established five performance elements: collaboration, efficiency, professional development, visibility, and responsibility.
For each of these elements, we devised several measurement criteria. Because every engagement is unique, using simple quantitative criteria — such as number of risks identified, recommendations given, and open follow-up issues — would have been ineffective. We instead chose primarily qualitative criteria that rely on collective input across the audit function. In other words, everyone contributes to the performance assessment exercise by providing feedback on other members of the team via a questionnaire form and in-person discussion.
Collaboration Internal audit performs best when it operates cohesively as a team and leverages collective knowledge, rather than working in silos. As part of our teamwork philosophy, and unlike the rest of the organization, everyone in the internal audit function works together under one roof as a means of facilitating team collaboration.
Per our criteria, an effective collaborator is:
- An Active Listener — participates in discussions and presents opinions.
- A Fair-minded Debater —remains open to debate and separates issues from people.
- A Desired Team Member — someone with whom colleagues would like to work on audit or other projects.
- A Supporter — supports colleagues on both audit-specific assignments and on projects outside his or her primary work responsibilities.
Assessments of collaboration skills are performed as a 360-degree exercise — everyone assesses everyone else anonymously, and generalized results are then discussed with the team. We encourage feedback and stress that the assessment is meant to serve as a professional development tool rather than a means of punishment. The process also provides an incentive to maintain healthy working relationships across the team, as any self-focused outlier can be identified easily through the assessment. Moreover, all auditors are asked to include the CAE in their assessments, ensuring that everyone, including team leadership, participates in the process.
Maintaining an open and honest environment is key to effective collaboration. The process starts with hiring the right people and continues as we integrate them into the team. Our assessment process then reinforces the importance of collaboration and fosters employee buy-in. And as an added measure, we anonymously select a Knowledge Champion of the Year to promote learning and sharing among the team.
Efficiency Auditor efficiency is about delivering quality work to our stakeholders cost-effectively and on time. We measure efficiency by determining whether our team's practitioners:
- Provide valuable recommendations both within and outside audit engagements.
- Meet audit and other project deadlines.
- Deliver high-quality reports and workpapers.
- Maintain sound relationships and communication with clients.
These criteria replicate the department's internal audit performance objectives described earlier. Members of the managerial team — composed of the CAE; deputy CAE; and financial, operational, and IT audit unit managers — discuss staff performance across all four of these areas and provide assessments based on their experience with each individual. They also review self-assessments completed by every team member. Moreover, all staff members provide a peer assessment for those colleagues with whom they worked in the period under review.
Professional Development We expect all team members to pursue professional development, even after receiving certifications. With The IIA Global Internal Audit Competency Framework in mind, professional development is defined across four criteria:
- Interpersonal skills, including verbal and nonverbal communication, listening and negotiation, and teamwork.
- Technical knowledge and tools, such as data collection and analysis, working with spreadsheets, problem solving, and slide preparation.
- Knowledge of the International Standards for the Professional Practice of Internal Auditing, as well as internal audit theory, methodology, and application.
- Specialized areas of expertise, such as International Financial Reporting Standards; governance, risk, and control; risk management frameworks; IT auditing; COBIT; and fraud.
We look for each internal auditor to obtain at least one international certification — such as the Certified Internal Auditor (CIA), Chartered Certified Accountant (ACCA), Certified Information Security Auditor (CISA), Certification in Risk Management Assurance (CRMA), and Certified in Risk and Information Systems Control (CRISC) — relevant to his or her specialty unit and duties. Auditors may pursue other certifications or qualifications from The IIA, ISACA, or the Association of Certified Fraud Examiners. We also consider practitioners' backgrounds — such as whether our financial auditors
have Big 4 experience and to what extent our IT auditors possess technology experience.
Development becomes more subtle after someone achieves certification. Evaluation measures include training events attended, presentations delivered, and knowledge and skills developed.
Visibility We regard visibility as a key practitioner attribute. Each member of the team should ideally be recognized not only for his or her personal character and ethical behavior, but also for subject matter expertise.
Our assessment criteria for visibility comprise two main areas. First, the internal auditor should be expanding his or her visibility across the organization through participation in bankwide discussions and working groups and by establishing and maintaining professional relationships with colleagues.
Second, we look for practitioners to expand beyond the boundaries of the organization and become a well-known expert in the industry. This effort may involve volunteering with IIA–Armenia, teaching at local universities or training centers, presenting at conferences, writing articles for professional publications, and serving on audit committees and boards. Further visibility can be obtained by traveling outside the country to speak at conferences, facilitate roundtable discussions, deliver training sessions, and participate in external quality assessment teams. We assess visibility during the period under review against each individual's potential using feedback from colleagues and examining identifiable achievements such as presentations, training engagements, and published articles.
Responsibility We measure internal auditors' responsibility by how well they perform their duties. Responsibility is gauged according to performance on top-down assignments — carrying out tasks assigned by audit management — and by work performed from the bottom up, where auditors take additional responsibility through personal initiatives. The latter type of work is important to becoming a true professional and a valued member of the team. Examples include creating a newsletter, developing new training courses, building relationships, and writing articles. However, gaining the ability to perform bottom-up initiatives can take time, especially with new hires, as it often requires extensive knowledge, expertise, and visibility. Some start sooner with small initiatives at the department level, such as developing new designs for presentations, whereas others need more time to begin making bottom-up contributions.
We conduct performance assessments twice a year. And while each follows a rigorous process, the year-end review involves more thorough assessment. Moreover, the collaboration assessments are limited to once annually, to avoid overburdening the team and to allow auditors sufficient time to change behavior if needed.
The managerial team shares feedback directly with each team member via three spider charts. The first two charts depict 360-degree collaboration assessment results, showing the individual's ratings against the average for the four criteria within this measurement (active listener, fair-minded debater, desired team member, supporter) and the average rating for the individual by every assessor against the assessors' average rating for everyone (see "Collaboration Assessment by Quality" and "Collaboration Assessment by Assessor" below).
A third chart shows the individuals' ratings for all five elements of the assessment (see "Performance Assessment Summary Chart" below). The chart's blue line represents the managerial average rating, the red line depicts the average for the overall team, and the green line shows the self-assessment.
Our managerial team discusses every element of the assessment with each member of the team. Managers also are assessed. The individual under review is free to join or forgo the discussion. During our most recent assessment exercise, everyone chose to be present at his or her own assessment to hear positive feedback as well as opportunities for improvement.
Following the year-end assessment, we devise a development plan for each team member for the coming year. The plan includes visibility and initiative strategies, certification goals, and knowledge and skill development through audit engagements where teams are mixed via integrated auditing.
Since implementing our assessment process, we've received two "generally conform" ratings from external quality assessments performed by Dutch Central Bank colleagues — one in 2012 and another in 2017 — as well as mission-positive conclusions from an International Monetary Fund safeguards assessment. Collectively, our team has a portfolio of numerous certifications, including five CIAs, three CRMAs, four ACCAs, one CISA, and three CRISCs. Several staff members are teaching at local universities and many volunteer for IIA–Armenia by helping organize conferences and other events, developing and maintaining website content and quarterly bulletins, and promoting membership. Outside the country, some of our staff members have spoken at conferences and other events, delivered training, and participated in external quality assessments.
These results stem from the direction provided by our assessments. We see new team members developing new skills and experienced auditors continuing development beyond certification. Our audit reports receive praise — including best-practice kudos from our external assessors — and relationships with audit clients are balanced. Lastly, our internal auditors are respected as professionals, due in part to their international qualifications and visibility both inside and outside the organization. The assessment process has strengthened our team, expanded its capabilities, and made us an even greater asset to organizational stakeholders.