There are some interesting discussions on LinkedIn (including this one and
this one) and elsewhere about the value of internal audit and even calculating a return on investment in internal audit.
As you might expect from me, I don't like the traditional measures or KPIs that many use. I just don't see them as indicators of effectiveness.
I believe that in order to establish how we measure the effectiveness of internal audit, you have to start with agreement among the head of the function (CAE) and his stakeholders (primarily the audit committee) on the role and the objectives of the activity.
As explained in the IIA's definition of internal auditing, the role — and therefore the objective — of the activity should be as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
Internal auditing is effective if it provides the audit committee and executive management with the assurance they need, namely that they can rely on the organization's processes and systems to manage risks to the achievement of the organization's objectives. That means providing assurance on the risks that matter to the organization today, in a form and timeframe that is useful.
Additional value is provided through the role of internal audit as a change agent, making recommendations for improvement that are embraced and acted on by management.
How do you put a value on assurance? You don't worry about the quality of the water you drink (at least where I live) because you know that the company providing the water has to comply with strict regulations, and the water is tested frequently to ensure it is safe and to standards.
How much would you then pay, as a board member or top executive, for assurance that the processes and systems that you rely on to run the business are working properly? Assurance that is so reliable that you don't even think about it?
It's hard to put a value on "peace of mind," but in my mind (pun intended) that is the greatest value an effective internal audit function can provide.
I believe that the only way to determine whether internal audit is effective is to ask the stakeholders whether they are comfortable that they are receiving the assurance they need, when they need it, and in a useful form on the risks that matter to them and to the organization. Only then do you start looking at additional value that is provided.
For a moment, let's examine some traditional measures and discuss their value and relevance. The table below is for a hypothetical organization. At first glance, this looks like an effective internal audit department.
| Measure | Result |
|---|---|
| Percentage of audit plan completed | 98% |
| Number of audit findings | Up 10% |
| Recommendations accepted and implemented | 90% |
| Auditee survey results (average from 0 to 5) | 4.3 |
| Cost savings (duplicate payments, vendor overcharges) | $3,000,000 |
| Internal audit budget | 2% below budget |
| IIA Quality Assurance Review | Generally complies |
This department completed 98% of the engagements in its audit plan. But, if that was (as most are) an annual audit plan then this may be an indication that they continued to remain glued to their plan even when risks changed. They failed to audit what matters now; instead they blindly continued to audit what used to matter. When you have a flexible audit planning process that adjusts to changes in the organization's risk profile, percentage completion is meaningless.
An increase in audit "findings" does not indicate productivity. If the audit department has been around for a while, this is an indication that they haven't been getting their message across, addressing the root causes of issues and effecting lasting change. An effective internal audit department will, over time, contribute to the improved maturity of governance, risk management, and internal control systems — such that, in time, exceptions and so-called "findings" will diminish.
When 90% of recommendations are accepted and implemented, 10% are not. A 10% defect rate is abysmal. Was internal audit getting the recommendations wrong? Were they not accepted because they didn't make good business sense? Or was internal audit not able to persuade management to effect the change? When you have a defect rate of 10%, the quality of the audits and reports is called into question. Frankly, the acceptance rate should be above 99%.
Cost savings of $3,000,000 are excellent, but only if they are not delivered by diverting resources from essential assurance activities to efforts to demonstrate that internal audit "adds value." Too many organizations have focused on the latter but failed to address critical risk areas such as ineffective risk management, poor information to support decision-making, and governance issues.
Staying within budget is, at least on the surface, very good. But internal audit should be prepared to go to the audit committee for additional funds if new or changed risks emerge. Budget limitations are not a valid excuse for failing to engage and address unanticipated high-risk areas.
Passing the IIA's quality assurance review (QAR) is all well and good, but it is not a guarantee that the department has delivered the necessary assurance and consulting services. Many departments have passed the QAR but failed to audit risk management, or to report the lack of risk management to the audit committee.
Where does this all leave us?
Going back to the objectives of providing assurance that matters on what matters, the CAE should propose measures and metrics that support an assessment by the audit committee and top management that internal audit has been effective.
I would ask these questions of my stakeholders at least annually:
- Do you believe internal audit has provided you with the assurance you need, in a useful way, when you need it, on what matters?
- Do you have the assurance you need that management has effective and efficient processes and systems to manage the more significant risks to the success of the organization and the achievement of its goals and strategies?
- Has internal audit been sufficiently responsive to changes in risk, ensuring it remains relevant and on point?
- Has internal audit been an effective agent for change, improving business efficiency and effectiveness?
- Are you satisfied that the cost of internal audit is less than the value of the assurance and consulting services it provides?
- Are there activities that internal audit should stop performing? Have there been activities you would have preferred not to pay for?
- How can internal audit improve its services to the audit committee, management, and the organization as a whole?
I welcome your comments, stories, and opinions.