Another report based on The IIA's Global Internal Audit Common Body of Knowledge (CBOK) study (see here for my comments on the report on
Internal Audit and Fraud) has been published. This one focuses on how the value of the internal audit function should be measured.
Delivering the Promise: Measuring Internal Audit Value and Performance is probably the best the author, Jane Seago, could do given two huge limitations:
- Only internal auditors contributed to the survey and only 26 percent of those were at the CAE level.
- Her analysis and report is limited to the questions asked in the CBOK study.
The first constraint is critical.
The value of internal audit can only be measured in the eyes of our customer — and the audit committee is (for almost all of us) the primary customer.
Yet, the study is not asking our customer how they measure the value of internal audit; it is asking internal auditors — and most of the respondents are staff-level auditors.
The second constraint is also a huge limitation. When it comes to ways in which the value of internal audit can be measured, the survey only offered respondents nine options. While a couple come close ("client satisfaction," when "client" typically refers to management of the areas audited; and "fulfillment of stakeholder expectations," when I assume "stakeholder" refers to some combination of management and audit committee members), there is no option for "assessment of performance by the audit committee."
The audit committee's assessment of internal audit performance is not limited to specific goals and targets that can be measured by the CAE. Their assessment should include intangibles such as:
- The level of confidence they have in the CAE and his or her staff.
- The ability of the CAE to communicate with them.
- The CAE's understanding of the business and its strategies.
- The audit committee's view of the relationships that the CAE has with management and the external auditor.
I remember how the chairman of the audit committee at Tosco (my first CAE position) answered when I asked him to rate my team's performance. He told me that we "helped him sleep through the night." In other words, our assurance and advisory services not only gave him assurance that the management of risk, including the design and operation of related controls, was as desired, but that when improvements were necessary, we were able to work effectively with management to get them addressed promptly.
World-Class Internal Audit: Tales From My Journey, I share two other stories from my time at Tosco, the largest U.S. independent oil refining and marketing company at the time. There were two divisions, the Refining division (which managed the various refineries, pipelines, and wholesale distribution activities) and the Marketing division (which managed the company's several thousand Circle K convenience stores and gas stations).
The president of the Refining division told the governor of New Jersey that internal audit gave Tosco a "competitive advantage." I wasn't there at the time, but I found out later that he meant that our work gave him and his team the confidence in the management of risk and performance of internal control that he needed to run the company aggressively and with success.
The president of the Marketing division told a candidate for Attorney General of Arizona (and I was there for this) that internal audit helped Tosco "stay efficient."
There's a theme to these three stories: Internal audit was satisfying the customer, although each wanted and needed something different from us.
The audit committee is responsible for governance and oversight. We helped them be successful in that mission by providing them the assurance they needed.
Top management is responsible for running the business and delivering results. We helped them be successful in that mission. In one case, we provided them assurance that their systems, processes, organization, and people were at a level that would support the growth of the business and the entrepreneurial activities of its leaders. In the other, we helped this low-margin operation ensure that its controls and activities were efficient.
So, what did the respondents to the survey say they did to measure value?
- The majority (66%) said they measured "percentage of audit plan completed." This is hogwash! If the CAE is using a dynamic, enterprise risk-based approach to planning, then the audit plan is being updated throughout the year. What does "percentage completion" of a dynamic plan mean? Nothing at all! In fact, a high level of completion probably indicates that the CAE was blindly adhering to an annual plan even though risks were changing.
- 42% measure "timely closure of audit issues." This is more a measure of management than internal audit. I would prefer to look at acceptance by management of internal audit suggestions – or, rather, measure the level of failure by internal audit to convince management that change was both necessary and appropriate.
- Other metrics such as cycle time and budget compliance, which are not measurements of audit value but of efficiency, took other slots.
There's one more story to tell.
When I asked the chief financial officer at Tosco how I was doing, he said "Keep it up or you're fired!" I was still recovering from this when he told me what my bonus would be. My reaction to the figure was to put the phone down for a second, then thank him profusely. Once we disconnected, I did the dance of joy.
Isn't that the greatest indicator of value and success?
By the way, I love Exhibit 1 in the report. It points out that value is provided through a combination of assurance and insight, delivered with objectivity.
I welcome your comments.