In my presentations and training sessions, I point out why many of the metrics used by the board, management, and CAEs to assess internal audit effectiveness are problematic – at best. At worst, they may lead internal audit departments to focus on the wrong things.
For example, some use "percentage completion of the audit plan." But that only really applies if the audit plan is not dynamic and responsive to changing business conditions and risks. If the audit plan is dynamic, then almost by definition you will complete the audit plan. But, if the audit plan is static and unchanging, so that you audit what used to be the risks that matter, then a high level of completion reflects poor, not quality, performance.
Another metric used is "value created," which they measure by placing a value on the recommendations they have made to upgrade systems and processes as well as any monies recovered from audits of vendors and contractors. The trouble is that this leads CAEs to focus on finding things rather than providing assurance. It fails to recognize the immense value of reassuring the board and management that, in fact, risks are managed as they desire.
I talked to one CAE who trumpeted the millions of dollars his team found; when I asked him about auditing risk management, he hadn't even considered it because he was finding so much "value." In addition, there is an evil temptation to allow the process defects that lead to defects to continue so internal audit can continue to find them.
Talking of findings, some measure the number of audit findings. But is a high number, an increasing number, good or bad? If we audit a business unit for several years, should we not expect to see the number of issues diminish? If not, does this reflect a failure by internal audit to influence effective internal control and management of risk?
Following one of my training sessions, an attendee wrote and asked me what metrics I would use. This is what I told him. These are all satisfaction levels, measured by answers to survey or interview questions.
- Board (or audit committee of the board) satisfaction that we are assessing the risks that matter to the achievement of the organization's objectives.
- Executive and senior management satisfaction that we are assessing the risks that matter to the achievement of the organization's objectives.
- Board satisfaction that we are providing them with assurance on those risks that helps them discharge their governance and oversight responsibilities.
- Executive and senior management satisfaction that we are providing them with assurance on those risks that helps them manage the organization to success.
- An assessment by executive and senior management of whether internal audit is an effective change agent that enables improvement to the organization's processes for governance, management of risk, and internal controls.
How does your internal audit department rate using these measures?
I welcome your comments.