While the profession adapts to the changing business environment, the same fundamental question continues to be asked: How can internal audit add value beyond providing assurance? Each internal audit function is unique and must operate as a business to ensure it stays relevant.
Internal audit is a professional services business within a business (or organization) and should be run like one. Each internal audit department serves its organization in different ways, based on the needs and wants of the board and executive management team. The chief audit executive (CAE) essentially is the CEO of the department and is responsible for creating its vision and bringing that vision to life. To better understand the dynamic role the CAE plays in the process of value creation through internal audit, consider the argument from the late management expert Peter Drucker, who said every successful CEO must be able to answer five key questions about his or her organization: 1) What’s your mission? 2) Who is your customer? 3) What does your customer value? 4) What results do you want? and 5) What’s your plan? To be effective in the role of internal audit CEO, CAEs also should be able to answer these questions.
1. What’s Your Mission?
The IIA defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
CAEs, working with limited resources and within unique cultural environments, must consider numerous trade-offs embedded in this broad definition, including: What is the balance between assurance and consulting? On which company objectives should internal audit focus? What should internal audit’s role be, specific to risk management and governance?
The answer to these questions should be inherent in the audit department’s mission statement. Different from a definition, a mission statement should state the purpose of the function and spell out its overall goal, which then will guide actions and decision-making at all levels to attain that goal. The mission is unique to each organization and, ideally, inspirational to its members.
An example of an internal audit mission statement might be: “We combine great people with leading audit practices to support management and the board in assuring key processes are under control.” This one sentence expresses:
Having “great people” requires hiring, developing, and retaining highly qualified professionals. It may include partnerships with the business to provide career paths outside of audit.
“Leading audit practices” means the function will follow The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) and stay attuned to emerging best practices and technologies, such as continuous auditing and predictive analytics.
“Supporting” management and the board establishes responsibility for internal control with management and the board. However, support is a strong verb that implies internal audit is there to promote the objectives of these principals. Both assurance and consulting services would fit this statement.
“Key processes” means internal audit focuses only on things that are important. Presumably, this would be driven by the concept of relative risk.
“Under control” is where the value of internal audit is derived. By definition, if a process is under control, it is meeting its operational, reporting, and compliance objectives.
Moreover, the mission statement is a guide to making the necessary decisions required to manage an internal audit department. For instance, how great people are defined is the result of many factors, including 1) the nature of the business; 2) a blend of auditing focused on operational, reporting, and compliance objectives; 3) a mix of assurance and consulting services; and 4) a desired combination of career auditors vs. professionals rotating through the department. As a department CEO, the CAE’s fundamental responsibility is to communicate a clear mission and be able to explain why the function exists and for whose benefit.
2. Who Is Your Customer?
A customer typically is defined as someone who purchases a product or service. Given that internal audit does not sell its services and there are few practical substitutes (e.g., outsourcing), it does not have customers within the usual definition. Internal audit can be more accurately described as having constituents, or consumers, of the services it provides. The three key internal audit constituents are the audit committee, executive management, and line management.
Internal audit’s respective relationships with these constituents are dissimilar. One of the significant CAE challenges is to keep the potential disparate interests of the constituents in balance. It’s dangerous to fall into the trap of defining any one constituent as more important than another — they all are important. For example, an internal audit function may elect to focus on more consultative work for line management that is of less value to an audit committee whose interest may be to gain additional assurance coverage. Obviously, it is not in the best interests of a CAE to have the audit committee dissatisfied with the value it is receiving from internal audit. Maintaining an appropriate balance is a primary CAE challenge.
3. What Does Your Customer Value?
Internal audit departments are judged on subjective terms by their three key constituents (customers). Audit committees primarily value audit’s independence from management and rely on the CAE to give them an independent reading on the control environment. However, they may not fully understand the audit work performed and how to interpret the results. They may even request work that is objectively of low value, but is of concern through conversations with peers or reading an article (e.g., regarding firm or personal reputational risk).
On the other hand, executive management likely is seeking three things from internal audit:
- Effectively planned and organized audit committee meetings from the CAE. Moreover, management expects no surprises during these meetings.
- Positive reports from middle managers about audit’s work.
- Comfort that internal audit is assuring there are no significant breakdowns in internal control.
Executive management respects internal audit’s independence primarily because it knows the importance placed on it by the audit committee. In a best-case scenario, executive management requests reviews of areas within the organization that have them concerned.
Lastly, line management feels the direct impact of internal audit’s work. Wedged between expecting help from internal audit with risk and control management, and not wanting negative audit results that reflect badly on their leadership, line management expects four specific outcomes:
- Audits that are effectively planned and executed.
- Regular audit status reports.
- The opportunity to discuss issues before they are communicated broadly.
- Specific suggestions about how to improve the effectiveness of operations.
While these broadly described expectations may apply across many industries and settings, it is the CAE’s role to understand and manage the constituency expectations specific to his or her organization (see “Managing Expectations” below). For functions to perform optimally and satisfy all constituents, there should be agreement on the value the enterprise expects from internal audit over time. Differences of opinion must be discussed in an open forum and reconciled timely. It is the CAE’s responsibility to ensure constituent agreement because highly successful internal audit departments depend on it.
Because line management typically is allocated a cost for internal audit, some generally believe auditors are there to serve them. Even if line managers are aware of the audit committee’s request for auditor independence, they often are unsympathetic. Several items should explicitly be discussed with all customers to ensure internal audit gets the full support it needs to be highly effective, including:
Is the CAE comfortable with the adequacy of internal audit resources?
- What would be the result of a budget cut (e.g., 10 percent)?
- What additional value could be derived from a budget increase (e.g., 10 percent)?
What standards does internal audit follow and how does it apply risk in deciding what and how to audit?
- What is the process for deciding which areas will be audited and achieving the balance among auditing operational, financial reporting, and compliance control objectives?
- Is the audit plan responsive to change?
- Why is it important for internal audit to follow the International Standards for the Professional Practice of Internal Auditing (Standards), and how does the function ensure the Standards are applied consistently?
What is internal audit’s philosophy regarding consulting?
- How many resources are devoted to consulting services?
- What type of consulting is acceptable?
- How does the department ensure its consulting activities are adding more value than its more traditional assurance role?
- What is the balance between independence and consulting?
What is internal audit’s role in the broader governance, risk, and compliance (GRC) activities, if any?
What is internal audit’s human resource philosophy?
- Are audit positions considered rotational? Is one of the values of internal audit to train future leaders? If so, how?
- What are internal audit’s hiring, training, and development practices?
- Does internal audit use cosourcing and, if so, how is this managed?
How does internal audit balance and maintain its overall objectivity and independence?
The CAE must have clear and complete answers to these and other questions to ensure the primary customers are in harmony regarding the philosophy and activities of internal audit.
4. What Results Do You Want?
Drucker also is credited with coining the now ubiquitous phrase: “What gets measured gets done.” This describes a primary challenge internal audit departments face because they have no competition and there may be silent confusion or disagreement about the value they bring to the organization. This lack of competition and open discussion about value can create a false sense of satisfaction with the delivery of services. The question the CAE should ask is: If given a choice, would internal audit’s constituents choose differently?
Businesses have the comparative benefit of receiving clear responses to the actions they take in the marketplace. New products sell or they don’t. Gross margins are healthy or below par. Market share is increasing or decreasing. Internal audit departments, on the other hand, lack natural feedback mechanisms that ensure they are creating value. By design, internal audit plays a unique role that keeps it separate from any operation. It essentially is a professional organization sitting within an enterprise that is its sole customer.
To hold itself accountable and create the appearance of a competitive environment, internal audit can create “self competition” by developing the right metrics. Some metrics that can be used for developing a results-oriented internal audit department that adds value include:
- The number of requests by executive management or the audit committee to perform specific audits or projects.
- A one-question survey to line management that includes the market value cost of the audit (e.g., 400 hours multiplied by the estimated market rate of US $125 per hour or US $50,000) following each audit asking management if it added commensurate value. By adding the price tag, internal audit should obtain more accurate feedback. One caveat is that unlike the audit committee and executive management, line management may not see value in being given assurance that processes are meeting control objectives. Unfortunately, there also can be a correlation between line management’s perception of audit value and the results of the audit (i.e., a negative audit opinion results in a negative survey result).
- Quarterly scorecard monitoring of internal audit’s core activities: number of audit reports issued; number of audit issues opened, closed, pending, and overdue; post-audit survey results; undesirable turnover reports; number of people promoted out of the department into the business; and metrics representing any other desired result.
Every metric would be compared to a planned result and prior periods. Metrics must carefully be monitored and challenged because of the subjective nature of internal audit (e.g., survey results). However, by comparing actual to planned amounts and tracking trends over time, valuable information can be gleaned to keep the department on track. Metrics should cautiously be used as the basis for the CAE and audit management team’s performance evaluations with executive management and the audit committee, creating the appropriate external pressure of a “marketplace” to ensure continuous improvement.
5. What’s Your Plan?
Closely correlated to achieving desired results is having a strategic plan detailing the path to achieve intended outcomes. Like any business, an internal audit strategic plan will have marketing, financial, operational, technology, and human resource components. It is important to remember that there is a difference between a strategic plan and an annual audit plan. The strategic plan requires critical thinking to look several years into the future and ask:
- What does internal audit need to look like in three years?
- What does it look like today?
- What do we need to do to fill in any gaps?
Businesses routinely use the strategic planning process to help ensure they stay relevant to the markets they serve. An annual strategic planning process inclusive of internal audit’s key constituents will ensure the function remains relevant to those it serves.
Ready for Business
Running internal audit like a business results in a function that is responsive to the needs of the organization and is seen by management and the audit committee as adding value. Having management and the audit committee explicitly in agreement on internal audit’s value definition enables the CAE to confidently move internal audit forward in improving and expanding its work. Continuously updating a three-year strategic plan assures the CAE that internal audit remains relevant to the success of the larger organization it serves.