In an era of cost cutting and economic uncertainty, internal audit needs to be a valuable contributor to its organization. It's not enough for auditors to just say they are adding value. Today's auditors need to define key performance indicators (KPI) that measure the value they are adding.
To determine how internal audit departments add and measure their value, the authors interviewed internal audit executives at six organizations: Paul Sobel, chief audit executive (CAE) of Georgia-Pacific; Doug Hathhorn, chief internal auditor of the Illinois Department of Revenue; Betty McPhilimy, associate vice president, Office for Audit & Advisory Services at Northwestern University; Andy Moore, audit director of State Farm Insurance; Barbara Zack, vice president, internal audit of Veeco Instruments; and the director of internal audit of a large U.S. manufacturer (referred to as USM), who requested to remain anonymous.
These interviews reveal that internal audit metrics can be divided roughly into two categories: 1) those that pertain to the operations of the internal audit department and 2) those that pertain to the reactions of the organization to the internal audit department.
Internal Audit Operations
There are numerous KPIs internal auditors can use to measure the effectiveness of their department's activities. Some of these metrics are quantitative and easily measured, while others are subjective and more difficult to capture. Many KPIs can be communicated to the audit committee, the chief financial officer (CFO), and the CEO to document the value internal audit adds to the organization.
The Audit Plan
All of those interviewed commented on the audit plan as a performance metric. Internal auditors can measure the number of audits completed versus the audit plan. According to State Farm's Moore, "We ask ourselves if we have the right number of audits completed and in progress, relative to where we are during the year." Similarly, USM reports this same metric at each of its six meetings with the audit committee during the year. USM's audit executive asks himself, "Are we on target to be x percent done with the audit plan by each audit committee meeting?"
In addition to the number of audits completed, the total pool of internal audit hours can be analyzed. How many hours are spent on audits versus other tasks? It is important to have a goal for how hours are used. For example, USM budgets 75 percent to 85 percent of its hours for audits. Likewise, State Farm tracks how many hours are spent on audits, consulting, and special assignments, with goals for each category.
Although number-of-audits-completed and hours-used can be measured easily, the participants cautioned against blindly using these metrics. For example, if an audit plan calls for 12 audits of low-risk areas and the auditors complete all of these audits, then the percent-complete statistic is not helpful. Thus, USM tracks the number of audit hours spent on high-risk corporate projects.
Georgia-Pacific's Sobel points out, "You can measure the number of audits completed, but are you auditing the right things? And are you auditing those things correctly?" He explains, "The percentage-of-audit-plan-completed statistic could drive the wrong behavior." For example, internal auditors should not prematurely close out an audit and fail to ask important questions just to stay on schedule.
McPhilimy says her department at Northwestern University usually does not totally complete its audit plan. "If, during a scheduled audit, we find a significant issue that merits our attention, we pay attention to it," she says. Likewise, Zack of Veeco Instruments says, "I view the audit plan as flexible and change focus as need be, based on the need to focus on higher-risk issues that are identified during an audit, without overly worrying about whether I am over or under budget on a specific audit." While number-of-audits-completed and audit-hours-used can be easily measured, they should not drive internal audit behavior.
High-risk Auditable Entities
The ability to audit high-risk areas can be a powerful metric. USM's goal is to audit 100 percent of new facilities acquired each year, and it reports this metric to the audit committee. Similarly, at Hathhorn's former employer, a U.S. manufacturer, every high-risk auditable entity had to be assessed at least every three years. When the board saw that internal audit did not have enough personnel to get this done, it allowed the department to hire more auditors.
Internal audit departments can track the certifications of their auditors and report this KPI to upper management and the board. State Farm, in addition to Certified Internal Auditor (CIA) and Certified Public Accountant (CPA) designations, tracks the insurance-related designations (e.g., Chartered Property Casualty Underwriter) of its internal auditors. USM gives its team members one year to become CIAs once they rotate into the internal audit group, but also tracks other designations such as the CPA, Certified Management Accountant, and Certified Information Systems Auditor.
Networking and Benchmarking
By networking with colleagues at similar organizations, internal auditors can learn best practices and compare their organization against peer organizations. For example, McPhilimy says, "The higher education industry is highly collegial in terms of benchmarking staffing levels and job descriptions." She also uses The IIA's GAIN survey to see how her internal audit department compares to departments at similar institutions. Benchmark metrics can be used to justify requests for enhanced resources.
Fieldwork to Audit Report
A common metric used to assess an internal audit department's efficiency is the number of days from completion of the fieldwork to the issuance of the audit report. Timely audit reports communicate audit findings to the client before the report becomes stale. Obviously, it is important to get the audit report to the audit client timely, but this metric should be used cautiously. "Auditors need to be diligent, but this metric can drive the wrong behavior if the auditor pushes out a poor report to meet a deadline," Sobel says. A sloppy audit report can fail to communicate key audit findings and hurt the professionalism of the internal audit department. Hathhorn notes, "You don't want your audit staff to start closing out audits, no matter what, because they are being evaluated on how quickly they finish the fieldwork and issue the report."
Organizational Reactions to Internal Audit
Internal auditors should be good at what they do and well respected within the organization. They should be viewed as essential, helpful, and valued colleagues. Auditors can use some KPIs to determine how others in the organization view them.
Management's Attention to the Internal Audit Report
How does management respond to the internal audit report? The interview participants' audit committees were very interested in this metric. Both State Farm and USM measure how many audit action plans were outstanding 30, 60, and 90 days after the action plan completion date. USM's auditors get the unit president involved after 30 days, involve the group president after 60 days, and then report the matter to the audit committee after 90 days. At State Farm, if an audit client decides to accept a risk, internal audit provides a report to the audit committee on how much risk is being accepted.
The participants indicated that their audit committees were most interested in significant audit findings and, in particular, repeat findings. The audit committees also wanted to know what was being done to resolve audit recommendations. To facilitate communicating this information to the audit committee, participants recommended a succinct reporting format. State Farm uses a red-yellow-green stoplight format. For yellow or red findings, internal audit creates a key metric response form that goes to the audit committee. The form details the cause of the problem, the implications, and the plan to get the issue back to green.
Another area to consider is trend reporting. USM's audit committee, in addition to seeing the current year's internal audit metrics, recently asked to see trend reporting. By looking at several years of audit metrics, the audit committee can see the types of audit issues occurring each year, as well as the root causes of those issues.
One way to gauge how internal audit is doing and how it is perceived by its clients is to conduct client-satisfaction surveys. USM's internal audit department surveys the CFO and vice presidents of all business units once a year. The 10-question survey helps the internal audit department learn how valuable it is in helping the business units manage their risks. The survey questions address internal audit's professionalism, its business knowledge, the meaningfulness of the audit findings, and the client's satisfaction with the department.
Zack also surveys Veeco Instruments' vice presidents and management about the performance of each internal audit. Her client satisfaction survey focuses on three areas: the audit quality, the audit report, and the audit team. The survey helps Zack determine whether the audits were focused on high-risk areas and added value; whether the audit report was clear, organized, and received timely; and whether the auditors understood the business, were respectful, and communicated effectively. In its surveys, State Farm's internal audit department asks audit clients to rate it on various matters using a five-point scale. In turn, internal audit has a numerical rating goal that it's hoping to attain.
Sobel urges caution in relying on surveys. "When using a survey scale, one person's '4' may be another person's '5,'" he says. "And a poorly designed survey will not get you helpful information." As an alternative, he recommends sitting down and talking with the CFOs or vice presidents after the audit, which may be more helpful than quantitative survey data.
A Good Place to Go
At USM, certain employees are designated as high-potential individuals who may be able to move up to an executive position. Of these people, what percentage list internal audit as one of the next three places they want to go? This metric helps the department gauge how it is perceived within the organization.
Similarly, internal audit employee turnover is another indicator of how the department is viewed. If someone leaves internal audit, does he or she stay within the organization or go to a new employer? For those who stay within the organization, do they make a lateral move or are they promoted? For example, although promotions make up about one-third of employee moves at USM, three-fourths of those moving out of internal audit are promoted.
How many special requests does internal audit get? "Special requests can be a good metric if they deal with really high-risk situations," Sobel explains. "The downside to special requests is that not every request will involve high risk." Therefore, internal audit should not accept every special request. McPhilimy sums it up when she asks, "Is it worth our time to track down a problem with a US $1,000 airplane ticket vs. spending our time working on an audit of a US $1 billion medical school?"
A Seat at the Table
Perhaps the best metric of how internal audit adds value is how often executive management includes the department in its decisions. If internal audit is called into the executive boardroom to discuss important company initiatives, it is a good sign that it is highly regarded within the organization.
Use Metrics With Good Judgment
Measuring the performance of the internal audit function is important, so the department needs to develop performance metrics carefully and use them with good judgment — auditors do not want their metrics to drive the wrong behaviors. Such performance measures can demonstrate internal audit's value to management, the board, and the organization, as directed by The IIA's International Professional Practices Framework.