How to assess internal audit effectiveness and value

How should this be done? Some would say that the IIA’s quality assurance standards, which require both ongoing and periodic quality reviews, are the answer.

I am not one of those people.

While I agree that procedures performed by the CAE and his team to assure quality are important, and that an independent quality assurance review should be performed every so often, I am not persuaded that they do enough to assess effectiveness – and especially whether internal audit is providing all the value it should.

Who receives the value from internal audit? The answer is that the board (perhaps via the audit committee) and top management are the primary customers. Other customers include operating management, the external auditors, and (often) the regulators.

The only way that effectiveness and value should be measured is through the eyes of the primary customer.

Do we simply ask them whether internal audit is effective and providing value? Do they even know what internal audit should be delivering?

Maybe they have heard that internal audit provides assurance and value-added advisory/consulting services. But what does that mean? How much should they expect?

Some years ago, I asked the chair of the audit committee how we were doing. His answer was that we “helped him sleep through the night”. I believe that’s a clue.

Later, I asked the two presidents of our major divisions the same question. The first said that “you have yet to perform an audit that I wouldn’t gladly pay for”; he also told a visiting state governor that “internal audit gives the company a competitive advantage”. The second president told a visiting state attorney general that “internal audit helps keep the company efficient”.[1]

These are also clues.

Others lie in work by Deloitte and Ernst & Young with respect to risk management. Deloitte asked board members and executives whether risk management “helps them set and execute on strategy”. That is a very perceptive question that strikes to the core value of risk management. Ernst & Young says that “effective risk management gives leaders the confidence to take risk”. I like that very much as well!

So what is the question that we should ask board members and executives about internal audit?

How about this?

Does internal audit provide you with the assurance you need to have confidence in the ability of the organization’s people, processes, and systems to lead the company to success? Where there are opportunities to improve, do they provide actionable information that enables you to make the appropriate changes?

Note that I didn’t mention either risk management or internal controls. Both are included as essential enablers of effective systems, processes, and so on.

I don’t want to ask them questions about risk and controls. I want to ask whether our work helps them be more successful.

What is the question you would ask?

Do you like mine?

What do you think the typical answer would be from board members and executives?

Is there a similar question that the board should be asked about the CEO and CFO?

[1] For more internal audit stories and how I came to my views about internal audit effectiveness, please consider World-Class Internal Auditing: Tales from my Journey

  1. Kaya Kwinana
    April 23, 2016 at 1:09 PM

    At last count, the sleep is costing VW $18 billion.

    Internal auditors are required by 1010 to discuss with senior management and the board the mandatory IPPF guidance, which includes the definition of internal auditing, which definition articulates the fundamental purpose, nature and scope of internal auditing.

    Whose fault is it then if senior management and the board do not know what to expect from internal auditing?

    2100 says that internal auditing should provide assurance and advice, as is appropriate, on governance, risk management and control processes. If these processes are adequate and effective, an organisational unit will be able to deal with whatever situation they encounter. If not, through the consulting required by 2100, we will equip them to do so.

    It is these processes, then, when adequate and effective, that provide reasonable assurance that organisational objectives will be achieved. Or maybe the achievement of organisational objectives is not what senior management and boards are primarily measured on?

    I am amazed that, having been presented the Core Principles as a measure of effectiveness of internal audit effectiveness last year, instead of those Core Principles the appropriate measures are now whichever one fancies of:

    1. An audit committee chair sleeps through the night
    2. A divisional president would willingly pay for an “audit”
    3. Internal auditing, which has no management responsibility, is the one that gives the company a competitive advantage.
    4. Internal auditing, which has no management responsibility, is the one that keeps the company efficient.

    I have no problem with better advice than is provided in the IA Standards, but worse advice is killing the profession.

  2. Thomas Grant Vickers
    April 24, 2016 at 3:23 AM

    The effectiveness of internal audit should be measured by an analysis of the number of attacks from external sources or from internal employees that have been thwarted, set against the number of successful attempts to penetrate company systems. This data may then be used, if the results of the analysis are positive, to help senior management to sleep at night. Too many internal audits go through the motions without asking pertinent questions.
    Are our people, processes and systems sufficient to stop data loss, attack and compromise by employees?
    What can we do to be more proactive, rather than reactive?
    Can we successfully spot vulnerabilities and react to them?
    The purpose of audit should be to address these issues to keep the company from serious compromise and ruin. Senior executives come and go and whether they can sleep at night is a secondary issue to whether there will be a company in existence for them to worry about.

  3. Bishwajit
    April 25, 2016 at 12:21 AM

    Actually, success, like beauty, lies in the mind of the person. There cannot be a standard benchmark to see if the Audit has been delivering or giving a return on investment. That is why everyone has a benchmark to evaluate the success of Audit, e.g. some think that sleeping through the night of CEO and Board is good, some might be measuring against competitive advantages that business has in last years (it may not be Audit that is responsible) or the amount of operational loss booked. On the other hand, some might be worried about the ever-growing budget of Audit and concerned about the opportunity cost of that amount. In fact, both views can be good for Audit if (1) it uses the good ones as a sounding board and moves on and (2) it uses the contrary views to find options for making Audit more effective and efficient, i.e. Audit does not let the information be lost.

    Number of surprises that the business receives from time to time for people, process and systems do not augur well for Audit in any business. The minimum the better. So Audit cannot remove the eyes from the windshield even if the AC Chairman is sleeping well for the time being.

    Quality assurance cuts through all these and helps the organisation to get a hold of what needs to be fixed in Audit. It is expected to be an in-depth understanding of what Audit is doing and why. Views of internal customers play a vital role on top of the Q A Report to get an understanding of whether Audit is moving in the right direction. The Q A Auditor can also evaluate the failures of Audit in the right perspective instead of getting carried away by the turn of events.

    The Audit Budget should be commensurate with the size of the business and absolute numbers are not really a worry as long as it is matching with the business growth, the nature of risks taken by business and any expected performance from Audit.

    To me it is a mix of both, i.e. to have the Q A done at regular intervals (as a formal process) and also to get the views from the corridor discussion (informal process) that provides comfort or discomfort as the case may be. Both processes carry value, provided Audit is interested to receive a feedback.

  4. Richard Fowler
    April 25, 2016 at 5:33 AM

    I would ask a similar question to each person I interview during an audit – what value do you add to the company? Each person may be needed but, like a cog in a gear, each may not be absolutely valuable. Does that mean they should be fired or reassigned? Of course not, because just like that cog the operation depends on everyone doing their part.

    The audits we perform should be based on the risks to the company’s goals and strategy. But in some cases, those risks are going to be well defined and effectively managed, with few issues or opportunities identified by the audit. The value is in providing assurance to management that the processes are effective as is — but is that enough value to justify the audit?

    Maybe not in every case, but the value proposition of Internal Audit is not in the individual audits. Rather, it is in the total value provided throughout the year and over several years in identifying problems, working with management to resolve those problems, and following up to verify the issues have been remediated. The value is in the constant review across the entire operation that known risks are being mitigated, new risks are being identified, and that controls are being effectively implemented. Our skills focus on risk assessment and independent analysis, and we are very good at providing a new set of eyes to see where improvements can be made. And there is value in that, value that not only helps the entire operation but can also help the cogs work a bit better.

    • Norman Marks
      April 25, 2016 at 7:14 AM

      Very well articulated.

    • Dave
      May 2, 2016 at 2:26 AM

      I think Fowler has summarized it rather well. No matter how good an IA Function or CAE is, it can’t compensate for dysfunctional management. I have just been briefed on how management of a large financial institution can sabotage itself. It all boils down to the CEO and COO’s poor leadership which led to a dysfunctional corporate culture of dodging accountability and politicking.
      On the other hand, I have served as a CAE of another financial institution which is led by a very capable and honest CEO who is assisted by an equally honest and hardworking AC. The point I am making is this: when a dishonest company meets a capable CAE and team, the former retains its reputation.

  5. April 27, 2016 at 8:17 AM

    Like any service or product, value is defined by the customer. For internal audit the customer is the board. I have seen too many times where auditors define value in the tools that are being used, such as risk assessments & audits, rather than knowing intimately what the board finds of value.

  6. John Fraser
    May 9, 2016 at 8:05 AM

    Some thoughts:
    There are many good internal audit functions reporting to weak and incompetent boards. There are no weak or incompetent internal audit functions reporting to good boards.
    The value of internal audit will only be fully recognized when directors receive training in their accountabilities and start to discharge them. Most are weak but don’t know it.
    How any board member of a medium to large firm can have assurance without a competent internal audit function is beyond me and playing Russian roulette with the company’s future and effectiveness.

  7. Tom Wong
    July 22, 2016 at 10:39 PM

    I think Internal Auditors will add more value to the organization if they do any of the following: help solve an important problem by solving it or pointing out its root cause, identify an enterprise risk and advise on how to mitigate it, identify an operational or financial process where Best Practices are not being used and discuss its ramifications.
    These and other audit objectives will support the goals and objectives of a private or public entity.

    Also, I believe that the latest COSO documentation does not help internal auditors perform audits that add value to our entity.
