How do you measure the value of internal audit?

This is the title of a recent article in the IIA’s Internal Auditor (Ia) magazine. (Membership is required to unlock the article.)

The authors are two lauded members of the profession that I have known for many years: Patricia Miller and Larry Rittenberg. Patti was a partner with Deloitte in my part of California and is a former chair of the IIA. Larry, a professor of accounting at the University of Wisconsin, has also been very active with the IIA; he is a former chair of COSO and chairs the audit committee of Woodward, Inc.

Any article by these individuals merits our attention, and they have a number of things to say with which I totally agree:

Internal audit is not the only profession that struggles with the value question. For example, in the medical field, value — or quality of care rendered — is certainly a goal. But quality of care is hard to objectively measure, so doctors often are evaluated by process measures, such as the number of patients treated in a day. Unfortunately, this may reduce the ability to achieve the value goal, as doctors motivated to see more patients may spend less time with each one, resulting in less ability to understand and deliver the quality of care required.

Similarly, CAEs who focus on process metrics such as completion of the approved audit plan may undermine their value delivery goal by focusing on finishing audits, rather than considering extending an audit to deliver better assurance or more focused recommendations. Or consider the risk of perfectly executing the wrong plan that delivers zero value, but results in a high metric. Clearly, completion of the audit plan does not measure value delivered.

They then ask, “what metric does or could [measure value delivered]?”

Patti and Larry are on the right track when they say (with my emphasis added):

  • Internal auditors must first understand what their stakeholders want and how they view value, and then measure against those wants and expectations. But the reality is that some stakeholders may not understand the breadth of capabilities a modern internal audit function has, or may even want a less aggressive function that doesn’t challenge the status quo. In such a situation, stakeholder expectations may be significantly lower than the role described in the Mission and Definition of internal auditing. The opposite is also possible, with stakeholder expectations far exceeding a reasonable performance level. And to make it even more challenging, expectations might vary for the board versus senior management. Audit research has shown that boards focus more on assurance while management primarily seeks new insights from internal audit.
  • Value is often in the eye of the beholder and not easily quantified.
  • Many CAEs presume they can measure value by asking clients if they have received value from audit work performed. The challenge is that client responses may be skewed by their emotional reaction to a recent audit. Or they may not have a reasonable or best-in-class expectation so their feedback may be based on flawed criteria. Finally, surveys may be asking the wrong questions by inquiring about audit processes rather than value received.
  • Organizations are changing at warp speed. To keep up, internal audit needs to be agile, responsive, and focused on value delivery — and the right metrics can reinforce the desired value-based behaviors. 

However, having said all of this, they don’t (IMHO) provide the answers that will work well in practice.

They start the article with:

Today, value can only be delivered when internal audit innovates in who it hires, what it assesses, and how it executes and communicates; understands and aligns with organizational strategies; and has a laser focus on critical and emerging risk areas.

Innovation is not required to deliver value – unless you are talking about upgrading an ineffective and inefficient activity.

However, they are correct when they imply that internal audit needs to:

The key is in the second bullet item above (removing the qualifier, ‘often’):

While there are ways to measure your capability to deliver value (such as some of the metrics discussed in the article – and I prefer the maturity model in my book), our customers are the ‘beholders’ we have to satisfy.

They assume (and we know what that word means) that it is vital to measure the value of internal audit. They talk about quantifying it.

But why is that necessary?

I prefer a business-oriented perspective: does the value provided by internal audit exceed its cost and is it the greatest value that can and should be delivered?

Ehab Saif has an interesting background: CAE, board member, and former external auditor (with Grant Thornton, EY, and Deloitte). He recently shared an interesting article on Internal Audit 360 (whose editor is Joe McCafferty). Ehab’s article is To Move Ahead, Internal Audit Should Get Back to Basics.

I like what he says (emphasis added):

  • With the increased focus on adding value and using more technology in internal audits, the lines have been blurred somewhat on the role internal audit should play in the organization.
  • …we can all agree that the primary responsibility of internal audit is to provide assurance on the effectiveness of the internal control system to the board of directors, audit committee, and executive management. It must also evaluate and suggest improvements to the risk management and governance systems in the organization. Furthermore, internal audit should provide advisory services that are targeted to enhance value creating activities.
  • There is a big gap between what internal auditors believe they are achieving and what they are actually achieving or how the governing body perceives that work.
  • According to the results of a Deloitte survey of audit committee chairs and members conducted last year, more than one-third of respondents said internal audit is not as impactful as it could be. 
  • providing comprehensive assurance requires telling a complete story to the stakeholders and not only one side. It is not acceptable or reasonable to communicate the exceptions or the negative side and ignore the internal control environment’s healthy or positive aspects. The same should happen in internal audit reports, where internal auditors need to tell a full story that describes the internal control environment, highlights the positive side in the implemented controls, and highlights the gaps or improvement areas in the internal control system. Internal auditors tend to highlight the negative side only and usually avoid any comments on the internal controls system using unacceptable justifications, such as we are not qualified to evaluate the positive side. In my opinion, the person who is tasked to highlight the negative side should be qualified by default to highlight the positive side as well.
  • Internal auditors should listen more often to their clients and understand their concerns. There is no harm in giving credit to the best performers and the process owners who consistently implement strong internal control measures and comply with them. Furthermore, internal audit reports should always focus on the key organizational objectives and provide explicit positive assurance on the internal control system’s effectiveness under review. 
  • …we can start talking about the role of the internal audit function in providing a “macro opinion” on the overall adequacy of governance, risk management, and control within the organization on an annual basis which is being increasingly required by the board, management, and other stakeholders.

I prefer what Ehab is saying to Patti and Larry’s comments.

Returning to my earlier point: does the value provided by internal audit exceed its cost and is it the greatest value that can and should be delivered?

How do we find out?

Value is in the eyes of the beholder, so what do they behold?

Ask questions like these:

  • Does internal audit provide you with the assurance, advice, and insight that you need?
  • Do you trust internal audit’s assessments?
  • Is internal audit focusing on what matters to you and to the success of the organization?
  • Has internal audit done work you didn’t think was valuable? What was that?
  • Has internal audit done work you wouldn’t pay for?
  • When internal audit makes suggestions, are they constructive, practical, and of value? Do they help you and the organization succeed?
  • Is it easy to understand internal audit’s communications? Do they work constructively with you, listening effectively, to achieve your shared goals for the organization?
  • Does internal audit have the people they need to deliver the greatest value to you and the organization that is possible?
  • Do you trust the leader and staff of internal audit?
  • Would you consider hiring them?
  • Would you prefer to cut, increase, or maintain internal audit’s budget at current levels?
  • How can internal audit help you and the organization more?

Is it necessary to quantify the value delivered by internal audit? I don’t think so. I think these questions are far more revealing (and trusted) than any number.

I welcome your thoughts.

  1. April 3, 2021 at 1:17 PM

    What is the internal control system in a company you talk about? Where is it written down? How can IA provide assurance on something that does not exist? Are you making this all up?

  2. April 4, 2021 at 1:52 AM

    Norman, I’m concerned that I don’t see the word ‘Objective’ above (although it’s possibly covered by alternative phrases). Any function within an organisation should be ‘adding value’ by working to ensure that the organisation is achieving its objectives as efficiently and effectively as possible. IA is no different.

    I believe IA’s specific role is to provide an opinion as to whether opportunities and risks are being managed to achieve the organisation’s objectives.

    How is the effectiveness of this role to be measured? I agree you can’t (and shouldn’t) try to quantify it. The best measure is probably Audit Committee satisfaction. After all, any IA shortcomings will ultimately fall on their heads.
    So I would agree in using the questions posed at the end of your blog.

    • April 4, 2021 at 1:58 AM

      Sorry, just had a re-read and seen it mentioned with regard to reports!

      • Umesh Gupta
        April 4, 2021 at 11:51 PM

        Norman, what you have mentioned about internal audit is something like evaluating the “Standard” with respect to “Achievement”.
        What are the country rules on internal audit, and how could you quantify these results in numbers?
        What is the need for carrying out this internal audit, as per the law applicable to a specific industry in a country?

        • Norman Marks
          April 5, 2021 at 6:56 AM

          I am not aware of any country requiring that internal audit justify its existence by quantifying its value.

          However, it is important that internal audit ensure it is providing all the value to its customers that it can.

  3. Dr. Gürol Baloğlu, CPA, CIA, CRMA, CCSA
    April 4, 2021 at 4:41 AM

    Personally I prefer to use “understanding and managing shareholders’ expectations” rather than using just “understanding”.

  4. Michael Beukes
    April 6, 2021 at 6:40 AM

    Thank you for the valuable question and answers. It would be useful in a year or so to come to a point where we can actually have some form of measurement. The absence thereof might be an indication for some research work to be done. I have a similar question on how to measure the value of risk management. Also how to measure on a metric basis the value of IT to the business – I’m looking at various metrics that can indicate the return on investment of investments into development projects, IT infrastructure, software and licensing, information security, cyber security, etc. I hope someone could be of assistance. Thank you. Michael

    • Michael Howell
      April 6, 2021 at 2:15 PM

      You may find Doug Hubbard’s books useful. How to Measure Anything, and How to Measure Anything in Cyber Risk (I may have the title slightly incorrect) and some of the techniques therein.

      The question is what decision it supports. How will quantifying it help someone make a decision? You may already have a need, but I’ve fallen into the trap of wanting to measure things for the sake of measuring them, rather than it fulfilling a genuine need (which is a focal point of Norman’s article).

    • Norman Marks
      April 6, 2021 at 2:18 PM

      See my next post for a discussion of measuring the value of risk management.

      • Michael
        April 6, 2021 at 10:55 PM

        Thank you for the feedback Norman.
