Post on 02-Sep-2019

WeiserMazars LLP is an independent member firm of Mazars Group.

MEASURING INTERNAL AUDIT PERFORMANCE - WHAT ARE THE IMPORTANT METRICS?

Measuring Internal Audit Performance - WeiserMazars LLP’s Governance, Risk and Compliance (GRC) Group

BACKGROUND

In today’s environment of increased regulation and focus on governance and risk management, the true “value add” of the Internal Audit (IA) function is very much a topic of scrutiny for Boards, audit committee members, senior executives (Chief Executive Officer, Chief Financial Officer) and virtually all IA stakeholders. In many instances, the IA function is also being asked to do more with fewer personnel and to leverage technology in all their activities. While many Chief Audit Executives (CAEs) regularly report the number of audits completed vs. planned, the number of high risk issues identified, actual audit hours vs. budgeted hours, and actual function costs vs. budgeted costs, the question remains whether these measures are truly the most meaningful. Are they enough to show that consistent value is provided to a company?

In order to arrive at meaningful metrics, the first step is to gain an understanding of the true “mission” of IA. While this may be described in an IA mission statement, it is critical for the function to adhere to best practices, generally governed by the Institute of Internal Auditors International Professional Practices Framework (IPPF). The IPPF, which includes the International Standards for the Professional Practice of Internal Auditing (Standards), is a conceptual framework which organizes authoritative guidance promulgated by the Institute of Internal Auditors (IIA). While adoption of the IPPF is not mandatory, adherence to it indicates an IA function is following the best practices in internal auditing. In addition to including the Standards and requiring internal auditor adherence to the IIA Code of Ethics, the IPPF includes a Definition of Internal Auditing. This Definition and/or its key components is generally included in the audit charter and/or mission statement of IA functions.

This Definition states:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the risk management, control and governance processes.”

While the Definition generally drives the focus of many IA functions, in today’s regulatory environment - and for global organizations - there are additional requirements that IA examine specific areas of a company and, in some instances, report out their overall results. It is these additional requirements, as well as other areas to which the audit committee and senior management may direct IA’s focus, which drive actual and perceived IA value.

As many recent IA surveys have shown, audit committees and senior management struggle with gaining comfort that true “value” is consistently provided by IA functions. It is imperative that the true mission of IA is understood and that communication of the results of IA activities be aligned to that mission. In this regard, identifying the “assurance” and consulting/advisory role of IA is imperative. For many stakeholders, it is in the consulting/advisory role that they believe most IA value is provided, while other stakeholders may see IA as primarily an “assurance” provider that may not have the skills to provide consulting/advisory services.

In today’s environment, while the IA assurance function is still important and will always continue, there is a growing trend of IA also providing consulting/advisory services. In short, no matter how the IA function is perceived - as assurance provider and/or consultant/advisor - it is imperative that the CAE communicate key metrics that are aligned in these areas.

RECOGNIZING STAKEHOLDERS

With the mission of the IA function clearly understood in order to determine what metrics will assist in showing IA value, the various stakeholders of IA must be identified. While we have previously alluded to audit committee and senior executives, Figure 1.1 below depicts the many stakeholders of IA.

Because the CAE is clearly a stakeholder, he or she wants to make sure that the metrics show that the IA function has a clear mission, includes best practices in the field of internal auditing and that the IA output will be perceived to provide consistent value to stakeholders. While the audit committee’s goals should be aligned to the CAE, as with management there may be specific areas where it believes a great deal of value resides. These can include feedback and focus on Information Technology and emerging risks, the review of an organization’s risk management processes, or the ability to have risk-focused IA personnel move into other areas of an organization. Individual auditees are often focused on having consistent recommendations that will assist in meeting their operational and strategic objectives. In addition, the external auditor is generally concerned that competent IA personnel will assist not only in completing key control audits, but also in completing external audit assistance work – which helps with their attestation needs.

When we recently discussed expected IA value with audit committee members, executive management and auditees, all responses included important aspects of an IA function’s mission. Just some of these included:

• “The value of Internal Audit to me is I don’t want surprises, Internal Audit assists in reducing regulatory, reputational and financial surprises.”

• “Internal Audit helps set a tone of accountability throughout the organization.”

• “Internal Audit helps reduce the external audit fee and provides a level of assurance that we have proper controls in place and that they are operating effectively.”

• “A key value Internal Audit provides is the issues they identify and how they partner with management to arrive at viable actions to address those issues.”

• “In today’s world, I look not only for Internal Audit to provide assurance over controls but to also provide input to help our organization achieve our objectives and overall strategy.”

• “A successful Internal Audit function is made up of people with the right skills, who are business partners with management and provide insight into identifying and addressing risks of the company, including emerging risks. It is this incubator of risk-focused people who we also look to enter the business and assist the company in achieving its long term objectives.”

KEY METRICS

While there may be different areas of focus and corresponding priorities for various stakeholders, a common measure for IA value should also address:

• Presence of robust IA policies and procedures which drive IA activities

• Skillsets, abilities and relationships of IA personnel

• Evidence that the IA focus and results are aligned to the organizational primary risks

Having a true “Balanced Scorecard” which addresses the areas noted, shows IA focus, and one that is used to communicate results, helps demonstrate the consistent value of IA. Some of the key measures in each of the three areas are summarized in Figures 1.2, 1.3 and 1.4.

Figure 1.2-Robust Internal Audit Policies and Procedures

*In the below charts – X represents a priority area for the applicable stakeholder.

Figure 1.3-Skillsets, Abilities and Relationships of Internal Audit Personnel

Figure 1.4-Alignment of Internal Audit to Organizational Primary Risks

Presence of Robust Internal Audit Policies and Procedures Which Drive Internal Audit Activities

For CAEs it is imperative that they have written policies and procedures that are aligned to the IPPF, including internal quality control procedures, and the completion of an External Quality Assessment Review (QAR). While the QAR has been a requirement for many years, a number of organizations have either not had QARs completed, or they are not always completed within the required 5 year time frame. Another key area is assuring that all regulatory IA requirements are memorialized and completed on a timely basis.

Other core metrics include having an established process under which any “High” rated audit issues/recommendations are addressed within a reasonable timeframe (e.g. 60 days of report issuance) and under which all report issues are addressed with management actions no later than 30 days from target completion date.

One item many auditees, senior management and audit committee personnel look at is the number of audit issues addressed before the final report is issued. When this is done, true partnering by IA with management is evident.

There is also an increased focus on being able to deliver methods and tools that the organization will be able to re-use independently moving forward. Generally in these instances, using automated tools and/or a designed program, IA establishes a process to identify/analyze risks to an organization (review and analysis of third party data, etc.) that can be implemented by the business, thereby allowing the “process” to be examined by IA in the future.

Some other key metrics include:

• Reports issued within XX days (e.g. 45 days) of fieldwork

• Actual annual audit plan hours vs. budgeted hours

• Number of completed audits vs. planned audits

• Consistent use of surveys at the completion of each audit to obtain and report on auditee management feedback

• Consistent use of Computer Assisted Audit Techniques (CAATs), continuous auditing and related reports produced to show value in identifying anomalies within entire populations

Skillsets, Abilities and Relationships of Internal Audit Personnel

Two highly useful means of helping CAEs in carrying out IA activities include not only having personnel with various certifications (CIA, CISA, CRMA, CFE, etc.), but also maintaining a matrix of areas of expertise by person and a related gap analysis. This gap analysis is a driver for filling internal audit positions and it uncovers any need to seek outsourcing of Subject Matter Experts. Moreover, an important value add to organizations is the development of relationships between IA personnel and company management. This enhances the IA personnel’s understanding of the business and their ability to add value. Formal feedback from management on each auditor is obtained and measured on an annual basis.

An excellent measure of IA value is the number of personnel that have been transferred from IA to other positions in an organization. Having IA serve as a talent incubator for the organization as a whole is a consistent positive for many organizations. Also gaining momentum in many organizations are rotation programs where specialized, skilled personnel from other departments transfer into the IA function for 12 to 24 months. In many organizations, another value indicator is the number of “special requests” relating to key initiatives on which management asks for IA involvement.

Finally, other key metrics include the number of auditors per number of employees as well as the number of auditors per annual revenue dollars.

Evidence That IA Focus and Results Are Aligned to the Primary Organizational Risks

The final area for measuring IA value is the daily focus of the IA function. That is, helping an organization accomplish its objectives by assisting management in improving the effectiveness of risk management by focusing on the primary risks of an organization, while at times not easily measured, should be a key driver of IA activities. While this may be difficult to quantify, given IA’s technical abilities and their forum to drive change in an organization, it is imperative that IA consistently communicates to all stakeholders how they contribute to identifying risks and assuring they are sufficiently addressed.

One of the main deliverables that assists in this process is a formal reconciliation of Internal Audit, Sarbanes Oxley, Risk Management, Compliance and external audit risks and coverage. Some companies complete this via a formal document which is updated on a regular basis. This document details organizational risks, as well as the processes in place to address the risks. Linking each IA report finding to major risk areas of the organization is a clear indication of value received. This linkage may include highlighting the impact of the audit issue and overall audit result to the risk as a whole. This includes identifying risks that exist in attaining an organization’s strategic objectives.

Since IA is uniquely qualified in that they understand the risks of the organization, any audits that directly review an organization’s risk management process or Information Technology risks (cybersecurity, etc.) should be highlighted to all stakeholders. Moreover, with the increased emphasis on emerging risks and fraud, any audit committee or senior management update on emerging risks and statistics on number of fraud related report findings is also a value add to key IA stakeholders.

SUMMARY

While many IA functions provide consistent value to organizations, the process of measuring and communicating this value is not “one size fits all.” As such, to ensure both the reality and perception of consistent value being provided, IA needs to be focused on their mission as well as how they serve and report results to their various stakeholders. Attending to the needs of the stakeholders should assist in the communication and level of detail showing consistent IA value. A balanced approach is recommended where updates and related statistics are maintained and communicated, focusing on measures that relate to adherence to robust IA policies and procedures, the abilities of IA personnel and IA’s focus on the company’s primary risks. If this is done, evidencing IA value will surely be more straightforward and better measured!

About WeiserMazars

WeiserMazars LLP provides insight and specialized experience in accounting, tax and advisory services. Since 1921, our skilled professionals have leveraged technical expertise and industry familiarity to create customized solutions to overcome client challenges.

As the independent U.S. member firm of Mazars Group – the 11th largest accounting organization in the world – we have a global reach of nearly 14,000 professionals in more than 70 countries.

Locally and internationally, we build lasting relationships with our clients by addressing their particular needs, creating value and optimizing their organizational performance.

For more information visit us at www.weisermazars.com


CONTACT

Michael Flagiello | Partner

Robert Cummings | Partner

Bill Mellon, Partner (P) 267.532.4328 (C) 215.287.0468

Nicolas Quairel, Principal (P) 646.225.5983