WeiserMazars LLP is an independent member firm of Mazars Group.
MEASURING INTERNAL AUDIT PERFORMANCE - WHAT ARE THE IMPORTANT METRICS?
Measuring Internal Audit Performance - WeiserMazars LLP’s Governance, Risk and Compliance (GRC) Group
BACKGROUND
In today’s environment of increased regulation and focus
on governance and risk management, the true “value add”
of the Internal Audit (IA) function is very much a topic of
scrutiny for Boards, audit committee members, senior
executives (Chief Executive Officer, Chief Financial Officer)
and virtually all IA stakeholders. In many instances, the
IA function is also being asked to do more with fewer
personnel and to leverage technology in all their activities.
While many Chief Audit Executives (CAEs) regularly report
the number of audits completed vs. planned, the number of
high risk issues identified, actual audit hours vs. budgeted
hours, and actual function costs vs. budgeted costs, the
question remains whether these measures are truly the
most meaningful. Are they enough to show that consistent
value is provided to a company?
In order to arrive at meaningful metrics, the first step is to
gain an understanding of the true “mission” of IA. While this
may be described in an IA mission statement, it is critical
for the function to adhere to best practices, generally
governed by the Institute of Internal Auditors International
Professional Practices Framework (IPPF). The IPPF, which
includes the International Standards for the Professional
Practice of Internal Auditing (Standards), is a conceptual
framework which organizes authoritative guidance
promulgated by the Institute of Internal Auditors (IIA).
While adoption of the IPPF is not mandatory, adherence to
it indicates an IA function is following the best practices
in internal auditing. In addition to including the Standards
and requiring internal auditor adherence to the IIA Code of
Ethics, the IPPF includes a Definition of Internal Auditing.
This Definition and/or its key components is generally
included in the audit charter and/or mission statement of IA
functions.
This Definition states:
“Internal auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of the risk
management, control and governance processes.”
While the Definition generally drives the focus of many
IA functions, in today’s regulatory environment - and for
global organizations - there are additional requirements
that IA examine specific areas of a company and, in some
instances, report out their overall results. It is these
additional requirements, as well as other areas to which the
audit committee and senior management may direct IA’s
focus, which drive actual and perceived IA value.
As many recent IA surveys have shown, audit committees
and senior management struggle with gaining comfort
that true “value” is consistently provided by IA functions.
It is imperative that the true mission of IA is understood
and communication of the results of IA activities be aligned
to that mission. In this regard, identifying the “assurance”
and consulting/advisory role of IA is imperative. For many
stakeholders, it is in the consulting/advisory role that they
believe most IA value is provided. Other stakeholders,
however, may see IA as primarily an “assurance” provider that
may not have the skills to provide consulting/advisory services.
In today’s environment, while the IA assurance function is
still important and will always continue, there is a growing
trend of IA also providing consulting/advisory services.
In short, no matter how the IA function is perceived -
as assurance provider and/or consultant/advisor, it is
imperative that the CAE communicate key metrics that are
aligned in these areas.
RECOGNIZING STAKEHOLDERS
With the mission of the IA function clearly understood, in
order to determine what metrics will assist in showing IA
value, the various stakeholders of IA must be identified.
While we have previously alluded to the audit committee
and senior executives, Figure 1.1 below depicts the many
stakeholders of IA.
Because the CAE is clearly a stakeholder, he or she wants
to make sure that the metrics show that the IA function
has a clear mission, includes best practices in the field
of internal auditing and the IA output will be perceived to
provide consistent value to stakeholders. While the audit
committee’s goals should be aligned to the CAE, as with
management there may be specific areas where it believes
a great deal of value resides. These can include feedback
and focus on Information Technology and emerging risks,
the review of an organization’s risk management processes,
or the ability to have risk-focused IA personnel move into
other areas of an organization. Individual auditees are often
focused on having consistent recommendations that will
assist in meeting their operational and strategic objectives.
In addition, the external auditor is generally concerned that
competent IA personnel will assist not only in completing
key control audits, but also in completing external audit
assistance work – which helps with their attestation needs.
When we recently discussed expected IA value with audit
committee members, executive management and auditees,
all responses included important aspects of an IA function’s
mission. Just some of these included:
• “The value of Internal Audit to me is I don’t want
surprises; Internal Audit assists in reducing
regulatory, reputational and financial surprises.”
• “Internal Audit helps set a tone of accountability
throughout the organization.”
• “Internal Audit helps reduce the external audit fee
and provides a level of assurance that we have
proper controls in place and that they are operating
effectively.”
• “A key value Internal Audit provides is the issues they identify and how they partner with management to arrive at
viable actions to address those issues.”
• “In today’s world, I look not only for Internal Audit to provide assurance over controls but to also provide input to help
our organization achieve our objectives and overall strategy.”
• “A successful Internal Audit function is made up of people with the right skills, who are business partners with
management and provide insight into identifying and addressing risks of the company, including emerging risks. It is
this incubator of risk-focused people who we also look to enter the business and assist the company in achieving its
long term objectives.”
KEY METRICS
While there may be different areas of focus and corresponding priorities for various stakeholders, a common measure for IA
value should also address:
• Presence of robust IA policies and procedures which drive IA activities
• Skillsets, abilities and relationships of IA personnel
• Evidence that the IA focus and results are aligned to the organizational primary risks
Having a true “Balanced Scorecard” that addresses the areas noted, shows IA focus, and is used to communicate
results helps demonstrate the consistent value of IA. Some of the key measures in each of the three areas are summarized
in Figures 1.2, 1.3 and 1.4.
Figure 1.2-Robust Internal Audit Policies and Procedures
*In the charts below, X represents a priority area for the applicable stakeholder.
Figure 1.3-Skillsets, Abilities and Relationships of Internal Audit Personnel
Figure 1.4-Alignment of Internal Audit to Organizational Primary Risks
PRESENCE OF ROBUST INTERNAL AUDIT POLICIES AND PROCEDURES WHICH DRIVE INTERNAL AUDIT ACTIVITIES
For CAEs it is imperative that they have written policies
and procedures that are aligned to the IPPF, including
internal quality control procedures, and the completion of
an External Quality Assessment Review (QAR). While the
QAR has been a requirement for many years, a number of
organizations have either not had QARs completed, or they
are not always completed within the required 5-year time
frame. Another key area is assuring that all regulatory IA
requirements are memorialized and completed on a timely
basis.
Other core metrics include having an established process
under which any “High” rated audit issues/recommendations
are addressed within a reasonable timeframe (e.g. 60 days
of report issuance) and under which all report issues are
addressed with management actions no later than 30 days
from the target completion date.
One item many auditees, senior management and audit
committee personnel look at is the number of audit issues
addressed before the final report is issued. When this is
done, true partnering by IA with management is evident.
There is also an increased focus on being able to deliver
methods and tools that the organization will be able to
re-use independently moving forward. Generally in these
instances, using automated tools and/or a designed
program, IA establishes a process to identify/analyze risks
to an organization (review and analysis of third party data,
etc.) that can be implemented by the business, thereby
allowing the “process” to be examined by IA in the future.
Some other key metrics include:
• Reports issued within XX days (e.g. 45 days) of
fieldwork
• Actual annual audit plan hours vs. budgeted hours
• Number of completed audits vs. planned audits
• Consistent use of surveys at the completion of each
audit to obtain and report on auditee management
feedback
• Consistent use of Computer Assisted Audit
Techniques (CAATs), continuous auditing and related
reports produced to show value in identifying
anomalies within entire populations
SKILLSETS, ABILITIES AND RELATIONSHIPS OF INTERNAL AUDIT PERSONNEL
Two highly useful means of helping CAEs in carrying
out IA activities include not only having personnel with
various certifications (CIA, CISA, CRMA, CFE, etc.), but
also maintaining a matrix of areas of expertise by person
and a related gap analysis. This gap analysis is a driver
for filling internal audit positions and it uncovers any
need to seek outsourcing of Subject Matter Experts.
Moreover, an important value add to organizations is the
development of relationships between IA personnel and
company management. This enhances the IA personnel’s
understanding of the business and their ability to add value.
Measurement of formal feedback from management on
each auditor is obtained on an annual basis.
An excellent measure of IA value is the number of
personnel that have been transferred from IA to other
positions in an organization. Having IA serve as a talent
incubator for the organization as a whole is a consistent
positive for many organizations. Also gaining momentum
in many organizations are rotation programs where
specialized, skilled personnel from other departments
transfer into the IA function for 12 to 24 months. In many
organizations, another value indicator is the number of
“special requests” relating to key initiatives on which
management asks for IA involvement.
Finally, other key metrics include the number of auditors
per number of employees as well as the number of auditors
per annual revenue dollars.
EVIDENCE THAT IA FOCUS AND RESULTS ARE ALIGNED TO THE PRIMARY ORGANIZATIONAL RISKS
The final area for measuring IA value is the daily focus of
the IA function. That is, helping an organization accomplish
its objectives by assisting management in improving the
effectiveness of risk management, with a focus on the
primary risks of the organization, should be a key driver of
IA activities, even though it might not always be easily measured.
While this may be difficult to quantify, given IA’s technical
abilities and their forum to drive change in an organization,
it is imperative that IA consistently communicates to all
stakeholders how they contribute to identifying risks and
assuring they are sufficiently addressed.
One of the main deliverables that assist in this process
is a formal reconciliation of Internal Audit, Sarbanes-Oxley,
Risk Management, Compliance and external audit
risks and coverage. Some companies complete this via
a formal document which is updated on a regular basis.
This document details organizational risks, as well as the
processes in place to address the risks. Linking each IA
report finding to major risk areas of the organization is a
clear indication of value received. This linkage may include
highlighting the impact of the audit issue and overall audit
result to the risk as a whole. This includes identifying risks
that exist in attaining an organization’s strategic objectives.
Since IA is uniquely qualified in that they understand the
risks of the organization, any audits that directly review an
organization’s risk management process or Information
Technology risks (cybersecurity, etc.) should be highlighted
to all stakeholders. Moreover, with the increased emphasis
on emerging risks and fraud, any audit committee or senior
management update on emerging risks and statistics on
number of fraud related report findings is also a value add
to key IA stakeholders.
SUMMARY
While many IA functions provide consistent value
to organizations, the process of measuring and
communicating this value is not “one size fits all.” As such,
to ensure both the reality and perception of consistent
value being provided, IA needs to be focused on their
mission as well as how they serve and report results to
their various stakeholders. Attending to the needs of the
stakeholders should assist in the communication and level
of detail showing consistent IA value. A balanced approach
is recommended where updates and related statistics are
maintained and communicated, focusing on measures that
relate to adherence to robust IA policies and procedures,
the abilities of IA personnel and IA’s focus on the company’s
primary risks. If this is done, evidencing IA value will surely
be more straightforward and better measured!
About WeiserMazars
WeiserMazars LLP provides insight and specialized
experience in accounting, tax and advisory services.
Since 1921, our skilled professionals have leveraged
technical expertise and industry familiarity to create
customized solutions to overcome client challenges.
As the independent U.S. member firm of Mazars Group – the
11th largest accounting organization in the world – we have
a global reach of nearly 14,000 professionals in more than
70 countries.
Locally and internationally, we build lasting relationships
with our clients by addressing their particular needs,
creating value and optimizing their organizational
performance.
For more information visit us at www.weisermazars.com
CONTACT
Michael Flagiello | Partner
Robert Cummings | Partner
Bill Mellon, Partner (P) 267.532.4328 (C) 215.287.0468
Nicolas Quairel, Principal (P) 646.225.5983