
What is quality internal auditing?

October 20, 2023

To answer this question, we must first decide why we have an internal audit function. What value does it provide for any organization?

My answer is that:

An effective internal audit function provides the risk-based assurance, advice, and insight[1] that leadership needs for success[2].

Adding to that:

  • “Risk-based” refers to a focus on the more significant risks to the achievement of enterprise objectives[3].
  • “Risk-based” implies that internal audit does not waste its limited resources providing assurance on sources of risk that don’t matter to leadership because they have minimal, if any, effect on the likelihood of achieving enterprise objectives.
  • Assurance, advice, and insight are actionable[4] and delivered when they are needed[5], with appropriate speed. They are relevant, business-practical[6], and deliver what leadership needs to know when they need to know it.
  • Internal audit is focused on the risks of today and tomorrow[7].
  • The function is agile, able to change direction and focus as risk and/or the business change[8].
  • Information provided is concise and readily consumed and acted upon.
  • An effective, quality internal audit function listens and learns. For example, it listens to management when assessing risk and considering responses to control weaknesses.
  • It works well with others, such as other assurance providers, the risk function, and operating management.
  • It requires a team of intelligent, curious, dedicated, and driven professionals with an understanding of the business, its processes, systems, and organization.
  • They deploy the technology and tools appropriate for the task[9].

How do you assess whether an internal audit function is effective and is providing the quality services the organization needs?

Let me first dismiss the idea that an External Quality Assurance Review (EQA) from the IIA is the answer. The IIA explains why it is important:

  • To demonstrate and certify conformance to The IIA’s International Standards for the Professional Practice of Internal Auditing and Code of Ethics, which require an EQA at least once every five years.
  • To enhance stakeholder confidence in the internal audit activity’s credibility and effectiveness in meeting their needs and expectations.
  • To assess whether the internal audit activity has the right skills and strategies to meet future organization needs.
  • To evaluate the effectiveness of the Quality Assurance and Improvement Program (QAIP) in meeting the requirements of continuous improvement; and to appraise and measure the efficiency and effectiveness of the internal audit activity.
  • Provides recommendations and a road map for implementing best practices to enhance internal audit conformance and performance in the future.
  • Gain valuable insight on department perceptions and reputation through in-depth interviews and surveys of stakeholders and internal audit department staff.
  • Assessment of the internal audit department's alignment with organization strategies, objectives, risks, and plans.

The focus is on conformance, not whether the function delivers the assurance, advice, and insight the organization needs, when it needs it.

Conformance to the Standards (whether the existing IIA Standards or the new GIAS) does not indicate quality internal audit services.

My friend Clarissa Lucas has shared an interesting article on Measuring (the) Effectiveness and Efficiency of Internal Audit.

I like how she added “efficiency” to the question. With so many sources of significant risk to the enterprise, and so few internal audit resources, it is vital to eliminate the unnecessary and be efficient in delivering quality services.

Clarissa tears down, as she should, traditional measures such as the number of audits performed, or (worse) the number of significant issues identified.

She asked her network how they assess the quality of internal audit. Fortunately, none (as far as I can see) suggested an EQA!

I thank her for including a précis of my thoughts:

Feedback from management and the Board on helping the organization be efficient, focusing on assurance over more significant risks, helping management sleep at night, doing work management would pay for, and contributing to the organization’s success.

I suggest a couple of approaches to assessing whether your internal audit function is “An effective internal audit function [that] provides the risk-based assurance, advice, and insight[10] that leadership needs for success”.

  1. Agree on its mission or purpose, then assess whether that is being achieved. Use my list of attributes (shown above), modified as you need. Build on that by identifying risks to that mission and whether they are at acceptable or desired levels.
  2. Use a maturity model like the one I provided[11] (at low cost) in Is your internal audit world-class? A maturity model for internal audit?

Remember that value can only be measured through the eyes of your customer, in this case the eyes of management and the board.

I welcome your thoughts.

====================================================================

[1] An important and valuable service provided by an effective internal audit, although dropped by the IIA Standards Board.

[2] Unfortunately, the IIA Standards Board has placed an artificial limit on the number of words in their Purpose statement, so they have not included “risk-based” or a focus on what the organization needs.

[3] In other words, not on risks to auditable entities or their processes.

[4] Readily translated by leadership into action, whether that is control improvement, changes in strategy, replacement of managers, delays to project implementation, or other strategic or tactical action.

[5] Effective internal auditors audit at the speed of the business. They have limited wasted motion or effort. They use communication methods that deliver what is needed to the right people at the right time. They are not hung up on protocol when it delays vital information.

[6] Quality auditors suggest actions they would take if they were in leadership. They do not recommend actions just because of theory or what is considered “best practice”.

[7] Auditing the past is what gives internal auditors a bad reputation.

[8] This requires keeping audits short. When projects are a month or more in length, they inhibit agility.

[9] They use technology when there is an appropriate ROI. They don’t get it just because everybody says they should.

[10] An important and valuable service provided by an effective internal audit, although dropped by the IIA Standards Board.

[11] I recommend the paperback version, so it can be marked up, copied, etc.

  1. Anonymous
    October 20, 2023 at 9:44 AM

    I understand the dilemma of defining a value statement. The problem with this one is that with only minor, if any, wording changes, any corporate department, e.g. HR, Legal, Finance, etc., could also claim this statement. If it is so bland and insipid that anyone could claim it, what’s the point? Everyone provides some kind of assurance and aspires to provide insight. Some can measure it.

  2. Norman Marks
    October 20, 2023 at 10:03 AM

    I have heard this argument before, but I don’t think these other departments are really talking about providing assurance that risks are addressed and maintained at desirable levels by related controls.

  3. Anonymous
    October 20, 2023 at 12:39 PM

    Are there cases where being an effective IA function results in non-conformance with the IIA standards?

    • Norman Marks
      October 20, 2023 at 1:00 PM

      Yes. My audit plan was not based, as required by standards, on risk to auditable entities.

      • Anonymous
        October 20, 2023 at 5:01 PM

        The current standards don’t mandate the use of an audit universe comprising audit entities. There may be guidance that suggests that as a good practice, but I’d say you can pass an EQA without identifying and auditing risks to an audit entity’s objectives. The mandatory standards require the audit to consider the risks to the organization’s objectives – consistent with your piece.

        • Norman Marks
          October 20, 2023 at 5:36 PM

          Standard 2201:
          In planning the engagement, internal auditors must consider:
            • The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
            • The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.

          • Norman Marks
            October 20, 2023 at 5:37 PM

            2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

          • Anonymous
            October 20, 2023 at 9:34 PM

            Can’t we ‘consider’ the objectives of the entity/activity but focus audit effort on the risks to the organization’s objectives?

            • Norman Marks
              October 21, 2023 at 6:27 AM

              Why? The only value I can see in doing that is to confirm they are aligned with the enterprise goals.
