In today’s environment of increased regulation and focus on governance and risk management, the true “value add” of the Internal Audit (IA) function is very much a topic of scrutiny for Boards, audit committee members, senior executives (Chief Executive Officer, Chief Financial Officer) and virtually all IA stakeholders. In many instances, the IA function is also being asked to do more with fewer personnel and to leverage technology in all their activities. While many Chief Audit Executives (CAEs) regularly report the number of audits completed vs. planned, the number of high risk issues identified, actual audit hours vs. budgeted hours, and actual function costs vs. budgeted costs, the question remains whether these measures are truly the most meaningful. Are they enough to show that consistent value is provided to a company?
In order to arrive at meaningful metrics, the first step is to gain an understanding of the true “mission” of IA. While this may be described in an IA mission statement, it is critical for the function to adhere to best practices, generally governed by the Institute of Internal Auditors International Professional Practices Framework (IPPF). The IPPF, which includes the International Standards for the Professional Practice of Internal Auditing (Standards,) is a conceptual framework which organizes authoritative guidance promulgated by the Institute of Internal Auditors (IIA). While adoption of the IPPF is not mandatory, adherence to it indicates an IA function is following the best practices in internal auditing. In addition to including the Standards and requiring internal auditor adherence to the IIA Code of Ethics, the IPPF includes a Definition of Internal Auditing. This Definition and/or its key components is generally included in the audit charter and/or mission statement of IA functions.
This Definition states: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of the risk management, control and governance processes.”
While the Definition generally drives the focus of many IA functions, in today’s regulatory environment – and for global organizations – there are additional requirements that IA examine specific areas of a company and, in some instances, report out their overall results. It is these additional requirements, as well as other areas to which the audit committee and senior management may direct IA’s focus, which drives actual and perceived IA value. As many recent IA surveys have shown, audit committees and senior management struggle with gaining comfort that true “value” is consistently provided by IA functions. It is imperative that the true mission of IA is understood and communication of the results of IA activities be aligned to that mission. In this regard, identifying the “assurance” and consulting/advisory role of IA is imperative. For many stakeholders, it is in the consulting/advisory role that they believe most IA value is provided. While other stakeholders may see IA as primarily an “assurance” provider that may not have the skills to provide consulting/advisory services.
In today’s environment, while the IA assurance function is still important and will always continue, there is a growing trend of IA also providing consulting/advisory services. In short, no matter how the IA function is perceived – as assurance provider and/or consultant/advisor, it is imperative that the CAE communicate key metrics that are aligned in these areas.