How Effective Is Your Internal Audit Function?

GUEST BLOG
The Institute of Internal Auditors (IIA) recommends that a quality assessment of the internal audit function be made at least every five years, but most chief audit executives want to know how well they are doing every year.

When I became a CAE, I started by benchmarking internal audit against firms that had a great reputation, either for their business practices or internal audit departments. That is still a good idea and I recommend it. But in my case I found so many practices that disturbed me that after a couple of years I only met with CAEs whose presentations at conferences indicated they led practices I would admire. For example, one major company’s auditors spent 60 percent of their audit time on documentation, which is far too much, and would continue to perform audit work until their allocated time ran out, even if they had completed the defined scope. Another CAE said his organization took a risk-based approach; but then went on to say that every function and process is audited at least once every five years on a cyclical basis. That is not risk-based internal auditing.

I highly recommend attending conferences and seminars to keep up to date, build and maintain a network, and learn from your peers and thought-leaders. However, always listen with both an open and questioning mind. Not all so-called thought leaders should, in my humble opintion, be considered up to world-class levels. Indeed, this blog is quite active in criticizing some of the guidance that is published!

External Quality Reviews
One approach is to have an external quality assurance review (QAR). That can be done through the IIA, who will assign a team of experienced auditors to follow IIA QAR guidance and methodologies. The primary focus is typically compliance with IIA Standards and the Code of Ethics, although the better review leaders will also interview stakeholders and provide more of a qualitative assessment of performance. You can also engage one of the consulting firms to perform a QAR.

The value of external reviews is limited to the experience and quality of the QAR team. If team members are conversant with leading practices, then you may get a review of high quality. Unfortunately, not every experienced auditor, even veteran CAEs, has reached world-class levels in their own practices.

If you engage a consultancy firm, they may focus unnecessarily on the quality of your tools (such as analytics and RPA) instead of the value of your assurance and insight. They often rely on a list of so-called best practices rather than taking the time to understand the needs of your organization and the potential value internal audit can deliver.

I believe that the only assessment that makes sense is that of the customer: the audit committee of the board and the senior management of the organization.

Using a Maturity Model
I also believe that it is immensely valuable to use a maturity model. The IIA has a practice guide on how to use one for other processes and I have one in my books for risk management. But there aren’t any that I could find for internal audit that reflect leading thinking and practices.

One of the values of a maturity model is that if helps both CAEs and audit committees understand and then discuss leading practices. Many audit committees are complacent, and accept what they are receiving because they don’t realize more value can be obtained.

I have tried to fill the gap with a new book. Is your Internal Audit world-class: a Maturity Model for Internal Audit includes both a set of questions that can be used as a basis for obtaining internal audit stakeholders’ assessments and a detailed maturity model. It is based on the leading practices discussed in Auditing that Matters.

The guidance can (and probably should) be used in any QAR, but can also be used by CAEs and their audit committees simply to see where they stand on an annual basis. If you engage a team of reviewers to perform a QAR, I suggest asking them to use my maturity model (modified as appropriate) and consider my questions.

Knowing how you compare to world-class practices and understanding the added value of moving up the maturity curve can, itself, have great value. I hope you find this guide useful and I look forward to your comments.  Internal audit end slug


Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.

One Reply to “How Effective Is Your Internal Audit Function?”

Leave a Reply

Your email address will not be published. Required fields are marked *