As the saying—attributed to management guru Peter Drucker—goes, “You can’t manage what you don’t measure.” To drive performance, most functions need to measure their operations.
In internal audit, some metrics, like the percent of the audit plan completed, often act as a starting point for assessing performance. At the same time, many internal audit departments are expanding their list of the metrics they track. “I want clients to think differently and to articulate the value delivered by internal audit,” says Sarah Fedele, U.S. internal audit leader and principal at Deloitte Risk and Financial Advisory.
To be sure, measuring an audit department’s value typically isn’t as straightforward as, say, tracking the output of employees on a production line, says Glenn Sumners, director of the Center for Internal Auditing and Cybersecurity Risk Management at Louisiana State University. “Still, you need some way to evaluate performance,” he says. Identifying metrics that strive to assess the department’s value and then measuring performance against them can “drive greater effort,” he adds.
The Basic Internal Audit Metrics
As a starting point, metrics should be tied to the organization’s overall strategy or mission. “A first step is being clear on your purpose,” says Sophie Campbell-Smith, partner in enterprise risk at EY. The organization’s purpose should inform what’s measured and the metrics used. So, for example, at a company committed to a strategy of digitalization, internal audit will typically want to track adoption of digital technology.
The following audit metrics, while not exhaustive, can help most audit departments measure and improve performance. They’re grouped into two broad categories: efficiency and effectiveness.
Internal Audit Metrics that Measure Efficiency
Percent of Audit Plan Completed:
“Measuring the percentage of the plan completed helps evaluate how well the internal function is sticking to its plan and effectively managing its resources,” says Dawn Williford, market managing partner, risk advisory services at BDO. To be sure, progress should be monitored and calculated on an ongoing basis, as the plan may change as priorities evolve, she adds.
“The goal is to complete what we said we were going to complete,” says Thomas Sanglier, chief audit executive at Leidos, a Fortune 500 company operating in the defense, intelligence, and aviation markets. If the audit team isn’t able to finish all planned audits within the time frame set, it should be transparent about the need to carry over projects and explain why. “But the goal is promises made, promises kept,” says Sanglier.
Budgeted to Actual Hours:
Similarly, the Leidos audit team establishes budgeted hours for each project, and then measures actual hours against the budget. This provides a solid understanding of the time required for each project and helps track the audit team’s utilization. “The two together helps us know how many projects we can get done in a year,” Sanglier says. Tracking team utilization also helps ensure work is balanced between team members, he adds.
Audit Cycle Times:
Audits that drag on can lead to audit fatigue, Campbell-Smith says. Conversely, measuring audit cycle time can help drive efficiency, she adds.
At Leidos, the goal is to issue the audit report within fifteen business days after the last day of initially planned field work. “It really forces the team to be efficient and focused,” Sanglier says. This also helps reduce wrap-up overlap with planning the next project, which can be burdensome and stressful to the staff.
To reach this goal, the audit team and the audit customer discuss potential issues immediately when identified, and within 24 hours with Sanglier. The audit team also escalates the written issue as quickly as possible with stakeholders and up the chain of command.
Ideally, by the time the report is completed, everyone who has a stake in the issue has seen it in writing, agreed, and developed a management action plan, Sanglier says, noting that this both expedites the report creation and increases transparency. “It allows us to get the facts right, understand mitigating factors, and get the rating right,” he says.
Sanglier and his team communicate this during the kickoff meeting, explaining how paying attention to potential issues as they arise eliminates extra work and reduces the likelihood an audit customer is caught off guard by an issue. “When we identify an issue, they’re as motivated to get to the bottom of it as we are,” he adds.
Auditor and Technology Utilization Rates:
Measuring auditor utilization rates helps show whether auditors are being appropriately used. It generally doesn’t make sense to have multiple auditors “on the bench” and not working on assignments, Campbell-Smith says.
The Leidos audit team also tracks the data analytics it employs on its audits. “We’re trying to drive data analytics in everything we do,” Sanglier says.
Internal Audit Metrics that Measure Effectiveness
Value of Recommendations Implemented:
Many internal audit departments conduct audits, develop recommendations, and then management comes up with plans for implementation. Often, however, no one tracks the benefit to the organization, Campbell-Smith notes. Internal audit departments that do can better articulate the value they’re providing the organization, she adds. They also can help ensure the business units follow through on their implementation plans.
The value of the recommendations can include hard dollar recoveries, such as identifying duplicate payments which can show immediate value, Sumners says. Soft dollar improvements might include a recommendation to, for instance, streamline a process and eliminate unnecessary steps, freeing up employees’ time and saving money, Sumners says.
The Level of Automation in Recommendations:
“If we make a recommendation, we strive to make sure that the recommendation includes automation,” Sanglier says. This helps the company continue to streamline its processes, he adds.
Observations Closed:
Another important, if fundamental, measurement is tracking how well the organization is closing any observations the auditors raised during field work, says Stacey Schabel, chief audit executive at Jackson Financial, which offers retirement savings solutions. “Especially if you’re raising issues related to open risks, you want to track and make sure the items are closed,” she says.
To confirm closure, her team returns to the area and tests the design and operational effectiveness of the solution. “Management can mitigate the risk in a way that makes the most sense for the organization, but it needs to pass testing and be sustainable,” she notes.
Management Requests:
A business unit’s request for internal audit’s assistance with a project or problem also speaks to the value internal audit can offer, Deloitte’s Fedele says. In addition, working together on requests helps forge better relationships, she adds.
Sanglier tracks how often management in the business units requests the audit team’s assistance with different projects. “This is a good sign that they’re viewing us as a valued partner to the business,” he notes. Similarly, he monitors the extent to which members of the audit team transfer into a business unit.
Peer Internal Audit Metrics and Benchmarking:
Schabel and her team benchmark their own operational metrics against peer audit departments in the financial services sector, using industry studies. For instance, she’ll check how their work over the top organizational risks compares to those of other industry leaders. “We’ll see how other teams are covering them and how we line up,” she says.
Auditee Satisfaction:
Auditee surveys can help internal audit check that they’re conducting their internal audits in an appropriate manner, says Seth Schrank, managing director at global consulting firm Protiviti. For instance, do the auditors come to the audit prepared with a basic knowledge of the process they are assessing? “This really speaks to if internal audit is coming to the table having done their homework,” Schrank adds.
It’s also critical that survey responses help inform change, says Mark Ruppert, chief audit executive at Northern Arizona University. Noticing that clients were responding less and less to a standard, ongoing set of questions, he asked them about the surveys. “All noted a sense of survey fatigue and indicated that if they could see the surveys resulting in some positive change, they’d be more likely to answer,” he says.
So, Ruppert and his team periodically update the surveys to highlight the audit process changes they’d made, such as working with clients during the planning stage to identify and score risks. They’d then assess how well the changes were accepted and tweak those processes as necessary to address any constructive criticism from clients.
Risk Coverage:
When executing against the internal audit plan, it’s important to assess coverage of the organization’s financial, operational, strategic, and compliance risks, Campbell-Smith says. The goal is ensuring each category is appropriately covered, she adds.
Along with regularly assessing how internal audit is covering key organizational risks, it’s critical to look at its coverage of emerging and changing risks, Schabel says. For instance, cyber security continues to increase in significance, she adds.
Covering these risks is not only key to the organization’s health, but it shows internal audit is engaged and knows what’s going on in the company, Fedele says.
Managing Internal Audit Metrics
Tracking metrics requires an investment of time and energy. As with any initiative, audit departments need to weigh the value of the insight provided against the work needed to assemble the information, Ruppert says. This can be especially critical in small shops, where administrative burdens tend to have a greater impact in reducing the time available for audits, which can boost the need for overtime, he adds.
Larger departments may be able to delegate some responsibility. At Leidos, the executive assistant has responsibility for compiling and reporting data on metrics. This has provided her with new challenges, while allowing the audit team to concentrate on executing projects, Sanglier says.
It’s also critical to focus on metrics that matter over time, especially at the board level, Ruppert says. For instance, focusing on cost savings or revenue enhancements can have a negative impact if the board becomes too focused on this type of metric. “An ongoing expectation of meeting or exceeding prior year results for such a measure would not be appropriate,” he says.
When used effectively, metrics can help increase efficiency and improve performance, benefiting both the organization and the internal audit department. Many audit departments are regularly challenged from a budget and headcount standpoint, Fedele says. Departments can use metrics to respond to challenges and articulate the value they’re delivering.
Karen Kroll is a finance and business writer based in Minneapolis, Minnesota.
One Reply to “Metrics that Matter: Measuring Internal Audit’s Performance”