How should this be done? Some would say that the IIA’s quality assurance standards, which require both ongoing and periodic quality reviews, are the answer.
I am not one of those people.
While I agree that procedures performed by the CAE and his team to assure quality are important, and that an independent quality assurance review should be performed every so often, I am not persuaded that they do enough to assess effectiveness—and especially whether internal audit is provided all the value it should.
Who receives the value from internal audit? The answer is that the board (perhaps via the audit committee) and top management are the primary customers. Other customers include operating management, the external auditors, and (often) the regulators.
The only way that effectiveness and value should be measured is through the eyes of the primary customer.
Do we simply ask them whether internal audit is effective and providing value? Do they even know what internal audit should be delivering?
Maybe they have heard that internal audit provides assurance and value–added advisory/consulting services. But what does that mean? How much should they expect?
Some years ago, I asked the chair of the audit committee how we were doing. His answer was that we “helped him sleep through the night”. I believe that’s a clue.
Later, I asked the two presidents of our major divisions the same question. The first said that “you have yet to perform an audit that I wouldn’t gladly pay for”; he also told a visiting state governor that “internal audit gives the company a competitive advantage”. The second president told a visiting state attorney general that “internal audit helps keep the company efficient”.[1]
These are also clues.
Others lie in work by Deloitte and Ernst & Young with respect to risk management. Deloitte asked board members and executives whether risk management “helps then set and execute on strategy”. That is a very perceptive question that strikes to the core value of risk management. Ernst & Young says that “effective risk management gives leaders the confidence to take risk”. I like that very much as well!
So what is the question that we should ask board members and executives about internal audit?
Does internal audit provide you with the assurance you need to have confidence in the ability of the organization’s people, processes, and systems to lead the company to success? Where there are opportunities to improve, do they provide actionable information that enables you to make the appropriate changes?
Note that I didn’t mention either risk management or internal controls. Both are included, essential enablers, of effective systems, processes, and so on.
I don’t want to ask them questions about risk and controls. I want to ask whether our work helps them be more successful.
What is the question you would ask?
Do you like mine?
What do you think the typical answer would be from board members and executives?
Is there a similar question that the board should be asked about the CEO and CFO?
[1] For more internal audit stories and how I came to my views about internal audit effectiveness, please consider World-Class Internal Auditing: Tales from my Journey
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
Occasional Contributors
