Le Khanh Lam - Partner and head of Tax and Consulting Services, RSM Vietnam
In order to establish how to measure this, you have to start with agreement among the head of the function (the chief audit executive or CAE) and stakeholders (primarily the audit committee) on the role and the objectives of the audit.
According to the Institute of Internal Auditors (IIA), the definition of internal auditing is “an independent, objective assurance and consulting activity designed to add value and improve operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Internal auditing is effective if it provides the audit committee and executive management with the assurance they need, namely that they can rely on the organisation's processes and systems to manage risks to the achievement of its objectives. That means providing assurance on the risks that matter to the company today, in a form and timeframe that is useful. Additional value is provided through the role of internal auditing as a change agent, making recommendations for improvement that are embraced and acted on by management.
How do you put a value on assurance? You will be less worried about the difference in quality and taste of the food at King BBQ restaurants in different places because you know that each restaurant must strictly follow the quality process and ensure the consistency of the taste of food when joining the franchise of the King BBQ restaurant chain.
How much would you then pay, as a board member or top executive, for assurance that the processes and systems that you rely on to run the business are working properly – assurance that is so reliable that you don’t even think about it?
It is hard to put a value on peace of mind, but that is the greatest value an effective internal audit function can provide. The only way to determine whether an internal audit is effective is to ask the stakeholders whether they are comfortable that they are receiving the assurance they need on the risks that matter to them and to the organisation. Then you start looking at additional value that is provided.
Let’s examine some traditional measures and discuss their value and relevance for a hypothetical group (see table). At first glance, this looks like an effective internal audit department.
This department completed 95 per cent of the engagements in its audit plan. But if that was an annual audit plan, this may be an indication that they remained glued to their plan even when risks changed. They failed to audit what matters now. Instead, they blindly continued to audit what used to matter.
When you have a flexible audit planning process that adjusts to changes in the organisation’s risk profile, percentage completion is meaningless.
An increase in audit findings does not indicate productivity. An effective internal audit department will, over time, contribute to the improved maturity of governance, risk management, and internal control systems – such that exceptions and so-called findings will diminish.
When 80 per cent of recommendations are accepted and implemented, 20 per cent are not. A 20 per cent defect rate is abysmal. Was the audit getting the recommendations wrong? Were they not accepted because they didn’t make good business sense? Or was the internal audit not able to persuade management to effect the change?
When you have a defect rate of 20 per cent, the quality of the audits and reports is called into question. Frankly, the acceptance rate should be above 99 per cent.
Cost savings of VND5 billion (nearly $217,400) are excellent, but only if they are not delivered by diverting resources from essential assurance activities to efforts to demonstrate that the internal audit adds value. Too many businesses have focused on the latter but failed to address critical risk areas such as ineffective risk management, poor information to support decision-making, and governance issues.
Staying within budget is very good. But internal audits should be prepared to go to the audit committee for additional funds if new or changed risks emerge. Budget limitations are not a valid excuse for failing to engage and address unanticipated high-risk areas.
Passing the IIA’s quality assurance review (QAR) is all well and good, but it is not a guarantee that the department has delivered the necessary assurance and consulting services. Many departments have passed the QAR but failed to audit risk management, or to report the lack of risk management to the audit committee.
The CAE should propose measures and metrics that support an assessment by the audit committee and top management that internal audit has been effective.
There are several questions that should be asked to stakeholders at least annually:
* Do you believe the internal audit has provided you with the assurance you need?
* Has the internal audit been sufficiently responsive to changes in risk, ensuring it remains relevant?
* Has it been a positive agent for change, improving business efficiency and effectiveness?
* Are you satisfied that the cost of the internal audit is less than the value of the assurance and consulting services it provides?
* Are there activities that the audit should stop performing and have there been activities you would have preferred not to pay for?
* How can an internal audit improve its services to the audit committee, management, and the organisation as a whole?
In general, assessing the effectiveness of internal auditing should not focus only on the figures achieved and the key performance indicators set; you also need to review and consider the changes in and maturity of the business, and take into account the needs of stakeholders.