Must the continuous and periodic internal assessments be done?
Yes, the continuous and periodic assessment of the internal audit function should be done to help the internal auditors avoid big surprises that often come with the external independent assessments. The assessments help the internal audit function to achieve the following:
- be well prepared for their job with the required knowledge, skills and experiences,
- proactively identify the gaps, strengths and improvement opportunities within the internal audit operations and take appropriate actions to address the issues quickly,
- have constructive engagement with the senior management, executives, board committees and the independent external assessors.
What are the common statistics that are used for measuring Internal Audit effectiveness and efficiency?
Based on my field work experience on delivering GRC solutions across many industries and jurisdictions and discussion with other professional colleagues, my observations are as follows:
Most organizations capture some statistics relating to their internal audit engagements for certain periods and include them in their audit reports. The most popular of the statistics collected and reported are:
- Percentage of audits completed versus number of audits planned for the period in scope.
- Percentage of audit hours spent per internal audit staff on the specific internal audit categories (such as fraud investigation, process audit, ICT audit, data analytics). Each organisation classifies its own audit strictly based on priorities and preferences.
- Number of professional certifications, training and hours achieved during the periods. This can be expressed in percentages against planned or absolute values.
- Number of audit findings closed or recommendations implemented versus total number of findings made.
- Total number of findings outstanding versus total number of findings made and age outstanding.
Few organisations include other measurement metrics that reflect the alignment of the impacts and contributions of the Internal Audit work activities and products to the achievement of the overall corporate strategic goals and objectives. The key drivers for the assessments are the business needs, stakeholders’ expectations and the internal audit mandate as approved by the Board Audit Committee to ensure that the balanced scorecard principles are deployed for developing quantifiable and measurable Key Performance Indicators (KPI) for the assessments.
What are the key problems associated with reporting the statistics of the Internal Audit effectiveness and efficiency?
- Most internal audit work activities are driven by control-based ad-hoc plans rather than robust risk-based operational and strategic plans. The Risk Control Self-Assessment Model (RCSA) is not often applied for conducting risk assessments (identification and computation of sizes) to ensure extensive involvement and engagement of the process, risk and control owners or core business functions for real total ownership. This limits maximum impact and contributions by the process, risk and control owners and the assurance providers.
- Lack of common use of a well understood risk taxonomy across the business to ensure consistency of operations across the board. Risk definitions and interpretations are often misunderstood, and different measurement parameters are used by different assurance providers and the core business functions. A large number of the assurance providers and others perceive risks to be consequences and absence of controls while controls are defined as activities.
- Non-adherence to the SMART principles of reporting audit findings and solutions. Robust root-cause analyses are not often done on the critical findings to ensure that the best fit recommendations and actions are taken to address the real issues. Most reported issues address symptoms, and this makes known big issues keep recurring in the business while the emerging ones with high potential impacts are totally missed or neglected.
- Most do not collect accurate and complete verifiable data on the financial values attributed to actual losses caused or future losses preventable by the findings and recommendations proffered.
- Most risk and control ratings, appetite and tolerance are based on simple descriptive rating scales that are mostly verbose.
- Most audits are not commenced and completed with a focus on the organization’s vision, mission, strategic goals and intents of the company and core values or strategic thrusts of the company.
- Quantifying perceptions becomes an issue, particularly where a weak company Board with a large number of the Non-Executive Directors are not well informed of their organization’s risk exposures, responses and the effective management concepts.
The major implication of the above problems is that the statistics reported by the auditors may indicate impressive performance but lack real added value. When auditors work with audit plans that are faulty, a lot of time will be spent doing mundane things that are just eating up the company’s precious and scarce resources without adding the much needed value. Computing the correct values for cost savings and audit findings significance will become a big challenge.