internal audit’s contribution to value

The decline in the economy is impacting most organizations. Tough economic times are causing the ‘value’ question to be asked about many aspects of and groups within an organization. It is always a good practice for management to evaluate its organization and to understand the role and criticality of its people, processes and technology. It is a potentially time consuming and expensive exercise and the cost/benefit of performing this exercise has to be carefully weighed. Scarce resources force the hand to make this exercise necessary.  It can be akin to a zero based budgeting exercise or an effort to lean a process and remove unnecessary areas. 

Naturally, the value question will also be asked about the internal audit department. Some in the organization will jump at this opportunity to say “off with their heads!” All joking aside, in my experience I have seen this resistance and aversion to internal audit and have strived to not take this personally. Thankfully the stereotypical auditor is not innately a people pleaser. A comment was recently made to me during an audit that implied I needed to make good recommendations in order to justify my existence in the organization. I won’t tell you what my response was to that comment. You can fill in the blank. 

So, what do internal auditors bring to the table?

Are internal auditors 

a) enforcers, 

b) evaluators, or 

c) collaborators

Often we are seen as enforcers – making people do things they don’t necessarily want to do; or evaluators – the more extreme term being that of ‘judge’. Our role is seen as those that make judgments on someone else’s work and this judgment can come across as critical, potentially damaging and at its extreme, condemning. By nature of internal audit, we have to make judgment, or the technical term of forming an ‘opinion’ of the process we are evaluating. 

With such a perception even often prior to the start of any internal audit work, it is natural for a first response to audit to be self-preservation and protection, and it can be challenging to gain trust. The inclusiveness of being invited into a conversation and to the table prior to management decision making is even more of a stretch. Can internal audit hand in hand ‘judge’ what has happened in the past and add value to future decision making? In addition to being viewed as enforcers and evaluators, what would it look like if internal auditors were also seen as collaborators?

Technically, internal audit is an objective assurance and consulting activity. One of the definitions of assurance by Merriam-Webster is something that inspires or tends to inspire confidence. Simply, I like to think of it as helping to ‘make sure’ that internal controls and processes are right. We are providing assurance that internal controls are in place and working. Audit’s focus should be on controls that facilitate management’s achievement of objectives.

As auditors, if we focus first on objectives, and not risk and not controls; we will be focused on what the business is focused on – their goals, what they are trying to achieve. The risk and control assessment will be a natural secondary consideration when objectives are considered first.

An internal auditor’s work should be aligned with business objectives. As stated in the IIA’s international standards for the professional practice of internal auditing (IPPF), the purpose of an audit is (i) effectiveness and efficiency of operations, (ii) compliance, (iii) safeguarding of assets and (iv) reliability and (v) integrity of financial and operational information. It is a foundational aspect of doing business to comply with applicable laws and to have financial and operational information that are reasonably accurate. Additionally, any reasonable manager will naturally strive to safeguard their assets. The component of effectiveness and efficiency of operations is a more subjective measure but typically corresponds to effectiveness of meeting organizational goals/objectives and doing so in a manner that provides the best value for the resource expended. 

Compliance, reasonably accurate financial and operational information and safeguarding of assets are necessary foundations for doing business. They are basic building blocks for good governance. However, these factors alone are typically not the critical success factors or unique characteristics that set a business or organization apart from its peers or give it a competitive advantage. Often, these criteria are components of effectiveness and efficiency of operations, which are driven by key organizational goals. 

The question then from an auditing standpoint is – how would you evaluate the effectiveness and efficiency of operations given the often subjective nature of this aspect of a business? It is typically in this area of effectiveness and efficiency of operations that auditors can provide the most value to management. 

An example is provided below:

-Management desires to enter into a partnership that has potential to bring in significant revenue to the organization

-The recording of this revenue is straightforward: if the money is received revenue is recorded, but if it is not received, revenue cannot be recognized. Therefore in this example compliance with GAAP is not a concern

-Other types of compliance are specific to any contracts and agreements that might exist between the parties

-Safeguarding of assets is also not a high risk due to few cash based transactions

-What are management’s drivers for decision making in this situation and related risks? A few things that come first to mind are (i) revenue, (ii) ability to deliver on the contractual promises, (iii) reputation, and (iv) potential for this partnership to open doors for future opportunities 

-How can audit contribute to this transaction? The first obvious answer is that we cannot make the decision – that is management’s role. If we were involved in assessing the decision, which is typical of audit efforts, we could start with the typical compliance related aspects such as (i) ensuring revenue recorded is actual revenue, (ii) ensuring the contract was properly executed with all the appropriate approvals, and (iii) ensuring that it is an arms-length transaction. 

-However, what about other aspects of the organization such as consistency of the decision making with organizational objectives? How would we evaluate management’s assessment and balancing of the risk and opportunity? If some aspects of the potential partnership further the organization’s objectives while other aspects potentially hinder the organization’s objectives, what factors will be weighted higher to strongly influence the decision? How does management formally or informally set risk tolerances? Are processes in place to fulfill on the promises made as part of the partnership? These are some questions that an auditor could ask and assess when evaluating this potential partnership that could add value from the perspective of helping the organization gain clarity on their stated objectives, help ensure alignment of internal decision making with organizational objectives and facilitate organizational cohesion and unity around objectives.

There is a diagram on page 4 in PWC’s excellent article – Building a strategic internal audit function. This diagram has been a great visual aid for me in my role and provides greater clarity on the range of internal audit roles and contribution within an organization. 

In summary, internal auditors are risk and control experts. First and foremost we provide value specific to the foundational aspects of business – compliance, reasonably accurate information and safeguarding of assets – if it is lacking. In more mature organizations, we also contribute to product and process improvement and ideally will also influence improved governance and risk management.


2 Responses to “internal audit’s contribution to value”

  1. March 16, 2012 at 12:08 pm

    Eline! Thanks for the detailed post on value addition of internal audit function to an organization. Resistance to internal audit activity is a global phenomenon. And we here in India are no exception.

    I liked your thoughts on enforcers, evaluators, and collaborators which made me think hard. Here in India, we (our internal audit function) are working intentionally on scaling up our services provided to the management.

    Rather than performing mere compliance audit, we have decided to focus on providing advisory services like value for money audits, performance audits, process audits, etc. Instead of embracing policing attitude, we strive to provide overall assurance on governance, risk management, and control. And, we are building our team members’ capacity in that direction. In simple terms, our ultimate objective is to become the trusted advisors to the management. We would love to seen as key agents of change in the organization. In that level, ideally the CAE will be advising and influencing the top level management in their decisions (be it business or administrative). I feel that will be a true sign of Internal Audit’s success.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


March 2012
« Feb   Apr »



Online Accounting Degree blog feature

%d bloggers like this: