Norman Marks on Governance, Risk Management, and Internal Audit

I have recently seen a few articles that discuss this issue, including:

• Metrics that Matter: Measuring Internal Audit’s Performance by Karen Kroll
• Report: Risk Orientation is Critical to Chief Audit Executive Effectiveness from the staff of IA360
• The biggest secrets to being a great internal auditor in 2024 and beyond by Hal Garyn
• Are Internal Auditors as Efficient as They Expect Others to Be? By Richard Chambers

X

Before diving into these pieces, I want to recommend the use of a maturity model to assess an internal audit function. While there is huge value in asking our customers to assess our value to them and their success, it is also hugely valuable to assess the structure, process, and staffing of the internal audit department – and I believe a maturity model is the best way. One can be found (mine) in Is your internal audit world-class? A maturity model for internal audit.

Also before considering these articles, I want to make another very important point:

Compliance (or conformance) with the IIA’s Standards is neither an indication nor a guarantee of quality internal audit practices and the delivery of the valuable assurance, advice, and insight our leaders need in driving the organization to success.

I am not saying that we should ignore the Standards or deliberately violate them. They are useful food for thought. I have written elsewhere about their shortcomings and will not repeat them here. (OK, I lie; they provide guidance on auditing risks to a process or auditable entity rather than risks to enterprise objectives (true risk-based auditing) and confuse an audit universe with a risk universe; they fail to talk about insight; they mandate excessive red tape requirements of low value; and more.)

X

Now let’s review the first of these four articles. It’s a good place to start as it discusses metrics that many have used for ages – even though they are totally useless (I’m not pulling any punches today) and even point departments in the wrong direction.

It identifies:

• Measuring the percentage of the plan completed. In these days of dynamic change, internal audit departments should be updating the audit plan (at the speed of risk and the business) continuously to address the more significant sources of risk to enterprise objectives. 100% completion of an annual audit plan that was developed at the beginning of the year (or even late in the prior year) is an indication of fragile rigidity instead of agility. Almost certainly, audits have been performed of areas that are no longer a significant source of risk, and new or changed sources of risk have been overlooked.
• Measuring actual hours against budge We need to spend the time necessary to deliver optimal value. If that is not in line with the budget, change the budget. Again, we need to be agile instead of having our heads stuck in the mud of bureaucracy.
• Measure audit cycle times and issue reports within 15 days of completing fieldwork. Where is the focus on providing the valuable assurance, advice, and insight our customers need when they need it? Take the time to work with management to get the right changes and controls in place, not just to issue a report with recommendations.
• Measure auditor and technology utilization rates. I will agree there is value in knowing that the team is being efficiently deployed, but why the rush to deploy analytics? When you are agile and auditing controls over the risks of today and tomorrow, you rarely audit the same area annually – and the ROI of single-use analytics can be questionable. (It requires easy and fast-to-use tools, without a significant investment in building the routines.)
• Put a dollar value on audit recommendations. There are few ideas that will create as much conflict with management! So much better to simply ask management whether IA has helped them do their job. See my questions at the end of this post.
• Measure the level of automation in recommendations. This is a very strange idea, that including automation in recommendations (setting aside the issue that we should have agreed action items and not recommendations) is a measure of internal audit effectiveness!
• Tracking the percentage of audit recommendations that are closed. It should be 100% if internal audit is listening to and working with management to agree on the corrective actions where management believes it is in their own best interest to effect the agreed changes. However, the article talks about performing audits to confirm the change has been made – a low value activity when there are so many risks of significance that could be audited instead.
• Surveys of auditee satisfaction. This is #1, #2, #3, and more – in fact, the only way to measure the value of internal audit is through the eyes of our customers in management and on the board. Surveys are of questionable value, but open discussions and interviews are invaluable.
• Risk coverage ignores the whole concept of agile, enterprise risk-based auditing.

X

Next is a piece from the staff of IA360 on risk orientation. It quotes Tim Berichon, an analyst with Gartner. (Tim tells me that they just reposted Gartner’s press release.) He says (and I agree with him):

“Risk orientation was the single biggest factor driving high CAE personal effectiveness scores in our study…. CAEs with high-risk orientation improved their personal effectiveness by up to 47%.”

Risk orientation results in the CAE’s audit plan aligning with top enterprise risks, and audit’s risk assessment aligning with other functions. Further, audit recommendations are well-aligned to enterprise risk appetite.

“Everything internal audit does should be oriented to risk… Given the importance of risk orientation, it’s also interesting to note that effective CAEs are more likely to actively participate in enterprise risk management (ERM).”

X

The third article is by an experienced practitioner and thought leader, Hal Garyn. I expect more and he delivers.

I like his ideas, which I will summarize as:

• Pay attention and prioritize your relationships throughout the organization. This is especially difficult if you are unable to meet people face-to-face.
• Lean forward to the risks (and opportunities) of tomorrow and be ready to help management navigate them, especially those involving new technologies.
• Have a business focus and see your value as helping each manager and the business as a whole succeed.
• Don’t forget the need for root cause analysis. When there is a problem, work with management to fix more than the symptoms.
• Pay attention to your professional development (even as CAE).
• Share information as a team.
• Help your team and your teammates succeed.

X

Richard Chambers has the last word, or at least I am covering his piece last.

I like this part of his blog post:

The longer that I led internal audit departments, the more that I came to realize that efficiency reviews of internal audit shouldn’t wait until the chief financial officer is knocking at the door with pink slips to hand out. Instead, we should maintain a continuous focus on our processes and procedures. There is comfort in having a deep understanding and trust in processes that have been used and perfected over the years. These tried-and-true processes and techniques are taught to new practitioners and offer valuable benchmarks for comparing performance over time. But reliance on this kind of thinking leads us to the punchline of a meme.

Q: How many internal auditors does it take to change a light bulb?

A: It depends. How many did it take last year?

In a dynamic business atmosphere where risks emerge and mature at lightning speed, we as a profession cannot afford this meme mentality. For many internal audit teams, something has to change!

He quotes Toby DeRoche on agile auditing. I have added some language (sorry Toby).

Much has been written in recent years about “Agile Auditing.” My friend Toby DeRoche is one of the foremost experts on the subject, and he defines agile auditing as “… an iterative approach to developing and executing audits, based on a shorter audit lifecycle from assessment to reporting, which focuses on gaining and sharing insights with management related to the most urgent risks in an organization…Agile auditing focuses on the risks that matter most to management right now and will matter tomorrow.”

As Richard indicates, internal auditors must be constantly looking to be more efficient as well as more effective, providing the assurance, advice, and insight the organization needs to succeed, when it needs it. (For an explanation of “assurance” and what it really means, see my latest video.)

They need assurance about the more significant sources of risk (including opportunity) of today and tomorrow.

Any metric must take that into account.

X

We need to make sure we are measuring the value we provide, not how quickly we can issue a report.

The only way to know is to ask the customer and get an honest answer.

Ask them:

• Are we helping you and your team succeed?
• Are we wasting any of your time?
• What can we do better?
• Is our work so valuable that you would willingly pay for it out of your own budget?
• Are you thinking of hiring any of the audit staff?

You should also ask yourself:

• What activities can I eliminate without adversely affecting the value of our work to our customers (i.e., are we Lean)?
• Do we have the right people to do the work and deliver the quality product our customers need?
• Are we addressing the risks of yesterday, or the risks of today and tomorrow?
• Are we working with management or perceived as something other than a partner? Do they embrace our advice and insights?
• Is their welcome honest and sincere?
• Do we have the budget we need? If not, why not? Is it because our value is not what we think it is?
• Have we earned a seat at their table?
• What can I change today for better value services tomorrow?

I welcome your thoughts.