Hold internal audit to the same standards of continuous improvement to which operational functions are held.
Internal audit needs to operate like other facets of the business, holding itself accountable for operational excellence, continuous improvement and tracking impact.
Internal audit functions should use define, plan, execute and evaluate drivers to:
- Design the value charter and scorecard
- Determine an optimal operating structure
- Conduct real-time risk assessments
- Execute a focused, dynamic audit plan
- Evaluate successes and monitor KPIs defined on the value scorecard
Design the value charter and scorecard
The value charter should include a vision statement and commit internal audit to:
- Delivering consistent, seamless and high-quality service to the organization
- Being recognized as the catalyst for strengthening the organization’s control performance
- Serving as a catalyst for the enhanced efficiency of the organization’s control environment
Developing a value charter enables internal audit to effectively measure the value it delivers to the organization. In addition to the value charter, developing a value scorecard is essential for measuring internal audit’s success.
Traditional KPIs have focused on internal audit’s productivity, such as utilization or completing the audit plan — as cited by 41% of survey respondents. However, more effective KPIs focus on the value internal audit is delivering to the organization.
Measureable value-drivers can include:
- Business unit cost savings realized
- Leading practices implemented
- Benchmarking and business insights internal audit brings to the business
- Percentage of subject-matter resources that increase an audit’s depth or value
Determine an optimal operating structure
There is no “one-size-fits-all” organization structure for every internal audit function. An organization could be centralized, decentralized or a hybrid hub. When we asked respondents how their internal audit function was structured, there was an almost 50-50 split between functions that were centralized in one location and functions that were structured another way.
When selecting an internal audit structure, CAEs need to make a confident choice on internal audit’s structure — centralized, decentralized or a hybrid — based on organizational alignment, risk tolerance and the culture of the organization.
Conduct real-time risk assessments
Improving the risk assessment process is the number one priority of CAEs and stakeholders alike. Identifying risks that are truly significant to the business is the first step to effective risk management and monitoring.
Risks are always changing. An annual risk assessment is no longer enough if internal audit wants to remain relevant to the business.
Focus regular risk assessments on enterprise-wide coverage, management participation and a direct link back to the company’s overall strategy.
Evaluate successes and monitor KPIs defined on the value scorecard
Becoming more relevant to the business was cited as a key priority for CAEs in our survey. And yet, only 18% of respondents use support of key business initiatives as a metric to measure internal audit’s effectiveness.
To help internal audit execute effectively and achieve the objectives established in the internal audit strategy, the function needs to be able to regularly track its performance.
<< Previous | Next >>