The value of internal audit (IA) and the benefits it provides may not always be readily apparent to those undergoing an audit or to organizational decision makers. This varying perception of contributed value has led to a disparity in the ways that internal audit exists within different organizations, further complicating the role of this critical function. Some organizations maintain an established, mature internal audit function, while others outsource the management and completion of their internal audit plan. Still others perform periodic internal audit projects on an ad-hoc basis – generally in response to specific risks or negative events that have occurred.
While internal audit may not have always been perceived as adding value to organizations beyond checking a regulatory box, it can play a vital role in overall operational enhancement. Internal audit has become an important component of proactive, forward-thinking organizations that strive for continuous process improvement while seeking to reduce organizational risk.
Internal audit is not a one size-fits-all solution and will not mean the same thing to all organizations. Decision makers may ask, “Why should I subject my organization to additional audits?” A well-performed internal audit can add value to an organization that greatly exceeds the temporary effort of undergoing the audit process.
The concept of adding value is a primary goal of IA. The Institute of Internal Auditors (IIA) defines internal auditing as the following:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Through adherence to this definition and the standards and best practices of the profession, internal auditors consistently seek to add value for the clients they assist.
When is Value Added by IA?
Internal audit’s role in an organization is to provide an independent assessment of the processes and controls under audit and provide recommendations for enhancement. Value is realized when the benefits of those recommendations exceed the costs or efforts of their implementation. Examples of areas where value is added either directly or indirectly as a result of internal audit include:
- Improvement in business operations (e.g. reduction in errors, improved quality)
- Increased efficiency/process simplification (e.g. elimination of redundancies, reduction of manual process, reduced time to accomplish tasks/objectives)
- Decreased cost, increased profit, increased cost recovery (e.g. identification of overpayment, analysis of potential cost savings)
- Reduced risks and exposure (e.g. enhanced control environment)
- Enhancement of policy and procedures (e.g. formalization of documentation, inclusion of necessary detail)
- Increased organizational/process communication and transparency (e.g. defined communication lines, formalization of communication frequency)
- Increased regulatory compliance (e.g. identification of compliance gaps, process enhancement to ensure compliance coverage)
- Enhanced oversight (e.g. formalization of reporting and approval workflows)
In order to provide the greatest value to an organization, IA seeks to make the most significant, high impact, high quality, practical recommendations that can reduce risk, improve operations, decrease costs, and increase profits. The value of an internal audit function diminishes when auditors focus on insignificant, low impact, surface-level observations and recommendations.
Overall, however, the realization of IA’s value is not added until recommendations are accepted and implemented.
How Do I Know If My Organization is Realizing Value from IA?
Organizations should periodically assess the value they are receiving from their internal audit function. This assessment should be independent of those conducting audits. A method of evaluating value is through the Pareto principle, also known as the 80/20 rule. This rule can be interpreted in internal audit to mean that audit recommendations should be limited to the “vital few” that add real value (20%), rather than the “trivial many” that add no meaningful value (80%).
Internal audit clients should prepare a return on value metric for audit recommendations which considers the costs for implementation against the associated benefits. An internal audit client who is consistently finding the benefits of recommendations to outweigh the costs can feel confident in the value received from IA.
For additional, detailed examples of how value may be added through internal audit, please contact our Risk Management team.