Measuring the effectiveness of internal audit function

Internal audit, as per the IIA Global Internal Audit Standards, serves as an independent, objective, and value-adding assurance and advisory function within organizations. To effectively convey the value of internal audit (IA) efforts to key stakeholders — including audit committees, boards of directors, management, and audit clients — the IIA has introduced a straightforward messaging tool. This tool underscores the core elements of value delivered by IA: assurance, insight, and objectivity.

IA offers assurance on governance, risk management, and control processes, aiding organizations in achieving strategic, operational, financial, and compliance objectives. Moreover, it serves as a catalyst for enhancing organizational effectiveness and efficiency by providing actionable insights derived from data analysis and process assessments. With a commitment to integrity and accountability, IA serves as an independent source of advice for governing bodies and senior management.

The continuing discussion and dialogue for IA and company management revolves around measuring IA performance value. Drawing from extensive experience in international firms, various KPIs have been explored. These include monetary assessments of IA findings, which are deemed inadequate by some, and metrics such as the number of audits per auditor, timely implementation of IA annual audit plan, fulfillment of IA transformation projects, and enhancements in IA team caliber. The market also uses such KPIs as decrease in issues, decrease of financial losses due to fraud, and others dictated by industry specifics. While customer feedback and increase IA satisfaction score are also considered, challenges persist in its calculation.

The implementation of an IA plan is questioned as an effective KPI, as its execution does not always correlate with high-quality audit engagement work. Monetary evaluation of risks and savings opportunities identified during audits faces limitations, particularly in non-quantifiable risk domains such as cyber risk or compliance-related risks.

While enhancing IA team caliber and tools is crucial, concerns arise regarding the effectiveness of setting these as KPIs.

Stakeholders, particularly CEOs, emphasize the need for IA to not only meet business expectations but also report unrecognized emerging risks comprehensively.

Recent discussions with management highlight the expectation for internal auditors to provide deeper insights into business process effectiveness, integrating best international practices and benchmarks. Aligning with IA’s value proposition and management expectations, KPIs for the IA team now prioritize those that best reflect IA performance, incorporating management feedback and customer voices.

For our Company, the following four key KPIs (all are independently calculated based on respective questionnaires, up to 30 questions) have been identified, focusing on stakeholder satisfaction, proactive identification of significant risks, post-audit engagement assessment, and alignment with strategic objectives. While alignment and agreement on these KPIs mark progress, the importance of considering stakeholder maturity and IA’s role in fostering stakeholder awareness cannot be overstated.

KPI-1, Post-Audit Engagement Assessment: Delving into the nuances of audit engagements, this KPI evaluates IA’s liaison with auditees, comprehension of business details, value of observations, and tangible progress exhibited since the last engagement.

KPI-2, (CEO and CXOs) and KPI-3, (Audit Commitee) Satisfaction Index: Reflecting the contentment levels of audit clients, management, and audit committees, this indexes measure perceptions on IA strategy, governance, team quality, process effectiveness, and overall IA results delivery.

KPI-4. High-Risk (above the risk-appetite) Identification: A pioneering KPI aimed at forecasting significant risks poised to materialize, this metric fosters proactive risk identification and mitigation strategies. Collaborative dialogues between IA and management facilitate the delineation of risk descriptions and measurement thresholds, spanning operational, financial, compliance, legal, and strategic domains.

In summary, the effectiveness of IA is now measured through a refined set of KPIs, underscoring the alignment between IA efforts and organizational goals. Moving forward, continuous adaptation and awareness-building efforts are essential to harnessing IA’s full potential in safeguarding organizational assets and reputation while driving strategic success.

Hayk Karamyan