Skip to main content

Although internal audit (IA) has been around for more than 80 years, many organizations may not fully appreciate the value IA brings—or know how to optimize that value. Too often, even responsible executives may take a “check-the-box” approach to this third line of defense, missing out on the full potential it can deliver. By widening the aperture for how you assess IA quality, you can also expand IA’s value proposition in the eyes of your audit committee.

It’s practically a given that a strong internal audit (IA) function is critically important—and a cornerstone of good corporate governance. It’s legally required for public companies listed on the NYSE and strongly encouraged for those on Nasdaq, and even companies that are privately held.

But in today’s complex risk environment, chief audit executives (CAEs) need to go beyond regulatory mandates and traditional expectations. As Richard Chambers, former CEO of the Institute of Internal Auditors (IIA), said in a 2020 interview with the Wall Street Journal, internal audit is embracing a broader risk advisory role to help companies better manage an array of non-financial risks.

By providing valuable insights about the risks that are most important to their audit committee chairs, forward-thinking CAEs can expand the value of the IA function and elevate their position within the corporate governance structure.

Quality Assurance vs. Assurance Quality: Taking a Multi-Dimensional Approach

One way to demonstrate IA’s value to the audit committee is through a multi-dimensional assessment, meaning you’re not just evaluating quality assurance but also assurance quality. What’s the difference?

Quality assurance refers to the external review of the Quality Assurance and Improvement Program (QAIP) program, which is required for IA departments to conform with IIA standards. External recommendations—known as external quality assessments (EQAs)—are commonly conducted every five years through independent IA evaluations.

Assurance quality, on the other hand, expands on the external assessment by tracking and quantifying key quality indicators (KQIs). This considers the assurance quality IA provides from the perspective of the audit committee, focusing on value and the ROI of time and resources.

Two-dimensional IA “assurance quality” concepts and metrics combined with traditional one-dimensional IIA quality assurance of conformity with the IIA Standards measurements can transform IA value to audit committee customers. That should be the contemporary focus of future IA quality assurance and assurance quality.

Evaluation of Internal Audit: Going Beyond the Standards

The core purpose of an external quality assessment is to assess and validate that the CAE’s management of the IA function conforms with IIA standards. However, a comprehensive independent IA assessment goes well beyond that and may include:

Assessing IA’s long-term investment and contributions to the audit committee’s governance strategy and the CAE’s measurable impact on governance KQIs.

By measuring the quantitative extent of assurance quality, the CAE can highlight gaps and opportunities for improvement in IA coverage that add further independent assurance value to the audit committee and the organization. For example: To what extent are complete data populations assessed through data analytics to determine compliance with internal policies and procedures for accounts payable, revenue and pricing, inventory or fixed assets?

Evaluating the CAE’s IA strategic plan and its alignment with audit committee expectations to optimize and quantify assurance KQIs against the risk and audit universe.

Comprehensive evaluations of IA functions often result in a recommendation to provide an illustrated road map of improvement in terms of cost-benefit, coverage, and impact from the audit committee’s point of view. For example, the CAE could align and demonstrate the linkage between transactional, process, and strategic risks to reveal gaps or overlaps within IA project investments that impact assurance quality insights.

Assessing the skills of IA team members against the audit plan.

Think “Moneyball” (the application of analytics to improve outcomes). Is it just coincidence or good luck that your team has the process-level knowledge and skills to conduct all the audits on the audit plan competently? Or, maybe you don’t have the necessary skills on board. In that case, co-sourcing can provide a deeper bench to help you create a “winning IA assurance team.”

Need help making your case to the audit committee? Create a graphic mapping the skills you have to the skills you need to quickly show how co-sourcing fills critical gaps in specific internal process-level expertise.

Evaluating the IA team’s written IA methodology, with emphasis on benchmarking the thoroughness of the six phases of an IA project:
  1. Planning
  2. Fieldwork
  3. Reporting
  4. Close-Out
  5. Follow-Up
  6. Quality Assurance and Continuous Improvement

Variability between each IA project manager could uncover hard-to-detect exposure to assurance quality shortcomings.

Reviewing IA’s ability to adapt and be agile and relevant in the way it provides assurance quality on an ongoing basis.

This would represent a quantum leap forward in quality assurance and how the audit committee looks at IA.

Consider the Impacts and Benefits of Cost Accounting Econometrics for Internal Audit Assurance Quality

Each year, as audit committee chairs evaluate the value IA brings to the third line of defense, they should consider to what extent they have insight into internal audit’s assurance quality. Audit committee chairs focused on expanding their expectations for more governance insight should consider the following econometrics:

  • What if you could use a simple, standard cost accounting formula to calculate the “IA cost of goods sold” to price the cost of the internal audit value they provide to stakeholders? Cost considerations may span each of the six phases of an IA project. And additional standard costing could be applied to other services provided by IA, such as SOX, consulting projects, administrative downtime, and training and development, including time away from the IA audit process as well as the cost of training, data mining/analytics and data visualization, etc. A view into this approach to costing could give real insight into the ROI from IA economic activities.
  • What if you could use simple cost-accounting calculations on each phase of an internal audit project to measure the density of time and cost variances between each IA project manager by IA audit phase, including performance insight, comparability, and measurable QA improvement? Such a view could help you apply the methodology more consistently and provide more insights into performance improvement opportunities.
  • What if CAE peer groups could benchmark the cost accounting performance econometrics between companies as a comparative analytic to validate the soundness and completeness of their IA methodology vs. peer companies and present this to the audit committee?

Econometric data focused on internal audit’s “cost of goods sold” would provide an interesting opportunity to compare the “price” that auditees and/or stakeholders would pay for IA insights. CAEs should consider how auditees would respond if asked, “What would you pay for the value provided by this audit?”

As a practical matter, most organizations will probably not implement formal IA costing or place a specific dollar value on IA reports. But it’s worth analyzing the value IA provides.

Is your IA department providing optimal value to your organization?

RGP’s Internal Audit consultants have decades of experience and expertise with internal audits and assurance quality assessments. We can help with outsourcing or co-sourcing as well as fractional CAE services to help you develop assurance quality KQIs. Need support in these areas? Let’s talk.