Audit Department Excellence Model


Published on

I’ve created a model that enables audit leaders to determine where their group falls across a range of performance levels. The Audit Department Excellence Model, is intended primarily as a means to help guide audit functions toward improved practices, though it can also be used to facilitate dialog with senior management and the audit committee.

Published in: Business

Audit Department Excellence Model

  1. 1. audit performance Manny RosenfeldFramework forExcellenceA multi-dimensional Tassessment tool canhelp audit practitionersdetermine how theirdepartment ratesalong a spectrum ofperformance levels. rue leaders strive to create world-class organizations. Regardless of the profession, world-class perfor- mance maximizes our ability to contribute, pleases our stakeholders, and helps fulfill our mission. This principle certainly applies to internal auditing. However, the path to a world-class audit department is not always clear or easy. To facilitate efforts toward enhancing the audit function, I’ve created an assessment tool — intended for audit shops of any size or industry — that enables audit leaders to deter- mine where their group falls across a range of performance levels. This framework, the Audit Department Excellence Model, is intended primarily as a means to help guide audit functions toward improved practices, though it can also be used to facilitate dialogue with senior management and theFebruary 2013 Internal Auditor 53
  2. 2. Framework for Excellenceaudit committee when seeking their higher level of performance. To deter- of points from selections in the firstsupport for improvement. Practices mine which stage their audit depart- two tables plus the sum of all pointswithin the model draw from numerous ment falls within, auditors complete in the third table will generate a grandprofessional white papers, operational a series of tables with itemized point total. Matching this total to the rangesimprovement and audit leadership values. The first two tables highlight provided reveals the audit shop’s overallexperience with Fortune 500 compa- critical aspects of audit performance. level of performance, as well as prac-nies, IIA recommended practices, For each of these, audit practitioners tices that can help move the depart-and chief audit executive (CAE) round- choose the one statement that best ment toward the World-class portiontable discussions. describes their department. The third of the spectrum. The Excellence Model includes table contains a list of possible auditfour stages — Lagging, Professional, best practices — auditors should select AssessmentAdvanced, and World-class — with from these all practices that are appli- Once the point total from the threeeach stage designating a progressively cable to their department. The sum tables has been tabulated, it can be 1. Mission of Audit Department as Described in the Internal Audit Point Charter Choose one “best fit” statement and circle the appropriate point value for that selection. Value Broadly risk focused as listed below; plus the strategic risks and opportunities for internal audit are fully integrated with the company’s enterprise risk management (ERM) program. Additionally, internal audit pursues substantial operational improvement opportunities, 25 and significant audit resources are allocated toward consultative projects based on management’s requests for assistance. Broadly risk focused; if a business risk can be mitigated by a process or control, then the area is subject to possible audit assessment and improvement. Risk types would include financial, 15 IT, compliance, assurance, fraud, and operational. Mostly focused on assessing internal controls over financial reporting, assurance controls in financial business processes, and important compliance and operational controls (e.g., 10 inventory management, capital project justification, and order fulfillment). Mostly focused on assessing internal controls over financial reporting and assurance controls in traditional financial audit process (e.g., accounts payable, accounts receivable, payroll, 5 fixed assets, payroll, inventory accounting, and ledger accounting). 2. Audit Staffing Practices Point Choose one “best fit” statement and circle the corresponding point value. Value Most staff members have more than 3 years of audit experience and several years of non- For more audit work experience, including operational and other financial/accounting/IT roles. Some information of the auditors have deep expertise in particular areas such as operations, compliance, andon audit function 25 technology and may be serving a stint in the audit department for developmental purposes. performance, Auditors must be certified — or actively pursuing certification — to maintain employment, andsee the The IIA’s more than half possess pertinent advanced degrees. Internal Audit Competency Most staff members have more than 3 years of audit experience (senior auditors and above) Framework at as well as some non-audit work experience, including operational, financial, accounting, and IT backgrounds. Audit management communicates support for certifications, and more than 15 80% of the auditors are professionally certified or actively pursuing a certification. More than half the auditors have pertinent advanced degrees. Most staff members have 2-3 years of audit experience. Some of the auditors have business experience, including operational and accounting backgrounds. Professional certifications are 10 desired, but not a requirement. Most audit staff members have less than 2 years of audit experience and little business 5 experience. Professional certifications (CIA, CISA, CPA, etc.) are not a requirement.54 Internal Auditor February 2013
  3. 3. A recent IIA Audit Executive Center survey notes that only 5 percent 2013 of audit plans will bedevoted to providing assurance on the effectiveness of risk management efforts, a “notably weak” proportion. 3. General Audit Practices Point Choose all that apply and circle the point value for each. Value An independent quality assurance review has concluded that the internal audit function generally meets The IIA’s International Standards for the Professional 25 Practice of Internal Auditing. The CAE has regular and frequent private discussions with the audit committee chair or 20 other audit committee members. The CAE reports functionally to the audit committee and administratively to a top-level authority — ideally the CEO. The CAE has a “seat at the table” and routinely participates in 15 the CEO’s executive meetings. Internal audit is consistently represented on other critical business and functional committees. The audit department uses computer-assisted audit techniques as part of most audits. It 15 also uses data analytics extensively and monitors selected key risks/controls continuously. Functional and business management discuss their areas with the audit staff periodically, expanding the auditors’ knowledge and more closely aligning audit coverage to the most 10 important business drivers and concerns. The department maintains a database of historical audit observations and uses analytics capabilities to identify audit-issue trends for specific businesses and processes, categorize 5 the audit issues, identify common root causes of problems, and provide a mechanism for issue tracking and follow-up. The department’s electronic workpaper tool is integrated with the organization’s ERM tool 5 and methodology. Established metrics/targets for the audit staff are in place (i.e., a balanced scorecard). The Excellence For example: 10 days to issue the final audit report following the exit conference; 60 days Model appears 5 to announce an audit prior to fieldwork; and 95% of remediation steps are completed as in succinct form promised and on time. here due to space limitations. A more A client satisfaction survey is requested following each audit, with a goal of 90% or higher comprehensive 5 favorable average responses (target may vary). model is certainly A “guest auditor” program is in place, where functional experts from within the possible, with organization (non-auditors) routinely join a specific audit engagement under the direction 5 additional tables of an experienced auditor or manager. for categories of audit practices. A training and development program is established that includes traditional technical audit skills training as well as interpersonal or soft skills (e.g., communications, conflict 5 management, team dynamics, and cultural awareness). Auditors are required to have at least 60 hours/year of relevant training. The audit group keeps abreast of emerging best practices by, for example, participating in CAE roundtables, attending seminars, reading professional white papers, and using 5 benchmarking studies such as The IIA’s annual GAIN program. Bonus Points: The department engages in at least one other practice that could be 5 considered World-class. Total Points: To obtain rating, add the circled point values for all three tables.compared to the following ranges to and many of the practices in the third departments have a passion for beingcategorize the audit department’s perfor- table have to be selected. at the forefront of the profession andmance level. There are a variety of ways continually implement best prac-to earn points, but to reach the World- From 140 to 170 Audit shops fall- tices. This stage is difficult to achieveclass range of performance, the highest ing within this range are considered unless the underlying organization ispoint practices of the first two tables, World-class. These visionary audit also striving for operational excellenceFebruary 2013 Internal Auditor 55
  4. 4. To comment on this article,Framework for Excellence email the author at manny.rosenfeld@theiia.organd views internal audit as a full meeting The IIA’s professional stan- An Evolving Modelpartner in improving processes, add- dards, has a limited mission, and has Of course, the internal audit professioning value, managing risk, and helping not kept up with modern audit prac- needs to adapt and improve constantlyachieve strategic objectives. In my tices. Audit groups with insufficient based on external pressures, chang-experience, relatively few audit func- organizational support have a hard time ing business objectives, and advancingtions perform at this level. Because breaking out of this stage. technologies. Accordingly, the Excel-maintaining World-class performance Lagging departments are mostly lence Model will need to evolve as newrequires continual effort, departments geared toward compliance and basic audit practices and tools emerge, andthat achieve it must be careful to assurance and focus little on rec- as new external events/risks occur. Theavoid complacency. ommending improvements. If the U.S. Foreign Corrupt Practices Act andFrom 110 to 139 A total in this rangeclassifies the audit function as Advanced.The advanced audit function not only Ultimately, an audit department canmeets professional standards, but withsupport from senior management and only be as advanced as the board andthe board it works to implement mod-ern audit practices. The department senior management want it to be.focuses not only on providing assurance,compliance, and risk assessment, but department is in the early stages of the Sarbanes Oxley Act of 2002, foralso on process improvement via opera- formation, there are many practices it example, both drove massive changestional and consultative audits. As such, can implement to improve. If senior in the direction and function of auditit exhibits noteworthy performance management and the board do not departments. The immense global haz-but should nonetheless keep striving support improving the audit func- ards experienced in the last decade havefor improvement. tion, the CAE could try to encourage driven companies to implement ERM them to reconsider by providing con- programs, and high-performing internalFrom 80 to 109 Scores within this crete examples of how internal audit audit functions have actively champi-range merit a rating of Professional. has contributed to the success of oned this effort. New challenges inevi-This type of audit department is well- the organization. tably will arise, requiring audit shops toestablished, has a broader mission Ultimately, an audit department respond and model criteria to adapt.than a Lagging department, and meets can only be as advanced as the board But regardless of the methodol-The IIA’s professional standards. It has and senior management want it to ogy used to assess performance, thenot kept up with current best audit be. If the overall organization strives most important factors in determin-practices, perhaps because of limited to be operationally excellent and pro- ing an audit function’s success areorganizational support vides appropriate support for internal organizational support and relentlessand encouragement. audit, then audit leaders are well- effort to drive improvement. With Although Professional is the mini- positioned to advance their depart- these key elements in place, even low-mum level an audit function should ment to World-class levels. Without performing audit departments canpossess, those who take the time to sufficient support and encourage- progress to serve their stakeholderscomplete this assessment likely have a ment, however, audit departments effectively and add value to the orga-desire to improve. Audit management will struggle to get beyond a basic nization. World-class performance is aprobably needs to convince senior level of performance. If the organiza- journey, not a final destination. Oncemanagement and the board to increase tion has limited or low expectations the path toward improvement hastheir support of internal audit so it can for the audit function, then World- begun, it should be pursued continu-better serve the organization. class status cannot be achieved even ally and with great rigor. if the audit department fully meetsBelow 80 Audit groups scoring less those limited expectations. Moreover, Manny Rosenfeld, CIA, CRMA, is anthan 80 points are considered Lag- a CAE who cannot get support to internal audit and operational excellenceging in performance. A Lagging audit improve a Lagging audit function is leader with CAE-level experience at sev-department generally falls short of assuming high professional risk. eral Fortune 500 organizations.56 Internal Auditor February 2013