1) The CAE must run internal audit like a business in order to ensure it adds value and remains responsive to executive management and the audit committee.
2) To add value beyond assurance, the CAE should be able to answer five key questions about internal audit: what is its mission, who are its customers, what do customers value, what results are wanted, and what is the plan.
3) It is the CAE's role to understand and manage the unique expectations of internal audit's three key constituents - the audit committee, executive management, and line management.
CAE as CEO: Leading Internal Audit Like a Business
1. December 201354 Internal Auditor
Dennis Drent
By running the audit department like a business, CAEs ensure responsiveness to the marketplace that matters — executive management and the audit committee.
Adding value
While the profession adapts to the changing business environment, the same fundamental question continues to be asked: How can internal audit add value beyond providing assurance? Each internal audit function is unique and must operate as a business to ensure it stays relevant.
Internal audit is a professional services business within a business (or organization) and should be run like one. Each internal audit department serves its organization in different ways, based on the needs and wants of the board and executive management team. The chief audit executive (CAE) essentially is the CEO of the department and is responsible for creating its vision and bringing that vision to life. To better understand the dynamic role the CAE plays in the process of value creation through internal audit, consider the argument from the late management expert Peter Drucker, who said every successful CEO must be able to answer five key questions about his or her organization: 1) What’s your mission? 2) Who is your customer? 3) What does your customer value? 4) What results do you want? and 5) What’s your plan? To be effective in the role of internal audit CEO, CAEs also should be able to answer these questions.
What’s Your Mission?
The IIA defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
CAEs, working with limited resources and within unique cultural environments, must consider numerous trade-offs embedded in this broad definition, including: What is the balance between assurance and consulting? On which company objectives should internal audit focus? What should internal audit’s role be, specific to risk management and governance?
The answer to these questions should be inherent in the audit department’s mission statement. Different from a definition, a mission statement should state the purpose of the function and spell out its overall goal, which then will guide actions and decision-making at all levels to attain that goal. The mission is unique to each organization and, ideally, inspirational to its members.
An example of an internal audit mission statement might be: “We combine great people with leading audit practices to support management and the board in assuring key processes are under control.” This one sentence expresses:
• Having “great people” requires hiring, developing, and retaining highly qualified professionals. It may include partnerships with the business to provide career paths outside of audit.
• “Leading audit practices” means the function will follow The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) and stay attuned to emerging best practices and technologies, such as continuous auditing and predictive analytics.
• “Supporting” management and the board establishes responsibility for internal control with management and the board. However, support is a strong verb that implies internal audit is there to promote the objectives of these principals. Both assurance and consulting services would fit this statement.
• “Key processes” means internal audit focuses only on things that are important. Presumably, this would be driven by the concept of relative risk.
• “Under control” is where the value of internal audit is derived. By definition, if a process is under control, it is meeting its operational, reporting, and compliance objectives.
Moreover, the mission statement is a guide to making the necessary decisions required to manage an internal audit department. For instance, how great people are defined is the result of many factors, including 1) the nature of the business; 2) a blend of auditing focused on operational, reporting, and compliance objectives; 3) a mix of assurance and consulting services; and 4) a desired combination of career auditors vs. professionals rotating through the department. As a department CEO, the CAE’s fundamental responsibility is to communicate a clear mission and be able to explain why the function exists and for whose benefit.
Who Is Your Customer?
A customer typically is defined as someone who purchases a product or service. Given that internal audit does not sell its services and there are few practical substitutes (e.g., outsourcing), it does not have customers within the usual definition. Internal audit can be more accurately described as having constituents, or consumers, of the services it provides. The three key internal audit constituents are the audit committee, executive management, and line management.
Internal audit’s respective relationships with these constituents are dissimilar. One of the significant CAE challenges is to keep the potential disparate interests of the constituents in balance. It’s dangerous to fall into the trap of defining any one constituent as more important than another — they all are important. For example, an internal audit function may elect to focus on more consultative work for line management that is of less value to an audit committee whose interest may be to gain additional assurance coverage. Obviously, it is not in the best interests of a CAE to have the audit committee dissatisfied with the value it is receiving from internal audit. Maintaining an appropriate balance is a primary CAE challenge.
To comment on this article, email the author at dennis.drent@theiia.org
What Does Your Customer Value?
Internal audit departments are judged on subjective terms by their three key constituents (customers). Audit committees primarily value audit’s independence from management and rely on the CAE to give them an independent reading on the control environment. However, they may not fully understand the audit work performed and how to interpret the results. They may even request work that is objectively of low value, but is of concern through conversations with peers or reading an article (e.g., regarding firm or personal reputational risk).
On the other hand, executive management likely is seeking three things from internal audit:
• Effectively planned and organized audit committee meetings from the CAE. Moreover, management expects no surprises during these meetings.
• Positive reports from middle managers about audit’s work.
• Comfort that internal audit is assuring there are no significant breakdowns in internal control.
Executive management respects internal audit’s independence primarily because it knows the importance placed on it by the audit committee. In a best-case scenario, executive management requests reviews of areas within the organization that have them concerned.
Lastly, line management feels the direct impact of internal audit’s work. Wedged between expecting help from internal audit with risk and control management, and not wanting negative audit results that reflect badly on their leadership, line management expects four specific outcomes:
• Audits that are effectively planned and executed.
• Regular audit status reports.
• The opportunity to discuss issues before they are communicated broadly.
• Specific suggestions about how to improve the effectiveness of operations.
While these broadly described expectations may apply across many industries and settings, it is the CAE’s role to understand and manage the constituency expectations specific to his or her organization (see “Managing Expectations” on page 61). For functions to perform optimally and satisfy all constituents, there should be agreement on the value the enterprise expects from internal audit over time. Differences of opinion must be discussed in an open forum and reconciled timely. It is the CAE’s responsibility to ensure constituent agreement because highly successful internal audit departments depend on it.
What Results Do You Want?
Drucker also is credited with coining the now ubiquitous phrase: “What gets measured gets done.” This describes a primary challenge internal audit departments face because they have no competition and there may be silent confusion or disagreement about the value they bring to the organization. This lack of competition and open discussion about value can create a false sense of satisfaction with the delivery of services. The question the CAE should ask is: If given a choice, would internal audit’s constituents choose differently?
Businesses have the comparative benefit of receiving clear responses to the actions they take in the marketplace. New products sell or they don’t. Gross margins are healthy or below par. Market share is increasing or decreasing. Internal audit departments, on the other hand, lack natural feedback mechanisms that ensure they are creating value. By design, internal audit plays a unique role that keeps it separate from any operation. It essentially is a professional organization sitting within an enterprise that is its sole customer.
To hold itself accountable and create the appearance of a competitive environment, internal audit can create “self competition” by developing the right metrics. Some metrics that can be used for developing a results-oriented internal audit department that adds value include:
• The number of requests by executive management or the audit committee to perform specific audits or projects.
• A one-question survey to line management that includes the market value cost of the audit (e.g., 400 hours multiplied by the estimated market rate of US $125 per hour or US $50,000) following each audit asking management if it added commensurate value. By adding the price tag, internal audit should obtain more accurate feedback. One caveat is that unlike the audit committee and executive management, line management may not see value in being given assurance that processes are meeting control objectives. Unfortunately, there also can be a correlation between line management’s perception of audit value and the results of the audit (i.e., a negative audit opinion results in a negative survey result).
• Quarterly scorecard monitoring of internal audit’s core activities: number of audit reports issued; number of audit issues opened, closed, pending, and overdue; post-audit survey results; undesirable turnover reports; number of people promoted out of the department into the business; and metrics representing any other desired result.
Every metric would be compared to a planned result and prior periods. Metrics must carefully be monitored and challenged because of the subjective nature of internal audit (e.g., survey results). However, by comparing actual to planned amounts and tracking trends over time, valuable information can be gleaned to keep the department on track. Metrics should cautiously be used as the basis for the CAE and audit management team’s performance evaluations with executive management and the audit committee, creating the appropriate external pressure of a “marketplace” to ensure continuous improvement.
What’s Your Plan?
Closely correlated to achieving desired results is having a strategic plan detailing the path to achieve intended outcomes. Like any business, an internal audit strategic plan will have marketing, financial, operational, technology, and human resource components. It is important to remember that there is a difference between a strategic plan and an annual audit plan. The strategic plan requires critical thinking to look several years into the future and ask:
• What does internal audit need to look like in three years?
• What does it look like today?
• What do we need to do to fill in any gaps?
Businesses routinely use the strategic planning process to help ensure they stay relevant to the markets they serve. An annual strategic planning process inclusive of internal audit’s key constituents will ensure the function remains relevant to those it serves.
Ready for Business
Running internal audit like a business results in a function that is responsive to the needs of the organization and is seen by management and the audit committee as adding value. Having management and the audit committee explicitly in agreement on internal audit’s value definition enables the CAE to confidently move internal audit forward in improving and expanding its work. Continuously updating a three-year strategic plan assures the CAE that internal audit remains relevant to the success of the larger organization it serves.
Managing Expectations
Because line management typically is allocated a cost for internal audit, some generally believe auditors are there to serve them. Even if line managers are aware of the audit committee’s request for auditor independence, they often are unsympathetic. Several items should explicitly be discussed with all customers to ensure internal audit gets the full support it needs to be highly effective, including:
Is the CAE comfortable with the adequacy of internal audit resources?
»» What would be the result of a budget cut (e.g., 10 percent)?
»» What additional value could be derived from a budget increase (e.g., 10 percent)?
What standards does internal audit follow and how does it apply risk in deciding what and how to audit?
»» What is the process for deciding which areas will be audited and achieving the balance among auditing operational, financial reporting, and compliance control objectives?
»» Is the audit plan responsive to change?
»» Why is it important for internal audit to follow the International Standards for the Professional Practice of Internal Auditing (Standards), and how does the function ensure the Standards are applied consistently?
What is internal audit’s philosophy regarding consulting?
»» How many resources are devoted to consulting services?
»» What type of consulting is acceptable?
»» How does the department ensure its consulting activities are adding more value than its more traditional assurance role?
»» What is the balance between independence and consulting?
What is internal audit’s role in the broader governance, risk, and compliance (GRC) activities, if any?
What is internal audit’s human resource philosophy?
»» Are audit positions considered rotational? Is one of the values of internal audit to train future leaders? If so, how?
»» What are internal audit’s hiring, training, and development practices?
»» Does internal audit use cosourcing and, if so, how is this managed?
How does internal audit balance and maintain its overall objectivity and independence?
The CAE must have clear and complete answers to these and other questions to ensure the primary customers are in harmony regarding the philosophy and activities of internal audit.
Dennis Drent is founder and CEO of Drent Advisory Services LLC in Yorba Linda, Calif.
“This article was reprinted with permission from the December 2013 issue of Internal Auditor (Ia), published by The Institute of Internal Auditors, Inc., www.theiia.org.”