I’ve created a model that enables audit leaders to determine where their group falls across a range of performance levels. The Audit Department Excellence Model, is intended primarily as a means to help guide audit functions toward improved practices, though it can also be used to facilitate dialog with senior management and the audit committee.
1. audit performance
Manny Rosenfeld
Framework for
Excellence
A multi-dimensional
T
assessment tool can
help audit practitioners
determine how their
department rates
along a spectrum of
performance levels.
rue leaders strive to create world-class organizations.
Regardless of the profession, world-class perfor-
mance maximizes our ability to contribute, pleases
our stakeholders, and helps fulfill our mission. This principle
certainly applies to internal auditing. However, the path to a
world-class audit department is not always clear or easy.
To facilitate efforts toward enhancing the audit function,
I’ve created an assessment tool — intended for audit shops
of any size or industry — that enables audit leaders to deter-
mine where their group falls across a range of performance
levels. This framework, the Audit Department Excellence
Model, is intended primarily as a means to help guide audit
functions toward improved practices, though it can also be
used to facilitate dialogue with senior management and the
February 2013 Internal Auditor 53
2. Framework for Excellence
audit committee when seeking their higher level of performance. To deter- of points from selections in the first
support for improvement. Practices mine which stage their audit depart- two tables plus the sum of all points
within the model draw from numerous ment falls within, auditors complete in the third table will generate a grand
professional white papers, operational a series of tables with itemized point total. Matching this total to the ranges
improvement and audit leadership values. The first two tables highlight provided reveals the audit shop’s overall
experience with Fortune 500 compa- critical aspects of audit performance. level of performance, as well as prac-
nies, IIA recommended practices, For each of these, audit practitioners tices that can help move the depart-
and chief audit executive (CAE) round- choose the one statement that best ment toward the World-class portion
table discussions. describes their department. The third of the spectrum.
The Excellence Model includes table contains a list of possible audit
four stages — Lagging, Professional, best practices — auditors should select Assessment
Advanced, and World-class — with from these all practices that are appli- Once the point total from the three
each stage designating a progressively cable to their department. The sum tables has been tabulated, it can be
1. Mission of Audit Department as Described in the Internal Audit Point
Charter Choose one “best fit” statement and circle the appropriate point value for that selection. Value
Broadly risk focused as listed below; plus the strategic risks and opportunities for internal
audit are fully integrated with the company’s enterprise risk management (ERM) program.
Additionally, internal audit pursues substantial operational improvement opportunities, 25
and significant audit resources are allocated toward consultative projects based on
management’s requests for assistance.
Broadly risk focused; if a business risk can be mitigated by a process or control, then the area
is subject to possible audit assessment and improvement. Risk types would include financial, 15
IT, compliance, assurance, fraud, and operational.
Mostly focused on assessing internal controls over financial reporting, assurance controls
in financial business processes, and important compliance and operational controls (e.g., 10
inventory management, capital project justification, and order fulfillment).
Mostly focused on assessing internal controls over financial reporting and assurance controls
in traditional financial audit process (e.g., accounts payable, accounts receivable, payroll, 5
fixed assets, payroll, inventory accounting, and ledger accounting).
2. Audit Staffing Practices Point
Choose one “best fit” statement and circle the corresponding point value. Value
Most staff members have more than 3 years of audit experience and several years of non-
For more audit work experience, including operational and other financial/accounting/IT roles. Some
information of the auditors have deep expertise in particular areas such as operations, compliance, and
on audit function 25
technology and may be serving a stint in the audit department for developmental purposes.
performance, Auditors must be certified — or actively pursuing certification — to maintain employment, and
see the The IIA’s more than half possess pertinent advanced degrees.
Internal Audit
Competency Most staff members have more than 3 years of audit experience (senior auditors and above)
Framework at as well as some non-audit work experience, including operational, financial, accounting, and
www.theiia.org. IT backgrounds. Audit management communicates support for certifications, and more than 15
80% of the auditors are professionally certified or actively pursuing a certification. More than
half the auditors have pertinent advanced degrees.
Most staff members have 2-3 years of audit experience. Some of the auditors have business
experience, including operational and accounting backgrounds. Professional certifications are 10
desired, but not a requirement.
Most audit staff members have less than 2 years of audit experience and little business
5
experience. Professional certifications (CIA, CISA, CPA, etc.) are not a requirement.
54 Internal Auditor February 2013
3. A recent IIA Audit Executive Center survey notes that only 5 percent 2013
of audit plans will be
devoted to providing assurance on the effectiveness of risk management efforts, a “notably weak” proportion.
3. General Audit Practices Point
Choose all that apply and circle the point value for each. Value
An independent quality assurance review has concluded that the internal audit
function generally meets The IIA’s International Standards for the Professional 25
Practice of Internal Auditing.
The CAE has regular and frequent private discussions with the audit committee chair or
20
other audit committee members.
The CAE reports functionally to the audit committee and administratively to a top-level
authority — ideally the CEO. The CAE has a “seat at the table” and routinely participates in
15
the CEO’s executive meetings. Internal audit is consistently represented on other critical
business and functional committees.
The audit department uses computer-assisted audit techniques as part of most audits. It
15
also uses data analytics extensively and monitors selected key risks/controls continuously.
Functional and business management discuss their areas with the audit staff periodically,
expanding the auditors’ knowledge and more closely aligning audit coverage to the most 10
important business drivers and concerns.
The department maintains a database of historical audit observations and uses analytics
capabilities to identify audit-issue trends for specific businesses and processes, categorize
5
the audit issues, identify common root causes of problems, and provide a mechanism for
issue tracking and follow-up.
The department’s electronic workpaper tool is integrated with the organization’s ERM tool
5
and methodology.
Established metrics/targets for the audit staff are in place (i.e., a balanced scorecard). The Excellence
For example: 10 days to issue the final audit report following the exit conference; 60 days Model appears
5
to announce an audit prior to fieldwork; and 95% of remediation steps are completed as in succinct form
promised and on time. here due to space
limitations. A more
A client satisfaction survey is requested following each audit, with a goal of 90% or higher comprehensive
5
favorable average responses (target may vary). model is certainly
A “guest auditor” program is in place, where functional experts from within the possible, with
organization (non-auditors) routinely join a specific audit engagement under the direction 5 additional tables
of an experienced auditor or manager. for categories of
audit practices.
A training and development program is established that includes traditional technical
audit skills training as well as interpersonal or soft skills (e.g., communications, conflict
5
management, team dynamics, and cultural awareness). Auditors are required to have at
least 60 hours/year of relevant training.
The audit group keeps abreast of emerging best practices by, for example, participating
in CAE roundtables, attending seminars, reading professional white papers, and using 5
benchmarking studies such as The IIA’s annual GAIN program.
Bonus Points: The department engages in at least one other practice that could be
5
considered World-class.
Total Points: To obtain rating, add the circled point values for all three tables.
compared to the following ranges to and many of the practices in the third departments have a passion for being
categorize the audit department’s perfor- table have to be selected. at the forefront of the profession and
mance level. There are a variety of ways continually implement best prac-
to earn points, but to reach the World- From 140 to 170 Audit shops fall- tices. This stage is difficult to achieve
class range of performance, the highest ing within this range are considered unless the underlying organization is
point practices of the first two tables, World-class. These visionary audit also striving for operational excellence
February 2013 Internal Auditor 55
4. To comment on this article,
Framework for Excellence email the author at manny.rosenfeld@theiia.org
and views internal audit as a full meeting The IIA’s professional stan- An Evolving Model
partner in improving processes, add- dards, has a limited mission, and has Of course, the internal audit profession
ing value, managing risk, and helping not kept up with modern audit prac- needs to adapt and improve constantly
achieve strategic objectives. In my tices. Audit groups with insufficient based on external pressures, chang-
experience, relatively few audit func- organizational support have a hard time ing business objectives, and advancing
tions perform at this level. Because breaking out of this stage. technologies. Accordingly, the Excel-
maintaining World-class performance Lagging departments are mostly lence Model will need to evolve as new
requires continual effort, departments geared toward compliance and basic audit practices and tools emerge, and
that achieve it must be careful to assurance and focus little on rec- as new external events/risks occur. The
avoid complacency. ommending improvements. If the U.S. Foreign Corrupt Practices Act and
From 110 to 139 A total in this range
classifies the audit function as Advanced.
The advanced audit function not only
Ultimately, an audit department can
meets professional standards, but with
support from senior management and
only be as advanced as the board and
the board it works to implement mod-
ern audit practices. The department
senior management want it to be.
focuses not only on providing assurance,
compliance, and risk assessment, but department is in the early stages of the Sarbanes Oxley Act of 2002, for
also on process improvement via opera- formation, there are many practices it example, both drove massive changes
tional and consultative audits. As such, can implement to improve. If senior in the direction and function of audit
it exhibits noteworthy performance management and the board do not departments. The immense global haz-
but should nonetheless keep striving support improving the audit func- ards experienced in the last decade have
for improvement. tion, the CAE could try to encourage driven companies to implement ERM
them to reconsider by providing con- programs, and high-performing internal
From 80 to 109 Scores within this crete examples of how internal audit audit functions have actively champi-
range merit a rating of Professional. has contributed to the success of oned this effort. New challenges inevi-
This type of audit department is well- the organization. tably will arise, requiring audit shops to
established, has a broader mission Ultimately, an audit department respond and model criteria to adapt.
than a Lagging department, and meets can only be as advanced as the board But regardless of the methodol-
The IIA’s professional standards. It has and senior management want it to ogy used to assess performance, the
not kept up with current best audit be. If the overall organization strives most important factors in determin-
practices, perhaps because of limited to be operationally excellent and pro- ing an audit function’s success are
organizational support vides appropriate support for internal organizational support and relentless
and encouragement. audit, then audit leaders are well- effort to drive improvement. With
Although Professional is the mini- positioned to advance their depart- these key elements in place, even low-
mum level an audit function should ment to World-class levels. Without performing audit departments can
possess, those who take the time to sufficient support and encourage- progress to serve their stakeholders
complete this assessment likely have a ment, however, audit departments effectively and add value to the orga-
desire to improve. Audit management will struggle to get beyond a basic nization. World-class performance is a
probably needs to convince senior level of performance. If the organiza- journey, not a final destination. Once
management and the board to increase tion has limited or low expectations the path toward improvement has
their support of internal audit so it can for the audit function, then World- begun, it should be pursued continu-
better serve the organization. class status cannot be achieved even ally and with great rigor.
if the audit department fully meets
Below 80 Audit groups scoring less those limited expectations. Moreover, Manny Rosenfeld, CIA, CRMA, is an
than 80 points are considered Lag- a CAE who cannot get support to internal audit and operational excellence
ging in performance. A Lagging audit improve a Lagging audit function is leader with CAE-level experience at sev-
department generally falls short of assuming high professional risk. eral Fortune 500 organizations.
56 Internal Auditor February 2013