Too Much Value-add Can Destroy Internal Audit - Maybe My Most Controversial Post to Date

In a recent discussion in a network group, an experienced practitioner advocated focusing on a value-add approach to internal audit rather than one that is risk-based. I can understand the desire to demonstrate value through internal audit activities.

  1. It makes friends and builds support for the internal audit function. When internal audit is able to point to savings that come close to or even surpass its cost, management (and generally the board) will be cheerleaders. Some years ago, my contracts audit team made so much money that during a period of layoffs management found funds for it to add staff.
  2. IIA Standards support value-added activities. For example, Standard 2000 states: “The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.”
  3. It is satisfying, both for the staff and IA management. Just look at any internal auditing conference program and you are bound to see sessions on adding value through audits of healthcare providers, contractors, and duplicate payments.

But, at what cost are we adding value?

This is how I replied to the group:

I am not persuaded that value based auditing is the way to go. That will result in all efforts being put on auditing contractors, finding duplicate payments, improving process efficiency, etc. We will be polishing the trees while the forest is burning.
Let me propose that internal audit should be providing assurance to the governing body and executive leadership that the organization’s processes and practices provide reasonable assurance that value creation opportunities are realized, risks to objectives managed, and operations are in compliance.
There is tremendous value in that assurance. Once that is delivered, any resources left can be focused on value-based audits.
Our primary mission is to provide assurance. Period.

But what is "assurance"?

If you hear your young child cry out in the night because he is afraid of the thunder, you go to him and assure him that he is safe, you are there, and everything is all right. The roof is sound and the house strong enough to protect him from the thunder, lightning, and hail.

Providing assurance to the governing body (the board and/or audit committee) and executive leadership is very similar. You tell them that the organization’s processes and practices (and related controls) provide reasonable assurance that they can sleep through the business storm. The governance processes, risk management program, and the related controls are adequately designed and are operating effectively to deliver value, manage risks to objectives, and keep the organization in compliance.

But what if you can’t do that? What if you have been out making money for the family and have not tended to the structure of the house? You haven’t made sure the structure and roof are in good condition and any necessary maintenance and repairs have been completed? Can you reassure your child he will be safe?

So what does this mean?

Before you do any value-add work, make sure you have the resources and plan that will enable you to provide assurance.

Only take on projects such as the following if they will not interfere with your ability to provide an assessment of governance processes, the risk management program, and the related controls:

  • Audits of contractors
  • Healthcare audits
  • Duplicate payment reviews
  • Fraud detection (this is ideally a management function)
  • SOX testing (this is a value-add activity)

Do you agree with me? Can you add to the list of value-add work that might interfere with the primary mission of assurance? In fact, do you agree that our primary mission is assurance?

Posted on Jul 15, 2011 by Norman Marks


  1. Norman, excellent piece of insight with which I fully agree. Internal Audit (IA) should provide assurance first in order to allow for adding value activities. Otherwise IA will add value and ignore the gorilla in the room that can destroy everything. To me adding value by IA is as well increased risk awareness and more efficient or controlled processes, which is not immediately measurable in monetary terms. Marcel
  1. Hi Norman,

    You have the first critical task of internal auditing covered fairly well but you overlooked the other four.  And you completely discounted the definition of internal auditing that states auditing provides two services (assurance and consulting).  Are you suggesting that the "red-i book" (it is international now) be edited down to fit the "World according to Norman"?

    How valuable is an internal auditing function that places a low priority on: integrity & reliability of information in operational & financial systems; safe guarding of assets; compliance with laws & regulations; and, effectiveness & efficiency of operations & processes?

    PS: I will leave the parenting advice alone as on the east coast, we have issues with duct tape and pythons as pets.

    best regards,


  1. Norman,

    I totally agree with you and I don't believe that what you say is inconsistent with the Definition & Standards.  IA's primary duty is to provide assurance even if that is sometimes negative (run-down house analogy).  IA hopefully by providing assurance it can help management direct resources to areas needing improvement and confirming areas that are fine.  This is added-value.  If it has sufficient resources to do more than the required assurance, then it can do consultancy, which is specific and focused "Value-added" (should be cheaper etc than outside consultancy).



  1. If this is controversial, then the profession needed the reminder.  The concept of "value-add" is (too often) limited to only that value that can be monetized.  There is value in identifying cost savings.  But if Internal Audit focuses only on this, they become another profit center, and stray from their core mission.  There IS value in assurance, as Norman describes with the "lightning at night" analogy.  There is value in identifying improvement opportunities, misalignment of business processes or operations with an organization's strategic objectives, and many other areas where Internal Audit's skill sets and rigor can be applied.  This is a good reminder that we could do a better job of packaging and communicating that value.

  1. Most definitely, IA should focus on providing assurance as its primary role. As Douglas points out, there is significant value attached to the application of that unique skill set necessary to assure management, the board and investors that processes and operations are in line with corporate objectives. The value-added projects you mentioned require a slightly different skill set; as well as a different mindset. While they certainly are a complement to IA, they also change the role of IA and should in my mind be a separate component of IA.

  1. Norm and everyone else:

    You can provide assurance and provide value to the organization. They should not be mutually-exclusive and need not be. As you know, the Internal Audit function serves two masters (1) Management and (2) the Internal Audit profession. And I remember well how these two masters are not always equally served. By definition, there is going to be conflict. The argument is as old as dirt. The expense of Internal Audit vs. the benefit. In the olden days (when Arthur Andersen was still the largest auditing firm on the planet and Enron was just some energy company in Houston) the issue was less clear cut. Now it has become more so. But "providing value" is certainly defined by the organization's management and board. There is no reason why Internal Auditing cannot add value (in monetary terms) and provide some measure of assurance service.

  1.  Norman:

    There is no such thing as assurance and value add as being mutually exclusive. If you are in the business of providing assurance as you indicate above, it must be viewed as being value added. If it is not, then either something is wrong with the audit team or something is wrong with intended recipients of the report. In fact the continued bifurcation of these two terms is one of the reasons why internal audit still cannot provide proper assurance over the activities of a risk management system. If they did do this, there would be complete acceptance as to the value added nature of it.

    We have discussed the concept of silos and fragmentation in various points in companies and other organizations. We provide assurance and we need to do what we need to do to demonstrate the value added nature of it. I think that in not providing real high quality assurance, this has opened the door for others to say that instead we should be focusing on such things as cost savings and operational improvements. While this is not a bad thing, anything that distracts us from our primary objective of providing assurance as you lay out above, is not a good thing.

  1. I am thoroughly heartened by the comments, which all confirm the great value of assurance. Thanks to all.

    Sparks, my good friend, I suspect you and I may see things a little differently.

    1. I agree that the definition says assurance and consulting, and I support consulting where it contributes to peace of mind - i.e., recommendations as part of assurance services. Other consulting activities are OK only if assurance services are fully resourced first.
    2. With respect to "integrity & reliability of information in operational & financial systems; safe guarding of assets; compliance with laws & regulations; and, effectiveness & efficiency of operations & processes", these are the areas that internal controls target. But internal controls should not be considered in isolation, only as responses to risks (or treatments of risk). I prefer to provide assurance on the more significant risks, and that means only assessing the controls (whether relating to compliance, integrity, or other) relied on to manage those risks.
  1. Lawrence, thank you for the comment. I am going to disagree with your statement that "the Internal Audit function serves two masters (1) Management and (2) the Internal Audit profession". I believe internal audit should seek first to meet the needs of the governing body (and through them external stakeholders), and then the management leadership team. I don't see them considering a duty to the profession as a whole.

  1. Norman, thanks for the insight for the group as I do believe I see where you are coming from.  However, hanging at the 30,000 foot view of auditing critical tasks and priorities is easy.  It is when you zoom in to the tree top level that you realize not all auditing functions (and auditors) see issues the same way.  I suspect many would challenge the "Five Critical Tasks" as I have extracted from the redbook.

    I still encounter internal auditing functions with a strategic mission to integrate other priorities as stated in the redbook, and pull away from a mere "compliance" group.

    best regards,


  1. Norman, insightful as usual. Maybe value is a proxy for risk and a value add approach has you looking at the same things a risk based approach would.

  1. I think this is an important topic; but I agree with comments that value adding IA work should not be regarded as mutually exclusive from risk based work.

    I believe IA should be seeking to meet its assurance obligations in a value adding way: After all if we assure a minor issue where there is a control question that will - arguably - add less value than assuring a key risk area where there is uncertainty; so even in relation to assurance some of what we do adds more value than other work (for example - does it really add that much value to audit an area where there is a known problem?)

    Central to this is what we do to validate what adds value - our own views of what's adding value or something that we have cross-checked with our key stakeholders?

    The lean concept of Kano is worth looking up. This approach also provides a powerful way of determining the assurance / advisory balance that so many struggle with - see link attached for more on Lean auditing. 

  1. Providing assurance is to ensure that the risks of the organisation are within the risk appetite of the board. Now, the value addition can be seen from two angles. One - that the assurance provided is the one on which the board can rely upon i.e. effectiveness of the controls laid down by the management. Two - the value addition can also be in bringing in the desired efficiency in the controls i.e. the cost saving part of it. This can be a consultancy in addition to the assurance function.

    I am not clear on how the auditors can add value without helping the organisation in managing the risks well. Both to me are intertwined with one being the basic function of audit. The analogy could be the bread and butter. Without bread, butter does not make sense to me.

  1. I concur with the significant value from risk-based assurance work. The point is that some projects that are focused on value-add (such as those listed) rather than on top-rated risks consume resources at the cost of providing assurance on major risks.

    For example, why do departments provide fraud detection, duplicate payment, and/or healthcare audit services but (a) do not provide an overall opinion on governance, risk management, and related controls, or (b) do not audit these areas?

    - risk management across the organization

    - the provision of timely, reliable, current, and useful information for making decisions

    - governance processes, such as the performance of the external auditor or the provision of information to the board

  1. Hi, Norman

    I share your point because by end of the story, in my view,  the common sense of internal audit should be the capability of assurance.

  1. Norman,

    Your last point is the one I have been struggling with the most recently.  It seems to me the Truth of what we do is to call out what may prevent us from achieving strategy.  Strategy set by the governing body, decisions made by management, risks that eventually become issues.

    At the end of the day two items continue to pop up for me: communication and leadership.  Are you willing to tell the truth about what you see?  Are you willing to hold folks accountable for telling the truth and getting the results we all agreed upon?  If you can't see clear evidence at the top through governance processes, your chances of being able to provide assurance, whether through audit or any other activity, are limited.

    If the governing body isn't willing to toe the line and hold the mirror with a steady hand, value is an irrelevant subject.

  1. Hi Everybody,

    After reading all the comments, I am of the opinion that most of us are on a similar view having different experience. As per IIA now Assurance, Insight & Objectivity are expected from Internal Audit. Now we need to play a bigger role.

  1. Hi Everyone,

    I’m an auditor from China and I’m really glad to come across this insightful post with its thought provoking discussions:
    If I may share my view here, it appears to me firstly there is a lack of consensus regarding the definition of the key term, 'value added’. If we go back to the original meaning of the term, it might probably blow the mist away in the most efficient manner:  
    Wikipedia definition: Outside of economics, value added refers to "extra" feature(s) of an item of interest (product, service, person etc.) that go beyond the standard expectations and provide something "more" while adding little or nothing to its cost. See,
    So there is an obvious difference between the 'primarily value' and the 'value added', or in other words, a difference between standard expectations and extra features.  Also, maybe one thing we should agree on is, 'value added' is wider than just a monetary concept.
