Too Much Value-add Can Destroy Internal Audit - Maybe My Most Controversial Post to Date
In a recent discussion in a network group, an experienced practitioner advocated focusing on a value-add approach to internal audit rather than one that is risk-based. I can understand the desire to demonstrate value through internal audit activities.
- It makes friends and builds support for the internal audit function. When internal audit is able to point to savings that come close to or even surpass its cost, management (and generally the board) will be cheerleaders. Some years ago, my contracts audit team made so much money that during a period of layoffs management found funds for it to add staff.
- IIA Standards support value-added activities. For example, Standard 2000 states: “The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.”
- It is satisfying, both for the staff and IA management. Just look at any internal auditing conference program and you are bound to see sessions on adding value through audits of healthcare providers, contractors, and duplicate payments.
But, at what cost are we adding value?
This is how I replied to the group:
I am not persuaded that value based auditing is the way to go. That will result in all efforts being put on auditing contractors, finding duplicate payments, improving process efficiency, etc. We will be polishing the trees while the forest is burning.Let me propose that internal audit should be providing assurance to the governing body and executive leadership that the organization’s processes and practices provide reasonable assurance that value creation opportunities are realized, risks to objectives managed, and operations are in compliance.There is tremendous value in that assurance. Once that is delivered, any resources left can be focused on value-based audits.Our primary mission is to provide assurance. Period.
But what is "assurance"?
If you hear your young child cry out in the night because he is afraid of the thunder, you go to him and assure him that he is safe, you are there, and everything is all right. The roof is sound and the house strong enough to protect him from the thunder, lightning, and hail.
Providing assurance to the governing body (the board and/or audit committee) and executive leadership is very similar. You tell them that the organization’s processes and practices (and related controls) provide reasonable assurance that they can sleep through the business storm. The governance processes, risk management program, and the related controls are adequately designed and are operating effectively to deliver value, manage risks to objectives, and keep the organization in compliance.
But what if you can’t do that? What if you have been out making money for the family and have not tended to the structure of the house? You haven’t made sure the structure and roof are in good condition and any necessary maintenance and repairs have been completed? Can you reassure your child he will be safe?
So what does this mean?
Before you do any value-add work make sure you have the resources and plan that will enable you to provide assurance
Only take on projects such as the following if they will not interfere with your ability to provide an assessment of governance processes, the risk management program, and the related controls:
- Audits of contractors
- Healthcare audits
- Duplicate payment reviews
- Fraud detection (this is ideally a management function)
- SOX testing (this is a value-add activity)
Do you agree with me? Can you add to the list of value-add work that might interfere with the primary mission of assurance? In fact, do you agree that our primary mission is assurance?
Posted on Jul 15, 2011 by Norman Marks
Share This Article: