Determining the Value of Internal Audit

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Many internal auditors want an answer to the question: How do we put a value on internal audit? 

Let's answer another question first: what is the value of a home? The correct answer is that a house is worth what somebody is willing to pay for it.

Now, what is the value of an internal audit function? The correct answer is that it is worth what the board is willing to pay for it.

The value is not some mythical calculation based on the value of process improvements or identified overpayments. No, it is worth what the audit committee of the board is willing to pay for it.

The value to the typical board is derived primarily from the value it places on the assurance it receives from internal audit. Any value from consulting activities is a welcome addition.

If the value is less than the cost, you have a problem. Hopefully, the value is more than the cost.

I think that efforts to show value by putting a number on process improvements and contract overpayment recoveries is putting too much attention on what should be a secondary activity for internal audit. Only when the board's assurance needs have been satisfied should internal audit seek to perform other value-add activities.

CAEs that want to ensure they provide the maximum value should look first to the value they provide to the audit committee if the board. Maximize the assurance value by ensuring you are providing peace of mind on the more significant risks to the organization. That is the meat; valuable consulting services to management are just the gravy. What's the point if gravy when there is little or undercooked meat?

I welcome your views.

Posted on Mar 13, 2013 by Norman Marks

Share This Article:    

  1. Marks, You are making a presumption that the Board/Audit Committee will place the right value (i.e. will be appreciative) of Internal Audit' assurance activities. What if it doesn't? Does that make IA's contribution less valuable?
  1.  Excellent point! Many audit committees don't realize how much value internal audit can and should provide.

    However, they will get the IA they deserve until a CAE leads both IA and the audit committee to a new vision.

    My experience is that when IA delivers valuable assurance, the audit committee is quick to recognize it.

  1. I like the idea of determining value based on what the Board will pay.  I'm not sure I agree with the statement that IA can "Maximize the assurance value by ensuring you are providing peace of mind on the more significant risks to the organization."  Some of the more significant risks this year include external factors such as the continued weak economy, sequestration, and lack of a federal budget.  By the time we learn enough on these subjects to provide any value in assurance, we'll be somewhere in 2014 or later! 

    I believe that IA should be aware of (and include in our assessments) these global risks that our senior management are facing as well as the more common business risks (financial, operational, compliance and strategic) that are typically included in the IA risk assessment.  We add very limited value in our reviews if we don't have the ability to understand fully what those significant risks are, what management is doing to address them (if anything), and most importantly recommending changes to improve how the risks are being mitigated.  And my concern is that for the truly significant enterprise risks, IA is not going to be able to deliver much value at all.

  1. Norman: Great post.  As boards recognize that they are going to increasingly be held responsible for overseeing management's risk appetite and tolerance what they need and want from internal audit will take on far greater clarity than exists today.

    Unfortunately, my 30 years of global experience suggests that internal audit has been primarily "supply driven" to date, particularly with respect to what internal audit functions have delivered to boards.  Boards have generally been non-discriminating with respect to IA product and not clearly communicated what they want/need.  I believe many boards just wanted to be able to say the company had an IA department who planned, completed and reported on audits.  As long as that happened the board/audit committee were often happy.

    This paradigm is changing to what I call "Demand driven" internal audit where the board demands reliable information on the current retained/residualr risk status from management and "demands" an opinion from IA whether the process that produced the report and the report itself is reliable.

    I will be presenting on this topic for IIA Canada March 27th.  It's free to all IIA members.  Information is available at:


  1.  This seems to be a prickly question continuously challenging internal auditors. I have come across whole seminars debating it and many interesting facets are brought to the fore attempting to extract the true value of the internal audit function. I normally try to put a different flavour to it.

    Finance theory suggests that the value of a business to the sharehodlers is the PV of the future cash streams (with other complications, but let us keep it simple). The cap rate used would be, again in simple terms, a %age that is a build-up on top of a risk-free rate RFR (say AAA rated governement bonds). So in essence, the RFR would be increased by country risk, industry risk, company specific risk etc. Since the future income streams of the company, ie the potential for dividend and investment, is divided by the cap rate (again rendering simple) to establish the capital sum one would invest to earn the income streams at the perceived level of risk within the cap rate, then it follows that value is inversely proportionate to the cap rate. The higher the cap rate, the lower the value of a business.

    Turning back to internal audit function, if you were buying a business that has an IA, or a similar business that does not, would you not attach a higher risk to the projected future cash streams in the case of a company that has no IA function? - I would!! So there you go, the future cash streams capitalised by a higher company specific risk embedded in the cap rate, would squarely result in a lower value. Hence, if I were a shareholder I would definitely be more pleased to know there is a fully functional and effective IA unit because the value of my shares in the company would most probably be perceived to be higher. If on the other hand the company does away with internal auditing, then that would increase the cap rate, meaning that I would risk less by way of investment capital in such a company to reap the same cash streams!


  1.  Tim got really nice perspective about the evolving role of IA from "supply driven" to "demand driven". Whichever IA  successfully manages this transformation will add the necessary value, otherwise there will probably be enormous lag between the objectives and the actions of the organization which may be triggered by the IA reccomendations.

  1. Norman has raised an interesting issue but has, in my view, left it unresolved. The board is paying for the services of Internal Audit. Is the cost of IA then same as what the board perceive the value? The analogy of valuing my house would suggest so. However, If the answer is yes, the value add by IA is (and will always remain) zero. If not, it brings us back to the original question - how does the board measure the value of IA? 

  1.  Asim, I don't think the value add is zero. The audit committee is willing to pay $x, but the cost may (and hopefully is) less.

    If you are willing to pay $50 to have your car washed and polished, does that mean no value is added. Presumably it is at least $50

  1. It all depends on the tone at the top. If the tone at the top is strong, resonnant and clear, then they will value internal audit. You can put a price on a luxury, but you can't put on a price on necessity. 

  1. Very thoght provoking (blog /replies). Earlier Indian cos saw internal audit as a complaince issue but now many look from the Value- at- risk perspective with the changing regulatory regime & very high volatility in the industry's busniness environment.  What is the cost of not having an internal audit/poor internal audit? I predict the next stage as cos rewording to say " What is the cost of not having a risk-based internal audit?"

Leave a Reply