What the IIA Study on Measuring Internal Auditing Value Tells Us

I recommend checking out The IIA’s 2010 Global Internal Audit Survey (free to members). Several reports have been issued to discuss the results of the survey in different areas. One is on Measuring Internal Auditing’s Value.

My congratulations, first, to The IIA and the project team for a well-produced and informative set of papers. There is much to absorb and consider.

But, we must recognize that the survey is only reporting what people are doing, not necessarily what they should be doing, or what leading practices are. Caution should be used, because organizations should not be striving to reach the middle.

The survey identified a number of areas where we should all be disappointed by current practices (in addition, I question how the report presents some of the survey results):

  • 10% did not believe their function was "credible" within the organization, and 20% did not have sufficient status within the organization to be effective.
  • More than 30% said their internal audit activities do not bring a systematic approach to evaluating the effectiveness of governance activities. (I doubt that 70% provide a formal opinion on governance activities, which I believe is an essential part of any evaluation).
  • 21% said the same about assessing risk management, and again I strongly doubt that 79% formally assess their organization’s risk management program.
  • 21% said their program failed to provide reliable information to management (all I can say is “Wow”).
  • The top measurement of internal audit performance was the percentage of audit plan completed. This certainly is a traditional method, but with risks changing all the time, adherence to an annual plan may simply be an indication that internal audit is blindly auditing what used to be the risks to the organization.
  • The second measurement was the number of recommendations accepted/implemented. A drive to exceed a quota of findings is a drive to failure. Internal audit should focus on assurance and adding value, not in the number of findings.

What did you like/dislike in the report? Did anything surprise you?

Posted on Apr 19, 2011 by Norman Marks

Share This Article:    

  1. great information to know, specially the 21% part related to audit involvement in assessing the risk management in the organization,and the same 21% of failure to provide reliable information . if i made the right link, this indicatesand proofs  that non risk based audit will result to insufficient and non added value audit activities.

    I dislike the measurement methods where internal audit assessed based on number of recommendations and completion of the audit plan. The audit plan will be always subject to change based on the new addressed risks in the organization and the sourrounding environment ( competition , laws , economy ...). adding to that the consulting activities and educating responsibilities that internal audit provides to the organization in relation to risk and control.


Leave a Reply