What is an Effective Internal Audit function?

As I write this article I reflect on what has been a big week for our profession with the publication of the new Internal Audit Standards as well as the publication of an article authored by me in the Chartered Institute of Internal Auditors magazine.

Firstly the article. Obviously I would urge all my readers to read it. You won’t be surprised that I continue to refer to culture. I see the culture of an organisation as the most fundamental success factor and as a profession we cannot afford to continue downplaying this theme. For those of you interested in hearing more I will be discussing this subject, in my capacity of President at the CIIA’s Welsh conference in Cardiff on January 24th and, for the first time in a long time internationally, at the Audit Masters in Lisbon in May where I will be performing “Auditing Culture - The Theatre Production”!

Now lets turn to the Standards which come into full force in January next year. Last week I spoke about the High Performing Internal Auditor. Today I want to speak about the Performing Internal Audit function and one particular facet. The new document requires internal audit functions to conform with these standards and related internal audit policies and procedures. But it doesn’t stop there. It also requires internal audit functions to meet meaningful performance standards.

In other words, conformance is not enough. It leaves the definition of performance to the market.

This is my contribution to defining performance. In making my suggestions I am very mindful that a successful profession has a “seat in the C-Suite”. To achieve this we need to be taken seriously and we need to be equipped to move the dial.

Please note that the standards also require the board to measure internal audit’s performance.

From my perspective a performing internal audit function is an effective internal audit function. An effective internal audit function is one that supports the board and management in avoiding surprises when it comes to management of risk. I would love to claim this standard as my own but it is not. This standard was first inculcated into me by a former dear colleague, Ian Overton .

To meet this lofty ideal, an internal audit needs to be equipped not only with a good knowledge of the business and its inherent risks but also with foresight (please refer to the Purpose of Internal Audit which explicitly refers to this word).

The way in which an internal audit function can meet this standard is a subject for another day but I do want to address the dimension of measurement. How do we know whether an internal audit function has met this standard?

We backtest!. A job for a quality assurance function in a large audit function and certainly a job for the External Quality Assurance profession.

We backtest from two perspectives.

Firstly we identify a material risk eventsthat has damaged our organisation and we identify whether our function raised control findings related to the underlying risk. If the answer is no, there is obviously room for improvement.

Secondly, we also focus on our peer competitors’ misery. We apply the same test to events that would have been material to us but happened to other firms. Once again, did our internal audit function raise findings. If the answer is yes then it’s champagne time. You certainly moved the dial an saved your organisation.

Do we stop here when it comes to defining an effective internal audit function?

Given that Rome wasn’t built in a day probably yes but I do want to flag one other dimension.

Is a function that raises findings with foresight that the board and management subsequently ignores effective?

Its a cloudy depressing dark day in London so enough blue sky thinking for the moment!