If you were to ask your stakeholders to describe how internal auditing adds value, you might receive a different response from each person you talked to. The CEO might focus on recommendations for improving efficiency, while the chief financial officer might describe audit value in terms of cost savings.
One audit committee member might discuss independence and objectivity, while another might mention assurance. And a chief information officer might refer to your advice about a troublesome information security issue, but a human resources director might describe the value of internal audit as a pipeline for organizational leadership.
Each of their observations about internal audit value would likely be accurate, yet their conclusions regarding the overall value of internal audit might be very different depending upon their individual needs and expectations.
Everyone assesses internal audit value differently, and it’s not always easy for stakeholders to see the value of the strength internal audit adds to the control environment. When things are going well, they likely don’t appreciate the potential impact of mishaps that didn’t happen because of our work. But if something goes wrong — for example, a stakeholder needs help analyzing potential opportunities but instead receives a compliance review — it’s easy for them to see that their needs are not being met.
A while back, The IIA formed a task force to explore stakeholder expectations and determine what internal auditors should deliver in the way of value. Its recommendations described a “value proposition” for internal auditing based on three core concepts: assurance, insight, and objectivity. The task force pointed out that, by focusing on those concepts in our communications, we could help ensure that stakeholders understand the full value of our services.
According to the value proposition, internal auditing:
Internal auditors ignore those three elements at their own peril. The value proposition helps ensure that stakeholders appreciate the full scope of our contributions, and that we consider all of our stakeholders’ expectations. But the value proposition alone cannot guarantee that we deliver the services that best fulfill our stakeholders’ needs. As I’ve mentioned in previous blog posts, internal auditors can audit anything, but we can’t audit everything.
Sometimes, our stakeholders are looking for assurance. Sometimes, they are looking for insight. And, on occasion, they simply want objective advice. Their needs are constantly evolving, and they will ultimately judge our value based on how well we fulfill those needs at any point. If we haven’t struck the right balance between assurance and advisory work, for example, some stakeholders might question whether they are getting what they pay us for.
I learned this lesson during the early part of my career in internal review at U.S. Army Forces Command, when I completed a quality assessment of one of the command’s biggest internal review offices. After a comprehensive assessment of the department, it appeared that the internal review function was one of the best I had ever seen. The team’s work was consistently performed in accordance with relevant professional standards, and the quality of its work was impeccable.
I gave them high marks. So, imagine my surprise less than two years later when I learned that the department had been abolished and the chief audit executive reassigned to another area. I couldn’t believe it. I even imagined that the department might have fallen victim to a conspiracy of sorts — its work had been that good.
But when I asked around to find out what had happened, I learned that the commander, the chief of staff, and the controller had concluded that they weren’t getting value from the internal review office. It was a time when the Army was downsizing, and the internal review office became a casualty.
The lesson was clear: Our key stakeholders have the last word on whether we are doing our jobs well. And they judge an internal audit function not by how well run it is, but by the value it generates for them.
Evaluating emerging technologies; analyzing opportunities; assessing quality, economy, and efficiency; and providing accurate and timely communication are just a few of the activities that internal auditors perform every day. All of these services can have value. But ultimately it is for others to decide whether we are valuable to them. If they say we aren’t, the problem may be that we aren’t adding enough value to the organization, or it may be that we are haven’t helped our stakeholders appreciate the value we do add. In either case, we must address the problem before it is too late.