What does “effective” mean?
In our view, there are two key aspects to internal audit effectiveness: rigour and impact. We consider both in our reviews.
Technical capability, or the quality of Internal Audit’s work, is clearly a very important aspect. For example...
- … does Internal Audit have a robust approach?
- … has it the right skills and resources, and does it use the right tools?
- … does it have effective quality assurance processes to ensure its work is of a high standard?
Equally important is the impact that Internal Audit makes, and the value it adds to the organisation. For example…
- … is internal audit credible in the eyes of its stakeholders and does it make a difference?
- … does it support the work of the Audit Committees (and other board committees such as the Risk Committee)?
- … does management respond in the ‘right’ way when dealing with internal audit, and does it value and act on internal audit’s recommendations?
A technically solid internal audit function is not much good if it does not make a difference in the eyes of its stakeholders and if management disregards its recommendations. Nor is it appropriate if the function is highly regarded but its work is built on flimsy foundations. (We’ve seen both situations.) So, both the quality of its work and the impact it makes underpin an internal audit function’s effectiveness.
Additionally, the environment in which Internal Audit operates plays an important role. The audit committee’s support and challenge help shape internal audit’s effectiveness, as do management’s attitude and executive support. The way the first and second lines of defence work with internal audit will also influence its effectiveness. Our reviews, therefore, look at Internal Audit in context.
We believe that three simple but key questions are at the heart of the effectiveness of any internal audit function and form the basis of our approach to assessing effectiveness:
1. What is Internal Audit there to do?
We consider its role, remit and the context in which it operates – looking at, for example: Internal Audit’s responsibilities, charter, reporting lines, stakeholder expectations, alignment with other assurance activities, and coordination with the external auditors.
2. Is it equipped to do this?
We assess whether it is fit for purpose – looking at, for example: organisation structure, leadership, management, resources, tools, approach, strategy, plans, resource development, conflict management and independence.
3. Is it doing what it’s supposed to do?
We evaluate internal audit’s work and service delivery – looking at, for example: planning, execution, documentation, reporting, impact and relationships.
Simply put, our approach is to keep things simple.