The Institute of Internal Auditors (IIA) requires an External Quality Assessment Review (EQAR) at least every five years for the Internal Audit Activity (IAA). As part of the review, assessors examine the internal audit activity and evaluate its conformance with the IIA standards. Additionally, areas of success and opportunities for performance enhancement are identified. When working with clients, we’ve found it most helpful to break down the performance evaluation into the following distinct areas: planning, people, metrics, and tools. Upon doing so, we’ve gathered several noteworthy observations for each performance area. Today’s area of focus is metrics.
Metrics Observations
We generally see IAAs that have an excellent audit plan and then fail to achieve it due to several common pitfalls. An IAA needs to know where it stands against the annual audit plan. Is it on schedule? Behind schedule? The pitfalls below are areas in which IAAs do not sufficiently measure and communicate their performance against their plan.
1) Insufficient Measurements
As the famous management guru W. Edwards Deming said, “If you can’t measure it, you can’t improve it.” Careful consideration of what is measured is therefore essential. An IAA may use only quantitative metrics, when it could also consider strategic and qualitative metrics, such as anecdotes of how the IAA provided value or assistance to the organization. Other IAAs use too few metrics or do not use a consistent standard for measurement. A small percentage have the wrong measures based on key stakeholder expectations and organizational needs.
The following questions should be considered:
- Does your list of metrics include a mix of quantitative, qualitative, and strategic metrics?
- What is valued in your organization? Do you have a measure for each of those values?
- Do you have a range of metrics that address the value you provide to the business or efficiency in performing quality engagements?
- Do you have a metadata standard for calculating consistent metrics across multiple years?
2) SALY (“Same as Last Year”) Metrics
“SALY” is the familiar auditor phrase for “Same as Last Year.” While some aspects of an organization may be the same as last year, an IAA function should evaluate its list of metrics annually to reflect areas that should be improved. Metrics that are easily met each year may need to be adjusted or replaced.
The following questions should be considered:
- Did you meet all your metrics last year? If so, should some be replaced or adjusted?
- What significant changes occurred in the organization, and how could that impact your metrics? For example, if the organization focuses on cost savings, should you add a metric to quantify your observation in this area?
- Based on auditee feedback you may receive in your QAIP, should you consider implementing a new metric to track improvement in that area?
3) Misalignment of IAA Metrics
Many IAAs measure the percentage of the audit plan they complete during the year. However, this measurement may cause an IAA to complete many engagements that do not provide value to the organization or sufficiently cover the top organizational risks. Therefore, the following questions should be considered:
- Do your metrics align with the IAA mission or vision? Can you properly link them to your annual IAA goals?
- Have you considered key stakeholder satisfaction, financial value, or audit coverage?
- Do you have a mechanism to obtain feedback from your stakeholders, e.g., interviews or a post-audit survey?
4) Lack of Communication of Results
An IAA can have a meticulously designed, managed, and monitored list of metrics. However, we have seen IAAs be hesitant to communicate the objective results to their stakeholders. Communicating results is a great marketing tool, and it is not used as often as it should be. It is important to share a holistic view with your stakeholders, which will help maintain mutual trust.
The following questions should be considered:
- Do you report your metrics to the audit committee on a quarterly or annual basis?
- Do you share successes with your stakeholders to enhance and fortify your value and credibility to the organization?
- Does your IAA have the means to share these successes through an intranet page or periodic newsletter?
Examples of Common IAA Metrics
Each IAA should tailor metrics that align with the organization’s values and goals. Here is a list of metrics to consider implementing for your IAA:
- Key Stakeholder Satisfaction
- Budget to Actual
- Timeliness of Issue Resolution
- Audit Coverage
- Repeat Findings
- Reissuance of Report
- Skill Sets and Credentials
- Succession Planning
How MorganFranklin Can Help
We work with our clients to provide an independent validation of the Internal Audit Activity and identification of opportunities to increase effectiveness, improve processes, and enhance credibility. Our methodology is built around complete support and encompasses benchmarking, best practices, templates, and tools to support business goals. To learn more about MorganFranklin’s EQAR, contact our experts below.