You are on page 1of 8

Metrics by design

A practical approach
to measuring internal
audit performance

September 2014

At a glance
Expectations of Internal
Audit are rising.
Regulatory pressure is
increasing. Budgets are
tightening. Internal audit
scope is expanding. In
this environment Internal
Audit must always start
with delivering increased
value, but must also
demonstrate its value to
the organizationnot
just by showing how well
it runs its operations
but by capturing
and reporting the
contribution it is making
to the organization. To
do this well, leading
Internal Audit functions
are re-designing their
balanced scorecard of
metrics to better align
with what matters most
to stakeholders.

.
Introduction
Is your Internal Audit metric scorecard influencing the perception of
the value you deliver? Is your scorecard driving behaviors and results
that are perceived as valued by your organization? According to
PwCs 2014 State of the Internal Audit Profession Study, stakeholders
of organizations where internal audit functions are delivering at a
Trusted Advisor level (see Figure1) consistently report that they receive
a significantly higher level of value compared to those stakeholders
where Internal Audit is performing at the Assurance Provider level.
This paper explores how all internal audit functions, regardless of
where they operate along the continuum, can leverage metrics to
both communicate the value they are providing and drive results.

Figure 1: PwC internal audit operating continuum

Providing value-added services


Unrealized value Trusted and proactive strategic advice to
Align expectations advisor the business well beyond the
Build capabilities effective and efficient execution of
Deliver quality the audit plan
Increase value Insight Insight Taking a more proactive role
generator generator in suggesting meaningful
improvements and risk assurance

Problem Problem Problem Bringing analysis and perspective


solver solver solver on root causes of issues identified
in audit findings to help business
units take corrective action
Assurance Assurance Assurance Assurance Delivering objective assurance
provider provider provider provider of the effectiveness of an
organizations internal controls

Source: PwCs 2014 State of the Internal Audit Profession.

| A practical approach to measuring Internal Audit performance


Expectations are rising
Metrics must keep pace

Expectations of Internal Audit have and business analytics risk, just to


increased as companies find themselves name a few. Despiteor perhaps
in a more complex risk environment. because ofrising expectations,
In response, leading internal audit stakeholder perception of Internal
functions have transformed themselves Audit performance is relatively low.
to help their organizations manage Overall, senior management believes
risk more effectively. Evolving from Internal Audit performance should
being relied upon largely to meet improve. We found that only 63%
financial reporting compliance of senior management believes
requirements, Internal Audit is now Internal Audit is performing well
challenged to help the organization at focusing on critical risks, only
protect itself from risks ranging 50% believe they are delivering cost
from globalization of supply chains effective services and a mere 36%
to cybercrime. According to PwCs believe Internal Audit is leveraging
2014 State of the Internal Audit technology effectively. These are all
Profession Study more than 70% indicators that internal audit functions
of board members want Internal are either not keeping pace with
Audit more involved in technology, the changing risk environment and
security, reputational, and big data rising expectations or they are not
reporting the value being delivered
through the metrics they are using.

Figure 2: Performance of trusted advisors vs. assurance providers When we dug deeper into these
stakeholder perspectives, we found
an astounding difference in the
Focusing on critical risks and 53%
perceived value of internal audit
issues the company is facing 84%
functions performing more Trusted
Aligning scope and audit plan 64% Advisor types of services than
with stakeholder expectations 83% those performing more traditional
Assurance Provider services. As
Promoting quality 29% Figure2 illustrates, Trusted Advisors
improvement and innovation 73% are outpacing Assurance Providers at
Obtaining, training and/or performance on a wide range of areas
45%
sourcing the right level from their audit plan addressing the
68%
of talent for audit critical risks of the organization to
Leveraging technology leveraging technology effectively.
29%
effectively in the execution
51%
of audit services
As expectations have risen, leading
20% 40% 60% 80% 100% internal audit functions have not
only adjusted their core working
Percent of respondents indicating Internal Audit was
performing well
practices to keep pace, they are
also adjusting the metrics used to
Trusted advisors Assurance providers drive results and report value.

Source: PwCs 2014 State of the Internal Audit Profession.

PwC | 1
Never a one size fits all solution
But a common approach

Since expectations of Internal to change with an organizations such as adherence to budget, coverage
Audit vary widely across industries, evolving expectations (see Figure 3). of the plan and timeliness of report
geographies and company size, there issuance. While these metrics are
is no single set of best practice Establish and align metrics essential to stay on top of how the
metrics. That said, Chief Audit Starting from Internal Audits mandate function is operating, they are often
Executives (CAEs) of leading internal is essential as the mandate provides internally focused and dont align
audit functions follow a common clarity of the scope of services and to what stakeholders value most.
approach to designing their metrics. role of Internal Audit. From our Aligning metrics to stakeholder
They consistently align metrics to their research, Internal Audit tends to have expectations is not only important
mandate (that istheir strategy, vision mandates ranging from Assurance for Internal Audit, but has been true
and mission) as well as stakeholder Provider to Trusted Advisor, as of leading corporations for decades.
expectations. They establish clear represented in Figure 1. As such, Numerous companies are no longer
targets to provide more relevant and the most effective metrics, which in business because they missed
valued performance indicators of will vary based on where a function major market shifts as they focused
both their own operations as well as operates along this continuum, on internal performance rather than
perspectives on enterprise levels of clearly measure and communicate stakeholder (or market) expectations.
risk. Keeping metrics relevant ensures the value the internal audit function Conversely, corporations that focus
they are continually reporting the is providing to the organization as on stakeholder expectations have
value they deliver their function established by its specific mandate. remained relevant because they are
evolves and as their organizations opportunistic as expectations shift and
risk profiles change. In other words, Internal Audit functions have always proactive at addressing risks. The same
leading practice metrics are right had methods in place to assess the approach holds true for Internal Audit.
sized for the function and fluid departments operational performance Internal audit functions with metrics
that report the value they deliver to
stakeholders are receiving higher
Figure 3: Common metrics approach
performance marks from stakeholders.

Evaluate and sustain metrics


Establish and align metrics
When metrics are aligned with what
matters most to Internal Audits
Internal Audit mandate
(strategy, vision, mission) Sta stakeholders they drive results and
ke
ho performance that add value to the
l
organizationhowever, a balanced
de
re

approach is still needed. Leading


xp
ecta

internal audit functions not only


tions

Metrics purposefully design metrics that focus


by design on delivering superior operating
results, they focus on balancing
S e t rt t o
re p o

rd e

their scorecard across a few critical


ca th
tar

re nce

areas, such as process effectiveness,


g e dr

, l
iv m e
ts

Ba co
a

e
a c a s u re s
people, risk coverage and value. They
co a
unta n d also adapt the nature of the metrics
b ili t y
to be reflective of where they are
E v al operating along the internal audit
u ate a n d s ustain
continuum. While there is never a
Key enablers: one size fits all approach, we have
observed similar types of metrics used
People Process Technology by leading internal audit functions
across this continuum (Figure 4).
2 | A practical approach to measuring Internal Audit performance
Balance the scorecard the efficiency of the internal audit and different metrics are reported
department processes, while to others. The key is to select a
As metrics are identified across
important to drive internal operational succinct number of balanced metrics
the balanced scorecard, careful
efficiencies, may not be seen as critical that are appropriately tailored,
consideration should be given to
to senior management or the Audit tracked and reported to each of
ensure that the mix of internally
Committee when compared to metrics Internal Audits stakeholder groups.
focused and risk based/strategic
that measure the coverage of key or The considerations for balancing
metrics is appropriate and that the
emerging risks or involvement with the scorecard using appropriate
metrics are sufficiently tailored for
transformational initiatives. This metrics become more clear by
each unique stakeholder group.
may mean that certain metrics are looking closely at a few examples.
For example, metrics that measure
reported to one stakeholder group

Figure 4: Metrics considerations for the balanced scorecard

Illustrative Internal Audit balanced scorecard

% of audits and SOX testing Business process improvements resulting from Internal Audit
completed within schedule and on Level of management requested involvement with strategic initiatives
budget Stakeholder assessment and feedback themes compared with
% of completed audits that utilized expectations
Value

Value
data analytics Level of insight and proactive advice delivered
End of audit client satisfaction Training sessions or involvement with enhancing internal control/risk
survey results management knowledge of the organization

% of the audit plan aligned to major risk Visual representation of alignment of audit plan to individual
Risk coverage

Risk coverage
categories (i.e., financial, operational, enterprise risks
strategic, etc.) Level of focus on emerging risks or transformational initiatives
% of non-IT versus IT audits included in Alignment and coordination with other compliance functions
the plan (i.e., enterprise risk management, SOX compliance,
legal/compliance, etc.)

% of Internal Audit staff with relevant certifications Alignment of talent to enterprise risks
% of IT versus non-IT staff Leverage of subject matter specialists and
People

Internal Audit department turnover guest auditors People


Departmental headcount compared to budget Placement of internal audit staff into advanced Internal
Audit positions or rotation to the business

Overall Internal Audit department budget compared to Cost effectiveness of services


prior period % of audits where tools (i.e., data analytics,
Number of audits completed within the budgeted timing dashboards, databases, continuous auditing
effectiveness

effectiveness

Audit report findings by status and division routines, thought leadership, etc.) were provided
Process

Process

Audit report ratings issued during the period to the business


Number of days from fieldwork to report Number of audit findings remediated before
% of audits with internal quality review performed by the report issuance
end of fieldwork % of audits using data analytics to drive scoping
decisionsresulting in hour reductions

Assurance provider Problem solver Insight generator Trusted advisor

Note: The above illustrative balanced scorecard is not intended to be comprehensive, rather to provide areas to consider as functions build
their scorecard and to show the movement of metrics as functions operate along the Internal Audit Operating Continuum.
PwC | 3
Process effectiveness metrics are internal audit personnel within the tends to be on adherence to plan,
typically used to drive the behaviors organization. The latter metrics better with metrics such as the percentage
of the internal audit department as demonstrate that Internal Audit has of audits completed within budgeted
well as measure the responsiveness the right skills in place to address hours or cost savings generated.
of management to audit findings. A the key risks of the organization, is While these are certainly important
typical metric we see being used by deploying these resources in a strategic internal performance metrics, aligning
an Assurance Provider is reporting manner to add maximum value to stakeholder expectations of value
the number of audit findings by and that the function is delivering has been a key to enabling leading
division/location. While this metric against a mandate of training and internal audit functions enhancing
is excellent at reporting on the level developing talent for the organization. their brand. Examples of value-based
of issues by division, it can also result metrics shared with us included
in unintended consequences. For Risk coverage metrics are at the stakeholder feedback programs similar
example, when an internal audit heart of any well-balanced scorecard to brand health indices, process
department focuses too heavily and these metrics can either report improvement ideas generated and
on measuring audit findings by the facts (example, % of audits level of involvement with enterprise-
division it can result in an inordinate covering enterprise risks) or they wide strategic initiatives. These
amount of time debating ratings can focus on measuring the value of metrics, while more qualitative in
with management to improve risk coverage. One Trusted Advisor nature, provide greater measurement
the metric, versus addressing the CAE we spoke with shared how she of how Internal Audit is delivering
control improvements needed. In has adjusted Internal Audits top tier value as defined by its stakeholders,
comparison, some leading internal executive management and audit including greater transparency
audit functions are addressing this committee reporting metrics to better around its impact on the effectiveness
by focusing on metrics that evaluate demonstrate the interconnectivity and efficiency of the business.
the level of process and control of each enterprise risk to their audit
corrections made by management plan and audit findings. They now Set targets, measure and report
before reports are even issued. The report quarterly on each enterprise to drive accountability
resultgreater alignment between risk covered and the relevancy of audit Metrics are most relevant when
Internal Audit and stakeholders, findings in these areas to achieving they provide a basis for taking
more immediate improvement their business objectives. To create this action targeted at reducing risks
in the control environment and metric and gain alignment with the and improving the overall control
elimination of unproductive various management stakeholders, environment. To better report the
time spent debating ratings. the CAE also had to change individual value delivered and drive performance
audit reports to be reflective of these improvement, metrics need to be
People metrics are often crafted to same points of view. These changes reported in comparison to established
ensure that the right talent resides not only provided a better frame of targets and linked to the variety of
within the function. As we explored reference for their stakeholders as stakeholder expectations. Doing
these metrics, we found them to differ to the level of risk associated with so enables Internal Audit to better
widely across internal audit functions. audit findings, but also significantly demonstrate the value it is providing
A typical internally focused metric enhanced the value stakeholders to its various stakeholder groups.
might include measuring turnover were receiving from Internal Audit.
in the department and certifications And, of course, sustainable metrics
held. In contrast, leading practice Value metrics are the most difficult and their related targets need to
internal audit functions are focusing to develop and consistently measure, be evaluated periodically to ensure
on measuring alignment of talent but often are at the heart of the high continued relevancy. Routinely
with business risks and the critical marks stakeholders give on satisfaction assessing where Internal Audit
operations of the business, as well with Internal Audits performance. A stands relative to the metric targets
as measuring the advancement of common approach to report on value enables greater agility to either

4 | A practical approach to measuring Internal Audit performance


We have been working on enhancing our performance/value reporting matrix. The way Internal Audit
was capturing performance was very activity based and didnt allow us to speak to the outcomes we are
driving. Reporting on the number of audits, percent of recommendations implementedthese are fine
but they dont tell a story on value or the impact to the company. We continue to enhance our value-based
auditing and tie our work and performance metrics to the company value drivers. While our metrics are
evolving, I finally have a values based scorecardhard core, qualitative and quantitative elements that tie
back to the strategy of the company and how it performs.
Vice President Internal Audit, Major Retail Company

seize opportunities or intervene tracking and reporting applies to outline each metrics data source
when needed. If targets are both internally focused metrics and and frequency for updating, as well
consistently being exceeded they metrics that track the value Internal as ongoing validation. Undoubtedly,
may not be holding Internal Audit Audit is providing to the business. as internal audit functions strive to
or the organization to a high enough enhance their metrics, gathering
standard. The most successful CAEs we Enable through people, and/or obtaining new data will
spoke with recommend re-evaluating process and technology be a challenge. But similar to any
and refreshing metrics (and targets Creating the balanced metric scorecard other process improvement effort,
for each of the metrics) annually, in is only the beginning of the effort. performing a gap assessment of
conjunction with stakeholder feedback Having a meaningful metrics program the data sources needed, having
programs or strategic planning process. will perhaps mean cultural change, a roadmap for when the data will
and change must be managed through be available, and a stakeholder
Further, having a sustainable process communication plan for the timeline
people. CAEs will need to provide the
in place to measure and reward of revised metrics are the steps
vision for the future in which metrics
the function, the organization and that successful CAEs have taken.
will be aligned with stakeholder
internal audit team is of course an
expectations by creating a clear
important part of any effective metrics As reported in PwCs The Internal
communication plan that expresses
program. This includes holding the Audit Analytics ConundrumFinding
the future state and at the same time
department and the individuals your way through data significant
define the behavior that is expected.
within it accountable for results advancements have been made in
through linking departmental metrics When communicating metrics, the the availability, cost and ease of
to performance and compensation. audience should be clearly understood use of a variety of data analysis and
Leading practice internal audit and the method, frequency and visualization tools. Leading internal
departments clearly communicate the approach for reporting adjusted to audit departments are not only using
metrics to the team, visually display meet stakeholder needs. This includes these tools to improve the overall
progress against the metrics so that the leveraging data visualization to analyze efficiency of their audit process, they
team is continuously updated on the trends over time, depict progress are leveraging their capabilities to
overall progress and include metrics against targets, identify where actions accumulate and report metrics via
as a topic at department meetings to are required, and determine the details dashboarding and data visualization
demonstrate their importance. One on actions being taken as needed. that are more visually appealing
CAE we spoke with shared how he, and create a greater understanding
similar to many of the plant locations That said, without a sustainable of the value they are delivering.
within his company, has a bulletin process to gather the metrics data, Further, data visualization allows
board outside his office with the even the best change management Internal Audit to better demonstrate
internal audit department metrics plan will fail. To support metrics the interconnectivity of its metrics to
displayed to highlight the teams reporting, leveraging technology is a what matters most to stakeholders.
progress and areas for continuous must. Sustainable metrics programs
improvement. The key is that are supported by data plans that

PwC | 5
Whats next?
Making it matter

As expectations continue to rise, on its mandate, clarifying any


Internal Audit must keep pace ambiguity that may be present
by adjusting working practices across stakeholder groups. It opens
and demonstrating its value to the communication channels
the organization. To do this well, between the board, management
leading internal audit functions and Internal Audit on expectations
make sure they are contributing and performance. Furthermore,
to the organizations strategy it improves Internal Audits
and objectives and have well-run ability to rapidly adjust working
operations. Importantly, they also practices, seize opportunities to
track and communicate Internal take corrective action, and strive
Audits value to key stakeholders for continuous improvement.
by focusing on a succinct number
of balanced metrics that matter As Internal Audit sets objectives
the most and are tailored for in the coming year, make metrics
different stakeholder groups. an integral part of the discussion.
By purposefully designing metrics
Taking a fresh look at Internal that align to your mandate
Audit metrics can have significant and stakeholder expectations,
payoffs which lead to greater Internal Audit will be able to drive
value creation. Doing so aligns performance and communicate
Internal Audit and its stakeholders value in more meaningful ways.

Reach out to your PwC representative or the individuals below for a further dialogue around selecting,
tracking and reporting on the metrics that matter the most for your internal audit function.

Jason Pett Michelle Hubble Laura Koelzer


US Internal Audit Leader US Internal Audit Center of Director, Internal Audit
(410) 659 3380 Excellence Leader (312) 298 3179
jason.pett@us.pwc.com (309) 680 3230 laura.k.loelzer@us.pwc.com
michelle.hubble@us.pwc.com

www.pwc.com
2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to
the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC US helps
organizations and individuals create the value theyre looking for. Were a member of the PwC network of firms with more than 180,000 people in 145 countries.
Were committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/us.

MW-15-0204 JP