Despite the critical role it can play in a company’s GRC efforts, the Internal Audit function is traditionally considered a necessary cost that is justified solely in terms of risk avoidance. To maintain funding to operate and enhance the Internal Audit function, GRC executives must shift the Internal Audit focus from “risk” to “value.”
The Internal Audit Value Challenge
AMR Research reports in their recently released GRC in 2010 that “risk/costs of non-compliance” – traditional justification for operating budgets and incremental investment for the Internal Audit function – will drive only 20% of GRC investments in 2010. With 75% of Internal Audit budgets remaining stable or even increasing in 2010 according to the Institute of Internal Auditors (IIA)[1], the Internal Audit budget is likely to be scrutinized as “new normal” behaviors drive business executives to look for a tangible return on investment rather than just a mitigation of potential risk. To maintain relevance and secure funding, Internal Audit departments must shift some portion of their focus from “risk” to “value.”
Meeting the Challenge
The idea of Internal Audit creating value is not a new one. The IIA already envisions this focus as part of its International Professional Practices Framework when it states, “Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services.” This new focus on value creation is therefore well within the charter of most Internal Audit departments. The question is, will they be empowered by the business to execute on that charter.
Internal Audit programs often are created by the business to address a particular area of regulatory compliance or a known (or perceived) risk within the operations of the business. GRC executives can help introduce that new value focus for Internal Audit by incorporating consideration of potential business performance improvement opportunities and elements of the company’s competitive advantage into Internal Audit plans. For example:
- Internal Audit functions traditionally look at the maturity and effectiveness of business process controls through inquiry and various tests. This approach also represents the majority of the effort required to measure the maturity and efficiency of the business process itself, which can be achieved by leveraging models and data available from sources such as COSO and American Productivity and Quality Center (APQC). By expanding the Internal Audit charter and scope of audit in this way, it becomes possible for Internal Audit to drive business performance improvement as well as mitigate business risk.
- Similarly, many Internal Audit functions review the maturity and effectiveness of controls within the IT function and could similarly enhance their scope using readily available IT process maturity models available from ITIL, ISACA, PMI and other organizations to drive improvements in the maturity and efficiency of IT processes. This in turn would generate opportunities to increase service and reduce costs.
- The same competencies and much of the same data required for Internal Audit departments to review contract compliance can also be leveraged to review contract value and supplier performance, creating opportunities for improving the supply chain process and increasing inventory turns, as well as the potential to collect performance penalties from suppliers who have not met their commitments.
- Many of the existing controls in Internal Audit plans are focused on risk of loss, but additional controls may be developed, implemented and monitored to address risk of “lost opportunity,” which is inherently more recoverable. For example, existing controls over a quoting and bidding process may help to ensure that appropriate individuals were involved in the sign-off of a given contract. However, an additional set of controls could also focus on whether the pricing, profitability and other economic factors associated with bids and quotes were (or are being) met. If they have not been met, this would trigger a reevaluation process or even renegotiation of the bid.
- Another example of “lost opportunity” that could be recaptured by leveraging the existing Internal Audit investment is to consider the upside of reevaluating the credit-granting process to accept a higher level of credit risk, thereby expanding the customer base, billing a higher amount, or even garnering greater appreciation and goodwill from new customers. Where the Internal Audit function today may be empowered only to look for processes not being followed in credit granting, expanding their charter to question whether or not credit-granting polices are too stringent based on past results may help the company avoid leaving money on the table.
Next Steps
Take the potential value-creation capabilities of your Internal Audit function for a test drive by identifying a single business challenge or issue that a) might be addressed by increasing business process maturity; and b) that would require little or no incremental effort to address as part of an upcoming Internal Audit plan. An easy starting point might be to assess the maturity level of an underperforming business process to identify quick-hit performance improvement opportunities.
Building on the foundation of one such success, GRC executives can work with their business counterparts to identify opportunities to leverage the Internal Audit function to drive performance of other business processes or enable other strategic objectives of the business.
[1] Internal Auditing in 2010: Shifting Priorities for a Changing Environment, Institute of Internal Auditors, March 2010
PDF 
I strongly agree that an internal audit should focus on value creation. As a Head of Internal Audit, i usually look for process improvement and missed opportunites. For sharing you may visit my twitter account bhtay audit express or my blog bhtay at wordpress. Cheers!