Delivering on the

MANAGEMENT

Promise Closer Look

Measuring Internal Audit Value and Performance

Jane Seago

Sponsored by
CBOK IIA–Charlotte Chapter
The Global Internal Audit IIA–Raleigh-Durham Chapter
Common Body of Knowledge IIA–Triad Chapter
 About CBOK

SURVEY FACTS T he Global Internal Audit Common Body of Knowledge (CBOK) is the world’s
largest ongoing study of the internal audit profession, including studies of inter-
nal audit practitioners and their stakeholders. One of the key components of CBOK
Respondents 14,518*
Countries 166 2015 is the global practitioner survey, which provides a comprehensive look at the
Languages 23 activities and characteristics of internal auditors worldwide. This project builds on two
previous global surveys of internal audit practitioners conducted by The IIA Research
EMPLOYEE LEVELS Foundation in 2006 (9,366 responses) and 2010 (13,582 responses).
Chief audit
Reports will be released on a monthly basis through July 2016 and can be
executive (CAE) 26%
downloaded free of charge thanks to the generous contributions and support from
Director 13% individuals, professional organizations, IIA chapters, and IIA institutes. More than
Manager 17% 25 reports are planned in three formats: 1) core reports, which discuss broad topics,
Staff 44% 2) closer looks, which dive deeper into key issues, and 3) fast facts, which focus on a
specific region or idea. These reports will explore different aspects of eight knowledge
*Response rates vary per
tracks, including technology, risk, talent, and others.
question.
Visit the CBOK Resource Exchange at www.theiia.org/goto/CBOK to download
the latest reports as they become available.

CBOK 2015 Practitioner Survey: Participation from Global Regions

Europe 23%

North
America 19%
Middle East
& North 8%
Africa South
Asia 5%

Latin East
America 14% Asia 25%
& Caribbean & Pacific
Sub-
Saharan 6%
Africa

Note: Global regions are based on World Bank categories. For Europe, fewer than 1% of respondents were from Central Asia.
Survey responses were collected from February 2, 2015, to April 1, 2015. The online survey link was distributed via institute email
lists, IIA websites, newsletters, and social media. Partially completed surveys were included in analysis as long as the demographic
questions were fully completed. In CBOK 2015 reports, specific questions are referenced as Q1, Q2, and so on. A complete list of
survey questions can be downloaded from the CBOK Resource Exchange.

2  ●  Delivering on the Promise

 Contents
CBOK
Knowledge
Tracks

Future

Executive Summary 4

Introduction 5
Global
Perspective 1 Delivering the Value of Internal Audit 7

2 Rating the Performance 9

3 Taking a Balanced Approach to Measurement

Governance Methods 11

4 Aligning Performance Perspectives between

Internal Audit and Stakeholders 13
Management
Conclusion 15

Appendix A 16

Risk Resources 22

Standards &
Certifications

Talent

Technology

www.theiia.org/goto/CBOK  ● 3
 Executive Summary

T he ever-increasing complexity of business in an always-on, globally connected

world means that there is a growing list of ways that internal auditors can deliver
value to their organizations. They can provide assurance over specific aspects of the
business, offer insights and recommendations to maximize return on organizational
activities, and present objectivity to decision makers—all of which deliver on internal
audit’s value proposition. However, as a practical matter, time and resources are lim-
ited. How can internal auditors identify and focus on the activities that are of most
value to their clients and key stakeholders?
This report presents a step-by-step process to ensure that expectations are under-
stood and agreed upon, and appropriate measures are developed to drive and track
performance. Readers can use it to compare their value and performance practices to
other organizations based on insights from the CBOK 2015 Global Internal Audit
Survey, the largest ongoing study of the internal audit profession in the world. These
insights can help practitioners at all levels deliver on the internal audit value proposi-
tion of assurance, insight, and objectivity.

4  ●  Delivering on the Promise

Introduction

I n 2010, The IIA recognized a need to capture a simple, memorable, and straight-
forward way to help internal auditors convey the value of their efforts to important
stakeholders, such as boards of directors, audit committees, management, and clients.
To that end, the association introduced the Value Proposition for Internal Auditing,
which characterizes internal audit’s value as an amalgam of three elements: assurance,
insight, and objectivity (see exhibit 1).
But identifying the conceptual elements of value is only part of what needs to be
done. How does that construct look in the workplace? What activities does internal
audit undertake that deliver the most value? What should be measured to determine
that the organization’s expectations of value are being met? How does internal audit
organize and structure the information that populates the metrics? And, most critically,
do the answers to all these questions align; that is, does internal audit’s perception of
its value, as measured and tracked, correlate with what the organization wants and
needs from the internal audit function?

Exhibit 1 The Internal Audit Value Proposition

ASSURANCE = Governance, Risk, Control

Internal audit provides assurance on the orga-
nization’s governance, risk management, and
control processes to help the organization
achieve its strategic, operational, financial, and
compliance objectives.

INSIGHT = Catalyst, Analyses, Assessments

Internal audit is a catalyst for improving an
organization’s effectiveness and efficiency by
providing insight and recommendations based
on analyses and assessments of data and busi-
ness process.

OBJECTIVITY = Integrity, Accountability, Independence

With commitment to integrity and accountability, internal audit provides value
to governing bodies and senior management as an objective source of inde-
pendent advice.

Source: The Internal Audit Value Proposition graphic is used by permission from The IIA.
All rights reserved.

www.theiia.org/goto/CBOK  ● 5
 These are the kinds of questions the CBOK 2015 global practitioner survey posed
to chief audit executives (CAEs) from around the world. The activities these CAEs
believe bring value to the organization are consistent with the three elements of The
IIA’s value proposition. In fact, the nine activities identified by CAEs as adding the
most value can be mapped directly to the three elements, as shown in exhibit 2.
However, in looking at the performance measures and tools used by the organi-
zation and the internal audit function, a gap appears to form between value-adding
activities and the ways performance is measured. This report explores that gap in
greater detail and clarifies the respondents’ view of value-adding activities, preferred
performance measures, and the methodologies and tools most commonly used to sup-
port internal audit’s quality and performance processes. Where appropriate, responses
tabulated by geographic regions and organization types are examined.
Finally, based on the findings, the final chapter of the report provides a series of
practical steps that practitioners at all levels can implement to help their internal audit
department deliver on its value proposition of assurance, insight, and objectivity.

Exhibit 2 The Internal Audit Value Proposition (mapped to response options from the CBOK
survey)

ASSURANCE ACTIVITIES
●● Assuring the adequacy and effectiveness of the internal
control system
●● Assuring the organization’s risk management processes
●● Assuring regulatory compliance
●● Assuring the organization’s governance processes

INSIGHT ACTIVITIES OBJECTIVE ADVICE ACTIVITIES

●● Recommending business ●● Informing and advising management
improvement ●● Investigating or deterring fraud
●● Identifying emerging risks ●● Informing and advising the audit
committee

Note: The activities listed in this graphic are from the response options to Q89: In your opinion, which are the five internal
audit activities that bring the most value to your organization? The Internal Audit Value Proposition graphic is used by
permission from The IIA. All rights reserved.

6  ●  Delivering on the Promise

1 Delivering the Value of Internal
Audit

I nternal audit practitioners around the

world are providing value to their orga-
nizations in a wide variety of ways. The
consensus on what constitutes value (see
exhibit 3).
It is probably no surprise that “assur-
CBOK 2015 practitioner survey listed 14 ing the adequacy and effectiveness of the
internal audit activities and invited CAEs internal control system” is the most com-
to select up to five that they believe bring monly selected activity by a wide margin,
the most value to their organizations. more than 30 percentage points higher
Nine of those 14 are noted as being used than the second most often indicated
by at least one-quarter of the respon- option. The usage of other activities was
dents, indicating a fairly broad global broadly distributed. As the colored bars

Exhibit 3 Audit Activities That Bring Most Value (CAEs Indicating Their Top Five Choices)

Assuring the adequacy and effectiveness 86%

of the internal control system

Recommending business improvement 55%

Assuring the organization's risk

53%
management processes

Assuring regulatory compliance 50%

Informing and advising management 40%

Identifying emerging risks 37%

Assuring the organization's governance processes 37%

Investigating or deterring fraud 29%

Informing and advising the audit committee 28%

0% 20% 40% 60% 80% 100%

Assurance activities Insight activities Objectivity activities

Note: Q89: In your opinion, which are the five internal audit activities that bring the most value to your organization? (Choose up
to five.) CAEs only. Purple bars are assurance activities, royal are insight, and green are objectivity, as related to The IIA’s Internal
Audit Value Proposition. n = 2,641.

www.theiia.org/goto/CBOK  ● 7
❝Most work on in exhibit 3 show, there is a mix of the
three elements of internal audit’s value
For the area of objectivity (or objective
advice, represented by green bars), about
assurance focuses proposition—assurance (purple), insight a third of respondents say their top five
on assessing the (blue), and objectivity (green)—but the value activities include “informing and
highest percentages are for assurance. advising management,” “investigating
effectiveness of
In the area of insight, more than half or deterring fraud,” or “informing and
controls (Is the of respondents say that “recommending advising the audit committee.”
control followed?) business improvement” is an important It is important to remember that
way they add value, which is a strong, survey respondents were asked to only
and less work or
positive sign that internal audit is going choose their top five activities, so they
no work at all is beyond assurance in many organiza- were limited in how many activities they
done on assuring tions. In addition, it is significant that could select. This means that they may be
more than one-third of the CAEs indi- involved in other areas, but they did not
the adequacy
cated “identifying emerging risks” as an choose them as a top five value driver.
of controls (Has important value-adding activity. This Value drivers can vary from one
the control been aligns with the current focus on risk- organization to the next for many rea-
based auditing, says Tania Stegemann, sons: industry sector, organization type,
designed properly
executive audit manager, CIMIC Group management preferences, geographic
to mitigate risk?). Ltd, Melbourne, Australia. “It is critical region, and regulatory requirements, to
If auditors are to that auditors understand the key risks name a few. For details on value-adding
facing the organization as well as the key internal audit activities by organization
add value to the
controls in place. This is fundamental to and region type, see exhibit A1 and
business, they risk-based auditing and should form the exhibit A2 in the appendix.
should not only basis of the annual audit plan.”
assess whether
a procedure is
followed but also
determine whether
that procedure can
mitigate the risk. ❞
—Augustino Mbogella,
Chief Internal Auditor, NMB,
Dar es salaam, Tanzania

8  ●  Delivering on the Promise

2 Rating the Performance

B ecause of the nature of internal

auditing, perhaps few professions
are more aligned with the conventional
question on the measures used to evalu-
ate internal audit’s value.
The respondents were offered nine
management wisdom “you can’t manage response options for the question “What
what you can’t measure.” Add to that the specific measures does your organization
secondary precept “what gets measured use to evaluate the performance of its
gets done” and it is not surprising that internal audit activity?” and invited to
the CBOK survey included a detailed select all that apply (see exhibit 4). The

Exhibit 4 Measures Used for Internal Audit Performance (CAEs Choosing All That Apply)

Percentage of audit plan complete 66%

Timely closure of audit issues 42%

Completion of mandated coverage 41%

Client satisfaction goals 38%

The fulfillment of specific expectations set 32%

and agreed to with key stakeholders

Budget to actual audit hours 29%

Performance against the internal 23%

audit financial budget

Cycle time from end of fieldwork to final report 23%

Cycle time from entrance conference to draft report 19%

We have not established formal

15%
performance measures.

Other 10%

0% 20% 40% 60% 80%

Inward-facing measures Outward-facing measures Other

Note: Q90: What specific measures does your organization use to evaluate the performance of its internal audit activity? (Choose
all that apply.) Green bars are inward-facing measures, purple bars are outward-facing measures, and gray are other options. CAEs
only. n = 2,641.

www.theiia.org/goto/CBOK  ● 9
 top selection, by a considerable margin, value of those activities by others. On
was “percentage of audit plan complete,” the other hand, it is encouraging to see
chosen by 66% of respondents (this per- that one outward-facing measure—client
centage was similar to the CBOK 2010 satisfaction goals—came in at a close
survey results). “Timely closure of audit fourth place, selected by 38% of respon-
issues” and “completion of mandated dents. This means that many CAEs are
coverage” were virtually tied for a some- connecting their value with their stake-
what distant second at just over 40%. holder needs. Another 32% say they also
In considering the meaning of these measure their value by “the fulfillment
top three choices, it is useful to note the of specific expectations set and agreed
difference between inward-facing and to with key stakeholders,” another out-
outward-facing measures. Inward-facing ward-facing measure.
measures focus on how work is done At the same time, a cause for con-
internally and, very generally speaking, cern may be the fact that 15% indicate
tend to incline toward administrative effi- that no formal measures of value have
ciency. Outward-facing measures focus been established. This fairly substantial
on the customer’s satisfaction (the ulti- percentage would be surprising if the
mate recipient of the benefits provided responses include those who are not in
by the activity) and incline toward effec- management; the fact that all respon-
tiveness. Both types of measures reveal dents to this question are CAEs makes it
important and actionable information. even more perplexing. Those in the 15%
In the case of the results illustrated in category may wish to consider the rami-
exhibit 4, it is important to note that fications of the absence of measures: lack
the top three metrics are inward-facing. of measurements make it more difficult
They focus on completion of tasks as to be in conformity with IIA Standard
the primary indicators that the internal 1311: Internal Assessments, and they risk
audit function is delivering value. This not knowing the quality of their efforts
task-specific focus looks more at a “to-do (or the organization’s perception of that
list” and less on the perception of the quality).

10  ●  Delivering on the Promise

3 Taking a Balanced Approach to
Measurement Methods
❝In my audit
practice, we
M easures can become addictive. In
their book, Measurement Madness:
Recognizing and Avoiding the Pitfalls of
there is a strong, positive increase in the
outward-facing measure. In the CBOK
2010 practitioner survey, only 9% indi-
recommend Performance Measurement, the authors cated that they used customer surveys to
business point out the ramifications of mea- gather information about how internal
surements that are out of control.* audit activities were perceived, while in
improvement Unrestrained measures can provide too 2015, the rate increased to 50%.
through a variety much data but not enough information. Another considerable change from
of ways. Some are They can proliferate and thereby add 2010 is the use of the balanced scorecard,
confusion and cost but little clarity. Most increasing from 4% to 26% globally.
hard to measure, important, they can fail to drive perfor- This result is in line with the expectations
such as compliance mance. Measures should exist to clarify a of the 2010 respondents who selected
assurance, but we business situation, opportunity, or chal- balanced scorecard as the approach they
lenge, not simply exist for their own sake. most anticipated would have greater
do try to estimate With that in mind, how do the measures usage “five years from now.”
a dollar value being used by organizations and internal The use of a balanced scorecard in
where possible auditors stack up against the desired goal support of internal audit’s quality and
of realizing value from the internal audit value efforts is on the rise globally, and
by quantifying function? this increased focus may help support
cost reduction, The two most popular methods among internal audit’s efforts to be responsive to
cost avoidance, survey respondents were “surveys of audit key stakeholder needs. This outcome may
clients” (an outward-facing approach) be achieved as a result of the balanced
and the revenue and “internal quality assessments initi- scorecard’s recognition that an organi-
enhancement ated by internal audit” (an inward-facing zation’s success hinges on more than
impact of our approach) (see exhibit 5). Because these simply financial outcomes. The balanced
top two assessments represent both an scorecard approach calls for examination
work. ❞ inward-facing and an outward-facing of and measures for three other perspec-
approach, it is a positive indicator of a tives as well: customer, internal business
—Karen Begelfer, Vice
balanced approach among those who are processes, and learning and growth. This
President, Corporate Audit
Services, Sprint Nextel gauging their performance. In addition, broader perspective renders the balanced
Corporation, Kansas City, scorecard a strategic leadership tool,
Missouri, USA not just a tactic to achieve a narrowly
*  Dina Gray, Pietro Micheli, and Andrey defined objective. To be successful in
Pavlov, Measurement Madness: Recognizing
an internal audit environment, use of
and Avoiding the Pitfalls of Performance
Measurement (West Sussex, United Kingdom: the balanced scorecard requires linking
John Wiley & Sons, 2015). the internal audit strategy to enterprise

www.theiia.org/goto/CBOK  ● 11
Exhibit 5 Methods Used to Support Performance

Surveys of audit clients 50%

Internal quality assessments initiated by internal audit 47%

Surveys of key stakeholders 28%

External quality assessments initiated by internal audit 27%

Balanced scorecard 26%

Peer reviews 20%

Reviews from external regulators 18%

Reviews by your organization's 13%

internal quality assurance function
Other 10%

Not applicable 15%

0% 10% 20% 30% 40% 50%

Inward-facing measures Outward-facing measures Other

Note: Q91: Which of the following methodologies and tools do you use to support your quality and performance processes?
(Choose all that apply.) Green bars are inward-focused methods and purple bars are outward-focused measures. CAEs only.
n = 2,641.

strategy, and then translating the strategy For results about measures and meth-
of the internal audit function into appro- odologies by geographic region and
priate balanced scorecard performance industry type, see exhibits A3 through
measures. A6 in the appendix.

12  ●  Delivering on the Promise

4 Aligning Performance
Perspectives between Internal
Audit and Stakeholders
❝When developing
performance
T he Performance Measurement
Triangle provides a good visual-
ization of how to align performance
arrows). “The CAE needs to understand
the expectations of the audit committee
and board,” notes Stegemann. “What is
measures, the expectations between internal audit and considered as adding value for one orga-
internal audit stakeholders (see exhibit 6). The key is nization may differ for another.”
to bring different perspectives together Therefore, in the spirit of “what gets
activity should
through effective communication. measured gets done,” following are a set
consider: How Internal audit and stakeholders need to of action steps to help internal audit align
effectively are collaborate to agree on what activities its value drivers with stakeholder expec-
add value (see the red arrows). Then tations and create a measurement system
the performance
they can agree on the best performance that reflects all aspects of the internal
measures linked measures for these activities (see the gold audit value proposition.
to the internal
audit activity’s
Exhibit 6 The Performance Measurement Triangle
strategy? ❞
—The IIA’s Practice Value-
Guide, Measuring Internal Adding
Audit Effectiveness and Activities
Efficiency (Altamonte
Springs, FL: The Institute
of Internal Auditors, 2010).
www.global.theiia.org

Performance
Measures

Stakeholder Internal Audit

Perspectives Perspectives

Note: Internal audit and stakeholders have their own perspectives about value, so they need
to collaborate in order to agree on value-adding activities and how to measure them.

www.theiia.org/goto/CBOK  ● 13
 4. Start measuring. Implement tools
❝When you want to Steps to Align Performance
Measures and Value-Adding and methodologies to capture and
know how stake- Activities
track internal audit’s performance
holders rate your against the value drivers and the
1. Learn the customer’s expectations.
internal quality standards. Be sure
performance, Internal auditors cannot deliver
to address the non-assurance aspects
you need to do expected value unless they know spe-
of internal audit’s work by devising
cifically how management and key
more than send a way to obtain feedback from key
stakeholders define value. The only
stakeholders on qualitative and advi-
out a feedback way to find out is to ask. Interview
sory activities.
survey. We ask key stakeholders (members of the
board and the audit committee) 5. Report back. Make sure that stake-
an independent and executive management and use holders whose input formed the list
party to sit with those responses to develop a list of of value-driving activities outlined
our stakeholders what they indicate are value-adding in step 1 are regularly informed of
activities. the internal audit function’s status
for a focused and performance against their
2. Validate your understanding.
conversation. ❞ Review the list developed in step
expectations.
1 with the key stakeholders whose 6. Repeat the cycle. Periodically (at
—Robert Kella, Senior Vice
interview comments helped create the least annually) reconfirm the expec-
President of Internal Audit
for Emirates Group, Dubai, list and secure their agreement that it tations with the key stakeholders and
United Arab Emirates is an accurate and complete reflection update the list of value-adding activi-
of value expected from the internal ties as necessary. Support any updates
audit function. with new performance measures.
3. Develop outward-facing and
Remember that successful application
inward-facing performance
of these steps requires use of one of the
measures.
most important skills internal auditors
a. Outward-facing measures: For must possess: communication. Listening
each value activity, develop one or to stakeholders enables internal auditors
more outward-facing performance to craft measurements and methodol-
measure that provides a clear, ogies that reflect stakeholder priorities.
repeatable, and accurate view of Reporting back to them on status and
how well the activity delivered the performance of the identified activities
expected value for the stakeholder. demonstrates internal audit’s competence
and collaborative spirit. Value is thus
b. Inward-facing measures: There
realized on both sides of the equation,
are many critical, inward-facing
and the organization is the ultimate
activities that internal audit must
beneficiary.
undertake to keep its activities in
order. Develop performance mea-
sures for those activities.

14  ●  Delivering on the Promise

Conclusion

T he CAEs who participated in the CBOK 2015 practitioner survey clearly under-
stand that the success of the internal audit function—defined in this case as
meeting stakeholder expectations for value—depends on more than completed audits.
While operational expertise (reflected in completing audits on time and closing audit
issues on schedule) is valuable and therefore measured, other activities such as advising
and recommending are also part of internal audit’s contribution to the organization. To
provide the highest level of service to their organizations, internal auditors should col-
laborate with their stakeholders to align performance measures to their top priorities.

www.theiia.org/goto/CBOK  ● 15
Appendix A

Exhibit A1 Audit Activities That Bring Most Value (Organization Type View)

Public sector
global average)

Financial (including
Ranking (by

sector Privately Publicly government

(privately held traded agencies and
held and (excluding (excluding government- Not-for-
publicly financial financial owned profit
Value-Adding Activities traded) sector) sector) operations) organization Average
Assuring the adequacy and
1 effectiveness of the internal 90% 85% 88% 84% 82% 87%
control system

Recommending business
2 49% 57% 57% 57% 54% 55%
improvement

Assuring the organization's

3 61% 51% 51% 50% 47% 53%
risk management processes

Assuring regulatory
4 62% 44% 42% 51% 59% 50%
compliance

Informing and advising

5 33% 38% 40% 46% 43% 40%
management

6 Identifying emerging risks 39% 41% 30% 39% 39% 37%

Assuring the organization's

7 36% 37% 36% 41% 26% 37%
governance processes

Investigating or deterring
8 20% 38% 34% 24% 32% 29%
fraud

Informing and advising the

9 35% 21% 33% 23% 36% 28%
audit committee

Note: Q89: In your opinion, which are the five internal audit activities that bring the most value to your organization? (Choose up
to five.) CAEs only. Red indicates a percentage significantly below the global average and blue indicates a percentage significantly
above. Only the nine most popular choices are shown. n = 2,641.

AUDIT ACTIVITIES THAT BRING MOST VALUE:

DIFFERENCES AMONG ORGANIZATION TYPES

●●In the financial sector, internal auditors tend to focus more on assurance activities than on insight or objec-
tive advice.

●●For privately held and publicly traded organizations that are not in the financial sector, internal auditors
tend to focus less on “assuring regulatory compliance” and more on “investigating or deterring fraud.”

16  ●  Delivering on the Promise

Exhibit A2 Audit Activities That Bring Most Value (Region View)
global average)

Global Average
North America

Latin America
Middle East &

Sub-Saharan
North Africa

& Caribbean
Ranking (by

East Asia &

South Asia
Europe

Pacific
Africa
Value-Adding Activities
Assuring the adequacy and effectiveness of the internal
1 86% 82% 91% 96% 86% 85% 89% 87%
control system

2 Recommending business improvement 57% 58% 48% 39% 55% 56% 56% 55%

3 Assuring the organization's risk management processes 56% 50% 64% 51% 62% 34% 62% 53%

4 Assuring regulatory compliance 43% 46% 57% 70% 57% 46% 57% 50%

5 Informing and advising management 43% 32% 32% 24% 38% 51% 29% 40%

6 Identifying emerging risks 42% 36% 44% 43% 29% 33% 42% 37%

7 Assuring the organization's governance processes 36% 46% 49% 39% 43% 24% 39% 37%

8 Investigating or deterring fraud 27% 25% 26% 34% 31% 28% 34% 29%

9 Informing and advising the audit committee 26% 28% 30% 21% 16% 45% 24% 28%

Note: Q89: In your opinion, which are the five internal audit activities that bring the most value to your organization? (Choose up
to five.) CAEs only. Red indicates a percentage significantly below the global average and blue indicates a percentage significantly
above. Only the nine most popular choices are shown. n = 2,605.

AUDIT ACTIVITIES THAT BRING MOST VALUE: DIFFERENCES AMONG REGIONS

●●Respondents in North America assign a lower value to “assuring the organization’s risk management pro-
cesses” than any other global region.

North America was relatively late in adopting formal enterprise risk management (ERM) processes
and assurance of the risk management framework by internal audit, while other areas of the world
have been using risk management standards since the late 1990s.

●●In South Asia, the highest priority after “assuring the adequacy and effectiveness of the internal control
system” is overwhelmingly “assuring regulatory compliance.”

The South Asia region consists primarily of India, where new regulatory requirements for internal
audit have recently been implemented. In India, all listed companies (plus certain unlisted public com-
panies and private companies that fulfill specific conditions) are required by the Companies Act 2013
to appoint an internal auditor (whether an employee or an external agency) to undertake internal
audit activities. The way the legal requirement is currently structured, the duties and responsibilities
of the internal auditor are not yet stipulated, which may account for emphasis on assuring regulatory
compliance.

www.theiia.org/goto/CBOK  ● 17
Exhibit A3 Measures Used for Internal Audit Performance (Organization Type View)

Public sector
(including
Financial government
sector Privately Publicly agencies
(privately held traded and
held and (excluding (excluding government- Not-for-
publicly financial financial owned profit
Performance Measures traded) sector) sector) operations) organization Average

Percentage of audit plan complete 73% 66% 65% 65% 55% 66%

Timely closure of audit issues 46% 45% 45% 37% 37% 42%

Completion of mandated coverage 44% 39% 44% 39% 41% 41%

Client satisfaction goals 38% 36% 39% 38% 35% 38%

The fulfillment of specific expectations

33% 34% 33% 27% 38% 32%
set and agreed to with key stakeholders

Budget to actual audit hours 34% 27% 26% 29% 28% 29%

Performance against the internal audit

26% 21% 25% 21% 20% 23%
financial budget

Cycle time from end of fieldwork to

26% 21% 26% 19% 21% 23%
final report

Cycle time from entrance conference to

19% 17% 18% 23% 16% 19%
draft report

We have not established formal

10% 15% 14% 18% 20% 15%
performance measures.

Other 11% 9% 11% 11% 9% 10%

Note: Q90: What specific measures does your organization use to evaluate the performance of its internal audit activity? (Choose
all that apply.) CAEs only. Red indicates a percentage significantly below the global average and blue indicates a percentage
significantly above. n = 2,641.

MEASURES USED FOR INTERNAL AUDIT PERFORMANCE:

DIFFERENCES AMONG ORGANIZATION TYPES

●●When performance measures are viewed according to organization type, most of the significant differences
disappear.

This result suggests that the differences between regions may be related more to the different mix
of organization types than to cultural variances. Expressed another way, the most logical ways of
measuring internal audit performance may be tied more closely to organization type than to regional
distinctions.

18  ●  Delivering on the Promise

Exhibit A4 Measures Used for Internal Audit Performance (Region View)

Latin America &

Global Average
North America
Middle East &

Sub-Saharan
North Africa

East Asia &

South Asia

Caribbean
Europe

Pacific
Africa
Performance Measures
Percentage of audit plan complete 64% 69% 82% 69% 66% 56% 76% 66%

Timely closure of audit issues 43% 46% 46% 64% 38% 41% 43% 42%

Completion of mandated coverage 34% 47% 53% 63% 52% 35% 41% 42%

Client satisfaction goals 39% 39% 45% 34% 34% 40% 33% 38%

The fulfillment of specific expectations set and agreed to with key stakeholders 28% 31% 42% 46% 26% 35% 37% 32%

Budget to actual audit hours 25% 40% 30% 30% 30% 29% 32% 29%

Performance against the internal audit financial budget 19% 20% 32% 16% 21% 31% 20% 23%

Cycle time from end of fieldwork to final report 21% 25% 24% 30% 24% 23% 22% 23%

Cycle time from entrance conference to draft report 18% 30% 17% 22% 17% 19% 22% 19%

We have not established formal performance measures. 17% 11% 7% 7% 15% 18% 13% 15%

Other 11% 8% 10% 6% 8% 13% 8% 10%

Note: Q90: What specific measures does your organization use to evaluate the performance of its internal audit activity? (Choose
all that apply.) CAEs only Red indicates a percentage significantly below the global average and blue indicates a percentage
significantly above. n = 2,605.

MEASURES USED FOR INTERNAL AUDIT PERFORMANCE: DIFFERENCES AMONG REGIONS

●●For nearly every region, the measure that outweighs all others is “percentage of audit plan complete.”

●●The use of “client satisfaction goals” is remarkably consistent across all regions—ranging from 33% to 45%.

This represents broad agreement that effectiveness in advising and recommending activities depends
on a thorough understanding of what the client hopes to gain from the internal audit activity.

●●The Sub-Saharan Africa and Latin America & Caribbean areas show a significantly higher reliance on the
“percentage of audit plan complete” as a way to evaluate the value delivered by internal audit.

One possible explanation is that organizations in the region generally match salaries or benefits to a
unit’s performance. Organizations tend to find the percentage of audit plan completed the easiest and
most direct way to measure internal audit’s performance, similar to the way other units are measured
by their percentage of objectives completed. Clearly, more sophisticated measures exist to measure
added value, but they may be less readily understood or accepted throughout the organization.

www.theiia.org/goto/CBOK  ● 19
Exhibit A5 Methods Used to Support Quality and Performance (Organization Type)

Public sector
Financial (including
sector Privately Publicly government
(privately held traded agencies and
held and (excluding (excluding government- Not-for-
Methods That Support publicly financial financial owned profit
Performance traded) sector) sector) operations) organization Average

Surveys of audit clients 52% 46% 51% 53% 47% 50%

Internal quality assessments initiated

53% 39% 43% 52% 46% 47%
by internal audit

Surveys of key stakeholders 28% 28% 27% 29% 30% 28%

External quality assessments initiated

34% 23% 23% 30% 20% 27%
by internal audit

Balanced scorecard 26% 29% 22% 25% 24% 26%

Peer reviews 18% 20% 17% 25% 22% 20%

Reviews from external regulators 36% 10% 8% 18% 16% 18%

Reviews by your organization's

13% 13% 10% 14% 13% 13%
internal quality assurance function

Other 10% 11% 11% 10% 13% 10%

Not applicable 11% 17% 18% 12% 15% 15%

Note: Q91: Which of the following methodologies and tools do you use to support your quality and performance processes?
(Choose all that apply.) CAEs only. Red indicates a percentage significantly below the global average and blue indicates a
percentage significantly above. n = 2,641.

METHODS USED TO SUPPORT QUALITY AND PERFORMANCE:

DIFFERENCES AMONG ORGANIZATIONS

●●Privately held organizations were less active than average for “internal quality assessments initiated by
internal audit,” “external quality assessments initiated by internal audit,” and “reviews from external regula-
tors.” In these same areas, the financial sector was more active.

●●Public sector respondents exceeded all other organization types for “peer reviews.”

20  ●  Delivering on the Promise

Exhibit A6 Methods Used to Support Quality and Performance (Region View)

Latin America
Middle East &

Sub-Saharan
North Africa

& Caribbean
East Asia &
South Asia

America

Average
Europe

Pacific

Global
Africa

North
Methods That Support Performance
Surveys of audit clients 51% 47% 53% 51% 43% 56% 51% 50%

Internal quality assessments initiated by internal audit 48% 49% 55% 37% 43% 51% 39% 47%

Surveys of key stakeholders 26% 30% 31% 34% 26% 32% 26% 28%

External quality assessments initiated by internal audit 35% 28% 25% 21% 17% 33% 18% 27%

Balanced scorecard 22% 31% 39% 31% 23% 20% 34% 26%

Peer reviews 19% 20% 28% 36% 18% 19% 21% 20%

Reviews from external regulators 17% 20% 22% 12% 15% 18% 21% 18%

Reviews by your organization's internal quality assurance function 9% 13% 19% 16% 20% 5% 18% 13%

Other 11% 6% 9% 12% 9% 12% 11% 10%

Not applicable 14% 17% 5% 15% 20% 16% 12% 15%

Note: Q91: Which of the following methodologies and tools do you use to support your quality and performance processes?
(Choose all that apply.) CAEs only. Highlighted cells show the general relationship between “external quality assessments initiated
by internal audit” compared to “reviews by the organization’s internal quality assurance.” Red indicates a percentage significantly
below the global average and blue indicates a percentage significantly above. n = 2,605.

METHODS USED TO SUPPORT QUALITY AND PERFORMANCE:

DIFFERENCES AMONG REGIONS

●●The “balanced scorecard” appears to be especially favored in the Sub-Saharan Africa and Latin America &
Caribbean areas, but not so widely used in North America and Europe.

In Sub-Saharan Africa and Latin America & Caribbean, the balanced scorecard is a relatively new con-
cept widely recognized as a good management practice. In North America, the balanced scorecard
may have been replaced or supplemented by the more abbreviated dashboard approach.

●●Regions with higher rates of review by their organization’s quality assurance function tend to have lower
levels of “external quality assessments initiated by internal audit” and vice versa (see highlighted cells).

This would tend to indicate that internal audit may need to explain to its stakeholders the value of
external quality reviews and that internal quality reviews cannot be a substitute for external quality
reviews, which are required for conformance with the Standards at least every five years.

www.theiia.org/goto/CBOK  ● 21
 Resources

The Balanced Scorecard: Applications in Internal Auditing and Risk Management by

Mark L. Frigo (Altamonte Springs, FL: The Institute of Internal Auditors Research
Foundation, 2014).

Become a Strategic Internal Auditor: Tying Risk to Strategy by Paul L. Walker (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation, 2014).

The IIA’s Practice Guide, Measuring Internal Audit Effectiveness and Efficiency
(Altamonte Springs, FL: The Institute of Internal Auditors, 2010). www.global.theiia.org

Insight: Delivering Value to Stakeholders by Patty Miller and Tara Smith (Altamonte
Springs, FL: The Institute of Internal Auditors Research Foundation, 2011).

Job Satisfaction for Internal Auditors: How to Retain Top Talent by Venkataraman Iyer
(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation,
2014).

Keeping Quality in Focus Through Internal Assessments (Altamonte Springs, FL: The
Institute of Internal Auditors, Audit Executive Center, 2014). www.theiia.org/cae

“Options for Using the Value Proposition for Internal Auditing” (Altamonte Springs,
FL: The Institute of Internal Auditors, 2012).

Quality Assessment Manual for the Internal Audit Activity by Patrick Copeland, Donald
Espersen, Martha Catherine Judith Grobler, and James Roth (Altamonte Springs, FL:
The Institute of Internal Auditors Research Foundation, 2013).

Value and Competency—The Stakeholder Perspective: Insights for Internal Auditors and
Management by Vu H. Pham and Betsy Bosak (Altamonte Springs, FL: The Institute
of Internal Auditors Research Foundation, 2013).

22  ●  Delivering on the Promise

About the Project Team

About the Author

Jane Seago is a technical and business writer who focuses on information systems
audit, information security, IT governance, internal audit, enterprise risk, data privacy,
and cybersecurity topics.

CBOK Development Team

CBOK Co-Chairs: Primary Data Analyst: Dr. Po-ju Chen

Dick Anderson (United States) Content Developer: Deborah Poulalion
Jean Coroller (France) Project Managers: Selma Kuurstra and
Practitioner Survey Subcommittee Chair: Kayla Manning
Michael Parkinson (Australia) Senior Editor: Lee Ann Campbell
IIARF Vice President: Bonnie Ulmer

Report Review Committee

Karen Begelfer (United States) Charles Saunders (United States)

María José Ferres (Uruguay) Tania Stegemann (Australia)
Augustino Mbogella (Tanzania)

Acknowledgments

The IIARF appreciates contributions to the development of this report made by Dick
Anderson (United States) and Serge Van Herpen (Netherlands). In addition, The
IIARF thanks Jørgen Bock (Norway), Robert Kella (United Arab Emirates), and Karen
Begelfer (United States) for providing their perspectives for this report via interviews.

Sponsorship

The IIARF thanks IIA–Charlotte Chapter, IIA–Raleigh-Durham Chapter, and

IIA–Triad Chapter for partnering together to sponsor this project.

www.theiia.org/goto/CBOK  ● 23
 About The IIA Research Foundation

Your CBOK is administered through The IIA Research Foundation (IIARF), which has
provided groundbreaking research for the internal audit profession for the past four
Donation
decades. Through initiatives that explore current issues, emerging trends, and future
Dollars at needs, The IIARF has been a driving force behind the evolution and advancement of
Work the profession.
CBOK reports are
available free to Limit of Liability
the public thanks
to generous The IIARF publishes this document for information and educational purposes only.
contributions IIARF does not provide legal or accounting advice and makes no warranty as to any
from individuals,
legal or accounting results through its publication of this document. When legal or
organizations, IIA
chapters, and IIA accounting issues arise, professional assistance should be sought and retained.
institutes around the
world. Contact Us

The Institute of Internal Auditors Global Headquarters

Donate to
247 Maitland Avenue
CBOK Altamonte Springs, Florida 32701-4201, USA
www.theiia.org/goto/
CBOK Copyright © 2015 by The Institute of Internal Auditors Research Foundation (IIARF).
All rights reserved. For permission to reproduce or quote, please contact research@
theiia.org. ID # 2015-1484