Internal Audit Business Model and its Key Performance Indicators

INTRODUCTION

Each activity (either business or personal) can be described in terms of a business model in order to provide a holistic view of comprising elements of the system. Internal Audit (IA) business model can be described in the structure of nine elements/dimensions adding to full picture of IA framework:

1. Mission
2. Added Value
3. Clients
4. Client Relationships
5. Channels of «Sales»
6. Partners
7. Key Activity
8. Key Resources
9. Costs

Proposed IA business model is used to describe IA activity, its framework, key elements to better understand by stakeholders and internal staff of what IA is doing, how it is functioning, what are outcomes, what are key activities, resources etc. This business model is based on and aligned with IPPF.

For almost each of these dimensions and its constituents, key performance indicators (KPIs) as a balanced scorecard system could be developed to digitize and measure IA performance. Setting KPI is a key to effective management (“what cannot be measured cannot be managed”) including quality management. Balanced scorecard system can be used by IA managers to keep track of the execution of activities by the audit staff within their control and to monitor the consequences arising from these actions.

Firstly, let’s roll out these dimensions. Then propose KPIs/Balanced Scorecard for each of the dimension. Based on KPIs by dimensions QAIP can be developed and measured.

IA BUSINESS MODEL

A. MISSION

Mission of any system, activity or function is a key element used to describe and substantiate the reason why this system or function exists, for what purpose. What it brings to external world, to the organization (in our context)?

The mission of IA function could be expressed as follows:

The IA mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight, leading to

1. risks mitigation,
2. costs reduction,
3. business process optimization, and
4. overall assurance in achieving organization’s objectives.

From defined mission second dimension of the model follows:

B. ADDED VALUE

As a result of IA functioning (which is added value)

• no (or minimal) losses from risks occur,
• costs are reduced,
• business processes become more transparent and controllable, and
• productivity and efficiency of the organization is increased.

Another indirect result of IA performance is development of highly professional and experienced staff who could be promoted to other senior positions in the organization.

Those who use results of IA activity are IA clients.

C. CLIENTS

There are a lot of groups of clients who consume results of IA activity, for whom IA brings value:

• Shareholders and Supervisory Board
• Top and Senior management (Management Board, B-1, B-2 managers)
• Regulators (for Ukrainian banks it is NBU, State Deposit Guarantee Fund, etc.)
• External auditors

But mainly IA serves for the interests of organization’s shareholders and Supervisory Board representing them.

IA needs to establish relations with its clients to communicate (“sale”) its results.

D. RELATIONS WITH CLIENTS

IA builds relations with its clients to communicate its results, ask for support and obtain resources needed. These relations are formalized by regular reporting on Supervisory Board, Audit Committee, Management Board and its committees’ meetings, informal interim communications and exchange with management, audit engagement results debrief, etc. Good communication is a key for success of IA function. It allows to demonstrate added value of the function for shareholders and organization and is prerequisite in obtaining resources (staff, trainings, IT) needed to effectively execute its mission.

Also, these relations are formalized in channels of “sales”:

E. CHANNELS OF “SALE”

We can define following “IA sales channels”:

• Collective bodies meetings
• Audit Reports & Dashboards
• Corporate mail communications
• Page on intrasite
• Presentations to the organization’s staff (for awareness and education)
• Informal communications

In doing IA business the function cooperates with its partners:

F. PARTNERS

Partners of the IA function are intersected with its clients. Partners help to accomplish IA mission and provide high quality services. They are

• Supervisory Board,
• Audit Committee,
• Management Board, and
• Second Line of Defense (Risks, Compliance, and sometimes Security).

Partners share with IA information on the organization development including its control environment, risks assessments and data, provide needed support in obtaining resources and cooperation.  It could be said that IA uses partners and serves for the partners.

To accomplish its mission IA has key activities:

G. KEY ACTIVITIES

Firstly, IA should plan its activity (audits – assurance and consulting missions) in advance to allocate limited resources for the risks coverage. Usually, IA develops 3 or 5 years audit plan to cover all auditable items (or units) in the organization in order to provide assurance and added value as defined earlier in section A and B of this model. Annual planning methodology should be developed and Annual Audit Plan (AAP) is to be approved by Supervisory Board based on auditable units risks assessment in order to cover most risky areas at first place. AAP is not a static document and can be reviewed and updated upon external and internal changes in risks surface.

Further, another key activity is Risk Assessment performed annually for composition of AAP and before each audit engagement. IA can build a model for risks assessment encompassing a set of factors influencing risk level of a given auditable unit or subunit. For example, these factors could be:

1) state of control environment,

2) management concerns,

3) previous audit findings,

4) internal and

5) external changes,

6) importance and

7) size of auditable unit, and

8) date of the last audit of an auditable object (unit).

Risks assessment serves as a basis for auditable unit’s Diagnosis and further Investigation (controls testing during field work) combined with information and data obtained from auditees and partners. Most of the time of IA is spent on these two activities (diagnosis & investigation).

Diagnosis and Investigation is followed by Reporting which is highly formalized and structured presentation of the results of the previous activities. Reports contain executive summary and detailed findings which consist of observations, risks, consequences and root causes definition, and recommendations for risks/root causes mitigation/elimination followed by management agreed actions on recommendations implementation.

After a report is issued management has to implement recommendations/agreed actions in due time set by a recommendation. This implementation is monitored and reported by IA during Follow Up key activity by setting agreed actions statuses (open, closed/implemented, past due etc.) Follow up reports and statistics is presented for Management and Supervisory Board for review and actions taking. It also reflects state of control environment in the organization.

To ensure that IA function works with highest performance standards Quality Assurance and Improvement Program – QAIP (according to IPPF) should be developed, implemented and reported annually to the Supervisory Board. Standard 1300 – Quality Assurance and Improvement Program (and 1310, 1311, 1312, 1320 inside it) sets framework for the IA quality assurance and development.

Usually, QAIP defines KPIs to measure quality and performance of IA practice. This article proposes set of KPIs for that purpose defined by the structure of IA business model described above.

In order to perform IA activities effectively sufficient resources are needed:

H. KEY RESOURCES

Key resources to perform IA activities are:

1) skilled staff,

2) trainings and professional education to support and develop IA skills of the staff,

3) information technologies (laptops, office and specialized applications, access to the organization databases and electronic information), and

4) recruitments of skilled personnel or motivated youngsters with professional development potential.

This is almost all that is needed to successfully perform IA activities and fulfill IA mission. Not more and not less.

IA resources substantiate costs needed to acquire these resources:

I. COSTS

Costs are logically

1) salary costs,

2) cost of trainings, courses and conferences,

3) costs for purchasing hardware & software and to less extent

4) costs of HR recruitment (e.g. paying fees to HR agencies). These almost are all elements of IA function budget

KPIs OF IA BUSINESS MODEL

Key Performance Indicators / Balanced Scorecard defined below can be used to measure IA activity, IA model efficiency and its quality, and be part of QAIP.

SOURCES

• IPPF – International Professional Practice Framework (TheIIA.org)
• Business Model Generation: A Handbook for Visionaries, Game Changers, and Challengers. (Alexander Osterwalder, Yves Pigneur)
• KEY PERFORMANCE INDICATORS FOR INTERNAL AUDIT FUNCTION | Pempal

Maksym Pomerko,

CIA, CISA,

ProCredit Bank Ukraine,

Acting Head of IA

29/07/2022