An audit report should provide added value in the field of performance by challenging its objectives decided by senior management. It is also a good occasion to review the corporate governance set-up. Indeed, the internal audit is one of the few opportunities for this capital challenge.
Improving the performance of the audited entity (division of the company, subsidiary) is the ultimate goal of risk management. It is also the value of an internal audit as stated by COSO’s fundamental premise. Good risk management is here to deliver objectives decided by senior management over long term. Unfortunately the internal audits often overlook the performance assessment of the entity as they wrongly focus only on risks control.
The audited entity may be a subsidiary (therefore a company by itself) or an internal entity of a large company. Each of them will have different performance paradigm. Appreciation of the performance can be rather difficult, especially regarding internal entities of large companies.
- Financial results will of course be the first criterion. However it’s also auditors job to find how to link financial results and business strategy. They need to answer the following questions : An entity that is profitable but not working in a consistent direction with she the Group’s strategy will be judged favorably? Conversely, a less profitable entity serving the company strategy should be evaluated as a poor performer ?
- As for Internal entities (divisions, services …) of a company, they are even more complex to assess because they are rarely true Business Unit with the financial results (turnover, EBITDA, ….) comparable to those of a subsidiary company. Auditors have to find relevant performance measures for internal entities.
Of course, in order to assess the performance, internal auditors will first rely on the objectives decided by senior management. It is also a good occasion to challenge them.
Reaching or not the level defined by senior management will clearly define the performance. However, experience shows that these objectives (both what is the objective and the level of the target) need also some challenge. It seems that the top management sometimes lacks time and independent analysis of the operational management of the entity to set them relevant targets, although this is an absolute essential task. It is auditors job who have one rare opportunity to challenge the performance objectives set by top management. Who else than internal audit have time and legitimacy to do this challenge?
Therefore, this is what auditors should do to bring audit value to their report:
1- Balance the audit report by allowing sufficient space to assess the technical and financial performance. Risk management and control activities should not be the only corner of appreciation of the entity.
2- Challenge the objectives defined by senior management. Compare them to performance criteria suggested by the auditors. Auditors have a unique experience of the company internal business acquired through all internal audits performed. They do have in their hands enough experience to challenge and suggest performance criterion. If the audit manages to offer relevant suggestions it is undeniable that the report will be of high interest to management and bring value to the group it serves.
3- Open the audit scope to evaluate the performance of the company versus other companies (market or benchmark) and get some forward looking. For instance, auditors can review the current business assumptions and corporate governance setup versus business trends.
– – – – – –
Making value for money audit is the key target of this blog: let’s have a look to the next best practice proposed to auditors: writing high value recommandations.