Best Practices for the Profession
Internal auditors and internal audit functions have been struggling — some more than others — to find convincing answers addressing one fundamental question: What is the added value of internal auditing in the specific organizational context? This question is of particular relevance to internal auditors and the internal audit profession. On a micro level, that question bluntly challenges the contributions from internal auditing, and on a macro level, the legitimacy and relevance of internal auditing as a profession. Furthermore, this question is highly relevant to internal audit’s key stakeholders, e.g., senior management and the audit committee.
This research provides insights into the applied practices addressing the value question and suggests concrete pointers on how to define, measure, and communicate the value of internal audit. Based on interviews with chief audit executives (CAEs) and a comprehensive global survey, we examine the following questions. How do internal auditors and internal audit functions:
1. Define their added value to the organization?
2. Measure their added value — and which metrics do they use?
3. Communicate their added value?
The results of this study suggest a maturity model distinguishing the roles of internal audit as a governance, risk, and control (GRC) partner, trusted advisor, and value driver as maturing roles of the internal audit function. Assurance emerges as an overarching theme across all roles: The GRC partner delivers assurance services as core remit. The trusted advisor goes beyond to offer advice; however, often limited to subject matters in or associated with internal audit’s core competencies in the GRC arena. The value driver goes further, cracks the traditional boundaries, and contributes to what truly matters in the respective organization, thereby also dealing with the not so familiar, the lesser or unknown subject matters, and the more complex issues.
