While external audit is often mandated for organisations, internal audit is another assurance activity that can add significant value.

Internal audit work often focuses on compliance and financial auditing, with recommendations made to more effectively manage risks and address control deficiencies. This is valuable assurance work, but many boards, audit committees, CEOs and senior executives are seeking more.

A requirement of internal audit functions is to have an independent external assessment conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. This assesses conformance with the internal audit standards and the quality of internal audit services delivered.

- Why can’t internal audit deliver more value and help us improve the business?

A good internal audit should assess and offer recommendations that address the three Es – efficiency, effectiveness and economy.

Efficiency is concerned with the relationship between goods and services produced (outputs) and the resources used to produce them (inputs). It’s about getting the most from available resources. An example would be reducing the cost of providing healthcare over time.

Effectiveness is converned with achieving predetermined objectives (specifically planned achievements) and having the actual impact (output achieved) compared with the intended impact (objective). An example would be where disease rates have fallen as a result of the healthcare provided.

Economy is concerned with minimising the cost of resources used (people, materials, equipment, etc) and considering the appropriate quality required – that is, keeping the cost of inputs low, without compromising quality. For example, are healthcare supplies or services of a specific quality purchased at the best-possible price? Operational auditing Any compliance or financial audit can also be an operational audit (it may be called a performance audit in the public sector). Operational auditing uses the three Es but it differs from compliance and financial auditing, as shown in the table, below.

- where improvements can be made.

8 Develop audit findings and value-adding options and recommendations.

While most steps may not be different from a compliance or financial audit, the crucial, value-adding steps are numbers three, seven and eight. These are the difficult parts. Most internal auditors can work out whether there is compliance, but undertaking a review of efficiency, effectiveness and economy can be a more diffi cult proposition.

Most internal auditors can also work out an effect, but trying to isolate the cause can be much harder. Hence, many internal auditors find it easier just to report on what is wrong and avoid trying to identify the ‘root cause’ of an issue. Often, an internal audit recommendation will be something like: ‘employees should follow the procedure’. This is lazy internal audit work. Few employees will deliberately bypass a procedure unless it is a bad procedure or something else is preventing them from complying with it.

The real value in an internal audit report is in determining the cause of the differences between ‘what is’ and ‘what should be’, and developing audit findings and value-adding options and recommendations. By working closely with management at the conclusion of an audit to discuss improvement options – possibly using a facilitated workshop approach – a much better outcome can be achieved. After all, the people doing the job know a lot more about it than the internal auditor.

Andrew Cox