As Managing Director of the Internal Audit Division of MIS Training Institute, I have led many symposia, seminars and other programs over the years, and this has given me the chance to work with hundreds of people whose internal audit departments are making significant contributions to their organizations.

I have learned a great deal about what they do and how they do it, and I suppose it is only natural to have gleaned from this experience a way to define and identify important attributes that high-performing, value-adding internal audit departments share.
Departments with these attributes are world-class. It is important to strive for world-class levels of performance because internal audit is more visible and accountable than ever. Sarbanes-Oxley requirements, safety and environmental regulations, economic stresses, industry innovations, etc. The list of pressures on organizations and the need for internal audit departments to help organizations address them could run for pages.

For these reasons, internal audit has entered the business mainstream. The function is more visible and accountable than ever. To achieve a world-class level of performance, we need key stakeholders to maximize their partnership with us. In this day and age of competing resources, it is important that internal audit receive its share of these resources. Regardless of the size of an internal audit department or the resources it receives, the chief challenge is to maximize the resources it has been given using best practices to add value to the organization.

The chief audit executive (CAE) plays an essential role in this effort. The CAE must be visionary and understand the organization’s priorities and the specific strategies to employ to help the organization. The role of the audit committee of the board of directors or of senior management would be to lend their support to internal audit. For them to provide that support, they need to understand how internal audit can add value to the organization. No internal audit department can achieve a world-class level of performance without the support of the audit committee.

Top-Level Support
If internal audit can earn the support of the C-suite and the audit committee, every door in the organization opens. With all doors open, internal audit is well on its way to achieving world-class performance.

If a department strives for this level of performance, it will question every day the deployment of resources. People will ask, “Is this where I should be? When we see a new fraud or an emerging risk come into the news, are we reacting properly? Are we ‘green’ enough to address environmental concerns? Have we reacted to slowdowns in construction? Have we reacted to increases in fraud if we have payroll deduction or decreases in workforce? Are we reacting as quickly as we can?”

I believe one essential thing for any audit shop to keep in mind – especially one that strives to be world-class – is the reporting structure. It is not who to report to -- it is who you report to. On paper you can report to the audit committee. But who do you really report to? Who determines your compensation? Who determines where you go? Can you audit anywhere in your organization? There is a lot of discussion in business literature about who internal audit reports to. Clearly it must be the audit committee, but to have a world-class audit function, the audit committee must play a pivotal role in compensation and resources decisions.

We also need to keep in mind that there is no single definition for “world-class.” This is because no two organizations are the same. There are different industries, organizations, internal audit department sizes and cultures.  A CAE must evaluate these things and the core competencies of the people in the department to see how to best address the organization’s needs.

The CAE also must be able to augment the department’s resources with additional internal and external co-sourcing. I honestly believe no department can be world-class without a strong co-sourcing relationship. No one department has all the resources needed to achieve this level of performance.

This is one reason audit executives must know their enterprise risk management (ERM) structure and have their finger on the pulse of the organization and the industry it is in. This enables them to quickly recognize emerging risks and try to match the department’s skills to them. Where certain skills may be lacking, co-sourcing is called for.

A CAE also must be able to market and sell the accomplishments of the department to create more demand for services. In short, the CAE must be able to take the stakeholder relationship to new levels.

Defining World Class
With all this in mind, below are what I believe to be the chief attributes of world-class internal audit departments. Outside of the first item, this list is not in order of importance, as some attributes may be more or less important depending on an organization’s culture, size, industry, etc.:

1. Know your risks – Address key inherent and residual risks, recognize emerging risks, and continually test the key controls.
2. Proactively affect change – Internal audit can no longer come in after the battle and stab the wounded. We must address weaknesses during development and become a part of things as they are happening.
3. Virtual, diverse, and competent – Operate a virtual audit department, and, through diversity of personnel, have the core competencies to address the key risks. This is why there needs to be a robust co-sourcing relationship.
4. Manage change – Work towards good communication (upward and downward). Auditors often try to make change where people do not want it. Negotiation skills, good listening skills, conflict resolution, etc.  These things are essential if IA is going to create change.
5. Use technology – Maximize leading edge technology to help audit in a more efficient and continuous manner.
6. Control environment – Maintain a great control environment throughout the organization. World-class performance promotes this. But in today’s atmosphere of staff cutbacks, we must make sure management has invested hard controls where the greatest risks exist.
7. Be a partner to the business units – Knows their goals and objectives and create audit tasks to help reach them with the fewest controls that create the most coverage against the risks.
8. Do value-added audits – I ask people, “Would you pay for the last audit you did?” World-class departments conduct effective, short engagements that address the key risks.
9. Provide visionary leadership – A great leader understands where the organization is strategically going within the next one to three years, and is building a department to help achieve those goals.
10. Balance governance and consulting – A truly great department does great assurance auditing as well as consulting work.
11. Ownership – Clearly define ownership of controls, with management acknowledging it owns all the controls and is responsible for minimizing the risks.
12. Calculate audit’s value – Show at the end of the year how the department has added value, qualitatively and quantitatively. Internal audit must ask what happened because we were here this year. If there is no good answer, the department is headed down the wrong path.
13. Have the best people – Internal audit is a people service. We cannot vary from standards of having the best people full-time and those we borrow internally and externally. Every time someone leaves our department to do an engagement, that person is an extension of our credibility.
14. Exhibit global visibility – World-class departments understand how world events could impact their organization and address the actions senior management must take.
15. Be independent – World-class operations must be independent as well as proactive. They retain independence and help management ensure the organization has the best controls. It is wrong to hide behind the shield of independence and not work with management to enhance value.
16. Break rules – I often tell people if we audited ourselves, we would fire ourselves. It is important to look at what we are doing and question why we are doing it. Why do we have to finish every audit we begin? Why write a perfect audit program when we know it is going to change? Why develop a perfect audit that is soon outdated?
17. Perform best practices every day – A tremendous amount has been written on best practices by the Big Four, Protiviti, The Institute of Internal Auditors (IIA) and MIS. At MIS, we have more than 200 best practices that get modified or deleted every year. No one does all 200. Each internal audit department should do the 40 or 50 that are most relevant to them and continually add some every year.
18. Define what you do – Have a mission/vision statement that says exactly what the department’s goals and objectives are.
19. Strive for continuous improvement – People in world-class departments never stop trying to learn and improve. There are many examples where CAEs have done knowledge sharing in the department, such as sharing books to read, things learned at outside training, new software, new legislation, new SEC pronouncements, etc.
20. Knowledge is power – Take advantage of the knowledgeable people in the department and learn about the business from their experiences.

The closer an internal audit department can come to achieving each of these attributes, the closer it will be to delivering the world-class assurance and consulting services organizations need to succeed.