I Prefer to say that internal auditing is not into ( measure ) but more into making sure that the company or firm is following the policies and procedures,
when I was junior a finance manager told me ( audit your work before a real auditor audited for you)
Totally agree. IA is a tollused to assess the day to day operations and assess the complinace with the existing policies and procedures as a part of the IA work.
But top hierarchy only required the result oriented statement by Internal Auditors, so for the sake of reporting a auditor have to measure with yardstick.
par
Mohammed Azhar Alam Khan , Supervisor (Materials Planning & Warehouse Operations) , POWER & WATER UTILITY COMPANY (MARAFIQ)
Yes I agree, it measures deployment against available planned arrangement (policies and procedures) and also comes out with improvement areas, reporting key positives and areas of improvements.
For the sake of reporting, I guess you could say that the yardstick would be the existing policies and procedures. However, the purpose is not exactly to measure but to ensure adherence to policy, to check on the relevance or continued applicability of existing policy, pinpoint loopholes, assess risks and assess areas for improvement. To measure would result in a quantitative report, whereas management is more on the lookout for the qualitative report of the auditor since this would result in improvements.
par
KEITH JOHNSTON , Various from Senior Internal Auditor to Internal Audit Manager to ERM/GRC Consultant , Both Public & Private Sector
If the '3rd Line of Defence' role of Internal Audit (IA) is adopted, IA's key focus is to assess the suitability of the entity's corporate-wide risk management (ERM) framework. It performs the latter role to render an objective opinion as to whether there is reasonable assurance that corporate objectives will be achieved.
Part of the above assessment will involve appraising how effective policies and day-to-day procedures are in helping in the management of risk - e.g. are processes optimally designed to efficiently mitigate risk within appetite (calculate/compare unit costs for desired outputs)? - is a policy unclear/poorly worded such that staff do not understand or misunderstand management intentions (survey staff and test the degree of common/intended understanding)?
Can IA perform any measurement activities in conducting its assessments and appraisals? There can be situations where this is appropriate - e.g. IA believes that operational mangement have not developed appropriate KRIs and/or KPIs and to support its recommendations to Management performs measurement activity to help understanding and benefit the company.
K R Johnston, MBA, CPFA, CMIIA