Module 3B Managing Resources

<strong>3B</strong>. <strong>Managing</strong> <strong>Resources</strong> (20%)<br />

<strong>3B</strong> Learning Outcomes<br />

On completion of this section, students will be better able to:<br />

• Manage resources to support planned and ad hoc engagements.<br />

• Manage resources to support the internal audit operational plan.<br />

• Manage resources to support the internal audit strategic plan.<br />

<strong>3B</strong>.1 Financial Management for Internal Audit Functions<br />

<strong>3B</strong>.1.1 Professional Standards<br />

The International Standards for the Professional Practice of Internal Auditing define<br />

expectations for the head of internal audit as manager of the function and its resources, most<br />

notably in Standards 2000, 2010, and 2030. These important standards are quoted in full below:<br />

Standard 2000 – <strong>Managing</strong> the Internal Audit Activity<br />

The chief audit executive must effectively manage the internal audit activity to ensure it adds<br />

value to the organization.<br />

Interpretation:<br />

The internal audit activity is effectively managed when:<br />

• It achieves the purpose and responsibility included in the internal audit charter.<br />

• It conforms with the Standards.<br />

• Its individual members conform with the Code of Ethics and the Standards.<br />

• It considers trends and emerging issues that could impact the organization.<br />

The internal audit activity adds value to the organization and its stakeholders when it<br />

considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk<br />

management, and control processes; and objectively provides relevant assurance. 21<br />

Standard 2010 – Planning<br />

The chief audit executive must establish a risk-based plan to determine the priorities of the<br />

internal audit activity, consistent with the organization's goals.<br />

Interpretation:<br />

To develop the risk-based plan, the chief audit executive consults with senior management<br />

and the board and obtains an understanding of the organization’s strategies, key business<br />

objectives, associated risks, and risk management processes. The chief audit executive<br />

must review and adjust the plan, as necessary, in response to changes in the organization’s<br />

business, risks, operations, programs, systems, and controls.<br />

21<br />

International Professional Practices Framework (2017 Edition), The IIA, 2016.<br />

2010.A1 – The internal audit activity's plan of engagements must be based on a<br />

documented risk assessment, undertaken at least annually. The input of senior management<br />

and the board must be considered in this process.<br />

2010.A2 – The chief audit executive must identify and consider the expectations of senior<br />

management, the board, and other stakeholders for internal audit opinions and other<br />

conclusions.<br />

2010.C1 - The chief audit executive should consider accepting proposed consulting<br />

engagements based on the engagement's potential to improve management of risks, add<br />

value, and improve the organization's operations. Accepted engagements must be included<br />

in the plan. 22<br />

Standard 2030 – Resource Management<br />

The chief audit executive must ensure that internal audit resources are appropriate,<br />

sufficient, and effectively deployed to achieve the approved plan.<br />

Interpretation:<br />

Appropriate refers to the mix of knowledge, skills, and other competencies needed to<br />

perform the plan. Sufficient refers to the quantity of resources needed to accomplish the<br />

plan. <strong>Resources</strong> are effectively deployed when they are used in a way that optimizes the<br />

achievement of the approved plan. 23<br />

Strategic, operational, and engagement planning and managing people are discussed in <strong>Module</strong><br />

2. In this section we focus on managing financial resources and performance management.<br />

<strong>3B</strong>.1.2 Financial Management for Internal Audit Functions<br />

According to Standard 2030, resources must be “appropriate, sufficient, and effectively deployed<br />

to achieve the approved plan.” <strong>Resources</strong> available to an internal audit function should be approved<br />

by the audit committee (if there is one) or the governing body when the audit plan is approved.<br />

In an ideal scenario in which the internal audit function enjoys a high degree of organizational<br />

independence, resources to support the internal audit strategic and operational plans may be<br />

allocated in the form of a financial budget with which the head of internal audit can decide how<br />

many full-time, part-time, and outsourced auditors to engage and at what level, as well as<br />

obtaining other resources, such as training, memberships and subscriptions, office furniture and<br />

equipment (including IT), and auditing software. However, some of these expenses may be<br />

controlled in other ways rather than the head of internal audit deciding how to spend the<br />

function’s budget.<br />

• Staff positions and salaries, for example, may be set according to departmental or<br />

central government decree and policies.<br />

• Office furniture and equipment (including IT) may also be handled separately from the<br />

budget allocated to the internal audit function.<br />

• The training budget may be held centrally by the Central Harmonization Unit.<br />

22<br />

International Professional Practices Framework (2017 Edition), The IIA, 2016.<br />

23<br />

International Professional Practices Framework (2017 Edition), The IIA, 2016.<br />

The requirement for the head of internal audit to develop, seek approval for, and manage a<br />

budget may be limited in practice. Even with delegated budgetary responsibility, many of the<br />

costs associated with the function may not be discretionary (i.e., a matter for the budget holder<br />

to decide). Salaries (aside from performance-related bonuses), for example, are pre-determined<br />

and need only to be tracked.<br />

Setting such difficulties to one side, in order to seek approval for a budget, the head of the<br />

function needs to produce a proposal aligned with the strategy and plan of engagements. A<br />

good starting point is the previous year’s budget, although it is not simply a matter of adding a<br />

percentage to allow for inflation. Prior levels of resourcing may have been insufficient.<br />

Conditions, requirements, and expectations change, and the head of internal audit should<br />

always be seeking improvements that may require utilizing resources in a different way.<br />

The IIA’s paper “Budgeting the Internal Audit Function: How Much is Enough?” addresses these<br />

questions. Benchmarking is sometimes used to help determine what is the appropriate level of<br />

resourcing, but no two organizations are completely identical. The paper suggests following a<br />

five-step process.<br />

Step 1: Define the audit universe. This is a description of all auditable entities (“departments,<br />

divisions, systems, processes, subsidiaries, programs, activities, and even accounts”).<br />

Step 2: Assess the risks. It is highly unlikely an internal audit function has sufficient<br />

resources to audit the entire audit universe. Besides, this approach would be highly<br />

inefficient, applying resources to low-likelihood, low-impact risks where assurance and<br />

advice may have limited value. The audit plan needs to prioritize engagements based on<br />

organizational objectives and risks because “while internal audit can audit anything, it can’t<br />

audit everything.” Assurance mapping may be part of this process to avoid unnecessary<br />

overlap and duplication with the work of other assurance providers on which internal audit<br />

can place reliance.<br />

Step 3: Develop the audit plan. Identifying which audits must be undertaken as a matter of<br />

highest urgency helps determine the major part of the budget based on estimated staff<br />

hours needed, although some allowance should be made for ad hoc engagements and<br />

reactive assurance and advisory engagements for new and emerging risks and<br />


management requests. Budgeting should also address the needs of the internal audit<br />

strategic plan, such as investment in new audit software, specialist expertise, and training.<br />

Step 4: Determine training, co-sourcing, and administrative expenses. “Budgets and<br />

schedules must also allow for time off, as well as time spent on administrative tasks,<br />

training, and activities such as quality assurance and audit follow-up.” Continuous training is<br />

needed for auditors to maintain their competency. In addition, the planned engagements in<br />

the plan may call for competencies not readily available from the existing team of auditors.<br />

This may be resolved over time by training and recruitment but more immediately it may<br />

require the use of guest or external services.<br />

Step 5: Review and approve – independence matters. “It’s important to review the operating<br />

budget periodically to ensure that it remains realistic and accurate, identifying and reporting<br />

any variances promptly. In most organizations, the CAE prepares the budget and senior<br />

management reviews it, but final review and approval is left to the audit committee or board<br />

of directors.” For the survey undertaken to support the guidance, The IIA found “CAEs were<br />

significantly more likely to state they had sufficient resources at organizations with<br />

independent audit committees than at organizations where the audit committee was not<br />

independent of management.” 24<br />

Having established the budget and had it approved, the head of the unit must monitor actual<br />

incomes and expenses against the plan. This is discussed in sections 3A.2.5 and 3A.3.4.<br />

<strong>3B</strong>.1: Reflection<br />

Is your internal audit function in full conformance with these Standards (2000, 2010, 2030)?<br />

How much autonomy does the head of the internal audit unit have in managing the budget<br />

and other resources?<br />

Who approves the staffing and budget for the internal audit unit? Are these arrangements<br />

consistent with internal audit independence?<br />

<strong>3B</strong>.2 Performance Management<br />

Performance management requires the identification of risks and the implementation of controls<br />

for ensuring economic, effective, and efficient resource utilization. <strong>Managing</strong> performance needs<br />

to take place at every level of activity.<br />

24<br />

“Budgeting the Internal Audit Function: How Much is Enough?” Tone at the Top, The IIA, 2018.<br />


• Individuals are responsible for managing their own performance, including time-keeping,<br />

maintaining due diligence, following instructions and procedures, reporting periodically to<br />

their supervisor, and escalating issues requiring someone else’s attention.<br />

• Supervisors are responsible for managing the performance of their team members<br />

individually and collectively. A typical performance management cycle comprises:<br />

o Agreeing individual goals commensurate with role, responsibilities, ambitions,<br />

and competencies, and aligned with team-level and organizational objectives.<br />

o Providing time, tools, resources, training, and sufficient autonomy and<br />

supervision as required.<br />

o Monitoring performance.<br />

o Providing feedback, both as encouragement and in highlighting areas requiring<br />

remediation.<br />

o Formally appraising performance according to a regular cycle and in consultation<br />

with the individual, allowing them to account for their own performance.<br />

o Recognizing achievements and allocating rewards according to policy.<br />

o Identifying and creating opportunities for personal and professional development<br />

and progression.<br />

o Reporting the results of performance evaluation up the chain of command.<br />

o Acting as an advocate for their team members, giving due credit for their<br />

accomplishments.<br />

o Agreeing goals for the next cycle.<br />

Team leaders are responsible for achieving the goals assigned to their unit and for managing<br />

the performance of individuals. This continues upwards to the highest levels of the entity with<br />

ultimate accountability to stakeholders for fulfilling organizational purpose economically,<br />

effectively, efficiently, ethically, and sustainably.<br />

This process of performance management links with the concepts of managerial accountability<br />

discussed in <strong>Module</strong> 2 and applies to internal audit functions as much as any other department.<br />

Performance management is a natural part of risk management and internal control.<br />

Organizational-level objectives need to be cascaded down to every level so that goals of<br />

departments, teams, and individuals are all aligned. Decision-making and implementation of<br />

controls are most effective when they are delegated to the lowest level of competence<br />

necessary to enable managers to manage and leaders to lead. As goals are assigned, they<br />

must be accompanied by responsibility, autonomy, and resources. This requires trust.<br />

Supervision is part of the system of control but too much supervision and monitoring constitutes<br />

micro-management, which is inefficient, intrusive, and often counter-productive. Individuals<br />

resent excessive scrutiny since it communicates a lack of trust in their integrity and ability.<br />


There is also a link with leadership styles, as discussed in <strong>Module</strong> 2. A more authoritarian style<br />

tends toward greater supervision while a laissez-faire attitude tends toward less supervision.<br />

The appropriate and most effective style depends on the characteristics of the staff member,<br />

their role, experience, and competency, their relationship with their supervisor, their personal<br />

preferences, organizational conditions, and more. Managers need to adapt their style according<br />

to circumstances.<br />

We have said repeatedly that risk management and internal control should not be regarded as<br />

discrete activities, an additional responsibility on top of managing operations and activities.<br />

When reflecting on performance management we should remind ourselves of the COSO<br />

Internal Control – Integrated Framework with its five elements:<br />

• Control environment.<br />

• Risk assessment.<br />

• Control activities.<br />

• Information and communication.<br />

• Monitoring.<br />

We could use these five elements to describe performance management or more broadly the<br />

responsibilities of management. Making a decision, taking a risk, managing a risk, pursuing<br />

objectives, and implementing goal-oriented actions are the same thing. The purpose of risk<br />

management and internal control is to do this mindfully and systematically.<br />

<strong>3B</strong>.2.1 Approaches to Performance Management<br />

In 2018, McKinsey developed a model for sustaining high performance in the public sector in<br />

the long term. 25 The authors identified that project pilots tend to out-perform expectations but<br />

thereafter, as they lose their initial momentum, the performance of initiatives tends to diminish.<br />

The authors associated this with the added interest and level of oversight new projects generate<br />

followed by an inevitable decline once activities become part of routine operations and the<br />

novelty and excitement fades.<br />

To address this pattern, McKinsey developed a seven-stage model designed to maximize and<br />

maintain effective performance management. The model is organized in three areas of focus:<br />

• Create transparency:<br />

1. Define meaningful performance metrics.<br />

2. Set stretch targets.<br />

3. Create digital tools for sharing information.<br />

• Involve managers in the solution:<br />

4. Institute motivational dialogues.<br />

5. Use agile methodologies.<br />

• Empower the people:<br />

6. Emphasize nonfinancial incentives.<br />

7. Build the skills for success.<br />

25<br />

Sustaining High Performance Beyond Public Sector Pilot Projects, McKinsey, 2018.<br />

Collectively these elements reinforce the importance of:<br />

• Setting and communicating clear financial and nonfinancial goals (including “stretch<br />

goals” to encourage even greater performance).<br />

• Taking people with you through continuous and inspirational communication and<br />

providing training as needed.<br />

• Being prepared to adapt to changing conditions and keeping processes lean and flexible<br />

(“agile”).<br />

These principles are important for all approaches. How performance management differs is<br />

generally characterized by a particular mindset or focus applied to directing and monitoring<br />

activities. Common approaches used to manage performance include:<br />

• Plan-do-check-act (PDCA).<br />

• Budget-driven performance management.<br />

• Management by objectives (MBO).<br />

• Balanced scorecard.<br />

These and similar approaches may be used in combination. Whatever approach is taken, it<br />

should be adapted to suit the circumstances.<br />

Plan-Do-Check-Act (PDCA)<br />

Plan-Do-Check-Act (PDCA) is a very simple conceptual approach to managing performance.<br />

More broadly, it is a model for quality assurance, continuous improvement, and change<br />

management. It is described as a continuous cycle and reminds managers to incorporate<br />

feedback as part of monitoring to enable timely interventions.<br />


• Plan. The cycle is initiated through a planning process. Depending on the scale and<br />

scope of the activity, planning may include situational analysis (e.g., SWOT, PESTEL),<br />

objective and target setting, risk assessment, budgeting, and related activities.<br />

• Do. For clarity, it is helpful to distinguish between the two stages “Do” and “Act” which<br />

sound similar. The Do stage is intended to reflect project implementation. This may<br />

include a testing or trial phase before full roll-out.<br />

• Check. This is a key characteristic of the PDCA approach. Rather than waiting until<br />

implementation is complete, monitoring needs to be fully integrated from the beginning.<br />

Monitoring can be accomplished by a mix of approaches, such as direct observation,<br />

supervision, automated processes, client feedback, staff feedback, vendor feedback,<br />

financial reporting, and tracking budget utilization. Such approaches link closely with<br />

internal control. (Performance management is integral to internal control.)<br />

• Act. This stage uses the intelligence gathered through monitoring to make<br />

improvements. Errors, control weaknesses, inefficiencies, and defective outputs can be<br />

addressed by improving processes leading to better future results.<br />

• Plan. Improvements inform planning for the next cycle.<br />

The PDCA approach is implicitly or explicitly part of most organizational activity, including risk<br />

management and the quality assurance and improvement program (QAIP) for the internal audit<br />

function.<br />

Budget-Driven Performance Management<br />

Budget-driven performance management relies heavily on financial planning and monitoring.<br />

The budget establishes goals or limits for incomes and expenditure and becomes a proxy for<br />

objectives. Actual results can be compared with the budget and communicated in a financial<br />

report, as discussed in section 3A.2. Variances can be calculated and analyzed, as discussed in<br />

section 3A.3. Satisfying or exceeding the budget is considered the primary measure of success.<br />

Actual performance information is then used to determine future budgets. Sometimes this<br />

approach is referred to as performance budgeting.<br />

While this approach has merits, it can skew management’s focus and exclude other important<br />

considerations.<br />

Pros and cons of budget-driven performance management<br />

Pros<br />

• The budget is developed to support<br />

organizational objectives and therefore<br />

there is naturally a close alignment<br />

between the budget and objectives.<br />

• Checking income and expenditure against<br />

a budget is relatively easy, assuming<br />

there is a robust financial reporting<br />

system.<br />

• Variance analysis provides useful<br />

quantitative measures of performance.<br />

Cons<br />

• Budget-driven performance management<br />

focuses only on financial goals, ignoring<br />

other types of value.<br />

• Meeting or exceeding budgetary goals<br />

does not guarantee successful<br />

performance against organizational<br />

objectives and purpose. It is possible to<br />

improve upon a budget, for example, by<br />

under-performing and doing less work<br />

than planned, thus saving costs.<br />

Management by Objectives (MBO)<br />

Management by objectives places emphasis on defining objectives as the primary means of<br />

coordinating activity and optimizing outcomes. Agreement by staff and managers to objectives<br />

creates greater commitment together with efforts to motivate and incentivize performance<br />

through appropriate rewards. However, incentivization in the public sector is less common,<br />

largely because individual and team performance are often evaluated based on conformance<br />

with budgetary and other formal requirements rather than outcomes. It is also hard to isolate<br />

contributions to performance and attribute outcomes to specific individuals. Most results are<br />

achieved through collaboration.<br />

Pros and cons of management by objectives (MBO)<br />

Pros<br />

• Activity across the organization is closely<br />

aligned.<br />

• Teams and individuals are driven to meet<br />

and exceed targets.<br />

Cons<br />

• Performance can be skewed toward the<br />

achievement of incentives. Staff may be<br />

tempted to take shortcuts causing a<br />

reduction of quality. Other goals and<br />

activities may also be ignored. It is hard to<br />

measure desirable qualitative outcomes,<br />

such as client satisfaction. Goals can be<br />

measured and achieved in ways that are<br />

not always of greatest benefit to the<br />

organization. Once targets for incentives<br />

have been achieved, motivation may<br />


Given the concern that incentivization can lead to unexpected outcomes, it is often not tried in<br />

public sector bodies and budget-driven approaches are preferred for managing performance.<br />

Balanced Scorecard<br />

The Balanced Scorecard model was popularized by Kaplan and Norton in 1996. Although<br />

developed with private sector organizations in mind, it has great applicability for the public<br />

sector. As the title suggests, it aims to establish and maintain a suitably balanced set of metrics<br />

for monitoring performance. It recognizes that financial metrics on their own are not enough and<br />

can lead to a distorted perspective, which is one of the criticisms of budget-driven performance<br />

management.<br />

According to Kaplan and Norton, “what you measure is what you get.” In other words, the things<br />

you decide to focus on become the things you achieve. What gets measured gets done. In a<br />

similar vein, Lord Kelvin, a scientist notable for his work in developing a new temperature scale,<br />

remarked “if you cannot measure it, you cannot improve it.” We need tools to define how well<br />

we are doing currently, to set targets for improvement, and to determine whether we are being<br />

successful. Peter Drucker, the management guru, said it like this: “If you can’t measure it, you<br />

can’t manage it.”<br />

The balanced scorecard examines performance from four perspectives:<br />

• Financial perspective.<br />

• Customer perspective.<br />

• Internal perspective.<br />

• Learning and growth potential (organizational capacity perspective).<br />

The model links to value creation. Improvements in capacity drive improvements in processes<br />

leading to greater customer satisfaction and ultimately better financial performance.<br />


The balanced scorecard approach needs to be adjusted for the public sector. Public financial<br />

management (PFM) is not focused on generating profits for shareholders. Outcomes and<br />

impacts are not always measurable in simple financial terms.<br />

Governments are also highly complex entities compared with most organizations, having many<br />

different lines of activity and services.<br />

As compared to commercial institutions, government agencies face a unique set of<br />

challenges when trying to manage performance and achieve their strategic goals and<br />

initiatives. Their mission and budgets are often decided externally… Additionally, agencies<br />

face the uphill task of meeting their goals without direct control of shrinking budgets and<br />

resources. This furthers the need for managing performance at every step along the way. 26<br />

Adaptation of the balanced scorecard model to a public sector setting can be summarized as<br />

follows:<br />

Balanced Scorecard Perspectives: Public Sector Emphasis<br />

Financial perspective: Budgetary performance, stewardship of resources<br />

Customer perspective: Stakeholder engagement and satisfaction<br />

Internal perspective: Economy, effectiveness, efficiency<br />

Learning and growth potential: Knowledge and capacity<br />

The balanced scorecard itself can take the form of a regular report or digital dashboard with<br />

information organized to reflect these quadrants, showing actual performance or status in<br />

comparison with goals.<br />

Pros and cons of balanced scorecard<br />

Pros<br />

• Encourages consideration of a broader<br />

range of metrics when monitoring<br />

performance.<br />

Cons<br />

• The approach is more complex and<br />

requires greater coordination and<br />

integration of data sets as well as<br />

sufficient familiarity with the model to<br />

interpret accordingly.<br />

26<br />

Whittaker, J., Strategy and Performance Management in the Government, Pilot Software, November<br />

2003. Quoted in “How to Manage (and Measure) Government Performance,” FreeBalance, August 9,<br />

2022.<br />

<strong>3B</strong>.2.2 Measuring Performance<br />

When considering the performance of an activity, project, department, or organization, we can<br />

consider different dimensions.<br />

• Inputs. These are the resources that are applied to undertaking the activity.<br />

• Outputs. These are the products and initial results of the activity. Often outputs are more<br />

tangible or immediately apparent than the subsequent outcomes and impacts.<br />

• Outcomes. These are the effects of the activity and link closely to the objectives.<br />

• Impacts. These are the longer-term consequences of the activity.<br />

The distinction between outcomes and impacts is not always made. We may consider them as<br />

short-term and long-term impacts. Inputs, outputs, outcomes, and impacts relating to internal<br />

auditing are illustrated below.<br />

When developing metrics for performance management, it is important to include measures of<br />

outcomes and impacts because these relate to the purpose of internal auditing. Inputs and<br />


outputs are useful for monitoring purposes, but internal audit managers should look further than<br />

completion of the audit plan as a goal.<br />

• Inputs and outputs answer the question: what have we done?<br />

• Outcomes and impacts answer the question: what difference have we made?<br />

The following graphic illustrates possible metrics:<br />

According to the IIA Practice Guide: Measuring Internal Audit Effectiveness and Efficiency,<br />

performance measures for internal auditing may comprise both qualitative and quantitative<br />

metrics as illustrated by the following examples:<br />

• Conformance with the International Standards for the Professional Practice of Internal<br />

Auditing.<br />

• Level of contribution to the improvement of risk management, control, and governance<br />

practices.<br />

• Achievement of key goals and objectives.<br />

• Evaluation of progress against audit activity plan.<br />

• Improvement in staff productivity.<br />

• Increase in efficiency of the audit process.<br />

• Increase in number of action plans for process improvements.<br />

• Adequacy of engagement planning and supervision.<br />


• Effectiveness in meeting stakeholders’ needs.<br />

• Results of quality assurance assessments and internal audit activity’s quality<br />

improvement programs.<br />

• Effectiveness in conducting the audit.<br />

• Clarity of communications with the audit client (often referred to as “auditee”) and the<br />

board. 27<br />

It is clear this list comprises inputs, outputs, and some outcomes, including those related to the<br />

improvement of internal auditing as well as broader organizational improvements.<br />

<strong>3B</strong>.2: Reflection<br />

As a manager or leader, do you adopt a particular approach to managing performance (such<br />

as PDCA, management by objectives, balanced scorecard, or management by budget)?<br />

Which methods of managing performance do you find are the most effective?<br />

What constraints are there on the way a manager or leader chooses to manage<br />

performance? Are there organizational or other expectations that shape the way performance is<br />

managed?<br />

As an individual whose performance is monitored and managed by a superior, what<br />

approaches do you find the most helpful?<br />

What measures are typically used in your audit function to monitor performance? Which of<br />

them relate to: inputs, outputs, outcomes, and impacts?<br />

27<br />

IIA Practice Guide: Measuring Internal Audit Effectiveness and Efficiency, The IIA, 2010.<br />

