Module 3B Managing Resources

3B. Managing Resources (20%)
3B Learning Outcomes
On completion of this section, students will be better able to:
• Manage resources to support planned and ad hoc engagements.
• Manage resources to support the internal audit operational plan.
• Manage resources to support the internal audit strategic plan.
3B.1 Financial Management for Internal Audit Functions
3B.1.1 Professional Standards
The International Standards for the Professional Practice of Internal Auditing define
expectations for the head of internal audit as manager of the function and its resources, most
notably in Standards 2000, 2010, and 2030. These important standards are quoted in full below:
Standard 2000 – Managing the Internal Audit Activity
The chief audit executive must effectively manage the internal audit activity to ensure it adds
value to the organization.
Interpretation:
The internal audit activity is effectively managed when:
• It achieves the purpose and responsibility included in the internal audit charter.
• It conforms with the Standards.
• Its individual members conform with the Code of Ethics and the Standards.
• It considers trends and emerging issues that could impact the organization.
The internal audit activity adds value to the organization and its stakeholders when it
considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk
management, and control processes; and objectively provides relevant assurance. 21
Standard 2010 – Planning
The chief audit executive must establish a risk-based plan to determine the priorities of the
internal audit activity, consistent with the organization's goals.
Interpretation:
To develop the risk-based plan, the chief audit executive consults with senior management
and the board and obtains an understanding of the organization’s strategies, key business
objectives, associated risks, and risk management processes. The chief audit executive
21
International Professional Practices Framework (2017 Edition), The IIA, 2016.
41

must review and adjust the plan, as necessary, in response to changes in the organization’s
business, risks, operations, programs, systems, and controls.
2010.A1 – The internal audit activity's plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The input of senior management
and the board must be considered in this process.
2010.A2 – The chief audit executive must identify and consider the expectations of senior
management, the board, and other stakeholders for internal audit opinions and other
conclusions.
2010.C1 - The chief audit executive should consider accepting proposed consulting
engagements based on the engagement's potential to improve management of risks, add
value, and improve the organization's operations. Accepted engagements must be included
in the plan. 22
Standard 2030 – Resource Management
The chief audit executive must ensure that internal audit resources are appropriate,
sufficient, and effectively deployed to achieve the approved plan.
Interpretation:
Appropriate refers to the mix of knowledge, skills, and other competencies needed to
perform the plan. Sufficient refers to the quantity of resources needed to accomplish the
plan. Resources are effectively deployed when they are used in a way that optimizes the
achievement of the approved plan. 23
Strategic, operational, and engagement planning and managing people are discussed in Module
2. In this section we focus on managing financial resources and performance management.
3B.1.2 Financial Management for Internal Audit Functions
According to Standard 2030, resources must be “appropriate, sufficient, and effectively deployed
to achieve the approved plan.” Resources available to an internal function should be approved
by the audit committee (if there is one) or the governing body when the audit plan is approved.
In an ideal scenario in which the internal audit function enjoys a high degree of organizational
independence, resources to support the internal audit strategic and operational plans may be
allocated in the form of a financial budget with which the head of internal audit can decide how
many full-time, part-time, and outsourced auditors to engage and at what level, as well as
obtaining other resources, such as training, memberships and subscriptions, office furniture and
equipment (including IT), and auditing software. However, some of these expenses may be
22
International Professional Practices Framework (2017 Edition), The IIA, 2016.
23
International Professional Practices Framework (2017 Edition), The IIA, 2016.
42

controlled in other ways rather than the head of internal audit deciding how to spend the
function’s budget.
• Staff positions and salaries, for example, may be set according to departmental or
central government decree and policies.
• Office furniture and equipment (including IT) may also be handled separately from the
budget allocated to the internal audit function.
• The training budget may be held centrally by the Central Harmonization Unit.
The requirement for the head of internal audit to develop, seek approval for, and manage a
budget may be limited in practice. Even with delegated budgetary responsibility, many of the
costs associated with the function may not be discretionary (i.e., a matter for the budget holder
to decide). Salaries (aside from performance-related bonuses), for example, are pre-determined
and need only to be tracked.
Setting such difficulties to one side, in order to seek approval for a budget, the head of the
function needs to produce a proposal aligned with the strategy and plan of engagements. A
good starting point is the previous year’s budget although it is not simply a matter of adding a
percentage to allow for inflation. Prior levels of resourcing may have been insufficient.
Conditions, requirements, and expectations change, and the head of internal audit should
always be seeking improvements that may require utilizing resources in a different way.
The IIA’s paper “Budgeting the Internal Audit Function: How Much is Enough?” addresses these
questions. Benchmarking is sometimes used to help determine what is the appropriate level of
resourcing, but no two organizations are completely identical. The paper suggests following a
five-step process.
Step 1: Define the audit universe. This is a description of all auditable entities (“departments,
divisions, systems, processes, subsidiaries, programs, activities, and even accounts”).
Step 2: Assess the risks. It is highly unlikely an internal audit function has sufficient
resources to audit the entire audit universe. Besides, this approach would be highly
inefficient by applying resources to low likelihood, low impact risks where assurance and
advice may have limited value. The audit plan needs to prioritize engagements based on
organizational objectives and risks because “while internal audit can audit anything, it can’t
audit everything.” Assurance mapping may be part of this process to avoid unnecessary
overlap and duplication with the work of other assurance providers on which internal audit
can place reliance.
Step 3: Develop the audit plan. Identifying which audits must be undertaken as a matter of
highest urgency helps determine the major part of the budget based on estimated staff
hours needed, although some allowance should be made for ad hoc engagements and
reactive assurance and advisory engagements for new and emerging risks and
43

management requests. Budgeting should also address the needs of the internal audit
strategic plan, such as investment in new audit software, specialist expertise, and training.
Step 4: Determine training, co-sourcing, and administrative expenses. “Budgets and
schedules must also allow for time off, as well as time spent on administrative tasks,
training, and activities such as quality assurance and audit follow-up.” Continuous training is
needed for auditors to maintain their competency. In addition, the planned engagements in
the plan may call for competencies not readily available from the existing team of auditors.
This may be resolved over time by training and recruitment but more immediately it may
require the use of guest or external services.
Step 5: Review and approve – independence matters. “It’s important to review the operating
budget periodically to ensure that it remains realistic and accurate, identifying and reporting
any variances promptly. In most organizations, the CAE prepares the budget and senior
management reviews it, but final review and approval is left to the audit committee or board
of directors.” For the survey undertaken to support the guidance, The IIA found “CAEs were
significantly more likely to state they had sufficient resources at organizations with
independent audit committees than at organizations where the audit committee was not
independent of management.” 24
Have established the budget and had it approved, the head of the unit must monitor actual
incomes and expenses against the plan. This is discussed in sections 3A.2.5 and 3A.3.4.
3B.1: Reflection
Is your internal audit function in full conformance with these Standards (2000, 2010, 2030)?
How much autonomy does the head of the internal audit unit have in managing the budget
and other resources?
Who approves the staffing and budget for the internal audit unit? Are these arrangements
consistent with internal audit independence?
3B.2 Performance Management
Performance management requires the identification of risks and the implementation of controls
for ensuring economic, effective, and efficient resource utilization. Managing performance needs
to take place at every level of activity.
24
“Budgeting the Internal Audit Function: How Much is Enough?” Tone at the Top, The IIA, 2018.
44

• Individuals are responsible for managing their own performance, including time-keeping,
maintaining due diligence, following instructions and procedures, reporting periodically to
their supervisor, and escalating issues requiring someone else’s attention.
• Supervisors are responsible for managing the performance of their team members
individually and collectively. A typical performance management cycle comprises:
o Agreeing individual goals commensurate with role, responsibilities, ambitions,
and competencies, and aligned with team-level and organizational objectives.
o Providing time, tools, resources, training, and sufficient autonomy and
supervision as required.
o Monitoring performance.
o Providing feedback, both as encouragement and in highlighting areas requiring
remediation.
o Formally appraising performance according to a regular cycle and in consultation
with the individual, allowing them to account for their own performance.
o Recognizing achievements and allocating rewards according to policy.
o Identifying and creating opportunities for personal and professional development
and progression.
o Reporting the results of performance evaluation up the chain of command.
o Acting as an advocate for their team members, giving due credit for their
accomplishments.
o Agreeing goals for the next cycle.
Team leaders are responsible for achieving the goals assigned to their unit and for managing
the performance of individuals. This continues upwards to the highest levels of the entity with
ultimate accountability to stakeholders for fulfilling organizational purpose economically,
effectively, efficiently, ethically, and sustainably.
This process of performance management links with the concepts of managerial accountability
discussed in Module 2 and applies to internal audit functions as much as any other department.
Performance management is a natural part of risk management and internal control.
Organizational-level objectives need to be cascaded down to every level so that goals of
departments, teams, and individuals are all aligned. Decision-making and implementation of
controls are most effective when they are delegated to the lowest level of competence
necessary to enable managers to manage and leaders to lead. As goals are assigned, they
must be accompanied by responsibility, autonomy, and resources. This requires trust.
Supervision is part of the system of control but too much supervision and monitoring constitutes
micro-management, which is inefficient, intrusive, and often counter-productive. Individuals
resent excessive scrutiny since it communicates a lack of trust in their integrity and ability.
45

There is also a link with leadership styles, as discussed in Module 2. A more authoritarian style
tends toward greater supervision while a laissez-faire attitude tends toward less supervision.
The appropriate and most effective style depends on the characteristics of the staff member,
their role, experience, and competency, their relationship with their supervisor, their personal
preferences, organizational conditions, and more. Managers need to adapt their style according
to circumstances.
We have said repeatedly that risk management and internal control should not be regarded as
discrete activities, an additional responsibility on top of managing operations and activities.
When reflecting on performance management we should remind ourselves of the COSO
Internal Control – Integrated Framework with its five elements:
• Control environment.
• Risk assessment.
• Control activities.
• Information and communication.
• Monitoring.
We could use these five elements to describe performance management or more broadly the
responsibilities of management. Making a decision, taking a risk, managing a risk, pursuing
objectives, and implementing goal-oriented actions are the same thing. The purpose of risk
management and internal control is to do this mindfully and systematically.
3B.2.1 Approaches to Performance Management
In 2018, McKinsey developed a model for sustaining high performance in the public sector in
the long-term 25 . The authors identified that project pilots tend to out-perform expectations but
thereafter, as they lose their initial momentum, the performance of initiatives tends to diminish.
The authors associated this with the added interest and level of oversight new projects generate
followed by an inevitable decline once activities become part of routine operations and the
novelty and excitement fades.
To address this pattern, McKinsey developed a seven-stage model designed to maximize and
maintain effective performance management. The model is organized in three areas of focus:
• Create transparency:
1. Define meaningful performance metrics.
2. Set stretch targets.
3. Create digital tools for sharing information.
• Involve managers in the solution:
4. Institute motivational dialogues.
5. Use agile methodologies.
25
Sustaining High Performance Beyond Public Sector Pilot Projects, McKinsey, 2018.
46

• Empower the people:
6. Emphasize nonfinancial incentives.
7. Build the skills for success.
Collectively these elements reinforce the importance of:
• Setting and communicating clear financial and nonfinancial goals (including “stretch
goals” to encourage even greater performance).
• Taking people with you through continuous and inspirational communication and
providing training as needed.
• Being prepared to adapt to changing conditions and keeping processes lean and flexible
(“agile”).
These principles are important for all approaches. How performance management differs is
generally characterized by a particular mindset or focus applied to directing and monitoring
activities. Common approaches used to manage performance include:
• Plan-do-check-act (PDCA).
• Budget-driven performance management.
• Management by objectives (MBO).
• Balanced scorecard.
These and similar approaches may be used in combination. Whatever approach is taken, it
should be adapted to suit the circumstances.
Plan-Do-Check-Act (PDCA)
Plan-Do-Check-Act (PDCA) is a very simple conceptual approach to managing performance.
More broadly, it is a model for quality assurance, continuous improvement, and change
management. It is described as a continuous cycle and reminds managers to incorporate
feedback as part of monitoring to enable timely interventions.
47

• Plan. The cycle is initiated through a planning process. Depending on the scale and
scope of the activity, planning may include situational analysis (e.g., SWOT, PESTEL),
objective and target setting, risk assessment, budgeting, and related activities.
• Do. For clarity, it is helpful to distinguish between the two stage “Do” and “Act” which
sound similar. The Do stage is intended to reflect project implementation. This may
include a testing or trial phase before full roll-out.
• Check. This is a key characteristic of the PDCA approach. Rather than waiting until
implementation is complete, monitoring needs to be fully integrated from the beginning.
Monitoring can be accomplished by a mix of approaches, such as direct observation,
supervision, automated processes, client feedback, staff feedback, vendor feedback,
financial reporting, and tracking budget utilization. Such approaches link closely with
internal control. (Performance management is integral to internal control.)
• Act. This stage uses the intelligence gathered through monitoring to make
improvements. Errors, control weaknesses, inefficiencies, and defective outputs can be
addressed by improving processes leading to better future results.
• Plan. Improvements inform planning for the next cycle.
The PDCA approach is implicitly or explicitly part of most organizational activity, including risk
management and the quality assurance and improvement program (QAIP) for the internal audit
function.
Budget-Driven Performance Management
Budget-driven performance management relies heavily on financial planning and monitoring.
The budget establishes goals or limits for incomes and expenditure and becomes a proxy for
objectives. Actual results can be compared with the budget and communicated in a financial
report, as discussed in section 3A.2. Variances can be calculated and analyzed, as discussed in
section 3A.3. Satisfying or exceeding the budget is considered the primary measure of success.
Actual performance information is then used to determine future budgets. Sometimes this
approach is referred to as performance budgeting.
While this approach has merits, it can skew management’s focus and exclude other important
considerations.
Pros and cons of budget-driven performance management
Cons
Pros
• The budget is developed to support
organizational objectives and therefore
there is naturally a close alignment
between the budget and objectives.
• Checking income and expenditure against
a budget is relatively easy, assuming
there is a robust financial reporting
system.
48
• Budget-driven performance management
focuses only on financial goals, ignoring
other types of value.
• Meeting or exceeding budgetary goals
does not guarantee successful
performance against organizational
objectives and purpose. It is possible to
improve upon a budget, for example, by

• Variance analysis provides useful
under-performing and doing less work
quantitative measures of performance. than planned, thus saving costs.
Management by Objectives (MBO)
Management by objectives places emphasis on defining objectives as the primary means of
coordinating activity and optimizing outcomes. Agreement by staff and managers to objectives
creates greater commitment together with efforts to motivate and incentivize performance
through appropriate rewards. However, incentivization in the public sector is less common,
largely because individual and team performance are often evaluated based on conformance
with budgetary and other formal requirements rather than outcomes. It is also hard to isolate
contributions to performance and attribute outcomes to specific individuals. Most results are
achieved through collaboration.
Pros and cons of management by objectives (MBO)
Cons
Pros
• Activity across the organization is closely
aligned.
• Teams and individuals are driven to meet
and exceed targets.
49
• Performance can be skewed toward the
achievement of incentives. Staff may be
tempted to take shortcuts causing a
reduction of quality. Other goals and
activities may also be ignored. It is hard to
measure desirable qualitative outcomes,
such as client satisfaction. Goals can be
measured and achieved in ways that are
not always of greatest benefit to the
organization. Once targets for incentives
have been achieved, motivation may
diminish.

Given the concern that incentivization can lead to unexpected outcomes, it is often not tried in
public sector bodies and budget-driven approaches are preferred for managing performance.
Balanced Scorecard
The Balanced Scorecard model was popularized by Kaplan and Norton in 1996. While being
developed with private sector organizations in mind, it has great applicability for the public
sector. As the title suggests, it aims to establish and maintain a suitably balanced set of metrics
for monitoring performance. It recognizes that financial metrics on their own are not enough and
can lead to a distorted perspective, which is one of the criticisms of budget-driven performance
management.
According to Kaplan and Norton, “what you measure is what you get.” In other words, the things
you decide to focus on become the things you achieve. What gets measured gets done. In a
similar vein, Lord Kelvin, a scientist notable for his work in developing a new temperature scale,
remarked “if you cannot measure it, you cannot improve it.” We need tools to define how well
we are doing currently, to set targets for improvement, and to determine whether we are being
successful. Peter Drucker, the management guru, said it like this: “If you can’t measure it, you
can’t manage it.”
The balanced scorecard examines performance from four perspectives:
• Financial perspective.
• Customer perspective.
• Internal perspective.
• Learning and growth potential (organizational capacity perspective).
The model links to value creation. Improvements in capacity drive improvements in processes
leading to greater customer satisfaction and ultimately better financial performance.
50

The balanced scorecard approach needs to be adjusted for the public sector. Public financial
management (PFM) is not focused on generating profits for shareholders. Outcomes and
impacts are not always measurable in simple financial terms.
Governments are also highly complex entities compared with most organizations, having many
different lines of activity and services.
As compared to commercial institutions, government agencies face a unique set of
challenges when trying to manage performance and achieve their strategic goals and
initiatives. Their mission and budgets are often decided externally… Additionally, agencies
face the uphill task of meeting their goals without direct control of shrinking budgets and
resources. This furthers the need for managing performance at every step along the way. 26
Adaptation of the balanced scorecard model to a public sector setting can be summarized as
follows:
Balanced Scorecard
Public Sector Emphasis
Perspectives
Financial perspective
Budgetary performance, stewardship of
resources
Customer perspective
Stakeholder engagement and satisfaction
Internal perspective
Economy, effectiveness, efficiency
Learning and growth potential Knowledge and capacity
The balanced scorecard itself can take the form of a regular report or digital dashboard with
information organized to reflect these quadrants, showing actual performance or status in
comparison with goals.
Pros
Pros and cons of balanced scorecard
Cons
26
Whittaker, J., Strategy and Performance Management in the Government, Pilot Software, November
2003. Quoted in “How to Manage (and Measure) Government Performance,” FreeBalance, August 9,
2022.
51

• Encourages consideration of a broader
range of metrics when monitoring
performance.
• The approach is more complex and
requires greater coordination and
integration of data sets as well as
sufficient familiarity with the model to
interpret accordingly.
3B.2.2 Measuring Performance
When considering the performance of an activity, project, department, or organization, we can
consider different dimensions.
• Inputs. These are the resources that are applied to undertaking the activity.
• Outputs. These are the products and initial results of the activity. Often outputs are more
tangible or immediately apparent than the subsequent outcomes and impacts.
• Outcomes. These are the effects of the activity and link closely to the objectives.
• Impacts. These are the longer-term consequences of the activity.
The distinction between outcomes and impacts is not always made. We may consider them as
short-term and long-term impacts. Inputs, outputs, outcomes, and impacts relating to internal
auditing are illustrated below.
When developing metrics for performance management, it is important to include measures of
outcomes and impacts because these relate to the purpose of internal auditing. Inputs and
52

outputs are useful for monitoring purposes, but internal audit managers should look further than
completion of the audit plan as a goal.
• Inputs and outputs answer the question: what have we done?
• Outcomes and impacts answer the question: what difference have we made?
The following graphic illustrates possible metrics:
According to the IIA Practice Guide: Measuring Internal Audit Effectiveness and Efficiency,
performance measures for internal auditing may comprise both qualitative and quantitative
metrics as illustrated by the following examples:
• Conformance with the International Standards for the Professional Practice of Internal
Auditing.
• Level of contribution to the improvement of risk management, control, and governance
practices.
• Achievement of key goals and objectives.
• Evaluation of progress against audit activity plan.
• Improvement in staff productivity.
• Increase in efficiency of the audit process.
• Increase in number of action plans for process improvements.
• Adequacy of engagement planning and supervision.
53

• Effectiveness in meeting stakeholders’ needs.
• Results of quality assurance assessments and internal audit activity’s quality
improvement programs.
• Effectiveness in conducting the audit.
• Clarity of communications with the audit client (often referred to as “auditee”) and the
board. 27
It is clear this list comprises inputs, outputs, and some outcomes, including those related to the
improvement of internal auditing as well as broader organizational improvements.
3B.2: Reflection
As a manager or leader, do you adopt a particular approach to managing performance (such
as PDCA, management by objectives, balanced scorecard, or management by budget)?
Which methods of managing performance do you find are the most effective?
What constraints are there on the way a manager or leader chooses to manage
performance? Are there organizational or other expectations that shape the way performance is
managed?
As an individual whose performance is monitored and managed by a superior, what
approaches do you find the most helpful?
What measures are typically used in your audit function to monitor performance? Which of
them relate to: inputs, outputs, outcomes, and impacts?
27
IIA Practice Guide: Measuring Internal Audit Effectiveness and Efficiency, The IIA, 2010.
54