Module 3B Managing Resources
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>3B</strong>. <strong>Managing</strong> <strong>Resources</strong> (20%)<br />
<strong>3B</strong> Learning Outcomes<br />
On completion of this section, students will be better able to:<br />
• Manage resources to support planned and ad hoc engagements.<br />
• Manage resources to support the internal audit operational plan.<br />
• Manage resources to support the internal audit strategic plan.<br />
<strong>3B</strong>.1 Financial Management for Internal Audit Functions<br />
<strong>3B</strong>.1.1 Professional Standards<br />
The International Standards for the Professional Practice of Internal Auditing define<br />
expectations for the head of internal audit as manager of the function and its resources, most<br />
notably in Standards 2000, 2010, and 2030. These important standards are quoted in full below:<br />
Standard 2000 – <strong>Managing</strong> the Internal Audit Activity<br />
The chief audit executive must effectively manage the internal audit activity to ensure it adds<br />
value to the organization.<br />
Interpretation:<br />
The internal audit activity is effectively managed when:<br />
• It achieves the purpose and responsibility included in the internal audit charter.<br />
• It conforms with the Standards.<br />
• Its individual members conform with the Code of Ethics and the Standards.<br />
• It considers trends and emerging issues that could impact the organization.<br />
The internal audit activity adds value to the organization and its stakeholders when it<br />
considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk<br />
management, and control processes; and objectively provides relevant assurance. 21<br />
Standard 2010 – Planning<br />
The chief audit executive must establish a risk-based plan to determine the priorities of the<br />
internal audit activity, consistent with the organization's goals.<br />
Interpretation:<br />
To develop the risk-based plan, the chief audit executive consults with senior management<br />
and the board and obtains an understanding of the organization’s strategies, key business<br />
objectives, associated risks, and risk management processes. The chief audit executive<br />
21<br />
International Professional Practices Framework (2017 Edition), The IIA, 2016.<br />
41
must review and adjust the plan, as necessary, in response to changes in the organization’s<br />
business, risks, operations, programs, systems, and controls.<br />
2010.A1 – The internal audit activity's plan of engagements must be based on a<br />
documented risk assessment, undertaken at least annually. The input of senior management<br />
and the board must be considered in this process.<br />
2010.A2 – The chief audit executive must identify and consider the expectations of senior<br />
management, the board, and other stakeholders for internal audit opinions and other<br />
conclusions.<br />
2010.C1 - The chief audit executive should consider accepting proposed consulting<br />
engagements based on the engagement's potential to improve management of risks, add<br />
value, and improve the organization's operations. Accepted engagements must be included<br />
in the plan. 22<br />
Standard 2030 – Resource Management<br />
The chief audit executive must ensure that internal audit resources are appropriate,<br />
sufficient, and effectively deployed to achieve the approved plan.<br />
Interpretation:<br />
Appropriate refers to the mix of knowledge, skills, and other competencies needed to<br />
perform the plan. Sufficient refers to the quantity of resources needed to accomplish the<br />
plan. <strong>Resources</strong> are effectively deployed when they are used in a way that optimizes the<br />
achievement of the approved plan. 23<br />
Strategic, operational, and engagement planning and managing people are discussed in <strong>Module</strong><br />
2. In this section we focus on managing financial resources and performance management.<br />
<strong>3B</strong>.1.2 Financial Management for Internal Audit Functions<br />
According to Standard 2030, resources must be “appropriate, sufficient, and effectively deployed<br />
to achieve the approved plan.” <strong>Resources</strong> available to an internal function should be approved<br />
by the audit committee (if there is one) or the governing body when the audit plan is approved.<br />
In an ideal scenario in which the internal audit function enjoys a high degree of organizational<br />
independence, resources to support the internal audit strategic and operational plans may be<br />
allocated in the form of a financial budget with which the head of internal audit can decide how<br />
many full-time, part-time, and outsourced auditors to engage and at what level, as well as<br />
obtaining other resources, such as training, memberships and subscriptions, office furniture and<br />
equipment (including IT), and auditing software. However, some of these expenses may be<br />
22<br />
International Professional Practices Framework (2017 Edition), The IIA, 2016.<br />
23<br />
International Professional Practices Framework (2017 Edition), The IIA, 2016.<br />
42
controlled in other ways rather than the head of internal audit deciding how to spend the<br />
function’s budget.<br />
• Staff positions and salaries, for example, may be set according to departmental or<br />
central government decree and policies.<br />
• Office furniture and equipment (including IT) may also be handled separately from the<br />
budget allocated to the internal audit function.<br />
• The training budget may be held centrally by the Central Harmonization Unit.<br />
The requirement for the head of internal audit to develop, seek approval for, and manage a<br />
budget may be limited in practice. Even with delegated budgetary responsibility, many of the<br />
costs associated with the function may not be discretionary (i.e., a matter for the budget holder<br />
to decide). Salaries (aside from performance-related bonuses), for example, are pre-determined<br />
and need only to be tracked.<br />
Setting such difficulties to one side, in order to seek approval for a budget, the head of the<br />
function needs to produce a proposal aligned with the strategy and plan of engagements. A<br />
good starting point is the previous year’s budget although it is not simply a matter of adding a<br />
percentage to allow for inflation. Prior levels of resourcing may have been insufficient.<br />
Conditions, requirements, and expectations change, and the head of internal audit should<br />
always be seeking improvements that may require utilizing resources in a different way.<br />
The IIA’s paper “Budgeting the Internal Audit Function: How Much is Enough?” addresses these<br />
questions. Benchmarking is sometimes used to help determine what is the appropriate level of<br />
resourcing, but no two organizations are completely identical. The paper suggests following a<br />
five-step process.<br />
Step 1: Define the audit universe. This is a description of all auditable entities (“departments,<br />
divisions, systems, processes, subsidiaries, programs, activities, and even accounts”).<br />
Step 2: Assess the risks. It is highly unlikely an internal audit function has sufficient<br />
resources to audit the entire audit universe. Besides, this approach would be highly<br />
inefficient by applying resources to low likelihood, low impact risks where assurance and<br />
advice may have limited value. The audit plan needs to prioritize engagements based on<br />
organizational objectives and risks because “while internal audit can audit anything, it can’t<br />
audit everything.” Assurance mapping may be part of this process to avoid unnecessary<br />
overlap and duplication with the work of other assurance providers on which internal audit<br />
can place reliance.<br />
Step 3: Develop the audit plan. Identifying which audits must be undertaken as a matter of<br />
highest urgency helps determine the major part of the budget based on estimated staff<br />
hours needed, although some allowance should be made for ad hoc engagements and<br />
reactive assurance and advisory engagements for new and emerging risks and<br />
43
management requests. Budgeting should also address the needs of the internal audit<br />
strategic plan, such as investment in new audit software, specialist expertise, and training.<br />
Step 4: Determine training, co-sourcing, and administrative expenses. “Budgets and<br />
schedules must also allow for time off, as well as time spent on administrative tasks,<br />
training, and activities such as quality assurance and audit follow-up.” Continuous training is<br />
needed for auditors to maintain their competency. In addition, the planned engagements in<br />
the plan may call for competencies not readily available from the existing team of auditors.<br />
This may be resolved over time by training and recruitment but more immediately it may<br />
require the use of guest or external services.<br />
Step 5: Review and approve – independence matters. “It’s important to review the operating<br />
budget periodically to ensure that it remains realistic and accurate, identifying and reporting<br />
any variances promptly. In most organizations, the CAE prepares the budget and senior<br />
management reviews it, but final review and approval is left to the audit committee or board<br />
of directors.” For the survey undertaken to support the guidance, The IIA found “CAEs were<br />
significantly more likely to state they had sufficient resources at organizations with<br />
independent audit committees than at organizations where the audit committee was not<br />
independent of management.” 24<br />
Have established the budget and had it approved, the head of the unit must monitor actual<br />
incomes and expenses against the plan. This is discussed in sections 3A.2.5 and 3A.3.4.<br />
<strong>3B</strong>.1: Reflection<br />
Is your internal audit function in full conformance with these Standards (2000, 2010, 2030)?<br />
How much autonomy does the head of the internal audit unit have in managing the budget<br />
and other resources?<br />
Who approves the staffing and budget for the internal audit unit? Are these arrangements<br />
consistent with internal audit independence?<br />
<strong>3B</strong>.2 Performance Management<br />
Performance management requires the identification of risks and the implementation of controls<br />
for ensuring economic, effective, and efficient resource utilization. <strong>Managing</strong> performance needs<br />
to take place at every level of activity.<br />
24<br />
“Budgeting the Internal Audit Function: How Much is Enough?” Tone at the Top, The IIA, 2018.<br />
44
• Individuals are responsible for managing their own performance, including time-keeping,<br />
maintaining due diligence, following instructions and procedures, reporting periodically to<br />
their supervisor, and escalating issues requiring someone else’s attention.<br />
• Supervisors are responsible for managing the performance of their team members<br />
individually and collectively. A typical performance management cycle comprises:<br />
o Agreeing individual goals commensurate with role, responsibilities, ambitions,<br />
and competencies, and aligned with team-level and organizational objectives.<br />
o Providing time, tools, resources, training, and sufficient autonomy and<br />
supervision as required.<br />
o Monitoring performance.<br />
o Providing feedback, both as encouragement and in highlighting areas requiring<br />
remediation.<br />
o Formally appraising performance according to a regular cycle and in consultation<br />
with the individual, allowing them to account for their own performance.<br />
o Recognizing achievements and allocating rewards according to policy.<br />
o Identifying and creating opportunities for personal and professional development<br />
and progression.<br />
o Reporting the results of performance evaluation up the chain of command.<br />
o Acting as an advocate for their team members, giving due credit for their<br />
accomplishments.<br />
o Agreeing goals for the next cycle.<br />
Team leaders are responsible for achieving the goals assigned to their unit and for managing<br />
the performance of individuals. This continues upwards to the highest levels of the entity with<br />
ultimate accountability to stakeholders for fulfilling organizational purpose economically,<br />
effectively, efficiently, ethically, and sustainably.<br />
This process of performance management links with the concepts of managerial accountability<br />
discussed in <strong>Module</strong> 2 and applies to internal audit functions as much as any other department.<br />
Performance management is a natural part of risk management and internal control.<br />
Organizational-level objectives need to be cascaded down to every level so that goals of<br />
departments, teams, and individuals are all aligned. Decision-making and implementation of<br />
controls are most effective when they are delegated to the lowest level of competence<br />
necessary to enable managers to manage and leaders to lead. As goals are assigned, they<br />
must be accompanied by responsibility, autonomy, and resources. This requires trust.<br />
Supervision is part of the system of control but too much supervision and monitoring constitutes<br />
micro-management, which is inefficient, intrusive, and often counter-productive. Individuals<br />
resent excessive scrutiny since it communicates a lack of trust in their integrity and ability.<br />
45
There is also a link with leadership styles, as discussed in <strong>Module</strong> 2. A more authoritarian style<br />
tends toward greater supervision while a laissez-faire attitude tends toward less supervision.<br />
The appropriate and most effective style depends on the characteristics of the staff member,<br />
their role, experience, and competency, their relationship with their supervisor, their personal<br />
preferences, organizational conditions, and more. Managers need to adapt their style according<br />
to circumstances.<br />
We have said repeatedly that risk management and internal control should not be regarded as<br />
discrete activities, an additional responsibility on top of managing operations and activities.<br />
When reflecting on performance management we should remind ourselves of the COSO<br />
Internal Control – Integrated Framework with its five elements:<br />
• Control environment.<br />
• Risk assessment.<br />
• Control activities.<br />
• Information and communication.<br />
• Monitoring.<br />
We could use these five elements to describe performance management or more broadly the<br />
responsibilities of management. Making a decision, taking a risk, managing a risk, pursuing<br />
objectives, and implementing goal-oriented actions are the same thing. The purpose of risk<br />
management and internal control is to do this mindfully and systematically.<br />
<strong>3B</strong>.2.1 Approaches to Performance Management<br />
In 2018, McKinsey developed a model for sustaining high performance in the public sector in<br />
the long-term 25 . The authors identified that project pilots tend to out-perform expectations but<br />
thereafter, as they lose their initial momentum, the performance of initiatives tends to diminish.<br />
The authors associated this with the added interest and level of oversight new projects generate<br />
followed by an inevitable decline once activities become part of routine operations and the<br />
novelty and excitement fades.<br />
To address this pattern, McKinsey developed a seven-stage model designed to maximize and<br />
maintain effective performance management. The model is organized in three areas of focus:<br />
• Create transparency:<br />
1. Define meaningful performance metrics.<br />
2. Set stretch targets.<br />
3. Create digital tools for sharing information.<br />
• Involve managers in the solution:<br />
4. Institute motivational dialogues.<br />
5. Use agile methodologies.<br />
25<br />
Sustaining High Performance Beyond Public Sector Pilot Projects, McKinsey, 2018.<br />
46
• Empower the people:<br />
6. Emphasize nonfinancial incentives.<br />
7. Build the skills for success.<br />
Collectively these elements reinforce the importance of:<br />
• Setting and communicating clear financial and nonfinancial goals (including “stretch<br />
goals” to encourage even greater performance).<br />
• Taking people with you through continuous and inspirational communication and<br />
providing training as needed.<br />
• Being prepared to adapt to changing conditions and keeping processes lean and flexible<br />
(“agile”).<br />
These principles are important for all approaches. How performance management differs is<br />
generally characterized by a particular mindset or focus applied to directing and monitoring<br />
activities. Common approaches used to manage performance include:<br />
• Plan-do-check-act (PDCA).<br />
• Budget-driven performance management.<br />
• Management by objectives (MBO).<br />
• Balanced scorecard.<br />
These and similar approaches may be used in combination. Whatever approach is taken, it<br />
should be adapted to suit the circumstances.<br />
Plan-Do-Check-Act (PDCA)<br />
Plan-Do-Check-Act (PDCA) is a very simple conceptual approach to managing performance.<br />
More broadly, it is a model for quality assurance, continuous improvement, and change<br />
management. It is described as a continuous cycle and reminds managers to incorporate<br />
feedback as part of monitoring to enable timely interventions.<br />
47
• Plan. The cycle is initiated through a planning process. Depending on the scale and<br />
scope of the activity, planning may include situational analysis (e.g., SWOT, PESTEL),<br />
objective and target setting, risk assessment, budgeting, and related activities.<br />
• Do. For clarity, it is helpful to distinguish between the two stage “Do” and “Act” which<br />
sound similar. The Do stage is intended to reflect project implementation. This may<br />
include a testing or trial phase before full roll-out.<br />
• Check. This is a key characteristic of the PDCA approach. Rather than waiting until<br />
implementation is complete, monitoring needs to be fully integrated from the beginning.<br />
Monitoring can be accomplished by a mix of approaches, such as direct observation,<br />
supervision, automated processes, client feedback, staff feedback, vendor feedback,<br />
financial reporting, and tracking budget utilization. Such approaches link closely with<br />
internal control. (Performance management is integral to internal control.)<br />
• Act. This stage uses the intelligence gathered through monitoring to make<br />
improvements. Errors, control weaknesses, inefficiencies, and defective outputs can be<br />
addressed by improving processes leading to better future results.<br />
• Plan. Improvements inform planning for the next cycle.<br />
The PDCA approach is implicitly or explicitly part of most organizational activity, including risk<br />
management and the quality assurance and improvement program (QAIP) for the internal audit<br />
function.<br />
Budget-Driven Performance Management<br />
Budget-driven performance management relies heavily on financial planning and monitoring.<br />
The budget establishes goals or limits for incomes and expenditure and becomes a proxy for<br />
objectives. Actual results can be compared with the budget and communicated in a financial<br />
report, as discussed in section 3A.2. Variances can be calculated and analyzed, as discussed in<br />
section 3A.3. Satisfying or exceeding the budget is considered the primary measure of success.<br />
Actual performance information is then used to determine future budgets. Sometimes this<br />
approach is referred to as performance budgeting.<br />
While this approach has merits, it can skew management’s focus and exclude other important<br />
considerations.<br />
Pros and cons of budget-driven performance management<br />
Cons<br />
Pros<br />
• The budget is developed to support<br />
organizational objectives and therefore<br />
there is naturally a close alignment<br />
between the budget and objectives.<br />
• Checking income and expenditure against<br />
a budget is relatively easy, assuming<br />
there is a robust financial reporting<br />
system.<br />
48<br />
• Budget-driven performance management<br />
focuses only on financial goals, ignoring<br />
other types of value.<br />
• Meeting or exceeding budgetary goals<br />
does not guarantee successful<br />
performance against organizational<br />
objectives and purpose. It is possible to<br />
improve upon a budget, for example, by
• Variance analysis provides useful<br />
under-performing and doing less work<br />
quantitative measures of performance. than planned, thus saving costs.<br />
Management by Objectives (MBO)<br />
Management by objectives places emphasis on defining objectives as the primary means of<br />
coordinating activity and optimizing outcomes. Agreement by staff and managers to objectives<br />
creates greater commitment together with efforts to motivate and incentivize performance<br />
through appropriate rewards. However, incentivization in the public sector is less common,<br />
largely because individual and team performance are often evaluated based on conformance<br />
with budgetary and other formal requirements rather than outcomes. It is also hard to isolate<br />
contributions to performance and attribute outcomes to specific individuals. Most results are<br />
achieved through collaboration.<br />
Pros and cons of management by objectives (MBO)<br />
Cons<br />
Pros<br />
• Activity across the organization is closely<br />
aligned.<br />
• Teams and individuals are driven to meet<br />
and exceed targets.<br />
49<br />
• Performance can be skewed toward the<br />
achievement of incentives. Staff may be<br />
tempted to take shortcuts causing a<br />
reduction of quality. Other goals and<br />
activities may also be ignored. It is hard to<br />
measure desirable qualitative outcomes,<br />
such as client satisfaction. Goals can be<br />
measured and achieved in ways that are<br />
not always of greatest benefit to the<br />
organization. Once targets for incentives<br />
have been achieved, motivation may<br />
diminish.
Given the concern that incentivization can lead to unexpected outcomes, it is often not tried in<br />
public sector bodies and budget-driven approaches are preferred for managing performance.<br />
Balanced Scorecard<br />
The Balanced Scorecard model was popularized by Kaplan and Norton in 1996. While being<br />
developed with private sector organizations in mind, it has great applicability for the public<br />
sector. As the title suggests, it aims to establish and maintain a suitably balanced set of metrics<br />
for monitoring performance. It recognizes that financial metrics on their own are not enough and<br />
can lead to a distorted perspective, which is one of the criticisms of budget-driven performance<br />
management.<br />
According to Kaplan and Norton, “what you measure is what you get.” In other words, the things<br />
you decide to focus on become the things you achieve. What gets measured gets done. In a<br />
similar vein, Lord Kelvin, a scientist notable for his work in developing a new temperature scale,<br />
remarked “if you cannot measure it, you cannot improve it.” We need tools to define how well<br />
we are doing currently, to set targets for improvement, and to determine whether we are being<br />
successful. Peter Drucker, the management guru, said it like this: “If you can’t measure it, you<br />
can’t manage it.”<br />
The balanced scorecard examines performance from four perspectives:<br />
• Financial perspective.<br />
• Customer perspective.<br />
• Internal perspective.<br />
• Learning and growth potential (organizational capacity perspective).<br />
The model links to value creation. Improvements in capacity drive improvements in processes<br />
leading to greater customer satisfaction and ultimately better financial performance.<br />
50
The balanced scorecard approach needs to be adjusted for the public sector. Public financial<br />
management (PFM) is not focused on generating profits for shareholders. Outcomes and<br />
impacts are not always measurable in simple financial terms.<br />
Governments are also highly complex entities compared with most organizations, having many<br />
different lines of activity and services.<br />
As compared to commercial institutions, government agencies face a unique set of<br />
challenges when trying to manage performance and achieve their strategic goals and<br />
initiatives. Their mission and budgets are often decided externally… Additionally, agencies<br />
face the uphill task of meeting their goals without direct control of shrinking budgets and<br />
resources. This furthers the need for managing performance at every step along the way. 26<br />
Adaptation of the balanced scorecard model to a public sector setting can be summarized as<br />
follows:<br />
Balanced Scorecard<br />
Public Sector Emphasis<br />
Perspectives<br />
Financial perspective<br />
Budgetary performance, stewardship of<br />
resources<br />
Customer perspective<br />
Stakeholder engagement and satisfaction<br />
Internal perspective<br />
Economy, effectiveness, efficiency<br />
Learning and growth potential Knowledge and capacity<br />
The balanced scorecard itself can take the form of a regular report or digital dashboard with<br />
information organized to reflect these quadrants, showing actual performance or status in<br />
comparison with goals.<br />
Pros<br />
Pros and cons of balanced scorecard<br />
Cons<br />
26<br />
Whittaker, J., Strategy and Performance Management in the Government, Pilot Software, November<br />
2003. Quoted in “How to Manage (and Measure) Government Performance,” FreeBalance, August 9,<br />
2022.<br />
51
• Encourages consideration of a broader<br />
range of metrics when monitoring<br />
performance.<br />
• The approach is more complex and<br />
requires greater coordination and<br />
integration of data sets as well as<br />
sufficient familiarity with the model to<br />
interpret accordingly.<br />
<strong>3B</strong>.2.2 Measuring Performance<br />
When considering the performance of an activity, project, department, or organization, we can<br />
consider different dimensions.<br />
• Inputs. These are the resources that are applied to undertaking the activity.<br />
• Outputs. These are the products and initial results of the activity. Often outputs are more<br />
tangible or immediately apparent than the subsequent outcomes and impacts.<br />
• Outcomes. These are the effects of the activity and link closely to the objectives.<br />
• Impacts. These are the longer-term consequences of the activity.<br />
The distinction between outcomes and impacts is not always made. We may consider them as<br />
short-term and long-term impacts. Inputs, outputs, outcomes, and impacts relating to internal<br />
auditing are illustrated below.<br />
When developing metrics for performance management, it is important to include measures of<br />
outcomes and impacts because these relate to the purpose of internal auditing. Inputs and<br />
52
outputs are useful for monitoring purposes, but internal audit managers should look further than<br />
completion of the audit plan as a goal.<br />
• Inputs and outputs answer the question: what have we done?<br />
• Outcomes and impacts answer the question: what difference have we made?<br />
The following graphic illustrates possible metrics:<br />
According to the IIA Practice Guide: Measuring Internal Audit Effectiveness and Efficiency,<br />
performance measures for internal auditing may comprise both qualitative and quantitative<br />
metrics as illustrated by the following examples:<br />
• Conformance with the International Standards for the Professional Practice of Internal<br />
Auditing.<br />
• Level of contribution to the improvement of risk management, control, and governance<br />
practices.<br />
• Achievement of key goals and objectives.<br />
• Evaluation of progress against audit activity plan.<br />
• Improvement in staff productivity.<br />
• Increase in efficiency of the audit process.<br />
• Increase in number of action plans for process improvements.<br />
• Adequacy of engagement planning and supervision.<br />
53
• Effectiveness in meeting stakeholders’ needs.<br />
• Results of quality assurance assessments and internal audit activity’s quality<br />
improvement programs.<br />
• Effectiveness in conducting the audit.<br />
• Clarity of communications with the audit client (often referred to as “auditee”) and the<br />
board. 27<br />
It is clear this list comprises inputs, outputs, and some outcomes, including those related to the<br />
improvement of internal auditing as well as broader organizational improvements.<br />
<strong>3B</strong>.2: Reflection<br />
As a manager or leader, do you adopt a particular approach to managing performance (such<br />
as PDCA, management by objectives, balanced scorecard, or management by budget)?<br />
Which methods of managing performance do you find are the most effective?<br />
What constraints are there on the way a manager or leader chooses to manage<br />
performance? Are there organizational or other expectations that shape the way performance is<br />
managed?<br />
As an individual whose performance is monitored and managed by a superior, what<br />
approaches do you find the most helpful?<br />
What measures are typically used in your audit function to monitor performance? Which of<br />
them relate to: inputs, outputs, outcomes, and impacts?<br />
27<br />
IIA Practice Guide: Measuring Internal Audit Effectiveness and Efficiency, The IIA, 2010.<br />
54