Audit Performance Metrics: Measuring Internal Audit PerformancePublished March 28, 2019 by Karen Walsh • 4 min read
While most companies attempt to secure their data, many continue to fail their IT audits. When trying to determine whether your risk management program effectively mitigates risks, you need to find metrics that support your ability to comply with internal policies as well as external industry standards and regulatory requirements.
Audit Performance Metrics
What are the benefits of metrics?
Metrics provide stakeholders objective input for determining resource allocations. For example, if an internal audit finds that the organization did not patch security updates in the 30-60 days, then the organization may need greater accountability or automated tools.
Moreover, mature cybersecurity programs often incorporate tracking mechanisms. These tools enable documentation and quantification to decrease the errors arising from manual reporting.
Why incorporating stakeholders allows an organization to set internal audit metrics
Different stakeholders within the organization may define internal audit performance differently.
While the Board of Directors may be looking to eliminate reputational and financial risks, the c-suite may be seeking to build a tone of accountability. Meanwhile, the audit committee may want to use internal audit metrics to reduce external audit fees or protect from external auditor findings.
Thus, part of defining the metrics requires creating an audit team that includes internal stakeholders who communicate their different needs.
How robust internal audit policies and procedures define audit metrics
After creating an audit team, you need to put together a focused list of the needs and objectives that align across the organization.
For example, if you need to be PCI DSS, SOX, or HIPAA compliant, regulatory fines and penalties will be a crucial driver for all stakeholders, including the external auditor. On the other hand, your audit committee and c-suite may also want to reduce external audit costs by using the internal audit outcomes to streamline the more expensive process.
As with creating an audit plan, you need to start by prioritizing the metrics based on business objectives.
How to use audit metrics to mature your compliance program
Organizations increasingly add Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) providers to enable business-critical operations. However, the cybersecurity risks inherent in these services can create business continuity risks that risk the financial bottom line.
Organizations that align their internal audit metrics to these integrated information security and business risks strengthen compliance and revenue outcomes. For example, operational risk now becomes an IT risk. Before computers, an employee accessing hard copies of sensitive information was an operational risk because it meant that the business did not follow its employee internal control procedures. Cloud migration now makes unauthorized access an IT risk as well as an operational risk.
What are five critical internal audit program metrics to use?
How Satisfied Are the Internal Stakeholders?
Your internal stakeholders need insight into whether their risk mitigations strategies work. When designing the audit plan, you set a scope and objectives.
As part of the audit committee review, the internal stakeholders need to make sure that the audit met the scope and objectives. For example, if the organization added a new SaaS payroll application, then the internal audit needs to provide information proving the PCI DSS network segregation requirement is effective. This insight provides both the c-suite and Board assurance over internal IT controls and the financial risk mitigation strategy effectiveness.
What was the financial value of the internal audit?
Organizations using internal audits to reduce external audit costs need metrics that give insight. Comparing year-to-year costs is a starting point. However, some cost reductions may be less noticeable.
For example, managing vendor risk means gaining visibility into the organization’s third-party and fourth-party service providers. By engaging in an internal audit process that regularly monitors and documents the vendors’ control effectiveness, comparing it to the service level agreement (SLA), you can streamline the external audit process. Then, you can compare year-to-year the cost and time the external audit took.
How was the performance reported?
Although internal auditors segregated from the departments they review, human error often plays a factor in decreasing internal audit value.
Finding solutions that remove human error, therefore, can create better internal audit reporting metrics. A single internal auditor can only review a limited number of logs. However, an automated system that aggregates the reports and provides visual representations can allow your internal auditor to consider more information in less time. With more data comes greater assurance over the internal reporting that then reduces external auditor time.
What was the audit plan coverage?
While the cost to complete an external audit may matter to the c-suite and Board, the audit plan coverage may be more likely to prevent data breaches.
Unfortunately, information security risk continuously evolves. Thus, traditional point-in-time audits may fail at providing full coverage. Using automated tools that provide continuous monitoring over the data environment allow an organization to provide greater coverage, mitigate more risks, and offer greater assurance over their IT control effectiveness.
How rapidly were issues remediated?
If your company is using its internal audit function to lead to stronger external audit outcomes, then you need to find a way to streamline communications and speed up remediations.
Prioritizing remediation activities and communicating them can be a key metric when reviewing internal audit effectiveness. Internal communications can act as a barrier to remediation, which then undermines the goals of the internal audit function. The organization needs to prioritize and track issues so that it can work faster to remediate any problems.
How ZenGRC Enables Audit Metrics and Reporting
ZenGRC offers workflow tagging so that you can delegate audit tasks and monitor their progress and completion. Moreover, it allows you to prioritize tasks so that your team members know how to plan their activities.
ZenGRC’s workflow management capabilities include a centralized dashboard that continuously documents your control effectiveness making audit documentation easier.
Additionally, it helps you create an audit trail by documenting and remediation activities to support your responses to auditor questions.
When using internal audits to enable external audit processes and reduce time spent, using ZenGRC’s single source of information platform can speed up internal stakeholder communications and provide all documentation necessary thus reducing external auditor follow up requests.
For more information on how ZenGRC’s audit management workflows can streamline your process, contact us for a demo.