Risk Management

Metric of the Month: Internal Audit Costs

While not all public companies have an internal audit function, the tide may soon be turning.
Mary C. DriscollNovember 3, 2015

In a perfect world, employees would all be trustworthy and CFOs would all sleep soundly at night, knowing that every penny is exactly where it should be, safe in the company coffers. But we don’t live in a perfect world. We live in a world where skilled internal auditors have job security.

METRICOFTHEMONTHWhile not all public companies have an internal audit function, relying instead on their external auditors, the tide may soon be turning. The Institute of Internal Auditors (IIA) is among those urging the U.S. Securities and Exchange Commission to require all public companies to maintain an internal audit function, arguing that doing so is in the best interest of the investing public and is important for effective corporate governance.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Richard Chambers, president and CEO of the IIA, stated in a recent blog post to members: “I strongly believe an organizational commitment to good governance falls short without the independent and qualified oversight function that internal audit offers. Organizations operate in a global marketplace that is dynamic, fast-moving, technology-driven, and as competitive as ever. In this atmosphere, the odds are stacked against those with a less-than-ideal risk management and control environment.”

Meanwhile, the SEC requirements grow ever tighter. The commission is apparently seeking to make audit committees accountable, not only for official financial statements, but also for every other finance-related communication coming out of an organization.

The Cost of Internal Audit

Articles from the IIA suggest that one reason some companies decline to fund a bona fide internal audit function is their sense that there’s not adequate value to be captured from doing so. It’s likely that these naysayers figure they’re spending enough on external auditors already. But how much, really, does the internal audit process cost?

To find out, we at APQC, a nonprofit business benchmarking and research firm based in Houston, tapped into our Open Standards Research database of of 1,069 public companies. Our research found that the 25% of the North and South American companies in our study population that are most cost-efficient (the top quartile) spends 13 cents or less per $1,000 in revenue to operate controls and monitor compliance with internal controls policies and procedures.

The most expensive (the bottom quartile) spends $1.40 or more per $1,000 in revenue, while the median lands at 39 cents. We also looked at the total process costs, which includes the above sub-process costs along with activities associated (a) establishing policies and procedures and (b) reporting on internal controls compliance. Looking at the all-in costs, we found the most cost-efficient companies spend 40 cents or less per $1,000 in revenue, while the ones who pay the most spend $3.06. (See Figure 1.)


Readers will surely argue that while cost-efficiency is important in any financial process, it is not the end-all and be-all when it comes to good governance. I agree. What’s the point of having a dirt-cheap internal controls function if it lacks the resources to do a decent job?

At the very basic level, an organization needs both preventive and detective controls. Preventive controls are proactive while detective controls help to prove that the preventive controls are working. What’s the right mix? That depends on business model and geographic reach, among other factors.

But for a general sense of things, we went back to our benchmarking database. Among the companies that answered the assessment questions about the prevalence of both preventive and detective controls, we found that when it comes to preventive controls, at the median, 57% of all controls fit the bill.

A look at detective controls shows that at the median 38% of all controls can be labelled as detective. Discussing how much of each variety makes the most sense under various scenarios is way above my pay grade. So I’ll leave that to the experts in corporate governance.

Future Trend

A lot of screening that once had to be done by fine-tooth comb can now be done by computers. Internal audit is moving toward automation, which is a cost-efficient way to catch more potential fraudsters with less work. According to Deloitte’s “Audit of the Future” study conducted in late 2014, 76% of 50 audit committee members and 84% of 50 financial statement preparers believe there are significant benefits to auditors in using advanced technologies, and almost all of them think that they should be used in executing an audit.

New auditing technologies allow companies to capture and analyze big data in real time, spotting fraud in progress and helping to head off potential catastrophe. For example, software robots can scan huge volumes of transactions or even employee emails for specific words or phrases, red-flagging areas of concern for auditor review. Other systems can review purchase orders and spot irregularities, such as values that exceed averages, or fake vendor accounts created using employee bank accounts, addresses, or Social Security numbers.

By examining and comparing data from multiple systems at once, over a long period of time, such fraud-detection systems can spot fraudulent activity that might otherwise go undetected for years.

Unlike traditional “random sampling” auditing, automation allows companies to examine a vast majority, if not all, transactions or communications flowing through the business. It keeps labor costs low, as an auditor’s expert eye is only needed when the system catches something that looks out of place. And it provides detailed evidence when proof is required during an investigation or prosecution.

Such advanced fraud-detection capabilities not only boost investor confidence, they let employees know that if their primary career goal is to line their own pockets with embezzled funds, they would do better to seek employment elsewhere.

Mary C. Driscoll is a senior research fellow in Financial Management at APQC, a nonprofit business benchmarking and research firm based in Houston.