Determining the budget for internal audit (IA) is a balance act—too little resulting in lawsuits, too much in audit fatigue—that is best achieved through transparency about the most assurance funding can buy.
The Internal Auditor’s Peer Group (IAPG) wrapped up a recent meeting discussing how to address a question from the board of director’s audit committee about whether IA’s budget is sufficient. Like other corporate support functions, IA is typically competing for a slice of the company’s overall budget, but audits can also go overboard.
“If you’re out grinding this stuff too much, you can bring [corporate functions to their] knees” by over-auditing, noted one participant.
One approach. Another participant described an approach that others said echoed their own. When this member joined his company several years earlier, the CFO asked him about the state of IA’s budget. He asked to lead the enterprise risk process, which he did over the next few months, to “put down a baseline.” From there, his team drew up an audit plan that provided “minimum, ideal and maximum” audit scenarios based on the determined risks, and the level risk coverage according to board expectations.
From there, he could determine the total audit hours necessary, how full-time equivalents (FTEs) would be necessary to complete the work, and their estimated compensation.
“Here’s the total budget and does that make sense?” he said. “Again, we established a baseline and worked off that.”
He noted that taking that approach still involves haggling—IA may request $2.7 million, the audit committee asks if $2.2 million would work, and they agree on $2.5 million. “It boils down to what we’re given to work with. As long as the quality of the assurance we’re giving the board remains, we should be fine,” he said.
Why transparency is important. Another member described internal audit is similar to health insurance: “You don’t know how much you need until you’re sick” but “are you going to have a shareholder lawsuit if you don’t invest enough” in IA.
The consensus of most IAPG members appeared to be that providing the audit committee with as much transparency as possible about what they’ll get for their money in terms of auditing is the most effective approach; essentially putting the ball in the audit committee’s court. One member shared a situation in which the audit committee noted IA’s important findings and asked what would happen if its budget was doubled.
“I’m like, if this is what you want, you’re welcome to it, but there’s also audit fatigue and you can bring [functions] to their knees,” the auditor said, adding that IA will execute whatever is asked of it, whether it’s to oversee a change in regulations, GDPR, or something else. “We’ll make thoughtful recommendations and, if necessary, step things up for more resources. But it’s a gentle balance, and that’s the hard part.”