A recent LinkedIn poll offered a stark reminder of the level of staff resources that are often dedicated to an internal audit engagement. The survey posted by Kyle McMullan asked: “What do you think should be the average budget for an “average” audit? Enough to provide assurance on key risks.” The results from more than 200 respondents were a reminder that a typical internal audit demands a significant staff investment:

• Up to 300 hours: 15%
• 300 to 750 hours: 42%
• 750 to 1,500 hours: 35%
• 1,500 TO 3,000+ hours: 8%

As with all LinkedIn polls, this one was not scientific, but my instincts tell me the results are not that far from reality when it comes to the level of effort invested in a typical internal audit. Certainly, small audit shops (less than 5 staff) are unlikely to dedicate 1,000+ hours to an average engagement. Nor are large departments (20+ staff) likely to average fewer than 300 hours per engagement. But the weighted average of the survey results suggests that it is not uncommon for an internal audit engagement to absorb more than 800 staff hours.

I have long cautioned of the consequences of internal audit engagements that take too long. I have also warned of the danger of missing key risks because we are spending too much time focused on the wrong things. But I haven’t explored an issue that isn’t widely discussed, and in many organizations is a well-kept secret: The true (financial) cost of an internal audit engagement.

I first started pondering engagement costs almost 30 years ago when I headed the U.S. Army’s internal review (audit) function. At the time, we had more than 300 offices around the world, and many were under intense resource pressure. Their stakeholders were outspoken about perceived inefficiencies and lack of value coming from internal audits. We were determined to enhance timeliness, focus on the real risks, and increase stakeholder satisfaction. I chronicled our journey in detail in my first book, “Lessons Learned on the Audit Trail.” 

I spent a lot of time during that journey examining audit processes, methodologies, and timeliness. I had a lot of data at my fingertips, and one day I decided to calculate the true cost of an average internal audit. It was a simple exercise at first. I simply took the total budget for our organization and divided it by the number of engagements we completed during the prior year. The results took my breath away. The average cost of an engagement was more than $600K (in today’s dollars). I knew that was a toxic number that would inflame the passions of our beleaguered stakeholders, many of whom were under extraordinary budget pressures themselves. I also knew that I couldn’t really argue that the value of the average engagement was anywhere near that number at the time.

Having spent “tour of duty” in the cost analysis field a few years earlier, I knew that the calculation I had made was a crude one at best. So, I began to urge the CAEs of our 300 subsidiary organizations to undertake their own analyses. We provided detailed guidance on how to generate a more accurate estimate of the cost of their engagements. Essentially, our guidance was to:

• Determine the total annual budget for their department (fully loaded for overhead/indirect costs).
• Calculate the number of direct audit hours available (we used a formula of 1,440 hours per full-time internal auditor). The CAE’s time and that of administrative staff was only to be included to the extent they directly participated in the engagements.
• Divide the fully loaded cost of operations by the total number of direct audit hours available to obtain an hourly audit rate.
• Multiply the hourly audit rate by the number of hours that an engagement took to obtain an approximate cost for the engagement. For those internal audit functions that undertake advisory engagements, the same methodology can applied.

When unveiling the cost calculation guidance, I jokingly told the CAEs that they should calculate the costs of their engagement and then quickly hide the results in their desk drawers. For I knew that the cost of many engagements would be hard to justify.

The feedback after the calculations were made was swift and loud. The CAEs were often shocked at the results. They argued that we had provided the wrong methodology. They argued that we shouldn’t burden the cost of the audits with indirect costs or unproductive time such as vacations and holidays. In the end, however, they knew the results shined a light on an inconvenient truth: many of our engagements were not worth the expense!

Fast forward 30 years, and I believe the lessons we learned are still applicable for many. The fact is that we would be right to criticize business units in our organizations whose processes are inefficient and cost prohibitive. And while I strongly believe that our stakeholders should be the ultimate judge of our value, we must not lose sight of the real cost of our results.

To be clear, a great many internal audit engagements are worth every penny of their costs. Findings of waste and inefficiency that exceed the costs of the engagements are no-brainers. So too are audits that expose fraud or highlight non-compliance with laws or regulations that may bring penalties, reputational damage or even worse. I would never suggest that an audit shouldn’t be undertaken where risks are significant, or regulators demand them. However, it doesn’t hurt to know the true cost of what we do. It can only make us stronger.

I welcome your thoughts on this topic. Are you comfortable with your “cost of doing business?”