Why More Audits Will Not Save the Business
The audit committee meeting is approaching. The stress is high as your boss, the chief audit executive (CAE), needs to present the annual plan for approval. During the meeting, the audit committee chair tells the CAE that the plan looks good, but we need to leverage Artificial Intelligence (AI) to perform more audits and cover more risks. Reluctantly, your CAE agrees, and an initiative is born: we will perform 20% more audits this year by leveraging AI.
Nine months later, the CAE reports back that the target was surpassed. The audit committee is delighted. You get a pat on the back.
But here is the reality check. While the audit committee may be satisfied with increased outputs, management can tell whether an audit function is actually effective, and this may not be directly related to the number of audits performed. As an audit function, we know that the goal is to cover more risks and provide assurance over the effectiveness of controls. The challenge is how the team can cover more risks with the same resources.
The solution is not increased effort measured in terms of the number of audits. To fix this, we need to be precise about the difference between Output and Outcome.
Output is what we do — performing audits, speaking with stakeholders, complying with the latest Global Internal Audit Standards (GIAS). It keeps us occupied and our dashboards green.
Outcome is what that work actually changes — reducing errors through automation, identifying the root cause for overpayments to key suppliers, escalating a critical control gap that prompted the business to deploy real resources to fix it.
An output may produce no meaningful outcome at all. But every outcome traces back to some output. The question is whether the things we are doing actually matter, or whether we are just being busy. This distinction sits at the heart of how we set our annual objectives, and yet most audit functions never confront it directly.
The Outcome Measurement Problem
Here is where things get uncomfortable. The natural next step might be to say, “Let us measure outcomes instead.” Unfortunately, identifying outcomes to measure is not easy.
The GIAS, which took effect last year, require internal audit functions to measure their own effectiveness but deliberately stop short of prescribing how. This reflects a recognition that every organisation has different strategic priorities, risk appetites, and definitions of what a successful audit function looks like.
Can we define what success looks like in our organisation? Do we really know whether our functions are successful? Many audit functions may retreat to what is measurable and defensible: the audit plan completed, hours logged, and findings raised. These are numbers that look good on paper. However, a department can hit 100% of its audit plan and still fail to prevent a major systemic breakdown.
The Conversation That Matters More Than the Metric
A perfect outcome key performance indicator (KPI) is difficult to define. That metric, in its purest form, may not exist. More frustratingly, the ‘perfect’ outcome KPI may resonate differently with our two main stakeholders — the audit committee and management.
The audit committee typically wants internal audit to be independent, to be their eyes and ears on the ground, perform audits in accordance with the audit standards, and focus its attention on high-profile, high-risk areas. Management's answer may differ. Their ideal internal audit function may be to help the business navigate critical risks without performing time-consuming audits, taking responsibility for internal controls, and acting as a subject matter expert by providing a ‘sign-off’ prior to a product launch.
Both answers are legitimate but point in different directions. The best way to frame this is to go back to basics, noting that the purpose statement in the GIAS states that internal audit enhances the organisation’s successful achievement of its objectives.
Driving Outcomes Versus Outputs
I started this post intentionally with a reference to AI. A senior leader told me, “Please flag all manual controls, regardless of whether they are working effectively or not. We need to automate these controls using AI to confidently say that these controls will not break, and even if they do, we will receive alerts to warn us.”
An audit function that measures the increased number of audits performed by leveraging AI is focused on outputs. By contrast, recommending a dashboard that tracks and measures exceptions over time focuses on the outcome we want to achieve: a stronger control environment. That differentiates valued audit teams from average ones.
Conclusion
Setting internal audit objectives is not a bureaucratic exercise. It is a statement of intent about where the function's efforts will be prioritised in the next 12 months.
In reality, most audit functions will land on a hybrid mix of output and outcome objectives. That combination is imperfect because it does not fully capture whether the organisation is genuinely safer. However, by continuing to focus on measuring outcomes, we move from being the people with checklists to being the ones the business turns to for solutions.
So the next time you are asked to "do more," ask this: "Are we looking for more reports, or the time to find the outcomes that actually matter?"
Gary Teo currently leads the internal audit department at Airwallex, a fintech company headquartered in Singapore and is the Treasurer of The Institute of Internal Auditors Singapore.
