KnowledgeLeader Blog

Internal Audit’s Performance – Raising the Bar

Posted by Sharise Cruz on Fri, Mar 21, 2014 @ 11:04 AM

""The internal audit function’s position within a company is unique. It provides its principal stakeholders (audit committee members and management) valuable and objective assurance on governance, risk management and control processes, as well as consulting services to improve operations. With this critical responsibility to fulfill, implicit in executing those duties is internal audit’s continuous improvement to its own practices.

How do you do that? A high-quality internal audit function meets or exceeds stakeholder expectations, while ensuring that value is added to the organization. One of the most critical factors in achieving internal audit quality is the auditor’s competency and proficiency in evaluating the organization’s risk-management, control and governance processes. Each internal audit department should have a program that not only encourages top quality of internal audit reports, investigations, consulting and other services, but that also institutionalizes continuous improvement in its service to stakeholders.

STEPS TO SUCCESS

The Institute of Internal Auditors issued a “quality maturity model” several years ago that included a roadmap for improving internal audit practices over time. The model comprises five basic levels:

Level 1: Introductory. The internal audit function at this level has no quality assurance and improvement program in place. Typically, a Level 1 internal audit department would be fairly new or one that has not yet conformed to the quality requirements within the IIA’s International Standards for the Professional Practice of Internal Audit. In other cases, the chief auditing executive or the audit committee lacks a clear understanding of the substantial value that such a program can bring to an organization.

Level 2: Emerging. The internal audit function conducts periodic and ongoing self-assessments, or internal quality assessments, monitoring the department’s compliance with the Standards.

Level 3: Established. The internal audit activity obtains an independent evaluation of its self-assessment and improvement efforts at least every five years.

Level 4: Progressive. A quality assurance and improvement program is integrated into the operations of the internal audit activity. The activity generally complies with the Standards and Code of Ethics and obtains an external quality assurance review at least every five years.

Level 5: Advanced. An active and fully integrated quality assurance and improvement program exists within the daily operations of the internal audit function. An external quality assurance review is conducted at least every three years. All staff members follow a rigorous continuing education program. Finally, the function should be sharing its best practices with other organizations, providing resources to participate in peer reviews, and completing various other outreach efforts–to improve the practice of internal auditing.

In most enterprises, the audit committee oversees the internal audit function. As such, audit committee members should have direct interaction with the leadership and activities of the internal audit team and should monitor the internal audit team’s performance. Using the quality maturity model’s guidance to discuss regularly the internal audit department’s continuous improvement efforts will encourage a world-class audit function. Regular revisiting of internal audit department’s quality “progress” also will influence the motivation and focus of the audit team.

BOARD GUIDANCE

The IIA worked with the Canadian Institute of Chartered Accountants (CICA), which published the landmark board-level guidance, 20 Questions Directors Should Ask About Internal Audit. This publication helps audit committees develop a better understanding of, and establish performance standards for, the chief auditing executive’s activities (a summary of the 20 questions is provided below).

The first important area to explore is the mandate of the internal audit function, including what services it should provide and what its priorities should be. Ask yourself: is internal audit focused on the right things? For example, does the IA function evaluate the company’s efforts to establish an effective enterprise-wide risk-management program? What role should internal audit play with fraud risk management and fraud risk detection? What are the longer term assurance requirements of the organization that internal audit should be focused on? Information reliability has become a major item on the audit committee agenda. Has internal audit stepped up to the plate in assessing the organization’s practices in this important area?

An important audit activity is how the internal audit function decides on the priorities. First, the internal audit function has to be knowledgeable about the business generally: what are the economic drivers; what parts of the business matter the most? Second, a formal audit risk assessment process needs to be in place, and that process should involve both internal audit’s own expertise and management and board input.

Another important topic is the audit committee’s relationship with the internal audit function. Here, the key issues are whether the internal audit activities are supported by the audit committee (for example, ensuring appropriate prominence on the organizational chart) and what influence management has on the internal audit efforts through its organizational structure. Are there open lines of communication between the chair of the audit committee and the chief audit executive? Is there an executive session with the CAE at every audit committee meeting to ensure frank discussion? What can the CAE do to improve audit committee communications, both written and verbal? Is the CAE regularly reexamining the content of oral presentations and always looking at what other information they can give in reports? How best can CAEs present so the information is easily and clearly understood? Finally, how do CAEs make them aware of general issues in the environment and educate them about auditing and other relevant issues?  

A fourth concern is resources. Does internal audit have the appropriate level of resources with the right skill sets to produce world-class results? If not, auditing of the business and the depth of analysis could be inappropriate. Internal audit requires highly skilled resources, and the competition for staff becomes more intense each year. A long-term workforce plan would be highly beneficial in today’s complex and fast-changing business environment. An annual audit committee review of internal audit and enterprise-wide human resource planning can be invaluable. Internal audit can add superior value by understanding the business needs of tomorrow today, that is, the CAE must always have a view to the future, and internal audit needs to continually identify innovative ways to perform its audits.

Finally, the results of the internal audit efforts should be reviewed regularly by the audit committee, and an overall determination made about whether the audit committee is satisfied with the information and performance it receives from internal auditing.      

ADOPTING EXCELLENCE

Confirming that your internal audit function is on the road to quality—and consequently helping to ensure the ongoing value of your internal audit activity—will bring great benefits to your organization and its stakeholders. Even answering relatively simple questions such as "who are our customers, and what do they want from us?" will provide fascinating insights into how internal audit is perceived by the audit committee and management, and what changes are needed.

A few steps CAEs should consider taking:

  1. Educate themselves and their staff in quality practices.

  2. Define their stakeholders: shareholders, the audit committee, executives, corporate management and business unit managers, at the least—perhaps more.

  3. Brainstorm with staff. Let them explain what they see as their collective strengths and weaknesses. What do they need and what do they desire to become more effective and productive?

  4. Involve stakeholders in an initial conversation about expectations and needs; conduct brainstorming sessions and determine what is done well and what areas need improvement.

  5. Create, distribute and tabulate a survey for the organization’s various levels, and implement change improvements.

  6. Periodically review progress and determine where additional change and improvement is needed.

  7. Continue to track those areas where CAEs can be most effective. Publish accomplishments and improvements.

  8. Engage outside fraud investigators to teach internal auditors what to look for, and have them work with auditors on internal cases to help auditors appreciate what they are looking for and how insiders try to hide those things. Consider the use of other outside specialists as department needs dictate.

  9. Consider measuring progress with the overall quality effort by developing a “balanced scorecard” for the internal audit department. Don’t be too complex, especially at the beginning, but do leverage the basic idea of “what you do not measure you cannot improve.” A balanced scorecard allows the ability to show improvements (hopefully) over time.

The audit committee, meanwhile, has some questions of its own that it should be asking:

  • Has a quality assurance and improvement program within internal audit been established? What are the results to-date?

  • How do we know the internal audit function is effective? What are the key performance measures and results to-date? How many frauds have been detected through audits per year? Are the rates of detection changing from year to year, and why or why not?

  • What kind of control weaknesses, revenue gains or expense reductions have been identified? Is internal audit making an impact?

  • How is the internal audit function doing in relation to the International Standards for the Practice of Internal Auditing? What are the strengths and weaknesses of the internal audit department?

Finally, is your organization’s internal audit function practicing what it preaches? That is, has internal audit established a long-term continuous improvement program? Finally, is the audit committee doing all it can to ensure the internal audit function has the organizational status, independence and objectivity to complete its mandate effectively?

The bottom line is that improving the internal audit department’s performance will help improve the whole enterprise’s performance as well. Internal audit properly implemented is a value-adding function; it can and should be identifying improvement opportunities across the entire organization.

The audit committee must provide effective internal audit oversight. By using the right guidance and by asking the right questions, it can do just that.

20 QUESTIONS

The excerpt below is from 20 Questions Directors Should Ask about Internal Audit, published by The Canadian Institute of Chartered Accountants (CICA):

A. Internal audit’s role and mandate

  • Should we have an internal audit function?

  • What should our internal audit function do?

  • What should be the mandate of the internal audit function?

B. Internal audit relationships

  • What is the relationship between internal auditing and the audit committee?

  • To whom does internal auditing report administratively? 

C. Internal audit resources

  • How is the internal audit function staffed?

  • How does internal auditing get/maintain the expertise it needs to conduct its assignments?

  • Are the activities of internal auditing coordinated with those of the external auditors?

D. Internal audit process

  • How is the internal audit plan developed?

  • What does the internal audit plan not cover?

  • How are internal audit findings reported?

  • How are corporate managers required to respond to internal audit recommendations?

  • What services does internal auditing provide in connection with fraud?

  • How do you assess the effectiveness of your internal audit function?

E. Closing questions

  • Does internal auditing have sufficient resources?

  • Does the internal audit function get support from the CEO and senior management?

  • Are you satisfied that this organization has adequate internal controls over its major risks?

  • Are there any other matters that you wish to bring to the audit committee’s attention?

  • Are there ways in which internal auditing and the audit committee could better support each other?

F. Audit committee overall assessment

  • Are we (the audit committee) satisfied with our internal audit function?

 
This article was written by KnowledgeLeader contributing writer Dan Swanson and originally appeared on KnowledgeLeader on March 17, 2014. If you have a question or comment for Dan, or would like to see him cover something specific in the future, let us know in the comments section!
 

Topics: performance management, Hot Issues, internal audit, risk assessment, Dan Swanson, audit committee & board, quality assessment review, audit planning, performance measurement

Add a Comment:

Subscribe to Our Blog

About KnowledgeLeader

KnowledgeLeader, provided by Protiviti, is the premier resource for internal audit and risk management professionals.

With over 1,400 customizable tools and 1,300 articles by industry experts, we offer the most comprehensive service on the market.

For more information:

 Tour the Site

Recent Posts

Posts by Topic

see all