The internal audit function’s position within a company is unique. It provides its principal stakeholders (audit committee members and management) valuable and objective assurance on governance, risk management and control processes, as well as consulting services to improve operations. With this critical responsibility to fulfill, implicit in executing those duties is internal audit’s continuous improvement to its own practices.
How do you do that? A high-quality internal audit function meets or exceeds stakeholder expectations while ensuring that value is added to the organization. One of the most critical factors in achieving internal audit quality is the auditor’s competency and proficiency in evaluating the organization’s risk-management, control and governance processes. Each internal audit department should have a program that not only encourages top quality of internal audit reports, investigations, consulting and other services, but that also institutionalized continuous improvement in its service to stakeholders.
STEPS TO SUCCESS
The Institute of Internal Auditors (IIA) issued a “quality maturity model” several years ago that included a road map for improving internal audit practices over time. The model comprises five basic levels:
- Level 1: Introductory. The internal audit function at this level has no quality assurance and improvement program in place. Typically, a Level 1 internal audit department would be new or one that has not yet conformed to the quality requirements within the IIA’s International Standards for the Professional Practice of Internal Audit. In other cases, the chief auditing executive or the audit committee lacks a clear understanding of the substantial value that such a program can bring to an organization.
- Level 2: Emerging. The internal audit function conducts periodic and ongoing self-assessments, or internal quality assessments, monitoring the department’s compliance with the Standards.
- Level 3: Established. The internal audit activity obtains an independent evaluation of its self-assessment and improvement efforts at least every five years.
- Level 4: Progressive. A quality assurance and improvement program is integrated into the operations of the internal audit activity. The activity generally complies with the standards and code of ethics and obtains an external quality assurance review at least every five years.
- Level 5: Advanced. An active and fully integrated quality assurance and improvement program exists within the daily operations of the internal audit function. An external quality assurance review is conducted at least every three years. All staff members follow a rigorous continuing education program. Finally, the function should be sharing its best practices with other organizations, providing resources to participate in peer reviews and completing various other outreach efforts to improve the practice of internal auditing.
In most enterprises, the audit committee oversees the internal audit function. As such, audit committee members should have direct interaction with the leadership and activities of the internal audit team and should monitor the internal audit team’s performance. Using the quality maturity model’s guidance to regularly discuss the internal audit department’s continuous improvement efforts will encourage a world-class audit function. Regularly revisiting the internal audit department’s quality “progress” also will influence the motivation and focus of the audit team.
The IIA worked with the Canadian Institute of Chartered Accountants (CICA), which published the landmark board-level guidance, 20 Questions Directors Should Ask About Internal Audit. This publication helps audit committees develop a better understanding of, and establish performance standards for the chief auditing executive’s activities (a summary of the 20 questions is provided below).
The first important area to explore is the mandate of the internal audit function, including what services it should provide and what its priorities should be. Ask yourself: Is internal audit focused on the right things? For example, does the IA function evaluate the company’s efforts to establish an effective enterprisewide risk management program? What role should internal audit play with fraud risk management and fraud risk detection? What are the longer-term assurance requirements of the organization that internal audit should be focused on? Information reliability has become a major item on the audit committee agenda. Has internal audit stepped up to the plate in assessing the organization’s practices in this important area?
An important audit activity is how the internal audit function decides on the priorities. First, the internal audit function must be knowledgeable about the business generally: What are the economic drivers, and what parts of the business matter the most? Second, a formal audit risk assessment process needs to be in place, and that process should involve both internal audit’s own expertise and management and board input.
Another important topic is the audit committee’s relationship with the internal audit function. Here, the key issues are whether the internal audit activities are supported by the audit committee (for example, ensuring appropriate prominence on the organizational chart) and what influence management has on the internal audit efforts through its organizational structure. Are there open lines of communication between the chair of the audit committee and the chief audit executive? Is there an executive session with the CAE at every audit committee meeting to ensure frank discussion? What can the CAE do to improve both written and verbal audit committee communications? Is the CAE regularly reexamining the content of oral presentations and always looking at what other information they can give in reports? How can CAEs best present so that information is easily and clearly understood? Finally, how do CAEs make them aware of general issues in the environment and educate them about auditing and other relevant issues?
A fourth concern is resources. Does internal audit have the appropriate level of resources with the right skill sets to produce world-class results? If not, auditing of the business and the depth of analysis could be inappropriate. Internal audit requires highly skilled resources, and the competition for staff becomes more intense each year. A long-term workforce plan would be highly beneficial in today’s complex and fast-changing business environment. An annual audit committee review of internal audit and enterprisewide human resources planning can be invaluable. Internal audit can add superior value by understanding the business needs of tomorrow today, that is, the CAE must always have a view of the future, and internal audit needs to continually identify innovative ways to perform its audits.
Finally, the results of the internal audit efforts should be reviewed regularly by the audit committee and an overall determination made about whether the audit committee is satisfied with the information and performance it receives from internal auditing.
Confirming that your internal audit function is on the road to quality—and consequently helping to ensure the ongoing value of your internal audit activity—will bring great benefits to your organization and its stakeholders. Even answering relatively simple questions such as "Who are our customers, and what do they want from us?" will provide fascinating insights into how internal audit is perceived by the audit committee and management and what changes are needed.
CAEs should consider taking the following steps:
- Educate the entire staff in quality practices.
- Define stakeholders (shareholders, the audit committee, executives, corporate management and business unit managers).
- Brainstorm with staff. Let them explain what they see as their collective strengths and weaknesses. Ensure that they understand what they need and what they desire to become more effective and productive.
- Involve stakeholders in an initial conversation about expectations and needs, and conduct brainstorming sessions and determine what is done well and what areas need improvement.
- Create, distribute and tabulate a survey for the organization’s various levels, and implement change improvements.
- Review progress periodically and determine where additional change and improvement is needed.
- Track areas where CAEs can be most effective continuously. Publish accomplishments and improvements.
Consider measuring progress with the overall quality effort by developing a “balanced scorecard” for the internal audit department. Don’t be too complex, especially at the beginning, but do leverage the basic idea of “what you do not measure you cannot improve.” A balanced scorecard allows the ability to show improvements (hopefully) over time.
Meanwhile, the audit committee has some questions of its own that it should be asking:
- Has a quality assurance and improvement program within internal audit been established? What are the results to date?
- How do we know the internal audit function is effective? What are the key performance measures and results to-date? How many frauds have been detected through audits per year? Are the rates of detection changing from year to year, and why or why not?
- What kind of control weaknesses, revenue gains or expense reductions have been identified? Is internal audit making an impact?
- How is the internal audit function doing in relation to the International Standards for the Practice of Internal Auditing? What are the strengths and weaknesses of the internal audit department?
Finally, is your organization’s internal audit function practicing what it preaches? That is, has internal audit established a long-term continuous improvement program? Finally, is the audit committee doing all it can to ensure the internal audit function has the organizational status, independence and objectivity to complete its mandate effectively?
The bottom line is that improving the internal audit department’s performance will help improve the whole enterprise’s performance as well. Internal audit properly implemented is a value-adding function; it can and should be identifying improvement opportunities across the entire organization.
The audit committee must provide effective internal audit oversight. By using the right guidance and by asking the right questions, it can do just that.
The excerpt below is from 20 Questions Directors Should Ask about Internal Audit, published by The Canadian Institute of Chartered Accountants (CICA):
- Should we have an internal audit function?
- What should our internal audit function do?
- What should be the mandate of the internal audit function?
- Internal audit relationships
- What is the relationship between internal auditing and the audit committee?
- To whom does internal auditing report administratively?
- Internal audit resources
- How is the internal audit function staffed?
- How does internal auditing get/maintain the expertise it needs to conduct its assignments?
- Are the activities of internal auditing coordinated with those of the external auditors?
- How is the internal audit plan developed?
- What does the internal audit plan not cover?
- How are internal audit findings reported?
- How are corporate managers required to respond to internal audit recommendations?
- What services does internal auditing provide in connection with fraud?
- How do you assess the effectiveness of your internal audit function?
- Does internal auditing have enough resources?
- Does the internal audit function get support from the CEO and senior management?
- Are you satisfied that this organization has adequate internal controls over its major risks?
- Are there any other matters that you wish to bring to the audit committee’s attention?
- Are there ways in which internal auditing and the audit committee could better support each other?
- Is the audit committee satisfied with our internal audit function?
For more information on internal audit, you are encouraged to explore these related tools on KnowledgeLeader: