ACCA - The global body for professional accountants

The internal audit function's position within a company is unique. It provides its principal stakeholders (audit committee members and management) valuable and objective assurance on governance, risk management and control processes, as well as consulting services to improve operations. With this critical responsibility to fulfil, implicit in executing those duties is internal audit's continuous improvement to its own practices.

Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one hour of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.

How do you achieve this? A high-quality internal audit function meets or exceeds stakeholder expectations, while ensuring that value is added to the organisation. The most critical factor in achieving internal audit quality is the auditor's competency and proficiency in evaluating the organisation's risk management, control and governance processes. Each internal audit department should have a programme not only to ensure top quality of internal audit reports, investigations, consulting and other services, but it should also have a way to effect continuous improvement in its service to stakeholders.

Steps to success

The Institute of Internal Auditors (IIA) recently issued a 'quality maturity model' that includes a roadmap for improving internal audit practices over time. The model comprises five basic levels.

Level 1: Introductory The internal audit function at this level has no quality assurance and improvement programme in place. Typically, a Level 1 internal audit department would be fairly new, or one that has not yet conformed to the quality requirements within the IIA's International Standards for the Professional Practice of Internal Audit. In other cases, the chief auditing executive or the audit committee lacks a clear understanding of the substantial value that such a programme can bring to an organisation.

Level 2: Emerging The internal audit function conducts periodic and ongoing self assessments, or internal quality assessments, monitoring the department's compliance with the Standards.

Level 3: Established The internal audit activity obtains an independent evaluation of its self assessment and improvement efforts at least every five years.

Level 4: Progressive A quality assurance and improvement programme is integrated into the operations of the internal audit activity. The activity generally complies with the Standards and Code of Ethics, and obtains an external quality assurance review at least every five years.

Level 5: Advanced An active and fully integrated quality assurance and improvement programme exists within the daily operations of the internal audit function. An external quality assurance is conducted at least every three years. All staff members follow a rigorous continuing education programme. Finally, the function should be sharing its best practices with other organisations, providing resources to participate in peer reviews, and completing various other outreach efforts to improve the practice of internal auditing.

In most enterprises, the audit committee oversees internal audit. As such, audit committee members should have direct interaction with the leadership and activities of the internal audit team, and should monitor the internal audit team's performance. Using the quality maturity model's guidance to discuss regularly the internal audit department's continuous improvement efforts will encourage a world-class audit function. Regular revisiting of the internal audit department's quality 'progress' will also influence the motivation and focus of the audit team.

Other board guidance

The IIA's briefing paper, Internal Audit Standards: Why They Matter, presents a series of questions to facilitate a closer relationship between the audit committee and internal auditing. This guidance also provides a summary of typical audit committee oversight responsibilities. Directors of enterprises that have internal audit departments are expected to determine that the internal audit function works effectively. Where an internal audit function has not been formally established, these questions should be discussed with senior management.

The IIA has also worked with the Canadian Institute of Chartered Accountants (CICA) who published the landmark board-level guidance, 20 Questions Directors Should Ask About Internal Audit, to help audit committees develop a better understanding of, and establish performance standards for, the chief auditing executive's activities. (A summary of the 20 questions is provided in the table).

The first important area to explore is the mandate of the internal audit function, including what services it should provide and what its priorities should be. Ask yourself: is internal audit focused on the right things? For example, does the internal audit function evaluate the company's efforts to establish an effective enterprise-wide risk management programme? What role should internal audit play with fraud risk management and fraud risk detection? What are the longer term assurance requirements of the organisation that internal audit should be focused on? Information reliability has become a major item on the audit committee agenda; has internal audit stepped up to the plate in assessing the organisation's practices in this important area?

Priorities

An important audit activity is how the internal audit function decides on priorities. First, internal audit has to be knowledgeable about the business generally - what are the economic drivers, what parts of the business matter the most? Secondly, a formal audit risk assessment process needs to be in place, and that process should involve both internal audit's own expertise, and the input of management and the board.

Another important topic is the audit committee's relationship with the internal audit function. Here, the key issues are whether the internal audit activities are supported by the audit committee (for example, ensuring appropriate prominence on the organisational chart) and what influence management has on the internal audit efforts through its organisational structure. Are there open lines of communication between the chair of the audit committee and the chief audit executive (CAE)? Is there an executive session with the CAE at every audit committee meeting to ensure frank discussion? What can the CAE do to improve audit committee communications, both written and verbal? Is the CAE regularly re-examining the content of their oral presentations and always looking at what other information they can give in reports to them? How best can CAEs present to them so it is easily understood and clear? Finally, how do CAEs make them aware of general issues in the environment and educate them about auditing and other relevant issues?

A fourth concern is resources. Does internal audit have the appropriate level of resources with the right skill sets to produce world-class results? If not, auditing of the business and the depth of analysis could be inappropriate. Internal audit requires highly skilled resources, and the competition for staff becomes more difficult each year. A long-term workforce plan would be very beneficial in today's complex and fast-changing business environment. An annual audit committee review of internal audit and enterprise-wide human resource planning can be invaluable. Internal audit can add superior value by understanding the business needs of tomorrow today - i.e. the CAE must always have a view to the future, and internal audit needs to continually identify innovative ways to perform their audits.

Finally, the results of the internal audit efforts should be reviewed regularly by the audit committee, and an overall determination made about whether the audit committee is satisfied with the information and performance it receives from internal auditing.

Adopting excellence

Confirming that your internal audit function is on the road to quality - and consequently helping to ensure the ongoing value of your internal audit activity - will bring great benefits to your organisation and its stakeholders. Even answering relatively simple questions such as 'who are our customers and what do they want from us?' will provide fascinating insights into how internal audit is perceived by the audit committee and management, and what changes are needed.

A few steps CAEs should consider taking are:

  • educating themselves and their staff in quality practices
  • defining their stakeholders - shareholders, the audit committee, executives, corporate management and business unit managers, at the least; perhaps more for your specific enterprise
  • brainstorming with staff - letting them tell you what they see as their collective strengths and weaknesses; what do they need and what do they desire to become more effective and productive?
  • involving stakeholders in an initial conversation about expectations and needs; conducting brainstorming sessions and determining what you do well and what areas need improvement
  • creating, distributing, and tabulating a survey for your various levels, and implementing change improvements
  • periodically reviewing your progress, and determining where additional change and improvement is needed
  • continuing to track those areas where you can be most effective; publishing your accomplishments and improvements
  • engaging outside fraud investigators to teach internal auditors what to look for, and have them work with auditors on internal cases to help auditors appreciate what they are looking for and how insiders try to hide those things; considering the use of other outside specialists as department needs dictate
  • considering measuring progress with the overall quality effort by developing a 'balanced scorecard' for the internal audit department. Don't be too complex, especially at the beginning, but do leverage the basic idea 'what you do not measure you cannot improve'. A balanced scorecard allows you to show improvements (hopefully) over time.

The audit committee, meanwhile, has some questions of its own that it should be asking:

  • has a quality assurance and improvement programme within internal audit been established? What are the results to date?
  • how do we know the internal audit function is effective? What are the key performance measures and results to date? How many frauds have been detected through audits per year? Are the rates of detection changing from year to year, and why or why not?
  • what kind of control weaknesses, revenue gains, or expense reductions have been identified? Is internal audit making an impact?
  • how is the internal audit function doing in relation to the International Standards for the Practice of Internal Auditing? What are the strengths and weaknesses of the internal audit department?
  • is your organisation's internal audit function practising what it preaches? That is, has internal audit established a long-term continuous improvement programme? Finally, is the audit committee doing all it can to ensure the internal audit function has the organisational status, independence and objectivity to complete its mandate effectively?

The bottom line is that improving the internal audit department's performance will help improve the whole enterprise's performance as well. Internal audit properly implemented is a value adding function. Internal auditing can and should be identifying improvement opportunities across the entire organisation.

The audit committee must provide effective internal audit oversight. By using the right guidance, and by asking the right questions, it can do just that.


The excerpt below is from 20 Questions Directors Should Ask about Internal Audit, published by the Canadian Institute of Chartered Accountants (CICA).

A. Internal audit's role and mandate

1. Should we have an internal audit function?

2. What should our internal audit function do?

3. What should be the mandate of the internal audit function?

B. Internal audit relationships

4. What is the relationship between internal auditing and the audit committee?

5. To whom does Internal Auditing report administratively?

C. Internal audit resources

6. How is the internal audit function staffed?

7. How does internal auditing get/maintain the expertise it needs to conduct its assignments?

8. Are the activities of internal auditing coordinated with those of the external auditors?

D. Internal audit process

9. How is the internal audit plan developed?

10. What does the internal audit plan not cover?

11. How are internal audit findings reported?

12. How are corporate managers required to respond to internal audit recommendations?

13. What services does internal auditing provide in connection with fraud?

14. How do you assess the effectiveness of your internal audit function?

E. Closing questions

15. Does internal auditing have sufficient resources?

16. Does the internal audit function get support from the CEO and senior management?

17. Are you satisfied that this organisation has adequate internal controls over its major risks?

18. Are there any other matters that you wish to bring to the audit committee's attention?

19. Are there ways in which Internal Auditing and the audit committee could better support each other?

F. Audit committee overall assessment

20. Are we (the audit committee) satisfied with our internal audit function?

Dan Swanson is an internal audit veteran who is also a former director of professional practices at the Institute of Internal Auditors. He has completed audit projects for more than 30 different organisations, and has almost 25 years' auditing experience in government at federal, provincial and municipal levels, as well as in the private sector. 

He can be contacted here.

This article is based on a column published in the January 2008 edition of Compliance Week, and was reproduced with permission.

Last updated: 29 Oct 2012