Learn about internal audit
As an internal auditor, you'll be familiar with the theory behind the IIA's Professional Practices Framework (PPF) and International Standards for the Professional Practice of Internal Auditing.
Supplementing these, this section explores what internal auditing is like in practice and the many pitfalls to avoid.
A valuable and comprehensive resource, this section can be used as a refresher or as training for those moving into internal audit.
The Internal Auditor and the seven quotients of ACCA's qualification
Following the canvassing of 2000 professional accountants and C-suite executives across the globe the ACCA concluded that the skills required to future proof the profession could be categorised in seven quotients: Technical Skills and Ethics (TEQ), Intelligence (IQ), Creative (CQ), Digital (DQ), Emotional intelligence (EQ), Vision (VQ), and Experience (EQ).
A number of articles have been written providing comprehensive explanations and definitions of the quotients - The Magnificent Seven, The Seven Quotients and Drivers of change and future skills.
This material is intended to provide guidance on the quotients in the context the role of an in internal auditor. As with all professions there is no formula that can determine the optimal mix of quotients (the Professional Quotient – PQ) for you; the balance is not static and will change as your career, role and responsibilities develop, and external factors influence the industry you are employed in. So, for example, the PQ for an internal auditor in a health trust will be different to an internal auditor in a global financial services company. The good news is that competency in any of the quotients can be improved by training, experience and learning, but it is important to have self-awareness of the areas that may require development and to address them.
Technical skills and ethics (TEQ)
This is defined as the skills and abilities to perform activities consistently to a defined standard while maintaining the highest standards of integrity, independence and scepticism.
This is the most basic and fundamental quotient and the words in this definition should be found in the job description of all internal auditors of all levels. The integrity of an internal auditor must be unquestionable as without it the results of our work would have no value; opinion must be without bias and evidentially based and, if it is forward looking, founded on impartial market intelligence. Independence of internal audit should be derived from a reporting line for the Head of Internal Audit to the Chair of the Audit Committee (or other independent NED) and any conflicts of interest, or pressure from the executive of the company, need to be identified and addressed.
Professional scepticism is part and parcel of the role of an internal auditor and that is why even though we are told that controls are in place and work we will test to confirm. We will always look for tangible evidence to support statements that are made or, as a minimum, corroboration. In addition to the highest ethical standards that we are obliged to follow as members of a professional accountancy body we are expected to understand and apply the IIA International Standards (as supplemented by the Financial Services code, if applicable), or be able to explain why they are not applicable. For anyone working in a regulated industry a good understanding of the regulations, as they apply to your company and products, is essential.
TEQ also means that we need to understand and acknowledge any gaps in our technical skills and engage subject matter experts to provide valued input to eliminate the risk of providing false assurance to our clients.
This is defined as the ability to acquire and use knowledge: thinking, reasoning and solving problems.
Again, this is very much part of the job description of an internal auditor of any level, where understanding and contextualising the issues we encounter is a continual requirement. When looking at the results of testing, or considering assertions that are provided to us, we have to think about whether these are what we should encounter in the circumstances, and are logical, or if there is something that does not ring true. When presenting issues identified from sample testing, an understanding of the assurance level is required when extrapolating the results for the whole population and context may be necessary. To be credible the profession needs rounded people who have the skills to see and analyse the big picture, including from the perspective of the auditee, and not just the issue or shortcoming identified (if a control has failed, or is not performed, what are the implications upstream, or downstream, or for the other tasks performed by the same person?). The IQ of an internal auditor should be continually challenged and expanded through training and development to remain abreast of new products and practices, both in our profession and in the industry in which we are working.
This is defined as the ability to use existing knowledge in a new situation, to make connections, explore potential outcomes, and generate new ideas.
Historically this would have been considered to be outside the comfort zone for an internal auditor as we were generally perceived to be box tickers and appliers of rules, with little appreciation of any colour other than black or white! Fortunately, with the latest generation of professionals, this is changing with our risk based, or outcomes based, approach, but there is scope to further improve with practice and training.
There may not be a great deal of scope to be creative during the simple completion of an assignment, but by remaining abreast of the strategy of the company and the evolution of the industry we can keep our eyes on the horizon and not just the records we are reviewing. Make sure that you understand the company’s risk appetite and articulate your conclusions in the context of that (as well as considering the appropriateness of the risk appetite in the context of the company’s strategy!). Avoid becoming dogmatic, or entrenched, when presenting conclusions and embrace the challenges the business provides.
This is defined as the awareness and application of existing and emerging digital technologies, capabilities, practices and strategies.
Technology is moving fast and while internal audit tends to have specialist IT auditors we should all keep up to speed with developments, which would currently include cyber security, Artificial Intelligence (AI), robotics and blockchain. These are becoming part of everyday business lexicon, and every business will be at least touching, if not embracing, one or all of these (and the next generation of technology will not be far away!). Emerging technologies and processes, and the controls that go with them, need to be understood to be able to challenge the governance that is proposed and this will require both IT and operational internal auditors. Our colleagues in the external audit firms can be an excellent source of intelligence on this and there are webinars and other material available from the ACCA Internal Audit Network.
Technology brings opportunity, so embrace it! Data mining is now widely used, and its use will continue to grow, and this provides the advantage that we can interrogate the whole population and are not restricted to representative samples, so see how you can use it in your business.
Emotional intelligence (EQ)
This is defined as the ability to identify your own emotions and those of others, harness and apply them to tasks, and regulate and manage them.
EQ refers to both personal and interpersonal skills and so includes understanding the impact that our emotions and behaviours have on others. Equally, you need to recognise the emotions in those you are dealing with, although this is clearly easier with those with whom you work more closely, manage the situation, accommodate it, or work around it. Empathy is essential with the members of our teams, but also you should focus on developing this with the business as it will go a long way to helping you get to the position where you are a “trusted advisor”.
Communication is a key ingredient in EQ and as internal auditors we need to be able to articulate the results of our work clearly in non-technical language, so that anyone reading our reports, or hearing our presentations, can understand the message and further explanation or definition is not required.
This is defined as the ability to anticipate future trends accurately by extrapolating existing trends and facts, and filling the gaps by thinking innovatively.
VQ means that we have to think “outside the box” and this is where keeping up to date with industry trends, news and innovations is essential even for an internal auditor. If you are responsible for preparing the audit plans, stop and think after you have analysed your firm and prioritised the work and ask “what is not on here?”. To further prompt you, or help with this, topically there are two further questions that you could ask: what are we, as a company, doing about environmental or ESG (environmental, social and governance) issues and is there anything internal audit should be doing, or raising, in this space?; and, strategically what are our competitors doing and is my company leading or lagging the sector benchmark? It may not be feasible to undertake assignments on these subjects immediately, but these should form discussions with the executive team and be included in future plans.
This is defined as the ability and skills to understand customer expectations, meet desired outcomes and create value.
With each assignment that we participate in we are gaining experience, either practically or theoretically through the research that we do in relation to the area under review. XQ may be no more than being incorrectly challenged by the business on the issues we raise and having to defend our position in intimidating circumstances. Experience will help in recognising whether responses we are given are feasible and logical or if they are no more than an attempt to baffle us, so do not be afraid to say that you do not understand and a further explanation, or practical illustration, is needed. Internal audits should not be limited to financial matters and should include policies, processes and strategy (as well as the other matters mentioned earlier such as ESG and culture) and experience will equip you for these.
- Internal audit for beginners
- Internal audit for the management team
- Internal audit for the audit committee
- Guidance for Heads of Internal Audit
Evidencing compliance with professional standards
Standard 1100 Independence and Objectivity
Standard 2200 Engagement Planning
Standard 2300 Performing the Engagement
Standard 2400 Communicating Results
Standard 2050 Coordination and Reliance
Financial Reporting Council (FRC) International Standards on Auditing (UK)