As a chief audit executive, you evaluate company performance and manage risk on a daily basis. Running an effective internal audit department relies on maintaining an independent, objective assurance and consulting function for your organization. A quality assurance review can help you be sure your internal audit activities drive real value for your organization.
IIA standards: What they mean for your internal audit function
Leading organizations put their internal audit function to the test by aligning audit activities with standards issued by the Institute of Internal Auditors (IIA), the International Standards for the Professional Practice of Internal Auditing . The standards are mandatory for organizations that claim to operate in conformance with IIA requirements. These principle-based standards, organized by 10 categories, provide a framework and means to measure how well departmental performance aligns with the practice of internal audits.
- Purpose, authority, and responsibility
- Independence and objectivity
- Proficiency and due professional care
- Quality assurance and improvement program
- Managing the internal audit activity
- Nature of work
- Engagement planning
- Performing the engagement and communicating results
- Monitoring progress
- Communicating acceptance of risk
The Quality Assurance and Improvement Program (QAIP)
Of all of these categories, the Quality Assurance and Improvement Program (QAIP) is a key area of focus when performing a quality assurance review (QAR). The QAIP measures alignment with the categories above and allows internal audit departments to elicit valuable, constructive feedback through both internal and external assessments.
Internal assessments leverage the expertise of internal audit staff to perform a self-assessment of internal audit department activities. They also serve as a prudent — and typically very insightful — preparatory exercise for an independent, external assessment. Performing an initial self-assessment helps your internal audit department establish benchmarks and metrics that align with and meet the requirements of the standards.
External assessments, conducted by an independent peer internal auditor or a service provider, deliver value in several ways. First, external assessments provide an independent assessment on the degree of alignment and conformance with the standards. External assessments also offer a fresh-eyed view of the internal audit department itself. Independent external partners should bring a fresh perspective, innovative thinking, knowledge of industry trends and developments, as well as informative knowledge of cutting-edge internal audit practices and tools, such as data analytics and new visualization tools. This perspective can create value-added opportunities well beyond the standards, such as enhancements to your internal audit department’s productivity, self-worth, and overall efficacy.
Your internal audit department should obtain an independent external assessment at least every five years to maintain conformance with the standards — and to meet the expectations of your audit committee. Additionally, if your organization isn’t properly segregating duties, now’s the time to assess. Not only can segregation of duties help prevent fraud, it can help bridge the gap between the internal audit and other critical business functions, thereby contributing to a stronger, opportunity-rich risk management strategy for your organization.
How to ensure an effective quality assurance review
An effective QAR demands several coordinated, well-executed activities. Here’s how you can best support the process.
Planning and coordination:
- Work with your service provider or peer auditor to establish good communication protocols. Your objective here is to ensure all stakeholders are fully informed of assessment progress and findings.
- Collaborate with your review partner, management, and audit committee leadership to establish the appropriate assessment scope of the QAR so that the engagement runs smoothly, on time, and on budget.
Assessment execution:
The assessment should typically take place at the central point of internal audit operations, and fieldwork should happen over the course of one to two weeks, based on management scheduling needs. Your independent QAR provider will want to interview key stakeholders and primary beneficiaries of internal audit, such as senior management, accounting leadership, and operational department heads.
Ensure that these key stakeholders understand the value proposition of the assessment and that candid and constructive feedback will benefit the internal audit function.
Collaborative feedback and next steps:
Your quality assurance review provider should deliver a QAR report, which includes an overall assessment of your organization’s conformity with the IIA’s Standards and Code of Ethics under the International Professional Practices Framework.
The report should also provide recommendations and observations of opportunities for internal audit improvement.
Share this report with your audit committee, along with an established action plan to address any identified improvement opportunities. Feedback should be summarized by internal audit leadership and shared with the department — with expectations for improvement action as a component of the QAIP.
A quality assurance review of your internal audit environment helps you optimize your operations with specific, actionable feedback on your internal audit personnel, processes, and technology.
Think of the independent QAR as a valuable tool to not only to meet IIA standards but also to improve the proficiency, expertise, and organizational knowledge of your internal audit function. Put simply, a QAR helps you to optimize the value your internal audit department brings to your organization and its stakeholders.