The internal audit function’s position within a company is unique. It provides its principal stakeholders (audit committee members and management) valuable and objective assurance on governance, risk management, and control processes, as well as consulting services to improve operations. With this critical responsibility to fulfill, implicit in executing those duties is internal audit’s continuous improvements to its own practices.
How do you do that? A high-quality internal audit function meets or exceeds stakeholder expectations, while ensuring that value is added to the organization. The most critical factor in achieving internal audit quality is the auditor’s competency and proficiency in evaluating the organization’s risk-management, control, and governance processes. Each internal audit department should have a program not only to ensure top quality of internal audit reports, investigations, consulting, and other services, but it should also have a way to effect continuous improvement in its service to stakeholders.
Steps to Success
The Institute of Internal Auditors recently issued a “quality maturity model” that includes a roadmap for improving internal audit practices over time. The model comprises five basic levels:
Level 1: Introductory. The internal audit function at this level has no quality assurance and improvement program in place. Typically, a Level 1 internal audit department would be fairly new or one that has not yet conformed to the quality requirements within the IIA’s International Standards for the Professional Practice of Internal Audit. In other cases, the chief auditing executive or the audit committee lacks a clear understanding of the substantial value that such a program can bring to an organization.
Level 2: Emerging. The internal audit function conducts periodic and ongoing self-assessments, or internal quality assessments, monitoring the department’s compliance with the Standards.
Level 3: Established. The internal audit activity obtains an independent evaluation of its self-assessment and improvement efforts at least every five years.
Level 4: Progressive. A quality assurance and improvement program is integrated into the operations of the internal audit activity. The activity generally complies with the Standards and Code of Ethics, and obtains an external quality assurance review at least every five years.
Level 5: Advanced. An active and fully integrated quality assurance and improvement program exists within the daily operations of the internal audit function. An external QA is conducted at least every three years. All staff members follow a rigorous continuing education program.
In most enterprises, the audit committee oversees the internal audit function. As such, audit committee members should have direct interaction with the leadership and activities of the internal audit team and should monitor the internal audit team’s performance. Using the quality maturity model’s guidance to discuss regularly the internal audit department’s continuous improvement efforts will encourage a world-class audit function. Regular revisiting of internal audit department’s quality “progress” will also influence the motivation and focus of the audit team.
Other Board Guidance
The IIA’s briefing paper, Internal Audit Standards: Why They Matter, presents a series of questions to facilitate a closer relationship between the audit committee and internal auditing. This guidance also provides a summary of typical audit committee oversight responsibilities. Directors of enterprises that have internal audit departments are expected to determine that the IA function works effectively. Where an internal audit function has not been formally established, these questions should be discussed with senior management (see my May 9, 2006 column for an expanded discussion of this audit committee briefing).
The IIA has also issued the landmark board-level guidance, 20 Questions Directors Should Ask About Internal Audit, to help audit committees develop a better understanding of, and establish performance standards for, the chief auditing executive’s activities.
The first important area to explore is the mandate of the internal audit function, including what services it should provide and what its priorities should be. Ask yourself: Is internal audit focused on the right things? For example, does the IA function evaluate the company’s efforts to establish an effective enterprise-wide risk-management program?
Another important topic is the audit committee’s relationship with the internal audit function. Here, the key issues are whether the internal audit activities are supported by the audit committee (for example, ensuring appropriate prominence on the organizational chart) and what influence management has on the internal audit function through its organizational structure. Are there open lines of communication between the chair of the audit committee and the chief audit executive? Is there an executive session with the CAE at every audit committee meeting to ensure frank discussion?
A third concern is resources. Does internal audit have the appropriate level of resources with the right skill sets to produce world-class results? If not, auditing of the business and the depth of analysis can be inappropriate. Internal audit requires highly skilled resources, and the competition for staff becomes more difficult each year. A long-term workforce plan would be very beneficial in today’s complex and fast-changing business environment. An annual audit committee review of internal audit and enterprise-wide human resource planning can be invaluable.
Finally, the results of the internal audit efforts should be reviewed regularly by the audit committee, and an overall determination made about whether the audit committee is satisfied with the information and performance it receives from internal auditing (see my June 2006 column for an expanded discussion of the 20 questions publication).
Confirming that your internal audit function is on the road to quality—and consequently helping to ensure the ongoing value of your internal audit activity—will bring great benefits to your organization and its stakeholders. A few steps CAEs should consider taking:
(1) Educate themselves and their staff in quality practices.
(2) Define their stakeholders; shareholders, the audit committee, executives, corporate management, and business unit managers, at the least; perhaps more for your specific enterprise.
(3) Brainstorm with staff. Let them tell you what they see as their collective strengths and weaknesses. What do they need and what do they desire to become more effective and productive?
(4) Involve stakeholders in an initial conversation about expectations and needs; conduct brainstorming sessions and determine what you do well and what areas need improvement.
(5) Create, distribute, and tabulate a survey for your various levels, and implement change improvements.
(6) Periodically review your progress, and determine where additional change and improvement is needed.
(7) Continue to track those areas where you can be most effective. Publish your accomplishments and improvements.
(8) Engage outside fraud investigators to teach internal auditors what to look for, and have them work with auditors on internal cases to help auditors appreciate what they are looking for and how insiders try to hide those things. Consider the use of other outside specialists as department needs dictate.
The audit committee, meanwhile, has some questions of its own that it should be asking:
Has a quality assurance and improvement program within internal audit been established? What are the results to date?
How do we know the internal audit function is effective? What are the key performance measures and results to date? How many frauds have been detected through audits per year? Are the rates of detection changing from year to year, and why or why not?
What kind of control weaknesses, revenue gains, or expense reductions have been identified? Is internal audit making an impact?
How is the internal audit function doing in relation to the International Standards for the Practice of Internal Auditing? What are the strengths and weaknesses of the internal audit department?
Is your organization’s internal audit function practicing what it preaches? That is, has internal audit established a long-term continuous improvement program? Finally, is the audit committee doing all it can to ensure the internal audit function has the organizational status, independence, and objectivity to complete its mandate effectively?
The bottom line is that improving the internal audit department’s performance will help improve the whole enterprise’s performance as well. That is, effective internal auditing can be leveraged across the company. The audit committee must provide effective oversight over internal audit. By using the right guidance and by asking the right questions, it can do just that.