Print | Reprint

The Vital Need For Quality Internal Auditing

By Dan Swanson, Compliance Week Columnist — April 4, 2006

ABOUT COMPLIANCE WEEK Compliance Week content is normally restricted to paying subscribers only. However, this article was made available to you through a special arrangement with KPMG. For full access to Compliance Week every week, click here to become a subscriber.

n the past few years, massive efforts have been expended to prepare and implement the requirements of the Sarbanes-Oxley Act, in particular Section 404. While a corporation’s management and board of directors have always been responsible for internal control, the level of scrutiny by the investing public and the regulatory bodies has reached new levels. As a result, today more than ever before an organization’s internal audit function must be robust and contribute to ensuring the accuracy of financial reporting.

There’s no question that fostering a strong internal audit department should be a high priority for management. Indeed, the Institute for Internal Auditors spells out as much in its International Standards for the Professional Practice of Internal Auditing: “The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness.”

Fundamentally, internal audit efforts are focused on identifying the key goals, issues and challenges facing an organization and evaluating its progress. Internal auditors also assess senior management’s procedures and related controls for achieving those objectives, while identifying opportunities for improvement. Each organization has different goals and objectives, and certainly specific issues and challenges facing a company depend on the business environment involved. Therefore, unfortunately, there is no one-size-fits-all internal audit process, nor one audit approach that fits all situations. But companies can ask themselves a few basic questions about what sort of internal audit function they want, and take steps to ensure the internal auditing they do meets those expectations.

Start by defining the function. Internal audit provides strategic, operational and tactical value to an organization’s operations. For example, internal auditing is:

• A resource to the board and management for ensuring the entire organization has the resources, systems, and processes for operating an efficient and effective operation.

• An assurance tool for management and the board to know all that should be done is being done. By ensuring qualified professional reviews and tests are performed, the board and management can advance the goal of overseeing the organization’s operations and ensuring its continuous improvement and success.

• An independent validation that the organization’s efforts are proactive and effective against current and emerging threats.

Some key questions the audit committee should be asking management:

• Has a quality assurance and improvement program within internal audit been established? What are the results to date?

• How do we know the internal audit function is effective? What are the key performance measures and results to date?

• How is the internal audit function doing in relation to the International Standards for the Practice of Internal Auditing? What are the strengths and weaknesses?

• Will the company meet the IIA’s reporting deadline for reporting the external quality assessment review? (For most audit departments this is January 2007).

• Has the internal audit department begun its journey in quality?

Enter Quality Assurance

Professionalism does not occur overnight; it takes time. Professionalism evolves from dedication, professional growth and staff effort. Integral to this process—and the essence of excellence in the business environment—is quality. To ensure consistent quality in your internal audit function, a quality assurance and improvement program is necessary. The required elements include ongoing and periodic internal quality assessments, external quality assessments, internal monitoring, and assurance that the internal audit activity is complying with the IIA Standards and the IIA Code of Ethics.

FURTHER READING

An audit committee briefing “Internal Audit Standards: Why They Matter” (by The IIA) presents further guidance on the practice of internal auditing and the assurance internal audit can provide the audit committee. For additional guidance study the articles and resources listed below. The International Standards for the Professional Practice of Internal Auditing Attribute Standard 1300: Quality Assurance And Improvement Program “The Internal Audit profession and the necessity for professionalism” “The Quality Assurance FAQs” “The Power Of The Professional Practices Framework” “The Internal Audit Profession FAQs” IIA’s Most Popular Internal Audit Guidance Downloads IIA Quality Assessment Manual

An external quality assessment, or QA, evaluates compliance with the Standards, the internal audit and audit committee charters, the organization’s risk and control assessment, and the use of best practices. Regardless of an organization’s industry or the internal audit team’s complexity or size, two approved approaches to external QA are at the company’s disposal. The first approach, an external assessment with independent validation, involves an outside team under the leadership of an experienced and professional project manager. The team members should be competent professionals who are well-versed in best internal audit practices.

The second approach seeks out an objective outside party for independent validation of an internal self-assessment and report completed by the internal audit group. This approach brings in a competent, independent evaluator experienced in quality assessment methodology to validate the aforementioned self-assessment of the internal audit activity. In addition to reviewing the self-assessment, the validator substantiates some of the work done by the self-assessment team, makes an on-site visit, interviews senior management, and either co-signs the chief audit executive’s report regarding conformity to the Standards or issues a separate report on the disparities.

The external quality assessment provides the audit committee and management with an official “report card” on the internal audit department’s efforts and identifies opportunities for improvement. An effective internal audit function understands the organization, its culture, operations and risk profile. This makes audit a valuable resource for management, the board and its designated audit committee. The objectivity, skills, and knowledge of competent internal auditors can significantly add value to an organization’s internal control, risk management, and governance processes. Similarly, effective internal audit can provide assurance to other stakeholders such as regulators, employees, investors, external auditors and shareholders.

Completing the external quality assessment provides assurance to the audit committee and the board that internal audit is doing all the things it should be doing. And in today’s climate of enhanced attention to financial reporting—a climate not likely to change any time soon—that robust internal audit function can only strengthen corporate performance.

About the author:

Dan Swanson is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors. Prior to the IIA, Swanson was an independent management consultant for more than 10 years.

Swanson has completed audit projects for more than 30 different organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors. He has completed nearly 100 internal audits in his career including: operational audits, system audits, financial audits, value-for-money audits, comprehensive audits, and many more. He has completed almost 50 IT conversion audits and a dozen comprehensive audits of the information technology function.

The author of more than 70 articles on internal auditing, Swanson is currently a freelance writer and independent management consultant at an eponymous firm.

Dan Swanson can be reached via the Web at www.securitybenchmark.com.

---