The Importance of Internal Audit Quality Assessments

The internal audit function is an invaluable element of the control framework for many organizations. Large or small, public or private, companies that require consistent application of internal controls, seek to maximize their operational efficiency, or monitor their systems security can find value in the establishment of an internal audit function. According to the definition of internal auditing in The Institute of Internal Auditor’s (IIA’s) International Professional Practices Framework (IPPF), internal auditing is an independent, objective, assurance, and consulting activity designed to add value and improve an organization's operations.

To ensure a consistent methodology in the establishment and conduct of an internal audit function, the IIA developed the International Standards for the Professional Practice of Internal Auditing (herein, the Standards). Part of these standards includes a section on Quality Assurance which requires that the internal audit activity and each member of the staff conform with all mandatory elements of the IPPF. Section 1312 of the Standards require an external assessment of the Internal Audit function once every five years, performed by qualified, independent assessors that are typically engaged by the Board of Directors of the governing body of the organization.

To guide the external assessments, the IIA developed the Quality Assessment Manual (QA Manual) which breaks the process down into four distinct phases:

Planning
In this phase, the assessor and Board agree on the scope and objectives of the full external assessment, request and review the planning guides completed by the internal audit team, select and schedule interviews with the internal audit department’s key staff, distribute surveys to executive leadership, operations, and internal audit staff, and arrange a preliminary conference with the Chief Audit Executive or equivalent (CAE).

Off-site Procedures
In this phase, the assessors review the planning documentation and survey responses. Based on the documentation provided in this phase, the assessor will tailor the IIA’s review programs to be performed on-site (or remotely if required). Survey results are also provided for feedback to the CAE.

On-site Procedures
On-site procedures is the most comprehensive element of the quality assurance review. Using the quality assessment process map provided in the QA Manual, the assessor assesses the Internal Audit Governance, Internal Audit Staff, Internal Audit Management, and Internal Audit Process. This typically includes:

• Conducting interviews with selected members of the audit committee, executive management, operating managers, and internal audit staff
• Reviewing a sample of the internal audit function’s audits and consulting engagements, reports, and supporting documentation, and administrative and operating policies, practices, procedures, and records
• Determining the staffing knowledge and skills, especially in IT and other specialty areas; risk assessment, controls monitoring, interaction with governance participants, successful practices, and other evidence of continuous improvement
• Reviewing reports for communications with management and the audit committee to assess the extent to which the internal audit department meets objectives and adds value
• Reviewing and assessing the coordination of the internal audit department with the work of the independent auditors
• Evaluating the internal audit department’s conformance with the IIA Standards and other relevant policies and procedures
• Reviewing the quality/process improvement actions currently underway and planned for the near term. We will also consider successful practices appropriate to the organization’s environment.

Evaluating the Internal Audit Activity and Reporting
The most important aspects of the assessment are the evaluation of the internal audit department’s conformity with the IIA’s Definition of Internal Auditing, Code of Ethics, and Standards; its adherence to its charter; the extent of its adoption of leading practices; and its program of continuous improvement. These evaluations will also disclose opportunities for improvement. This is the culmination of the analysis of surveys, interviews, and documentation. As appropriate, the assessor will provide recommendations for the internal audit department to enhance conformance with the Standards, add value for the organization, and be a catalyst for positive change in the company. The assessor will exercise professional judgment to render an opinion as to the level of conformance with the Standards by the internal audit activity.

For an activity designed to monitor the operations and conformity of its organization, it only makes sense that the internal audit function be evaluated against the processes and procedures to which it is required to conform.

If you are interested in learning more about the Quality Assurance Review process and how Citrin Cooperman’s Technology, Risk Advisory & Cybersecurity (TRAC) Practice can help your organization with an assessment, please contact Michael Camacho, Partner (mcamacho@citrincooperman.com).