Assuring quality of Internal Audit tweetchat
Assuring internal audit quality: summary of chat
By Nina F Collins
We held the tweet chat on 7 October 2011. It was a lively discussion involving staff, IIA members and other twitter users. There were several threads to the discussion, but I’ve attempted to pull them together:
Quality means:
- Being fit for purpose
- Providing a consistent service
- Satisfying stakeholders
- Striving to be better i.e. continually improving
- Exceeding expectations
- Being innovative in what you do and how you do it
For internal audit quality also means:
- Providing relevant assurance..
- ..And relevant means the assurance stakeholders want
- Providing assurance on risk management
- Occasionally telling stakeholders things that make them uncomfortable (and this is not easy as they are the judges of internal audit quality!).
Engaging with stakeholders is key:
- Internal auditors will only understand what stakeholders want by engaging with them
- Stakeholders cannot always articulate what they want of internal audit. So internal audit should help them clarify and articulate their needs. And this may mean starting with the question 'what does internal audit mean to you'?
- Stakeholders, e.g. the board, struggle with aspects of risk management. Internal audit has a role in highlighting to boards the areas of risk management that they are not addressing/dealing with
- If stakeholders’ assurance requirements are too narrow (e.g. focusing on VFM only) internal audit needs to remind them of other considerations.
Working with the internal audit team:
- The internal audit team are stakeholders too
- Quality means engaging with those doing the work, i.e. the internal auditors, so that quality is ‘built-in’.
External quality assessments (EQAs)
- The International Standards stipulate that internal audit functions should be externally assessed every five years. However, not all functions conforming to this standard. Why?...
- …Is it too easy for HIAs not to tell stakeholders that EQA is a requirement? Are EQAs considered an unnecessary expense? Does the IPPF need ‘more teeth’? And does ‘more teeth’ mean spot-checking internal audit functions; or asking HIAs to submit review documentation to the IIA? On the other, might these layers of checking be counter-productive?
- Who decides the scope of the EQAs? Is there a risk that heads of internal audit can control the scope of EQAs and thus reduce their value? Perhaps HIAs should disclose conflicts of interest to their respective audit committees.
- EQA assessors should also be disclosing conflicts of interest to the audit committee.