A commitment to the continual review and improvement of the internal audit activity is a vital aspect of earning and maintaining credibility and trust among its stakeholders. Conformance to the International Standards requires that regular, independent external quality assessments are carried out once every five years.
Since the inception of external quality assessments (EQAs) eight years ago, commencing in the latter part of 2011-12, we have undertaken over 150 reviews of both public and private sector organisations of varying sizes of internal audit activities.
There has been a slight increase in numbers from 2017-2018. Based on the work undertaken in 2019 and projected work through to the end of March 2020 we anticipate a continuing increase.
We offer a range of services from readiness assessments through to comprehensive in-depth reviews and follow-up assessments. During 2018-19 we undertook 26 reviews (12 in the public sector, 14 in the private sector), a small number of these being readiness assessments, facilitated self-assessments and follow up work.
Of the number of EQAs undertaken, 82% generally conformed to the IIA Standards where two achieved full general conformance across the Standards.
One of the common themes in the areas for improvement is quality assurance and improvement programme (Standards 1300 – 1322). Our EQA work shows that of the five areas of conformance, recommendations are within performance and planning.
The knowledge, experience and support of our review team has helped these organisations to devise action plans to deliver significant improvement. The Chartered IIA is seeking to identify common themes in terms of non-conformance with the Standards so that technical guidance, training courses and events can be created to address these areas. Thereby providing additional support to internal audit activities and in turn, aid conformance with the Standards.
Our colleagues at IIA Global, following the revision to the Standards, have provided implementation guidance to give clarity and guidance as to how conformance with the Standards is demonstrated.
The implementation guides are available to members.
The detail within this report provides useful benchmarks and highlights potential areas for improvement based on our insight into the organisations we have worked with.
The key points highlighted, cumulatively, in the 2018-19 EQA review findings do not mirror those identified in the work completed in 2017-18:
The feedback sought from key stakeholders were used in conjunction with other information gathered, with outcomes from the 2018-19 report highlights to prepare a Strengths Weaknesses Opportunities Threats (SWOT) analysis:
Free autonomy over internal audit activities with high levels of independence to complete their job, and is reflected in the well regarded, professionally qualified and equally experienced internal audit teams. In addition, co-source partners were efficiently used to keep up to date with developments in the industry.
Lack of development strategies implemented with personnel to assist in planning and staff development which has also affected assurance mapping to identify and coordinate all sources of assurance. Last year we identified a loss of knowledge in IT and cyber skill gaps with improvement shown this year, however Computer Assisted Auditing Techniques (CAATs) are still limited.
Development of staff through recruiting widely, allowing for exploitation of internal audits with expertise, including co-sourced options to provide management and board with a greater level of assurance. Incubating talent for the organisation that can involve internal secondments.
Threats identified reflected limited internal audit resource, loss of staff who have sufficient expertise and relevant expertise which now needs to be replaced. Furthermore, the perception of senior stakeholders as the role of internal audit activity; an investigative body or a second line of defence.
Internal auditing is conducted in diverse legal and cultural environments; for organisations that vary in purpose, size, complexity, and structure; and by persons within or outside the organisation. While differences may affect the practice of internal auditing in each environment, conformance to the International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity.
To best serve the organisation and inspire stakeholder confidence, internal audit must operate at the highest level of ethical and professional competencies to ensure consistent and accurate delivery of risk-based and objective assurance, advice and insight. Internal audit is most effective when its resource level, competence, and structure are aligned with organisational strategy, and when it follows the International Professional Practices Framework (IPPF) promulgated by IIA Global.
Maintaining independence and objectivity is important so as to ensure internal audit has the ability to make decisions of the highest standard with unbiased judgements. Audit Committee members, in particular, want opinions they can rely upon that are unbiased and objective. Conformance to the Standards that relate to the positioning of internal audit as 84%, a decrease of 7% from last year.
The issues that have come to surface are similar to last year’s reviews, with regards to updating the internal audit charter, ensuring it is in line with the most recent Standards produced. Internal audit should operate under a regularly approved charter by the audit committee.
To meet the needs of the organisation and board, the appropriate skills and competencies is crucial for the internal audit and delivering the level of assurance required. To meet these needs internal audit activities are using a range of methods to complement their in-house teams such as guest auditors and co-sourcing arrangements as well as identifying skills gaps. Positive feedback has been received during EQAs on the quality of internal audit staff; professionally qualified and experienced.
Stakeholders should require the internal audit activity to maintain a QA&IP and demand regular external quality assurance reviews.
Quality in internal audit is guided by both an obligation to meet customer expectations as well as professional responsibilities inherent in conforming to the Standards. A well-developed QA&IP ensures that the concept of quality is embedded in the internal audit activity and all of its operations.
The head of internal audit (HIA) is responsible for managing the internal audit activity in a way that enables the internal audit activity to conform with the Standards and individual internal auditors to conform with the Standards and Code of Ethics. It is therefore crucial that the HIA regularly reviews the International Professional Practices Framework (IPPF) to address the details of conformance, through QA&IPs as mentioned above.
Furthermore, the HIA is required to create a risk based internal audit plan to determine the priorities of the internal audit activities assurance and consulting engagements that consider trends and emerging issues, regulatory requirements, and political and economic situations.
Conformance in this area shows a 6% increase on 2016–17 figures. However, this is an area where a number of recommendations have been made to enhance current planning processes such as mapping assurance to ensure a more co-ordinated approach, criteria developed to determine when consulting engagements are accepted, development of an audit manual to help the team deliver their obligations for example.
This group of Standards extends from the planning of an individual audit engagement through to its execution, reporting and follow-up. There is a high level of conformance with this group of Standards which is consistent between the two years and a small number of recommendations have been made across the range of Standards to improve processes.
By definition and design, conformance to the IPPF strengthens the delivery of internal audit services, which in turn helps the organisation improve governance, manage risks, and implement controls to more effectively achieve its goals. Every professional internal auditor and every internal audit activity must follow the mandatory components of the IPPF. As a set of principles-based, internationally applicable requirements for the practice and evaluation of internal auditing services, the Standards are fundamental to successful internal auditing.
Those who benefit include internal auditors, audit committees, management, the board, shareholders, and regulators.
The IPPF provides a credible and current framework for these stakeholders to understand internal audit’s role in effective governance, risk management and control, and outlines the expectations they should have of their internal audit activity.
Conformance increases professionalism, drives and encourages continued development of the profession, and nurtures conditions under which internal audit can thrive and more effectively enhance and protect organisational value.