Internal audit performance

A summary of the effectiveness of the internal audit functions reviewed during 2017–18

A commitment to the continual review and improvement of the internal audit activity is a vital aspect of earning and maintaining credibility and trust among its stakeholders. The IIA Standards contains an obligation (Attribute Standard 1312: External Assessment) for an external quality assurance review every five years.

Since the inception of the external quality assessments (EQAs) six years ago, commencing in the latter part of 2011–12 we have undertaken over 100 reviews of both public and private sector organisations of varying sizes of internal audit activities.

A range of services are offered from readiness assessments, the latest service to be offered, through to comprehensive in-depth reviews and follow-up assessments. During 2017–18 we undertook 25 reviews (12 in the public sector, 13 in the private sector), a small number of these being readiness assessments, facilitated self-assessments and follow up work.

There has been a slight increase in numbers from 2016–17 and based on the work undertaken in 2018 and projected work through to the end of the March 2019 we anticipate a continuing increase in numbers to 2017–18.

EQAs by sector 

 

Overall four generally conformed to the IIA Standards with 17 partially conforming, half of these having between one and four partials, with two having one area of non-conformance and one having two areas of non-conformance.

Overall performance against IIA Standards 

 

One of the common themes in the areas for improvement is planning and co-ordination and reliance (Standards 2000–2130). Our EQA work shows that of the six areas of conformance, recommendations are within planning and co-ordination and reliance.

The knowledge, experience and support of our review team has helped these organisations to devise action plans to deliver significant improvement. The Chartered IIA is seeking to identify common themes in terms of non-conformance with the Standards so that technical guidance, training courses and events can be created to address these areas and thereby providing additional support to internal audit activities and aid conformance with the Standards.

Our colleagues at IIA Global, following the revision to the Standards, have provided implementation guidance to provide clarity and guidance as to how to demonstrate conformance with the Standards. 

The implementation guides are available to members.

The detail within this report provides useful benchmarks and highlights potential areas for improvement based on our insight into the organisations we have worked with.

The key points highlighted, cumulatively, in the 2017–18 EQA review findings mirror those identified in the 2016–17 work and include:

  • Ensuring internal audit charters reflect the Core Principles and the mandatory nature of the IPPF as well as the full range of services provide by the internal audit activity and roles and responsibilities provided to the organisation. Scheduling reports into audit committee meeting agendas according to a quality assurance and improvement programme (QA&IP) timetable.
  • Demonstrating independence and objectivity through a functional reporting line to the chair of the audit committee.
  • Regularly reviewing the experience, knowledge and skills required for an effective internal audit operation in your organisation.
  • The development and maintenance of a comprehensive QA&IP with scheduled reports into audit committee meeting agendas according to a QA&IP timetable.
  • Designing an internal audit plan that has explicit alignment to strategic risks and justifies the choice of audits on the basis of their importance and value, illustrating the percentage coverage of key risks.
  • Looking at areas of governance, the performance of risk management and other critical issues as separate audits or part of every audit.
  • Working closely with other assurance providers to maximise assurance coverage - avoiding duplication of effort and gaps in assurance.
  • Working with managers to focus assurance upon the management of priorities, risks and critical success factors.

Through the feedback sought from key stakeholders which are used in conjunction with other information to prepare a SWOT analysis. The main outcomes from the 2017–18 reports highlight the following:

Strengths

The professionalism of internal audit activities, that have qualified and experienced staff who are respected and trusted by stakeholders to deliver added value. They may be enriched with guest auditors and supplemented by co-source partners. In addition, there is a commitment to a risk based approach with a risk orientated plan and to continuous improvement and training. The internal audit activity has the freedom to do its job.

Weaknesses

Lack of co-ordination and knowledge sharing with other internal and external assurance providers; timeliness of audit engagements; succession planning, loss of knowledge and consideration on how to fill skills gaps, in particular IT and cyber.

Opportunities

Through the preparation of an internal audit strategy document setting out how the department will evolve to keep pace with risks resulting from organisational strategy and the focus on strategic and operational risks rather than low level audits as well as engaging in key areas of change and transformation risk at the right time.

Work in relation to the identification and co-ordination of assurance to avoid any duplication/gaps in audit coverage and providing an opinion on whether first and second line of assurance can be relied upon. Development of staff through, for instance, building in time for effective knowledge transfer from a variety of sources enhances both individual and team competencies in emerging topic areas such as GDPR, culture, data analytics.

Threats

The main threats identified were around the loss of staff and knowledge and the lack of any formal succession planning and retention strategy along with IT skills and budget constraints.


Standards

Internal auditing is conducted in diverse legal and cultural environments; for organisations that vary in purpose, size, complexity, and structure; and by persons within or outside the organisation. While differences may affect the practice of internal auditing in each environment, conformance to the International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity.

To best serve the organisation and inspire stakeholder confidence, internal audit must operate at the highest level of ethical and professional competencies to ensure consistent and accurate delivery of risk-based and objective assurance, advice and insight. Internal audit is most effective when its resource level, competence, and structure are aligned with organisational strategy, and when it follows the International Professional Practices Framework (IPPF) promulgated by IIA Global.

Positioning: 1000–1130 Independence and objectivity 

The positioning and independence of the internal audit activity is crucial for enhancing and protecting organisational value. Audit committee members in particular want opinions they can rely upon that are unbiased and objective. Conformance to the Standards that relate to the positioning of internal audit is 91%, an increase from last year of 3% with a subsequent decrease of partial conformance at 7%.

The issues that have come to the surface relate to updating the internal audit charter to provide more clarity with formal review and adoption of the document. Internal audit should operate under a charter that adopts the IPPF, and stakeholders should expect and accept nothing less.

Positioning: 1200–1230 Proficiency and due professional care 

Audit committees are looking to internal audit to focus on the critical risks to the business, including key operational risks and controls such as cyber security and technology risks which requires a wide range of knowledge and skills. To meet these needs internal audit activities are using a range of methods to complement their in-house teams such as guest auditors and co-sourcing arrangements as well as identifying skills gaps. Positive feedback has been received during EQAs on the quality of internal audit staff and commitment to continuous improvement and training. The 2017–18 conformance figure in this area shows a 13% increase to the previous year. 

Performance: 1300–1322 Quality assurance and improvement programmes (QA&IP) 

Stakeholders should require the internal audit activity to maintain a QA&IP and demand regular external quality assurance reviews. 

Quality in internal audit is guided by both an obligation to meet customer expectations as well as professional responsibilities inherent in conforming to the Standards. A well-developed QA&IP ensures that the concept of quality is embedded in the internal audit activity and all of its operations.

Conformance in this area remains consistent over the two years. Areas for improvement are around the preparation of a QA&IP framework with reporting to the audit committee and tracking progress against agreed recommendations. 

Planning: 2000–2130 Managing internal audit

The head of internal audit (HIA) is responsible for managing the internal audit activity in a way that enables the internal audit activity to conform with the Standards and individual internal auditors to conform with the Standards and Code of Ethics. It is therefore crucial that the HIA regularly reviews the International Professional Practices Framework (IPPF) to address the details of conformance, through QA&IPs as mentioned above.

Furthermore, the HIA is required to create a risk based internal audit plan to determine the priorities of the internal audit activities assurance and consulting engagements that consider trends and emerging issues, regulatory requirements, and political and economic situations.

Conformance in this area shows a 6% increase on 2016–17 figures. However, this is an area where a number of recommendations have been made to enhance current planning processes such as mapping assurance to ensure a more co-ordinated approach, criteria developed to determine when consulting engagements are accepted, development of an audit manual to help the team deliver their obligations for example.

Process: 2200–2600 Performing audit engagement

This group of Standards extends from the planning of an individual audit engagement through to its execution, reporting and follow-up. There is a high level of conformance with this group of Standards which is consistent between the two years and a small number of recommendations have been made across the range of Standards to improve processes. 


Who benefits from conformance?

By definition and design, conformance to the IPPF strengthens the delivery of internal audit services, which in turn helps the organisation improve governance, manage risks, and implement controls to more effectively achieve its goals. Every professional internal auditor and every internal audit activity must follow the mandatory components of the IPPF. As a set of principles-based, internationally applicable requirements for the practice and evaluation of internal auditing services, the Standards are fundamental to successful internal auditing.

Those who benefit include internal auditors, audit committees, management, the board, shareholders, and regulators.

The IPPF provides a credible and current framework for these stakeholders to understand internal audit’s role in effective governance, risk management and control, and outlines the expectations they should have of their internal audit activity.

Conformance increases professionalism, drives and encourages continued development of the profession, and nurtures conditions under which internal audit can thrive and more effectively enhance and protect organisational value.


Download this report (pdf)