A commitment to the continual review and improvement of the internal audit activity is a vital aspect of earning and maintaining credibility and trust among its stakeholders. The IIA Standards contain an obligation (Attribute Standard 1312: External Assessment) for an external quality assurance review every five years.
Since the inception of external quality assessments (EQAs) six years ago, in the latter part of 2011–12, we have undertaken over 100 reviews of internal audit activities of varying sizes in both public and private sector organisations.
A range of services is offered, from readiness assessments (the latest service to be offered) through to comprehensive in-depth reviews and follow-up assessments. During 2017–18 we undertook 25 reviews (12 in the public sector, 13 in the private sector), a small number of these being readiness assessments, facilitated self-assessments and follow-up work.
There has been a slight increase in numbers from 2016–17 and, based on the work undertaken in 2018 and projected work through to the end of March 2019, we anticipate a continuing increase in numbers over 2017–18.
Overall four generally conformed to the IIA Standards with 17 partially conforming, half of these having between one and four partials, with two having one area of non-conformance and one having two areas of non-conformance.
One of the common themes in the areas for improvement is planning and co-ordination and reliance (Standards 2000–2130). Our EQA work shows that of the six areas of conformance, recommendations are within planning and co-ordination and reliance.
The knowledge, experience and support of our review team have helped these organisations to devise action plans to deliver significant improvement. The Chartered IIA is seeking to identify common themes in terms of non-conformance with the Standards so that technical guidance, training courses and events can be created to address these areas, thereby providing additional support to internal audit activities and aiding conformance with the Standards.
Our colleagues at IIA Global, following the revision to the Standards, have issued implementation guidance that clarifies how to demonstrate conformance with the Standards.
The implementation guides are available to members.
The detail within this report provides useful benchmarks and highlights potential areas for improvement based on our insight into the organisations we have worked with.
The key points highlighted, cumulatively, in the 2017–18 EQA review findings mirror those identified in the 2016–17 work and include:
Feedback is sought from key stakeholders and used in conjunction with other information to prepare a SWOT analysis. The main outcomes from the 2017–18 reports highlight the following:
The professionalism of internal audit activities that have qualified and experienced staff who are respected and trusted by stakeholders to deliver added value. They may be enriched with guest auditors and supplemented by co-source partners. In addition, there is a commitment to a risk-based approach with a risk-orientated plan and to continuous improvement and training. The internal audit activity has the freedom to do its job.
Lack of co-ordination and knowledge sharing with other internal and external assurance providers; timeliness of audit engagements; succession planning, loss of knowledge and consideration on how to fill skills gaps, in particular IT and cyber.
Through the preparation of an internal audit strategy document setting out how the department will evolve to keep pace with risks resulting from organisational strategy, the focus on strategic and operational risks rather than low-level audits, and engagement in key areas of change and transformation risk at the right time.
Work in relation to the identification and co-ordination of assurance to avoid any duplication or gaps in audit coverage and to provide an opinion on whether first and second line of assurance can be relied upon. Development of staff through, for instance, building in time for effective knowledge transfer from a variety of sources enhances both individual and team competencies in emerging topic areas such as GDPR, culture and data analytics.
The main threats identified were around the loss of staff and knowledge and the lack of any formal succession planning and retention strategy along with IT skills and budget constraints.
Internal auditing is conducted in diverse legal and cultural environments; for organisations that vary in purpose, size, complexity, and structure; and by persons within or outside the organisation. While differences may affect the practice of internal auditing in each environment, conformance to the International Standards for the Professional Practice of Internal Auditing (Standards) is essential in meeting the responsibilities of internal auditors and the internal audit activity.
To best serve the organisation and inspire stakeholder confidence, internal audit must operate at the highest level of ethical and professional competencies to ensure consistent and accurate delivery of risk-based and objective assurance, advice and insight. Internal audit is most effective when its resource level, competence, and structure are aligned with organisational strategy, and when it follows the International Professional Practices Framework (IPPF) promulgated by IIA Global.
The positioning and independence of the internal audit activity is crucial for enhancing and protecting organisational value. Audit committee members in particular want opinions they can rely upon that are unbiased and objective. Conformance to the Standards that relate to the positioning of internal audit is 91%, an increase from last year of 3% with a subsequent decrease of partial conformance at 7%.
The issues that have come to the surface relate to updating the internal audit charter to provide more clarity with formal review and adoption of the document. Internal audit should operate under a charter that adopts the IPPF, and stakeholders should expect and accept nothing less.
Audit committees are looking to internal audit to focus on the critical risks to the business, including key operational risks and controls such as cyber security and technology risks, which requires a wide range of knowledge and skills. To meet these needs, internal audit activities are using a range of methods to complement their in-house teams, such as guest auditors and co-sourcing arrangements, as well as identifying skills gaps. Positive feedback has been received during EQAs on the quality of internal audit staff and commitment to continuous improvement and training. The 2017–18 conformance figure in this area shows a 13% increase on the previous year.
Stakeholders should require the internal audit activity to maintain a QA&IP and demand regular external quality assurance reviews.
Quality in internal audit is guided by both an obligation to meet customer expectations as well as professional responsibilities inherent in conforming to the Standards. A well-developed QA&IP ensures that the concept of quality is embedded in the internal audit activity and all of its operations.
Conformance in this area remains consistent over the two years. Areas for improvement are around the preparation of a QA&IP framework with reporting to the audit committee and tracking progress against agreed recommendations.
The head of internal audit (HIA) is responsible for managing the internal audit activity in a way that enables the internal audit activity to conform with the Standards and individual internal auditors to conform with the Standards and Code of Ethics. It is therefore crucial that the HIA regularly reviews the International Professional Practices Framework (IPPF) to address the details of conformance, through QA&IPs as mentioned above.
Furthermore, the HIA is required to create a risk-based internal audit plan to determine the priorities of the internal audit activity's assurance and consulting engagements, taking into account trends and emerging issues, regulatory requirements, and political and economic situations.
Conformance in this area shows a 6% increase on 2016–17 figures. However, this is an area where a number of recommendations have been made to enhance current planning processes, for example mapping assurance to ensure a more co-ordinated approach, developing criteria to determine when consulting engagements are accepted, and developing an audit manual to help the team deliver their obligations.
This group of Standards extends from the planning of an individual audit engagement through to its execution, reporting and follow-up. There is a high level of conformance with this group of Standards which is consistent between the two years and a small number of recommendations have been made across the range of Standards to improve processes.
By definition and design, conformance to the IPPF strengthens the delivery of internal audit services, which in turn helps the organisation improve governance, manage risks, and implement controls to more effectively achieve its goals. Every professional internal auditor and every internal audit activity must follow the mandatory components of the IPPF. As a set of principles-based, internationally applicable requirements for the practice and evaluation of internal auditing services, the Standards are fundamental to successful internal auditing.
Those who benefit include internal auditors, audit committees, management, the board, shareholders, and regulators.
The IPPF provides a credible and current framework for these stakeholders to understand internal audit’s role in effective governance, risk management and control, and outlines the expectations they should have of their internal audit activity.
Conformance increases professionalism, drives and encourages continued development of the profession, and nurtures conditions under which internal audit can thrive and more effectively enhance and protect organisational value.