Top tips: ensuring quality in the smallest internal audit activities

Quality has been an increasingly important aspect of the management of internal audit over the past decade or so, with some larger functions having an in-house quality assurance team to support continuous improvement. But how do smaller functions ensure quality is embedded in their processes? And how do the smallest ensure they continue to improve given the challenges of resource constraints, limited scope for independent review and the need to conform to the same standards as much larger functions?

Heads of internal audit (HIAs) are required to develop a Quality Assurance and Improvement Programme (QAIP) that includes both internal and external assessments (Standard 1300). A QAIP helps a HIA address two broad areas of audit risk:

Conformance (or compliance) risk

Does the function and its processes conform to the IIA Standards and apply the Code of Ethics and other sector specific requirements and to the activity’s own internal audit methodology?

Opinion risk

Has the right audit work been performed and the right interpretation of results made to support the conclusions reached and the opinions issued?

Supplemental guidance has been published, called Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing to support smaller functions in implementing standards. This recognises a high level of challenge in implementing the respective QAIP attribute standards, particularly regarding internal assessments. However, there are some practical steps that can help HIAs meet the standard and get real benefit from continuous improvements in quality. 


Ongoing review and supervision

Ongoing review and supervision is the most immediate and direct way to ensure the quality of work performed, and is the cornerstone of a QAIP. It enables the early challenge of poor practice, facilitates the generation of new ideas, supports the coaching and development of teams and team members, and ensures the right focus and effort at all stages of the internal audit process.

  1. Clearly define roles and responsibilities for ongoing review and supervision for each engagement or activity. Ensure this is more than simply signing-off the file or report at the end of the audit.

  2. Consider how the supervision and review effort can be risk-based to best allocate resources. But be careful – how sure are you that the lower risk areas won’t unearth important issues, and remember that the quality of assurance over well-controlled areas is often as valuable as raising the big issues.

Experienced team members and subject matter experts (SMEs)

The involvement of experienced team members and SMEs is another important way to embed quality in the audit process, and can support your QAIP. The challenge in smaller functions is often access to the right SMEs, and finding the right blend of internal audit expertise and industry or product knowledge.

  1. Consider focusing your co-source resource on bringing in the right SMEs at the right stages of an audit, ensuring the right risks are considered, the right conclusions are reached, and allowing team members to bring learning into the audit process for future benefit, thereby enhancing quality.

Independent reviews 

Independent reviews of a sample of audits or on some key themes is often the first thing we think about when we consider QAIP. And it is important for small functions to find ways of evaluating their effectiveness in this respect and, crucially, of feeding this into learning and the improvement programme. Ideally, independent reviews should involve other experienced members of the in-house team. But these colleagues should not have been involved in the original audit engagement, which in small teams is difficult, if not impossible.

  1. Consider outsourcing quality assurance for individual audits. But make sure you are getting more than just a checklist. Audit files must demonstrate more than simple conformance with methodology. The rationale for key decisions around scope, interpretation and reporting must be clear to the reviewer, ensuring opinion risk can be considered. This does not necessarily mean an SME needs to be involved – an experienced internal auditor should be able to deduce this from the audit documentation. Budgetary constraints may limit a small activities ability to outsource to an external professional services provider. Consider engaging an experienced independent professional as a cost-effective alternative.

  2. Another option is to use co-source resource to support QAs. This would allow senior team members to be involved where possible, but gives flexibility where not. Again, budgets may limit the function’s scope to do this.

  3. Both outsourcing and co-sourcing of QAs, if established effectively, have the benefit of bringing external good practice, which can otherwise be difficult for a smaller team. You should, however, be comfortable that there is appropriate independence both at an individual and organisational level from any other work performed for your function or the wider organisation.

  4. The supplemental guidance noted earlier suggests that people with internal audit experience but working elsewhere in the organisation could be involved in QAs. This is rarely considered in practice, perhaps due to independence or objectivity concerns, but may be another option available to the HIA.

Periodic self-assessment

Periodic self-assessment can be daunting for a small function. But a small function has the benefit that the HIA and other senior team members know most, or all the activities performed by the team and will have the information to make and evidence judgements easily to hand.

  1. Use templates from the IIA or elsewhere to ensure all standards are covered. Reference your supporting evidence and ensure the self-assessment is kept current.

  2. Rotate responsibility for completion among senior team members. This can usefully support individual and team learning. It can also bring different views of the function’s effectiveness and challenges.

  3. Link your self-assessment to the ongoing development of your methodology, so that gaps or areas for improvement can easily be filled.

  4. Keep a suggestions log to enable all team members to highlight areas for improvement. This will support your self-assessment and can lead to, and evidence, ongoing improvement in methodology and other practices.

Report the results

You must report the results of your QAIP to senior management and the board (Standard 1320). It is important that this includes any challenges in meeting standards, any non-conformances, and any risks the function faces as a result.


Leverage your external quality assessment (EQA)

  1. An EQA must be performed at least once every five years (Standard 1312). It is vitally important that even the smallest functions dedicate the necessary resources to commissioning and enabling this, both to give assurance to the audit committee and to support ongoing improvement.

  2. Some providers offer an ongoing assessment, and some HIAs may want a more regular exercise that will looks at the function more frequently. This can focus on different aspects of the function. Consider this option to get ongoing and regular feedback.

  3. Don’t fear an EQA; use it as an opportunity to develop your function. Maximise the value by effective scoping and structuring. Prepare well, and develop a realistic action plan to address recommendations in a way which is sustainable and appropriate for the size of the function.

Feedback

Consider feedback from stakeholders and look at what key performance indicators (KPIs) are telling you.

  1. Ensure you have robust feedback mechanisms to understand what the audit committee and other stakeholders think about your service. Make quality and improvement part of the conversations, and include these in your functional and personal objectives.

  2. You should agree appropriate KPIs with the audit committee. These will include hard metrics that will help you understand where you need to focus improvement efforts.

  3. Finally, don’t try to do too much. Prioritise key initiatives based on all of the information available, and focus on delivering these effectively. 

Further reading

Standards

Attribute 1300 series

Implementation guides

1300 Quality assurance and improvement programme
1310 Requirements of the quality assurance and improvement programme
1311 Internal assessments
1312 External assessments
1320 Reporting on the quality assurance and improvement programme
1321 Use of “conforms with the International Standards for the Professional Practice of Internal Auditing”
1322 Disclosure of non-conformance

Supplemental guidance

Quality Assurance and Improvement Program
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing

Guidance

Quality and the international standards
Quality assurance and improvement programmes
Internal audit performance measurement

Template

Self-assessment checklist

Content reviewed: 10 May 2022