Like other professions, internal audit should strive to deliver the best service it can. How do we do this? The Standards (1300-1322) require the head of internal audit to develop and maintain a quality assurance and improvement programme (QA&IP) that covers all aspects of the internal audit activity. Both internal (1311) and external assessments (1312) are required with the head of internal audit communicating the results of the QA&IP to senior management and the audit committee (1320).
Internal assessments must include ongoing monitoring of the performance of the internal audit activity through the day-to-day supervision, review, and measurement of the activity and should be incorporated in the routine policies and practices. Periodic self-assessments or assessments by other persons within the organisation, with sufficient knowledge of internal audit practices, are good practice and prevalent in most organisations. This requires at least an understanding of all the elements of the International Professional Practices Framework.
External assessments must be conducted at least once every five years by a qualified, independent assessor/assessment team from outside the organisation. This must be discussed with the audit committee, who will be the customer of the EQA Review, covering the form and frequency of the external assessments and the qualifications and independence of the assessor/assessment team, including any potential conflict of interest.
As one of a team of EQA reviewers, what we are looking for when we visit an internal audit function is a desire and a commitment to improve/be better. Of course the components are important. A well-designed audit manual, supportive coaching and supervision, key performance indicators, feedback from stakeholders, self-assessment against the IIA Standards, staff appraisals and professional development are all indicators that quality and improvement are taken seriously. Ultimately, it is all about the attitude and culture in the function, and the determination with which, and extent to which, continuous improvement is embraced. The components are simply tools that support an internal audit function’s drive towards excellence.
That said, the Internal Audit Effectiveness Report 2016/17 shows that from the reviews undertaken, 86% of the organisations ‘conform’ against the Standards, and 12% ‘partially conform’. An organisation is classed as ‘non-conforming’ if it fails 10 or more standards out of the total of 56. Only 2% of the reviewed internal audit functions failed, which shows an improvement of 13% in comparison to our 2015/2016 report.
The EQA reviews undertaken identified that some internal audit functions struggled with scheduling QA&IP reports into audit committee meeting agendas. The Standards require internal audit to report conformance or indeed non-conformance with the Standards to the audit committee on a regular basis. Perhaps we need to be more forceful when liaising with those planning the audit committee agenda?
To conclude on the QA&IP Standards – the results of QA&IP must be communicated to senior management and the board (1320). You can state that the internal audit activity 'conforms to the International Standards for the Professional Practice of Internal Auditing' if the results support this statement (1321). If any non-conformance impacts the overall scope or operation of the internal audit activity, this must be disclosed to senior management and the audit committee along with an overview of the actual impacts (1322).