Six Ways a Quality Assessment Adds Value to Internal Audit
In accordance with The Institute of Internal Auditors’ (The IIA) International Standards for the Professional Practice of Internal Auditing (Standards), “The Chief Audit Executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.” Such a program must include both internal and external assessments. However, while a requirement of the Standards, there is a much better reason for performing such an assessment, i.e., the value it can add to an internal audit (IA) function.
While internal quality assessments (QA) include ongoing monitoring of the IA function’s performance and periodic reviews through self-assessment, external QAs should be conducted at least once every five years by a qualified, independent reviewer from outside the organization. Whether internal or external, the QA focuses on six areas that we’ll cover in this article:
- IA Structure & Responsibilities
- Risk Assessment & Audit Planning
- Staff Professional Proficiency
- Information Technology
- Completion of the Audit Plan & Value Added
- Planning & Executing the Engagement, Workpaper Review, Audit Reporting, & Monitoring Progress
IA Structure & Responsibilities
The foundation of an IA department is its structure, providing basic guidelines by which it operates. The audit charter outlines the purpose, authority and scope, independence, responsibility, and reporting requirements of the IA activity. Formal reporting lines—typically to an audit committee or senior executive—indicate the level of internal support and guidance the activity will receive to maintain independence and objectivity throughout execution of the internal audit plan.
Independence is of utmost importance, and care must be taken to help ensure the IA reporting structure does not compromise—or appear to compromise—this independence. For instance, IA may report to the vice president (VP) of finance, who understands the need for the activity to operate independently to be objective and effective in its work. However, if the VP of finance is responsible for the chief audit executive’s (CAE) compensation review and adjustment, the appearance of independence might be compromised when IA performs audits of functions (such as the treasury) that also report to the VP of finance. There could be concern that since the VP of finance is responsible for the CAE’s compensation adjustments, the CAE may issue favorable results for audits of functions that report to the VP of finance.
The QA reviewer must decide whether the various policies and procedures, coupled with the activity’s purpose and reporting structure, provide an appropriate infrastructure to add value to the company while following the strict guidelines of the profession.
Risk Assessment & Audit Planning
While defining the IA activity’s structure and responsibilities provides a foundation for the function to operate within the organization, it is the risk assessment and audit planning process that determines the function’s potential success and value-add. The IIA guidelines focus on the idea of a risk-based approach to help ensure activities focus on the most critical risk areas and allow the IA activity to add value. Annually, the CAE performs a risk assessment of auditable areas, during which the CAE gains a better understanding of the key controls and potential risks to the organization through a series of interviews and surveys. The results of the interviews are taken into consideration with the entity’s strategic goals and mission to build an annual audit plan. Thus, a strong annual risk assessment process sets up the rest of the year.
When assessing compliance of the IA’s risk assessment and audit planning process against the Standards, the QA reviewer considers:
- Does IA determine a complete audit universe or scope of auditable areas?
- Is a formal risk assessment performed at least annually to determine which auditable areas should be addressed in the annual audit plans?
- Do the individual audit plans focus on significant risks in each auditable area that is selected for review?
- If staffing does not allow for completion of all audits identified in the risk assessment, is the process to defer or reschedule audits reasonable, and has it been communicated?
A big concern in this area is that available staffing drives the audit plan, rather than the audit plan driving staffing needs. Too often, an IA function “backs into” an audit plan based on available staffing. A risk assessment should be completed first, and then consideration should be given to whether staffing levels are adequate to address the major risks identified. The QA reviewer walks through the process of what happens if audits are identified as needed during the risk assessment process but are deferred or rescheduled due to inadequate staffing levels, including communication to the board and/or executive management and their response.
Staff Professional Proficiency
As with any profession, the tools of the trade are required. In this case, the auditors must possess appropriate skills, experience, and competencies to perform the work. In addition, the organization must provide ongoing support and continuing education to keep the staff’s skills current. The CAE must decide the makeup of the audit team based on the industry and risk assessment results. Degrees and certifications expected of each staff member, e.g., financial, operational, or information technology (IT), are driven by the audit base. The QA reviewer evaluates if these attributes are met in accordance with the Standards.
Often, a concern in this area pertains to the staff’s IT audit skills. While there are several resources available to educate staff about IT controls, IT audit skills are difficult to develop without the appropriate exposure and training in the field. Rather than the organization acquiring the needed skill sets—either through hiring or a co-sourcing arrangement—many simply eliminate IT audits from their annual audit plan or “water down” the scope of the audits and have a financial auditor perform the work. In addition, many perform IT audits separately from the non-IT audits when an integrated audit approach is preferable. The QA reviewer evaluates whether the team appears to possess adequate IT audit skills and, if it does not, may recommend that management consider hiring or contracting staff to meet this need and internally train the developing staff members.
Many IA teams do not have the appropriate IT resources to audit all risks. In addition to considering the IA staff’s IT audit skills, the QA reviewer should determine if continuous auditing procedures are in place and, if not, whether implementing such procedures would benefit the organization.
One common criticism of IA teams relates to the timeliness of reporting results. By the time results are tallied and reviewed and reports are drafted and scrutinized, audit results can be months old. Such an observation is often noted during a QA. However, data mining technologies now allow IA teams to immediately add value and improve timeliness by performing tests through continuous auditing techniques and methodologies.
Continuous auditing has been used for years and continues to gain popularity as data mining technologies improve. When continuous auditing is used, testing is performed by extracting current data on a continuous, routine basis, e.g., daily, weekly, or monthly, and data reports are often generated by exception only. This results in a much more efficient use of the internal auditor’s time, since exceptions requiring a follow-up already have been identified. It also allows for testing over an entire population versus a sample of items.
For example, an organization may want to implement continuous auditing procedures to help identify potential fraudulent payments made through the accounts payable process. Procedures could be implemented to identify payments to vendors who share an employee’s name or address or payments sent to vendors at a post office box or mailbox service address. Real-time investigations of such payments could help quickly identify whether fraudulent payments have begun.
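The accounts payable exception rules described above, as an added example that is not part of the original article: a small Python job that normalizes names and addresses, then flags payments to vendors whose name or address matches an employee record or whose address is a PO box or mailbox service. The employee roster, vendor master and payment batch are constructed sample data, and the abbreviation table and mailbox patterns are assumptions to adapt to an organization's own address conventions.

```python
import re

# Constructed sample data, not from the article: an employee roster, a vendor master
# file and a payment batch as a daily continuous-auditing extract might supply them.
EMPLOYEES = [
    {"id": "E100", "name": "Jane Q. Doe", "address": "12 Elm Street, Apt. 4, Springfield, IL 62701"},
    {"id": "E101", "name": "Carlos Ruiz", "address": "900 Lake Avenue, Springfield, IL 62704"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Supplies Inc", "address": "500 Industrial Pkwy, Peoria, IL 61602"},
    {"id": "V2", "name": "JQD Consulting", "address": "12 ELM ST APT 4 SPRINGFIELD IL 62701"},
    {"id": "V3", "name": "Summit Services", "address": "P.O. Box 1234, Springfield, IL 62705"},
    {"id": "V4", "name": "carlos ruiz", "address": "77 Main St, Chicago, IL 60601"},
]
PAYMENTS = [
    {"payment_id": "P1", "vendor_id": "V1", "amount": 2500.00},
    {"payment_id": "P2", "vendor_id": "V2", "amount": 4800.00},
    {"payment_id": "P3", "vendor_id": "V3", "amount": 1200.00},
    {"payment_id": "P4", "vendor_id": "V4", "amount": 980.00},
]

# Assumed abbreviation table; extend it to match the organization's address data.
ABBREVIATIONS = {"STREET": "ST", "AVENUE": "AVE", "APARTMENT": "APT", "PARKWAY": "PKWY"}
# Matches "PO BOX", "P O BOX" (after punctuation stripping), "POST OFFICE BOX" and
# "PMB" (private mailbox, a common mailbox-service designation); assumed patterns.
PO_BOX_RE = re.compile(r"\bP ?O BOX\b|\bPOST OFFICE BOX\b|\bPMB\b")

def normalize(text):
    """Uppercase, drop punctuation, collapse whitespace and standardize abbreviations."""
    words = re.sub(r"[^A-Z0-9 ]", " ", text.upper()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)

def flag_payments(payments, vendors, employees):
    """Return a finding for each payment that trips at least one exception rule."""
    vendor_by_id = {v["id"]: v for v in vendors}
    emp_names = {normalize(e["name"]): e["id"] for e in employees}
    emp_addrs = {normalize(e["address"]): e["id"] for e in employees}
    findings = []
    for p in payments:
        v = vendor_by_id[p["vendor_id"]]
        name, addr = normalize(v["name"]), normalize(v["address"])
        reasons = []
        if name in emp_names:
            reasons.append("vendor name matches employee " + emp_names[name])
        if addr in emp_addrs:
            reasons.append("vendor address matches employee " + emp_addrs[addr])
        if PO_BOX_RE.search(addr):
            reasons.append("vendor address is a PO box or mailbox service")
        if reasons:  # exception-only reporting: clean payments are not listed
            findings.append({"payment_id": p["payment_id"], "vendor_id": v["id"],
                             "amount": p["amount"], "reasons": reasons})
    return findings
```

Exact matching after normalization keeps the rule set auditable; a production job would typically add fuzzy name matching and bank-account comparisons on top of it.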
Completion of the Audit Plan & Value Added
The timely issuance of reports after fieldwork and completion of planned audits are important metrics for gauging the IA team’s effectiveness, but the value added by the team is another metric that is important to measure and communicate to leadership. CAEs are beginning to view the QA as an opportunity to validate their actions to their audit committees and build credibility. In addition, CAEs may share metrics such as the results from client surveys, savings, number of recommendations implemented by auditable units, and consultation requests from management to illustrate the value-add.
As the IA function matures, it should be perceived by management as a value-added resource and a go-to partner that has the organization’s best interests as its top priority. In addition to working through the annual audit plan, internal auditors with the right skill set can provide consulting services, such as providing internal control expertise when an organization implements a new system or product. Also, if approved by the board, the CAE can adjust the annual audit plan to add engagements that address needs that were not present during the annual risk assessment, such as adding a control design assessment in response to a recent fraud event. A QA reviewer can help an organization determine if its IA function appears to be adding value to the organization and, if not, what changes the activity should consider implementing to make the function more effective.
Planning & Executing the Engagement, Workpaper Review, Audit Reporting, & Monitoring Progress
A formal methodology and approach help organizations properly plan, execute, and review all work. Most IA departments are good at exercising basic procedures to review the quality of supporting workpapers for specific audits.
One area evaluated during the QA review is the IA function’s system to monitor audit results communicated to management. As much as it is the IA activity’s responsibility to audit risk areas and communicate recommendations, it is also its responsibility to collect management’s action plans and monitor that the action plans have been implemented and effectively address the risks noted during the audit. An exception to this is when senior management accepts the risk of not acting on the activity’s observations. It is a best practice to regularly monitor action plans and communicate the results to the board and/or executive management. Without this system, senior management may place audit reports on a shelf and ignore the recommendations until the next audit. The QA reviewer determines if this system exists and is consistently applied.
Once the independent reviewer has assessed the six areas covered in this article, a report is issued that opines on the IA team’s conformance to the Standards. Also included in this report are observations and recommendations to improve the IA department’s structure, staffing, deployment of resources, and value-add.
How BKD CPAs & Advisors Can Help
BKD National Enterprise Risk Solutions (ERS) Practice provides specialized resources that deliver the right combination of expertise and skills to achieve integrated results. Our ERS division features experienced professionals who provide QA services to organizations seeking to improve their IA activity’s effectiveness and value. BKD offers a variety of QA service levels to meet your needs, including an Independent Validation of Self-Assessment (SAIV) or a full external QA. In addition, our professionals can help establish an IA function and provide co-sourcing and out-sourcing options as well as transformation services of an existing IA function.
For more information, reach out to your BKD Trusted Advisor™ or use the Contact Us form below.