Effective January 1, 2002, the Institute of Internal Auditors (IIA) released updated standards in the International Professional Practices Framework (IPPF). Internal auditing departments, according to Standard 1312 of the IPPF, must complete an external assessment once every five years from a qualified independent assessor or assessment team. In addition, the chief audit executive (CAE) must discuss the form and frequency of external assessments and the qualifications and independence of the external assessor or assessment team with the board of directors. Standards (unlike practice advisories, practice guides and position papers) are principal focused mandatory requirements consisting of statements for the professional practice of internal auditing and for evaluating the effectiveness of performance which are applicable at the organizational and individual levels.
Quality Assessment and Improvement Program
Before beginning any assessment the CAE should implement a Quality Assessment and Improvement Program (QAIP). According to the IIA practice guide,
"Quality should be built in to, and not on to, the way the activity conducts its business—through its internal audit methodology, policies and procedures, and human resource practices."
The common elements of the QAIP, as defined by the Quality Assessment Manual for the Internal Audit Activity, include the following:
- All facets of the internal audit activity
- An evaluation of conformance with the Definition of Internal Auditing, the Code of Ethics, and The IIA’s Standards
- An appraisal of the efficiency and effectiveness of the internal audit activity.
- Identification of opportunities for improvement
Ongoing monitoring and periodic self-assessments are the key elements of QAIP process. Effective QAIPs maintain built in ongoing monitoring procedures. Often used to aid the internal audit activity in their ongoing monitoring procedures is the Deming Cycle of Plan-Do-Check-Act. The self-assessment requirements are supported further in the IPPF Standard 1320 which states “The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.”
The goal of the QAIP program is to promote continuous improvement within the internal audit activity. Adoption of the Deming Cycle can enhance the likelihood of continuous improvement. According to the
Quality Assessment Manual for the Internal Audit Activity, benefits reported from an overall focus on continuous improvement within the internal audit activity include the following:
- Reduced error rates leading to increased stakeholder satisfaction and recognition of value produced by the internal audit activity
- Greater adaptability in implementing incremental internal audit process changes, resulting in greater responsiveness to emerging stakeholder expectations
- Enhanced internal audit productivity following the elimination of non-value-added activities
- Improved internal audit staff morale resulting from a focus on process improvements where all ideas are welcome
Types of Assessments
The IIA recognizes three types of QAR assessments; self-assessment with independent validation, full external assessment, and the peer review (made up of at least three independent organizations). When determining the best method for the organization the CAE should have an understanding of each type of assessment:
- Self-assessment with independent validation involves the CAE overseeing an internal team to perform the planning, assessment work programs, evaluation of conformance to the IIA’s mandatory guidance, and production of a summary report. Once completed, an independent external assessor or assessment team validates the result of the report completed by the internal team. Key benefits include the budget conscious approach and confidentiality of internal processes from other similar organizations.
- Full external assessments are QARs completed entirely by a qualified external assessor or assessment team. During this type of assessment the external assessor(s) focus on governance, risk management, and control processes. Observations are made by the external assessor(s) to identify opportunities for improvement and to enhance the internal audit activities ability to add value to the organization. Key benefits include the reduced internal effort, confidentiality of internal processes from other similar organizations, and third party observations with value-add benefits.
- Peer reviews are often used when budget constraints are an issue or in government organizations. A minimum of three organizations in reciprocal review is required to engage in a peer review. A key component of the peer review is ensuring the qualifications and independence of the peer review partners. The benefit of this option is that it is the most budget conscious approach.
Key Segments of the Quality Assessment Review
QARs are broken into four key segments that are reviewed through each phase of the process. IPPF standards can be tied to the individual segments to determine the Internal Audit Activities conformance. Each segment and the associated Standards are listed below:
- Internal Audit Governance - Standards series 1000, 1100, 1300, Code of Ethics, and the Definition of Internal Auditing (additional information regarding governance and the internal audit activities role can be found in the IPPF practice advisory 2110)
- Internal Audit Staff - Standards series 1200
- Internal Audit Management - Standards series 2000, 2100, and 2600
- Internal Audit Process - Standards series 2200, 2300, 2400, and 2500
Quality Assessment Review Process
Regardless of the type of assessment selected the QAR process is broken into the following six phases:
- Planning guides are used to gather background information about the organization and internal audit activity including key contacts, locations, and documents (e.g. audit committee charter). These documents are used to identify significant changes, plan who will receive surveys, and to create a high level road map to complete the QAR.
- Surveys are sent to executive leadership, operations management, and individuals that have had recent interaction with the internal audit activity. In addition the CAE should complete a survey to reflect their expectation of how others in the organization will respond. The survey results are used to identify opportunities for improvement, areas of strength, and areas that may require further investigation during the interview process.
- Interviews provide an opportunity to explore variations identified in the surveys between varying levels of the organization. Interviews often return more detailed results and candid responses than the surveys. Interviews can be conducted as a focus group or one on one. The depth and focus of the interviews should vary based on who is being interviewed, the size of the organization, availability, and the level of interaction with the internal audit activity.
- Work programs, designed to focus on each of the four segments, are completed based on information obtained during document collection, surveys, and interview results. These work programs help determine the internal audit activity’s conformance with the standards, assess their efficiency and effectiveness, and identify opportunities for improvement.
- Evaluation summaries are completed to determine overall conformance to the standards as generally conforms, partially conforms, or does not conform. Internal audit activities assessed as “generally conforms” would be able to use the statement “Conforms with the Internal Standards for the Professional Practice of Internal Auditing” as defined in Standard 1321.
- Reporting is completed with an opinion based report that includes the objective and scope, overall compliance evaluation, Standards and conformance levels, a summary of issues, and process improvement areas. The final report is addressed to the CAE with the expectation that it will be presented to the board.