Who audits the internal auditors?

(Conclusion)

How to prepare for an external assessment?

Before the external assessment, the chief audit executive (CAE) should make sure that his/her organization meets the following conditions as a minimum:

• Risk-based audit strategy and annual plan approved by the board or its audit committee (a board-created committee tasked to oversee internal and external audit and ideally headed by an independent director);

• Audit charter approved by the board or audit committee;

• Functioning audit committee which meets regularly (supported by minutes of meetings and periodic CAE reports [i.e., progress, interim, special and annual] to the committee, and backed by an audit committee charter approved by the board);

• Comprehensive audit (procedures and policy) manual;

• Organizational independence such that the CAE reports directly to the board or to a level within the organization that allows the internal audit activity to fulfill its responsibilities, and its activity is free from interference;

• Quality assurance and improvement program (particularly completion of an internal quality assessment by a Certified Internal Auditor or CIA or equivalent professional with conclusion, findings and recommendations or a “road map” to improvements);

• Final audit reports and corresponding working papers (to support or evidence execution of the approved audit plan);

• Adequate audit staff with the desired professional attitude (by being impartial, unbiased) and proficiency (by obtaining appropriate professional certifications like the CIA and Certified Information Systems Auditor or CISA); and

• Continuing professional development program to enhance the auditors’ knowledge, skills and other competencies.

The audit manual should prescribe procedures that are aligned with the International Standards for the Professional Practice of Internal Auditing (ISPPIA or “the Standard”) as well as “leading practices” in internal audit. This manual should include:

• Requirements to implement a risk-based approach;

• Administrative matters like having adequate staffing and engagement supervision;

• Conduct of pre- and post-audit meetings/conferences with the auditees to present and explain the audit objectives, program and scope;

• Validation and clearance of the audit findings/observations noted;

• Minimum working paper requirements/templates to support audit program execution and to evidence findings/observations noted;

• Audit sampling policy;

• Report writing standards (as to format, conciseness, contents, draft and final versions, capturing auditees’ response, and timing of release);

• Performance metrics and criteria;

• Mandatory follow-up of outstanding issues and recommendations of previous audit reports.

What is a quality assurance and improvement program?

Just like the risk-based approach to internal audit, a quality assurance and improvement program is a set of rigorous, comprehensive processes that the CAE is required to put in place in order to ensure the quality of the internal audit activity. These processes include appropriate supervision, periodic internal assessments and ongoing monitoring of quality assurance, and periodic external assessments (Practice Advisory or PA 1300-1 – Quality Assurance and Improvement Program).

The Standard defines a Quality Assurance and Improvement Program (QAIP) as a program that is “designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement” (ISPPIA 1300 – Quality Assurance and Improvement Program). Specifically, “QAIPs include an evaluation of:

• Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, including timely corrective actions to remedy any significant instances of nonconformance;

• Adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures;

• Contribution to the organization’s governance, risk management, and control processes;

• Compliance with applicable laws, regulations, and government or industry standards;

• Effectiveness of continuous improvement activities and adoption of best practices;

• The extent to which the internal audit activity adds value and improves the organization’s operations.”

(PA 1310-1 – Requirements of the Quality Assurance & Improvement Program)

How to establish a QAIP?

To establish a QAIP, the CAE will need to have the “right people”, “right processes” and “right tools”. For example, the CAE needs to have the “right people”, such as Certified Internal Auditors (CIAs) or other competent audit professionals currently assigned elsewhere in the organization to do a periodic internal assessment (the “right process”) using the “right tools”, like IIA’s Quality Assessment Manual or a comparable set of guidance or tools. The CAE will also have to formulate and issue an audit manual (“right tool”) to be followed by all the members of his/her audit team. To determine whether the members of the team are complying with the established policy and the Standard, a selective peer review of working papers by staff not involved in the respective engagement, as well as a regular or random survey of the auditees (audit customers or other stakeholders), may have to be conducted after the engagement (“right processes”) to obtain feedback (PA 1311-1 – Internal Assessment, paragraphs 1, 3 & 4).

What does it mean to pass the external quality assessment?

Passing the external quality assessment is a major milestone because it provides reasonable assurance to the stakeholders that relevant IA structures, policies and procedures comply with the requirements of the Standards and IIA’s Code of Ethics. It can also be inferred that the CAE and IA team have shown that they have developed and maintained their professional proficiency, performed their work diligently, competently and objectively, and served stakeholders reasonably well for the period covered, and hence have earned the trust and respect of their senior management and the board.

What is the greatest value of the external quality assessment?

Nevertheless, the greatest value of the external quality assessment does not merely rest on the independent reviewer’s overall opinion of “conformance”, “partial conformance”, or “non-conformance” to the Standards, but rather on the key areas for improvements that came out of the independent review.

Based on my professional experience, even the best companies in their industry have “room for improvements” as far as their internal audit activity is concerned. Invariably, there were some bitter critics or unsatisfied parties in the performance of internal audit work, especially those that received not-so-good audit ratings (which is typical and expected). It is very encouraging to note that, despite “angry or strong criticisms”, “gaps” and “shortcomings” noted, all the CAEs we’ve dealt with have exhibited “uncommon humility” and fortitude as well as remarkable openness to all significant issues presented and proposed changes, most especially those that will lead them to adopt “leading or best practice” in internal audit. This positive frame of mind by the CAEs raises the bar of excellence in enterprise assurance and promotes good corporate governance.

(Reginald C. Nery, CPA, CIA, CISA, CFSA, CCSA, CISSP, CISM. He is the Head & Partner of Performance and Technology Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity.

This article is of general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com or rcnery@kpmg.com)
