Why is it important for an internal audit function to have an effective quality assurance and improvement program?

You are here:

This information sheet (INFO 221) provides guidance to assist organisations that are considering whether to have an internal audit function, and to ensure the quality of this function. It may be relevant to directors and audit committees of entities subject to the ASX principles.

This information sheet explains:

What is internal audit?

An internal audit function can contribute to corporate governance by providing an organisation's directors and audit committee with independent reviews of, and suggestions for, improving the design and operation of the organisation’s:

• financial and non-financial control environment
• processes for identifying and monitoring risks
• governance processes.

Internal audit can be an important element in the control environment of organisations and can contribute to more effective risk management.

What do the ASX Corporate Governance Principles say about having an internal audit function?

The ASX Corporate Governance Principles and Recommendations (PDF 2.2MB) state that if a listed entity does not have an internal audit function, they need to explain the reason for this. Additionally, they should explain how risk management and internal control processes are managed, evaluated and continually improved in the absence of an internal audit function.

How can internal audit be independent?

In order to ensure the independence of the internal audit function from management:

• the internal audit function should report directly to the audit committee, rather than the management of the organisation
• the internal audit charter and plan should be reviewed and approved by the audit committee, who should also receive and review reports on internal audit engagements, and monitor the performance and independence of the internal audit function
• while the internal audit budget may be set with the chief executive officer, the appropriateness of the budget should be reviewed by the audit committee.

Internal audit services may be provided by employees, external service providers or a combination of the two. However, the external auditor should generally not also provide internal audit services to the same organisation.

How is the quality of internal audit work assured?

Internal audit should maintain a quality assurance and improvement program, including workpaper reviews and performance evaluations. Periodic external reviews of internal audit may also be appropriate.

Where can I get more information?

Important notice

Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice. You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

This is Information Sheet 221 (INFO 221), issued on 20 June 2017. Information sheets provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.

As a chief audit executive, you evaluate company performance and manage risk on a daily basis. Running an effective internal audit department relies on maintaining an independent, objective assurance and consulting function for your organization. A quality assurance review can help you be sure your internal audit activities drive real value for your organization.

IIA standards: What they mean for your internal audit function

Leading organizations put their internal audit function to the test by aligning audit activities with standards issued by the Institute of Internal Auditors (IIA), the International Standards for the Professional Practice of Internal Auditing . The standards are mandatory for organizations that claim to operate in conformance with IIA requirements. These principle-based standards, organized by 10 categories, provide a framework and means to measure how well departmental performance aligns with the practice of internal audits.

• Purpose, authority, and responsibility
• Independence and objectivity
• Proficiency and due professional care
• Quality assurance and improvement program
• Managing the internal audit activity
• Nature of work
• Engagement planning
• Performing the engagement and communicating results
• Monitoring progress
• Communicating acceptance of risk

The Quality Assurance and Improvement Program (QAIP)

Of all of these categories, the Quality Assurance and Improvement Program (QAIP) is a key area of focus when performing a quality assurance review (QAR). The QAIP measures alignment with the categories above and allow internal audit departments to elicit valuable, constructive feedback through both internal and external assessments.

Internal assessments leverage the expertise of internal audit staff to perform a self-assessment of internal audit department activities. They also serve as a prudent — and typically very insightful — preparatory exercise for an independent, external assessment. Performing an initial self-assessment helps your internal audit department establish benchmarks and metrics that align with and meet the requirements of the standards.

External assessments, conducted by an independent peer internal auditor or a service provider, deliver value in several ways. First, external assessments provide an independent assessment on the degree of alignment and conformance with the standards. External assessments also offer a fresh-eyed view of the internal audit department itself. Independent external partners should bring a fresh perspective, innovative thinking, knowledge of industry trends and developments, as well as informative knowledge of cutting-edge internal audit practices and tools, such as data analytics and new visualization tools. This perspective can create value-added opportunities well beyond the standards, such as enhancements to your internal audit department’s productivity, self-worth, and overall efficacy.

Your internal audit department should obtain an independent external assessment at least every five years to maintain conformance with the standards — and to meet the expectations of your audit committee.

How to ensure an effective quality assurance review

An effective QAR demands several coordinated, well-executed activities. Here’s how you can best support the process.

Planning and coordination:

• Work with your service provider or peer auditor to establish good communication protocols. Your objective here is to ensure all stakeholders are fully informed of assessment progress and findings.
• Collaborate with your review partner, management, and audit committee leadership to establish the appropriate assessment scope of the QAR so that the engagement runs smoothly, on time, and on budget.

Assessment execution:

The assessment should typically take place at the central point of internal audit operations, and fieldwork should happen over the course of one to two weeks, based on management scheduling needs. Your independent QAR provider will want to interview key stakeholders and primary beneficiaries of internal audit, such as senior management, accounting leadership, and operational department heads.

Ensure that these key stakeholders understand the value proposition of the assessment and that candid and constructive feedback will benefit the internal audit function.

Collaborative feedback and next steps:

Your quality assurance review provider should deliver a QAR report, which includes an overall assessment of your organization’s conformity with the IIA’s Standards and Code of Ethics under the International Professional Practices Framework.

The report should also provide recommendations and observations of opportunities for internal audit improvement.

Share this report with your audit committee, along with an established action plan to address any identified improvement opportunities. Feedback should be summarized by internal audit leadership and shared with the department — with expectations for improvement action as a component of the QAIP.

A quality assurance review of your internal audit environment helps you optimize your operations with specific, actionable feedback on your internal audit personnel, processes, and technology.

Think of the independent QAR as a valuable tool to not only to meet IIA standards but also to improve the proficiency, expertise, and organizational knowledge of your internal audit function. Put simply, a QAR helps you to optimize the value your internal audit department brings to your organization and its stakeholders.

Demands on internal audit (“IA”) functions have never been greater or more complex, with corporate governance, risk management and internal controls under increased scrutiny by regulators and stakeholders alike. IA functions are the last line of defense for any organisation to ensure that these elements are in line with ever increasing expectations. Making sure that audits performed are of high quality is key to ensuring that the function remains relevant to the needs of the business.

This booklet (~5 minute read) outlines key concerns for IA quality and identifies the key elements and action points for developing an effective Quality Assurance Improvement Programme (“QAIP”). Beyond the traditional QAIP, it also identifies how data analytics, continuous risk assessment and other measures can provide rich insights to audit committees.