There are organizations and then there are “world-class” organizations. Similarly, there are Internal Audit (IA) departments and then there are “world-class” IA departments. And it is not necessary that world-class organizations will have all their departments in that category. Surely, the chances are significantly high. There are several parameters which can be judged to ascertain if the IA activity falls in that category. Few that come to the immediate attention are:
- Use of Computer Assisted Auditing Techniques
- Employee motivation and retention
- Clear understanding of organization risks
These are taken from none other than the International Professional Practices Framework (IPPF) – The Standards.
Whilst the implementation of the Standards is not mandatory, they are considered sacrosanct. And compliance to the IPPF is the ultimate goal of almost every IA department. There are several IA departments who demonstrate compliance to many ‘individual’ parts of the Standards, but fail to demonstrate complete compliance when it comes to Standards 1300 –
Quality Assurance and Improvement Program (QIAP).
And it is not the difficulty which is the bottle-neck. In many cases, it is typically the lack of understanding of Standards 1300 and its expected benefits and value addition to the IA department and the organization. This article will aim to demystify this myth.
Quality is word which is perhaps difficult to define as it may take different connotations under different circumstances. In the words of Aristotle “Quality is not an act, it is a habit”. Whilst management guru Peter Drucker says “Quality is what the customer gets and is willing to pay for”. In the context of internal audit, it can be defined as “the responsibility on the shoulders of the Chief Audit Executive (CAE) to fulfil the needs and expectations of the stakeholders; whilst complying to their own professional ethics through conformance to the Standards.”Compliance and conformance alone fail to leverage the power of a Quality Assessment.
Quality Assurance and Improvement Program (QAIP)
The QAIP has 2 elements which need to be collectively addressed to conform to Standards 1300.
- Internal Assessment; and
- External Assessment
Many IA departments demonstrate the adherence to the IA plan and department budget as their KPIs. However, internal assessments also require to perform on-going assessments which can include work-paper review, staff performance evaluation, auditee satisfaction surveys, monitoring of KPIs, Actual v-s Budget, etc. IA departments also require to perform periodic self-assessments. (Note: this is not an exhaustive list).
External assessments must be conducted once every 5 years by a qualified and independent assessor from outside the organization and reported to the Audit Committee (AC). And this is one point many IA department overlook, especially those who are large conglomerates. Whilst there are no defined qualifications which an assessor should have, they should largely demonstrate competency in two areas: The understanding of the IPPF and the external assessment process.
The Road map to Initiating a Quality Assessment
The UAE Internal Auditors Association (UAE IAA), ensures that its assessors have undergone the QA course offered by the IIA and have a certain minimum experience without which they are not considered for the engagements. The UAE IAA adopts the IIA’s proven and documented methodology – The Quality Assessment Manual.
The QAs can be called for by either the Chairperson of the AC or the CAE. There are no statistics, but, experience has shown that when the AC calls for the QAs, there is usually some lack of trust or deliverables between them and the CAE with such assessments ending up on the “not favorable” side of the assessment scale as against when the CAE calls for the assessment. CAE’s may well wish to consider this point and “stick their neck out” and call for QAs on their department – of course with adequate preparation and planning as the outcome of the assessments requires to be communicated to the Board/AC.
A quality assessment, or QA, evaluates the compliance with the Standards, the definition of internal auditing, the Code of Ethics, the internal audit & audit committee charters, the organization’s governance, risk and control assessment and the use of successful practices.
So who audits the auditors? When an IA department undergoes a QA, it can proudly say that they too have been assessed. The rating mechanism of a QA can be either “General Conforms”, “Partially Conforms” or “Does Not Conform”.
Typically, a QA scope covers
- Conformance with the Standards & the Code of Ethics & the IA’s charter, plan, policies, procedures and applicable laws & regulatory requirements
- The expectations of the IA as expressed by the board, executive management and operational management
- The integration of the IA into the governance process, including the relationships between and among the key groups involved in the process
- Tools and techniques
- Mix of knowledge, experience and disciplines within the staff, including the focus on process improvement
- Determination that the internal audit activity adds value and improves the organization’s operations
It provides the IA departments to delve into the minds of their stakeholders and gauge their level of trust in the IA department and its functioning. The independent nature of the external assessor also provides for an opportunity to ask certain questions which can be used for further probing to provide further value added service. The CAE gets a holistic picture of what is happening around him/her without ruffling too many feathers. The QA assessors take care of those uncomfortable questions.
Think for a minute how many times the phone rings for a CAE or an email with a request – sometimes an urgent one – requesting for help in either a certain review or in some investigation. The number of consulting activities can be an indicator of how much value-added resource the IA department is considered by the organization’s management. With the level of such engagements rising the perceived value that the IA department is adding is definitely proportionate. As they say – a voice but no vote at on the management table.
Benefits of a QA
CBOK surveys have revealed that the top 5 reasons for investing in a QAIP are
- Identifying areas for improvement
- Full conformance to the Standards
- Bring systematic, disciplined approach
- Increase credibility within the organization
- Anticipate, meet and/or exceed stakeholder’s expectations
Further, the survey concludes that, when compared to other internal audit departments, those that conform to the quality standards:
- Were more likely to have complete and unrestricted access to information as appropriate for the performance of audit activities
- Made more use of technology in internal audit processes
- Used a wider variety of resources to develop audit plans
- Were more likely to have documented procedures in an internal audit manual
- Received more hours of training and were more likely to have formalised training programmes
- Served organisations with more highly developed risk management processes
- Were more likely to report that funding for the internal audit function was “completely sufficient”.
Conducting a Quality Assessment exercise offers the internal audit activity several benefits.
- It offers an opportunity to benchmarked against other IA departments. The Global Audit Information Network (GAIN) is also a good tool to use.
- The conducting of the QA is in itself adherence to full conformance to The Standards. This permits the IA activity (if the assessment results permits so) to insert the statement “This audit is conducted in conformance with ………..” within its audit report and can also state that the department itself conforms with the requirements of the IPPF.
- This lends credibility to the IA activity and increases the perceived value of the activity within the organization.
- The typical question of “Who audits the auditors?” also gets answered. The IA activity being subjected to the assessment which is conducted by independent assessors lends credibility to its activities.
- QAs also give an opportunity to meet or exceed stakeholder expectations as a result of the interviews and surveys which are conducted The Chief Audit Executive (CAE) is able to lay emphasis on the expectations spelt out.
- The CAE can use this opportunity to lay emphasis and focus on the IPPF and raise the awareness of The Standard amongst the management.
Overall, the reputation of organization is enhanced. This, due to the fact that nothing and no one in that organization is immune and is subjected to audit. It is a sign of a mature organization which is willing to learn and improve.
How to be Successful in a QA?
QAs require tremendous commitment from each and every staff of the IA department. It calls for commitment to quality (Mission/Vision/Values/Goals/Objectives/KPIs), drafting of policies and procedures, demonstrating continual improvement, monitoring and reviewing mechanisms and their subsequent reporting to the Board/AC – as a minimum. Conducting periodic internal assessment, plugging the identified gaps, and a formal documentation of the QAIP is a large step forward.
“The Audit team was very professional, systematic and helped us towards further improving our quality performance, professionalism and use of best practices.”
Tamer Said Ali, Deputy Chief Internal Auditor, Obeikan Investment Group
“It was a fruitful exercise and we welcome the improvement opportunities highlighted to enhance the quality and performance of the department.”
Beelall Ramdianee, Vice President – Internal Audit, Dubai International Financial Centre
The Next Steps?
It is quite certain that the benefits from a Quality Assessment far outweigh in not going for it. But this also calls for good preparation at all levels with the department hierarchy. To begin, it is important to have a project leader who understands the QA process. And attending a training session for a QA course will prove beneficial.
The QA cannot be done in isolation from the audit committee and hence it is imperative to appraise them of the exercise and the credentials of the team engaged to conduct the same. Having the audit committee on board is vital.
Historical data is proof that when a QA is called by the CAE, the chances of a successful QA are significantly higher than when called for by an audit committee. So, prepare well, and go for it. Do not wait for your audit committee to instruct you on this one.