News
External Independent Assessment of Internal Audit Function
14-Nov-2022
By: Alaa Abdul Aziz Abu Naba’a/ Expert in Internal Auditing, Control, and Governance
External Independent Assessment as an Objective rather than a Requirement
The quality of a service is defined as the extent to which that service achieves its intended goal by meeting the stakeholders’ expectations. In the context of internal auditing, the quality of internal audit activities ( ) is determined through the following three points:
1- The value added that was achieved in the organization, along with the improvements in the processes of governance, risk management, and control;
2- Meeting the expectations of internal audit clients; internal auditors don’t get paid or compensated for the audit reports they prepare, or for the conclusions they reach, but for the activities they undertake to make their organizations better; and
3- Adherence to the International Professional Practices Framework (IPPF) for internal auditing.
Standard 1300, Quality Assurance and Improvement Program, of the International Standards for the professional practice of internal auditing (“the standards”) states that: “the chief audit executive (CAE) must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity”. The standard may be interpreted as follows: “a quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the standards, and to evaluate whether internal auditors apply the Code of Ethics” This program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The CAE should encourage the board’s oversight in the quality assurance and improvement program”.
Practice Advisory 1310-1, Requirements of the Quality Assurance and Improvement Program, states that “the quality assurance and improvement program must include both internal and external assessments” The objectives of the internal assessments ( ), and the external assessments, carried out by independent external bodies, are clear in the interpretation of the standard. In my opinion, these objectives are critical, and the CAEs should consider addressing them as an objective to improve their departments, rather than a burden or an ongoing requirement, as in the internal assessment( ). Such activities should be performed once every five years, as in external assessments ( ).
The quality assurance and improvement program may be adopted to achieve the following primary objectives through the assessment of the following aspects:
1- The level of consistency between the strategic plan of the internal auditing activity and the strategic plan of the organization;
2- The adequacy of the internal audit charter, the policies, procedures, and objectives related to the internal audit activities;
3- The extent to which the internal audit activities contribute to the improvement of the organization’s system of governance, risk management, and control, and the value added to the processes and activities that the organization performs, for which assurance and consultation services were provided;
4- Completeness of coverage of the entire audit universe;
5- Compliance with the applicable laws and regulations, and the common standards of the industry in which the organization operates;
6- The effectiveness of continuous improvement activities and adoption of professional practices; and
7- The key performance indicators of the internal audit activity
Typically, the quality assurance and improvement programs address all the aspects of the internal audit activity, including governance, planning, implementation, reporting, and monitoring of the activity’s outcomes, in addition to the efficiency of the allocated resources.
In this article, I will focus on independent external assessments which constitute a crucial and essential part of the quality assurance and improvement program.
The Three Acceptable Approaches to the Conduct of External Assessments
According to practice advisory 1312 (external assessments), there are two approaches to the conduct of external assessments:
1- A full external assessment; and
2- A self-assessment with independent external validation ( ).
In the implementation guidance, a third acceptable approach to external assessments, in the special considerations of the practice advisory 1312, was introduced; the mutual assessments of three or more peer organizations (e.g., within the same industry or other affinity groups, or regional association) ( ). Until the date of writing this article, I’ve never heard of an organization that uses this acceptable approach of assessment, despite its great advantages, on top of which is the availability of experience relevant to the same industry, as well as the cost-effectiveness factor.
Unfortunately, in this article I won’t be able to list the pros, cons, and challenges for each of these approaches, however, I mentioned them to make the reader familiar with the acceptable approaches according to the standards.
The Common mistakes in the Performance of External Assessments
I: Mistakes in the Selection of an External Assessor, or an Assessment Team
1- Placing too much focus on contracting with big consultation firms to undertake the assessment, although it is acceptable to have the assessment performed by an independent objective assessor, or team of assessors, as long as they are objective and independent;
2- The independent assessor (or the team of assessors) doesn’t possess the following necessary competencies, referred to in the “competencies of an external assessor” section in the implementation guidance of the advisory practice 1312 (external assessments):
• The professional practice of internal auditing (including an updated knowledge of the IPPF);
• The professional practice of external assessments;
• A certificate in the field of internal auditing (e.g., the Certified Internal Auditor (CIA));
• Knowledge about the best practices in internal auditing; and
• Recent experience in the practice of internal auditing at the managerial level, which demonstrates practical knowledge and ability to apply the IPPF.
The practice advisory of standard 1312 (external assessments) also refers to the following additional competencies of the assessment team leaders and independent assessors:
• Additional experience and skills that were acquired through previously conducted external assessments;
• Completion of the training course in quality assessment, provided by the Institute of Internal Auditors (IIA), or similar training courses; and
• The relevant technical experience in the industry to which the organization belongs.
3- Failure to verify that the external assessor, or all the assessment team members, are free of any conflict of interest, with the organization or any of its employees, whether the conflict is actual, appearance, perceived, or potential, may impair objectivity ( ).
II: Mistakes in the Assessment Procedures
1- limiting the assessment to what is stated in the IPPF, without considering the relevant legal requirements;
2- The assessment program doesn’t include adequate procedures to implement the following:
• Measurement of the efficiency and effectiveness of the internal audit activity;
• Measurement of compliance with the ethical principles and evaluation of the behaviors of internal auditors;
• Benchmarking the internal auditing activities and practices against the recommended practices in the profession and the industry to which the organization belongs;
• Evaluation of the coordination between the internal audit activity and other internal and external regulators;
• Evaluation of the competence level ( ) of the internal audit staff; and
• Ensuring that the internal audit activity uses appropriate standards in assessing the governance, risk management, and control systems, such as COSO-IC, COSO-ERM, and King IV report on corporate governance.
3- The external assessor, or the assessment team, and the members of the audit committees do not hold meetings during the assessment process;
4- Questionnaires to internal audit clients and all internal auditors, that aim at identifying the extent to which the internal audit activity achieves the expectations of the Board of Directors, senior management, and operational management, and the value it adds to the organization are not disseminated;
5- Placing too much emphasis on the last year of the assessment scope, although the scope includes the last five years; and
6- In general, the CAE doesn’t encourage the board’s oversight in the quality assurance and improvement program.
III: Mistakes in the External Assessments Reports
1- The assessor, or the assessment team, doesn’t comprehend the justifications of the internal audit activity due to noncompliance with the standards ( );
2- The audit committees or CAEs require the external assessor or the assessment team to provide testimonies about the outcomes of the assessment or provide an acknowledgment of the CAE’s or the internal audit function efforts in a separate report other than the external assessment report. As far as I know, this is not mentioned at all in the components of the IPPF. In my opinion, the request for such testimony should be raised to the audit committee or the board;
3- Many reports do not include any reference to the level of effectiveness and efficiency of the internal audit activity, as these reports focus on the level of commitment to the organization’s systems and policies;
4- The reports do not include the results of the follow-up of the observations that were noted in a previous assessment report.
Conclusion
The process of the development and establishment of the quality assurance and improvement program starts during the construction phases of the internal audit activity. That program should be developed in a manner that guarantees that quality will form an integral part of the internal audit activity, to ensure that such activities are automatically performed to meet the expectations of clients and to conform to the standards and the Code of Ethics.
I recommend that the various regulatory and supervisory bodies should require the internal audit departments, subject to their supervision, to adopt and monitor the quality assurance and improvement programs because such programs have a positive impact on the development of internal control systems, governance, and risk management.