Over the past decade, great emphasis has been placed on determining the quality and effectiveness of risk and control programs. It started with Sarbanes-Oxley compliance and has gained new meaning and momentum as a result of the financial crisis of 2008. However, as is often said, beauty is in the eye of the beholder. In this case, the beholder is often the Internal Audit (“IA”) function since the evaluation of the quality and effectiveness of the risk and control program typically rests with the Internal Audit function within a company. So, to ensure that your company is performing a quality evaluation, your company must have a solid understanding of the quality of its IA function.
Best practice dictated by the Institute of Internal Auditors requires an independent quality assessment of the IA function at least once every five years. A more frequent assessment may be considered if significant changes have affected how the IA function performs its responsibilities, e.g. a change in IA leadership and/or oversight, a change in IA methodology, or a significant merger and/or acquisition.
The quality assessment should address the following objectives:
- Assess the effectiveness of an IA function in providing assurance and consulting services to the board, senior executives, and other interested parties. This includes the adequacy of the IA activity’s charter, goals, objectives, policies and procedures as well as the IA activity’s contribution to the organization’s governance, risk management and control processes.
- Assess conformance to the Institute of Internal Auditors’ Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (“Standards”) and provide an opinion as to whether the IA activity generally conforms to all.
- Identify opportunities, offer recommendations for improvement, and provide counsel to the Chief Audit Executive (“CAE”) and staff for improving their performance and services and promoting the image and credibility of the internal audit function.
In addition, a well-designed quality assessment will include an evaluation of the following key IA function elements:
- The expectations of the IA activity expressed by the board, executive management, and its other “customers” (i.e., management of operational and support units).
- The entity’s control environment and the CAE’s audit practice environment.
- The focus on evaluating enterprise risk, assessing organizational controls, and including aspects of the governance process in audit plans to assure that audit activities add value to the enterprise.
- The integration of internal auditing into the organization’s governance process, including the attendant relationships and communications between and among the key groups involved in that process and aligning audit objectives and plans with the strategic objectives of the entity as a whole.
- The International Standards for the Professional Practice of Internal Auditing.
- The mix of knowledge, experience, and disciplines among the staff, including staff focus on process improvement and value-added activities.
- The tools and techniques employed by the department, with emphasis on the use of technology.
The final key element typically receives the least focus, but it can yield the greatest benefit to the IA function and the company as a whole. By automating IA management processes such as scheduling, planning, workpaper preparation, reporting and issue follow-up, IA functions can dramatically increase their ability to perform their responsibilities in concert with a company’s operation and risk profile. Open Pages’ Internal Audit Management solution is a great example of a solid platform that can support a high-quality IA function.
If you are interested in learning more about conducting an IA quality assessment for your company, please email us at NavigateSuccessfully@WheelhouseAdvisors.com.