Enhancing the internal audit function and its value through an external quality assessment

Author: Oluwasegun Sonola

This article aims to encourage stakeholders to ensure that an External Quality Assessment (EQA) of an internal audit (IA) function is undertaken periodically. It highlights the benefits of an EQA and suggests ways to extract maximum value from this activity.

What is an EQA?
According to the Global Internal Audit Standards (Standards) of the Institute of Internal Auditors (IIA), a quality assurance and improvement program is a program established by the Chief Audit Executive (CAE) to evaluate and ensure the internal audit function conforms with the Standards, achieves performance objectives and pursues continuous improvement. The program includes internal and external assessments.

The external assessment must be performed at least once every five years by a qualified, independent assessor or assessment team - this may also be achieved through a self-assessment with independent validation. However, one member of the independent EQA assessment team should be an active Certified Internal Auditor. Various regulators in the region, such as The Central Bank of the UAE and The Saudi Central Bank, also require that an EQA of the IA function is undertaken every five years.
 
EQA activities and reporting:
BDO’s approach to EQA includes review of:
  • Internal audit governance framework, including structures, roles, mandate, charter, reporting lines and accountabilities
  • Internal audit strategy, performance measurement, policies and procedures, methodology, processes, risk assessment and internal audit plan
  • Resource management, skills, competencies, due professional care, continual development and use of tools
  • Quality of internal audit reporting to the board, senior management and other stakeholders
  • Sample engagement files

The outcome of the EQA is a report which includes a conformance rating and detailed findings / gaps. The Standards prescribe a four-level quality rating and model/scale for concluding on conformance with requirements and standards and achievement of principles, the Purpose of internal auditing, and overall quality. The ratings are full achievement / conformance, general achievement / conformance, partial achievement / conformance and nonachievement / nonconformance.

Benefits of an EQA
Beyond obtaining an opinion on conformance with the Standards, the outcome of the EQA also includes recommendations for improvement. Thus, the EQA can contribute to improving audit quality, enhancing internal audit processes, improving efficiency and effectiveness, continuous performance improvement and positioning the IA function to support achievement of the organisation’s objectives. Yet, the value from an EQA can be further enhanced through the following activities.

1. Surveys and interviews

As part of an EQA, assessors should obtain stakeholders’ views on various aspects of the IA function, such as effectiveness and efficiency of the IA function, value add, contribution to the improvement of the organisation’s operations, meeting stakeholders’ expectations, and improvement of governance, risk management and control processes. The views can be obtained through well-crafted surveys and interview questions.

Surveying and interviewing various stakeholders (IA team, senior management, operational management, board members and other assurance providers) provides multiple perspectives on how IA is performing through different stakeholder lenses. Accordingly, the CAE can identify relevant focus and priority areas.

Also, it is important for the CAE to complete the survey and be interviewed. The responses should then be compared with other stakeholder groups to uncover gaps, misalignment or divergence of views and perspectives on the effectiveness of the IA function. This is useful for identifying areas of strength and opportunities for improvement for the function.

2. Maturity assessment

Though not a mandatory requirement of an EQA, a maturity assessment can maximise the value delivered to stakeholders. Through the use of a maturity model, it provides additional insights and foresight to the CAE, board and other stakeholders on leading practices and insights to help improve quality.

The IIA’s suggested maturity model for IA functions is a five-level framework with maturity ratings / levels defined as ‘initial’, ‘infrastructure’, ‘integrated’, ‘managed’ and ‘optimising’. The ratings are defined for relevant individual themes / elements, namely: services and role of internal auditing, people management, professional practices, performance management and accountability, organizational relationships and culture, and governance structures. However, other models, such as BDO’s maturity model, exist and may be used for this purpose.

This assessment can further reveal the degree to which the CAE and organisation are aware of, and have integrated, widely accepted external frameworks and leading practices. Additionally, an IA function can identify the level at which it is currently operating, set a desired level to attain and identify relevant strategic initiatives.

3. Benchmarking

Maturity assessment may be a form of benchmarking; however, real benchmarking entails comparison with the internal audit functions of an actual organisation or group of organisations. This can be qualitative and/or quantitative, covering elements such as those defined in the maturity assessment above or areas of interest for the CAE or the organisation. Thus, benchmarking criteria may be defined and agreed between the CAE / board and the assessors.

However, benchmarking should be undertaken cautiously as this activity may suggest that there is a perfect/ideal benchmark organisation(s). No two IA functions or organisations are exactly the same. Therefore, assessors should consider the uniqueness of each internal audit function and context of the organisation e.g. the legal structure, headcount, industry and culture. A further challenge is access to and availability of relevant benchmark data for effective and useful comparison.

From experience, determining an appropriate benchmark organisation is important, as this could consider size, revenue, governance structure, legal structure, sector/industry and whether it is local / global. Hence, the CAE and audit committee should proactively engage the assessors on suggested appropriate benchmark organisation(s) and key areas of interest for benchmarking such as scope and priorities, processes, resource management, use of technologies, integration with second line and innovation.
 
Conclusion
Undertaking an EQA that includes surveys, interviews, maturity assessment and benchmarking can enable IA functions and organisations to obtain insights on opportunities to further improve performance, add value to their organisations, enhance the credibility of the internal audit function, foster trust, and promote relevance in a changing environment. This can further enable the CAE to develop strategies for improvement and goals that are aligned with the evolving needs of the organisations and contribute to the achievement of business objectives.

Boards, senior management, CAEs and other stakeholders should therefore ensure that an EQA of the internal audit function is undertaken periodically even if regulations do not require it.