At the start of a recent presentation, I asked a group of internal auditors to stand up if they thought internal audit was of great value to their organizations. Not surprisingly, everyone in the room stood up. I then asked them to sit down if they thought it would be acceptable if internal audit underperformed. Nobody sat down. Finally, I asked them to sit down if they thought other corporate functions that were just as valuable as internal audit should be audited periodically. Everyone sat down.
The purpose of this exercise was to demonstrate that an internal audit activity, if truly delivering the level of value it is capable of delivering, should be subject to an independent review. Because internal audit is an important part of an organization’s processes to assess and monitor risk management activities, failing to get assurance on internal audit’s effectiveness may diminish the organization’s overall risk management effectiveness.
The Audit Universe
An audit universe is a list of all auditable entities in an organization. An auditable entity could be a location, department, function, financial statement area, compliance requirement, or a multitude of other entities. Including such an entity in the audit universe is justified if the entity has some role in creating or preserving value for the organization. Stated differently, an auditable entity has some role in managing one or more risks to the achievement of organizational objectives. If it can’t be tied to an objective and risk, it shouldn’t be in the audit universe. The auditable entity’s role in managing those risks could be a form of risk mitigation such as controls, risk seeking — helping the organization take on or exploit risk to its advantage — or monitoring some aspect of those two.
The International Professional Practices Framework’s new mission for internal auditing includes the phrase, “to enhance and protect organizational value.” That mission aligns with the description of auditable entities. Most internal audit activities follow a risk-based approach, which helps them deliver on that mission. The Glossary to the International Standards for the Professional Practice of Internal Auditing (Standards) defines risk as “The possibility of an event occurring that will have an impact on the achievement of objectives.”
Therefore, any organizational activity that helps to reduce the impact or likelihood of negative events (protect value) or increase the likelihood that objectives will be achieved (enhance value) should be included in the audit universe. This logic supports including the internal audit activity in the audit universe.
A Quality Assurance Review
The Glossary to the Standards defines assurance services as “An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.” Broadly, an assurance-focused audit typically involves:
- Establishing one or more objectives for the audit such as determining the accuracy of financial reporting or certain recorded amounts, evaluating the adequacy of internal controls, confirming compliance with laws and regulations, or assessing the effectiveness and efficiency of certain processes.
- Understanding criteria against which an examination can be made. For example, such criteria may be generally accepted accounting principles for a financial reporting audit, regulations or policies for a compliance audit, or leading practices for a controls-focused or operational audit.
- Gathering evidence to support judgments and conclusions as to how effectively the area being audited is achieving those audit objectives and the associated criteria.
- Reporting on the results of the audit.
An internal audit activity is audited through a quality assurance review. The interpretation to Standard 1300: Quality Assurance and Improvement Program states, “A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.” That interpretation provides the outline for conducting an assurance review of the internal audit activity. The objectives of a quality assurance review are to:
- Evaluate the internal audit activity’s conformance with the Standards.
- Evaluate whether auditors apply the Code of Ethics.
- Assess the efficiency and effectiveness of the internal audit activity.
- Identify opportunities for improvement.
The criteria are the Standards and the Code of Ethics. Evidence is then gathered to support achievement of those objectives and, more specifically, conformance with the principles and requirements outlined in the Standards and Code of Ethics. Finally, a report on the results of the assessment is issued to communicate the results of the assurance engagement.
There’s one final requirement to truly make it an audit of the internal audit activity: an objective examination of evidence. Self-assessments and other forms of review can be an important part of a quality assurance and improvement program, as outlined in the Standards. However, to live up to the level of other internal audits, a quality assurance review should be conducted by individuals who are objective, such as appropriately trained individuals from a peer company or an outside service provider. This objective party should report on internal audit’s conformance with the Standards to the appropriate stakeholders. Once these final requirements are met, the CAE can feel comfortable that an audit of the internal audit activity has been completed.
Don’t Be Left Standing
It should be clear that if an organization’s internal audit activity is truly valued and plays an important governance role, it meets the criteria for being an auditable entity that should be included in an audit universe. Once internal audit is part of the audit universe, a risk-based approach should be applied to determine how often it should be audited, although to comply with the Standards, the audit should be performed at least once every five years.
The steps to perform such an audit are well-documented in the quality assurance review approach, which aligns with internal audit’s assurance service approach. Finally, the quality assurance report should be sent to key stakeholders, just like any other audit report is. If there are gaps in performance, the CAE should provide an action plan to close those gaps to internal audit’s key stakeholder, the audit committee.
This all seems logical and rooted in the Standards, yet only 42 percent of respondents to the 2015 Global Internal Audit Common Body of Knowledge Practitioner Survey indicate they conform with the 1300 series of the Standards related to a quality assurance and improvement program. It’s up to all internal auditors to make sure that if they’re ever asked to stand up in a crowd if they think internal auditing is important, and then sit down if their internal audit activity is audited, they aren’t one of those who remain standing.