Requirements for a quality assurance and improvement program (QAIP) are outlined in IIA Standard 1300. An integral part of any QAIP should be to help ensure an internal audit department is addressing expectations through the use of surveys. However, audit departments often limit the use of surveys to management in the area in which assurance or advisory activities are performed and miss an opportunity to obtain feedback from other key stakeholders, including the audit committee and executive management.
Audit departments should have a process to survey management at the conclusion of assurance or advisory activities to help identify opportunities for improvement. Questions should be objective and geared toward adherence to the
International Standards for the Professional Practice of Internal Auditing to help minimize subjective responses. In addition, rather than asking "yes" or "no" questions, respondents should be provided a scale ranging from "strongly agree" to "strongly disagree" or a number range such as 1 through 4. Including space to write comments to further elaborate on each of the ratings will provide greater insight into management's perspective.
Assurance & Advisory Survey
- The objective, scope, and timing of the assurance or advisory activity was clearly communicated.
- The team clearly communicated ongoing status as well as evolving issues throughout the assurance or advisory work.
- Appropriate areas of risk, including your specific concerns, were considered.
- At the conclusion of planning, the audit team demonstrated an appropriate level of industry and technical knowledge.
- The team demonstrated independence and objectivity in performing the assurance or advisory work.
- The team demonstrated courtesy, professionalism, and a constructive and positive approach and was able to establish effective working relationships.
- The disruption of activities was minimized as much as possible by the team.
- The assurance or advisory work consumed the amount of your and your team's time that you anticipated at the beginning of the review or less.
- Issues identified were constructive, accurate, mutually agreed upon, and communicated timely.
- Recommendations were creative, reasonable, actionable, and addressed the root causes of problems.
- The report was clear, accurate, and issued timely.
- The assurance or advisory work resulted in an enhanced awareness of business risks and controls in my department.
Just as action is expected by audit clients when control concerns are noted from audits, the chief audit executive (CAE) should take action if the response from a survey question falls below established expectations. For example, any score that is less than 3 on a 4-point scale should result in a follow-up. The process may include contacting the respondent or head of the area to obtain further information and reiterate the department's commitment to quality. Action may involve updating a department manual as well as communicating existing or enhanced procedures to all auditors to help avoid shortcomings in the future.
In addition, survey results should be shared with the audit committee and executive management as part of a balanced scorecard to measure the department on the basis of cost, quality, and timeliness. Survey results can be an effective measurement of quality for the department and should be paired with other quality metrics.
Despite efforts to create objective questions, it is often difficult to avoid correlation between the audit opinion rating and the survey results. It is common for audits with satisfactory ratings to receive high opinion scores while audits with unsatisfactory ratings receive low survey scores despite efforts to adhere to department policies and the
Standards. Management is human and may use the survey as an opportunity to praise or criticize the audit team, regardless of how the team actually performed.
Key Stakeholder Surveys
Managers over the areas where assurance or advisory activities are being provided are not the most important customer of the audit. First and foremost, internal audit serves the needs of the audit committee, followed closely by executive management. To ensure it's meeting key stakeholder needs, the department should have a mechanism in place such as a "Key Stakeholder Survey" (see below).
By surveying key stakeholders, the audit department can assess whether it is addressing Standards 2010: Planning, 2110: Governance, 2120: Risk Management, and 2420: Quality of Communications. The audit committee and executive management are in the best position to provide insight into the effectiveness of the department in addressing these standards as they consider the overall audit plan and results communicated throughout the year. While survey questions related to these standards can be asked of management over each audit area, key stakeholders see the broader value audits bring to the organization as a whole.
Using another department such as Communications or a third party and making the survey anonymous will improve the chances that key stakeholders will be more candid. Survey results should be shared with the audit committee, executive management, and external audit. Scores that are less than desirable, or comments that may indicate improvement opportunities, should be discussed along with action plans. These plans should be tracked with progress reported periodically to the audit committee and executive management.
Create a Repeatable Process
Performing key stakeholder surveys regularly, ideally annually, helps the CAE more quickly identify areas of concern rather than waiting for them to surface as part of an external quality assessment review or, worse yet, from complaints that may go to the audit committee regarding the department.
While many management surveys are performed at the conclusion of each assurance or advisory activity, these surveys may not provide feedback from the most important group of customers. Departments should create a repeatable process to survey the audit committee, executive management, and external audit and incorporate this into their QAIP.
Key Stakeholder Survey
Statements should be ranked and opportunity for comment provided.
- Internal audit is independent and objective in performing its work.
- Internal audit possesses the knowledge and skills, such as insurance industry knowledge and technology skills, needed to perform its responsibilities.
- Internal audit understands company business operations and strategy.
- The audit plan is risk-based.
- I receive adequate updates on the progress of achieving the audit plan.
- Internal audit evaluates risk exposures and the adequacy and effectiveness of related controls regarding:
- Achievement of strategic objectives.
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations and programs.
- Compliance with laws, regulations, policies, procedures, and contracts.
- Safeguarding of assets.
- Internal audit adequately assesses and provides appropriate recommendations for helping improve the governance process at the organization, including:
- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and accountability.
- Communicating risk and control information to appropriate areas of the organization.
- Coordinating the activities of and communicating information among the board, external auditors, and management.
- Internal audit reports and communications are clear, accurate, and issued timely.
- The conclusions reached in audit reports and the opinions rendered are appropriate.
- Internal audit shares information and coordinates activities with other internal and external providers of assurance and advisory activities to ensure adequate coverage and minimize any duplication of efforts.