Is Your Audit House Shatterproof?
May 24, 2013
You've heard the expression, "People who live in glass houses shouldn't throw stones." A corollary drawn from a presentation I share with government auditors, though applicable to all internal audit shops, is "If you're going to throw stones, you'd better live in a shatterproof house."
As internal audit professionals we do live in glass houses. People expect us to walk the talk. They expect us to be, perhaps, just a bit more ethical than everyone else. And if at some point in our careers we have had a lapse in good judgment, or someone in the internal audit department had transgressions that others in the company knew about, we can expect to be discredited by those we critique.
Say, for example, you find that someone is not following company travel policy. If you aren't following that policy yourself and they know it, they're going to call you out for hypocrisy. As a professional who should help guide the ethical conscience of the organization, your actions should be above reproach.
If we're going to comment on the internal controls of other functions or business units, we must make sure that our own internal controls are effective and that the audit function is well-managed. A strong and effective quality assurance and improvement program is one means of assessing the resiliency of our glass houses.
As we all know, the International Standards for the Professional Practice of Internal Auditing(Standards) requires ongoing internal monitoring and an external quality assessment at least once every five years. The internal assessments must include ongoing monitoring of the performance of the internal audit activity and periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.
External assessments can be in the form of a full external assessment, or a self-assessment with independent external validation. The assessment must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board the form and frequency of external assessment and the qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments, and the results of ongoing monitoring are communicated at least annually. The results include the assessor's or assessment team's evaluation with respect to the degree of conformance.
These rules have been in place since 2002, and yet I have heard auditors from companies that should know better than to complain that they had no written audit policies or procedures. Surveys have shown that a significant number of internal audit departments have never had an independent quality assessment.
Does any of this ring true for you? When was your last review? I'd love to hear your thoughts on this subject.