For internal auditors, knowing how the audited organization (i.e., board members, audit committee members, management) defines value is one of the most important, yet most challenging, aspects of the profession.
Auditors routinely issue reports that include findings and recommendations related to user provisioning, formalized policies and procedures, undocumented reviews, and outdated system patches. These are relevant internal control issues that need to be corrected but are commonplace and not shocking to audit committees. Recently, KraftCPAs presented an audit report that addressed a programming error in the company’s three-way match process. The error would allow a payment to be processed when there was a significant difference between the purchase order price and invoice price. During the presentation, the audit committee chair asked, “How did you find that?” with a sense of amazement. This is when you know you have provided value as an auditor.
Value is different for everyone and can change based on circumstances. Accordingly, there isn’t an instruction manual that can be followed to ensure that your internal audit function is delivering value. However, the Institute of Internal Auditors (IIA) provides a framework that can set a foundation for credibility and provide the conditions necessary to deliver value to the organization.
Credibility bridges the gap between those moments of value-added amazement and keeps your internal audit function relevant. The IIA’s Quality Assurance and Improvement Program (QAIP) is the framework that helps build and maintain that credibility.
The IIA’s International Standards for the Professional Practice of Internal Auditing (the Standards) establish a road map for what the internal audit function should do. The QAIP, which is required by the Standards, is an ongoing program that provides a structure to increase the quality and value of internal audit services. It includes an assessment of the efficiency and effectiveness of the internal audit function, along with compliance with the Standards. It also provides the information needed for improvement and gives the best opportunity to deliver value.
For most, when a defined set of standards developed by a recognized professional organization is followed, credibility is immediately established. Credibility is further reinforced if the organization is assessed by a third party and found to be compliant with those standards.
All internal audit organizations should have a QAIP, but it’s required for organizations that use the phrase “… conforms with the International Standards for the Professional Practice of Internal Auditing” in their audit reports or other information describing their audit services.
The Standards establish how the internal audit activity should be structured. They also establish the activities that should be performed in three core components: governance, professional practices, and communication. Activities from these core components are assessed as part of the QAIP. QAIP assessments consist of three elements as well: ongoing monitoring, periodic self-assessments, and external assessments.
Sustainability for the QAIP is obtained by developing processes and templates that are repeatable and enforce compliance with the Standards.
One component of a QAIP that seems to be the most daunting and keeps internal audit functions from fully complying with the Standards is the required assessment by an independent third party every five years. Yes, even auditors try to avoid being audited. This fear comes from a lack of preparation. There is no secret to how the external assessors will perform their assessment. In fact, the QAIP provides the framework to prepare an internal audit organization through a self-assessment using the guidance used by external assessors.
Beyond the structure provided by the QAIP, relationship building is the most important factor in an internal audit function’s quest for delivering value. Having the right relationships and aligning audit activities with the strategic goals of the organization can lead to those value-added moments. This is the only way value can truly be understood. Relationships can be built and maintained through annual risk assessments, seeking management feedback, communicating the results of audit activities, and offering to help.
Many years ago, KraftCPAs inherited an internal audit function that had lost the trust of management and the audit committee. There were many challenges, but the top priority was to build relationships, establish credibility, and cultivate trust. This was accomplished by seeking constant feedback from management and offering to help, instead of being critical of mistakes and minor issues. Over the years, the client offered a “thank you” many times for guidance through the development of new controls during the implementation of new processes or systems. The prior audit team frequently declined to help in those situations.
Implementing a QAIP can seem like an uphill task, but most internal audit functions are inherently doing most of the required activities. With just a little guidance and the development of repeatable processes, any internal audit function can be successful. In fact, there is no mystery to how it works. The IIA provides all the guidance and tools necessary.
You know your QAIP is successful if the result of your external assessment is that the audit function “generally conforms” with the Standards, or, more importantly, the organization is seeking internal audit’s help and advice outside of routine audits.
If you need help establishing an internal audit function that adds value, your audit activity needs assistance establishing a QAIP, or your audit function needs an independent external assessment to demonstrate compliance with the Standards, KraftCPAs has the knowledge and experience to help.