
How Can Internal Audit Report Effectively to Its Stakeholders?

by Andrew Cox

Executive Summary

  • Internal audit has a range of stakeholders who rely on its work, seeking assurance that the organization is running well and that there are effective controls in place.

  • Internal audit has a responsibility to its stakeholders to provide reports on the operation of the organization’s risk management, control, and governance processes. It also has a responsibility to justify the value of its work and the organization’s spending on internal audit resources.

  • Internal audit can report on its work to its stakeholders by:

  • Together, these elements combine to provide stakeholders with an overall view of the effectiveness of internal audit; one without the other will only provide a partial reporting structure.


Introduction

Internal audit has a variety of stakeholders who rely on its work. These include: the board of directors; the audit committee; the chief executive officer; senior executives such as the chief financial officer, chief information officer, chief risk officer, etc.; the external auditors; in some cases, regulatory bodies; and stockholders—who, in the case of government organizations, could be the public.

All these stakeholders are seeking assurance that the organization is running well, and that effective controls are in place and operating properly. Internal audit has an important role to play in providing assurance to these stakeholders, but the trick is how to report the results of its work to them effectively.


Assurance Models

Assurance can be equated with the term governance, the four pillars of a good corporate governance framework being—according to the Institute of Internal Auditors—executive management, the audit committee, external audit, and internal audit. Each of these elements relies to an extent on the others, and they all need to be operating effectively to provide overall assurance to stakeholders.

The board of directors will generally want to see a combined assurance model in place for the organization that provides three lines of defense, as shown in Table 1. This demonstrates the interdependencies between the four pillars of good corporate governance and the three lines of defense that go to make up a combined assurance model.

Table 1. Combined assurance model with three lines of defense

| First line of defense | Second line of defense | Third line of defense |
|---|---|---|
| Management controls | Management of risk | Independent assurance |
| Real-time focus | Real-time focus + review focus of 1st line | Review focus of 1st and 2nd line |
| Elements: Policies and procedures; Internal controls | Elements: Risk management; Legal department | Elements: External audit; Internal audit |
| Role: Review compliance; Implement improvements | Role: Confirm compliance; Recommend improvements | Role: Independently confirm compliance; Recommend improvements |

Source: National Australia Bank, with amendment.


Reporting on the Outcomes of Internal Audit Work

A model for reporting the outcomes of internal audit work could be based on the following four elements: internal audit reports, recommendations for improvement, a communication strategy, and an annual internal audit report. These are discussed below.

Internal Audit Reports

Internal audit reports are the most important part of the work of an internal audit function. The report is the culmination of the effort directed toward an audit of a part of the organization. Internal audit can be a costly resource, so reports of its work should demonstrate its value to the organization. Internal audit reports need to be:

  • Timely: reports should be issued in a timely manner.

  • Accurate: reports should contain accurate information.

  • Logical: reports should be logical and valid.

  • Clear: reports should be clearly written and easily understood.

  • Purposeful: reports should state why the internal audit was performed.

  • Written with the audience in mind: reports should be written to suit the intended reader.

The power of a tick should not be underestimated—it provides balance to an internal audit report. People do not go to work to do a bad job, and they appreciate recognition of good work. What they do not appreciate is an audit report that is negative by exception, says nothing positive, and effectively just gives them stick. So, acknowledge good work, and always say something positive in the report—and not begrudgingly.

Internal audit reports need to tell a story and be insightful. Merely telling people what is wrong cannot be seen as a good use of internal audit resources. That is the easy work, and does not reflect well on internal auditing as a profession. The real value of the work of internal audit comes from an emphasis on cause and effect. It is easy work to find the effect, but much more difficult to ascertain the root cause. Because of this, many internal auditors take the easy way out and just report on what has been found to be operating ineffectively.

Many internal audits could provide additional value to the organization if there was more emphasis on efficiency, effectiveness, economy, and organizational outcomes, with a view to assisting the organization further to improve and streamline business processes.

Recommendations for Improvement

Internal audit reports need to contain recommendations for improvement if they are to have any point. And the recommendations need to be targeted at correcting the root cause.

Locating the cause provides information on accountability relationships, and provides the basis for making improvements. It is important not just to find that something is wrong, but to work out what caused it to be wrong. This can prevent similar problems from happening again. Each recommendation needs to include:

  • Whether it is agreed with or not by the audit customer (and if not, why not).

  • What the audit customer is going to do about it (action plan).

  • By what date the action will be implemented and completed.

  • Who will be responsible for implementing the recommendation.

Recommendations contained in internal audit reports also need to be risk rated. In this way, management with the responsibility to implement remedial action will know which recommendations are most important and should be implemented first.

An important task of the internal audit function is to ensure that agreed recommendations arising from internal audit reports are satisfactorily actioned within a reasonable time-frame. If this is not done, its work will be virtually worthless. Many internal audit functions adopt an approach whereby:

  • Agreed recommendations from internal audit, external audit, and regulatory bodies are entered into a tracking system and monitored on an ongoing basis by internal audit and the audit committee.

  • Management responsible for implementing the recommendations is required to advise internal audit when this is complete, or to provide periodic reports on progress where this may be over a longer period of time.

  • Overdue recommendations are reported to the audit committee.

  • Internal audit periodically follows up to ensure that implementation has occurred as reported by management. This can be by 100% follow-up, by following up only those recommendations of higher risk, or by following up on a sample basis. A full follow-up audit is not generally necessary.

One point worthy of consideration is the necessity to cover off risks if recommendations are not actioned within a reasonable time-frame. Where a recommendation relates to a higher-risk problem and is not dealt with quickly, the chief audit executive should ask:

  • Why has it not been actioned?

  • Should the risk rating assigned to the recommendation be increased?

  • What fall-back or interim risk management procedures have been put in place to mitigate the risks associated with nonimplementation of the recommendation?

  • Should management make a statement accepting the risk associated with nonimplementation of the recommendation?

This information should be reported to each meeting of the audit committee.

Communication Strategy

To develop and maintain a profile within an organization, internal audit should take steps to improve its communication in order to make itself more visible to the wider organization. Some ways in which internal audit might do this include:

Raising awareness

  • Have information about internal audit and its achievements posted on the organization’s intranet.

  • Distribute a small brochure about internal audit, what it does, and its achievements.

  • Further develop relationships with stakeholders by making presentations on the work of internal audit to groups within the organization’s corporate environment.

  • Prepare an annual internal audit report on its activities.

Engaging management

  • Consult with internal audit customers prior to the commencement of each internal audit, and request their input to the objectives and scope of the audit.

  • Facilitate a risk workshop with internal audit customers in the planning phase of each internal audit.

  • When conducting internal audits, internal auditors should spend most of their time in the work areas of their internal audit customers, rather than in the internal audit work area.

  • At the completion of internal audit fieldwork, hold a workshop with the audit customer to discuss and agree possible improvement options.

  • Provide a balanced reporting format by reporting on what management is doing well, in addition to identifying opportunities for improvement.

Providing value-add

  • Plan for each internal audit with a wider view by encompassing objectives relating to efficiency, effectiveness, economy, and organizational outcomes.

  • Have involvement in working groups related to strategic developments within the organization in an observer/adviser capacity. It is considered best practice for internal audit to contribute to such forums by providing opinions, and ensuring that controls are considered and built into projects and systems under development, rather than after the event via post-implementation reviews, without necessarily compromising the integrity of later audits.

Annual Internal Audit Report

In some organizations, best practice extends to providing the audit committee and management with an annual report of internal audit activities featuring:

  • Achievements in the year.

  • Analysis of systemic issues identified through the work of internal audit.

  • An opinion on the organization’s overall risk management, control, and governance environment.

This can provide additional assurance to the audit committee, as well as being beneficial in alerting management to issues and risks identified in internal audits but which may also be occurring in other business areas.


Reporting on the Quality of Internal Audit Work

A model for reporting on the quality of internal audit work could be based on the following four elements: a quality assurance and improvement program, performance measures, review by external audit, and review by regulatory bodies.

Quality Assurance and Improvement Program

The “International Standards for the Professional Practice of Internal Auditing” issued by the Institute of Internal Auditors requires every internal audit function to operate a quality assurance program:

“The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of internal audit activity.”

A quality assurance and improvement program is designed to enable an evaluation of internal audit’s conformance with the Definition of Internal Auditing and the Standards, and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of internal audit and identifies opportunities for improvement.

This program should include both internal and external assessments. Internal assessments comprise: ongoing monitoring of the performance of the internal audit activity; and periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.

External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board the need for more frequent external assessments; and the qualifications and independence of the external reviewer or review team, including any potential conflict of interest. The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

Performance Measures

Best practice in internal auditing suggests that, like most business units in an organization, internal audit should have performance measures or key performance indicators (KPIs) in place to demonstrate its own level of performance. Best practice also suggests that performance measures need to be specific (clear and concise), measurable (quantifiable), achievable (practical and reasonable), relevant (to users), and timed (having a range or time limit). For more on this, see the case study.

Review by External Audit

As part of its annual external audit of an organization, the external auditors will usually assess the internal audit function on such matters as its organizational status, scope of function, technical competence, and due professional care exercised in its work.

Review by Regulatory Bodies

In many countries, regulatory bodies review the competency and work of internal audit as part of their periodic regulatory review of an organization. These are generally restricted to particular industry groups, for example financial institutions.


Case Study

Measurement of the Internal Audit Function

The chief audit executive of an organization in Brisbane, Australia, was seeking ways to measure the work of his internal audit function. He knew that internal audit was doing a good job, but he did not have the evidence to prove it. In thinking how to address this problem, he designed KPIs against which his internal audit function could demonstrate its performance to the audit committee and the organization (Table 2). After all, internal audit assesses the performance of other areas of the organization, so why should it be exempt from having its own performance examined?

Table 2. KPIs prepared by the chief audit executive to assess internal audit

| Key performance indicator | Measure | Target | Frequency |
|---|---|---|---|
| 1. Completion of Internal Audit Plan | | | |
| 1.1 Complete planned internal audits as per the approved Internal Audit Plan (subject to approved plan amendments) | % of planned internal audits completed within the financial year | 95% | Annually |
| 1.2 Complete special and ad hoc management-initiated internal audits and investigations in addition to scheduled internal audits (an allowance for this is contained in the Internal Audit Plan) | % of allowance utilized for unplanned ad hoc and management-initiated internal audits and investigations | 95% | Annually |
| 1.3 Approved Internal Audit Plan to be completed within the approved internal audit budget | % variance from approved budget for the financial year | 5% | Annually |
| 2. Implementation of internal audit recommendations | | | |
| 2.1 Internal audit recommendations accepted by management | % of recommendations accepted by management (subject to internal audit independence being maintained) | 95% | Annually |
| 2.2 Monitor the implementation status of internal audit recommendations by management and report outcomes to the audit committee | Updated status obtained from responsible managers and reported to the audit committee | Quarterly status reports delivered | Quarterly |
| 3. Formal survey feedback | | | |
| 3.1 Results of customer feedback surveys following each internal audit | % of survey responses of good or better (averaged) | 90% | Annually |
| 3.2 Result of annual feedback survey of members of the audit committee | % of survey responses of good or better (averaged) | 90% | Annually |
| 4. Independent quality review of internal audit | | | |
| 4.1 Result of external quality assessment of internal audit in accordance with The International Standards for Professional Practice of Internal Auditing | Report issued detailing results of review | Consistent with better practice | Five-yearly |

Source: National Australia Bank, with amendment.

The chief audit executive considered these to be the KPIs the audit committee would be interested in to provide an overall assessment of the work of internal audit, and when he asked the audit committee, they agreed. He discounted KPIs such as the number of internal audit recommendations, or the number of internal audit hours delivered, since these can be manipulated and would therefore have little credibility with the committee.


Conclusion

Internal audit has a responsibility to its stakeholders to provide reports on the operations of the organization’s risk management, control, and governance processes. It also has a responsibility to justify the value of its work and the organization’s spending on internal audit resources.

Internal audit can do this in two ways:


Making It Happen

The chief audit executive should develop effective reporting mechanisms with the audit committee and other stakeholders. Key reporting tools include:

  • Insightful internal audit reports.

  • Monitoring of internal audit recommendations, and periodic follow-up to ensure that recommendations have been implemented effectively and in a timely way.

  • An internal audit communication strategy.

  • An annual internal audit report that covers achievements in the year, an analysis of systemic issues identified through the work of internal audit, and an opinion on the organization’s overall risk management, control, and governance environment.

  • A quality assurance and improvement program that incorporates both internal and external assessments.

  • Key performance indicators measuring the performance of internal audit.

  • Periodic review of internal audit by external auditors and, where applicable, regulatory bodies.


