Reporting on the Quality of Internal Audit Work
A model for reporting on the quality of internal audit work could be based on the following four elements: a quality assurance and improvement program, performance measures, review by external audit, and review by regulatory bodies.
Quality Assurance and Improvement Program
The “International Standards for the Professional Practice of Internal Auditing” issued by the Institute of Internal Auditors requires every internal audit function to operate a quality assurance program:
“The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of internal audit activity.”
A quality assurance and improvement program is designed to enable an evaluation of internal audit’s conformance with the Definition of Internal Auditing and the Standards, and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of internal audit and identifies opportunities for improvement.
This program should include both internal and external assessments. Internal assessments comprise: ongoing monitoring of the performance of the internal audit activity; and periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.
External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board the need for more frequent external assessments; and the qualifications and independence of the external reviewer or review team, including any potential conflict of interest. The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.
Best practice in internal auditing suggests that, like most business units in an organization, internal audit should have performance measures or key performance indicators (KPIs) in place to demonstrate its own level of performance. Best practice also suggests that performance measures need to be specific (clear and concise), measurable (quantifiable), achievable (practical and reasonable), relevant (to users), and timed (having a range or time limit). For more on this, see the case study.
Review by External Audit
As part of its annual external audit of an organization, the external auditors will usually assess the internal audit function on such matters as its organizational status, scope of function, technical competence, and due professional care exercised in its work.
Review by Regulatory Bodies
In many countries, regulatory bodies review the competency and work of internal audit as part of their periodic regulatory review of an organization. These are generally restricted to particular industry groups, for example financial institutions.