Primary navigation:

QFINANCE Quick Links
QFINANCE Reference
Add the QFINANCE search widget to your website

Home > Auditing Best Practice > How Can Internal Audit Report Effectively to Its Stakeholders?

Auditing Best Practice

How Can Internal Audit Report Effectively to Its Stakeholders?

by Andrew Cox

Reporting on the Quality of Internal Audit Work

A model for reporting on the quality of internal audit work could be based on the following four elements: a quality assurance and improvement program, performance measures, review by external audit, and review by regulatory bodies.

Quality Assurance and Improvement Program

The “International Standards for the Professional Practice of Internal Auditing” issued by the Institute of Internal Auditors requires every internal audit function to operate a quality assurance program:

“The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of internal audit activity.”

A quality assurance and improvement program is designed to enable an evaluation of internal audit’s conformance with the Definition of Internal Auditing and the Standards, and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of internal audit and identifies opportunities for improvement.

This program should include both internal and external assessments. Internal assessments comprise: ongoing monitoring of the performance of the internal audit activity; and periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.

External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board the need for more frequent external assessments; and the qualifications and independence of the external reviewer or review team, including any potential conflict of interest. The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

Performance Measures

Best practice in internal auditing suggests that, like most business units in an organization, internal audit should have performance measures or key performance indicators (KPIs) in place to demonstrate its own level of performance. Best practice also suggests that performance measures need to be specific (clear and concise), measurable (quantifiable), achievable (practical and reasonable), relevant (to users), and timed (having a range or time limit). For more on this, see the case study.

Review by External Audit

As part of its annual external audit of an organization, the external auditors will usually assess the internal audit function on such matters as its organizational status, scope of function, technical competence, and due professional care exercised in its work.

Review by Regulatory Bodies

In many countries, regulatory bodies review the competency and work of internal audit as part of their periodic regulatory review of an organization. These are generally restricted to particular industry groups, for example financial institutions.

Case Study

Measurement of the Internal Audit Function

The chief audit executive of an organization in Brisbane Australia was seeking ways to measure the work of his internal audit function. He knew that internal audit was doing a good job, but he did not have the evidence to prove it. In thinking how to address this problem, he designed KPIs against which his internal audit function could demonstrate its performance to the audit committee and the organization (Table 2). After all, internal audit assesses the performance of other areas of the organization, so why should it be exempt from having its own performance examined?

Table 2. KPIs prepared by the chief audit executive to assess internal audit

Key performance indicator Measure Target Frequency
1. Completion of Internal Audit Plan
1.1 Complete planned internal audits as per the approved Internal Audit Plan (subject to approved plan amendments) % of planned internal audits completed within the financial year 95% Annually
1.2 Complete special and ad hoc management-initiated internal audits and investigations in addition to scheduled internal audits (an allowance for this is contained in the Internal Audit Plan) % of allowance utilized for unplanned ad hoc and management-initiated internal audits and investigations 95% Annually
1.3 Approved Internal Audit Plan to be completed within the approved internal audit budget % variance from approved budget for the financial year 5% Annually
2. Implementation of internal audit recommendations
2.1 Internal audit recommendations accepted by management % of recommendations accepted by management (subject to internal audit independence being maintained) 95% Annually
2.2 Monitor the implementation status of internal audit recommendations by management and report outcomes to the audit committee Updated status obtained from responsible managers and reported to the audit committee Quarterly status reports delivered Quarterly
3. Formal survey feedback
3.1 Results of customer feedback surveys following each internal audit % of survey responses of good or better (averaged) 90% Annually
3.2 Result of annual feedback survey of members of the audit committee % of survey responses of good or better (averaged) 90% Annually
4. Independent quality review of internal audit
4.1 Result of external quality assessment of internal audit in accordance with The International Standards for Professional Practice of Internal Auditing Report issued detailing results of review Consistent with better practice Five-Yearly

Source: National Australia Bank, with amendment.

The chief audit executive considered these to be the KPIs the audit committee would be interested in to provide an overall assessment of the work of internal audit, and when he asked the audit committee, they agreed. He discounted KPIs such as the number of internal audit recommendations, or the number of internal audit hours delivered, since these can be manipulated and would therefore have little credibility with the committee.

Back to Table of contents

Further reading


  • Australian National Audit Office (ANAO). Public Sector Internal Audit—An Investment in Assurance and Business Improvement. Canberra: ANAO, September 24, 2007. Online at:
  • Reding, K. F., et al. Internal Auditing: Assurance and Consulting Services. Altamonte Springs, FL: Institute of Internal Auditors Research Foundation, 2007.
  • Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing. Altamonte Springs, FL: Institute of Internal Auditors, 2003.



Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share