Reporting on the Quality of Internal Audit Work
A model for reporting on the quality of internal audit work could be based on the following four elements: a quality assurance and improvement program, performance measures, review by external audit, and review by regulatory bodies.
Quality Assurance and Improvement Program
The “International Standards for the Professional Practice of Internal Auditing” issued by the Institute of Internal Auditors requires every internal audit function to operate a quality assurance program:
“The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of internal audit activity.”
A quality assurance and improvement program is designed to enable an evaluation of internal audit’s conformance with the Definition of Internal Auditing and the Standards, and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of internal audit and identifies opportunities for improvement.
This program should include both internal and external assessments. Internal assessments comprise: ongoing monitoring of the performance of the internal audit activity; and periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.
External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board the need for more frequent external assessments; and the qualifications and independence of the external reviewer or review team, including any potential conflict of interest. The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.
Best practice in internal auditing suggests that, like most business units in an organization, internal audit should have performance measures or key performance indicators (KPIs) in place to demonstrate its own level of performance. Best practice also suggests that performance measures need to be specific (clear and concise), measurable (quantifiable), achievable (practical and reasonable), relevant (to users), and timed (having a range or time limit). For more on this, see the case study.
Review by External Audit
As part of its annual external audit of an organization, the external auditors will usually assess the internal audit function on such matters as its organizational status, scope of function, technical competence, and due professional care exercised in its work.
Review by Regulatory Bodies
In many countries, regulatory bodies review the competency and work of internal audit as part of their periodic regulatory review of an organization. These are generally restricted to particular industry groups, for example financial institutions.
Measurement of the Internal Audit Function
The chief audit executive of an organization in Brisbane Australia was seeking ways to measure the work of his internal audit function. He knew that internal audit was doing a good job, but he did not have the evidence to prove it. In thinking how to address this problem, he designed KPIs against which his internal audit function could demonstrate its performance to the audit committee and the organization (Table 2). After all, internal audit assesses the performance of other areas of the organization, so why should it be exempt from having its own performance examined?
|Key performance indicator||Measure||Target||Frequency|
|1. Completion of Internal Audit Plan|
|1.1||Complete planned internal audits as per the approved Internal Audit Plan (subject to approved plan amendments)||% of planned internal audits completed within the financial year||95%||Annually|
|1.2||Complete special and ad hoc management-initiated internal audits and investigations in addition to scheduled internal audits (an allowance for this is contained in the Internal Audit Plan)||% of allowance utilized for unplanned ad hoc and management-initiated internal audits and investigations||95%||Annually|
|1.3||Approved Internal Audit Plan to be completed within the approved internal audit budget||% variance from approved budget for the financial year||5%||Annually|
|2. Implementation of internal audit recommendations|
|2.1||Internal audit recommendations accepted by management||% of recommendations accepted by management (subject to internal audit independence being maintained)||95%||Annually|
|2.2||Monitor the implementation status of internal audit recommendations by management and report outcomes to the audit committee||Updated status obtained from responsible managers and reported to the audit committee||Quarterly status reports delivered||Quarterly|
|3. Formal survey feedback|
|3.1||Results of customer feedback surveys following each internal audit||% of survey responses of good or better (averaged)||90%||Annually|
|3.2||Result of annual feedback survey of members of the audit committee||% of survey responses of good or better (averaged)||90%||Annually|
|4. Independent quality review of internal audit|
|4.1||Result of external quality assessment of internal audit in accordance with The International Standards for Professional Practice of Internal Auditing||Report issued detailing results of review||Consistent with better practice||Five-Yearly|
Source: National Australia Bank, with amendment.
The chief audit executive considered these to be the KPIs the audit committee would be interested in to provide an overall assessment of the work of internal audit, and when he asked the audit committee, they agreed. He discounted KPIs such as the number of internal audit recommendations, or the number of internal audit hours delivered, since these can be manipulated and would therefore have little credibility with the committee.