Governing the Internal Audit Function (Part 2/5): 5 Ways to Measure Quality in Internal Audit
Mathabatha Julius Mojapelo CIA, CRMA, CA(SA), RA (IRBA), BSQP, PEQA
Audit and Risk Professional |Thought Leader | Business Leader | Community Builder
As internal audits increasingly drive transparency and accountability within organisations, governing bodies need clear guidelines to ensure these functions deliver tangible value.
In this second part of our five-part series on governing the internal audit function, we delve into five key ways to assess internal audit quality. From gauging the competence of your team to fostering external collaborations, these indicators will help organisations not only evaluate performance but also promote ongoing improvement in their internal audit processes.
1. Team Competence: Are Your Internal Auditors Up to the Task?
Quality starts with the people. According to Standard 3.1 of the Global Internal Audit Standards, internal auditors must possess the appropriate competencies to carry out their responsibilities effectively. This includes not only relevant technical skills but also soft skills like critical thinking and communication. The chief audit executive (CAE) plays a crucial role here, ensuring that the internal audit function collectively has or can acquire the required competencies.
Continuing professional development (Standard 3.2) is also key to maintaining and enhancing these competencies. Certified auditors, for example, must fulfill ongoing education requirements to keep their skills sharp.
King IV’s Practice 50 also supports this, advising that the governing body should ensure that the arrangements for internal audit provide for the necessary skills and resources to address the complexity and volume of risk faced by the organisation, and that internal audit is supplemented as required by specialist services such as those provided by forensic fraud examiners and auditors, safety and process assessors, and statutory actuaries.
The Standards require that the Chief Audit Executives (CAEs) help their boards to understand the qualifications and competencies necessary to manage the internal audit function. While this seems reasonable, there’s a glaring conflict of interest: the CAE is essentially grading themselves.
Without an independent benchmark for CAE qualifications, boards may be left relying on the CAE’s subjective interpretation of what competencies are "common" or "leading." This is particularly concerning in situations where the CAE is not certified in internal audit, as the standards don’t specifically require that the CAE be certified as an Internal Auditor. This gap could undermine the effectiveness of internal audit leadership, especially in organisations where the CAE lacks strong professional credentials.
Without a competent team, the internal audit function risks being ineffective, ultimately failing to provide the value expected by the board and stakeholders.
2. Internal Assessments: Continuously Monitor and Improve
One often overlooked element of audit quality is the process of internal assessments. As per Standard 12.1, the CAE is responsible for developing and conducting internal assessments that monitor conformance with the Global Internal Audit Standards. These assessments are essential in identifying areas for improvement and addressing nonconformance, ensuring the internal audit function doesn’t stagnate.
The Standards require that the chief audit executive must establish a methodology for internal assessments that includes:
Based on the results of periodic self-assessments, the chief audit executive must develop action plans to address instances of nonconformance with the Standards and opportunities for improvement, including a proposed timeline for actions.
Practice 60 of King IV Code of Corporate Governance requires that the governing body should obtain confirmation annually from the CAE that internal audit conforms to a recognised industry code of ethics.
3. External Quality Assessments: The Objective Lens
No matter how robust internal assessments are, an external review brings an independent, objective perspective that is crucial for true quality assurance. According to Standard 8.4, an external quality assessment should be conducted at least every five years, either by an independent assessor or through a validated self-assessment.
The Standards require that when selecting the independent assessor or assessment team, the chief audit executive must ensure that at least one person holds an active Certified Internal Auditor® designation.
King IV’s Practice 59 reinforces the importance of these independent reviews, stressing that organisations must ensure external quality assessments are done to maintain credibility.
The following important considerations for implementation are included in the Standards:
Practice 59 in King IV Code of Corporate Governance aligns with the standards requiring that the governing body should ensure that an external, independent quality review of the internal audit function is conducted at least once every five years.
4. Performance Scorecards: Quantify and Qualify Success
Standard 12.2 suggests that CAEs must develop performance objectives in consultation with the board and senior management. These objectives should go beyond merely meeting deadlines or delivering reports but should also consider stakeholder satisfaction, operational efficiency, and the internal audit team's development.
A performance scorecard can track both qualitative and quantitative metrics, allowing CAEs to periodically validate progress. This balanced approach ensures that internal audit not only meets its obligations but continually improves and adds greater value to the organisation.
5. Reliance by External Audit: Boosting Confidence through Collaboration
International Standard on Auditing (ISA) 610 (Revised 2013) relating to Using the work of Internal Auditors indicates that while the objectives of an entity’s internal audit function and the external auditor differ, the function may perform audit procedures similar to those performed by the external auditor in an audit of financial statements.
Where this is the case, the external auditor may make use of the Internal Audit Function for purposes of the audit of financial statements in one or more of the following ways:
ISA 610 prohibits the external auditor from using the work of the internal audit function if the external auditor determines that:
Paragraph A13 of ISA 610 clarifies that the consideration of these factors individually and in aggregate is important because an individual factor is often not sufficient to conclude that the work of the internal audit function cannot be used for purposes of the audit.
It is therefore important to ensure that the reasons for the decision to rely or not rely on the work of internal audit are fully analysed as some of the factors considered may be out of the control of the Internal Audit Team.
The external auditor’s confidence in the internal audit function can be a powerful testament to its quality.
By fostering collaboration between internal and external auditors, organisations can streamline their audit processes and reduce duplication of efforts. This not only enhances efficiency but also demonstrates the internal audit function's competence and reliability.
Conclusion: Elevating Internal Audit through Quality Metrics
The quality of an internal audit function goes beyond simply meeting deadlines and ticking boxes. By focusing on team competence, thorough internal assessments, independent external reviews, detailed performance scorecards, and collaboration with external auditors, organisations can create an internal audit function that truly adds value.
Measuring these areas ensures the internal audit function stays effective while boosting stakeholder confidence that risks are managed, and organisational objectives are on track.
The next step? Implementing these measures to ensure that internal audit is not just effective but exceptional.
Sources:
Contact me at julius@ditsibiconsulting.com if you or your organisation may benefit from the following: