Preparing for an Internal Audit Quality Assurance Review

Internal audit spends most of its time assessing various functions and processes across the organization. But how well does it know itself? After all, Aristotle once said, “knowing yourself is the beginning of all wisdom.”

Luckily, there is an accepted review process for assessment of internal audit, known as a Quality Assurance Review. This is like a periodic check-up that can be conducted by an external expert, such as a Big Four audit firm or a boutique firm that specializes in QARs, or by the internal audit team itself with an independent external validation. In fact, the Institute of Internal Auditors requires that a QAR be conducted for internal audit at least once every five years.

Still, many companies across the world tend to put this project off, as internal audit is a relatively self-regulated department, often with more work to do than it can get to already. And a QAR is like going to the dentist. We already know we should floss and brush more, there’s just not enough time in the day. So, if you’ve made the decision to have a QAR completed for your internal audit function, congratulations; you’ve completed the most difficult step in the QAR process!

But now, several questions begin to whirl through your head: How do I prepare for a QAR? What will they look at? And will my department live up to the Professional Practice Standards set by the IIA? Don’t worry; you’ve come to the right place. Here we’ll consider some of the key documents you’ll want to prepare to ensure you are ready for your QAR long before the external auditors even send you their request list.

1: Internal Audit Governing Documents
The first thing an external auditor will do, after reviewing any previous QARs that have been completed in the past, is to look at your governing documents. These often overlooked documents give the reviewer a template for how to measure your internal audit function. The reviewer will look to answer the following questions: Do these documents accurately describe what is in place? Do they follow the IIA’s Performance and Attribute Standards? Are they logical? Have these documents been approved by the appropriate governing body, such as the audit committee of the full board of directors?

The following are what I’d consider the needed governing documents for a QAR. While all of these are not technically required by the IIA Standards, they are the most effective way to provide reasonable assurance that many of the Standards are fulfilled. If you don’t have some of these documents on hand, you might consider preparing them before the start of your QAR.

• Internal Audit Charter: a formal document that clearly defines and articulates the internal audit function’s main goals and reasons for existence.
• Audit Committee Charter
• Internal Audit Policy
• Internal Audit Procedures Manual
• Anti-Fraud and Whistleblower Protection Policy
• Job descriptions for the Chief Audit Executive, internal audit staff, and internal audit interns

2: Quality Assurance and Improvement Program
The reviewers will then look at your Quality Assurance and Improvement Program (QAIP) to provide reasonable assurance that it is adequate and that progress is being made. Often, this is where many audit departments get tripped up. Internal auditors spend most of their time reviewing other people’s work, but there is very little time spent on internal assessment and improvement, so it is important to have a plan in place to ensure that audit’s work is adequately reviewed.

Your reviewers should be looking to ensure that your QAIP has the following, at a minimum:

• Internal and external assessment requirements
• Comprehensive and attainable goals for the size and level of the audit function
• Approval by the Audit Committee

They will also want to ensure that the QAIP results are communicated to senior management and the board, and that it meets the requirements of IIA Standards 1300-1320.

3: Internal Audit Strategic Plan or Long-Range Audit Plan
As individuals, it is difficult to improve or stay on task without a goal or a plan. The internal audit department is no different. So, it is suggested that your department have it’s own strategic plan, separate from any corporate strategic plans which your company may have in place.

The plan should include a three-to-five-year range of attainable goals for your internal audit function. It should identify and assess risks, including fraud risks (Standard 2120). And it should take into account the organization’s strategic objectives, safeguarding assets, and compliance with all applicable laws and regulations (Standard 2120.A1).

4: Audit Plan–Budget to Actual
Speaking of plans, your department should also have an even more detailed audit plan that has been approved by the audit committee. An extensive risk assessment process should have helped created this audit plan. It should include input from company management and the board of directors, combined with that of the internal audit leader or chief audit executive to create a well-rounded audit plan for the year. Internal audit should then track hours every day and measure progress towards the plan over the course of each plan year. The audit plan should include all audits, consulting engagements, administration time, external engagement preparation time, fraud investigations, travel time, holidays, paid time off, and any other use of internal audit time.

The reviewer will compare your audit plan to the risk assessments mentioned above, and will compare the budget to actual numbers. Not only is this plan and the budget compared to actual numbers important to keep track of how audit is doing, it also allows the audit committee to appropriately manage the internal audit team from afar.

5:  Audit Workpapers
The main event of any internal audit department is the actual audit! So, your audit workpapers should be in tiptop shape. But what does that mean exactly? A reviewer should ask the following about your audit workpapers:

• Was an appropriate scope established for each engagement?
• Are the workpapers complete and accurate?
• Was adequate documentation obtained and logically organized?
• Were conclusions and engagement results based on appropriate analyses and evaluations?
• Were results appropriately communicated with the auditee?
• Were those communications accurate, objective, clear, concise, constructive, complete, and timely?
• Where the workpapers appropriately reviewed, and any errors followed-up on?

Your workpapers should tell a story. They should document the time and effort you and your team put into each audit. I always tell internal audit team members that I should be able to follow their workpapers and their thought process without asking any questions. If I can do this, you’ve likely done a great job!

6: Audit Issue Tracking
You spend the countless hours auditing various functions at your organization. Then you create a beautifully written report to let management know how they need to fix the issues you found. Next, they respond saying they will do the things you’ve asked, and you breath a sigh of relief knowing your work for this engagement is over. Right? Wrong!

Now is the time to follow-up and track each recommendation until management has completed their action plan. The best way to track this is typically with a quarterly all-encompassing report that includes a summary of the issue, management’s initial response, and then a section for management to complete that includes details of progress towards completion of the goals.

7: Audit Committee Minutes
As we often say in the auditing world, you are only as good as your documentation. The audit committee is no exception! Well-written audit committee minutes are the official record of all the critical tasks and duties performed, and fulfill many of the requirements in the Standards for communication with the board.

While direct communication with the board is sometimes needed, indirect communication, as outlined in Standard 2060 is a requirement. To tell the full story, be sure to include information such as:

• Independence of the internal audit activity
• The audit plan and progress against the plan
• Results of audit activities
• Conformance with the Code of Ethics and Standards, and action plans to address and significant conformance issues

While this list is not meant to be all-inclusive, if you have these items ready to go, you are on the right track to have a successful QAR!  

Editor’s Note: Templates and examples for all of the documents listed above can be found on The Audit Library’s website. (A subscription is required.)

John Kaneklides is co-founder of The Audit Library, a digital collection of internal audit documents, templates, and tools, as well as a provider of audit consulting services. He is also an internal audit consultant and a former audit senior at a credit union.