
Preparing Internal Audit for an External Quality Assessment

This short overview explains some of the key opportunities and threats of an EQA and encourages readers to ensure they properly prepare their IA team for an EQA and choose their EQA assessor carefully.

Over the past few years I have worked as an External Quality Assessor, helping Internal Audit teams to meet their obligations to have an External Quality Assessment at least every 5 years. In addition, I have helped several Heads of Internal Audit to prepare for an upcoming External Quality Assessment, often with important and unexpected results and benefits. Clearly each internal audit team is different and some are very well prepared for an EQA, but here are some of the key themes that I have picked up:

  • Make sure key documents have been updated for the latest IIA International Professional Practices Framework. The new IIA standards require that IA team charters etc. are in line with their requirements, and most readers will be aware that the standards were updated in 2017, covering, for example, that:
    • IA teams should be aligned with the strategies, objectives and risks of the organisation,
    • IA teams should operate in an insightful, forward-looking and proactive manner and
    • IA teams should coordinate with other assurance providers and consider relying on their work (using a systematic basis of determining this).

Ensure you have done an assessment of the strengths and improvement needs of your IA team, at all levels of the IA team (managers and staff). Especially for larger internal audit teams it is not unusual for an HIA or IA management team to have one impression of key strengths and improvement areas against the IIA standards, but find that the auditors «at the coal face» have another view about, for example, skills and training plans, the quality of the audit planning process (even if they are not involved in it!), the quality of assignment planning, the usefulness of supporting tools (e.g. data analytics) and the quality of the audit software that they use (often less positive than the IA management team).

Readers are encouraged to ensure there is an IA team discussion about the IIA standards and IA team strengths and improvement areas, to avoid vital information that is known to team members, but perhaps not to the IA management team, being missed until the EQA starts.

Be clear about the EQA scope and process and ensure you will get credit and acknowledgement for known issues and current improvement plans.

  • Sometimes EQA assessors are keen to have as broad a remit as is possible, interviewing large numbers of senior managers across the organisation; and whilst this can have benefits, some HIAs have spoken of concerns about «fishing trips» and EQAs based on stakeholder opinions. Some have even reported the EQA as a precursor to the outsourcing of the IA function (which may of course be merited, it is hard to generalise). Hopefully this is not a serious risk for most IA teams, but some sensible conversations and appropriate due diligence about this potential risk are worth bearing in mind. In addition, readers will appreciate that there is nothing worse than reading a final draft EQA report and finding known issues and improvement areas reported back as if they are «fresh» findings. Ensure any EQA process explicitly includes a clear step that involves getting the IA team perspective on key issues, and what it is already working on, and understand how this will be reported in the final EQA report.
  • Ensure there is clarity about how the EQA will distinguish between judgements against the IIA standards and judgements against «best practice». For several clients, I have seen EQA reports that list improvement actions against best practice as if they were basic IIA requirements. This can give the impression that the IA team is much further back than it actually is. Therefore, it is important to clarify with any proposed EQA assessor how they will distinguish between basic compliance points and improvement areas towards best practice. Also, make sure that if something is being cited as best practice it is clear how many IA functions have actually implemented it, and their circumstances. For example, I have seen EQA recommendations suggesting the implementation of practices for audit teams that have under 10 staff, which when challenged, have turned out to be more suited to and more common in audit teams of 25+ auditors.
  • Look at IIA guidance on common EQA findings. These may vary from country to country, but some of the most common findings I have seen are:
    • The need to strengthen stakeholder management (both senior executive and audit committee / board).
    • The need to have a plan that is truly aligned to strategies, objectives and risks (all too often the plan is based on a process/unit-based audit universe and retrofitted).
    • The need to do audit work in the context of the overall assurance picture – which can be evidenced by having an assurance map and a clear sense of measuring the assurances from both line management and 2nd line functions (a big topic in its own right).
    • The need to be very proactive about audit team skills and capabilities and ensuring these match the needs of the audit plan (linked to key risks etc.).
  • Remember an EQA can give you significant benefits, but only if you trust the EQA assessor. Despite the risks outlined above, I am personally a strong believer in the benefits that can flow from having the right EQA. It can sometimes bring prominence to gaps that have concerned the audit team, but have been rather stuck – for example by helping to remove «no go» zones in the audit planning process, or by encouraging a stronger flow of experienced staff into the audit team, or more support for the use of guest auditors and guest advisors. All this highlights the need to choose your EQA assessor carefully, so that you can be confident it will have a positive impact, not just on the internal audit team, but on some related organisational governance, risk and compliance activities. And – speaking of a pet hate – make sure your assessor does not take pride in raising minor housekeeping points in relation to audit files, unless there is a clear impact on important audit conclusions!

Engage with key decision makers and manage their expectations

Audit Committees and Senior Managers may play a key role in selecting an EQA provider and considering their feedback. Make sure they are fully on board with the considerations discussed in this note.

In conclusion, I hope this short overview explains some of the key opportunities and threats of an EQA and encourages readers to ensure they properly prepare their IA team for an EQA and choose their EQA assessor carefully.