Show Internal audit spends most of its time assessing various functions and processes across the organization. But how well does it know itself? After all, Aristotle once said, “knowing yourself is the beginning of all wisdom.” Luckily, there is an accepted review process for assessment of internal audit, known as a Quality Assurance Review. This is like a periodic check-up that can be conducted by an external expert, such as a Big Four audit firm or a boutique firm that specializes in QARs, or by the internal audit team itself with an independent external validation. In fact, the Institute of Internal Auditors requires that a QAR be conducted for internal audit at least once every five years. Still, many companies across the world tend to put this project off, as internal audit is a relatively self-regulated department, often with more work to do than it can get to already. And a QAR is like going to the dentist. We already know we should floss and brush more, there’s just not enough time in the day. So, if you’ve made the decision to have a QAR completed for your internal audit function, congratulations; you’ve completed the most difficult step in the QAR process! But now, several questions begin to whirl through your head: How do I prepare for a QAR? What will they look at? And will my department live up to the Professional Practice Standards set by the IIA? Don’t worry; you’ve come to the right place. Here we’ll consider some of the key documents you’ll want to prepare to ensure you are ready for your QAR long before the external auditors even send you their request list. 1: Internal Audit Governing Documents The following are what I’d consider the needed governing documents for a QAR. While all of these are not technically required by the IIA Standards, they are the most effective way to provide reasonable assurance that many of the Standards are fulfilled. If you don’t have some of these documents on hand, you might consider preparing them before the start of your QAR.
2: Quality Assurance and Improvement Program Your reviewers should be looking to ensure that your QAIP has the following, at a minimum:
They will also want to ensure that the QAIP results are communicated to senior management and the board, and that it meets the requirements of IIA Standards 1300-1320. 3: Internal Audit Strategic Plan or Long-Range Audit
Plan The plan should include a three-to-five-year range of attainable goals for your internal audit function. It should identify and assess risks, including fraud risks (Standard 2120). And it should take into account the organization’s strategic objectives, safeguarding assets, and compliance with all applicable laws and regulations (Standard 2120.A1). 4: Audit Plan–Budget to Actual The reviewer will compare your audit plan to the risk assessments mentioned above, and will compare the budget to actual numbers. Not only is this plan and the budget compared to actual numbers important to keep track of how audit is doing, it also allows the audit committee to appropriately manage the internal audit team from afar. 5: Audit Workpapers
Your workpapers should tell a story. They should document the time and effort you and your team put into each audit. I always tell internal audit team members that I should be able to follow their workpapers and their thought process without asking any questions. If I can do this, you’ve likely done a great job! 6: Audit Issue Tracking Now is the time to follow-up and track each recommendation until management has completed their action plan. The best way to track this is typically with a quarterly all-encompassing report that includes a summary of the issue, management’s initial response, and then a section for management to complete that includes details of progress towards completion of the goals. 7: Audit Committee Minutes While direct communication with the board is sometimes needed, indirect communication, as outlined in Standard 2060 is a requirement. To tell the full story, be sure to include information such as:
While this list is not meant to be all-inclusive, if you have these items ready to go, you are on the right track to have a successful QAR! Editor’s Note: Templates and examples for all of the documents listed above can be found on The Audit Library’s website. (A subscription is required.)John Kaneklides is co-founder of The Audit Library, a digital collection of internal audit documents, templates, and tools, as well as a provider of audit consulting services. He is also an internal audit consultant and a former audit senior at a credit union. How often should internal auditing be done?Audits should usually be scheduled at least once per year and should cover all of the activities you undertake – especially if they are relevant to your Management System. Depending on the process being audited, it may be necessary to change this frequency.
How often should the internal audit charter be reviewed?The internal audit charter is vital to internal audit's success and should be reviewed annually by the governing body. The internal audit charter should be approved by the governing body and agreed to by senior management.
What is the usual time frame for auditing by internal auditors?Audits are typically scheduled for three months from beginning to end, which includes four weeks of planning, four weeks of fieldwork and four weeks of compiling the audit report. The auditors are generally working on multiple projects in addition to your audit.
What are the skills required of an internal auditor?Generally speaking, internal audit competencies fall into one of three broad areas: Technical auditing or accounting skills; Skills relating to critical thinking and business understanding; and. Interpersonal and communication skills.
|