As an Internal Auditor, you spend the majority of your time reviewing other people’s work; making sure they are following laws, policies, procedures and best practices. Then every once in a while, someone will ask “Who audits the Internal Auditors?”
When I worked in public accounting, I saw auditors from other firms come in and perform our peer review. When I worked in my first Internal Audit job at a credit union, my answer was the National Credit Union Administration, or NCUA. However, I quickly learned that their cursory review was not as beneficial to my department as I had assumed.
So what is the the real answer? In the Internal Audit world Quality Assurance Reviews, commonly referred to as QARs, are the industry standard. As a Chief Audit Executive I engaged a QAR, and now I perform these engagements as an assurance consultant, so I’m approaching this topic from all sides. Internal Audit is a self-regulated industry and engaging a QAR embraces the spirit of our work as we open ourselves up to the same level of scrutiny required of auditees.
I’ll get into how QARs are mandatory per the Standards, but there are many benefits of completing this project beyond just “checking a box.” Why are QARs so important? When are they required? How much work and disruption can Internal Audit departments expect during the QAR engagement? What benefits will ultimately be gained? Read on!
The Technical Stuff
To get our heads around Quality Assurance Reviews, let’s start with the International Professional Practices Framework Standard 1300 – Quality Assurance and Improvement Program:
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
The Standards go on to state that the Quality Assurance and Improvement Program (QAIP) must include both internal and external assessments, which leads me to IPPF Standard 1312 – External Assessments:
External Assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization.
Upon a successful implementation of the QAIP per IPPF Standard 1321, the Internal Audit Activity can use the phrase “conforms with the International Standards for the Professional Practice of Internal Auditing” in reports and other communications. If the Internal Audit Activity does not conform with the Standards, including the Code of Ethics, this must be disclosed to the board and senior management, according to IPPF Standard 1322.
That was a lot of technical information, and if QARs were only important because of the Standards, this would be a very boring post and I would not have started an assurance consulting business with my co-founder, John Kaneklides. Neither of us is too keen on being bored all the time!
The Real Benefits
The actual benefits that can be gained from engaging a qualified team to complete your QAR are real and tangible.
First of all, your auditees will appreciate seeing the Internal Auditors inspected, questioned and examined. From their perspective, it’s only fair. Your Audit Committee and Board of Directors are also likely to be impressed. These folks put a lot of trust in Internal Audit, and can sleep a little better knowing that a team of experts has assessed the audit activity, given feedback and concluded that your team is doing a great job.
When I was a Chief Audit Executive, I engaged the first QAR in the company’s history. At the Board meeting following our final report being issued, I was acknowledged for this accomplishment by the Chairman of the Board. I was completely surprised and honored when this happened. I went into the project thinking the QAR was simply a requirement and I was getting my house in order. However, it meant much more to the company leaders than I realized, raised the profile of our team and created a better working relationship with those that I audited.
What Holds Auditors Back?
Everyone wants to follow the rules, but unfortunately, this project is often delayed and prolonged by Internal Audit departments. When I’m discussing the need for QARs with peers and potential clients, I find that folks usually have a plan and timeframe to complete a QAR, but miss their own deadlines. Simply put, people are busy and audits tend to disrupt the normal flow of business.
Also, it’s unlikely that your CEO or Audit Committee will come knocking you’re your door, asking you to go spend money on consultants and then be unavailable for a few days. In many cases, the Internal Audit Department is the only group that knows about the QAR requirement at all. The mark of a true professional is someone who gets the work done and makes sure things are running smoothly; they don’t wait for someone to tell them to do it. You or your Chief Audit Executive will have to take the initiative to complete this project, include it in the budget and engage a qualified firm.
Yes, it’s a process, there is a cost, and there will be some work on Internal Audit’s part. If any auditors reading this are reluctant to start the QAR process because it’s a lot of work that will disrupt their department…
How do you think your auditees feel when your team shows up!?
The QAR is just one part of a comprehensive Quality Assurance & Improvement Program. The easiest way to get started is to perform a quality assurance self-assessment, wherein Internal Auditors can identify and self-correct issues before spending time and money on a QAR. Subscribers to The Audit Library can download our Quality Assurance Self-Assessment Work Program, which meets my interpretation of the Standards and provides valuable feedback.
Selecting a Provider
Moving on to the external assessment portion, the first step is to select a qualified provider by sending Request for Proposals (RFPs) to firms. Unless your external audit firm has rules against it, you may include them in the RFP process, and it’s a good practice to include one or two additional providers as well. This could be an opportunity to test out a firm if you plan on changing external auditors within the next few years, or to engage a firm that specializes in QARs and can bring their real world experience to your department. Each firm and auditor can bring something unique to the table, so it’s worth the time and effort to find the right fit for your department. The Audit Library has templates available to assist auditors in the selection process, including a QAR RFP Letter Template and a QAR Provider Selection Tool.
Audit departments can theoretically arrange a peer review with other colleagues and meet the external assessment standard. This takes a bit of planning, as at least three companies would need to be involved for independence reasons (A audits B, B audits C and C audits A). This type of arrangement can save your company consulting fees, but you also have to consider the opportunity costs. You will spend time preparing to conduct the review, be out of the office at some point performing a peer review and will need to consider the scheduling needs of two other companies. I’ve never been part of a peer review, but I’m guessing the company reviewed last will take a while. It’s hard enough to coordinate one project, let alone three!
While I can’t give peer reviews a full endorsement, if you choose to go that route, there is a Peer Review Audit Work Program available for subscribers.
The Typical Engagement
While each firm and auditor will approach the QAR engagement differently, there are many universal work steps:
- Review the prior QAR and any self-assessments performed
- Review the company’s financial statements and regulatory reports
- Review the company’s organizational chart and governing structure
- Interview the Chief Audit Executive, Internal Audit staff, Audit Committee members, company executives and others as needed
- Review charters, policies, procedures and any other governing documents
- Review Audit Committee minutes
- Review key Internal Audit department processes for effectiveness, efficiency and compliance with the Standards
- Determine whether Internal Audit planning, budgeting, and accountability measures are functioning appropriately
- Determine whether any scope limitations are being placed on the Internal Audit Activity, limiting their effectiveness
- Review training records and the continuing education plan for the department
Overall, the engagement team is determining whether the work quality and output of the Internal Audit Activity is commensurate with the needs of the company and requirements of the Standards. Any reputational issues, communication breakdowns or performance problems related to the Internal Audit Activity should come to light through this process. Like any traditional audit, the engagement team should discuss potential issues and findings with the Chief Audit Executive prior to submitting their report. Once the report is issued, it should be shared with the Audit Committee, CEO, and Board of Directors. An action plan and time frame for completion should be created for any issues, and the Audit Committee should be consulted if you disagree with any of the conclusions.
Clearly, the entire Internal Audit team will need to assist the engagement team to complete the project. Other staff will be involved as well. The Audit Library Consulting Group advises clients to budget for 20 work hours of preparation, and 20 hours assisting our team on site. Preparation typically involves gathering and organizing documents, sending files, arranging interviews, and having status updates and calls with our team.
The Audit Library Consulting Group offers QARs and other consulting services for Credit Unions. We have a team of former Internal Auditors who bring first-hand experience to help your department. If your Credit Union is due for a QAR, or if you have further questions, please request a proposal. This may be just what your Internal Audit department needs to raise your profile while satisfying an important requirement.
Have you engaged a QAR? How was the process, and what advice can you share with peers? Leave a comment!