As a consultant, I review the internal audit departments at multiple financial organizations each year through Quality Assurance Reviews (QARs). While my goal for these reviews is to help the Internal Audit department become more efficient and effective, I also focus on providing reasonable assurance that Institute of Internal Auditors Standards (the Standards), which provide exemplary guidance for how to run an audit shop, are being followed.
In many recent reviews I’ve noticed a trend of financial institutions not understanding the difference between internal audit and quality control. For an internal auditor, it’s essential to understand the differences between these two functions and to ensure that they are separated appropriately. While the two terms are sometimes (incorrectly) used interchangeably, they differ in ways that affect roles and reporting lines throughout the organization.
What is Internal Audit?
Let’s start by clearly defining Internal Audit. The Institute of Internal Auditors (IIA) defines internal audit as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
Internal Audit involves evaluating and testing an organization’s financial, operational, and compliance risks and controls. Internal Auditors provide recommendations to management for corrective action to improve the organization’s performance. The scope of Internal Audit covers all aspects of the organization’s operations, including financial reporting, information technology, human resources, and operations.
Internal Audit procedures can be conducted on a periodic basis, such as annually or quarterly, or on an ad-hoc basis when specific issues arise. The department reports functionally to the Audit Committee and administratively to a member of senior management, typically the CEO. Its main objective is to provide reasonable assurance that the organization’s controls are effective and that risks are appropriately managed.
Quality Control is NOT Internal Audit!
In contrast, quality control is a function that monitors, inspects, and proposes measures to correct the organization’s products, processes, and services to meet established quality standards set by management. Quality control is a continuous and ongoing process that involves monitoring and evaluating the organization’s performance against these established quality standards. There may be daily, weekly, monthly, quarterly, or even annual quality control checks of different functions and processes.
The process of performing quality control involves identifying deficient areas and implementing corrective action to address any inadequacies. Quality control can be performed by a designated department that reports to management, or by the employees themselves. There is no independence or objectivity requirement here. For example, a branch at a credit union may have a daily report of new accounts and loans which the employees look over to make sure all documents have been obtained and all required fields have been filled out.
Quality control is essential for enhancing customer satisfaction, improving employee engagement, and reducing the costs associated with poor quality and errors. When you really think about it, it would be almost impossible for any company to keep the lights on and the doors open without quality control processes in place.
The Three Lines of Defense Model
To fully appreciate the importance of the separation between these two functions, one must truly understand the Three Lines of Defense model. This model is a risk management framework that outlines the roles and responsibilities of different groups within an organization in managing and mitigating risks. The model is widely accepted across thousands of organizations, and the IIA updated it in July 2020 to better outline its structure and identify the responsibilities of management, internal audit, and the governing body. The model consists of three lines, each with a distinct role and responsibility in managing risk.
The first line of defense is responsible for managing risks on a day-to-day basis. This includes the controls built into products, processes, and services, along with the front-line employees who deal directly with customers and the other operational staff responsible for ensuring that risks are identified, assessed, and managed appropriately. The first line of defense is a function of management.
The second line of defense is responsible for providing monitoring oversight and challenge to the first line of defense on risk-related matters. This includes functions such as risk management, compliance, and our friends in quality control. The second line of defense ensures that risks are managed consistently across the organization and that controls are in place to mitigate those risks. The second line of defense is also a function of management.
The third line of defense is responsible for providing independent and objective assurance on the effectiveness of the organization’s risk management and control processes. The third line of defense is the function of internal audit, which provides an independent and objective assessment of the organization’s risk management practices. Consultants performing outsourced or co-sourced internal audit engagements are part of the third line as well. External auditors and regulators sit outside the organization’s three lines but provide additional independent assurance to the governing body.
By implementing the Three Lines of Defense model, organizations can achieve a more effective and efficient risk management framework. It enables clear separation of duties, provides a structured approach to managing risk, and ensures that there is independent assurance on the effectiveness of risk management and control processes. Ultimately, the model helps organizations to achieve their objectives while mitigating risks effectively.
Internal Audit and Quality Control: It’s Complicated!
Internal Audit often feels that it is responsible for completing some quality control activities, either because no one else at the organization covers them or because management has asked audit to review certain reports or processes. As we have already seen, these duties are not the responsibility of Internal Audit, and performing them creates a conflict of interest: audit cannot independently assess a control it operates.
One issue that can arise is Internal Audit not including quality control in its annual risk assessment and audit plan. Either it slips through the cracks because no single department is in charge of quality control, or it is left out because Internal Audit is performing the quality control duties itself. Under the Standards, Internal Audit must evaluate all areas of management’s risk management process, and that includes quality control.
Another complication I’ve run across is Internal Audit not realizing, or not explicitly identifying, that it is performing quality control duties. Common examples include reviewing the following reports on an ongoing basis:
- Continuous monitoring of dormant accounts
- Address file maintenance reviews
- Rate file maintenance reports
- Negative balance reports
- Various exception reports
Reviewing these reports as part of a formal audit is not quality control. Daily or weekly monitoring of the same reports, however, is quality control, and it consumes time that audit should be spending on the higher-risk items identified in its risk-based audit plan.
In summary, as an internal auditor for a financial institution, it’s crucial to understand the differences between internal audit and quality control and ensure that the two are clearly separated. Are you responsible for any quality control functions at your company? Leave a comment and tell us about it.