Auditing the internal audit
Credit to Author: The Manila Times| Date: Thu, 02 May 2019 16:19:04 +0000
Did you know that May is International Internal Audit Awareness Month?
Internal auditors worldwide unite to raise awareness of the profession and its value to the organization. They strive to not only inform the business community more about the profession, but also on the major contributions of the internal audit (IA) function to the effectiveness of the organizational governance, risk management and internal
control processes.
There are various creative ideas on how internal auditors raise awareness –from simply customizing email signature and social media accounts with the International
Internal Audit Awareness Month digital icon, to conducting a lunch-and-learn with other employees in the organization to explain what internal auditors do and why they do it, and answer questions to clarify their perceptions.
Despite of all the awareness campaigns by internal auditors, a question still lingers at the back of the minds of people being audited by these professionals: “Who audits the internal auditors?”
Internal auditors are empowered by the audit committee of the board of directors to examine many, if not all, parts of the organization. So it is but natural for stakeholders and auditees to ask on who checks the quality of IA activities.
The Institute of Internal Auditors (IIA), an international professional organization that serves as the voice, recognized authority, acknowledged leader, chief advocate and principal educator of the profession provides internal audit professionals with authoritative guidance in the form of the International Professional Practice Framework (IPPF). The IPPF’s mandatory elements recognized in IA charters require internal audit functions to develop and maintain a Quality Assurance and Improvement Program (QAIP) that covers all aspects of IA activity.
According to the IPPF Implementation Guides, the QAIP is designed to evaluate the IA activity’s conformance with the International Standards for the Professional Practice of Internal Auditing (the Standards, for short) and the internal auditor’s compliance with the IIA’s Code of Ethics. As such, it must include ongoing and periodic internal assessments as well as external assessments by a qualified independent assessor or assessment team.
It is the responsibility of the Chief Audit Executive (CAE) to have IA activities externally assessed at least every five years.
The purpose of external assessment is for a qualified, independent assessor or assessment team to validate the organization’s IA activities if they conform to the Standards and if internal auditors apply the Code of Ethics. The assessor or assessment team should be someone from outside the organization who is competent in IA and the external assessment process. Normally, these are internal auditors from outside the organization, independent consultants or audit firms, but preferably not those who audit the financial statements or those that provide IA co-sourcing to the organization. In the Philippines, the external assessment is usually done by audit firms and IIA Philippines through its pool of professional resources.
According to the Global Internal Audit Common Body of Knowledge’s (CBOK) recent closer look on Internal Audit Quality Assurance and Improvement, only 34 percent of participating CAEs state that they fully conform to the requirement for an external assessment, and many of them have not disclosed their non-conformance to their audit committees.
Locally, the only industry with high rate of conformance with the external assessment requirement is the banking industry, particularly the universal and commercial banking institutions. This is due to the Bangko Sentral ng Pilipinas’ requirement for the IA function to comply with sound IA standards such as the IIA’s International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics.
External assessment has also been on the radar of publicly listed companies these past years in response to Recommendation 12.1 of the Code of Corporate Governance of
Publicly Listed Companies, i.e. “Company has an adequate and effective internal control system in the conduct of its business”. The integrated annual corporate governance report requires listing quality service programs for IA functions in response to Recommendation 12.1.
It is true that regulators do not compel IA activities to undergo external assessment, except for commercial and universal financial institutions. However,if the IA charter recognizes the mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards and the Definition of Internal Auditing, it then follows that they should adhere to the conduct of external assessment at least every five years.
The CBOK study raises a key point that failure to conform to quality standards may have severe repercussions—both for the profession and for organizations served by internal auditors. The study says that the IA professional’s failure to abide by and enforce quality standards increases the risk that IAs will fail to identify and address significant issues, and that it can lead to inefficient or ineffective use of resources.
The same study found out that IA functions conforming to the requirements of QAIP and external assessment:
• were more likely to report functionally to a board, audit committee or equivalent
• were more likely to have complete and unrestricted access to information as appropriate for the performance of audit activities
• worked in organizations with more highly developed risk management processes
• used a wider variety of resources to develop audit plans
• made more use of technology in internal audit processes
• were more likely to have documented procedures in an IA manual
• received more hours of training and were more likely to have formalized training programs
• were more likely to report that funding for the IA function was “completely sufficient”.
At the end of the day, the greatest value an external assessment can bring is the key areas of improvement identified after the review. In addition, most external assessments by audit firms include benchmarking IA operating practices with those of its peers. In PwC, the external assessment of compliance with the Standards that is normally delivered to clients is packaged with benchmarking with the other IA functions in the same industry, and comparing the IA function’s operating practices with the perception and expectations of key stakeholders.
We’ve learned from various audit committee presentations that members of the committee are not only after conformance. They are also interested whether their IA functions meet their stakeholders’ expectations in terms of overall value being delivered to the organization.
Let me leave you with this quotation from the IIA’s Quality Assessment Manual for IA activity: “A critical asset for an internal audit activity is its credibility with stakeholders. To provide credible assistance and constructive challenge to management, internal auditors must be perceived as professionals. Professionalism requires conforming to a set of professional standards.”
Internal audit professionals, let’s continue to strengthen our credibility as we usher in the International Internal Audit Awareness Month.
* * *
Abigail Blanca M. Peña is a Risk Assurance Director of Isla Lipana & Co., the Philippine member firm of the PwC network.For more information, please email markets@ph.pwc.com. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
The post Auditing the internal audit appeared first on The Manila Times Online.