The Institute of Internal Auditors (IIA) requires an External Quality Assessment Review (EQAR) of the Internal Audit Activity (IAA) at least once every five years. As part of the review, assessors examine the internal audit activity and evaluate its conformance with the IIA Standards. Areas of success and opportunities for performance enhancement are also identified. When working with clients, we have found it most helpful to break the performance evaluation into four distinct areas: planning, people, metrics, and tools. In doing so, we have gathered several noteworthy observations for each performance area.
Planning Observations
In general, our observations in QARs concerning the internal audit activity's planning are positive. Management expects Internal Audit to execute its annual plan and to operate at a level consistent with "best in class."
1) Incorporating risk analysis for annual planning efforts
To determine the priorities of the internal audit activity, the annual plan must be risk-based. While this may seem obvious and relatively straightforward, it is frequently overlooked or forgotten. Therefore, the following questions should be considered:
- Have you performed a risk assessment?
- If so, does your risk assessment link to the company's Enterprise Risk Management program?
- Does your risk assessment consider factors such as financial statement materiality, prior audit issues, the time elapsed since the area was last audited, and the coverage provided by other assurance functions (e.g., the Three Lines of Defense)?
- If you have multiple locations, do you perform a location-level risk assessment?
2) A Collaborative Approach to Annual Planning
It is essential to obtain the input of senior management and key stakeholders throughout the risk assessment process. Doing so ensures the assessment is not conducted in a vacuum and that key stakeholder concerns or questions are addressed in a timely manner. The following questions should be considered:
- Did you obtain the input of senior management and key stakeholders during the risk assessment process?
- Do you consult with other internal and external assurance functions regarding their strategic initiatives, audit plans, and changes in scope?
- Do you informally consult with the Audit Committee Chair before submitting the risk assessment and audit plan to the Audit Committee for approval?
3) Adjust the Annual Plan in Response to Changes
The Chief Audit Executive (CAE) should review and adjust the plan as needed in response to changes within the organization or in the wider environment. Given time constraints, however, this step is often overlooked or viewed as unnecessary or unrealistic. Therefore, the following questions should be considered:
- Did the Chief Audit Executive (CAE) review and adjust the draft plan for known organizational changes?
- When developing the annual audit plan, do you consider significant changes in people, processes, and technology?
- Do you use the company's earnings presentations to identify investor concerns and industry risks?
4) Frequency of the Risk Assessment Supporting the Annual Plan
The Internal Audit plan should be based on a documented risk assessment undertaken at least annually. Our observations, however, show that risk assessments are frequently refreshed only every three years. Therefore, the following questions should be considered:
- Is a risk assessment performed annually, or is it only conducted every two or three years?
- Does your risk assessment include emerging or new risks, or do you use the same risk inventory as last year?
- Do you analyze changes in risk ratings across consecutive annual risk assessments, identify significant shifts in risk level, and confirm that each shift is consistent with your understanding of operations and of the changes that occurred?
5) Engagement Planning Considerations
Frequently, there is an excellent risk-based annual plan but no linkage to the engagement plan. This stems from engagement teams not knowing which risks were identified during annual planning or what the concerns of key stakeholders are. To create that linkage, engagement planning should not be conducted in a vacuum. Each engagement owner should consider the following questions:
- Why is the engagement on the annual plan?
- What are the risks associated with the area?
- Have the areas of concern changed? A concern raised ten months ago may no longer be present, and a new risk may have emerged.
6) Engagement Planning Does Not Include All the Required Elements
Organizations should have a documented plan for each engagement. Frequently, however, there is an audit program and a set of testing results, but no initial plan demonstrating that all relevant areas are covered. This often occurs when organizations use third parties and fail to capture the scope, the access to records, and any limitations on report distribution. Therefore, it is essential to capture all risks relevant to the engagement and to document the following elements:
- Scope: What is included, what is excluded, and why?
- Timing: Are you expecting any significant changes within the organization? Will there be system changes or upgrades? If so, it may be best to perform the review after the change(s) have occurred.
- Resource allocation: Do you have the right skill sets and experience to execute the review? Have you adequately estimated the amount of time needed for each review?
How MorganFranklin Can Help
We work with our clients to provide an independent validation of the Internal Audit Activity and to identify opportunities to increase effectiveness, improve processes, and enhance credibility. Our methodology is built around complete support and encompasses benchmarking, best practices, templates, and tools that support business goals. To learn more about MorganFranklin's EQAR, contact our experts below.