quality assurance internal audit; analysis of standards and guidlines implemented by the institute...

Upload: annisa-puspa-dewi

Post on 07-Jul-2018

215 views

Category:

Documents


0 download

TRANSCRIPT

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    1/25

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 85

    Quality assurance in internalauditing: An analysis of the

    standards and guidelinesimplemented by the Instituteof Internal Auditors (IIA)

    M Marais

    School of Accounting SciencesUniversity of South Africa

    Abstract

    Via the Institute of Internal Auditors, founded in 1941, the internal auditing

    profession actively promote the quality of internal auditors and internal auditactivities. Since 1999, internal auditing standards have been revised. From

    1 January 2002, all internal audit activities/any consultant rendering internal

    auditing services must undergo quality control, according to the provisions of

    Attribute Standard 1300. The revised internal auditing standards on quality

    control in internal audit activities reflect fundamental changes for the internal

    auditing profession. This article analyses the formal prescriptions and guide-

    lines on quality in internal audit activities contained in the internal auditing

    standards and related practice advisories.

    Key words

    Chief audit executive External assessment

     Internal assessment Internal auditing

     Internal auditors Internal auditing standards

     Internal audit activity Internal auditing clients

    Quality Quality control

    Quality assurance Quality assessment

    Quality programme Quality service

    1 IntroductionAll good auditors know that to audit requires standards. All good managers know that to man-

    age requires standards. Therefore all good internal auditing managers should be doubly aware of

    this! (Large 997:6.)

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    2/25

    Quality assurance in internal auditing

    86  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    Since the founding of the Institute of Internal Auditors (referred to hereafter as the

    IIA) in the USA in 1941, the internal auditing profession has focused actively on

    promoting the quality of internal auditors and of internal audit activities. Their

    internal auditing standards currently require that quality control be exercised over

    internal audit activities; and they have laid down broad guidelines on the form that

    quality control in internal audit activities should assume.

    The IIA endorses a set of standards called the Standards for the Professional

    Practice of Internal Auditing (hereafter referred to as “the internal auditing stan-dards”) with which internal auditors must comply. In accordance with these stan-

    dards, internal audit activities must fulfil the responsibilities implied by the defini-

    tion of internal auditing.

    According to the IIA (IIA 2004:4), the objectives of the internal auditing stan-

    dards are:

    l  To delineate basic principles that represent the practice of internal auditing as it

    should be.

    l  To provide a framework for performing and promoting a broad range of value

    added internal audit activities.

    l  To establish a basis for the evaluation of internal audit performance.

    l  To foster improved organisational processes and operations.

    Since 1999, the guidelines for the internal auditing profession (including the stan-

    dards for the professional practice of internal auditing and the code of ethics) have

    undergone a process of revision. Since 1 January 2002, all internal audit activities

    and any consultant who renders internal auditing services have to be subjected to

    quality control, according to the provisions of  Attribute Standard 1300  of the

    internal auditing standards. The revised internal auditing standards on quality

    control in internal audit activities reflect fundamental changes for the internal

    auditing profession.

    Prior to the latest revision of the internal auditing standards, these standards con-

    tained only one standard (Standard 560) on quality control. Standard 560 stipulated

    that the head of the internal auditing function or chief audit executive was required

    to implement a programme to ensure and improve the quality of his or her internal

    audit activity (IIA 1998:84). The revised internal auditing standards at presentcontain seven different standards that set out specific activities that must form part

    of a quality assurance programme. According to the new standards on quality

    control, any quality programme must meet certain requirements. It must:

    l  Cover all aspects of the internal audit activity (Standard 1300).

    l  Continuously monitor the effectiveness of the internal audit activity (Standard

    1300).

    l  Offer assurance regarding the internal audit activity’s compliance with the

    internal auditing standards and the code of ethics (Standard 1300).

    l  Assist the internal audit activity in adding value and improving the organis-

    ation’s activities (Standard 1300).

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    3/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 87

    l  Make provision for continuous as well as periodic internal monitoring and

    assessment (Standards 1310 and 1311).

    l  Make provision for an external assessment, at least once every five years, the

    results of which should be reported to the organisation’s board of control (Stan-

    dards 1310, 1312, 1320 and 1340) (IIA 2004:11-12).

    The omission of any of the above elements from a quality programme indicates that

    the internal audit activity fails to meet the requirements of the internal auditing

    standards. If an internal audit activity does not comply with the internal auditingstandards, the internal auditors may not declare that their work has been performed

    in compliance with the internal auditing standards (Standard 1330). According to

    Standard 1340, when non-compliance of the internal auditing standards has an

    impact on the overall scope of operation of the internal audit activity, disclosure of

    such non-compliance to senior management and the board of control is required

    (IIA 2004:12).

    2 Purpose of the articleThe purpose of this article is to analyse the formal prescriptions and guidelines on

    quality in internal audit activities, as contained in the internal auditing standards

    (Attribute Standards 1300-1330) and the related Practice Advisories.

    Practice advisories are endorsed by the IIA and are strongly recommended as

    ways to implement the internal auditing standards. They represent best practices

    endorsed by the IIA, but they are not mandatory (IIA 2004: xxiv).

    Although it is fair to assume that all the internal auditing standards and existing

    internal auditing guidelines have been compiled with the ultimate objective of

    promoting the overall quality of internal auditing, the discussion of internal auditing

    standards in this article is confined to the process of quality control in internal audit

    activities, which is primarily the responsibility of the head of the internal audit

    activity or the chief audit executive. Only those standards which are directly related

    hereto are discussed in this article.

    3 Research strategyThe following research strategy was followed in this study:

    l  Both local and overseas literature on the topic, in the form of published books,

    articles in professional and other journals and the published guidelines of the

    IIA, was consulted.

    l  Appropriate theses, dissertations and opinion polls were studied.

    The research findings are discussed in the following sections below:

    4 Internal Auditing Standard 1300: General and specific prescriptions of the

    internal auditing standards in respect of quality assurance

    5 Internal Auditing Standard 1310: Quality programme assessments

    6 Internal Auditing Standard 1311: Internal assessments

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    4/25

    Quality assurance in internal auditing

    88  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    7 Internal Auditing Standard 1312: External assessments

    8 Internal Auditing Standard 1320: Reporting on the quality programme

    9 Internal Auditing Standard 1330: Use of the expression, “Conducted in accord-

    ance with the internal auditing standards”

    10 Internal Auditing Standard 1340: Disclosure if the internal auditing standards

    are not met

    11 Summary12 References

    4 Internal Auditing Standard 1300: General andspecific prescriptions of the internal auditingstandards in respect of quality assurance

    4.1  General prescriptions

    It would appear from the title of Standard 1300 of the internal auditing standards,

    Quality Assurance and Improvement Program (hereafter referred to as a “quality

    programme”) that the aim of this standard is to ensure and improve quality in

    internal auditing services.To ensure and improve the quality of the internal auditing services, a quality pro-

    gramme is proposed which:

    l  Is developed and maintained by the chief audit executive.

    l  Covers all aspects of the internal audit activity.

    l  Monitors, on an ongoing basis, the effectiveness of all aspects of the internal

    audit activity (IIA 2004:11).

    A quality programme should be developed in such a way that it helps the internal

    audit activity to:

    l  Add value to and improve an organisation’s activities.

    l  Meet the internal auditing standards and code of ethics of the IIA (IIA

    2004:11)

    4.2  Specific prescriptions

    4.2.1  The chief audit executive is responsible for the development andmaintenance of the quality programme

    The concept chief audit executive (also referred to as the general auditor, chief

    audit executive and inspector general) is described in the internal auditing stan-

    dards (IIA 2004:26) as the most important position in the organisation which bears

    the responsibility for internal audit activities. In an in-house internal audit activity,

    the position is filled by the director or head of the internal auditing function (chief

    audit executive). In instances where internal auditing services are rendered by

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    5/25

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    6/25

    Quality assurance in internal auditing

    90  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    l Responsibility

    The following should be evident:

    – assurance

    – consultation

    – value added

    – support/service provision, and

    – the establishment of a systematic and disciplined approach.

    Objectives

    – improvement of the organisation’s activities.

    – realisation of the organisation’s objectives, and

    – promotion of the effectiveness of risk management, control and

    management processes.

    Besides the above, each prescription in the internal auditing standards can be

    regarded as an area in which quality control should be exercised. Compliance with

    the internal auditing standards as such is also such an area.

    According to guidance provided by the IIA (IIA 2003:9-10), during a quality

    assessment review cognisance should be taken of the following aspects:

    l  Executive management, any review function and operational management’s

    expectations of the internal audit activity.

    l  The organisation’s control environment and the environment in which the

    internal audit activity operates.

    l  The extent to which the focus is on the evaluation of risk, assessment of control

    systems and the inclusion of aspects of organisational control in audit planning

    to ensure that internal audit activities add value to organisations.

    l  The integration of the internal audit activity in the organisation’s management

    processes, with due consideration of service provision and communication be-

    tween the principal role players in the management processes.

    l  The embodiment of internal auditing standards, including the IIA’s five pri-mary internal control objectives.

    l  The combination of the auditing staff’s knowledge, experience and specialist

    fields with their propensity to improve processes and operations that add value.

    l  The aids and techniques applied by the internal audit activity, with the empha-

    sis on the utilisation of the technology available.

    In the development and maintenance of a quality programme, the chief audit execu-

    tive(s) should consider all the points mentioned above, as well as factors emanating

    from the various internal audit activity’s unique circumstances. According to

    Chapman and Anderson (2002:53-54), comprehensive procedures should be in

    place to ensure quality control of all aspects of the internal audit activity.

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    7/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 91

    4.2.3  The quality programme must monitor the effectiveness of allaspects of the internal audit activity on a continuous basis

    An isolated or discontinuous effort to check the performance of internal audit

    activities is not sufficient to comply with the requirements of the internal auditing

    standards. Certain operations inherent in the internal auditing process must be

    performed on a continuous basis in order to monitor internal audit activities. Ac-

    tions that are built into the internal auditing process, such as checking the auditing

    working papers and approving internal audit reports before they are issued, ensurethe effectiveness of the internal audit activity on an ongoing basis (Chapman and

    Anderson 2002:54).

    In external assessments undertaken by the IIA itself, effectiveness is measured

    against how well the internal audit activity meets clients’ needs and criteria, which

    are normally determined by the audit committee, the organisation’s executive

    management and other auditing clients (IIA 2003:11).

    The chief audit executive must therefore keep abreast of the expectations of the

    audit committee, of the executive management and of other auditing clients, as well

    as of the criteria against which the performance of an internal audit activity can be

    measured. On the basis hereof, they then need to develop and maintain procedures

    to ensure that the internal audit activity complies with these expectations and

    criteria in all respects.

    4.2.4  A quality programme should help the internal audit activity to addvalue to and improve an organisation’s operations

    According to the glossary to the internal auditing standards (IIA 2004:25), the

    concept to “add value” means to create value or benefits for the owners, other

    interested parties, users and clients. The value that internal audit activities add

     justifies their existence. Value is created by applying resources to develop and

    market products and services.

    Internal auditors are continually collecting information in order to understand

    and evaluate the risks faced by their organisations, and in the process they develop

    a sound knowledge of and insight into the organisation’s operations. They also seek

    opportunities for improvement. This information can be passed on to the appro-

    priate managers and operating personnel by way of consultation, advice, writtenreports or other methods.

    Micheal P. Fabrizius (1997:3), former chairman of the IIA, mentions the

    following questions that people involved in internal audit activities need to answer

    to ensure that they are adding value:

    l  Are they focused on and attuned to their clients?

    l  Are their services cost-effective and timeous?

    l  Can they satisfy their clients’ needs?

    l  Do they continuously add value?

    According to Chapman and Anderson (2002:55), effectiveness, efficiency and

    value adding should be assessed from the perspective of an organisation’s senior

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    8/25

    Quality assurance in internal auditing

    92  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    management, the board of control and other role players who avail themselves of

    the services of the internal audit activity. If an internal audit activity wants to add

    value, the organisation’s strategic objectives and values should be the starting point

    for identifying opportunities for improvement. The following are examples of

    measures they could suggest for evaluating whether value is being added:

    l  Surveys of clients’ satisfaction on completion of an auditing project or consul-

    tation.

    l  The number of times management request involvement in the internal audit.

    l  The extent to which best practices and new procedures are implemented by the

    internal audit activity to add value.

    l  The scope and quality of communication between the internal audit activity,

    senior management and the board of control.

    4.2.5  A quality programme should offer assurance that the internalaudit activity complies with the internal auditing standards andcode of ethics

    Since compliance with developed practice standards and a code of ethics is

    generally accepted as a prerequisite for the quality of work in any industry, some

    measurement of the extent to which internal audit activities satisfy the internal

    auditing standards and the IIA’s code of ethics should be a primary objective ofsuch a quality programme (Chapman and Anderson 2002:54).

    According to guidance provided in Practice Advisory 1310-1, paragraph 1, a

    quality programme should reassure not only the chief audit executive, but also all

    other interested parties, such as senior management, external auditors, the

    organisation’s board of control and regulating authorities that the internal audit

    activity satisfies the requirements of the internal auditing standards and code of

    ethics (IIA 2004:101).

    5 Internal Auditing Standard 1310: Qualityprogramme assessments

    According to Standard 1310 of the internal auditing standards (IIA 2004:11), every

    internal audit activity should include a process that monitors the generaleffectiveness of the quality programme. The process should include both internal

    and external assessments.

    Monitoring quality programmes entails continous measurement and analysis of

    performance criteria. An assessment of quality programmes involves a study of the

    quality of the internal audit activity, which culminates in a conclusion and possible

    recommendations. According to guidance provided in Practice Advisory 1310-1

    (IIA 2004:102), it should also include measurement of the following:

    l  Compliance with the internal auditing standards and code of ethics.

    l  Adequacy of the internal auditing operation’s charter, aims, objectives, policy

    and procedures.

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    9/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 93

    l  Contribution to the organisation’s risk management, control and management

    processes.

    l  Compliance with appropriate laws, regulations and government and industry

    standards.

    l  The effectiveness of the operations and acceptance of best practices.

    l  Value added and improvement of the organisation’s activities through the

    internal audit activity (IIA 2004:102).

    Practice Advisory 1310-1 also recommends that all endeavours to improve qualityshould be linked to a communication process developed to facilitate the necessary

    adjustments to resources, technology, processes and procedures, and that the chief

    audit executive should establish accountability by discussing the results of the

    external assessment (and where appropriate, the results of the internal assessment of

    the quality programme) with individuals with an interest in the internal audit

    activity, such as senior management, the board of directors, the audit committee and

    the external auditors (IIA 2004:102-103).

    6 Internal Auditing Standard 1311: Internalassessment of quality programmes

    Internal assessment provides assurance to the chief audit executive that all internal

    auditing personnel, including the supervisors, are doing their work properly.Periodic internal assessments are also conducted to provide assurance with regard

    to specific projects that the findings reported are accurate and reliable (Sawyer,

    Dittenhofer and Scheiner 2003:1025).

    Standard 1311 of the internal auditing standards stipulates that internal assess-

    ment should include:

    l  Ongoing reviews of the performance of the internal audit activity.

    l  Periodic assessments, either by means of self-assessment or assessments

    conducted by other individuals in the organisation with the necessary knowl-

    edge of internal auditing practice and of the internal auditing standards (IIA

    2004:11).

    6.1  Continuous internal assessmentAccording to guidance provided in Practice Advisory 1311-1, Internal Assessments,

    opinions should continuously be formed about the ongoing performance of the

    internal audit activity and regular follow-ups should take place to ensure that

    appropriate improvements are implemented. The principal component of continu-

    ous monitoring and assessment is supervision over internal auditing projects, as

    explained in Practice Advisory 2340-1, Engagement Supervision. Adequate super-

    vision is the basis of a quality programme and also the foundation upon which

    internal and external assessments are conducted. According to Practice Advisory

    1311-1, paragraph 1, the work of internal auditors needs to be supervised to ensure

    compliance with the internal auditing standards, the policy of the internal audit

    activity and internal audit programmes (IIA 2004:105).

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    10/25

    Quality assurance in internal auditing

    94  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    According to Sawyer et al (2003: 1024), “properly supervised audit projects are

    the first and, perhaps, the most important step in a program of quality assurance.

    When supervisors do their jobs properly in the first place, the internal and external

    reviews should disclose no serious defects in those matters that are under the direct

    control of the internal audit department”. Standard 2340 of the internal auditing

    standards stipulates that internal audit engagements should be conducted under

    proper supervision to ensure that the objectives, the required quality control and

    personnel development are achieved (IIA 2004:21).Additional methods for continuous monitoring of internal auditing work are:

    l  Checklists to ensure that the standard processes and procedures of the internal

    audit activity are in fact followed.

    l  Feedback from auditing clients and other interested parties on completion of an

    audit project.

    l  Analysis of performance standards, for example, the time it takes to complete

    an audit project and the percentage of internal audit recommendations imple-

    mented.

    l  Budget statistics on audit projects, systems that monitor the amount of time

    spent on the project, tasks completed in respect of the tasks planned and cost

    recoveries (IIA 2004:105-106).

    Sawyer et al (2003:1010) subscribe to the above in their discussion of what theycall a “micro-approach” to quality control. They contend that individual audit

    processes should be investigated and evaluated on a continuous basis. Each indi-

    vidual audit should have a measurable objective. The objective as well as the

    measurement criteria should be included in the audit programme. The objectives of

    an audit should therefore be defined and on completion of each audit, an indication

    should be given of the extent of the achievement of the objectives, based on the

    measurement criteria outlined in the audit programme.

    6.2  Periodic internal assessment

    6.2.1  General

    Practice Advisory 1311-1: Internal Assessments provides the following guidelines

    on the performance of internal assessments: periodic internal assessment should bedesigned to assess compliance with the charter of the internal audit activity, compli-

    ance with the internal auditing standards and the code of ethics as well as the

    effectiveness of the internal audit activity (IIA 2004:106).

    6.2.2  Qualifications of the internal assessor

    The same standards of objectivity and independence for any other internal audit

    should also apply to the internal assessment of internal audit activities (Moeller and

    Witt 1999:32-33). In larger organisations, one person may be appointed to exercise

    quality control. Such a person would be a suitable candidate for the job of team

    leader in an internal assessment. In smaller organisations, flexibility is necessary for

    internal assessments to be conducted. It must be borne in mind that the auditor may

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    11/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 95

    not evaluate work for which he or she was responsible and that a certain level of

    expertise and knowledge is necessary to evaluate an internal audit activity (IIA

    2003:31).

    The following criteria may be used in the selection of internal evaluators:

    l  Objectivity.

    l  Knowledge of internal auditing standards.

    l  Managerial skills.

    l  Technical knowledge (financial, operational, management and information

    technology).

    l  A professional qualification, such as a certified internal auditor’s (CIA) qualifi-

    cation.

    l  Knowledge of the industry.

    l  Knowledge of the organisation.

    l  Availability.

    l  Interest in the internal quality revision.

    l  Good communication skills.

    l  Human relations skills.

    l

      The ability to make constructive recommendations (IIA 2003:31-32).Generally, at least two team members are required to complete an assessment within

    a reasonable time. One of them should act as the team leader. Team members

    should be alternated from time to time. This will result in new perspectives on the

    evaluation process.

    Scope of the internal assessment

    Practice Advisory 1311-1(IIA 2004:106), recommends that periodic assessment

    may:

    l  Include more in-depth interviews with and opinion surveys of interested

    groups.

    l  Be conducted by certified internal auditors (CIAs) or other competent profes-

    sional auditors working elsewhere in the organisation.

    l  Be conducted by members of the internal audit activity (self-assessment), if thenecessary objectivity can be ensured.

    l  Involve a combination of self-assessment and the preparation of material

    checked by a CIA or another competent professional auditor.

    l  Entail the measurement of the internal audit activity’s practices and perform-

    ance indicators against suitable best practices of the internal auditors’ profes-

    sion.

    According to the Quality Assessment Manual (IIA 2003:32-36), an internal assess-

    ment corresponds largely to an external assessment and consists of the following

    components:

    l  Completion of a standard questionnaire by the chief audit executive.

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    12/25

    Quality assurance in internal auditing

    96  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    l  Opinion polls by internal audit clients and internal audit personnel.

    l  Implementation of the procedures decided upon.

    l  Interviews with the board of directors and audit committee, the organisation’s

    chief executive officer, other executive directors, operational managers and in-

    ternal auditors.

    l  An assessment of the internal audit activity.

    l  A summary of the findings and recommendations in order to come up withmeaningful suggestions for the final meeting.

    l  A report to the chief audit executive according to the method agreed upon with

    him or her at the start of the evaluation.

    l  A follow-up to ensure that the necessary attention is focused on the recommen-

    dations in the report.

    Moeller and Witt (1999:32/22) hold that the internal assessment of an internal audit

    activity should be a formal process, similar to that followed in any other formal

    internal auditing project. It should be properly planned and conducted according to

    a formal audit programme. In contrast to the provisions of the internal auditing

    standards as set out above, it should be conducted by individuals who are independ-

    ent from the internal audit activity (Moeller and Witt 1999:32/33). In order to offer

    the necessary assurance to the chief audit executive and any other interested party, aperiodic internal assessment should be conducted with the same formality and

    discipline as any other internal auditing project.

    Sawyer et al (2003:1025-1026) recommend that an internal assessment should:

    l  Be conducted according to a budget and fixed schedule.

    l  Be carried out according to an audit programme that explains the steps the

    evaluator should follow.

    l  Be conducted on a sample of internal audit projects representative of the total

    output of the internal audit activity.

    l  Make provision for the evaluator to discuss any problems he or she may iden-

    tify with the auditors and supervisors of the relevant audit project.

    l  Be supported by working papers documenting the entire evaluation process.

    l  Culminate in a formal report on the results of the assessment.

    6.2.3  Reporting the results

    Conclusions should be drawn about the performance of an internal audit activity

    and the appropriateness of action taken in order to improve performance and

    promote compliance with the internal auditing standards (IIA 2004:106).

    The chief audit executive should develop a structure for reporting the results

    of periodic assessments to ensure the necessary merit and objectivity. As a rule,

    those tasked with the responsibility of conducting continuous and periodic assess-

    ments should report to the chief audit executive while they are conducting the

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    13/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 97

    assessments. Their findings should be communicated directly to the chief audit

    executive (IIA 2004:107).

    The chief audit executive should discuss the results of the internal assessment

    and the plans of action required with the appropriate parties outside the internal

    audit activity, such as senior management, the board of directors, the audit commit-

    tee and external auditors (IIA 2004:107).

    According to the guidelines for internal assessments contained in the Quality Assessment Manual (IIA 2003:35), the review team should prepare a complete

    report of the results of the internal assessment and submit it to the chief of the

    internal audit activity. The format of the report should be decided upon at the start

    of the assessment. In response to the report of the review team, the chief of the

    internal audit activity should compile a roster for implementation with regard to

    each recommendation. The chief audit executive may involve members of the

    internal auditing management team in this response. The response should indicate

    clearly whether those involved in the internal audit activity concur with the recom-

    mendation or whether they wish to make another recommendation. Reasons should

    be given for any decision to disregard a recommendation. If the report of the

    internal assessment is sent to a party outside the internal audit activity, for example,

    the audit committee, it should be accompanied by the chief audit executive’s written

    response to the evaluation.

    7 Internal auditing standard 1312: Externalassessment of quality programmes

    Standard 1312 of the internal auditing standards stipulates that an external assess-

    ment should be conducted at least once every five years by a qualified, independent

    reviewer or review team from outside the organisation concerned (IIA 2004:11).

    Hence, each internal audit activity should allow an external assessment to be con-

    ducted within five years from 1 January 2002, the date of implementation of the

    new internal auditing standards (IIA 2004:11).

    The guidelines contained in Practice Advisory 1312-1: External Assessments are

    elucidated in the following six sections, adding relevant information from other

    sources.

    7.1  General

    During the external assessment of an internal audit activity, compliance of the

    internal audit activity with the internal auditing standards should be evaluated and

    an opinion formed. Where appropriate, recommendations should be made to rectify

    shortcomings. These revisions may be highly significant for the chief audit execu-

    tive and other members of the internal auditing operation. Only suitably qualified

    people should be permitted to conduct such evaluations.

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    14/25

    Quality assurance in internal auditing

    98  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    An external assessment is required within five years from 1 January 2002. Or-

    ganisations that have already had an external assessment done should have the next

    one done within five years.

    Once an external assessment has been completed, a formal report should be sub-

    mitted to the control board and senior management of the organisation concerned

    (IIA 2004:109-110).

    7.2  Qualifications of the external assessorBoth external evaluators of good quality, and the individuals who authorise self-

    assessments (see the discussion later in this article) must be independent of the

    organisation and the internal audit activity. The team responsible for conducting the

    assessment should consist of individuals skilled in the professional practice of

    internal auditing and the external assessment process.

    The following requirements should be considered in the choice of an external

    assessor:

    l Independence

      External assessments should be conducted by suitably qualified individuals

    who are independent of the organisation and who do not have any real or ap-

    parent conflict of interest. Being independent of the organisation means not be-ing part of the organisation and not being under the control of the organisation

    in which the internal audit activity is established. The person who is conducting

    the external assessment, the team members and any other individuals involved

    in the process should have no obligation towards or interest in the organisation

    that is being evaluated or its personnel. Individuals employed in another de-

    partment in the organisation (even though they may be independent of the in-

    ternal audit activity) are not deemed to be independent for the purposes of con-

    ducting an external assessment (IIA 2004:110).

    In the selection of an external evaluator, cognisance should be taken of possi-

    ble, real or apparent conflicts of interest which the evaluator may have as a re-

    sult of previous or current ties with the organisation or the internal audit activ-

    ity (IIA 2004:111).

    l Integrity and objectivity

      Integrity requires that the team conducting the evaluation should be honest and

    operate within the bounds of confidentiality. Service and the trust of the public

    should not be made subservient to self-gain and profit. Objectivity is an intel-

    lectual propensity. Objectivity compels an evaluator to be impartial and intel-

    lectually honest. There may be no conflicts of interest (IIA 2004:111).

    l Competence

      Professional judgment is necessary to conduct an external assessment and

    communicate the results thereof. Hence an individual conducting an evaluation

    must:

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    15/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 99

      – be a competent, certified professional auditor (a CIA, CA or CISA) who is

    fully conversant with the internal auditing standards;

    – be well grounded in best practices in the internal auditing profession;and/or

    – have at least three years or recent experience in the application of internalauditing at management level (IIA 2004:111).

    The review team should include members who are skilled in information technology

    and who have experience of the appropriate industry. Individuals who are special-ists in other specialised fields such as statistical sampling or self-assessments canassist the review team in those areas (IIA 2004:111).

    The most general conductors of external assessments are the IIA, public account-ing and auditing firms and private consultants. The following candidates are listedspecifically in Practice Advisory 1312-1 (2004:112) as being fully qualified to actas external quality assessors:

    l  Trained quality programme assessors of the IIA.

    l  People qualified to confirm compliance with legislation and regulations (com-pliance auditors).

    l  Consultants.

    l  External auditors.

    l  Other professional service providers, and/or

    l  Internal auditors from outside the organisation.

    7.3  Approval of management and the board of directors

    The chief audit executive should involve senior management in the selection of theexternal evaluator(s) and obtain their approval for the appointment (IIA 2004:112).

    7.4  Scope of external assessments

    According to paragraph 12 of Practice Advisory 1312: External Assessment  (IIA2004:112), the external assessment should provide a broad overview and includecoverage of the following elements of the internal audit activity:

    l  Compliance with the internal auditing standards and the code of ethics.l  Compliance with the internal audit activity’s charter, planning, policy, pro-

    cedures and practices.

    l  Compliance with appropriate legislation and other regulations.

    l  Fulfilment of the expectations of the board of control, executive managementand operational management as expressed by them.

    l  Integration of the internal audit activity in the organisation’s control processesand the existing relationships between the key groups involved in the process.

    l  Aids and techniques used in the internal audit activity.

    l  The composition of the knowledge, experience and disciplines in which thepersonnel are schooled, as well as their propensity for improving processes.

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    16/25

    Quality assurance in internal auditing

    100  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    l  The success of the internal audit activity in adding value and improving the

    organisation’s activities.

    According to a release of the Quality Review Service (IIA[s.a.]:3), external assess-

    ments conducted by the IIA have the following objectives:

    l  Evaluating the effectiveness and efficiency of the internal audit activity;

    l  Identifying opportunities and advising chief audit executives and internal audit

    staff on improving their performance.

    l  Evaluating the auditing environment and the methods followed in the annual

    risk analysis used to compile the audit schedule.

    l  Evaluating the organisation’s structure and the approach of the internal audit

    activity to establish whether the audit resources are adequate to ensure proper

    coverage of all facets of the business.

    l  Conducting a survey of perceptions about internal auditing within the organisa-

    tion to determine the level of satisfaction of executive management and clients

    of the internal audit activity with internal auditing services.

    l  Evaluating the adequacy of techniques and methods used by the internal audit

    activity to test internal control systems.

    l  Identifying methods to improve policies and practices in the internal audit

    activity and co-ordination with external auditors.l  Expressing an opinion about the internal audit activity’s compliance with the

    internal auditing standards.

    Besides the above objectives, the risk to the organisation should be calculated if the

    internal audit activity is found to be ineffective or does not meet the internal audit-

    ing standards (IIA 2003:11).

    7.5  Reporting of the results

    The preliminary results of an external assessment of an internal audit activity should

    be discussed with the chief audit executive during the completion of the evaluation

    process. The final results should be communicated to the chief audit executive or to

    any other official who authorised the investigation.

    Reporting should address the following:

    l  The nature or the review – is it a full review or an independent validation of a

    self-assessment?

    l  The internal audit activity’s compliance with the internal auditing standards –

    the term “compliance” means that the activities of the internal audit activity,

    viewed as a whole, comply with the requirements of the internal auditing stan-

    dards. In the same vein, “non-compliance” means that the impact and substance

    of the deviation in activities of the internal audit activity is so serious that the

    internal audit activity’s ability to perform its duties is hampered. Expressing an

    opinion on the basis of the results of the external assessment demands pure

    business judgment, integrity and proper professional care.

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    17/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 101

    l  Judging and evaluating the use of best practices in conducting internal audit

    assignments and managing the internal audit activity.

    l  Recommendations for the improvement of methods, procedures and processes,

    where appropriate.

    l  Feedback by the chief audit executive, including a plan of action to implement

    recommendations and indicating the proposed dates of implementation (IIA

    2004:113-114).

    The chief audit executive must discuss the results of the evaluation and any plans of

    action with the relevant senior management and the organisation’s board of control

    (IIA 2004:19). This responsibility of the chief audit executive to report on the

    results of the external assessment is discussed in more detail in Section 5 of this

    article.

    7.6  Self-assessment with independent validation

    An alternative proposed by Practice Advisory 1312-1 for external assessment is that

    the chief audit executive must undertake a self-assessment of the internal audit

    activity and that he or she must have it ratified by an independent person. Such a

    self-assessment should be characterised by the following:

    l  A comprehensive and fully documented self-assessment process.

    l  An independent validation, on the premises of the auditing activity, by an

    evaluator who meets the prerequisites.

    l  The requirements for economic time and resource utilisation.

    A team led by the chief audit executive must conduct the self-assessment and the

    results should be communicated to the appropriate senior management and the

    organisation’s board of control. The self-assessment should focus on the internal

    audit mission and compliance with the internal auditing standards. A qualified

    independent evaluator should be appointed to conduct limited tests on the self-

    assessment, to ratify the results and express an opinion about the apparent level of

    the activity’s compliance with the internal auditing standards (IIA 2004:113).

    Moeller and Witt (1999:33/9) contend that self-assessment is a cost-effective

    method whereby the smaller internal audit activities can judge their own quality.Small internal audit activities can often not afford the services of an external

    evaluator and do not have enough appropriate staff to assign to quality assessments.

    According to the fourth edition of the Quality Assessment Manual (IIA 2003:21-

    22), the self-assessment with independent validation has the following characteris-

    tics: an evaluation similar to the external assessment is conducted, but with the

    difference that it is performed by competent professional internal auditors under the

    leadership of the chief audit executive. Owing to the knowledge that the internal

    auditors have of the internal audit activity, the organisation’s policy and procedures

    and the internal audit activity’s application of internal auditing standards, this

    evaluation should be less time-consuming than an external assessment. However,

    external evaluators have greater exposure and can suggest new ideas, techniques

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    18/25

    Quality assurance in internal auditing

    102  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    and processes which could provide a considerable advantage to the internal audit

    activity. The basic steps should include the following:

    l  Planning and preparation, including the appointment of the team leader, the

    team members and the external validator, as well as reflection on the process to

    be followed and the reporting that will take place.

    l  Fieldwork, during which the focus should be on the structure of the internal

    audit activity and organisation, risk assessment and planning of audit projects,personnel skills and experience, utilisation of technology, value added to the

    organisation and compliance with the internal auditing standards.

    l  The formulation of results, recommendations and implementation plans by the

    self-assessment team leader, in collaboration with the chief audit executive, for

    validation by the independent validator and submission to senior management

    and the audit committee or other review function.

    l  Independent validation of the self-assessment.

    The self-assessment should be properly documented. As in the case of the external

    assessment, conclusions should be drawn about the internal audit activity’s compli-

    ance with the internal auditing standards, the charter and the appropriate criteria,and it should also contain recommendations for improvements and a plan of imple-

    mentation.

    A report on the results of the self-assessment should be compiled for submission

    to senior management and the audit committee (or other review function) after

    validation thereof by an external independent party.

    The qualified independent party then conducts interviews with the chairperson of

    the audit committee or other suitable council member and senior members of

    management and conducts limited tests on the self-assessment and the preliminary

    report to the board of directors and senior management. Hence the results of the

    self-assessment are verified and can serve as the basis for any comments or further

    recommendations.

    The external reviewer expresses an opinion about the suitability of the process

    followed during the self-assessment and the level of compliance with the internal

    auditing standards pointed out by the self-assessment. The external validator’s

    report is then included in or attached to the self-assessment report submitted to the

    audit committee and to senior management.

    Although a full external assessment holds the most benefits for an internal as-

    sessment, and should be included in the quality programme of an internal auditing

    operation, self-assessment with independent validation is a method that allows

    alternative compliance with the provisions of Standard 1312 of the internal auditing

    standards (IIA 2004:113).

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    19/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 103

    8 Internal Auditing Standard 1320: Reporting on thequality programme

    According to Standard 1320 of the internal auditing standards, the chief audit

    executive should report the results of external assessments to the board of directors,

    appropriate members of senior management and the audit committee (IIA 2004:11).

    Practice Advisory 1320-1 recommends that on completing an external assess-

    ment, the team that conducted the assessment should issue a formal report express-ing an opinion about the internal audit activity’s compliance with the internal

    auditing standards. The report should also refer to the internal audit activity’s

    compliance with the internal audit charter and other appropriate standards and it

    should contain recommendations for improving the quality of the internal audit

    activity (IIA 2004:115).

    A preliminary report should be supplied to the chief audit executive on the basis

    of which he or she is afforded an opportunity to make comments. The chief audit

    executive should respond to the comments and recommendations in the report with

    a formal plan of action. Proper follow-up is also the responsibility of the chief audit

    executive (IIA 2004:115).

    The final report containing the chief audit executive’s comments and plans of

    action is usually addressed to the person in the organisation who requested the

    evaluation, with copies of the report to the board of directors, appropriate membersof senior management and the audit committee or other review function with an

    interest in the internal audit activity (IIA 2003:20).

    9 Internal Auditing Standard 1330: Use of theexpression “Conducted in accordance with theinternal auditing standards” 

    In Standard 1330 of the internal auditing standards, internal auditors are encour-

    aged to report on the statement that internal auditing is conducted in accordance

    with the Standards for the Professional Practice of Internal Auditing.  Internal

    auditors may, however, only use this statement if assessment of the quality pro-

    gramme confirms that the internal audit activity does in fact comply with the inter-nal auditing standards (IIA 2004:12).

    Practice Advisory 1330-1 (2004:117-118) contains the following guidelines in

    this regard: before an audit report can declare that an audit has been conducted in

    accordance with the internal auditing standards, the quality programme must be

    evaluated and the finding should be that the internal audit activity does comply with

    the internal auditing standards. Instances where non-compliance has an impact on

    the total review of the operation of the internal audit activity (including neglecting

    to allow an external assessment to be conducted by 1 January 2007), should be

    reported to senior management and the board of directors.

    It is important to note that the above provisions apply only in instances where

    quality assessments indicate that the internal audit activity in general does not

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    20/25

    Quality assurance in internal auditing

    104  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    comply with the internal auditing standards. It is not aimed at detecting isolated

    cases of non-compliance. Internal auditors who find it impossible to comply with a

    specific standard in certain circumstances can still claim that their work was con-

    ducted in accordance with the internal auditing standards, as long as (in compliance

    with the specifications of Standard 2430) they declare the specific areas of non-

    compliance in their final communication regarding the audit project, and indicate in

    their evaluations of quality that they have fulfilled the internal auditing standards in

    all other respects.

    10 Internal Auditing Standard 1340: Disclosure if theinternal auditing standards are not met

    Although internal audit activities should comply fully with the internal auditing

    standards and the internal auditors’ code of ethics, there may be instances in which

    internal audit activities and/or internal auditors do not satisfy these standards. When

    such non-compliance influences the review and functioning of the internal audit

    activity, it should be reported to senior management and the board of control (IIA

    2004:12).

    Standard 2430 stipulates in cases where the internal auditing standards are not

    complied with in a specific audit project that in the final report containing the

    results of the audit project, the following should be mentioned:l  What internal auditing standard was not complied with.

    l  The reason why the standard was not complied with.

    l  The impact of the non-compliance with the standard on the audit project

    (IIA 2004:22)

    11 Summary“the challenge today is to raise the broad market perception of the value of our services” (IIA

    1999:27).

    According to the Guidance Task Force1 (IIA 1999:27-28), “a profession can have

    great standards, but without credible mechanisms to enforce compliance, they lose

    their effectiveness and their status as a mark of professional quality”.

    ________________________

    1 In 1997, The Guidance Task Force was appointed by the board of directors of the IIA to

    investigate the following matters:

    (1) the possibility that there is a gap between developing internal audit practice and the existing

    internal auditing standards. and

    (2) possible improvements to the existing processes in terms of which internal auditing stan-

    dards are written and laid down and ways in which improvement can be promoted.

    The Guidance Task Force consisted of 16 leaders in the field of internal auditing and was

    representative of all interested parties throughout the world. They met six times: the first meet-

    ing took place in December 1997, and final one in September 1998. The details and results of

    their study are contained in a publication of the Institute of Internal Auditors’ Research Foun-

    dation entitled A vision for the future: professional practices framework for internal auditing

    (IIA 1999:1).

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    21/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 105

    In the light of their investigation and findings, the Guidance Task Force made the

    following recommendations to move internal auditing to an advanced level of

    professionalism, which, according to them, will promote the quality, competitive-

    ness and recognition of the profession:

    l  Compliance with the internal auditing standards should be compulsory and

    should be proved by internal audit activities, by means of a satisfactory quality

    assessment by an independent party.

    l  The internal auditing standards should demand that internal audit reportscontain an explicit declaration that internal auditing work is conducted accord-

    ing to the Standards for the Professional Practice of Internal Auditing  (IIA

    1999:27).

    Since 1999, the IIA, in reaction to the findings of the Guidance Task Force, has put

    into effect the acceptance of a new definition, implemented a new practice frame-

    work and updated the internal auditing standards. As discussed in this paper, the

    internal auditing standards have already been amended and supplemented with the

    following prescriptions on quality control:

    l  The external assessment should be performed at least every five years (Stan-

    dard 1312).

    l  The chief audit executive should report the results of external assessments to

    the board of directors (Standard 1320).l  Internal auditors can only declare that an audit has been performed in compli-

    ance with the internal auditing standards if, according to the prescriptions of

    the standards, they have been subjected to an external assessment (Standard

    1330).

    l  When non-compliance with the internal auditing standards could affect the

    overall scope or operation of the internal audit activity, this should be disclosed

    to senior management and the board of directors, via the chief audit executive

    (Standard 1340).

    The discussion in this article clearly shows that adequate standards are in place to

    ensure the application of proper quality control in internal audit activities. The

    important thing, however, is to encourage internal audit activities to apply proper

    quality control themselves.

    Although general compliance with the internal auditing standards is not enforced

    in South Africa, legislation and regulations have been developed either to force or

    to encourage larger organisations to use internal auditing services. The Public

    Finance Management Act 1 of 1999 (as amended) stipulates that all state depart-

    ments, listed public entities, constitutional institutions, Parliament and provincial

    authorities should have internal audit activities that comply with the Treasury

    regulations, which have been compiled in terms of the Act. These Treasury regu-

    lations stipulate that internal auditing services should be rendered on the basis of

    the internal auditing standards (RSA 1999).

    The King Report on Corporate Governance (Institute of Directors in Southern

    Africa 2002) with which listed companies must comply in order to list at the

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    22/25

    Quality assurance in internal auditing

    106  Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 

    Johannesburg Securities Exchange recommends that companies should have an

    effective internal audit activity and the Report endorses the definition of internal

    auditing, code of ethics and standards of the IIA, Inc. (Institute of Directors in

    Southern Africa 2002, sec 3).

    In the light of the fact that the majority of organisations with internal audit activi-

    ties in South Africa are either regulated by the Public Finance Management Act or

    by the listing requirements of the Johannesburg Securities Exchange, most internal

    audit activities in South Africa should be actively steering towards proper qualitycontrol over their activities in order to comply with the internal auditing standards

    set by the IIA.

    Bibliography

    Chapman, C. and Anderson, U. 2002. Implementing the professional practices

    framework, Institute of Internal Auditors, Altamonte Springs, Florida.

    Fabrizius, M.P. 1997. A passion for excellence, Internal Auditor, October, Vol. 54,

    No. 5, pp.22-27.

    Institute of Directors in Southern Africa. 2002. King report on corporate govern-

    ance for South Africa 2002, Institute of Directors in Southern Africa, Parkland,

    South Africa.

    Institute of Internal Auditors (IIA). [s.a.]. QAR The key to improved effectiveness

    and efficiency, Quality Auditing Division, Institute of Internal Auditors, Altamonte

    Springs, Florida.

    Institute of Internal Auditors (IIA). 1998. Standards for the professional practice of

    internal auditing: Statements on internal auditing, standards nos. 1-18, statement of

    responsibilities of internal auditing, code of ethics, Institute of Internal Auditors,

    Altamonte Springs, Florida.

    Institute of Internal Auditors (IIA). 1999. A vision for the future: professional

     practices framework for internal auditing, Report of the guidance task force to the IIA’ss board of directors, Institute of Internal Auditors, Altamonte Springs, Florida.

    Institute of Internal Auditors. 2003. Quality assessment manual, 4th edition, Insti-

    tute of Internal Auditors, Altamonte Springs, Florida.

    Institute of Internal Auditors. 2004. The professional practice framework , Institute

    of Internal Auditors, Altamonte Springs, Florida.

    Large, N. 1997. How are we doing? The need for quality assurance, IIA IA Ad-

    viser, January/February, pp.5-6.

    Moeller, R.R. and Witt, H. 1999.  Brink’s modern internal auditing, Wiley,

    5th edition, New York.

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    23/25

     Marais

     Meditari Accountancy Research Vol. 12 No. 2 2004 : 85–107 107

    Sawyer, L.B., Dittenhofer, M.A. and Scheiner, J.H. 2003.  Sawyer’s internal

    auditing. The practice of modern internal auditing, Institute of Internal Auditors,

    5th edition, Altamonte Springs, Florida.

    Republic of South Africa. 1999. Public Finance Management Act 1 of 1999

    (amended), Government Printer, Pretoria.

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    24/25

  • 8/18/2019 Quality Assurance Internal Audit; Analysis of Standards and Guidlines Implemented by the Institute of IIA

    25/25

    Reproducedwithpermissionof thecopyrightowner. Further reproductionprohibitedwithoutpermission.