Who audits the auditors? External quality assessments as a measure of internal audit effectiveness

Yannis Kavvadias, Manager Protiviti Switzerland

Over the past three years, I have worked as an assessor for external quality assessments (EQAs) and as a project manager leading EQAs for larger internal audit departments. In 2022, along with Protiviti colleagues from across the globe, I was a part of Performing Effective External Quality Assessments, a course led by The Institute of Internal Auditors (IIA).

So, what, exactly, are EQAs?

The IIA defines EQAs as follows: “An … EQA evaluates conformance with the Definition of Internal Auditing, the International Standards of the Professional Practice of Internal Auditing (Standards) and an evaluation of whether internal auditors apply the Code of Ethics.”

EQAs are a set of interviews, questionnaires and reviews allowing for the confirmation that internal audit departments are in line with The IIA’s Standards for the profession. An EQA can provide significant insights on the inner workings of an internal audit department, such as its methods, its team members, its interactions with upper management or even its reputation within the company.

The external quality assessor will develop recommendations for the audited departments that would lead to improved conformance with the IIA Standards and potential improvements for the future. The process ends with a report that summarizes whether the department generally conforms (highest), partially conforms or does not conform (lowest) to each of the IIA Standards and on an overall basis.

Who are EQAs for?

Every internal audit department that I have worked with or for in the past 10 years relies on a solid internal audit charter. The charter includes three statements that are the basis for the internal audit department’s mission and vision. According to The IIA’s International Professional Practices Framework from 2017, internal audit teams should:

  • Do work aligned with the strategies, objectives and risks of the organization.
  • Operate in an insightful, forward-looking and proactive manner.
  • Coordinate with other assurance providers and consider relying on their work.

While there have been extensive discussions on the exact definition of “insights” or how to effectively align on risks, the essence remains the same: Internal audit must be strategically aligned with the company’s management and should coordinate where needed with external assurance providers.

But how often are the points above assessed in depth? And what are some of the benefits of an EQA?

EQAs are required to be performed by an independent third party every 5 years for internal audit departments of all shapes and sizes. In addition to giving the department a benchmark versus the standards of the profession, an EQA demonstrates the department’s commitment to continuous development and improvement.

For example, a past EQA engagement in which I was involved showed that the audit department performed, on average, more audits on a specific department, which nevertheless represented a low percentage of revenue compared to others. EQA interviews showed audit planning was strongly influenced by company management, rather than the audit committee or the internal audit department itself. This led to a potential risk in internal audit independence, as mandated by The IIA, which was highlighted in the report and subsequently improved.

EQAs can also provide insight into management’s perception of internal audit. Another recent EQA showed that the internal audit team was not viewed as a talent pool, without internal audit management understanding why. Interviews revealed that some of the team members did not have the appropriate skill sets to be considered strong candidates for executive management, effectively hindering the execution of their work and having an impact on their career prospects outside internal audit.

EQAs allow audit departments time to reflect on their strategic direction as an integral part of a company’s control framework. Recent developments in internal controls have highlighted an acceleration in the digitalization and automatization of risk and compliance services, most notably through the increased use of complex governance, risk and compliance (GRC) tools. For internal audit, this will likely lead to a necessary expansion of the auditor’s toolkit to incorporate cutting-edge digital knowledge and tools in the auditor’s own department. An EQA can emphasize this in the interest of enhancing audit effectiveness, thus potentially making a case for a department’s continued growth into a next-generation internal audit function.

Where do I start?

A strong first step for every internal audit department is the definition of a quality assurance and improvement program (QAIP) as part of its charter, and in agreement with its audit committee or other governing body in the company. This emphasizes the department’s will to ensure consistent quality and commitment to improvement and growth. The QAIP should include not only the periodic performance of EQAs but also annual internal monitoring of quality.

An EQA can also influence the overall QAIP: once the assessment is complete, part of the QAIP can be to establish improvement metrics for the internal audit department to measure itself against. For example, if the external assessor rates a section “Does Not Conform,” the goal will be to make sure that all recommendations are applied to have it reach the desired “Generally Conforms” rating. This can be periodically measured through the use of targeted key performance indicators (KPIs).

What are the key points to consider before having an EQA performed?

Similar to standard internal audits, to ensure optimal results, EQAs require some preparation before they are conducted. The main areas of focus before starting an EQA include the following:

  • Documentation alignment with IIA Standards and common findings: The internal audit department’s management must, at minimum, familiarize itself with The IIA’s Standards, especially regarding its charter, as detailed in the “Who are EQAs for?” section. In addition, common findings highlighted by The IIA help in benchmarking the internal audit department.
  • Alignment within the internal audit team: Internal audit department management must ensure that it is aware of the current strengths, challenges and areas for improvement in the department. It is not uncommon (especially for larger organizations) to find different perspectives at different levels of the internal audit department. The objective is to encourage discussion between management and the teams to ensure that information is known and shared with everyone in the group.
  • Highlighting the scope of the EQA: Internal audit department management should discuss the scope of the EQA with its chosen assessor before the start of the assignment. The scope of each engagement must be mutually understood, including the people to be interviewed (e.g., senior management, board members), the topics to be addressed (ensuring that known issues are not reported as unknown) and the distinction between judgment against the internal audit standard and judgment against best practice. Discussing these topics in depth before the EQA starts also helps establish a relationship of trust between both parties, which is essential for the engagement. The result of the EQA should be a collaborative effort in improving the internal audit function and giving a true and fair view of the department’s current state and opportunities for improvement.

I hope this short overview was helpful in understanding the key points on EQAs, especially regarding such an engagement’s benefits and preparation recommendations.
