Demands on Internal Audit (“IA”) functions have never been greater or more complex, with corporate governance, risk management and internal controls under increased scrutiny by regulators and stakeholders alike.
IA functions are the last line of defense for any organisation to ensure that these elements are in line with ever-increasing expectations. Making sure that audits performed are of high quality is key to ensuring that the IA function remains relevant to the needs of the business.
The Institute of Internal Auditors’ (“IIA”) International Standards set out the requirements and expectations on quality assurance for IA functions. Having a quality assurance function to continuously challenge the effectiveness of IA has become the new normal for large audit teams in all sectors.
Colm Laird and our Internal Audit team explore below.
Standard up to 8 January 2025
Institute of Internal Auditors Standards and Requirements IIA Standard: 1300 - Quality Assurance and Improvement Program*
The Chief Audit Executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
Standard from 9 January 2025
Institute of Internal Auditors Global Internal Audit Standards - Standard 8.3: Quality*
The Chief Audit Executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
The quality assurance and improvement program must include both internal and external assessments. The Chief Audit Executive must communicate the results of the quality assurance and improvement program to senior management and the Board.
*See IIA Standard for complete wording of the Standards – synopsis included above. For 2024 Global Internal Audit Standards see also Standard 12.1.
Application in a small audit function
According to the 2024 Global Internal Audit Standards: If the internal audit function comprises only one member, an adequate quality assurance and improvement program will require assistance from outside the internal audit function.
What are Heads of IA’s key concerns on audit quality?
- Was the work performed to a high quality, resulting in all key issues identified?
- Was the prescribed internal audit methodology fully applied?
- How to drive continuous improvement within the IA function?
Generating insights and improving on these objectives requires a quality assurance function that is staffed by suitable senior professionals who are experienced in leading IA practices and are proficient in the technical aspects of all subject matter areas of the organisation. This requires significant investment and buy-in from business leaders, which can be challenging.
In practice, access to such experienced resources or the approval of a dedicated headcount to focus solely on quality assurance is often limited. Instead, we observe that Heads of Internal Audit often deploy a “peer review” model, where auditors perform quality assurance on each other's work. Such reviews are often performed against a pre-defined checklist or questionnaire that specifies only minimum expectations for audit activities.
While a peer review model helps overcome some of the cost and headcount restrictions, we find that it poses an even greater number of challenges for Heads of Internal Audit.
A structured approach to quality assurance
A Quality Assurance Improvement Programme (“QAIP”) built with the sole focus of assessing whether audit teams are following the IA function’s internal audit methodologies no longer meets the demands of stakeholders. Boards of Directors and Audit Committees expect IA functions to develop in line with the changing external and internal environment.
As such, Heads of IA need to demonstrate additional value and return on investment from their quality assurance programme.
To develop an impactful QAIP model, an IA function should consider a flexible, cost-effective and scalable quality assurance methodology. The methodology should define a complete set of requirements on areas like IA capabilities, technology support and deliverables.
This approach requires not just senior internal audit professionals, but also subject matter experts across the key business risks and operational processes, to provide views on the adequacy of audit coverage and quality of work. The desired methodology should be capable of addressing three key objectives of quality assurance:
Quality of Work:
- Audit Planning and Engagement Scoping
- Quality of Fieldwork Performed
- Conclusions and Reporting
- Use of SMEs in Specialised Audits
Assess Compliance:
- Audit Process
- Gateway and Milestone Approvals
- Audit Execution
- Documentation
Continuous Improvement:
- Audit Methodology Assessment
- Audit Data Trend Analysis
- Audit Timeliness and Performance Benchmarking
- Knowledge and Insight Sharing
Having the right people is key to success
A peer-review QAIP model with general auditors might work for standard audits. However, it may prove difficult to provide the necessary level of challenge for specialised audit areas, especially on the quality of risks being identified, the appropriateness of scope changes during fieldwork, the appropriateness of issues identified and the final audit rating. A value-adding QAIP would consider the use of SMEs to share industry knowledge and provide insights during the quality review of specialised audit areas.
Based on KPMG market insights, the following areas are considered the most challenging for quality assurers to provide valuable insights on:
Going beyond the traditional QAIP
A traditional QAIP helps to improve the performance of your internal audit team. Heads of IA can also utilise the quality assurance function to conduct additional assessments aimed at improving other aspects of the IA function.
A modern QAIP should be able to provide rich insights to the Board or the Audit Committee, providing them extra comfort that the IA function is fully effective as the third line of defense of their organisation:
Additional Data Analysis
Data analysis on the IA function is as important as incorporating data analysis in your internal audit work. Are you using data to actively identify actions for the coming year?
Continuous Risk Assessment
If you have a big organisation with different businesses and jurisdictions, you urgently need to launch an ongoing assessment for managing various strategic and emerging risks. Are you certain that the internal audit plan is up to date and reflective of emerging risks and changes in the external environment?
Issue Follow Up and Validation Process
It is important to evaluate whether issues are closed off. Do audit teams sufficiently test and assess management’s remediation actions and identify repeat issues?
IA Employee Survey
Your audit team is your strongest asset. Do you have good line-of-sight on potential concerns and improvement areas from their perspective?
Treatment of Repeat Issues
The problem of repeat issues can be due to multiple reasons. Does your IA function investigate root causes, both holistically and on a per-issue basis?
How can KPMG help?
When conducting Quality Assurance Reviews, our objective is to share our view of leading internal audit practices which reflect your industry, business, size, structure, and most importantly, your goals.
We believe that there is no one-size-fits-all approach to QAIP. We will tailor our service offering to reflect the nature, scale, and complexity of your organisation.
Highlights of our service offerings include: