Is Your Internal Audit Function Effective?


In the post-Sarbanes-Oxley era, internal audit departments can become a key contributor to an effective internal controls environment.

By Gerry Dixon, Garry Goodall
Gerry Dixon
Partner and Leader Risk Services
Ernst & Young

Garry Goodall
Senior Manager Risk Services
Ernst & Young

“Are we getting an acceptable return from our increased expenditures on risk management and compliance?” That’s the question many financial services organizations are asking as they consider the sizable costs incurred to comply with the Sarbanes-Oxley Act, prevent errors and fraud, and implement or reinvigorate their enterprise risk management programs. The question is a valid one, since even after substantial outlays of funds, organizations may continue to experience errors, frauds, and inefficiencies that can heighten their risk of financial loss.

Even though much of the increased expenditure has been made in risk management and compliance areas, it is the internal audit (IA) department that is often placed under the greatest scrutiny. Many chief audit executives are under growing pressure to demonstrate the value they deliver to the organization and how they are contributing to the future state of risks and controls within their respective firms. Adding to this pressure, an Institute of Internal Auditors (IIA) standard calls for an external assessment of the IA function, such as a quality assurance review (QAR), to be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. So internal audit is clearly in the crosshairs of management, regulators, and other key stakeholders.

Although the primary purpose of a QAR is to determine compliance with the International Standards for the Professional Practice of Internal Auditing, many of the stakeholders of IA departments, including audit committee members and C-suite executives, are taking a serious interest in these assessments. They are using them to confirm alignment of IA with their priorities and expectations, identify opportunities to significantly improve IA departments, and optimize the level of convergence of IA with other risk functions in the organization.

How Can a QAR Help?
Whether or not you have concerns about the direction, performance, and deliverables of your IA function, a QAR presents an ideal opportunity to confirm that IA is maximizing the value that can be delivered. And if the QAR determines that it isn’t, the review team can help you create a mutually acceptable action plan to get IA where it needs to be.

In most cases, a QAR reveals that many improvements are needed in one or more of the areas covered by the five key questions below. If you answer “no” or “don’t know” to any of these questions, your organization may be missing an opportunity to derive significant value from a function that is a key component of its overall corporate governance:

• What assurance do we actually get from IA? Has its role been clearly defined, and is this role understood across the organization, and aligned with other risk management and assurance functions?
• Does IA have personnel with the required business, auditing, and relationship management skills and experience, and is there a formal process for continuous development?
• Is IA focused on the right risks, and does the audit plan provide sufficient risk coverage?
• Does IA have a robust process to confirm that all audit work is of high quality, i.e., that controls are evaluated appropriately, testing is rigorous, and appropriate conclusions are reached?
• Is IA sufficiently independent and objective, and are its reports valued?

A properly executed and focused QAR provides numerous benefits to the IA department and the overall organization, including:
• Alignment between the expectations of key stakeholders, other risk management functions, and the IA department.
• Confirmation that your IA function is performing well and is in compliance with professional standards.
• Perspectives on what other leading functions are doing to address today’s risk and assurance challenges.
• Pragmatic and actionable plans to address any shortcomings in direction, performance, and reporting.

Options and Approaches
Ultimately, depending on its needs, your organization has options in terms of the approach taken for the QAR. These options relate to the scope and focus of the QAR, as well as the team that performs the work.

The scope of the review can range from a relatively narrow focus on the IIA standards to a broad evaluation of the function in the context of all stakeholders’ expectations and the practices employed by leading functions within other organizations. Many organizations recognize the value provided by a broader review, particularly given the intensified focus on corporate governance. You should expect the firm you select to perform the QAR to work with you up front to determine the scope and focus of the review.

Whether the team consists of appropriately qualified individuals from the IIA, peer institutions (although many organizations are concerned about the implications of sharing data with auditors from their peers), or a qualified external provider, it should have the ability to benchmark your IA department against other firms, both within and outside the industry. For an IA department to be progressive and responsive, it needs to learn from what other firms are doing so it can improve its operations.

While the IIA provides guidance on how to execute a QAR, it is critically important that the core objectives of the review be discussed with, and have buy-in from, not only the chief audit executive, but also the chair of the audit committee and other key IA stakeholders, typically the chief financial officer. Common key objectives, beyond IIA compliance, include optimizing leverage from other risk and assurance functions, determining the adequacy of risk coverage, and achieving stronger alignment with stakeholder expectations.

The QAR review should include the following components:

Stakeholder interviews. In addition to audit committee members, the review team interviews a broad cross section of executives and external audit partners to identify themes. The number of interviews may range from 10 to as many as 40, although 30 interviews usually are optimal.

IA staff surveys/interviews. These interviews are the source of enormous insight on how well IA is performing. With confidentiality guaranteed, the IA staff can often highlight gaps in performance.

Documentation and infrastructure review. The team also should review IA’s own quality assessment process. Other typical areas reviewed include the risk assessment and audit plan, a representative sample of work papers, audit reports, and audit committee and executive reporting. It is also common to evaluate the department’s mission, people model, organization structure, policies and procedures manual and use of technology.

Action plan development and reporting. The observations and recommendations found in some QARs suggest that the review team simply did not understand the size and complexity of the organization. Realistic, pragmatic and actionable plans to address shortfalls in direction, performance, and reporting are essential. The most effective action plans emanate from a joint effort between the IA leadership team and the QAR team, supported, as appropriate, by a selection of industry and internal audit professionals from the review firm.

Areas that Need Attention
For the most part, a QAR reveals that a leading-practice IA function is innovative and actively seeks to improve itself through best-in-class initiatives and best practices groups. Many IA functions are focused on providing robust and independent assurance, adding value, and continually improving their contribution to the organization. However, reviewers frequently encounter recurring areas of needed improvement related to the key questions posed at the beginning of this article:

The role of audit. In the post-Sarbanes era, many IA functions are reevaluating their role in the organization. Some want to be more consultative on operational and control issues, some want to audit operational effectiveness, and others want to ensure independence and objectivity to enhance their oversight of the internal control environment. With such a broad range of roles, there may be a misalignment between what the audit committee and management want and how IA actually operates. Often, departments must match their focus and priorities with users’ expectations.

Also, IA departments are only slowly beginning to leverage the work of other risk management and assurance functions, including the internal controls/Sarbanes-Oxley group, which should be accelerated to achieve greater efficiencies.

People. IA departments often become a victim of their own success, losing some of their most talented individuals to other parts of the organization. The best IA functions have great people, are often viewed as pioneers by the human resource department, and have robust orientation, training, and development programs. Conversely, many functions have skills gaps, inadequate training support, and no clear direction as to what the people model should be. Is the department planning to hire many junior auditors and grow talent for the firm? Will more senior-level people be rotated into key positions? Is it planning to rotate professionals into audit? A clear and concise plan, approved by the audit committee, is key to sustaining a high-performing function.

Risk focus. Audit functions frequently do not demonstrate that they are aligned with the key risks facing the organization, as viewed by senior management. There are two root causes for this. First, IA leadership often fails to discuss and agree on the role and focus of IA work. This can be a fatal flaw, because management buy-in is critical to proper alignment and risk coverage. Second, IA may perform a risk assessment of the organization by breaking it down into hundreds of auditable entities, without ever linking these to the risks that most concern management. The first issue—the failure to discuss and agree upon IA’s role—reflects more seriously on IA leadership than the second, which often can be addressed by enhanced mapping of the audit plan and more transparent reporting.

Reviewers also frequently find that the risk assessment and audit plan contain gaps in coverage, often in areas where IA lacks expertise, such as tax, human capital, real estate, and some technical areas, such as market/credit risk and technology.

Quality. The quality of internal audit documentation nearly always surfaces as an issue in a QAR, inevitably raising questions about the overall quality of the work performed. In some cases, the documentation needed to demonstrate the thought process, logic, and robustness of the IA work is inadequate, disjointed, or incomplete. Often, this proves to be a matter of “form over substance” because the actual work performed is solid. However, even in such cases, poor internal quality control leads to inefficiencies and a loss of confidence in conclusions and recommendations.

Reporting. The focal point of IA work is the regular report provided to the audit committee, executive management, and the organization’s risk and control committee(s). Leading IA departments recognize that the audit committee and executive management want these presentations to provide assurance on as many of the major risks facing the organization as possible, and to highlight the major risks that the audit committee and executive management need to be concerned about today.

These departments provide a holistic evaluation of risk management and control across the entire organization on a regular basis (e.g., quarterly or semiannually). Often, this evaluation compares the control environment across different divisions, functions, and enterprises within the business (e.g., an assessment for each of the CEO’s direct reports) and highlights overall trends and themes emanating from the audit results.

Unfortunately, many IA departments fall short in both of these areas. Too often, their reports focus only on describing the issues identified in completed audits, and only limited attempts are made to highlight recurring themes or significant risks. This is not an optimal use of resources, since it indicates that IA is failing to leverage its position of being able to view risks and issues from an organization-wide perspective.

Inadequate IA reports can lead to an under-informed audit committee and executive management team. Moreover, they can promote the often-mistaken belief that there is a direct correlation between the number of issues raised by IA and the effectiveness of the organization’s risk management and controls.

Performance - the Bottom Line
As these commonly found areas of weakness demonstrate, a comprehensive quality assurance review can help an organization find out whether it is getting a sufficient return on increased expenditure on risk management and assurance services. By determining whether there are any fundamental gaps with respect to the role, people, risk focus, quality, and reporting of the IA department, the QAR can play a key role in ensuring a high-performing and effective IA department that can make a critical difference to an organization.

Gerry Dixon is a partner and leader of Ernst & Young’s Risk Services practice within the Financial Services Office.

Garry Goodall is a senior manager of Ernst & Young’s Risk Services practice within the Financial Services Office.

© 2019 Simplex Knowledge Company. All Rights Reserved.