Print this article | Return to Article | Return to CFO.com
To attain IIA certification, internal auditors must undergo an external quality assessment every five years.
Helen Shaw, CFO.com | US
February 8, 2006
Many companies might soon be looking for ways to provide an audit of the inner workings of their internal-audit departments. While the "audit of the (internal) audit" is a service that the Big Four and second-tier accounting firms have offered for some time, it's likely to be in greater demand because the effective deadline of a standard by the Institute of Internal Auditors is slated to roll in next New Year's Day.
Beginning next year, in order to be able to claim their practices are in line with IIA standards, internal auditors will have to undergo an external quality assessment of their work every five years. Before the standard was adopted on January 1, 2002, getting such an audit every three years was merely a recommendation. Internal audit departments that existed before then will have to undergo an external assessment by January 1, 2007.
At stake is an internal-audit team's ability to state in its internal charter that the company is acting "in accordance with the International Standards for the Professional Practice of Internal Auditing." In turn, a successful assessment of the team enables individual internal auditors to say they're acting in line with the standards as well.
Although SOX bars external auditors from performing internal-audit services themselves, the Public Company Accounting Oversight Board (PCAOB) allows them to rely on the work of competent internal auditors. An external assessment—by another audit firm, presumably—is one way for a company to display the expertise of its internal audit department, according to the IIA.
But the process can provide other benefits. "The value of quality monitoring is for the internal auditors themselves to get constant feedback on how they perform," said Dominique Vincenti, chief advocacy officer at the IIA. "For employers of internal auditors, this is [also] evidence they are dealing with professionals."
The assessment evaluates compliance with the IIA's standards, the company's internal audit and audit committee charters, its risk and control assessment, and its use of best practices. The review also includes a look at the structure of the audit department, its chain of command, and its operational independence. The final report is submitted to the board audit committee and senior management.
There are also different ways to accomplish the external review than using an external services provider. To limit costs and receive input from outside volunteers with a strong internal audit background, Aquila engaged in a peer review process through the IIA. Often, the volunteers come from competing companies and sign confidentiality agreements to prevent inter-company spying. The cost was only $12,000 and the review lasted one week, added Fountain. In exchange for the service, Aquila will provide staff volunteers to perform another company's review.
The results of an assessment, of course, can differ widely from company to company. "In one case, a strong internal audit function got past the standards compliance piece quickly and focused on ideas and enhancements rather than problems," observes Dick Anderson, partner of PricewaterhouseCooopers' internal audit services. On the other hand, Anderson has observed situations in which assessments that unearthed operational difficulties resulted in reports that were "not flattering to internal audit."
From their point of view, the external reviewers must set priorities in order to be successful in assessing internal auditors, experts say. "It is important that the review not just be a 'checklist' appropriate to conformance with standards," says Lynn Fountain, vice president of risk assessment and audit at Aquila, a Kansas City, Missouri-based utility that distributes electricity and gas.
The problem with a checklist approach is that it inefficiently applies the same standard of comparison to risks both big and small, according to Fountain. That can increase the cost and distort the results of an internal-audit review by causing the reviewer to place too much stress on insignificant issues and vice versa. "Not all key controls are created equal," she notes.