Quality assurance in internal

auditing: An analysis of the

standards and guidelines
implemented by the Institute
of Internal Auditors (IIA)
M Marais
School of Accounting Sciences
University of South Africa
Abstract
Via the Institute of Internal Auditors, founded in 1941, the internal auditing
profession actively promote the quality of internal auditors and internal audit
activities. Since 1999, internal auditing standards have been revised. From
1 January 2002, all internal audit activities/any consultant rendering internal
auditing services must undergo quality control, according to the provisions of
Attribute Standard 1300. The revised internal auditing standards on quality
control in internal audit activities reflect fundamental changes for the internal
auditing profession. This article analyses the formal prescriptions and guidelines on quality in internal audit activities contained in the internal auditing
standards and related practice advisories.
Key words
Chief audit executive
Internal assessment
Internal auditors
Internal audit activity
Quality
Quality assurance
Quality programme

External assessment
Internal auditing
Internal auditing standards
Internal auditing clients
Quality control
Quality assessment
Quality service

1 Introduction
All good auditors know that to audit requires standards. All good managers know that to manage requires standards. Therefore all good internal auditing managers should be doubly aware of
this! (Large 997:6.)

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

85

Quality assurance in internal auditing

Since the founding of the Institute of Internal Auditors (referred to hereafter as the
IIA) in the USA in 1941, the internal auditing profession has focused actively on
promoting the quality of internal auditors and of internal audit activities. Their
internal auditing standards currently require that quality control be exercised over
internal audit activities; and they have laid down broad guidelines on the form that
quality control in internal audit activities should assume.
The IIA endorses a set of standards called the Standards for the Professional
Practice of Internal Auditing (hereafter referred to as the internal auditing standards) with which internal auditors must comply. In accordance with these standards, internal audit activities must fulfil the responsibilities implied by the definition of internal auditing.
According to the IIA (IIA 2004:4), the objectives of the internal auditing standards are:
l To delineate basic principles that represent the practice of internal auditing as it
should be.
l To provide a framework for performing and promoting a broad range of value
added internal audit activities.
l To establish a basis for the evaluation of internal audit performance.
l To foster improved organisational processes and operations.
Since 1999, the guidelines for the internal auditing profession (including the standards for the professional practice of internal auditing and the code of ethics) have
undergone a process of revision. Since 1 January 2002, all internal audit activities
and any consultant who renders internal auditing services have to be subjected to
quality control, according to the provisions of Attribute Standard 1300 of the
internal auditing standards. The revised internal auditing standards on quality
control in internal audit activities reflect fundamental changes for the internal
auditing profession.
Prior to the latest revision of the internal auditing standards, these standards contained only one standard (Standard 560) on quality control. Standard 560 stipulated
that the head of the internal auditing function or chief audit executive was required
to implement a programme to ensure and improve the quality of his or her internal
audit activity (IIA 1998:84). The revised internal auditing standards at present
contain seven different standards that set out specific activities that must form part
of a quality assurance programme. According to the new standards on quality
control, any quality programme must meet certain requirements. It must:
l Cover all aspects of the internal audit activity (Standard 1300).
l Continuously monitor the effectiveness of the internal audit activity (Standard
1300).
l Offer assurance regarding the internal audit activitys compliance with the
internal auditing standards and the code of ethics (Standard 1300).
l Assist the internal audit activity in adding value and improving the organisations activities (Standard 1300).
86

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

l Make provision for continuous as well as periodic internal monitoring and

assessment (Standards 1310 and 1311).
l Make provision for an external assessment, at least once every five years, the
results of which should be reported to the organisations board of control (Standards 1310, 1312, 1320 and 1340) (IIA 2004:11-12).
The omission of any of the above elements from a quality programme indicates that
the internal audit activity fails to meet the requirements of the internal auditing
standards. If an internal audit activity does not comply with the internal auditing
standards, the internal auditors may not declare that their work has been performed
in compliance with the internal auditing standards (Standard 1330). According to
Standard 1340, when non-compliance of the internal auditing standards has an
impact on the overall scope of operation of the internal audit activity, disclosure of
such non-compliance to senior management and the board of control is required
(IIA 2004:12).

2 Purpose of the article

The purpose of this article is to analyse the formal prescriptions and guidelines on
quality in internal audit activities, as contained in the internal auditing standards
(Attribute Standards 1300-1330) and the related Practice Advisories.
Practice advisories are endorsed by the IIA and are strongly recommended as
ways to implement the internal auditing standards. They represent best practices
endorsed by the IIA, but they are not mandatory (IIA 2004: xxiv).
Although it is fair to assume that all the internal auditing standards and existing
internal auditing guidelines have been compiled with the ultimate objective of
promoting the overall quality of internal auditing, the discussion of internal auditing
standards in this article is confined to the process of quality control in internal audit
activities, which is primarily the responsibility of the head of the internal audit
activity or the chief audit executive. Only those standards which are directly related
hereto are discussed in this article.

3 Research strategy
The following research strategy was followed in this study:
l Both local and overseas literature on the topic, in the form of published books,
articles in professional and other journals and the published guidelines of the
IIA, was consulted.
l Appropriate theses, dissertations and opinion polls were studied.
The research findings are discussed in the following sections below:
4 Internal Auditing Standard 1300: General and specific prescriptions of the
internal auditing standards in respect of quality assurance
5 Internal Auditing Standard 1310: Quality programme assessments
6 Internal Auditing Standard 1311: Internal assessments
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

87

Quality assurance in internal auditing

7 Internal Auditing Standard 1312: External assessments

8 Internal Auditing Standard 1320: Reporting on the quality programme
9 Internal Auditing Standard 1330: Use of the expression, Conducted in accordance with the internal auditing standards
10 Internal Auditing Standard 1340: Disclosure if the internal auditing standards
are not met
11 Summary
12 References

4 Internal Auditing Standard 1300: General and

specific prescriptions of the internal auditing
standards in respect of quality assurance
4.1 General prescriptions
It would appear from the title of Standard 1300 of the internal auditing standards,
Quality Assurance and Improvement Program (hereafter referred to as a quality
programme) that the aim of this standard is to ensure and improve quality in
internal auditing services.
To ensure and improve the quality of the internal auditing services, a quality programme is proposed which:
l Is developed and maintained by the chief audit executive.
l Covers all aspects of the internal audit activity.
l Monitors, on an ongoing basis, the effectiveness of all aspects of the internal
audit activity (IIA 2004:11).
A quality programme should be developed in such a way that it helps the internal
audit activity to:
l Add value to and improve an organisations activities.
l Meet the internal auditing standards and code of ethics of the IIA (IIA
2004:11)

4.2 Specific prescriptions

4.2.1 The chief audit executive is responsible for the development and
maintenance of the quality programme
The concept chief audit executive (also referred to as the general auditor, chief
audit executive and inspector general) is described in the internal auditing standards (IIA 2004:26) as the most important position in the organisation which bears
the responsibility for internal audit activities. In an in-house internal audit activity,
the position is filled by the director or head of the internal auditing function (chief
audit executive). In instances where internal auditing services are rendered by
88

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

providers of internal auditing services from outside the organisation, the chief audit
executive is the person who is responsible for:
l The overall control over the internal auditing service contract and the quality of
those services.
l Reporting to senior management and the board of directors on internal auditing
activities.
l Following up on the results stemming from the service contract (IIA 2004:26).
The person in an organisation who accepts the final responsibility for the internal
auditing activities is therefore also responsible for developing and maintaining a
quality programme for the internal audit activity.
Practice Advisory 1310-1 (IIA 2004:101-102) explains the responsibility of the
chief audit executive as follows: the chief audit executive should be held accountable for the implementation of a process designed to offer various interested parties
the reasonable assurance that the internal audit activity:
l Performs in accordance with its charter, which should be consistent with the
internal auditing standards and the IIAs code of ethics.
l Functions effectively and efficiently.
l Is deemed to add value and to improve the activities of the organisation.

4.2.2 The quality programme should cover all aspects of the internal
audit activity
In the internal auditing standards, an internal audit activity is defined as a department, section, team of consultants or other practitioner that renders independent,
objective, assurance and consulting services and is established or appointed to add
value and improve the organisations activities (IIA 2004:29).
The internal audit activity helps an organisation to realise its objectives by means
of a systematic, disciplined approach whereby the effectiveness of the organisations risk management, control and governance processes are evaluated and improved (IIA 2004:29).
The IIA (IIA 2004:xxvii) defines internal auditing as an independent, objective,
assurance and consulting activity designed to add value and improve an organisations operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes. From this description of an
internal audit activity and the definition of internal auditing, the following aspects
of the nature, responsibility and purpose of an internal audit activity can be inferred
and they should be contained in a quality programme:
l Nature
The internal audit activity should function independently.
The internal auditors should be objective.
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

89

Quality assurance in internal auditing

l Responsibility
The following should be evident:
assurance
consultation
value added
support/service provision, and
the establishment of a systematic and disciplined approach.
Objectives
improvement of the organisations activities.
realisation of the organisations objectives, and
promotion of the effectiveness of risk management, control and
management processes.
Besides the above, each prescription in the internal auditing standards can be
regarded as an area in which quality control should be exercised. Compliance with
the internal auditing standards as such is also such an area.
According to guidance provided by the IIA (IIA 2003:9-10), during a quality
assessment review cognisance should be taken of the following aspects:
l Executive management, any review function and operational managements
expectations of the internal audit activity.
l The organisations control environment and the environment in which the
internal audit activity operates.
l The extent to which the focus is on the evaluation of risk, assessment of control
systems and the inclusion of aspects of organisational control in audit planning
to ensure that internal audit activities add value to organisations.
l The integration of the internal audit activity in the organisations management
processes, with due consideration of service provision and communication between the principal role players in the management processes.
l The embodiment of internal auditing standards, including the IIAs five primary internal control objectives.
l The combination of the auditing staffs knowledge, experience and specialist
fields with their propensity to improve processes and operations that add value.
l The aids and techniques applied by the internal audit activity, with the emphasis on the utilisation of the technology available.
In the development and maintenance of a quality programme, the chief audit executive(s) should consider all the points mentioned above, as well as factors emanating
from the various internal audit activitys unique circumstances. According to
Chapman and Anderson (2002:53-54), comprehensive procedures should be in
place to ensure quality control of all aspects of the internal audit activity.
90

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

4.2.3 The quality programme must monitor the effectiveness of all

aspects of the internal audit activity on a continuous basis
An isolated or discontinuous effort to check the performance of internal audit
activities is not sufficient to comply with the requirements of the internal auditing
standards. Certain operations inherent in the internal auditing process must be
performed on a continuous basis in order to monitor internal audit activities. Actions that are built into the internal auditing process, such as checking the auditing
working papers and approving internal audit reports before they are issued, ensure
the effectiveness of the internal audit activity on an ongoing basis (Chapman and
Anderson 2002:54).
In external assessments undertaken by the IIA itself, effectiveness is measured
against how well the internal audit activity meets clients needs and criteria, which
are normally determined by the audit committee, the organisations executive
management and other auditing clients (IIA 2003:11).
The chief audit executive must therefore keep abreast of the expectations of the
audit committee, of the executive management and of other auditing clients, as well
as of the criteria against which the performance of an internal audit activity can be
measured. On the basis hereof, they then need to develop and maintain procedures
to ensure that the internal audit activity complies with these expectations and
criteria in all respects.

4.2.4 A quality programme should help the internal audit activity to add
value to and improve an organisations operations
According to the glossary to the internal auditing standards (IIA 2004:25), the
concept to add value means to create value or benefits for the owners, other
interested parties, users and clients. The value that internal audit activities add
justifies their existence. Value is created by applying resources to develop and
market products and services.
Internal auditors are continually collecting information in order to understand
and evaluate the risks faced by their organisations, and in the process they develop
a sound knowledge of and insight into the organisations operations. They also seek
opportunities for improvement. This information can be passed on to the appropriate managers and operating personnel by way of consultation, advice, written
reports or other methods.
Micheal P. Fabrizius (1997:3), former chairman of the IIA, mentions the
following questions that people involved in internal audit activities need to answer
to ensure that they are adding value:
l Are they focused on and attuned to their clients?
l Are their services cost-effective and timeous?
l Can they satisfy their clients needs?
l Do they continuously add value?
According to Chapman and Anderson (2002:55), effectiveness, efficiency and
value adding should be assessed from the perspective of an organisations senior
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

91

Quality assurance in internal auditing

management, the board of control and other role players who avail themselves of
the services of the internal audit activity. If an internal audit activity wants to add
value, the organisations strategic objectives and values should be the starting point
for identifying opportunities for improvement. The following are examples of
measures they could suggest for evaluating whether value is being added:
l Surveys of clients satisfaction on completion of an auditing project or consultation.
l The number of times management request involvement in the internal audit.
l The extent to which best practices and new procedures are implemented by the
internal audit activity to add value.
l The scope and quality of communication between the internal audit activity,
senior management and the board of control.

4.2.5 A quality programme should offer assurance that the internal

audit activity complies with the internal auditing standards and
code of ethics
Since compliance with developed practice standards and a code of ethics is
generally accepted as a prerequisite for the quality of work in any industry, some
measurement of the extent to which internal audit activities satisfy the internal
auditing standards and the IIAs code of ethics should be a primary objective of
such a quality programme (Chapman and Anderson 2002:54).
According to guidance provided in Practice Advisory 1310-1, paragraph 1, a
quality programme should reassure not only the chief audit executive, but also all
other interested parties, such as senior management, external auditors, the
organisations board of control and regulating authorities that the internal audit
activity satisfies the requirements of the internal auditing standards and code of
ethics (IIA 2004:101).

5 Internal Auditing Standard 1310: Quality

programme assessments
According to Standard 1310 of the internal auditing standards (IIA 2004:11), every
internal audit activity should include a process that monitors the general
effectiveness of the quality programme. The process should include both internal
and external assessments.
Monitoring quality programmes entails continous measurement and analysis of
performance criteria. An assessment of quality programmes involves a study of the
quality of the internal audit activity, which culminates in a conclusion and possible
recommendations. According to guidance provided in Practice Advisory 1310-1
(IIA 2004:102), it should also include measurement of the following:
l Compliance with the internal auditing standards and code of ethics.
l Adequacy of the internal auditing operations charter, aims, objectives, policy
and procedures.
92

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

l Contribution to the organisations risk management, control and management

processes.
l Compliance with appropriate laws, regulations and government and industry
standards.
l The effectiveness of the operations and acceptance of best practices.
l Value added and improvement of the organisations activities through the
internal audit activity (IIA 2004:102).
Practice Advisory 1310-1 also recommends that all endeavours to improve quality
should be linked to a communication process developed to facilitate the necessary
adjustments to resources, technology, processes and procedures, and that the chief
audit executive should establish accountability by discussing the results of the
external assessment (and where appropriate, the results of the internal assessment of
the quality programme) with individuals with an interest in the internal audit
activity, such as senior management, the board of directors, the audit committee and
the external auditors (IIA 2004:102-103).

6 Internal Auditing Standard 1311: Internal

assessment of quality programmes
Internal assessment provides assurance to the chief audit executive that all internal
auditing personnel, including the supervisors, are doing their work properly.
Periodic internal assessments are also conducted to provide assurance with regard
to specific projects that the findings reported are accurate and reliable (Sawyer,
Dittenhofer and Scheiner 2003:1025).
Standard 1311 of the internal auditing standards stipulates that internal assessment should include:
l Ongoing reviews of the performance of the internal audit activity.
l Periodic assessments, either by means of self-assessment or assessments
conducted by other individuals in the organisation with the necessary knowledge of internal auditing practice and of the internal auditing standards (IIA
2004:11).

6.1 Continuous internal assessment

According to guidance provided in Practice Advisory 1311-1, Internal Assessments,
opinions should continuously be formed about the ongoing performance of the
internal audit activity and regular follow-ups should take place to ensure that
appropriate improvements are implemented. The principal component of continuous monitoring and assessment is supervision over internal auditing projects, as
explained in Practice Advisory 2340-1, Engagement Supervision. Adequate supervision is the basis of a quality programme and also the foundation upon which
internal and external assessments are conducted. According to Practice Advisory
1311-1, paragraph 1, the work of internal auditors needs to be supervised to ensure
compliance with the internal auditing standards, the policy of the internal audit
activity and internal audit programmes (IIA 2004:105).
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

93

Quality assurance in internal auditing

According to Sawyer et al (2003: 1024), properly supervised audit projects are

the first and, perhaps, the most important step in a program of quality assurance.
When supervisors do their jobs properly in the first place, the internal and external
reviews should disclose no serious defects in those matters that are under the direct
control of the internal audit department. Standard 2340 of the internal auditing
standards stipulates that internal audit engagements should be conducted under
proper supervision to ensure that the objectives, the required quality control and
personnel development are achieved (IIA 2004:21).
Additional methods for continuous monitoring of internal auditing work are:
l Checklists to ensure that the standard processes and procedures of the internal
audit activity are in fact followed.
l Feedback from auditing clients and other interested parties on completion of an
audit project.
l Analysis of performance standards, for example, the time it takes to complete
an audit project and the percentage of internal audit recommendations implemented.
l Budget statistics on audit projects, systems that monitor the amount of time
spent on the project, tasks completed in respect of the tasks planned and cost
recoveries (IIA 2004:105-106).
Sawyer et al (2003:1010) subscribe to the above in their discussion of what they
call a micro-approach to quality control. They contend that individual audit
processes should be investigated and evaluated on a continuous basis. Each individual audit should have a measurable objective. The objective as well as the
measurement criteria should be included in the audit programme. The objectives of
an audit should therefore be defined and on completion of each audit, an indication
should be given of the extent of the achievement of the objectives, based on the
measurement criteria outlined in the audit programme.

6.2 Periodic internal assessment

6.2.1 General
Practice Advisory 1311-1: Internal Assessments provides the following guidelines
on the performance of internal assessments: periodic internal assessment should be
designed to assess compliance with the charter of the internal audit activity, compliance with the internal auditing standards and the code of ethics as well as the
effectiveness of the internal audit activity (IIA 2004:106).

6.2.2 Qualifications of the internal assessor

The same standards of objectivity and independence for any other internal audit
should also apply to the internal assessment of internal audit activities (Moeller and
Witt 1999:32-33). In larger organisations, one person may be appointed to exercise
quality control. Such a person would be a suitable candidate for the job of team
leader in an internal assessment. In smaller organisations, flexibility is necessary for
internal assessments to be conducted. It must be borne in mind that the auditor may
94

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

not evaluate work for which he or she was responsible and that a certain level of
expertise and knowledge is necessary to evaluate an internal audit activity (IIA
2003:31).
The following criteria may be used in the selection of internal evaluators:
l Objectivity.
l Knowledge of internal auditing standards.
l Managerial skills.
l Technical knowledge (financial, operational, management and information
technology).
l A professional qualification, such as a certified internal auditors (CIA) qualification.
l Knowledge of the industry.
l Knowledge of the organisation.
l Availability.
l Interest in the internal quality revision.
l Good communication skills.
l Human relations skills.
l The ability to make constructive recommendations (IIA 2003:31-32).
Generally, at least two team members are required to complete an assessment within
a reasonable time. One of them should act as the team leader. Team members
should be alternated from time to time. This will result in new perspectives on the
evaluation process.
Scope of the internal assessment
Practice Advisory 1311-1(IIA 2004:106), recommends that periodic assessment
may:
l Include more in-depth interviews with and opinion surveys of interested
groups.
l Be conducted by certified internal auditors (CIAs) or other competent professional auditors working elsewhere in the organisation.
l Be conducted by members of the internal audit activity (self-assessment), if the
necessary objectivity can be ensured.
l Involve a combination of self-assessment and the preparation of material
checked by a CIA or another competent professional auditor.
l Entail the measurement of the internal audit activitys practices and performance indicators against suitable best practices of the internal auditors profession.
According to the Quality Assessment Manual (IIA 2003:32-36), an internal assessment corresponds largely to an external assessment and consists of the following
components:
l Completion of a standard questionnaire by the chief audit executive.
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

95

Quality assurance in internal auditing

l Opinion polls by internal audit clients and internal audit personnel.

l Implementation of the procedures decided upon.
l Interviews with the board of directors and audit committee, the organisations
chief executive officer, other executive directors, operational managers and internal auditors.
l An assessment of the internal audit activity.
l A summary of the findings and recommendations in order to come up with
meaningful suggestions for the final meeting.
l A report to the chief audit executive according to the method agreed upon with
him or her at the start of the evaluation.
l A follow-up to ensure that the necessary attention is focused on the recommendations in the report.
Moeller and Witt (1999:32/22) hold that the internal assessment of an internal audit
activity should be a formal process, similar to that followed in any other formal
internal auditing project. It should be properly planned and conducted according to
a formal audit programme. In contrast to the provisions of the internal auditing
standards as set out above, it should be conducted by individuals who are independent from the internal audit activity (Moeller and Witt 1999:32/33). In order to offer
the necessary assurance to the chief audit executive and any other interested party, a
periodic internal assessment should be conducted with the same formality and
discipline as any other internal auditing project.
Sawyer et al (2003:1025-1026) recommend that an internal assessment should:
l Be conducted according to a budget and fixed schedule.
l Be carried out according to an audit programme that explains the steps the
evaluator should follow.
l Be conducted on a sample of internal audit projects representative of the total
output of the internal audit activity.
l Make provision for the evaluator to discuss any problems he or she may identify with the auditors and supervisors of the relevant audit project.
l Be supported by working papers documenting the entire evaluation process.
l Culminate in a formal report on the results of the assessment.

6.2.3 Reporting the results

Conclusions should be drawn about the performance of an internal audit activity
and the appropriateness of action taken in order to improve performance and
promote compliance with the internal auditing standards (IIA 2004:106).
The chief audit executive should develop a structure for reporting the results
of periodic assessments to ensure the necessary merit and objectivity. As a rule,
those tasked with the responsibility of conducting continuous and periodic assessments should report to the chief audit executive while they are conducting the
96

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

assessments. Their findings should be communicated directly to the chief audit

executive (IIA 2004:107).
The chief audit executive should discuss the results of the internal assessment
and the plans of action required with the appropriate parties outside the internal
audit activity, such as senior management, the board of directors, the audit committee and external auditors (IIA 2004:107).
According to the guidelines for internal assessments contained in the Quality
Assessment Manual (IIA 2003:35), the review team should prepare a complete
report of the results of the internal assessment and submit it to the chief of the
internal audit activity. The format of the report should be decided upon at the start
of the assessment. In response to the report of the review team, the chief of the
internal audit activity should compile a roster for implementation with regard to
each recommendation. The chief audit executive may involve members of the
internal auditing management team in this response. The response should indicate
clearly whether those involved in the internal audit activity concur with the recommendation or whether they wish to make another recommendation. Reasons should
be given for any decision to disregard a recommendation. If the report of the
internal assessment is sent to a party outside the internal audit activity, for example,
the audit committee, it should be accompanied by the chief audit executives written
response to the evaluation.

7 Internal auditing standard 1312: External

assessment of quality programmes
Standard 1312 of the internal auditing standards stipulates that an external assessment should be conducted at least once every five years by a qualified, independent
reviewer or review team from outside the organisation concerned (IIA 2004:11).
Hence, each internal audit activity should allow an external assessment to be conducted within five years from 1 January 2002, the date of implementation of the
new internal auditing standards (IIA 2004:11).
The guidelines contained in Practice Advisory 1312-1: External Assessments are
elucidated in the following six sections, adding relevant information from other
sources.

7.1 General
During the external assessment of an internal audit activity, compliance of the
internal audit activity with the internal auditing standards should be evaluated and
an opinion formed. Where appropriate, recommendations should be made to rectify
shortcomings. These revisions may be highly significant for the chief audit executive and other members of the internal auditing operation. Only suitably qualified
people should be permitted to conduct such evaluations.
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

97

Quality assurance in internal auditing

An external assessment is required within five years from 1 January 2002. Organisations that have already had an external assessment done should have the next
one done within five years.
Once an external assessment has been completed, a formal report should be submitted to the control board and senior management of the organisation concerned
(IIA 2004:109-110).

7.2 Qualifications of the external assessor

Both external evaluators of good quality, and the individuals who authorise selfassessments (see the discussion later in this article) must be independent of the
organisation and the internal audit activity. The team responsible for conducting the
assessment should consist of individuals skilled in the professional practice of
internal auditing and the external assessment process.
The following requirements should be considered in the choice of an external
assessor:
l Independence
External assessments should be conducted by suitably qualified individuals
who are independent of the organisation and who do not have any real or apparent conflict of interest. Being independent of the organisation means not being part of the organisation and not being under the control of the organisation
in which the internal audit activity is established. The person who is conducting
the external assessment, the team members and any other individuals involved
in the process should have no obligation towards or interest in the organisation
that is being evaluated or its personnel. Individuals employed in another department in the organisation (even though they may be independent of the internal audit activity) are not deemed to be independent for the purposes of conducting an external assessment (IIA 2004:110).
In the selection of an external evaluator, cognisance should be taken of possible, real or apparent conflicts of interest which the evaluator may have as a result of previous or current ties with the organisation or the internal audit activity (IIA 2004:111).
l Integrity and objectivity
Integrity requires that the team conducting the evaluation should be honest and
operate within the bounds of confidentiality. Service and the trust of the public
should not be made subservient to self-gain and profit. Objectivity is an intellectual propensity. Objectivity compels an evaluator to be impartial and intellectually honest. There may be no conflicts of interest (IIA 2004:111).
l Competence
Professional judgment is necessary to conduct an external assessment and
communicate the results thereof. Hence an individual conducting an evaluation
must:
98

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

be a competent, certified professional auditor (a CIA, CA or CISA) who is

fully conversant with the internal auditing standards;
be well grounded in best practices in the internal auditing profession;
and/or
have at least three years or recent experience in the application of internal
auditing at management level (IIA 2004:111).
The review team should include members who are skilled in information technology
and who have experience of the appropriate industry. Individuals who are specialists in other specialised fields such as statistical sampling or self-assessments can
assist the review team in those areas (IIA 2004:111).
The most general conductors of external assessments are the IIA, public accounting and auditing firms and private consultants. The following candidates are listed
specifically in Practice Advisory 1312-1 (2004:112) as being fully qualified to act
as external quality assessors:
l Trained quality programme assessors of the IIA.
l People qualified to confirm compliance with legislation and regulations (compliance auditors).
l Consultants.
l External auditors.
l Other professional service providers, and/or
l Internal auditors from outside the organisation.

7.3 Approval of management and the board of directors

The chief audit executive should involve senior management in the selection of the
external evaluator(s) and obtain their approval for the appointment (IIA 2004:112).

7.4 Scope of external assessments

According to paragraph 12 of Practice Advisory 1312: External Assessment (IIA
2004:112), the external assessment should provide a broad overview and include
coverage of the following elements of the internal audit activity:
l Compliance with the internal auditing standards and the code of ethics.
l Compliance with the internal audit activitys charter, planning, policy, procedures and practices.
l Compliance with appropriate legislation and other regulations.
l Fulfilment of the expectations of the board of control, executive management
and operational management as expressed by them.
l Integration of the internal audit activity in the organisations control processes
and the existing relationships between the key groups involved in the process.
l Aids and techniques used in the internal audit activity.
l The composition of the knowledge, experience and disciplines in which the
personnel are schooled, as well as their propensity for improving processes.
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

99

Quality assurance in internal auditing

l The success of the internal audit activity in adding value and improving the
organisations activities.
According to a release of the Quality Review Service (IIA[s.a.]:3), external assessments conducted by the IIA have the following objectives:
l Evaluating the effectiveness and efficiency of the internal audit activity;
l Identifying opportunities and advising chief audit executives and internal audit
staff on improving their performance.
l Evaluating the auditing environment and the methods followed in the annual
risk analysis used to compile the audit schedule.
l Evaluating the organisations structure and the approach of the internal audit
activity to establish whether the audit resources are adequate to ensure proper
coverage of all facets of the business.
l Conducting a survey of perceptions about internal auditing within the organisation to determine the level of satisfaction of executive management and clients
of the internal audit activity with internal auditing services.
l Evaluating the adequacy of techniques and methods used by the internal audit
activity to test internal control systems.
l Identifying methods to improve policies and practices in the internal audit
activity and co-ordination with external auditors.
l Expressing an opinion about the internal audit activitys compliance with the
internal auditing standards.
Besides the above objectives, the risk to the organisation should be calculated if the
internal audit activity is found to be ineffective or does not meet the internal auditing standards (IIA 2003:11).

7.5 Reporting of the results

The preliminary results of an external assessment of an internal audit activity should
be discussed with the chief audit executive during the completion of the evaluation
process. The final results should be communicated to the chief audit executive or to
any other official who authorised the investigation.
Reporting should address the following:
l The nature or the review is it a full review or an independent validation of a
self-assessment?
l The internal audit activitys compliance with the internal auditing standards
the term compliance means that the activities of the internal audit activity,
viewed as a whole, comply with the requirements of the internal auditing standards. In the same vein, non-compliance means that the impact and substance
of the deviation in activities of the internal audit activity is so serious that the
internal audit activitys ability to perform its duties is hampered. Expressing an
opinion on the basis of the results of the external assessment demands pure
business judgment, integrity and proper professional care.
100

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

l Judging and evaluating the use of best practices in conducting internal audit
assignments and managing the internal audit activity.
l Recommendations for the improvement of methods, procedures and processes,
where appropriate.
l Feedback by the chief audit executive, including a plan of action to implement
recommendations and indicating the proposed dates of implementation (IIA
2004:113-114).
The chief audit executive must discuss the results of the evaluation and any plans of
action with the relevant senior management and the organisations board of control
(IIA 2004:19). This responsibility of the chief audit executive to report on the
results of the external assessment is discussed in more detail in Section 5 of this
article.

7.6 Self-assessment with independent validation

An alternative proposed by Practice Advisory 1312-1 for external assessment is that
the chief audit executive must undertake a self-assessment of the internal audit
activity and that he or she must have it ratified by an independent person. Such a
self-assessment should be characterised by the following:
l A comprehensive and fully documented self-assessment process.
l An independent validation, on the premises of the auditing activity, by an
evaluator who meets the prerequisites.
l The requirements for economic time and resource utilisation.
A team led by the chief audit executive must conduct the self-assessment and the
results should be communicated to the appropriate senior management and the
organisations board of control. The self-assessment should focus on the internal
audit mission and compliance with the internal auditing standards. A qualified
independent evaluator should be appointed to conduct limited tests on the selfassessment, to ratify the results and express an opinion about the apparent level of
the activitys compliance with the internal auditing standards (IIA 2004:113).
Moeller and Witt (1999:33/9) contend that self-assessment is a cost-effective
method whereby the smaller internal audit activities can judge their own quality.
Small internal audit activities can often not afford the services of an external
evaluator and do not have enough appropriate staff to assign to quality assessments.
According to the fourth edition of the Quality Assessment Manual (IIA 2003:2122), the self-assessment with independent validation has the following characteristics: an evaluation similar to the external assessment is conducted, but with the
difference that it is performed by competent professional internal auditors under the
leadership of the chief audit executive. Owing to the knowledge that the internal
auditors have of the internal audit activity, the organisations policy and procedures
and the internal audit activitys application of internal auditing standards, this
evaluation should be less time-consuming than an external assessment. However,
external evaluators have greater exposure and can suggest new ideas, techniques
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

101

Quality assurance in internal auditing

and processes which could provide a considerable advantage to the internal audit
activity. The basic steps should include the following:
l Planning and preparation, including the appointment of the team leader, the
team members and the external validator, as well as reflection on the process to
be followed and the reporting that will take place.
l Fieldwork, during which the focus should be on the structure of the internal
audit activity and organisation, risk assessment and planning of audit projects,
personnel skills and experience, utilisation of technology, value added to the
organisation and compliance with the internal auditing standards.
l The formulation of results, recommendations and implementation plans by the
self-assessment team leader, in collaboration with the chief audit executive, for
validation by the independent validator and submission to senior management
and the audit committee or other review function.
l Independent validation of the self-assessment.
The self-assessment should be properly documented. As in the case of the external
assessment, conclusions should be drawn about the internal audit activitys compliance with the internal auditing standards, the charter and the appropriate criteria,
and it should also contain recommendations for improvements and a plan of implementation.
A report on the results of the self-assessment should be compiled for submission
to senior management and the audit committee (or other review function) after
validation thereof by an external independent party.
The qualified independent party then conducts interviews with the chairperson of
the audit committee or other suitable council member and senior members of
management and conducts limited tests on the self-assessment and the preliminary
report to the board of directors and senior management. Hence the results of the
self-assessment are verified and can serve as the basis for any comments or further
recommendations.
The external reviewer expresses an opinion about the suitability of the process
followed during the self-assessment and the level of compliance with the internal
auditing standards pointed out by the self-assessment. The external validators
report is then included in or attached to the self-assessment report submitted to the
audit committee and to senior management.
Although a full external assessment holds the most benefits for an internal assessment, and should be included in the quality programme of an internal auditing
operation, self-assessment with independent validation is a method that allows
alternative compliance with the provisions of Standard 1312 of the internal auditing
standards (IIA 2004:113).

102

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

8 Internal Auditing Standard 1320: Reporting on the

quality programme
According to Standard 1320 of the internal auditing standards, the chief audit
executive should report the results of external assessments to the board of directors,
appropriate members of senior management and the audit committee (IIA 2004:11).
Practice Advisory 1320-1 recommends that on completing an external assessment, the team that conducted the assessment should issue a formal report expressing an opinion about the internal audit activitys compliance with the internal
auditing standards. The report should also refer to the internal audit activitys
compliance with the internal audit charter and other appropriate standards and it
should contain recommendations for improving the quality of the internal audit
activity (IIA 2004:115).
A preliminary report should be supplied to the chief audit executive on the basis
of which he or she is afforded an opportunity to make comments. The chief audit
executive should respond to the comments and recommendations in the report with
a formal plan of action. Proper follow-up is also the responsibility of the chief audit
executive (IIA 2004:115).
The final report containing the chief audit executives comments and plans of
action is usually addressed to the person in the organisation who requested the
evaluation, with copies of the report to the board of directors, appropriate members
of senior management and the audit committee or other review function with an
interest in the internal audit activity (IIA 2003:20).

9 Internal Auditing Standard 1330: Use of the

expression Conducted in accordance with the
internal auditing standards
In Standard 1330 of the internal auditing standards, internal auditors are encouraged to report on the statement that internal auditing is conducted in accordance
with the Standards for the Professional Practice of Internal Auditing. Internal
auditors may, however, only use this statement if assessment of the quality programme confirms that the internal audit activity does in fact comply with the internal auditing standards (IIA 2004:12).
Practice Advisory 1330-1 (2004:117-118) contains the following guidelines in
this regard: before an audit report can declare that an audit has been conducted in
accordance with the internal auditing standards, the quality programme must be
evaluated and the finding should be that the internal audit activity does comply with
the internal auditing standards. Instances where non-compliance has an impact on
the total review of the operation of the internal audit activity (including neglecting
to allow an external assessment to be conducted by 1 January 2007), should be
reported to senior management and the board of directors.
It is important to note that the above provisions apply only in instances where
quality assessments indicate that the internal audit activity in general does not
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

103

Quality assurance in internal auditing

comply with the internal auditing standards. It is not aimed at detecting isolated
cases of non-compliance. Internal auditors who find it impossible to comply with a
specific standard in certain circumstances can still claim that their work was conducted in accordance with the internal auditing standards, as long as (in compliance
with the specifications of Standard 2430) they declare the specific areas of noncompliance in their final communication regarding the audit project, and indicate in
their evaluations of quality that they have fulfilled the internal auditing standards in
all other respects.

10 Internal Auditing Standard 1340: Disclosure if the

internal auditing standards are not met
Although internal audit activities should comply fully with the internal auditing
standards and the internal auditors code of ethics, there may be instances in which
internal audit activities and/or internal auditors do not satisfy these standards. When
such non-compliance influences the review and functioning of the internal audit
activity, it should be reported to senior management and the board of control (IIA
2004:12).
Standard 2430 stipulates in cases where the internal auditing standards are not
complied with in a specific audit project that in the final report containing the
results of the audit project, the following should be mentioned:
l What internal auditing standard was not complied with.
l The reason why the standard was not complied with.
l The impact of the non-compliance with the standard on the audit project
(IIA 2004:22)

11 Summary
the challenge today is to raise the broad market perception of the value of our services (IIA
1999:27).

According to the Guidance Task Force1 (IIA 1999:27-28), a profession can have
great standards, but without credible mechanisms to enforce compliance, they lose
their effectiveness and their status as a mark of professional quality.
________________________

104

In 1997, The Guidance Task Force was appointed by the board of directors of the IIA to
investigate the following matters:
(1) the possibility that there is a gap between developing internal audit practice and the existing
internal auditing standards. and
(2) possible improvements to the existing processes in terms of which internal auditing standards are written and laid down and ways in which improvement can be promoted.
The Guidance Task Force consisted of 16 leaders in the field of internal auditing and was
representative of all interested parties throughout the world. They met six times: the first meeting took place in December 1997, and final one in September 1998. The details and results of
their study are contained in a publication of the Institute of Internal Auditors Research Foundation entitled A vision for the future: professional practices framework for internal auditing
(IIA 1999:1).

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

In the light of their investigation and findings, the Guidance Task Force made the
following recommendations to move internal auditing to an advanced level of
professionalism, which, according to them, will promote the quality, competitiveness and recognition of the profession:
l Compliance with the internal auditing standards should be compulsory and
should be proved by internal audit activities, by means of a satisfactory quality
assessment by an independent party.
l The internal auditing standards should demand that internal audit reports
contain an explicit declaration that internal auditing work is conducted according to the Standards for the Professional Practice of Internal Auditing (IIA
1999:27).
Since 1999, the IIA, in reaction to the findings of the Guidance Task Force, has put
into effect the acceptance of a new definition, implemented a new practice framework and updated the internal auditing standards. As discussed in this paper, the
internal auditing standards have already been amended and supplemented with the
following prescriptions on quality control:
l The external assessment should be performed at least every five years (Standard 1312).
l The chief audit executive should report the results of external assessments to
the board of directors (Standard 1320).
l Internal auditors can only declare that an audit has been performed in compliance with the internal auditing standards if, according to the prescriptions of
the standards, they have been subjected to an external assessment (Standard
1330).
l When non-compliance with the internal auditing standards could affect the
overall scope or operation of the internal audit activity, this should be disclosed
to senior management and the board of directors, via the chief audit executive
(Standard 1340).
The discussion in this article clearly shows that adequate standards are in place to
ensure the application of proper quality control in internal audit activities. The
important thing, however, is to encourage internal audit activities to apply proper
quality control themselves.
Although general compliance with the internal auditing standards is not enforced
in South Africa, legislation and regulations have been developed either to force or
to encourage larger organisations to use internal auditing services. The Public
Finance Management Act 1 of 1999 (as amended) stipulates that all state departments, listed public entities, constitutional institutions, Parliament and provincial
authorities should have internal audit activities that comply with the Treasury
regulations, which have been compiled in terms of the Act. These Treasury regulations stipulate that internal auditing services should be rendered on the basis of
the internal auditing standards (RSA 1999).
The King Report on Corporate Governance (Institute of Directors in Southern
Africa 2002) with which listed companies must comply in order to list at the
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

105

Quality assurance in internal auditing

Johannesburg Securities Exchange recommends that companies should have an

effective internal audit activity and the Report endorses the definition of internal
auditing, code of ethics and standards of the IIA, Inc. (Institute of Directors in
Southern Africa 2002, sec 3).
In the light of the fact that the majority of organisations with internal audit activities in South Africa are either regulated by the Public Finance Management Act or
by the listing requirements of the Johannesburg Securities Exchange, most internal
audit activities in South Africa should be actively steering towards proper quality
control over their activities in order to comply with the internal auditing standards
set by the IIA.

Bibliography
Chapman, C. and Anderson, U. 2002. Implementing the professional practices
framework, Institute of Internal Auditors, Altamonte Springs, Florida.
Fabrizius, M.P. 1997. A passion for excellence, Internal Auditor, October, Vol. 54,
No. 5, pp.22-27.
Institute of Directors in Southern Africa. 2002. King report on corporate governance for South Africa 2002, Institute of Directors in Southern Africa, Parkland,
South Africa.
Institute of Internal Auditors (IIA). [s.a.]. QAR The key to improved effectiveness
and efficiency, Quality Auditing Division, Institute of Internal Auditors, Altamonte
Springs, Florida.
Institute of Internal Auditors (IIA). 1998. Standards for the professional practice of
internal auditing: Statements on internal auditing, standards nos. 1-18, statement of
responsibilities of internal auditing, code of ethics, Institute of Internal Auditors,
Altamonte Springs, Florida.
Institute of Internal Auditors (IIA). 1999. A vision for the future: professional
practices framework for internal auditing, Report of the guidance task force to the
IIAss board of directors, Institute of Internal Auditors, Altamonte Springs, Florida.
Institute of Internal Auditors. 2003. Quality assessment manual, 4th edition, Institute of Internal Auditors, Altamonte Springs, Florida.
Institute of Internal Auditors. 2004. The professional practice framework, Institute
of Internal Auditors, Altamonte Springs, Florida.
Large, N. 1997. How are we doing? The need for quality assurance, IIA IA Adviser, January/February, pp.5-6.
Moeller, R.R. and Witt, H. 1999. Brinks modern internal auditing, Wiley,
5th edition, New York.
106

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

Marais

Sawyer, L.B., Dittenhofer, M.A. and Scheiner, J.H. 2003. Sawyers internal
auditing. The practice of modern internal auditing, Institute of Internal Auditors,
5th edition, Altamonte Springs, Florida.
Republic of South Africa. 1999. Public Finance Management Act 1 of 1999
(amended), Government Printer, Pretoria.

Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107

107

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.