Escolar Documentos
Profissional Documentos
Cultura Documentos
External assessment
Internal auditing
Internal auditing standards
Internal auditing clients
Quality control
Quality assessment
Quality service
1 Introduction
All good auditors know that to audit requires standards. All good managers know that to manage requires standards. Therefore all good internal auditing managers should be doubly aware of
this! (Large 997:6.)
85
Since the founding of the Institute of Internal Auditors (referred to hereafter as the
IIA) in the USA in 1941, the internal auditing profession has focused actively on
promoting the quality of internal auditors and of internal audit activities. Their
internal auditing standards currently require that quality control be exercised over
internal audit activities; and they have laid down broad guidelines on the form that
quality control in internal audit activities should assume.
The IIA endorses a set of standards called the Standards for the Professional
Practice of Internal Auditing (hereafter referred to as the internal auditing standards) with which internal auditors must comply. In accordance with these standards, internal audit activities must fulfil the responsibilities implied by the definition of internal auditing.
According to the IIA (IIA 2004:4), the objectives of the internal auditing standards are:
l To delineate basic principles that represent the practice of internal auditing as it
should be.
l To provide a framework for performing and promoting a broad range of value
added internal audit activities.
l To establish a basis for the evaluation of internal audit performance.
l To foster improved organisational processes and operations.
Since 1999, the guidelines for the internal auditing profession (including the standards for the professional practice of internal auditing and the code of ethics) have
undergone a process of revision. Since 1 January 2002, all internal audit activities
and any consultant who renders internal auditing services have to be subjected to
quality control, according to the provisions of Attribute Standard 1300 of the
internal auditing standards. The revised internal auditing standards on quality
control in internal audit activities reflect fundamental changes for the internal
auditing profession.
Prior to the latest revision of the internal auditing standards, these standards contained only one standard (Standard 560) on quality control. Standard 560 stipulated
that the head of the internal auditing function or chief audit executive was required
to implement a programme to ensure and improve the quality of his or her internal
audit activity (IIA 1998:84). The revised internal auditing standards at present
contain seven different standards that set out specific activities that must form part
of a quality assurance programme. According to the new standards on quality
control, any quality programme must meet certain requirements. It must:
l Cover all aspects of the internal audit activity (Standard 1300).
l Continuously monitor the effectiveness of the internal audit activity (Standard
1300).
l Offer assurance regarding the internal audit activitys compliance with the
internal auditing standards and the code of ethics (Standard 1300).
l Assist the internal audit activity in adding value and improving the organisations activities (Standard 1300).
86
Marais
3 Research strategy
The following research strategy was followed in this study:
l Both local and overseas literature on the topic, in the form of published books,
articles in professional and other journals and the published guidelines of the
IIA, was consulted.
l Appropriate theses, dissertations and opinion polls were studied.
The research findings are discussed in the following sections below:
4 Internal Auditing Standard 1300: General and specific prescriptions of the
internal auditing standards in respect of quality assurance
5 Internal Auditing Standard 1310: Quality programme assessments
6 Internal Auditing Standard 1311: Internal assessments
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107
87
Marais
providers of internal auditing services from outside the organisation, the chief audit
executive is the person who is responsible for:
l The overall control over the internal auditing service contract and the quality of
those services.
l Reporting to senior management and the board of directors on internal auditing
activities.
l Following up on the results stemming from the service contract (IIA 2004:26).
The person in an organisation who accepts the final responsibility for the internal
auditing activities is therefore also responsible for developing and maintaining a
quality programme for the internal audit activity.
Practice Advisory 1310-1 (IIA 2004:101-102) explains the responsibility of the
chief audit executive as follows: the chief audit executive should be held accountable for the implementation of a process designed to offer various interested parties
the reasonable assurance that the internal audit activity:
l Performs in accordance with its charter, which should be consistent with the
internal auditing standards and the IIAs code of ethics.
l Functions effectively and efficiently.
l Is deemed to add value and to improve the activities of the organisation.
4.2.2 The quality programme should cover all aspects of the internal
audit activity
In the internal auditing standards, an internal audit activity is defined as a department, section, team of consultants or other practitioner that renders independent,
objective, assurance and consulting services and is established or appointed to add
value and improve the organisations activities (IIA 2004:29).
The internal audit activity helps an organisation to realise its objectives by means
of a systematic, disciplined approach whereby the effectiveness of the organisations risk management, control and governance processes are evaluated and improved (IIA 2004:29).
The IIA (IIA 2004:xxvii) defines internal auditing as an independent, objective,
assurance and consulting activity designed to add value and improve an organisations operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes. From this description of an
internal audit activity and the definition of internal auditing, the following aspects
of the nature, responsibility and purpose of an internal audit activity can be inferred
and they should be contained in a quality programme:
l Nature
The internal audit activity should function independently.
The internal auditors should be objective.
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107
89
l Responsibility
The following should be evident:
assurance
consultation
value added
support/service provision, and
the establishment of a systematic and disciplined approach.
Objectives
improvement of the organisations activities.
realisation of the organisations objectives, and
promotion of the effectiveness of risk management, control and
management processes.
Besides the above, each prescription in the internal auditing standards can be
regarded as an area in which quality control should be exercised. Compliance with
the internal auditing standards as such is also such an area.
According to guidance provided by the IIA (IIA 2003:9-10), during a quality
assessment review cognisance should be taken of the following aspects:
l Executive management, any review function and operational managements
expectations of the internal audit activity.
l The organisations control environment and the environment in which the
internal audit activity operates.
l The extent to which the focus is on the evaluation of risk, assessment of control
systems and the inclusion of aspects of organisational control in audit planning
to ensure that internal audit activities add value to organisations.
l The integration of the internal audit activity in the organisations management
processes, with due consideration of service provision and communication between the principal role players in the management processes.
l The embodiment of internal auditing standards, including the IIAs five primary internal control objectives.
l The combination of the auditing staffs knowledge, experience and specialist
fields with their propensity to improve processes and operations that add value.
l The aids and techniques applied by the internal audit activity, with the emphasis on the utilisation of the technology available.
In the development and maintenance of a quality programme, the chief audit executive(s) should consider all the points mentioned above, as well as factors emanating
from the various internal audit activitys unique circumstances. According to
Chapman and Anderson (2002:53-54), comprehensive procedures should be in
place to ensure quality control of all aspects of the internal audit activity.
90
Marais
4.2.4 A quality programme should help the internal audit activity to add
value to and improve an organisations operations
According to the glossary to the internal auditing standards (IIA 2004:25), the
concept to add value means to create value or benefits for the owners, other
interested parties, users and clients. The value that internal audit activities add
justifies their existence. Value is created by applying resources to develop and
market products and services.
Internal auditors are continually collecting information in order to understand
and evaluate the risks faced by their organisations, and in the process they develop
a sound knowledge of and insight into the organisations operations. They also seek
opportunities for improvement. This information can be passed on to the appropriate managers and operating personnel by way of consultation, advice, written
reports or other methods.
Micheal P. Fabrizius (1997:3), former chairman of the IIA, mentions the
following questions that people involved in internal audit activities need to answer
to ensure that they are adding value:
l Are they focused on and attuned to their clients?
l Are their services cost-effective and timeous?
l Can they satisfy their clients needs?
l Do they continuously add value?
According to Chapman and Anderson (2002:55), effectiveness, efficiency and
value adding should be assessed from the perspective of an organisations senior
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107
91
management, the board of control and other role players who avail themselves of
the services of the internal audit activity. If an internal audit activity wants to add
value, the organisations strategic objectives and values should be the starting point
for identifying opportunities for improvement. The following are examples of
measures they could suggest for evaluating whether value is being added:
l Surveys of clients satisfaction on completion of an auditing project or consultation.
l The number of times management request involvement in the internal audit.
l The extent to which best practices and new procedures are implemented by the
internal audit activity to add value.
l The scope and quality of communication between the internal audit activity,
senior management and the board of control.
Marais
93
Marais
not evaluate work for which he or she was responsible and that a certain level of
expertise and knowledge is necessary to evaluate an internal audit activity (IIA
2003:31).
The following criteria may be used in the selection of internal evaluators:
l Objectivity.
l Knowledge of internal auditing standards.
l Managerial skills.
l Technical knowledge (financial, operational, management and information
technology).
l A professional qualification, such as a certified internal auditors (CIA) qualification.
l Knowledge of the industry.
l Knowledge of the organisation.
l Availability.
l Interest in the internal quality revision.
l Good communication skills.
l Human relations skills.
l The ability to make constructive recommendations (IIA 2003:31-32).
Generally, at least two team members are required to complete an assessment within
a reasonable time. One of them should act as the team leader. Team members
should be alternated from time to time. This will result in new perspectives on the
evaluation process.
Scope of the internal assessment
Practice Advisory 1311-1(IIA 2004:106), recommends that periodic assessment
may:
l Include more in-depth interviews with and opinion surveys of interested
groups.
l Be conducted by certified internal auditors (CIAs) or other competent professional auditors working elsewhere in the organisation.
l Be conducted by members of the internal audit activity (self-assessment), if the
necessary objectivity can be ensured.
l Involve a combination of self-assessment and the preparation of material
checked by a CIA or another competent professional auditor.
l Entail the measurement of the internal audit activitys practices and performance indicators against suitable best practices of the internal auditors profession.
According to the Quality Assessment Manual (IIA 2003:32-36), an internal assessment corresponds largely to an external assessment and consists of the following
components:
l Completion of a standard questionnaire by the chief audit executive.
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107
95
Marais
7.1 General
During the external assessment of an internal audit activity, compliance of the
internal audit activity with the internal auditing standards should be evaluated and
an opinion formed. Where appropriate, recommendations should be made to rectify
shortcomings. These revisions may be highly significant for the chief audit executive and other members of the internal auditing operation. Only suitably qualified
people should be permitted to conduct such evaluations.
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107
97
An external assessment is required within five years from 1 January 2002. Organisations that have already had an external assessment done should have the next
one done within five years.
Once an external assessment has been completed, a formal report should be submitted to the control board and senior management of the organisation concerned
(IIA 2004:109-110).
Marais
99
l The success of the internal audit activity in adding value and improving the
organisations activities.
According to a release of the Quality Review Service (IIA[s.a.]:3), external assessments conducted by the IIA have the following objectives:
l Evaluating the effectiveness and efficiency of the internal audit activity;
l Identifying opportunities and advising chief audit executives and internal audit
staff on improving their performance.
l Evaluating the auditing environment and the methods followed in the annual
risk analysis used to compile the audit schedule.
l Evaluating the organisations structure and the approach of the internal audit
activity to establish whether the audit resources are adequate to ensure proper
coverage of all facets of the business.
l Conducting a survey of perceptions about internal auditing within the organisation to determine the level of satisfaction of executive management and clients
of the internal audit activity with internal auditing services.
l Evaluating the adequacy of techniques and methods used by the internal audit
activity to test internal control systems.
l Identifying methods to improve policies and practices in the internal audit
activity and co-ordination with external auditors.
l Expressing an opinion about the internal audit activitys compliance with the
internal auditing standards.
Besides the above objectives, the risk to the organisation should be calculated if the
internal audit activity is found to be ineffective or does not meet the internal auditing standards (IIA 2003:11).
Marais
l Judging and evaluating the use of best practices in conducting internal audit
assignments and managing the internal audit activity.
l Recommendations for the improvement of methods, procedures and processes,
where appropriate.
l Feedback by the chief audit executive, including a plan of action to implement
recommendations and indicating the proposed dates of implementation (IIA
2004:113-114).
The chief audit executive must discuss the results of the evaluation and any plans of
action with the relevant senior management and the organisations board of control
(IIA 2004:19). This responsibility of the chief audit executive to report on the
results of the external assessment is discussed in more detail in Section 5 of this
article.
101
and processes which could provide a considerable advantage to the internal audit
activity. The basic steps should include the following:
l Planning and preparation, including the appointment of the team leader, the
team members and the external validator, as well as reflection on the process to
be followed and the reporting that will take place.
l Fieldwork, during which the focus should be on the structure of the internal
audit activity and organisation, risk assessment and planning of audit projects,
personnel skills and experience, utilisation of technology, value added to the
organisation and compliance with the internal auditing standards.
l The formulation of results, recommendations and implementation plans by the
self-assessment team leader, in collaboration with the chief audit executive, for
validation by the independent validator and submission to senior management
and the audit committee or other review function.
l Independent validation of the self-assessment.
The self-assessment should be properly documented. As in the case of the external
assessment, conclusions should be drawn about the internal audit activitys compliance with the internal auditing standards, the charter and the appropriate criteria,
and it should also contain recommendations for improvements and a plan of implementation.
A report on the results of the self-assessment should be compiled for submission
to senior management and the audit committee (or other review function) after
validation thereof by an external independent party.
The qualified independent party then conducts interviews with the chairperson of
the audit committee or other suitable council member and senior members of
management and conducts limited tests on the self-assessment and the preliminary
report to the board of directors and senior management. Hence the results of the
self-assessment are verified and can serve as the basis for any comments or further
recommendations.
The external reviewer expresses an opinion about the suitability of the process
followed during the self-assessment and the level of compliance with the internal
auditing standards pointed out by the self-assessment. The external validators
report is then included in or attached to the self-assessment report submitted to the
audit committee and to senior management.
Although a full external assessment holds the most benefits for an internal assessment, and should be included in the quality programme of an internal auditing
operation, self-assessment with independent validation is a method that allows
alternative compliance with the provisions of Standard 1312 of the internal auditing
standards (IIA 2004:113).
102
Marais
103
comply with the internal auditing standards. It is not aimed at detecting isolated
cases of non-compliance. Internal auditors who find it impossible to comply with a
specific standard in certain circumstances can still claim that their work was conducted in accordance with the internal auditing standards, as long as (in compliance
with the specifications of Standard 2430) they declare the specific areas of noncompliance in their final communication regarding the audit project, and indicate in
their evaluations of quality that they have fulfilled the internal auditing standards in
all other respects.
11 Summary
the challenge today is to raise the broad market perception of the value of our services (IIA
1999:27).
According to the Guidance Task Force1 (IIA 1999:27-28), a profession can have
great standards, but without credible mechanisms to enforce compliance, they lose
their effectiveness and their status as a mark of professional quality.
________________________
104
In 1997, The Guidance Task Force was appointed by the board of directors of the IIA to
investigate the following matters:
(1) the possibility that there is a gap between developing internal audit practice and the existing
internal auditing standards. and
(2) possible improvements to the existing processes in terms of which internal auditing standards are written and laid down and ways in which improvement can be promoted.
The Guidance Task Force consisted of 16 leaders in the field of internal auditing and was
representative of all interested parties throughout the world. They met six times: the first meeting took place in December 1997, and final one in September 1998. The details and results of
their study are contained in a publication of the Institute of Internal Auditors Research Foundation entitled A vision for the future: professional practices framework for internal auditing
(IIA 1999:1).
Marais
In the light of their investigation and findings, the Guidance Task Force made the
following recommendations to move internal auditing to an advanced level of
professionalism, which, according to them, will promote the quality, competitiveness and recognition of the profession:
l Compliance with the internal auditing standards should be compulsory and
should be proved by internal audit activities, by means of a satisfactory quality
assessment by an independent party.
l The internal auditing standards should demand that internal audit reports
contain an explicit declaration that internal auditing work is conducted according to the Standards for the Professional Practice of Internal Auditing (IIA
1999:27).
Since 1999, the IIA, in reaction to the findings of the Guidance Task Force, has put
into effect the acceptance of a new definition, implemented a new practice framework and updated the internal auditing standards. As discussed in this paper, the
internal auditing standards have already been amended and supplemented with the
following prescriptions on quality control:
l The external assessment should be performed at least every five years (Standard 1312).
l The chief audit executive should report the results of external assessments to
the board of directors (Standard 1320).
l Internal auditors can only declare that an audit has been performed in compliance with the internal auditing standards if, according to the prescriptions of
the standards, they have been subjected to an external assessment (Standard
1330).
l When non-compliance with the internal auditing standards could affect the
overall scope or operation of the internal audit activity, this should be disclosed
to senior management and the board of directors, via the chief audit executive
(Standard 1340).
The discussion in this article clearly shows that adequate standards are in place to
ensure the application of proper quality control in internal audit activities. The
important thing, however, is to encourage internal audit activities to apply proper
quality control themselves.
Although general compliance with the internal auditing standards is not enforced
in South Africa, legislation and regulations have been developed either to force or
to encourage larger organisations to use internal auditing services. The Public
Finance Management Act 1 of 1999 (as amended) stipulates that all state departments, listed public entities, constitutional institutions, Parliament and provincial
authorities should have internal audit activities that comply with the Treasury
regulations, which have been compiled in terms of the Act. These Treasury regulations stipulate that internal auditing services should be rendered on the basis of
the internal auditing standards (RSA 1999).
The King Report on Corporate Governance (Institute of Directors in Southern
Africa 2002) with which listed companies must comply in order to list at the
Meditari Accountancy Research Vol. 12 No. 2 2004 : 85107
105
Bibliography
Chapman, C. and Anderson, U. 2002. Implementing the professional practices
framework, Institute of Internal Auditors, Altamonte Springs, Florida.
Fabrizius, M.P. 1997. A passion for excellence, Internal Auditor, October, Vol. 54,
No. 5, pp.22-27.
Institute of Directors in Southern Africa. 2002. King report on corporate governance for South Africa 2002, Institute of Directors in Southern Africa, Parkland,
South Africa.
Institute of Internal Auditors (IIA). [s.a.]. QAR The key to improved effectiveness
and efficiency, Quality Auditing Division, Institute of Internal Auditors, Altamonte
Springs, Florida.
Institute of Internal Auditors (IIA). 1998. Standards for the professional practice of
internal auditing: Statements on internal auditing, standards nos. 1-18, statement of
responsibilities of internal auditing, code of ethics, Institute of Internal Auditors,
Altamonte Springs, Florida.
Institute of Internal Auditors (IIA). 1999. A vision for the future: professional
practices framework for internal auditing, Report of the guidance task force to the
IIAss board of directors, Institute of Internal Auditors, Altamonte Springs, Florida.
Institute of Internal Auditors. 2003. Quality assessment manual, 4th edition, Institute of Internal Auditors, Altamonte Springs, Florida.
Institute of Internal Auditors. 2004. The professional practice framework, Institute
of Internal Auditors, Altamonte Springs, Florida.
Large, N. 1997. How are we doing? The need for quality assurance, IIA IA Adviser, January/February, pp.5-6.
Moeller, R.R. and Witt, H. 1999. Brinks modern internal auditing, Wiley,
5th edition, New York.
106
Marais
Sawyer, L.B., Dittenhofer, M.A. and Scheiner, J.H. 2003. Sawyers internal
auditing. The practice of modern internal auditing, Institute of Internal Auditors,
5th edition, Altamonte Springs, Florida.
Republic of South Africa. 1999. Public Finance Management Act 1 of 1999
(amended), Government Printer, Pretoria.
107
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.