Performing an Internal Self-Assessment of your Internal Audit Department

August 12, 2022


Internal audit departments following the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF or “Standards”) are required to develop and maintain a quality assurance and improvement program (QAIP) that includes internal and external assessments. A QAIP verifies the work is performed in accordance with the Standards and the IIA’s Code of Ethics and that the internal audit department operates in an efficient and effective manner.

Most audit shops are already performing ongoing reviews of their engagements through supervision, workpaper review, following established audit policies and procedures governing the audit process, and soliciting feedback from customers. Periodic self-assessments go beyond the routine supervision and monitoring of each engagement to evaluate each IIA Standard. Performing a thorough self-assessment can help increase efficiencies, create uniformity of documentation amongst your team, and help prepare the audit shop for a positive external review.

Periodic self-assessments are often conducted at the mid-point of the five-year external review cycle but may be conducted more frequently. The review may be performed by the chief audit executive (CAE), assigned to a senior auditor, preferably a Certified Internal Auditor (CIA), or divided amongst the staff. It is important that all members of your review team be open to change and allow a positive dialog for discussing potential weaknesses and recommendations.

There is no single method required for conducting a self-assessment. One way to efficiently evaluate all of the Standards is to design your self-assessment around the following four themes: Governance, Staff, Management, and Process, which is how the IIA teaches external reviews. The Governance and Staff sections address the IIA’s Attribute Standards and the Management and Process sections address the IIA’s Performance Standards.

If you are a state college or university and your state performs peer reviews, you may be able to obtain detailed templates from your state auditor’s office to help in your review. The following is a summary of the critical tests that the State of North Carolina uses for its external reviews:

Governance

These Standards refer to how the internal audit function is governed. Key documents include the Audit Charter, department procedures manual, organization chart, and independence attestations.
  • The Purpose, Authority, and Responsibility need to be defined in your Internal Audit Charter. The language in the charter should align with the IPPF, address both assurance and consulting services, and allow unrestricted access to records and personnel. Review your charter and ensure it reflects your current practices and has been approved by your Board of Trustees or Audit Committee.  
  • Independence of the internal audit department should be confirmed to the Board at least annually. Departmental independence is often achieved by reporting administratively to the President/Chancellor and functionally to the Board of Trustees or Audit Committee. Ensure your organizational chart reflects an independent reporting structure. Additionally, individual auditors must be independent of the areas audited, and new auditors must refrain from assessing specific operations for which they were responsible within the last year. Auditor independence may be demonstrated by individual attestation for the audit plan year or for each engagement by each auditor.
  • The IIA Code of Ethics must be followed by all members of the Internal Audit department, whether or not they hold any IIA certifications. Consider whether all team members uphold the principles of integrity, objectivity, confidentiality and competency. One option to demonstrate awareness is to include the IIA Code of Ethics in your procedure manual and have team members sign an affidavit to confirm their understanding.
  • The Quality Assurance and Improvement Program must be developed and maintained by the CAE. A description of regular engagement monitoring, periodic internal assessment, and 5-year external assessments should be documented in the procedure manual. Verify prior assessments were timely and shared with senior management and the Board.

Staff

The Staff Standards focus on auditor competency and the ability to have sufficient knowledge and skills to perform engagements. Employee certifications and training records are tangible evidence, and the ability to exercise due professional care is reflected in the engagement work papers.
  • Proficiency must be demonstrated by all internal audit team members. Auditors must possess the knowledge and skills needed to perform their responsibilities individually and as a department. Maintain records on professional certifications and continuing professional education logs that show the staff collectively has specialty knowledge such as IT, fraud detection and data analytic skills required to complete the audit plan. Subject matter experts may be needed. Evidence of proficiency may be documented in performance reviews, and post-engagement client surveys should include feedback on staff proficiency.
  • Due Professional Care, that which is expected of a reasonably prudent and competent auditor, must be applied. Determine whether engagements were staffed and adequately supervised based on the complexity of the subject. Verify engagement planning considered fraud and the feasibility of using data analytics for a higher level of assurance.
  • Continuous Professional Development applies to all team members, not just those maintaining certifications. Define training requirements in the procedure manual and counsel staff on relevant training opportunities. Audit team members should track their continuing professional education training and ensure they meet licensing and departmental requirements.

Management

Management refers to managing the duties of the internal audit function along with the nature of work. The internal audit activity is effectively managed when it achieves the purpose of the audit charter, conforms with the Standards, and considers emerging trends that could impact the organization. Annual audit plans, performance metrics, achievement of the plan, reports to the Board, engagement reporting, and meeting minutes are key documents for the self-assessment.
  • An Audit Plan that determines the priorities of the internal audit activity must be established by the CAE, usually on an annual basis. The audit plan should be based on a risk assessment, input solicited from senior management and the Board, and consider resource management. Ensure the methodology for establishing the audit plan was documented, and the final plan was formally approved by the Board.
  • Policies and Procedures should be documented to guide the internal audit activity. Review the department’s procedure manual and verify that it is current, complete, and aligns with the Standards. Ensure that the procedure manual is being followed throughout the internal assessment process.
  • Reporting to Senior Management and the Board should occur regularly. Verify that the following items were reported at least annually: the audit charter, independence of the internal audit activity, the audit plan and progress against the plan, resource requirements, results of audit activities and conformance with the Standards.
  • The Governance of the organization needs to be assessed by the internal audit activity, and appropriate recommendations for improvement should be made. Verify there is documentation to support sufficient coverage of improvements to the organization’s governance process, such as memos and meeting minutes.
  • The Risk Management process of the organization must be evaluated, and the internal audit activity must evaluate the effectiveness and contribute recommendations for improvements. Auditors may collaborate with other areas such as Legal or the Enterprise Risk Management function. Significant risks, including fraud risks, should be addressed in the annual audit plan.
  • If Overall Opinions are used for engagements, they must be supported by a summary of the information that supports the opinion. Review your reports for appropriate overall opinions.
  • Communicating the Acceptance of Risk by management should be handled consistently. The procedure manual should state the process taken when management accepts a level of risk that may be unacceptable to the organization, such as escalation to the Board. Verify these processes were followed for any engagements where unacceptable risks were identified.  

Process

Process refers to the execution of engagements in the audit plan. Several engagements should be chosen for the self-assessment to evaluate workpapers for planning, fieldwork and reporting, along with tracking of follow-up items. Sample different types of engagements, such as audits, consultations and investigations, performed by different auditors.
  • Engagement Planning is required for each engagement to establish the engagement’s objectives, scope, timing and resource allocations. For the sample of engagements, determine whether risks were identified, objectives were established, and appropriate scope and resources were defined and documented in an engagement letter to the client.
  • Engagement Work Programs should be developed and documented that address key risks, policies and procedures. Verify work programs were created that included clear instructions, addressed risks and objectives, and were approved prior to fieldwork.
  • While Performing the Engagement, auditors must identify, analyze, evaluate and document sufficient information to achieve the engagement’s objectives. Review engagement workpapers and verify they identified factual, adequate and convincing information. Workpapers should be consistently performed by all team members and reliable and useful enough to support the conclusions. Ensure sound and accurate sampling and testing procedures were performed. Confirm workpapers are retained per your institution’s requirements.
  • Engagement Supervision is necessary to ensure objectives are achieved, quality is assured and staff is developed. Verify there is evidence of workpaper review, which could be a manual or electronic sign-off or approval completed using audit software. Demonstrate that staff members receive feedback and training during engagements by retaining review notes.
  • Communicate the Results of engagements to the auditee and appropriate parties such as senior management and the Board. Confirm engagement report observations and conclusions were supported by the workpapers. Evaluate whether positive results and satisfactory performance were included in final communications. Ensure reported results were helpful to the client and organization and led to improvements where needed. Determine whether any errors or omissions were corrected and re-issued.
  • A Monitoring Process must be developed by the CAE to ensure actions have been effectively implemented. This process should be defined in the procedure manual and followed for all engagements. Outstanding items should be tracked and monitored. Review past engagements with findings and verify there is evidence that management action plans are being followed up and resolved timely.

Conclusion

Complete your self-assessment by identifying areas of improvement and have team members collaborate on feasible solutions. As you would for any other audit, document the findings in a report along with your department’s management responses and due dates, and ensure those changes are made timely. Share your accomplishments and commitment to improvement with senior management and the Board.

While a full internal self-assessment can be time-consuming, it can be worked on intermittently throughout the year or completed all at once. By utilizing a team approach, the team members will learn the IIA Standards and strengthen their knowledge of departmental requirements. Single-member audit shops will also benefit from conducting an internal assessment by ensuring their department meets the Standards and is prepared for the external review. 
 
Ms. Hefner will be speaking on this topic at the 2022 AuditCon in Las Vegas, session A10 Internal Self-Assessments: Create A Winning Hand.
 

About the Author

Kara Hefner

 

Kara Hefner, CPA, CIA, CFE has been a Senior Internal Auditor at the University of North Carolina at Chapel Hill for the past three years and has 19 additional years of internal audit experience in university health care, public utilities, and student loan guarantors. Kara has been trained by the IIA to perform external assessments and has conducted internal and external assessments of internal audit departments at various state agencies. Kara is the current Deputy Editor of the College and University Auditor Journal and presents at ACUA conferences.
