
The IIA recommends that an assessment be made at least every five years, but most CAEs want to know how well they are doing every year.
When I became a CAE, I started by benchmarking against firms that had a great reputation, either for their business practices or internal audit departments. That is still a good idea and I recommend it. But in my case I found so many practices that disturbed me that after a couple of years I only met with CAEs whose presentations at conferences indicated they led practices I would admire. For example, one major company’s auditors spent 60% of their audit time on documentation, which is far too much, and would continue to perform audit work until their allocated time ran out even if they had completed the defined scope. Another said they had a risk-based approach; but they then said that every function and process is audited at least once every five years on a cyclical basis. That is not risk-based internal auditing.
I highly recommend attending conferences and seminars to keep up-to-date, build and maintain a network, and hear from your peers and thought-leaders. However, always listen with both an open and questioning mind. Not all so-called thought leaders should (IMHO) be considered up to world-class levels. This blog is quite active in criticizing some of the guidance that is published!
One approach is to have an external quality assurance review (QAR). That can be done through the IIA, who will assign a team of experienced auditors to follow IIA QAR guidance and methodologies. The primary focus is typically compliance with IIA Standards and the Code of Ethics, although the better review leads will also interview stakeholders and provide more of a qualitative assessment of performance. You can also engage one of the consulting firms to perform a QAR.
The value of external reviews is limited to the experience and quality of the QAR team. If they are conversant with leading practices, then you may get a review of high quality. Unfortunately, not every experienced auditor, even CAE, has reached world-class levels in their own practices.
If you engage a consultancy firm, they may focus unnecessarily on the quality of your tools (such as analytics and RPA) instead of the value of your assurance and insight. They often rely on a list of so-called best practices rather than understanding the needs of your organization and the potential value internal audit can deliver.
I believe that the only assessment that makes sense is that of the customer: the audit committee of the board and the senior management of the organization.
I also believe that it is immensely valuable to use a maturity model. The IIA has a practice guide on how to use one for other processes and I have one in my books for risk management. But there aren’t any that I could find for internal audit that reflect leading thinking and practices.
One of the values of a maturity model is that if it helps both CAEs and audit committees understand and then discuss leading practices. Many audit committees are complacent, accepting what they are receiving because they don’t realize more value can be obtained.
I have tried to fill the gap with a new book. Is your Internal Audit world-class: a Maturity Model for Internal Audit includes both a set of questions that can be used as a basis for obtaining internal audit stakeholders’ assessments and a detailed maturity model. It is based on the leading practices discussed in Auditing that Matters.
The guidance can (and probably should) be used in any QAR, but can also be used by CAEs and their audit committees simply to see where they stand on an annual basis. If you engage a team of reviewers to perform a QAR, I suggest asking them to use my maturity model (modified as appropriate) and consider my questions.
Knowing how you compare to world-class practices and understanding the added value of moving up the maturity curve can, itself, have great value.
I hope you find this guide useful and I look forward to your comments.
- The agile organization - May 17, 2023
- Internal audit and ESG: My opinion - April 24, 2023
- Was Silicon Valley Bank a failure of risk management? - March 28, 2023