Seven steps to navigating compliance with new internal audit standards
 

The sweeping Sarbanes-Oxley Act of 2002 (SOX) has attracted both praise and protest for how it forced public companies to shore up corporate governance procedures, improve financial reporting and increase overall controls.

However, that same year, the Institute of Internal Auditors (IIA) upgraded its compliance standards by calling on companies to conduct regular quality assurance reviews of their internal audit practices. While the change generated little fanfare at the time, it is receiving more attention as companies approach the January 2007 compliance deadline.

"This is an important issue, because companies that don’t comply will be unable to claim that their internal audit programs meet international standards," says Trish Harris, communications director for the IIA. "That lack of compliance could generate concern with audit committees, investors and a company’s management team."

A quality assurance review (QAR) is an independent assessment of an organization’s internal audit programs and processes. In making the change back in 2002, the IIA required that QARs take place at least once every five years – with exceptions made only if a business did not have an internal audit function as of Jan. 1, 2002.

A company can meet the QAR requirement in one of two ways. The first approved approach is for a company to retain a qualified outside reviewer to provide an independent internal audit assessment, which will determine if the existing approach meets IIA’s professional practice standards. Such a review typically takes up to two weeks for a midsized company and focuses on activity in the current year.

The second approach allows a business to perform a self-assessment of its internal audit practice, which a qualified outside resource must then review and validate. Under this model, an outside provider must make at least one on-site visit, interview senior management and co-sign the self-assessment form. The outside evaluator drafts and files a separate report with IIA if it finds any discrepancies with the internal review. While this approach can hold down costs, experts caution that it may not have the scope to evaluate the internal audit operations of midsized or large companies. It also may not be as beneficial as a traditional QAR for smaller internal audit departments that have never had a quality assurance review.

Unlike SOX, noncompliance with IIA’s new standards isn’t punishable by law. However, compliance does indicate that the internal audit has evolved beyond a mere check-off point for cost control. Supported by a QAR, a company’s internal audit program has a solid platform from which to identify improvement opportunities and make recommendations that can reduce risk and enhance the bottom line.

Has your company completed its QAR? If not, here are seven steps that can help you move confidently through the process.

Act now. The January 2007 deadline is less than six months away, so demand for experienced, third-party QAR reviewers is extremely high. If you have not already scheduled an internal audit evaluation, experts suggest contacting a firm that has significant experience conducting QAR reviews with midsized companies. While it may be too late to budget for QAR expenses in this fiscal year, be sure to allocate an appropriate amount as soon as possible to be in compliance.

Involve management and the audit committee. Many organizations form a QAR oversight committee, which may include the chief executive officer, chief financial officer and a member of the audit committee. This approach has dual benefits: The committee can provide invaluable guidance to the chief auditor during the process, and the QAR provides an opportunity to engage and educate senior management about audit processes and related issues.

Build consensus on QAR objectives. While IIA provides two models by which companies can comply with the international internal audit standards, the outcomes from those approaches can vary considerably. A self-assessment with independent validation may tend to focus on basic compliance, while a full third-party QAR may provide detailed analyses for businesses interested in elevating their audit function to world-class performance. Regardless of the course, it is important for a company’s senior leadership and audit committee to support the desired project outcomes.

Develop a written request for proposal (RFP). Building on the previous step, a well-written RFP will communicate your company’s expectations to potential service providers in clear and concise terms. This document should provide key background and performance details such as the number of internal auditors on staff, the number and type of audits performed in-house, and the location of company offices QAR evaluators should visit. The RFP also should include appropriate documentation such as copies of the internal audit charter, the internal audit annual plan, and organizational charts of executive management and the internal audit function.

Take a close look at prospective QAR providers. Because of the explosive growth in the audit field since SOX, there is a much larger talent pool than ever. However, not all auditors bring the same skills to the table. For a QAR, experts suggest company decision-makers examine a provider’s professional certifications and willingness to tailor the review to meet your objectives. Midsized businesses are good candidates for a team approach, because it can provide reviewers with relevant industry backgrounds as well as hands-on experience in internal audit departments of similar size. Ideally, such a team should include at least one person who has led an internal audit function, as well as an information-technology audit specialist.

Take time to prepare. While interviewing QAR providers, the internal audit department should start planning for the review. This may include setting internal expectations about the time needed for QAR interviews and conducting a review of all existing internal audit standards, policies and procedures. If a company has not been through a prior audit quality review, experts suggest purchasing IIA’s Quality Assessment Manual (5th edition), which offers a full overview of what outside auditors will look for in the QAR process.

Take time to communicate. Instead of viewing the QAR as a requirement, regard it as an opportunity to gain advice and counsel from independent audit experts who will assess your department’s operations. Such conversations with reviewers might help you refine risk assessments, identify gaps in audit coverage or reduce turnover rates. To maximize this opportunity, develop a list of issues to discuss with the review team during their visit, and incorporate the feedback into a departmental roadmap for improvement.

By following these seven steps, you can help your company’s internal audit function comply with international standards and leverage the opportunity to make future improvements in financial management.

RSM McGladrey Inc. and McGladrey & Pullen LLP have an alternative practice structure. Though separate and independent legal entities, the two firms work together to serve clients’ business needs. RSM McGladrey is not a licensed CPA firm.

RSM McGladrey Inc. is a member of RSM International - an affiliation of separate and independent legal entities.

2007 RSM McGladrey Inc. All Rights Reserved. Contact us toll-free at 800.274.3978