
Preparing Internal Audit for an External Quality Assessment (EQA)

By James C Paterson

Over the past 7 years I have worked as an External Quality Assessor, helping Internal Audit teams to meet their obligations to have an EQA at least every 5 years. In addition, I have helped several Heads of Internal Audit to prepare for an upcoming External Quality Assessment. I run training for the IIA UK on preparing for an EQA, and with the IIA Netherlands I run a “hybrid” course: for those who want to train to be a qualified EQA assessor, a two-day course, and for those who want to prepare for an EQA, a one-day course. We do these together and the courses are next scheduled for 8 and 9 December 2020 (delivered via Zoom).

Here is a summary of some of the key messages from the course on preparing for an EQA, but – of course – we go into more detail at the training.

  • Make sure key documents (IA charter etc.) have been updated for the IIA International Professional Practices Framework from 2017.

It is a requirement of 2017 IIA standards to ensure that IA team charters etc. are in line with the requirements of the new standards and most readers will be aware that this requires that:

  1. IA teams should do work that is aligned with the strategies, objectives and risks of the organisation;
  2. IA teams should operate in an insightful, forward-looking and proactive manner; and
  3. IA teams should co-ordinate with other assurance providers and consider relying on their work (using a systematic basis of determining this).

Behind these simple messages is the question of how you make sure that you are actually living up to these requirements. For example, how do you ensure the audit plan is clearly tied to key objectives and risks? How do you define “insight” (two comments here: don’t tell them what they already know, and do root cause analysis)? And how do you develop an assurance map and measure the amount of assurance from other functions (a requirement of IIA 2050)?

  • Ensure you have done an assessment of the strengths and improvement needs of your IA team, within all levels of the IA team (managers and staff).

Especially for larger internal audit teams, it is not unusual for an HIA or IA management team to have one impression of the key strengths and improvement areas of the team against the IIA standards, but find that the auditors “working at ground level” have another view (sometimes less positive than that of the IA management team) about, for example, skills and training plans, the quality of the audit planning process (even if they are not involved in it!), the quality of assignment planning, the usefulness of supporting tools (e.g. data analytics) and the quality of the audit software that they use. Heads of Audit are encouraged to ensure there is an IA team discussion about the IIA standards and the IA team's strengths and improvement areas, to avoid a situation where vital information is known to team members but perhaps not to the IA management team, since any good EQA assessor will seek to understand the view of the whole team during an EQA.

  • Be clear about the EQA scope, and process, and ensure you will get credit and acknowledgement for known issues and current improvement plans.

Sometimes EQA assessors are keen to have as broad a remit as is possible, interviewing large numbers of senior managers across the organisation; and whilst this can have benefits, some HIAs have even reported the EQA as a precursor to the outsourcing of the IA function. Hopefully this is not a serious risk for most IA teams, but some sensible conversations and appropriate due diligence about this potential risk are worth bearing in mind. For this reason, readers will appreciate that there is nothing worse than reading an EQA report and finding issues that are already known reported back as if they are “fresh” findings from the EQA. Ensure any EQA process explicitly includes a clear step that involves getting the IA team perspective on key issues, and what it is already working on, and understand how these will be reported in the final EQA report, so you get credit for that.

  • Ensure there is clarity about how the EQA will distinguish between judgements against the IIA standards and judgements against “best practice”.

For several clients, I have seen EQA reports that list improvement actions against best practice as if they were actions against the IIA standards. This can give the impression that the IA team is much further back than it actually is. Therefore, it is important to clarify with any proposed EQA assessor how they will distinguish between basic IIA compliance points and other improvement areas vs. best practice. Also, make sure that if something is being cited as best practice it is clear how many IA functions have actually implemented it, and their circumstances. For example, I have seen EQA recommendations suggesting the implementation of practices for an audit team of 6-10 staff, which – when challenged – turned out to be more common good practice in audit teams of 20+ auditors.

  • Look at IIA guidance on common EQA findings.

These may vary from country to country, but some of the most common findings I have seen are:

  1. The need to have a plan that is truly aligned to strategies, objectives and risks (all too often the plan is based on a process/unit-based audit universe and retrofitted to the organisation’s strategy, objectives and key risks).
  2. The need to do audit work in the context of the overall assurance picture – which can be evidenced by having an assurance map and a clear sense of measuring the assurances from both line management and 2nd line functions (a big topic in its own right, and one that I covered in another course).
  3. The need to be very proactive about audit team skills and capabilities and ensuring these match the needs of the audit plan (linked to key risks etc.).
  4. The need to strengthen the stakeholder management process and review lessons learned after each assignment.

 

  • Remember an EQA can give you significant benefits, but only if you trust the EQA assessor.

Despite the risks outlined above, I am a strong believer in the benefits that can flow from having the right EQA. It can bring prominence to issues that have concerned the audit team, but have been hard to address – for example by helping to remove “no go” zones in the audit planning process, or by encouraging a stronger flow of experienced staff into the audit team, or more support for the use of guest auditors and guest advisors.

All this highlights the need to choose your EQA assessor carefully, so that you can be confident it will have a positive impact, not just on the internal audit team, but on some related organisational governance, risk and compliance activities. And – speaking of a pet hate – make sure your assessor does not take pride in raising minor housekeeping points in relation to audit files, unless there is a clear impact on important audit conclusions!

  • Engage with key decision makers and manage their expectations.

Audit Committees and Senior Managers may play a key role in selecting an EQA provider and considering their feedback. Make sure they are fully on board with the considerations discussed in this note.

In conclusion, I hope this short overview explains some of the key opportunities and threats of an EQA and encourages readers to ensure they properly prepare their IA team for an EQA and choose their EQA assessor carefully. This will be discussed in much more detail at our workshop/webinars.

About James C Paterson 

James Paterson is the former Head of Internal Audit for AstraZeneca PLC. He has been consulting, training and coaching in Internal Audit since 2010 and is the author of the book “Lean Auditing”. 

 
