July 13, 2006

Seven Steps to Navigating Compliance with New Internal Audit Standards

From RSM McGladrey Advantage, a report on how companies can conduct regular quality assurance reviews of their internal audit practices


The sweeping Sarbanes-Oxley Act of 2002 (SOX) has attracted both praise and protest for how it forced public companies to shore up corporate governance procedures, improve financial reporting and increase overall controls.

However, that same year, the Institute of Internal Auditors (IIA) upgraded its compliance standards by calling on companies to conduct regular quality assurance reviews of their internal audit practices. While the change generated little fanfare at the time, it is receiving more attention as companies approach the January 2007 compliance deadline.

"This is an important issue, because companies that don't comply will be unable to claim that their internal audit programs meet international standards," says Trish Harris, communications director for the IIA. "That lack of compliance could generate concern with audit committees, investors and a company's management team."

A quality assurance review (QAR) is an independent assessment of an organization's internal audit programs and processes. In making the change back in 2002, the IIA required that QARs take place at least once every five years – with exceptions made only if a business did not have an internal audit function as of Jan. 1, 2002.

A company can meet the QAR requirement in one of two ways. The first approved approach is for a company to retain a qualified outside reviewer to provide an independent internal audit assessment, which will determine if the existing approach meets IIA's professional practice standards. Such a review typically takes up to two weeks for a midsized company and focuses on activity in the current year.

The second approach allows a business to perform a self-assessment of its internal audit practice, which a qualified outside resource must then review and validate. Under this model, an outside provider must make at least one on-site visit, interview senior management and co-sign the self-assessment form. The outside evaluator drafts and files a separate report with IIA if it finds any discrepancies with the internal review. While this approach can hold down costs, experts caution that it may not have the scope to evaluate the internal audit operations of midsized or large companies. It also may not be as beneficial as a traditional QAR for smaller internal audit departments that have never had a quality assurance review.

Unlike noncompliance with SOX, noncompliance with IIA's new standards isn't punishable by law. However, compliance does indicate that the internal audit has evolved beyond a mere check-off point for cost control. Supported by a QAR, a company's internal audit program has a solid platform from which to identify improvement opportunities and make recommendations that can reduce risk and enhance the bottom line.

Has your company completed its QAR? If not, here are seven steps that can help you move confidently through the process.

Act now. The January 2007 deadline is less than six months away, so demand for experienced, third-party QAR reviewers is extremely high. If you have not already scheduled an internal audit evaluation, experts suggest contacting a firm that has significant experience conducting QAR reviews with midsized companies. While it may be too late to budget for QAR expenses in this fiscal year, be sure to allocate an appropriate amount as soon as possible to be in compliance.

Involve management and the audit committee. Many organizations form a QAR oversight committee, which may include the chief executive officer, chief financial officer and a member of the audit committee. This approach has dual benefits: The committee can provide invaluable guidance to the chief auditor during the process, and the QAR provides an opportunity to engage and educate senior management about audit processes and related issues.

Build consensus on QAR objectives. While IIA provides two models by which companies can comply with the international internal audit standards, the outcomes from those approaches can vary considerably. A self-assessment with independent validation may tend to focus on basic compliance, while a full third-party QAR may provide detailed analyses for businesses interested in elevating their audit function to world-class performance. Regardless of the course, it is important for a company's senior leadership and audit committee to support the desired project outcomes.
