Lee Glover

I have been both an in-house auditor and for many years an out-sourced internal audit provider, so when the question arises ‘Should I have an EQA?’, against the Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF) which provides the global standards for the internal audit profession, the immediate answer that pops into my head is ‘Yes, of course, why not?’ After all, a set of professional standards exist, which are widely acknowledged and adopted, therefore to know how we stand against these can surely only be a good thing. Secondly, as an out-sourced provider it can rubber stamp your quality credentials. But that is a quick answer, in this brief article I will explore this a little more. 

Firstly, let me address the issue that as an ACCA member you may be thinking ‘well those are IIA standards and I do not work to those’. This may be true, but it does not mean we cannot learn and improve from considering those requirements and the experience of others.  If you think otherwise, then maybe you should reflect upon whether you are in the right role?   

Secondly, you may function within an organisation that does not want to comply with the Standards; they are voluntary and internal audit is technically largely an unregulated activity after all. But again at least at the extreme of the argument, why would an organisation take that view? I would be asking myself does this business value internal audit? Does this business value my input? Maybe you are in the wrong business?

Thirdly, proportionality. Internal audit functions vary dramatically in size from a single person to large teams. Standards are of course arguably easier to adopt within larger teams with greater resources.  However, spirit and proportionality should of course enable any team to achieve compliance or at least improve.

In terms of the process, internal audit teams should perform an annual self-assessment (in-house) against the professional standards and then have an independent EQA at least every five years, to be able to state compliance with the Standards.  

Given internal audit is often not mandated or seen as a regulated activity the IIA strongly recommends, but cannot mandate, that functions undergo EQA. The Standards are voluntary. 

While an EQA is not mandatory, there are several reasons why internal audit functions often choose to undergo this type of assessment:

  1.  Enhanced credibility: Simply undergoing the process demonstrates a commitment to quality and adherence to recognised professional standards; after all, as internal auditors, we would not want a situation of ‘do as we say, not as we do’. It demonstrates accountability and provides validation for internal audit.
  2. Stakeholder confidence: Sharing of results with stakeholders, including senior management and the board of directors can reinforce confidence in the internal audit function and demonstrates a commitment to quality, objectivity, and continuous improvement. It provides assurance.  
  3. Continuous improvement: In a similar vein as internal audit, external eyes over processes can provide valuable insights into the strengths and weaknesses of a function which often those close to the action will not necessarily pick up in their day-to-day role to help ensure activities meet or exceed the Standards. This can help ensure that internal audit activities evolve and adapt to changing organisational needs. It identifies areas for improvement in processes, methodologies, resourcing, and overall performance. This feedback is valuable for continuous improvement efforts within the internal audit function; it can also feed an individual team member’s own Professional Development.
  4. Good practice/peer comparison: The EQA will be undertaken by an individual who has likely performed such exercises across a range of industries and teams; therefore, often enabling them to benchmark against good practice they have seen elsewhere and drive improvement which may otherwise be missed.
  5. Regulatory expectations: Whilst internal audit is generally unregulated, there are certain sectors where established requirements exist, such as the UK Public Sector Internal Audit Standards (PSIAS). The PSIAS are an annotated version of the IPPF and requires that functions undertake a periodic external assessment or self-assessment with external validation.

Then of course, there are several challenges or arguments against an EQA:

  1. Costs: Both in respect of consuming internal time preparing and participating in the process but also commissioning the external assessor; this may be a particular burden in smaller organisations. The assessment process can take a considerable amount of time, from planning and data collection to reporting and follow-up. This can be disruptive to the day-to-day operations of the internal audit function and may lead to a temporary reduction in productivity. Then of course there is the time to put any improvements in place, if the benefit of the process is to be realised, plus the opportunity cost of missed opportunities should you not undertake an EQA. 
  2. Resistance: There may be resistance from team or management to an EQA, especially if there are concerns about the process being overly critical or if there is a fear of negative findings impacting individual careers or the reputation of the function. But wait, we are internal auditors, do we walk around thinking we are all perfect and it is only our auditees which need help? Come on!
  3. Disruption: The assessment process may disrupt the normal workflow of the internal audit function diverting attention from the team’s regular audit activities; but do we not we expect this of our auditees? Smells a little of double standards. 
  4. Scope: The scope of assessment should usually cover the breadth of the IPPF, however, as with any assurance piece limitations may be applied which reduce the realisable benefit.  This is only the same as agreeing an audit budget; give someone three days budget they are less likely to find as many potential improvements than if you give them 30 days, or the assessor may not have sufficient time to grasp specific nuances. Often there is a balance to be struck.
  5. Improvements: As with any assurance product, there is a need for clear communication and collaboration between the assessor and the function to ensure a shared understanding and identification of the best solution, this is true of any internal audit you perform and no different here. Make sure that your management team are available to discuss findings and agree the best solution which works for your organisation to drive the necessary change and achieve improvement.
  6. ‘Bad Day’ Scenario: An assessment provides a snapshot of the internal audit function at a particular point in time, everyone can have a bad day. Of course, this also applies to our auditees. The assessment itself should be part of a cycle of internal self-assessment, periodic external assessment, and wider continuous improvement activities. The communication, feedback, and collaboration to determine best solutions should minimise the likelihood of a truly ‘bad day’ tainting the entire outcome and opinion of the EQA process.

Yes, there will be other arguments both for and against an EQA, the assessment above is not intended to be exhaustive. 

In conclusion, we should never ask others to do things we are not willing to do ourselves, therefore, as internal auditors I believe it is only correct that we open our doors to scrutiny, and the EQA process is one way in which we can achieve this. Whether a prescribed minimum frequency of five years is appropriate or necessary is maybe less clear cut; as internal auditors we would generally assess the frequency of a review based upon an assessment of risk, considering the degree of change in respect of people, processes, systems, activities, resources, and the external environment.  

Of course, there are other activities we undertake to inform our development, both as a function and individuals, including participation in groups, forums, conferences, and wider continuous professional development; the EQA process should be seen as part of the jigsaw.   

I last commissioned an EQA in March 2022. The process was engaging and thorough, and whilst there were no areas for improvement identified, it was reassuring to have our internal audit methodology and approach - which I had largely designed and refined over the years - reviewed, and challenged by a knowledgeable and experienced peer. 

Even if no improvements are identified as part of the process, value still exists - the value resides in the assurance provided that your processes are operating effectively and in accordance with recognised standards. This is true of an internal audit report with no recommendations - in such circumstances management and board can be assured that risks within the area of scope are reasonably managed, and there is value in the assurance itself. What value do you place on a good night’s sleep?

At Validera it is our mission to help our clients improve, comply and optimise their operations. I cannot help thinking that the EQA process is one such tool through which internal audit itself can seek to improve, comply and optimise its own activities to best meet the needs of its stakeholders.  

If we are not willing to subject ourselves to EQA, should we be internal auditors?

Validera

Lee Glover FCCA - Director, Validera