The Institute of Internal Auditors (IIA) has released a new practice guide aimed at helping smaller audit organisations maintain professional standards. Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing [Standards] acknowledges the challenges that many chief audit executives (CAEs) and audit leadership in small audit activities face in implementing The IIA's Standards and provides specific examples and leading practices to help them meet those challenges.
"The Standards are applicable to all audit organisations, regardless of their size, level of resources, or complexity," says IIA Vice President of Standards and Guidance Beryl Davis, CIA. "However, smaller audit activities sometimes have challenges implementing the Standards due to limited staff and resources." In fact, limited resources can impact the organisation's ability to conduct the internal and external assessments required by the Standards. Smaller audit organisations may also have difficulty maintaining independence and attracting and retaining qualified subject matter experts.
According to the new practice guide, which includes a "heat map" that highlights the degree of difficulty for small audit activities to conform with specific IIA Standards, the five most challenging areas for small audit organisations tend to be independence and objectivity, quality assurance/improvement programs, managing the internal audit activity, engagement planning, and performing the engagement. For each of these areas, the guide offers the following advice:
Independence and Objectivity– Maintain open communications with the board and senior management concerning the importance of preserving independence and objectivity. This includes explaining the difficulties involved with auditing areas over which auditors may have been given operational responsibilities, and discussing the challenges resulting from organisational reporting structures.
Quality Assurance/Improvement Program – Integrate quality into the audit process by routinely performing an audit review as part of each audit and obtaining feedback from stakeholders through surveys or documented discussions. Additionally, consider using external peer organisation reviews to satisfy the Standards requirement that an external quality assessment be conducted at least once every five years. A peer group formed by auditors from four similar-sized organisations, for example, can conduct bartered external peer reviews and reduce third-party assessment fees substantially.
Managing the Internal Audit Activity – Ensure that the audit plan is risk-based. Solicit feedback from key stakeholders periodically to verify that the audit activity is performing value-added audits and that the audit plan remains aligned with strategic objectives and key risks facing the organisation.
Engagement Planning – Identify the key components of the planning process — the engagement objectives, scope, and audience — which should drive many of the factors considered during the planning stage, including the duration of the audit, key due dates, staffing, and the extent of documentation. Additionally, ensure that the engagement scope considers relevant risks.
Performing the Engagement – Ensure greater involvement on the part of the CAE for high-risk or complex engagements. At the onset of a complex engagement, the CAE should set expectations for audit evidence. For less complex or lower risk engagements, an experienced audit staff member may set the expectations and review the work of less experienced staff.
"In small audit organisations, staff members may wear multiple hats, their work may not be based on a risk assessment, and they may place more emphasis on financial auditing. They may even have to audit their own work at times," notes Davis. "This template serves as a checklist to help audit leaders get organized as they review their common practices to make sure that they are complying with the Standards."
MORE ARTICLES ON INTERNAL AUDIT