Path to Quality - The Institute of Internal Auditors

The Path to Quality
. . . a step-by-step guide to world-class internal auditing

Quality can be viewed as the characteristic of meeting or exceeding stakeholder expectations, while ensuring that value is added to an organization. The most critical factor in achieving internal audit quality is the activity's competency and proficiency in evaluating the organization's risk management, control, and governance processes.

The Institute of Internal Auditors understands that internal audit quality is not achieved overnight. Elevating quality requires the understanding of not only those performing internal auditing but also of audit customers as well as those responsible for internal audit oversight. In addition, maintaining quality requires a concentrated commitment and diligence on the part of the chief audit executive (CAE), as an organization and its culture change. A CAE's first step to ensuring quality is to establish a Quality Assurance and Improvement Program.

Although quality is a key requirement of The IIA's International Standards for the Professional Practice of Internal Auditing (Standards), one size does not fit all. Internal audit shops exist in all sizes, of all complexities, and with differing resources and levels of experience, knowledge, and sophistication. To support these diverse internal audit shops, The IIA has developed a step-by-step guide for progressing from one level to the next on the Quality Maturity Model. Based on proven practices, with each level building upon the previous one and serving as a stepping-stone to the next, this simple, user-friendly guide categorizes messages and tools that will help CAEs stay on track as they venture forward on the path to quality.

Click here for the Path to Quality PowerPoint Presentation (PPT, 306 KB).

LEVEL 1: Introductory
The internal audit activity does not have a Quality Assurance and Improvement Program in place. Typically, a level-1 internal audit shop would be fairly new or one that has not yet conformed to the new requirements. In some cases the CAE and audit committee might not have a clear understanding of the importance of such a program and the value it can bring to an organization.
LEVEL 2: Emerging
The internal audit activity conducts periodic and ongoing self-assessments, or internal quality assessments (QA's), monitoring compliance with the Standards.
LEVEL 3: Established
The internal audit activity obtains an independent validation of its self-assessment and will do so every five years.
LEVEL 4: Progressive
A Quality Assurance and Improvement Program is well defined within the ongoing operations of the internal audit activity. The activity generally complies with the Standards and Code of Ethics, and obtains an external QA every five years.
LEVEL 5: Advanced
An active and fully integrated Quality Assurance and Improvement Program exists within the daily operations of the internal audit activity. The activity obtains an external QA every three years. All staff members follow a rigorous continuing education program.

LEVEL 1: Introductory
Key Messages

Although quality sometimes might be considered a subjective concept, The IIA promotes objectively monitoring, improving, and reporting on quality, as defined by the values of an organization and the needs of its stakeholders.
The rapid growth in the field of and demand for internal auditing has resulted in the implementation of new internal audit activities in many organizations for the first time.
Results from The IIA Research Foundation's recent Common Body of Knowledge (CBOK) survey also point to the growth in the number of internal audit activities established within the past few years, and the fact that many of these new shops are not yet up to par in regard to assessing and documenting their quality.
Because the establishment of a new internal audit shop requires a significant commitment of an organization's attention, time, and resources, it is realistic to expect "young" internal audit activities to grow as they go - improving and advancing in expertise, quality, and overall professionalism as time passes. It also is important to point out that such an internal audit activity can comply with the Standards along its way to the next level of maturity.
While establishing a Quality Assurance and Improvement Program is important for all internal audit activities, it is especially critical for newly established shops, as it provides a blueprint, based on the Standards, for a quality-oriented internal audit activity.

Steps to Introductory Quality

Adopt The IIA's official definition of internal auditing.
Achieve the appropriate reporting relationships.
Make a commitment to quality. Demonstrate this commitment by developing a charter for the internal audit activity, defining the scope of work, and delineating areas for which it is accountable and responsible.
Work to achieve the buy-in of executive management and the audit committee. Set up meetings with them to share your mission and philosophy on quality, as well as learn about their expectations. Use A Standard of Quality as a presentation to build awareness and understanding, and garner their support.
Make sure each audit committee member receives the Tone at the Top newsletter, and has access to these corporate brochures, which feature the importance of internal audit quality:

LEVEL 2: Emerging
Key Messages

The Quality Assurance and Improvement Program should include both ongoing monitoring and the use of periodic assessments of compliance with the Standardsand the Code of Ethics.
Self-assessments bring to light departmental strengths and things that are going well. They also identify areas in need of improvement, as well as send to management a message regarding the internal audit activity's commitment to quality improvement.
Self-assessments should be performed by the CAE or under the direction of the CAE by competent in-house audit professionals or other persons within the organization with internal audit experience and understanding of the Standards.
Documentation of a self-assessment should include thoughtful recommendations for improvement, as well as detailed plans for implementing improvements.
The internal audit activity should present to the oversight body and executive management a report or presentation on the results of the self-assessment and steps for improvement.

Steps to Emerging Quality

Get involved in the local IIA and/or industry group of internal auditors, actively network with other internal audit practitioners, and participate in QA training.
Ensure that the CAE begins working toward earning appropriate professional certifications, including the Certified Internal Auditor (CIA).
Assign one to three members of the internal audit staff responsibility for internal monitoring. Information revealed by monitoring, interviews, workpapers, and a self-assessment should lead the CAE and internal QA team to conclusions regarding the internal audit activity's compliance with the Standards, conformance to its charter, and other relevant criteria.
Refer to The IIA's Self-assessment Checklist (Word, 125 KB). Also, refer to The IIA's Quality Assessment Manual, 5^th edition for a detailed description of the self-assessment process.
Elicit feedback from others in the self-assessment process. Although this is not mandatory, it is helpful, as are results from surveys used at the end of your audits.

Audit Customer (Client) Surveys can provide excellent feedback about the internal audit activity's effectiveness and potential opportunities for improvement. The survey of audit customers should precede the on-site work. To benchmark your clients' ratings with those of other internal audit departments, refer to the Client Survey Historical Results (2001-2007).
Internal Audit Staff Surveys also are an efficient way to obtain information from your staff members. To benchmark your staff's ratings with those of other internal audit departments, refer to the Staff Survey Historical Results (2002-2007).

LEVEL 3: Established
Key Messages

The CAE generally leads the process of selecting an independent validator with the full involvement and support of the audit committee and executive management.
The audit committee should be directly involved in the process, as well as, the determination of the QA method to be used, the approach to be followed, and the overall cost.
The independent validation process involves the completion and documentation of a rigorous internal audit activity self-assessment (See Maturity Level-2), which is reviewed and tested by a qualified and independent validator. The validator also conducts interviews with the audit committee chair or other appropriate board member and several key senior executives. The resulting report is shared with senior management and the audit committee, and complies with the Standards.
Independent validations can be conducted through peer reviews by internal auditors - all of whom must be qualified to conduct external QAs - from a pool of three or more different organizations.
When depending on a peer review for independent validation in the government sector, it is preferable to tap government auditors who are not "related" to or have any influence over the department under review, and that an independent validator still be engaged to review and validate the peer review.

Steps to Established Quality

Work on obtaining an appropriate mix of professional designations (including the CIA) that demonstrate your activity's professionalism and competency.
Complete - by or under the supervision of the CAE - the preparation for independent validation using a "balanced scorecard" approach. A balanced scorecard (PPT, 35KB) serves as a tool to help translate strategy into operational terms, from four perspectives: financial goals, customer growth and retention, internal business processes, and innovation and growth. The scorecard should be balanced between external measures for shareholders and customers and internal measures for internal business processes, innovation, and growth; as well as between outcome measures and measures of future performance. The balanced scorecard will help you to gather specific information about your organization and internal audit staff so that you can identify potential strengths and opportunities for improvement. Also, refer to The IIA's Quality Assessment Manual, 5^th edition for more preparation tools, as well as a detailed description of the independent validation process.
Refer to the following criteria when seeking a qualified independent validator:
a. Honest and candid within the scope of confidentiality.
b. Objective - more interested in service and the public trust than personal gain and advantage; impartial, intellectually honest, free of conflicts of interest.
c. Independent - not associated with the organization in any way.
d. Experienced - has personal knowledge of conducting external QA's.
e. Competent - preferably, a certified internal auditor, well-versed in best practices; with a minimum of three years recent internal audit or related management-consulting experience.
Put into place a CAE-developed plan, based on the findings and recommendations made by the independent validator, for addressing the needed changes, along with a timeline for implementation. This plan should be presented to senior management and the audit committee.
Contact The IIA at quality@theiia to report independent validation of your self-assessment, so that your organization's name can be added to the list on The IIA's Web site.

LEVEL 4: Progressive
KEY MESSAGES

Obtaining an external quality assessment (QA) demonstrates the internal auditors' mindset for professionalism.
An external QA provides evidence to the board, management, and staff that both the audit committee and the internal audit activity are concerned about the success of an organization's internal controls, ethics, governance, and risk management processes.
An external QA also builds stakeholder confidence by documenting management's commitment to quality and successful practices.
An external QA evaluates conformance with the Standards, the efficiency and effectiveness of the internal audit activity, and the use of successful practices.
In order for an internal audit activity to claim that it complies with the Standards, it must conduct ongoing and periodic internal QAs and undergo an external QA at least once every five years.

STEPS TO PROGRESSIVE QUALITY

Ensure the CAE of your internal audit activity is a Certified internal Auditor (CIA).
Review the Common Observations from External Quality Assessments and address similar areas in your internal audit activity that might be below the level of desired quality.
Use Internal Audit Activity Leading Practices as a model for your continued growth.
Download and modify the Sample Request for a Proposal for distribution when seeking external QA services from potential providers.
Contact The IIA at quality@theiia.org to report completion of your external QA, so that your organization's name can be added to The IIA's Web site list. Also, be sure to inform your audit customers about your external QA, both before and after it has been conducted. This practice sends a message that you are willing to undergo the same level of scrutiny that they go through when being audited, and that you are taking steps to implement recommended improvements.

LEVEL 5: Advanced
KEY MESSAGES

Although the Standards set the bar for professional practice, organizations at the advanced level are exceeding requirements of the profession and key stakeholders, by going beyond the minimum level of compliance. This indicates the very highest level of commitment and professionalism, not just that which is mandated.
This internal audit activity has achieved organization-wide respect for demonstrating value in helping achieve organizational objectives, as well as serving as a resource for education, counsel, and recommendations for improvement. This also applies to the view of the internal audit activity held by executive management and the audit committee.
Clearly, the CAE is a C-level (chief or top-level) executive at this organization.
The activity demonstrates an unrelenting commitment to growth, development, and improvement through a systematic and ongoing mentoring, training, and education of its staff members.
Not only does the internal audit activity operate at the advanced level, but - due in part to the positive influence and diligence of the CAE - the audit committee is exemplary in setting and adhering to its charter and following the organization's code of ethics; monitoring, overseeing, and evaluating the duties and responsibilities of management, the internal audit activity, and the external auditors; and reporting to the full board all-important matters pertaining to the organization's controlling processes.

STEPS TO ADVANCED QUALITY

Acquire and maintain an appropriate mix of professional designations (including the CIA) that demonstrate your internal audit activity's professionalism and competency.
Regularly benchmark your progress, such as through The IIA's Global Audit Information Network (GAIN).
Chronicle your activity's advancement through the levels to the top, and make your story available to others through IIA Global Headquarters at PR@theiia.org. Also, serve as a model for continued growth by sharing your practices and tools for success with The IIA by contacting quality@theiia.org.
Serve on external QA teams, or participate in peer reviews.
Give back to the profession by mentoring lower-level internal audit activities through IIA affiliation, speaking at events, participating in research studies, and writing articles that are based upon professional knowledge, experience, and expertise.

BACK TO TOP

There is no question that internal auditing should add value to an organization. And to operate at its highest level of proficiency and achieve its greatest potential, it should be perceived as adding value by management, the audit committee, and audit customers. Get on the path to quality today and ensure the value your internal audit activity will bring to your organization and its varied stakeholders tomorrow.

Quick Search Advanced Search Site Map IIA Popular Pages Find Your Local IIA Research Reports Discussion Groups E-learning Find a Job Contact Information For more information, or if you have a question related to Quality or QAs, please send an e-mail to Quality@theiia.org, or call +1-407-937-1100.		Home / Professional Guidance / Quality / The External Quality Assessment Process / Path to Quality The Path to Quality . . . a step-by-step guide to world-class internal auditing Quality can be viewed as the characteristic of meeting or exceeding stakeholder expectations, while ensuring that value is added to an organization. The most critical factor in achieving internal audit quality is the activity's competency and proficiency in evaluating the organization's risk management, control, and governance processes. The Institute of Internal Auditors understands that internal audit quality is not achieved overnight. Elevating quality requires the understanding of not only those performing internal auditing but also of audit customers as well as those responsible for internal audit oversight. In addition, maintaining quality requires a concentrated commitment and diligence on the part of the chief audit executive (CAE), as an organization and its culture change. A CAE's first step to ensuring quality is to establish a Quality Assurance and Improvement Program. Although quality is a key requirement of The IIA's International Standards for the Professional Practice of Internal Auditing (Standards), one size does not fit all. Internal audit shops exist in all sizes, of all complexities, and with differing resources and levels of experience, knowledge, and sophistication. To support these diverse internal audit shops, The IIA has developed a step-by-step guide for progressing from one level to the next on the Quality Maturity Model. Based on proven practices, with each level building upon the previous one and serving as a stepping-stone to the next, this simple, user-friendly guide categorizes messages and tools that will help CAEs stay on track as they venture forward on the path to quality. Click here for the Path to Quality PowerPoint Presentation (PPT, 306 KB). LEVEL 1: Introductory The internal audit activity does not have a Quality Assurance and Improvement Program in place. Typically, a level-1 internal audit shop would be fairly new or one that has not yet conformed to the new requirements. In some cases the CAE and audit committee might not have a clear understanding of the importance of such a program and the value it can bring to an organization. LEVEL 2: Emerging The internal audit activity conducts periodic and ongoing self-assessments, or internal quality assessments (QA's), monitoring compliance with the Standards. LEVEL 3: Established The internal audit activity obtains an independent validation of its self-assessment and will do so every five years. LEVEL 4: Progressive A Quality Assurance and Improvement Program is well defined within the ongoing operations of the internal audit activity. The activity generally complies with the Standards and Code of Ethics, and obtains an external QA every five years. LEVEL 5: Advanced An active and fully integrated Quality Assurance and Improvement Program exists within the daily operations of the internal audit activity. The activity obtains an external QA every three years. All staff members follow a rigorous continuing education program. LEVEL 1: Introductory Key Messages Although quality sometimes might be considered a subjective concept, The IIA promotes objectively monitoring, improving, and reporting on quality, as defined by the values of an organization and the needs of its stakeholders. The rapid growth in the field of and demand for internal auditing has resulted in the implementation of new internal audit activities in many organizations for the first time. Results from The IIA Research Foundation's recent Common Body of Knowledge (CBOK) survey also point to the growth in the number of internal audit activities established within the past few years, and the fact that many of these new shops are not yet up to par in regard to assessing and documenting their quality. Because the establishment of a new internal audit shop requires a significant commitment of an organization's attention, time, and resources, it is realistic to expect "young" internal audit activities to grow as they go - improving and advancing in expertise, quality, and overall professionalism as time passes. It also is important to point out that such an internal audit activity can comply with the Standards along its way to the next level of maturity. While establishing a Quality Assurance and Improvement Program is important for all internal audit activities, it is especially critical for newly established shops, as it provides a blueprint, based on the Standards, for a quality-oriented internal audit activity. Steps to Introductory Quality Adopt The IIA's official definition of internal auditing. Achieve the appropriate reporting relationships. Make a commitment to quality. Demonstrate this commitment by developing a charter for the internal audit activity, defining the scope of work, and delineating areas for which it is accountable and responsible. Work to achieve the buy-in of executive management and the audit committee. Set up meetings with them to share your mission and philosophy on quality, as well as learn about their expectations. Use A Standard of Quality as a presentation to build awareness and understanding, and garner their support. Make sure each audit committee member receives the Tone at the Top newsletter, and has access to these corporate brochures, which feature the importance of internal audit quality: What Does It Take to Be a Professional? Internal Auditing - All in a Day's Work Internal Auditing - Adding Value across the Board The Audit Committees - Purpose, Process, Professionalism The Audit Committee - A Holistic View of Risk BACK TO TOP LEVEL 2: Emerging Key Messages The Quality Assurance and Improvement Program should include both ongoing monitoring and the use of periodic assessments of compliance with the Standardsand the Code of Ethics. Self-assessments bring to light departmental strengths and things that are going well. They also identify areas in need of improvement, as well as send to management a message regarding the internal audit activity's commitment to quality improvement. Self-assessments should be performed by the CAE or under the direction of the CAE by competent in-house audit professionals or other persons within the organization with internal audit experience and understanding of the Standards. Documentation of a self-assessment should include thoughtful recommendations for improvement, as well as detailed plans for implementing improvements. The internal audit activity should present to the oversight body and executive management a report or presentation on the results of the self-assessment and steps for improvement. Steps to Emerging Quality Get involved in the local IIA and/or industry group of internal auditors, actively network with other internal audit practitioners, and participate in QA training. Ensure that the CAE begins working toward earning appropriate professional certifications, including the Certified Internal Auditor (CIA). Assign one to three members of the internal audit staff responsibility for internal monitoring. Information revealed by monitoring, interviews, workpapers, and a self-assessment should lead the CAE and internal QA team to conclusions regarding the internal audit activity's compliance with the Standards, conformance to its charter, and other relevant criteria. Refer to The IIA's Self-assessment Checklist (Word, 125 KB). Also, refer to The IIA's Quality Assessment Manual, 5^th edition for a detailed description of the self-assessment process. Elicit feedback from others in the self-assessment process. Although this is not mandatory, it is helpful, as are results from surveys used at the end of your audits. Audit Customer (Client) Surveys can provide excellent feedback about the internal audit activity's effectiveness and potential opportunities for improvement. The survey of audit customers should precede the on-site work. To benchmark your clients' ratings with those of other internal audit departments, refer to the Client Survey Historical Results (2001-2007). Internal Audit Staff Surveys also are an efficient way to obtain information from your staff members. To benchmark your staff's ratings with those of other internal audit departments, refer to the Staff Survey Historical Results (2002-2007). BACK TO TOP LEVEL 3: Established Key Messages The CAE generally leads the process of selecting an independent validator with the full involvement and support of the audit committee and executive management. The audit committee should be directly involved in the process, as well as, the determination of the QA method to be used, the approach to be followed, and the overall cost. The independent validation process involves the completion and documentation of a rigorous internal audit activity self-assessment (See Maturity Level-2), which is reviewed and tested by a qualified and independent validator. The validator also conducts interviews with the audit committee chair or other appropriate board member and several key senior executives. The resulting report is shared with senior management and the audit committee, and complies with the Standards. Independent validations can be conducted through peer reviews by internal auditors - all of whom must be qualified to conduct external QAs - from a pool of three or more different organizations. When depending on a peer review for independent validation in the government sector, it is preferable to tap government auditors who are not "related" to or have any influence over the department under review, and that an independent validator still be engaged to review and validate the peer review. Steps to Established Quality Work on obtaining an appropriate mix of professional designations (including the CIA) that demonstrate your activity's professionalism and competency. Complete - by or under the supervision of the CAE - the preparation for independent validation using a "balanced scorecard" approach. A balanced scorecard (PPT, 35KB) serves as a tool to help translate strategy into operational terms, from four perspectives: financial goals, customer growth and retention, internal business processes, and innovation and growth. The scorecard should be balanced between external measures for shareholders and customers and internal measures for internal business processes, innovation, and growth; as well as between outcome measures and measures of future performance. The balanced scorecard will help you to gather specific information about your organization and internal audit staff so that you can identify potential strengths and opportunities for improvement. Also, refer to The IIA's Quality Assessment Manual, 5^th edition for more preparation tools, as well as a detailed description of the independent validation process. Refer to the following criteria when seeking a qualified independent validator: a. Honest and candid within the scope of confidentiality. b. Objective - more interested in service and the public trust than personal gain and advantage; impartial, intellectually honest, free of conflicts of interest. c. Independent - not associated with the organization in any way. d. Experienced - has personal knowledge of conducting external QA's. e. Competent - preferably, a certified internal auditor, well-versed in best practices; with a minimum of three years recent internal audit or related management-consulting experience. Put into place a CAE-developed plan, based on the findings and recommendations made by the independent validator, for addressing the needed changes, along with a timeline for implementation. This plan should be presented to senior management and the audit committee. Contact The IIA at quality@theiia to report independent validation of your self-assessment, so that your organization's name can be added to the list on The IIA's Web site. BACK TO TOP LEVEL 4: Progressive KEY MESSAGES Obtaining an external quality assessment (QA) demonstrates the internal auditors' mindset for professionalism. An external QA provides evidence to the board, management, and staff that both the audit committee and the internal audit activity are concerned about the success of an organization's internal controls, ethics, governance, and risk management processes. An external QA also builds stakeholder confidence by documenting management's commitment to quality and successful practices. An external QA evaluates conformance with the Standards, the efficiency and effectiveness of the internal audit activity, and the use of successful practices. In order for an internal audit activity to claim that it complies with the Standards, it must conduct ongoing and periodic internal QAs and undergo an external QA at least once every five years. STEPS TO PROGRESSIVE QUALITY Ensure the CAE of your internal audit activity is a Certified internal Auditor (CIA). Review the Common Observations from External Quality Assessments and address similar areas in your internal audit activity that might be below the level of desired quality. Use Internal Audit Activity Leading Practices as a model for your continued growth. Download and modify the Sample Request for a Proposal for distribution when seeking external QA services from potential providers. Contact The IIA at quality@theiia.org to report completion of your external QA, so that your organization's name can be added to The IIA's Web site list. Also, be sure to inform your audit customers about your external QA, both before and after it has been conducted. This practice sends a message that you are willing to undergo the same level of scrutiny that they go through when being audited, and that you are taking steps to implement recommended improvements. BACK TO TOP LEVEL 5: Advanced KEY MESSAGES Although the Standards set the bar for professional practice, organizations at the advanced level are exceeding requirements of the profession and key stakeholders, by going beyond the minimum level of compliance. This indicates the very highest level of commitment and professionalism, not just that which is mandated. This internal audit activity has achieved organization-wide respect for demonstrating value in helping achieve organizational objectives, as well as serving as a resource for education, counsel, and recommendations for improvement. This also applies to the view of the internal audit activity held by executive management and the audit committee. Clearly, the CAE is a C-level (chief or top-level) executive at this organization. The activity demonstrates an unrelenting commitment to growth, development, and improvement through a systematic and ongoing mentoring, training, and education of its staff members. Not only does the internal audit activity operate at the advanced level, but - due in part to the positive influence and diligence of the CAE - the audit committee is exemplary in setting and adhering to its charter and following the organization's code of ethics; monitoring, overseeing, and evaluating the duties and responsibilities of management, the internal audit activity, and the external auditors; and reporting to the full board all-important matters pertaining to the organization's controlling processes. STEPS TO ADVANCED QUALITY Acquire and maintain an appropriate mix of professional designations (including the CIA) that demonstrate your internal audit activity's professionalism and competency. Regularly benchmark your progress, such as through The IIA's Global Audit Information Network (GAIN). Chronicle your activity's advancement through the levels to the top, and make your story available to others through IIA Global Headquarters at PR@theiia.org. Also, serve as a model for continued growth by sharing your practices and tools for success with The IIA by contacting quality@theiia.org. Serve on external QA teams, or participate in peer reviews. Give back to the profession by mentoring lower-level internal audit activities through IIA affiliation, speaking at events, participating in research studies, and writing articles that are based upon professional knowledge, experience, and expertise. BACK TO TOP There is no question that internal auditing should add value to an organization. And to operate at its highest level of proficiency and achieve its greatest potential, it should be perceived as adding value by management, the audit committee, and audit customers. Get on the path to quality today and ensure the value your internal audit activity will bring to your organization and its varied stakeholders tomorrow.		EL CAMINO A LA CALIDAD