May 2011

Assessing the Quality of the IT Audit Function

Performing regular reviews of IT audit activities can provide assurance that practitioners are doing what is necessary to help the organization mitigate technology risks.

Syed Salman, CISA
Manager, Enterprise Risk Services
Deloitte & Touche (M.E.)

Today’s organizations rely significantly on IT to manage and operate their business. This growing trend requires chief audit executives (CAEs) to plan and devote more time and effort to audit controls implemented by management to mitigate risks to the IT environment. Given IT’s importance, it is essential for organizations to perform a quality assurance review (QAR) of the IT audit function to ensure that auditors are assessing all controls in the IT environment effectively to help mitigate the organization’s risk exposure.

A QAR is an independent strategic assessment of an internal audit department, including its infrastructure, staff experience, and performance relative to business goals, best practices, and applicable standards. Typically, this review will assess:

  • Proficiency. Assess the extent of internal auditing’s conformity with all components of the International Professional Practices Framework (IPPF). Also, evaluate whether the department maintains the right level of professionals with the appropriate skill sets and training to perform its activities adequately.
  • Internal audit effectiveness. Evaluate internal auditing’s effectiveness and efficiency in carrying out its mission, as set forth in its charter and expressed in the expectations of the organization’s audit committee and management. Review whether the charter, policies, and procedures support the internal audit department’s needs and goals.
  • Management and structure. Identify opportunities to enhance internal auditing’s management and work processes, as well as its value to the group. Also, determine whether the internal audit activities are placed within the group appropriately to provide independent and objective feedback.
  • Leading practices. Benchmark the current practices of the internal audit function against best practices for the profession.
  • Internal audit methodologies, tools, and technologies. Review whether the current audit methodologies, tools, and technologies are appropriate to assess risks and evaluate internal controls within the business processes, allocate audit resources, and execute audits effectively and efficiently.

An IT audit function complying with all sections of the IPPF and its International Standards for the Professional Practice of Internal Auditing (Standards) will be in a good position to deliver the greatest value to the organization. Standard 1300 – Quality Assurance and Improvement Program directs CAEs to implement a quality assurance program covering all aspects of internal auditing. IT audit functions can be well-served by performing an internal assessment of their IT audit practices to see to what extent they conform with the Standards. Standard 1311 provides further guidance for internal assessments, while Standard 1312 requires external assessments of the internal audit function by an independent reviewer at least once every five years.

The table on the next page highlights areas of the Standards on which an IT audit QAR should place extra emphasis. 

To comment on this article, email the author at

The information provided does not speak in detail of the subject matter, but has provided a good introduction.
Posted By: Ronald Joseph
2011-06-05 6:35 PM
Good information but not enough
The article describes a common approach to quality assessment of all types of internal audit and certain frequent problems (shortcomings) of IT audit, with no other specific details on how to perform the quality assessment of IT audit.
Posted By: Alexander Levin
2011-05-11 2:36 AM
Good Job
Good Job, you highlight some very important points here, keep up the good work.
Posted By: Ali Kazim
2011-05-05 10:30 AM
Good Initiative
Good article Syed, keep up the good work.
Posted By: Nayef Trad
2011-05-05 7:26 AM

