Resources and lack of IT capabilities create big barriers to getting QAR done for some.
No one doubts the value of conducting a Quality Assurance Review (QAR) to gauge how well the internal audit program is meeting its goals.
In fact, a QAR is part of the requirements to meet to The Institute of Internal Auditors professional standards. In accordance with The IIA's standards, "The chief audit executive must develop and maintain a quality assurance and improvement program (QAIP) that covers all aspects of the internal audit activity." (The QAIP requirement is known as Standard 1300.)
“A good quality review allows you to have a measuring stick to assess how well internal audit is doing over time,” says Steve Minder, CEO of YCN Group, an internal audit software, consulting, and training firm.
Yet, for some companies a QAR is a luxury they cannot afford. “It works well for those with the right resources and support from the board and management, but not every company has that,” says Minder. Companies that don’t have the resources or staff to conduct a QAR internally could hire outside help, such as a consulting firm or audit provider. These same organizations that don’t have the resources to conduct the reviews internally, however, may not have the support to use outside help.
The lack of staff or resources is causing some companies to forgo the reviews. A recent report from the IIA found that the top reason for internal audit departments to be out of conformance with its standards is that a comprehensive QAIP is not in place. The second most common nonconformance issue is not reporting the results of the internal audit quality review to the board and management, which is, of course, difficult if you are not conducting the review in the first place.
In general, many companies face two big challenges when it comes to adopting a quality review program, says Minder. The first is that the IT risk has become massively complex and they don’t have the IT audit capabilities. “It has become so specialized,” says Minder. “When a quality reviewer asks for an IT audit risk assessment from the client, they often get a ‘deer in the headlights’ look.”
The second challenge for some companies is getting management to buy into the necessity of conducting quality reviews. “There’s already so much on the audit plan, it gets down to prioritization,” Minder says. “Most CAEs want to comply with the standards. The problem they sometimes have is getting management to see the same value in complying.”
For companies that are not complying, the IIA urges them to: “Establish a formal QAIP that comprises two interrelated components of internal assessments: ongoing monitoring and periodic self-assessment.”
According to Minder, one of the same hurdles to conducting QARs—technology—can be a big help to having internal audit departments complete them. He says automating as much of the QAR process as possible can reduce the prep time for conducting a good review nearly in half or more. “One organization that was putting in 40 hours of prep time reduced it to about 16 hours,” he says.
Adding efficiency through implementation of technology could go a long way to saving enough resources for smaller audit teams to get the QAR done and stay in compliance with IIA standards.