Posted: 01 Oct. 2020 10 min. read

Financial Services Internal Audit – Planning Priorities 2021

Effective and Valuable Quality Assurance – Providing value and confidence in a period of heightened risk and Internal Audit transformation

Why is QA important?

The remit, scope and approach of audit functions are under increased pressure, with internal and external stakeholders looking to Internal Audit to play a vital role in providing robust, timely and valuable assurance over the response of controls and governance to the volatile risk environment brought about by COVID-19. As a result, the importance of a high-quality Internal Audit function has never been higher.

In addition, in much the same way that Internal Audit teams are providing assurance over how businesses have adapted their control environment as a result of COVID-19, Audit Committees and stakeholders want assurance that the Internal Audit control environment has evolved appropriately, with audit quality being maintained. In response, IA functions are refreshing their approach to QA.

Going beyond assessing audit quality and promoting a culture of continuous improvement, QA should be used as a tool for providing timely insights into the impacts of remote audit working, identifying real-time improvement opportunities, and sharing best practice to support teams as they settle into new ways of working.

What’s new?

As noted in our previous blog [Re-thinking Internal Audit’s remit post COVID-19], the impacts of the global pandemic have provided new opportunities for IA functions to add more value around assurance, improve the advice they provide and increase their anticipation of risk. With functions responding with new audit approaches and the increased provision of real-time, “advisory” or “in-flight” opinions, the inherent risk within Internal Audit delivery models has increased. As a result, there is a significant need for real-time assurance around the quality and impact of these new ways of working, making sure that they are driving the value and impact of Internal Audit forward, while providing the right assurance at the right time to all stakeholders.

Internal Audit are also experiencing the same challenges as other parts of the business, with prolonged periods of remote working and the function having to respond quickly to the dynamic and uncertain risk landscape that their business is operating within.

Whilst many IA functions are used to working remotely, the current prolonged period of remote working has restricted the ‘organic’ and informal face-to-face office interactions. As a result, sharing experiences, best practice and business insights between team members requires more discipline. The virtual office environment also introduces the potential for staff to suffer from isolated working and ‘home working fatigue’ which negatively impact on Internal Audit’s culture and quality. In this environment, QA offers a valuable avenue for communication and education. It provides a mechanism for identifying and sharing best practice and insights across the entire IA team, as well as addressing areas of audit need and audit quality.

The impacts of COVID-19 are continuing to evolve at pace, exposing organisations to new, complex and rapidly evolving business risks. As such, Internal Audit must continue to respond and focus on the key risks, whilst delivering assurance in a way that is sympathetic to the operational challenges faced by management. This is where QA can be of real value; providing real-time assurance over Internal Audit’s response, objectively concluding on the quality of the audit scope, approach and conclusions.

What should QA be doing in response?

Now more than ever QA programmes need to go beyond retrospective file reviews of methodology compliance and should cover all aspects of the Internal Audit cycle. They should also be responsive and tailored to the emerging risks associated with Internal Audit delivery in a global pandemic.

As a result, QA programmes should consider including:

  • In-flight reviews – shadowing key points of the audit cycle to provide continuous real-time feedback. QA teams work closely with audit teams to assess, challenge and resolve areas of potential audit risk during the audit process. This allows potential quality issues to be resolved before audit risk arises and impacts on the effectiveness and reputation of the IA function. The ‘live’ nature of in-flight reviews also allows the sharing of knowledge and best practice with IA teams without impacting on audit delivery or efficiency.
  • Thematic reviews – focussed on high risk and high impact areas of the audit process. The objective of thematic QA reviews is to perform a detailed assessment of specific areas of audit approach across a higher sample of Internal Audits. These are a fast, effective way of assessing quality and consistency; benchmarking IA teams to identify training needs and highlighting examples of best practice, which together support continuous improvement and increase the impact and efficiency of Internal Audit.
  • Continuous monitoring – the tracking of QA KPIs, identification of emerging trends, and/or material issues, and the sharing of the results with IA management to provide visibility on the whole audit function. For example, quality scores arising from the review of key audit deliverables and assessing the extent to which they consider the impact on the organisation’s strategy, provide a complete audit opinion in line with the audit objective, demonstrate and highlight the root cause analysis, and provide appropriate commentary on culture. Data analytics can also be used to provide real-time sight of quality hot spots (e.g. timing of review, quantity of documents retained on file, timeliness to archive). The use of this continuous monitoring capability will help drive improved standards and proactively inform the future development needs of the audit function.
  • Audit Plan Coverage – helping ensure the audit plan remains risk focussed, while providing adequate coverage in line with the original and revised audit plans agreed with the Audit Committee.

Covering these elements allows QA to become a more effective tool in facilitating positive change; keeping Internal Audit teams focussed on what matters, identifying real-time learning and development opportunities, and supporting the continuous improvement of Internal Audit. This will help ensure Internal Audit departments remain fit for purpose in the current environment, as well as ‘fit for the future’ as businesses work through the impacts of the global pandemic.

What’s next?

  • The focus on having an effective QA programme is only likely to increase, particularly as regulators look into how Internal Audit have navigated the evolving risks and business challenges caused by COVID-19.
  • Heads of Audit should consider whether their current QA approach is delivering the right level of challenge and assurance to allow them to demonstrate the quality of their functions’ response to the global pandemic. Does your QA programme provide confidence in the effectiveness of Internal Audit?
  • In the same way that the business’s control environment needs to remain robust and impactful, Internal Audit should review their key control activities such that they continue to provide quality assurance around the quality and impact of the function. Revisit the QA operating model to determine whether the structure and resourcing remain appropriate in light of the increased risks and demands on the Internal Audit function. Do you have the right skills, experience and capacity in the QA team to support the audit function through these challenging times, and thrive as we enter the next phase of COVID-19?

Key contacts

Matthew Cox

Partner

Matt Cox is a leader in Deloitte's insurance internal audit and controls advisory team in the UK. Matt has 17 years of experience working with internal audit functions at insurers and other financial service organisations and has performed senior internal audit roles at a number of large insurers.

Marc McNulty

Director

Marc has over 14 years’ experience leading internal audit, assurance, SOX and regulatory compliance engagements in both industry and professional practice. Marc is part of our financial services internal audit leadership team and leads our team in Scotland, providing co-sourced, outsourced and External Quality Assessment services to financial services organisations. Marc also leads our Internal Audit Quality Assurance team, providing independent Quality Assurance support to a number of financial services internal audit teams across the UK.