The quality of enterprise governance and the questionable judgment and roles of internal auditors have resulted in some financial reporting irregularities, fraud and various forms of malpractice such as insider trading. As a result, organizations have faced financial, legal and reputational losses. This has been made evident by a spate of incidents such as the 2015 Toshiba accounting scandal,1 the 2009 Satyam financial misstatement scam,2 and the 2001 Enron accounting and corporate fraud crimes.3 To counter this, it is essential to have a peer reviewer consistently monitor the quality and efficiency of the internal audit department to identify and help avoid any potential malpractice or errors that might be a result of inefficient or poorly conducted internal audits. To ensure the independence and sanctity of the peer review process, it is recommended to make the peer review process an external function by using a third party that is qualified to provide an assessment of internal audit best practices. By understanding best practices of the peer review process and the parameters for selecting an appropriate external third party to perform it, organizations can improve the quality of audit and assurance services. A peer review tool can be an effective way to identify reviewers through quantitative scoring and measure the effectiveness of the peer review process.
Peer Review Process Key Objectives
To promote and enhance quality in auditing practices, an organization’s senior leadership must understand the essence of the peer review process. A peer review of an organization’s internal audit department should have several key objectives, as shown in figure 1.
Peer Review Process Key Criteria
Any independent audit organization planning to perform peer reviews for an internal audit department must adhere to key criteria (figure 2). These key criteria are imperative to ensure objectivity and efficacy in the review process. The criteria can be separated into three categories:
- Strategic—These criteria enable enterprises to align with organizational and departmental strategy and direction. These should support the organization in pursuing its overall strategy.
- Operational—These criteria help to utilize the operational capacity of people, processes and technology and link them to enterprise strategic goals and objectives.
- Tactical—These criteria support the steps taken to achieve the strategic objective.
Parameters for Selecting a Third Party for Peer Review
To choose a competent and objective assessor, key selection criteria should be identified based on industry experience and knowledge obtained as part of the third line of defense (figure 3).
Using a Scoring Tool
A tool that should be used to select a third party and quantify the success of the third-party assessment program has been developed.
Any organization can use such a tool as a starting point and customize it per their requirements. It is essentially to use a scoring sheet to objectively compute the efficiency of the peer review process and gauge the parameters of the peer reviewer selection process.
Organizations complete one scoring process for peer reviewers (figure 4) and one for the third-party reviewer assessment (figure 5). In the scoring sheet, each criterion is rated as high, moderate or low and given a weighting of critical, high or medium, and that weighting is given a numeric score (i.e., crucial, 10; high, 5; medium, 2). Once the criterion is rated, the sheet computes a score based on the weight of the criterion/parameter (as the case may be) and the selected choice.
The weight provided in the scoring sheet is recommended. However, based on the organization’s business requirement, appropriate adjustments can be made.
Guard rails for grading the final score are shown in figures 6 and 7.
Conclusion
Establishing peer review parameters provides organizations with a measurement tool to ensure an efficient peer review process and gauge the peer reviewer selection process. A peer review process that includes the assessment of internal audit is essential to ensure that it is carrying out the function of third line of defense appropriately and with efficiency in the auditable entities and to protect the organization from financial and reputational repercussions.
Endnotes
1 Farrell, S.; “Toshiba Boss Quits Over £780m Accounting Scandal,” The Guardian, 21 July 2015, https://www.theguardian.com/world/2015/jul/21/toshiba-boss-quits-hisao-tanaka-accounting-scandal
2 Ramesh, R.; K. Bhattacharya; “India Has its ‘Enron Moment’ After Revelations of Satyam Founder’s
£1bn Fraud,” The Guardian, 8 January 2009, https://www.theguardian.com/business/2009/jan/08/satyam-fraud-industry
3 Tran, M.; “How Enron Lost its Spark,” The Guardian, 29 November 2011, https://www.theguardian.com/business/2001/nov/29/corporatefraud.enron1
GAURAV PRIYADARSHI | CISA, BS 25999 LI, CSA CERTIFIED STAR AUDITOR, ISO 27001 LA, ITIL V3
Is a senior auditor at a Fortune 50 organization with more than 15 years of global experience in audit and information security consulting. Priyadarshi is a technology evangelist and a follower of trending audit concepts. He can be reached at gpriyadarshi@gmail.com.
ABHISHEK ANAND | CISA, CISM, COSE, ITIL V3
Is an audit manager at a Fortune 50 organization with more than a decade of global experience in audit and information security consulting, including the Big Four accounting firms. He is a process-oriented auditor with interest in emerging technologies. He can be reached at abhishekanand_s@yahoo.com.
ISHIKA SHUKLA
Is a team lead at a Fortune 50 organization with experience delivering internal and external audit assignments to a range of clients including the Big Four accounting firms. She can be reached at ishikashuklapro@gmail.com.