Confidence in the internal control system of an enterprise is essentially determined by the existence of a working quality assurance system. The internal control system governing the enterprise's activities can only inspire confidence if a functioning internal monitoring system exists. Handling these tasks is a central function of internal auditing. But who performs a quality review of the internal audit?
Standards for reviewing an internal auditing system arise from the Institute of Internal Auditors' (IIA's) Professional Practices Framework (IPPF) or from requirements of securities legislation. According to Attribute Standard AS 1312 - External Assessments - published by the IIA, an external assessment of the internal audit must be performed at least every five years by a qualified, independent reviewer. This ensures that conformity with the internal auditing definition and standards is assessed free of conflicts of interest, and that compliance with professional conduct (code of ethics) is guaranteed. Otherwise a statement on compliance with internationally recognised standards for professional practice in internal auditing may not be issued (AS 1321). § 107 para. 3 sentence 2 AktG envisages the Supervisory Board being able to constitute an audit committee from among its members. In addition to monitoring the annual audit, the committee monitors
- the accounting process,
- the effectiveness of the internal control system,
- the risk management system and
- the internal audit system.
Following this suggestion by the legislators and standard-setters, Heads of Internal Auditing, Executive Boards and Supervisory Boards are increasingly seeking independent third-party support for their own conclusions on the internal audit system, which at the same time provides input for quality assurance and improvement.
Based on practical experience and knowledge of audit departments in financial-sector companies with different business models and sizes of operation, BDO has developed a differentiated, checklist-based process in accordance with the IIR audit standards for performing quality reviews of audit departments. The quality review is risk-oriented, i.e., it takes into account the principle of proportionality as well as the supervisory requirements for the internal audit, which are defined in particular in MaRisk.