Our Business Assurance Director, Gemma Smith, on the news that our Internal Audit Team has received its External Quality Assessment results.

I am delighted to announce that the Group's Internal Audit Team has just had an External Quality Assessment (EQA) and received the highest possible rating!

What is the purpose of an EQA?

Every internal audit team must conform to a set of standards (57 in total) defined by the Chartered Institute of Internal Auditors (IIA). Some examples of the requirements of the standards are:

• Demonstrating organisational independence
• Having an internal audit plan that focuses on things that matter to the organisation
• Reporting on internal audit activity to the board and senior management.

As a qualified/Chartered Member of the IIA myself, I take compliance with the standards very seriously. An EQA is required every five years to provide independent assurance that the team conforms to the standards. For me, it is essential to get this external validation of the quality of the work undertaken by the team and how the team is perceived and valued by the organisation; this is doubly important as the team is directly employed by the organisation (rather than outsourcing to an external provider).

What was involved?

This is the second EQA I have been involved in since joining the Group, and I have also had experience working on EQAs in previous roles. Therefore, I had a good idea of what to expect.

We provided evidence to the EQA assessor to demonstrate conformance with each Standard. The assessor provided a list so we knew what to submit. He also met with a range of stakeholders to ask for feedback on the team's effectiveness and review a sample of specific audit working papers and reports.

As I already undertake an annual self-assessment of conformance against the standards (and the more detailed Internal Audit Code of Practice), I was already confident that there were no significant gaps. And whilst it took a little bit of time to collate all of the information for the assessor, our clear and up-to-date electronic filing systems made it straightforward to locate everything requested.

Where necessary, we met with the assessor to clarify some of the requests and to discuss how and why we do certain things the way we do. While it was clear that the assessor was challenging us on these things, it also felt like a collaborative approach. The assessor listened to what we said and considered it when forming his opinions.

What were the findings?

Whilst the outcome 'generally conforms' doesn't sound exciting, it is the highest possible grading for an EQA.

The definition for generally conforms is:
"The relevant structures, policies, and procedures of the activity, as well as the processes by which they are applied, comply with the requirements of the individual Standard or element of the Code of Ethics in all material respects. Some opportunities for improvement have been identified".

Leading a small internal audit team isn't always plain sailing. It is important to ensure the team is sufficiently skilled and resilient to successfully deliver its purpose - this means that we can't always meet each of the standards down to the exact criteria. But what we can do is document the exceptions and discuss and agree on them with the Audit Committee. For example, ideally, the Chief Internal Auditor/Head of Internal Audit would not hold other operational responsibilities. But at Progress, I am responsible for several areas, including data protection and insurance. However, we have documented this within our Internal Audit Charter and ensured that the Audit Committee is fully aware and comfortable with this.

Of course, there's always room for improvement! As some of our roles and responsibilities across the team (and even our approaches to delivering assurance) are quite new, we will be updating our templates and procedures. Given my broad remit and length of time in the role, we will also be doing more to articulate clearly how we obtain assurance for each area I am responsible.

Our next EQA (due in five years) will take place before January 2028.