Quality Assurance and Improvement Program, October 2015, www.pwc.com
Post on 17-Jan-2016
External Strategic Assessment Guide
Learning Objectives

- Understanding Quality Assurance Review (QAR) Practices
- Review of current standards and expectations for quality assurance and improvement program
- Leading practices and approaches for quality assurance and improvement

Understanding Quality Assurance Review Practices: The Standards

The International Standards for the Professional Practice of Internal Auditing (ISPPA) represent principle focused standards intended to provide a framework for performing and promoting internal auditing.
Standard 1312 External Assessments must be conducted once every five years by a qualified, independent assessor or assessment team from outside the organization.

Most internal audit departments view IIA standards as mandatory.

Many IA functions use the ISPPA standards as their framework for executing their IA departments and communicate to their Audit Committee and other stakeholders that they follow these standards.

Understanding Quality Assurance Review Practices: The Standards

IIA Standards

Internal Audit departments are assessed against 11 Standards developed by the IIA. Four standards (1000-1300) address the attributes of Internal Audit (i.e., who or what internal audit is); seven standards (2000-2600) address the performance of Internal Audit (i.e., how internal audit conducts its work).

Standard Number   Summary of IIA Standards
1000              Purpose, authority, and responsibility
1100              Independence and objectivity
1200              Proficiency and due professional care
1300              Quality assurance & improvement program
2000              Managing the internal audit activity
2100              Nature of work
2200              Engagement planning
2300              Performing the engagement
2400              Communicating results
2500              Monitoring progress
2600              Communicating the acceptance of risk

The Standards are viewed by the IIA as fundamental attributes for an internal audit function (i.e., they represent the minimum acceptable level of performance).

1000: The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

1100: The internal audit activity must be independent, and internal auditors must be objective in performing their work.

1200: Engagements must be performed with proficiency and due professional care.

1300: The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

2000: The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.

2100: The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

2200: Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing and resource allocations.

2300: Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.

2400: Internal auditors must communicate the engagement results.

2500: The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2600: When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive must report the matter to the board for resolution.
Each standard area should be reviewed to determine where current performance does or does not meet the Standards. Conformance with both the spirit and letter of the Standard should be considered. The assessment should conclude for each standard area with one of the following ratings:

- Generally conforms - the internal audit activity has policies, processes and practices that are in accordance with the Standards. Opportunities for enhancements may exist.
- Partially conforms - deviations from the Standards exist, but did not preclude the internal audit activity from performing its responsibilities in an acceptable manner.
- Does not conform - deficiencies in practice are so significant as to seriously impair or preclude the internal audit activity from performing adequately in all or in significant areas of its responsibilities.
Understanding Quality Assurance Review Practices: Types of External Strategic Assessments (ESA) services

Companies typically perform an ESA for a variety of reasons, ranging from developing a strategic plan to benchmarking to complying with the IIA standards. We can break down ESAs into two types:

- Type 1: Full ESA - This assessment provides the greatest value to companies as it assesses 1) stakeholder expectations and opinions on Internal Audit's current performance and compares those opinions against Internal Audit's current operating practices; 2) Internal Audit's operating practices against peer results; and 3) Internal Audit's operating practices against the IIA standards.
- Type 2: IIA Standards Assessment - This is a subset of the full ESA, with more limited insight as it evaluates only whether Internal Audit operating practices conform with the IIA standards and how the department's operating practices compare against peers.

Note - Type 2 engagements do not typically result in a high level of value for a Company as they are less focused on determining whether the internal audit or other quality assurance program is aligned with the expectations of key stakeholders than a Type 1.
External Strategic Assessments: Types of ESA services (continued)

The table below provides a summary of the objectives, deliverables and value for each type of service (columns: Type 1: ESA; Type 2: IIA Standards Assessment):

Objective
Assess Internal Audit for the following:
- Stakeholder expectations and perception of IA's performance against the eight attributes of excellence
- Maturity of IA operating practices against the eight attributes of excellence
- IA operating practices against peer company operating practices
- Conformance to IIA Standards

Insights Obtained
The following information is summarized to gain insight into the IA department:
- Results of stakeholder assessment of Internal Audit (i.e., the stakeholders' expectations vs their perception of performance)
- Comparison of IA's operating practice results against 1) stakeholder expectations; and 2) stakeholder perception of IA's performance
- Results of operating practices for each of the 8 attributes and overall
- Benchmarking of operating practice results against peers
- Conformance to IIA Standards and actions warranted to achieve conformance, as needed

Value Delivered
Strategic assessments allow departments to assess the value they deliver:
- Insight into where Internal Audit is not meeting the expectations of their stakeholders
- Insight into whether that misalignment is a result of under-performing teams or a need to enhance existing operating practices
- Understanding of IA's operating capabilities compared against peers
- Roadmap of actions warranted to achieve conformance with the IIA Standards
- Achievement of requirements for IIA Standard 1312

Typical Calendar Timeframe & level of PwC effort
- Type 1: ESA: 8-12 week duration (from kick off to report); 300-600 hours (highly dependent on number of interviews and complexity of environment)
- Type 2: IIA Standards Assessment: 4-6 week duration (from kick off to report); 200-300 hours (dependent on size of department and number of interviews)

1312 - External Assessments: External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:
- The form and frequency of external assessment; and
- The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

External Strategic Assessments: Overview

The primary internal audit performance improvement service offered by PwC is an External Strategic Assessment (ESA), performed using a proprietary approach and technology known as Profiler. Companies typically may require such a service if they desire a perspective on how their internal audit group is performing relative to leading practices and/or professional standards, or at the onset of developing a Strategic Plan. Areas to be reviewed may encompass the entire spectrum of internal audit strategy and operations or be very specific to a certain area. A full external strategic assessment consists of:

- Understanding internal audit stakeholders' perspectives of internal audit's performance and value.
  Stakeholders typically include: Audit Committee &/or Board members, Executives and Senior leadership, other risk and compliance leaders, internal audit staff and external auditors;
- Evaluating internal audit working practices, including evaluation of select audits, to understand the maturity of the department's current operating capabilities;
- An assessment of conformance against each of the 11 Standards within the Institute of Internal Auditors' ("IIA") International Standards for the Professional Practice of Internal Auditing ("IIA Standards" or "the Standards"); and
- Benchmarking of internal audit working practices against peer companies from Profiler.

[Figure labels: Stakeholder Value; Stakeholder Expectations & Alignment; Performance; Operational Capability; Compliance with IIA standards]

External Strategic Assessments (continued): The ESA framework

Our ESA framework is built off of the Internal Audit Maturity scale across the internal audit Eight Attributes of Excellence. This means that we assess Internal Audit's operating practices as well