quality evaluation and improvement for internal audit svilena simeonova 1
TRANSCRIPT
CONTENTS
1. Quality of Internal Audit – review
2. Legal and methodological framework
3. Quality Assurance and Improvement Program (QAIP)
4. Internal assessments
5. External assessments
6. Benchmarks for the assessment
7. Internal Audit maturity model of the IIA related to QAIP
8. Role of the central coordination units for Quality assurance process
1. QUALITY OF INTERNAL AUDIT – REVIEW
Meeting expectations of the head of the organisation, audit entities, Audit Committee and other stakeholders;
Conformity with the standards, definition and Code of Ethics;
Conformity with legal requirements
Adding value for the organization
Contribution to the effectiveness and efficiency of the governance, risk management and control processes
Providing relevant assurance and consultancy
LEGAL AND METHODOLOGICAL FRAMEWORK (1)
International Standards for Professional Practice of Internal Auditing of the Institute of Internal Auditors
1300 – Quality Assurance and Improvement ProgramThe chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.1310 – Requirements of the Quality Assurance and Improvement ProgramThe quality assurance and improvement program must include both internal and external assessments.1311 – Internal AssessmentsInternal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.1312 - External AssessmentsExternal assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization.
LEGAL AND METODOLOGICAL FRAMEWORK (2)
Standards of the Institute of Internal Auditors
1320 – Reporting on the Quality Assurance and Improvement ProgramThe chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.1322 – Disclosure of NonconformanceWhen nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.
LEGAL AND METODOLOGICAL FRAMEWORK (3)
The IIA Practice Advisories The IIA’s Quality assurance and improvement program Practice
Guide 2012 National laws National Standards Guidance documents, ordinances, IA Charters, manuals
National rules follow and specified the IPPF Standards requirements
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (1)
The program is the key tool for maintaining quality and developing the Internal Audit function
Aims of the QAIP:
• To evaluate conformity with the Definition, The Standards and the Code of Ethics
• To assess the efficiency and effectiveness of IA activity
• To identify opportunities for improvement
Communication of the QAIP
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (2)
Content of the QAIP:
• Internal Assessment
• External Assessment, the both focus on:
The purpose and position of the IA unit;
The unit’s structure and resources for delivering the service expected of it;
The efficiency and effectiveness of the output-oriented auditing process;
Positive demonstrable impact on governance, risk management and control processes
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (3)
SCOPE / PERSPECTIVES OF THE QAI PROGRAM:
Internal Audit Engagement level
• Planning• Fieldwork conduct• Reporting• Follow-up actions
Internal Audit Organizational level
• Written policies and procedures
• IA work meets stakeholders expectations
• The IA activity adds value and improves the organization
External perspective
• Independent external assessment
• Of the entire IA activity• Conformity, efficiency,
effectiveness, meeting expectations
4. INTERNAL ASSESSMENTS (1)
ONGOING MONITORING OF IA ACTIVITY
An integral part of day-to-day work
Consists of supervision, review and measurement of the IA engagements
Is incorporated into the routine policies and practices
The procedures should be clear, applicable and not overly complex
Performed by Chief Audit Executive or another internal auditor appointed by CAE
4. INTERNAL ASSESSMENTS (2)
PERIODIC SELF-ASSESSMENT
Review of selected part of documentation of the IA engagement;
Questionnaires, interviews, survey, including feedback from the audit entities;
Comparison with the best professional practices
ASSESSMENT BY OTHER PERSONS WITHIN THE ORGANIZATION WITH SUFFICIENT KNOWLEDGE OF IA PRACTICE
Appropriate method for small IA units
5. EXTERNAL ASSESSMENTS (1)
Two types External assessments
• Full external assessment by an independent competent assessor or team
• Self-assessment with independent external validation
Frequency – at least once every five years
Evaluation of conformity with the Standards, legislation, Code of Ethics and effectiveness of the IA activity too
Aimed to find opportunities for improvement
5. EXTERNAL ASSESSMENTS (2)
What is the scope of the External assessment ?
• Purpose and positioning
• Structure and resources
• Audit execution
• Impact
Procedures
Recommendations and Action plan for improvement
Different practices and approaches ( peer reviews)
5. BENCHMARKS FOR THE ASSESSMENT
Combination of quantitative and qualitative indicators:
Numbers of audits performed
Number of recommendation issued and implemented
Quality of the findings in terms of materiality
Quality of recommendations in terms of impact
Degree of risks covered
Amendments to the management and control set-up resulting from IA activities
bnbnb
Policy MethodologyAnd Process
People Systems and Information
Communication and Reporting
The Chief Audit Executive establishes and maintains a QAIP
The methodology upon which the QAIP is based is based is derived from the IIA Standards
IA staff are aware of their responsibilities related to the QAIP
A standardized audit management system is used to document work papers
The results of periodic internal assessment are summarized and discussed with audit management
CAE communicates the results of the QAIP to senior management and the board
The process to execute the QAIP is documented in the IA Policy and Procedure Manual
Responsibility for implementation of the QAIP is assigned to personnel who are independent and objective
Significant company systems are used to derive relevant Performance Indicators that are monitored and used during the IAQA process
The results of periodic internal assessments are reported to and reviewed with senior management and the Audit Commitee
The IA Policy and Procedure Manual describes the QAIP requirements
The process is reviewed periodically to ensure it is current with the Standards requirements
External assessments are conducted by qualified personnel who are independent from the organization
External assessment provides deliver qualitative and quantitative benchmarks that are reported to management
The IA activity charter establishes the requirements for the QAIP
Fully dedicated IA staff are assigned to perform the periodic internal quality assessment with strong experience in IA and performing QA
Client Feedback forms are solicited and received back from each client to assist in continuous improvement
bnbnb
OVERALL MATURITY
LEVEL
Policy Methodology and Process
People Systems and Information
Communication and Reporting
Optimized Continuous monitoring and updating
Continuous monitoring and updating
Training and development monitored
Extensive use of data mining and analytics;
Communication and reporting highly effective
Managed Policies are communicated to personnel
Methodology and processes are communicated to personnel
All resources have appropriate skills and credentials; targeted training in place
Data integrity is high
Quality an timeliness metrics defined and monitored
Defined Policies are defined and in place and documented
Uniform methodology and processes are defined, in place and documented
Appropriate skills and credentials are in place; training requirements documented
Stable systems in place
C and R processes are defined, in place and documented
Repeatable Policies are defined and in place but may not be documented
Uniform methodology and processes are defined and in place
Some specialized technical skills and credentials
Fairly effective systems are in place; low reliance on data
C and R processes are defined and in place but may not be documented
initial Policies are not defined or in place
Methodology and processes are not defined or in place
Resource skills and credentials do not match process requirements
High reliance on manual systems and spreadsheets
C and R done on an ad hoc basis; no validation of results or focus on quality
8. ROLE OF THE CENTRAL COORDINATION UNITS FOR QUALITY ASSURANCE PROCESS
To develop guidelines
To collect information
To provide examples of good practice
To monitor and review
To participate in peer reviews