1

Quality evaluation and improvement for Internal AuditSvilena Simeonova

CONTENTS

1. Quality of Internal Audit – review

2. Legal and methodological framework

3. Quality Assurance and Improvement Program (QAIP)

4. Internal assessments

5. External assessments

6. Benchmarks for the assessment

7. Internal Audit maturity model of the IIA related to QAIP

8. Role of the central coordination units for Quality assurance process

1. QUALITY OF INTERNAL AUDIT – REVIEW

Meeting expectations of the head of the organisation, audit entities, Audit Committee and other stakeholders;

Conformity with the standards, definition and Code of Ethics;

Conformity with legal requirements

Adding value for the organization

Contribution to the effectiveness and efficiency of the governance, risk management and control processes

Providing relevant assurance and consultancy

LEGAL AND METHODOLOGICAL FRAMEWORK (1)

International Standards for Professional Practice of Internal Auditing of the Institute of Internal Auditors

1300 – Quality Assurance and Improvement ProgramThe chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.1310 – Requirements of the Quality Assurance and Improvement ProgramThe quality assurance and improvement program must include both internal and external assessments.1311 – Internal AssessmentsInternal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.1312 - External AssessmentsExternal assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization.

LEGAL AND METODOLOGICAL FRAMEWORK (2)

Standards of the Institute of Internal Auditors

1320 – Reporting on the Quality Assurance and Improvement ProgramThe chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.1322 – Disclosure of NonconformanceWhen nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.

LEGAL AND METODOLOGICAL FRAMEWORK (3)

The IIA Practice Advisories The IIA’s Quality assurance and improvement program Practice

Guide 2012 National laws National Standards Guidance documents, ordinances, IA Charters, manuals

National rules follow and specified the IPPF Standards requirements

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (1)

The program is the key tool for maintaining quality and developing the Internal Audit function

Aims of the QAIP:

• To evaluate conformity with the Definition, The Standards and the Code of Ethics

• To assess the efficiency and effectiveness of IA activity

• To identify opportunities for improvement

Communication of the QAIP

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (2)

Content of the QAIP:

• Internal Assessment

• External Assessment, the both focus on:

The purpose and position of the IA unit;

The unit’s structure and resources for delivering the service expected of it;

The efficiency and effectiveness of the output-oriented auditing process;

Positive demonstrable impact on governance, risk management and control processes

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (3)

SCOPE / PERSPECTIVES OF THE QAI PROGRAM:

Internal Audit Engagement level

• Planning• Fieldwork conduct• Reporting• Follow-up actions

Internal Audit Organizational level

• Written policies and procedures

• IA work meets stakeholders expectations

• The IA activity adds value and improves the organization

External perspective

• Independent external assessment

• Of the entire IA activity• Conformity, efficiency,

effectiveness, meeting expectations

4. INTERNAL ASSESSMENTS (1)

ONGOING MONITORING OF IA ACTIVITY

An integral part of day-to-day work

Consists of supervision, review and measurement of the IA engagements

Is incorporated into the routine policies and practices

The procedures should be clear, applicable and not overly complex

Performed by Chief Audit Executive or another internal auditor appointed by CAE

4. INTERNAL ASSESSMENTS (2)

PERIODIC SELF-ASSESSMENT

Review of selected part of documentation of the IA engagement;

Questionnaires, interviews, survey, including feedback from the audit entities;

Comparison with the best professional practices

ASSESSMENT BY OTHER PERSONS WITHIN THE ORGANIZATION WITH SUFFICIENT KNOWLEDGE OF IA PRACTICE

Appropriate method for small IA units

5. EXTERNAL ASSESSMENTS (1)

Two types External assessments

• Full external assessment by an independent competent assessor or team

• Self-assessment with independent external validation

Frequency – at least once every five years

Evaluation of conformity with the Standards, legislation, Code of Ethics and effectiveness of the IA activity too

Aimed to find opportunities for improvement

5. EXTERNAL ASSESSMENTS (2)

What is the scope of the External assessment ?

• Purpose and positioning

• Structure and resources

• Audit execution

• Impact

Procedures

Recommendations and Action plan for improvement

Different practices and approaches ( peer reviews)

5. BENCHMARKS FOR THE ASSESSMENT

Combination of quantitative and qualitative indicators:

Numbers of audits performed

Number of recommendation issued and implemented

Quality of the findings in terms of materiality

Quality of recommendations in terms of impact

Degree of risks covered

Amendments to the management and control set-up resulting from IA activities

bnbnb

Policy MethodologyAnd Process

People Systems and Information

Communication and Reporting

The Chief Audit Executive establishes and maintains a QAIP

The methodology upon which the QAIP is based is based is derived from the IIA Standards

IA staff are aware of their responsibilities related to the QAIP

A standardized audit management system is used to document work papers

The results of periodic internal assessment are summarized and discussed with audit management

CAE communicates the results of the QAIP to senior management and the board

The process to execute the QAIP is documented in the IA Policy and Procedure Manual

Responsibility for implementation of the QAIP is assigned to personnel who are independent and objective

Significant company systems are used to derive relevant Performance Indicators that are monitored and used during the IAQA process

The results of periodic internal assessments are reported to and reviewed with senior management and the Audit Commitee

The IA Policy and Procedure Manual describes the QAIP requirements

The process is reviewed periodically to ensure it is current with the Standards requirements

External assessments are conducted by qualified personnel who are independent from the organization

External assessment provides deliver qualitative and quantitative benchmarks that are reported to management

The IA activity charter establishes the requirements for the QAIP

Fully dedicated IA staff are assigned to perform the periodic internal quality assessment with strong experience in IA and performing QA

Client Feedback forms are solicited and received back from each client to assist in continuous improvement

bnbnb

OVERALL MATURITY

LEVEL

Policy Methodology and Process

People Systems and Information

Communication and Reporting

Optimized Continuous monitoring and updating

Continuous monitoring and updating

Training and development monitored

Extensive use of data mining and analytics;

Communication and reporting highly effective

Managed Policies are communicated to personnel

Methodology and processes are communicated to personnel

All resources have appropriate skills and credentials; targeted training in place

Data integrity is high

Quality an timeliness metrics defined and monitored

Defined Policies are defined and in place and documented

Uniform methodology and processes are defined, in place and documented

Appropriate skills and credentials are in place; training requirements documented

Stable systems in place

C and R processes are defined, in place and documented

Repeatable Policies are defined and in place but may not be documented

Uniform methodology and processes are defined and in place

Some specialized technical skills and credentials

Fairly effective systems are in place; low reliance on data

C and R processes are defined and in place but may not be documented

initial Policies are not defined or in place

Methodology and processes are not defined or in place

Resource skills and credentials do not match process requirements

High reliance on manual systems and spreadsheets

C and R done on an ad hoc basis; no validation of results or focus on quality

8. ROLE OF THE CENTRAL COORDINATION UNITS FOR QUALITY ASSURANCE PROCESS

To develop guidelines

To collect information

To provide examples of good practice

To monitor and review

To participate in peer reviews

Thank you!