www.theiia.org external quality assessments. session overview quality standards internal quality...

22
www.theiia.org External Quality Assessments

Upload: erick-harrison

Post on 22-Dec-2015

215 views

Category:

Documents


0 download

TRANSCRIPT

www.theiia.org

External Quality Assessments

www.theiia.org

Session Overview

• Quality Standards• Internal Quality Assessments• External Quality Assessments• Peer Reviews• Common Problems Observed• Online Resources Available

www.theiia.org

Professional Practices Framework

• International Standards for the Professional Practice of Internal Auditing (Standards)– Mandatory Guidance

• Attribute• Performance• Implementation

– Assurance– Consulting

• Practice Advisories• Development and Practice Aids

www.theiia.org

Quality Standards

• 1300 - Quality Assurance and Improvement Program• 1310 - Quality Program Assessments• 1311 - Internal Assessments• 1312 - External Assessments• 1320 - Reporting on the Quality Program• 1321 - Use of “Conducted in Accordance with the

Standards”• 1322 - Disclosure of Noncompliance

www.theiia.org

Standard 1311 Internal Quality Assessments

• Ongoing• Work Paper Reviews• Performance Evaluations• Actual vs. Budgeted Analysis• Various Monitoring Metrics• Customer Surveys

• Periodic • Self-Assessment

– Annually – Covering all Standards over 5 years– Quarterly/Semi-Annual – Portions of Standards each

year– Assess compliance with IA Activity Charter

www.theiia.org

Standard 1312 External Quality Assessments

• Required every 5 years• Standard enacted January 1, 2002 • Two methods:

– External Quality Assessment with the review and report by an independent team

– Self Assessment with report validation by an Independent Validator

www.theiia.org

Objectives of External Reviews

• Provide an opinion on the internal audit activity’s conformance to the spirit and intent of the Standards.

• Assess the efficiency and effectiveness of the internal audit activity in light of:– Its charter– Expectations of the board, executive management,

and the CAE• Identify opportunities and offer ideas and

counsel to the CAE and staff for:– Improving their performance– Increasing the value they add to the enterprise

www.theiia.org

Why Conduct an External Quality Assessment?

To provide independent analyses:– Do we meet professional standards?– Can things be done better?– Should more be done?– Is maximum value being received for each

dollar of expense?– Can we add more value to management and

the audit committee?– Can we enhance our image, perceptions,

and credibility within the organization?

www.theiia.org

Standard 1321Use of "Conforms with the

Standards"

• Internal auditors are encouraged to report that activities are in conformance with the Standards

• However, internal auditors may use the statement only if assessments of the quality assurance and improvement program demonstrates conformance with Standards.

www.theiia.org

External Quality Assessment

• Contract with outside provider to perform review, write the report and determine the compliance with the Standards:

– Regional accounting firms– Outsource providers– Independent consultants– Independent Peers

www.theiia.org

Self Assessment with Independent Validation

• Internal Audit Activity conducts their own Self assessment, determines compliance with the Standards and writes the report

• Internal Audit Activity then engages an independent Validator to review documentation and perform limited testing

• Validator concurs with report or disagrees and issues own report (opinion)

• Validator can be an external service provider or from a peer pool

www.theiia.org

Peer Reviews

• Peer reviews between three or more organizations does meet the requirements of an external quality assessment.

• Reciprocal peer reviews between two organizations would not pass the independence test.

• Contract between three (3) or more companies within the same industry or other affinity group, regional association, or other group of organizations.

www.theiia.org

Competence of Assessors and Validators

• Practice Advisory 1312-1 recommends:– Be a competent, certified audit professional.– Be well versed in the best practices of the

profession.– Have at least three years of recent experience in the

practice of internal auditing at a management level.– Have additional competence gained from working

previously as a team member on an external quality assessment.

www.theiia.org

Independence of Assessors and Validators

• Practice Advisory 1312-1 recommends:– “be free from any obligation to, or interest

in, the organization whose internal audit activity is the subject of the assessment …”

www.theiia.org

A 12-Point Process

1. Select and train a QA team2. Have the CAE complete the QA self-study3. Make a preliminary visit to the organization4. Use customer and staff surveys5. Perform the on-site work including:

– Review of administrative policies and procedures– Consideration of enterprise risk’– Evaluation of risk assessment in audit planning– Review of working papers and final reports for selected

engagements– Review of number and skills of internal audit staff– Evaluate adequacy of IT audit coverage

www.theiia.org

A 12-Point Process6. Evaluate the internal audit activity’s effectiveness at

remaining current and adding value through interviews with:

– Selected members of the board– Executive management– Operating managers– Internal audit staff

7. Consider other monitoring functions, and evaluate coordination of internal audit work with that of independent auditors.

8. Evaluate the internal audit activity’s conformance with IIA Standards and other relevant standards.

www.theiia.org

A 12-Point Process

9. Review quality/process improvement actions currently underway

10. Provide a summary of issues and recommendations, and hold a closing conference with the CAE and/or other requestors.

11. Draft a report, obtain comments, and issue a final report

12. Hold a follow-up executive conference (optional)

www.theiia.org

Common Problems Observed by IIA External Assessment Teams

• Inappropriate CAE reporting relationships• Out-of-date charters for internal audit activity• Lack of board approved policy on internal control

responsibility• Client perception of inadequate audit staff knowledge • Lack of a formalized risk assessment process • Lack of understanding regarding:

– Internal audit activity’s consulting responsibilities– Reflection of consulting in the mission and charter

• Inadequate IT coverage or technical skills

www.theiia.org

Quality Assessment Resources at

www.theiia.org/quality

• Frequently Asked Questions about Quality

• Providers of External Quality Assessments

• List of Organizations with Completed External Quality Assessments

• Becoming a QA Volunteer

www.theiia.org

Quality Assessment Resources at

www.theiia.org/quality• Sample request for a quality assessment proposal• Quality Assessment Advanced Preparation• Audit Customer (Client) Survey• Internal Audit Staff Survey• Self-Assessment Guide• Models

– Model Audit Committee Charter– Model Internal Audit Activity Charter– Model Management Control Policy– Model Quality Assurance and Improvement Program

www.theiia.org

Questions?

www.theiia.org

IIA Contact

247 Maitland AvenueAltamonte Spring, Florida 32701-4201 USA

Tel + 1.407.937.1399Fax +1.407.937.1101

E-mail: [email protected]