Driving Changes from Quality Assurance Reviews: How to Transform Your Department from a Pinto to a Porsche
Texas Association of College and University Auditors
March 6, 2014

Objectives
• Identify Standards and Practice Advisories related to a Quality Assurance and Improvement Program.
• Recognize the benefits associated with a QAIP that help create value and buy-in from management for your organization.
• Enhance the internal audit department’s operations.
• Learn the best practices of the most mature audit groups.
• Position your audit group for an outstanding quality assurance review.

A little about Toni…

A little about Polly…

Questions for the Audience
• Who has actually performed a QAR?
• Who has participated in a QAR of your own?
• How many of you are scared of QARs?

What is Quality?
“The standard of something as measured against other things of a similar kind; the degree of excellence of something”
YMMV!

1300: The CAE is REQUIRED to develop and maintain a Quality Assurance and Improvement Program (QAIP) “designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.”
But…it’s not just the CAE, is it?

Other Guidance
Practice Advisory 1310
• To provide accountability and transparency, the CAE communicates the results of external and, as appropriate, internal quality program assessments to the various stakeholders of the activity (such as senior management, the board, and external auditors).
• At least annually, the CAE reports to senior management and the board on the quality program efforts and results.

1311: Internal Assessments
Ongoing Monitoring

1311: Internal Assessments
Periodic Self-assessments

1312: External Assessments
• Once every 5 years by qualified, independent assessor or team from outside the organization.
  – Full external assessment
    • Peer review
    • External Assessor
  – Self-assessment with independent external validation
    • Practice Advisories 1312-2, -3, -4

Texas Internal Auditing Act

What Happens During an External QAR?
Phases: Planning, Fieldwork, Reporting
• Planning
• Surveys
• Interviews
• Review of Working Papers
• Review of Documents
• Draft Report
• Exit Conference
• Report Issued

What Kinds of Things Will They Focus On Besides the Standards?
• Strategies
• Technology
• Processes
• Structure
• People

Benefits of a QAIP?
• Enhancements to operations
• Benchmarking
• Humbling
• Credibility
• Resources
• You get to say, “conforms with the International Standards for the Professional Practice of Internal Auditing,” in your internal audit charter or reports
• You get a refresher course on the Standards!
• You’re an auditor – that’s what we do!

Common External QA Findings
• Update IA charter on annual basis
• Reporting/independence issues
• Staff knowledge, skills, competencies lacking to perform job responsibilities.
• IT audits, including staff experience
• No performance metrics
• Set up formal QAIP
• Risk assessment
• Audit universe not identified
• Policies and procedures
• Timeliness of report issuance
• Audit Committee Charters
• No governance audits
• Lack of alignment with strategy
• Consulting not in charter
• Limited budget vs. expectations
• Unclear expectations from the Audit Committee
• Internal Audit not regarded as an agent of change

[Chart, percentages by category: Management of the Audit Department; Technology; Communicating Results & Follow-Up; Annual Audit Plan & Risk Assessment; Audit Committee Engagement; Audit Plan & Risk Assessment; Code of Ethics; Charter; Policies and Procedures; QAIP]

Are We There Yet?
How do we get there?

Quality is never an accident. It is always the result of intelligent effort.
John Ruskin, 1819-1900, poet, writer, social thinker

Foundation for Quality
• Reporting relationships – INDEPENDENCE
• Commitment to quality – Do you have a statement?
• Charters
• Audit committee & senior management – Have you engaged them?
• Monitoring for effectiveness - QAIP

Key Components of Quality
• Policy on quality assurance
• Internal Audit policies/manual
• Engagement supervision
• Working paper reviews
• Engagement performance measures
• Independence and Code of Ethics compliance
• Report writing procedures
• Client surveys/evaluations
• Self-assessments
• Training
• Peer Reviews External Assessment
• Risk assessment drives plans – annual and engagement level
• Engagement of audit committee and senior management
• Performance metrics

Performance Metrics: UT Dallas
Quality Effectiveness Efficiency Sustainability Management
• % of recommendations implemented on time
• Client perception surveys – response rate and “good” responses
• % audit plan completed
• Direct audit labor cost as % of total budget
• % of professional staff certified as CPA, CIA, CISA, or CFE
• Audit committee surveys
• Institutional risk-based audits as a % of audit plan
• Direct audit time as % of total time
• Total type of certifications (includes others – CISSP, CRMA, CFAP, CMA, CISM, CGAP, etc.)
• Development as a % of total time
• Administrative time as a % of total time

Performance Metrics
IIA’s Global Internal Audit Survey – Measuring Internal Audit’s Value (2010):
• % of the audit plan completed
• acceptance and implementation of recommendations
• surveys/feedback from
  – the board/audit committee/senior management
  – audited departments
• assurance of sound risk management
• reliance by external auditors on the internal audit activity

Overall Maturity Level
IIA Internal Audit Process Maturity - QAIP

Optimized
• Policy: Continuous monitoring and updating for necessary changes and emerging leading practices
• Methodology and Process: Continuous monitoring and updating for necessary changes and emerging leading practices
• Systems & Information: Extensive use of data mining and analytics; continuous audit and monitoring processes in place driving value
• Communication & Reporting: Communications and reporting highly effective; high level of quality demonstrated in timely reports
• People: SMEs identified and used; training and development monitored; robust succession planning in place

Managed
• Policy: Policies are communicated to personnel and training occurs as necessary
• Methodology and Process: Methodology and processes are communicated to personnel and training occurs as necessary
• Systems & Information: Data integrity is high; automated reports are reliable; key data is monitored continuously
• Communication & Reporting: Communication and reporting highly effective; quality and timeliness metrics defined and monitored
• People: All resources have appropriate skills and credentials; targeted training and development in place

Defined
• Policy: Policies are defined, in place, and documented
• Methodology and Process: Uniform methodology and processes are defined, in place, and documented
• Systems & Information: Stable systems in place; information generated is reliable and relied upon
• Communication & Reporting: Communication and reporting processes are defined, in place, and documented; effective use of reporting templates
• People: Appropriate skills and credentials in place; training requirements documented and executed

Repeatable
• Policy: Policies are defined and in place but may not be documented
• Methodology and Process: Uniform methodology and processes are defined and in place but may not be documented
• Systems & Information: Fairly effective systems are in place; low reliance on data and information generated from systems
• Communication & Reporting: Communication and reporting processes are defined and in place but may not be documented
• People: Some specialized technical skills and credentials; training and development defined but may not be documented

Initial
• Policy: Policies are not defined or in place
• Methodology and Process: Methodology and processes are not defined or in place
• Systems & Information: High reliance on manual systems and spreadsheets; critical information not readily available
• Communication & Reporting: Communication and reporting done on an ad hoc basis; no validation of results or focus on quality
• People: Resource skills and credentials do not match process requirements; training programs not defined

Success Stories
• New ideas for improved internal operations—follow up processes, review processes, and opportunities to balance workload.
• An opportunity for the audit team to feel like they are contributing to the success of the audit function.
• An opportunity to validate that your audit shop is doing the right things.
• An opportunity for stakeholders to share information which they may not have shared otherwise so that the audit team can enhance stakeholder relationships.
• Effectiveness and efficiency of the coordination between audit and compliance groups.
• Define the role of audit in advising management.
• Develop a formal succession plan
• Validation of the initiatives we lead or participate in as valuable contributions to the organization’s goals.
• Job title from Director to CAE
• Hot topics from benchmarking, best practices
• Good heads-up for governing boards to remind them of their oversight responsibility of the IA function
• Evaluation for CAE
• Independence from the VPBA’s role in approving all audit report responses
• Additional funding for training
• Establishment of an IT Audit Function
• Participation in the President’s Cabinet
• Audit measuring our compliance program against the Federal Sentencing Guidelines to open a discussion with the board of regents about compliance issues
• Individual briefings for regents in advance of audit committee meetings, thus strengthening relationships between audit and the board
• Focusing our follow-up reporting to the board on the most significant issues vs. all issues
• Increasing our efficiency by eliminating second review on low risk audits

Other Success Stories to Share?

Are you ready to be a Porsche?

Contact Information & Resources
The IIA
Find us at www.utdallas.edu/audit-compliance

Polly Atchsion, CPA, CIA
UT Dallas Audit Manager
[email protected]
972-883-2240

Toni Stephens, CPA, CIA, CRMA
Executive Director of Audit & Compliance, UT Dallas
[email protected]
972-883-4876