Quality evaluation and improvement for Internal Audit Svilena Simeonova 1

Quality evaluation and improvement for Internal
Audit
Svilena Simeonova
1
CONTENTS
1. Quality of Internal Audit – review
2. Legal and methodological framework
3. Quality Assurance and Improvement Program (QAIP)
4. Internal assessments
5. External assessments
6. Benchmarks for the assessment
7. Internal Audit maturity model of the IIA related to QAIP
8. Role of the central coordination units for Quality assurance process
1. QUALITY OF INTERNAL AUDIT – REVIEW
 Meeting expectations of the head of the organisation, audit entities,
Audit Committee and other stakeholders;
 Conformity with the standards, definition and Code of Ethics;
 Conformity with legal requirements
 Adding value for the organization
 Contribution to the effectiveness and efficiency of the governance, risk
management and control processes
 Providing relevant assurance and consultancy
LEGAL AND METHODOLOGICAL FRAMEWORK (1)
 International Standards for Professional Practice of Internal Auditing
of the Institute of Internal Auditors
1300 – Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity.
1310 – Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external
assessments.
1311 – Internal Assessments
Internal assessments must include:
Ongoing monitoring of the performance of the internal audit activity; and
Periodic self-assessments or assessments by other persons within the organization with
sufficient knowledge of internal audit practices.
1312 - External Assessments
External assessments must be conducted at least once every five years by a qualified,
independent assessor or assessment team from outside the organization.
LEGAL AND METODOLOGICAL FRAMEWORK (2)
 Standards of the Institute of Internal Auditors
1320 – Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and improvement
program to senior management and the board.
1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal
Auditing”
The chief audit executive may state that the internal audit activity conforms with the International
Standards for the Professional Practice of Internal Auditing only if the results of the quality
assurance and improvement program support this statement.
1322 – Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the
Standards impacts the overall scope or operation of the internal audit activity, the chief audit
executive must disclose the nonconformance and the impact to senior management and the
board.
LEGAL AND METODOLOGICAL FRAMEWORK (3)
 The IIA Practice Advisories
 The IIA’s Quality assurance and improvement program Practice
Guide 2012
 National laws
 National Standards
 Guidance documents, ordinances, IA Charters, manuals
 National rules follow and specified the IPPF Standards
requirements
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (1)
 The program is the key tool for maintaining quality and developing
the Internal Audit function
 Aims of the QAIP:
•
To evaluate conformity with the Definition, The Standards and the
Code of Ethics
•
To assess the efficiency and effectiveness of IA activity
•
To identify opportunities for improvement
 Communication of the QAIP
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (2)
 Content of the QAIP:
•
Internal Assessment
•
External Assessment, the both focus on:
 The purpose and position of the IA unit;
 The unit’s structure and resources for delivering the service expected
of it;
 The efficiency and effectiveness of the output-oriented auditing
process;
 Positive demonstrable impact on governance, risk management and
control processes
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (3)
SCOPE / PERSPECTIVES OF THE QAI PROGRAM:
Internal Audit
Engagement level
•
•
•
•
Planning
Fieldwork conduct
Reporting
Follow-up actions
Internal Audit
Organizational level
• Written policies and
procedures
• IA work meets
stakeholders
expectations
• The IA activity adds value
and improves the
organization
External perspective
• Independent external
assessment
• Of the entire IA activity
• Conformity, efficiency,
effectiveness, meeting
expectations
4. INTERNAL ASSESSMENTS (1)
 ONGOING MONITORING OF IA ACTIVITY
 An integral part of day-to-day work
 Consists of supervision, review and measurement of the IA
engagements
 Is incorporated into the routine policies and practices
 The procedures should be clear, applicable and not overly complex
 Performed by Chief Audit Executive or another internal auditor
appointed by CAE
4. INTERNAL ASSESSMENTS (2)
 PERIODIC SELF-ASSESSMENT
 Review of selected part of documentation of the IA engagement;
 Questionnaires, interviews, survey, including feedback from the audit
entities;
 Comparison with the best professional practices
 ASSESSMENT BY OTHER PERSONS WITHIN THE ORGANIZATION WITH
SUFFICIENT KNOWLEDGE OF IA PRACTICE
 Appropriate method for small IA units
5. EXTERNAL ASSESSMENTS (1)
 Two types External assessments
•
Full external assessment by an independent competent assessor or
team
•
Self-assessment with independent external validation
 Frequency – at least once every five years
 Evaluation of conformity with the Standards, legislation, Code of Ethics
and effectiveness of the IA activity too
 Aimed to find opportunities for improvement
5. EXTERNAL ASSESSMENTS (2)
 What is the scope of the External assessment ?
•
Purpose and positioning
•
Structure and resources
•
Audit execution
•
Impact
 Procedures
 Recommendations and Action plan for improvement
 Different practices and approaches ( peer reviews)
5. BENCHMARKS FOR THE ASSESSMENT
 Combination of quantitative and qualitative indicators:
 Numbers of audits performed
 Number of recommendation issued and implemented
 Quality of the findings in terms of materiality
 Quality of recommendations in terms of impact
 Degree of risks covered
 Amendments to the management and control set-up resulting from IA
activities
Policy
The
Chief bnbnb
Audit
Executive establishes
and maintains a QAIP
CAE
communicates
the results of the QAIP
to senior management
and the board
Methodology
And Process
People
Systems and
Information
Communication
and Reporting
The
methodology
upon which the QAIP
is based is based is
derived from the IIA
Standards
IA staff are aware of their
responsibilities related to
the QAIP
A standardized audit
management
system is used to
document work
papers
The results of periodic
internal assessment
are summarized and
discussed with audit
management
The
process
to
execute the QAIP is
documented in the IA
Policy and Procedure
Responsibility
implementation of
QAIP is assigned
personnel
who
independent
objective
Significant company
systems are used to
derive
relevant
Performance
Indicators that are
monitored and used
during the IAQA
process
The results of periodic
internal assessments
are reported to and
reviewed with senior
management and the
Audit Commitee
Manual
The IA Policy and
Procedure
Manual
describes the QAIP
requirements
The IA activity charter
establishes
the
requirements for the
QAIP
The process is
reviewed periodically
to ensure it is current
with the Standards
requirements
for
the
to
are
and
External assessments are
conducted by qualified
personnel
who
are
independent from the
organization
External assessment
provides deliver
qualitative and
quantitative
benchmarks that are
reported to
management
Fully dedicated IA staff
are assigned to perform
the periodic internal
quality assessment with
strong experience in IA
and performing QA
Client Feedback forms
are solicited and
received back from
each client to assist in
continuous
improvement
OVERALL
Policy
MATURITY
LEVEL bnbnb
Methodology
and Process
People
Systems
and
Information
Communication
and Reporting
Optimized
Continuous
monitoring and
updating
Continuous
monitoring and
updating
Training and
development
monitored
Extensive use of
data mining and
analytics;
Communication and
reporting highly
effective
Managed
Policies are
communicated to
personnel
Methodology and
processes are
communicated to
personnel
All resources have
appropriate skills
and credentials;
targeted training in
place
Data integrity is
high
Quality an
timeliness metrics
defined and
monitored
Defined
Policies are defined
and in place and
documented
Uniform
methodology and
processes are
defined, in place
and documented
Appropriate skills
and credentials are
in place; training
requirements
documented
Stable systems in
place
C and R processes
are defined, in place
and documented
Repeatable
Policies are defined
and in place but
may not be
documented
Uniform
methodology and
processes are
defined and in place
Some specialized
technical skills and
credentials
Fairly effective
systems are in
place; low reliance
on data
C and R processes
are defined and in
place but may not
be documented
initial
Policies are not
defined or in place
Methodology and
processes are not
defined or in place
Resource skills and
credentials do not
match process
requirements
High reliance on
manual systems and
spreadsheets
C and R done on an
ad hoc basis; no
validation of results
or focus on quality
8. ROLE OF THE CENTRAL COORDINATION UNITS FOR QUALITY
ASSURANCE PROCESS
 To develop guidelines
 To collect information
 To provide examples of good practice
 To monitor and review
 To participate in peer reviews
Thank you!