Chapter 2: Establishing a Quality Assurance and Improvement Program
OVERVIEW
Standard 1300 – Quality Assurance and Improvement Program states, "The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity." The QAIP should encompass all aspects of operating and managing the internal audit activity, including consulting engagements, as found in the mandatory elements of the IPPF. It may also be beneficial for the QAIP to consider best practices in the internal audit profession.
Implementation Guide 1300 states, "The QAIP is designed to enable an evaluation of the internal audit activity's conformance with the International Standards for the Professional Practice of Internal Auditing (Standards) and whether internal auditors apply The IIA's Code of Ethics." Through conformance with the Standards and the Code of Ethics, the internal audit activity also achieves alignment with the Definition of Internal Auditing and the Core Principles.
The QAIP must include ongoing and periodic internal assessments, and external assessments by a qualified independent assessor or assessment team from outside the organization. Quality should be built into, not onto, the way the activity conducts its business, through its internal audit methodology, policies and procedures, and human resource practices. Building quality into a process is essential to validate and continuously improve the internal audit activity, demonstrating value as defined by stakeholders.
Delivering quality requires a systematic and disciplined approach as professionals. Quality does not just happen; it is the combination of the right people, the right systems, and a commitment to excellence. Building an effective QAIP is similar to establishing a total quality management program where products and services are analyzed to verify that they meet stakeholder expectations, operations are evaluated to determine their efficiency and effectiveness, and practices are assessed to confirm their conformance to standards. Maintaining an effective QAIP also requires leaders who are responsible for setting the proper tone in support of quality and continuous improvement.
Using key concepts of quality as a foundation in establishing a QAIP, the internal audit activity should consider all mandatory and recommended guidance elements of the IPPF that support:
• Conformance with the Standards and the Code of Ethics. It is further understood that through conformance with the Standards and the Code of Ethics, the internal audit activity also achieves alignment with other mandatory elements of the IPPF.
• Stakeholder satisfaction defined by expected and preferred internal audit deliverables that produce value for the organization.
• Operational effectiveness achieved by building quality "into" internal audit processes. Preventing mistakes is generally less costly than correcting mistakes.
• Continuous improvement of internal audit activities accomplished through quality initiatives identified during the quality assessment process.
• Management commitment to provide resources and tools necessary for a QAIP to succeed. Participation is expected by all members of the internal audit activity.
Quality Assessment Manual for the Internal Audit Activity
For the internal audit profession, it is important to ensure that internal audit activities globally maintain the highest possible standards of service delivery to the organizations they support. The IIA established the IPPF to guide the internal audit profession, and the mandatory elements of the IPPF, supported by recommended guidance, are the foundation for developing an internal audit activity's QAIP.
THE QAIP FRAMEWORK
Standard 1300 – Quality Assurance and Improvement Program states that the CAE must develop and maintain a QAIP that covers all aspects of the internal audit activity. Common elements of all QAIPs include:
• A scope that includes all aspects of the internal audit activity.
• An evaluation of conformance with the Standards and the Code of Ethics.
• An appraisal of the efficiency and effectiveness of the internal audit activity.
• The identification of opportunities for continuous improvement.
• Involvement by the board in oversight of the QAIP.
A framework is oftentimes used to describe the complete environment for developing and implementing the QAIP. An example of such a framework, consisting of Governance, Professional Practice, and Communication, is shown in figure 2-1. This framework is intended as guidance only. CAEs may develop their own QAIP structure in conformance with the Standards.
Figure 2-1: Quality Assurance and Improvement Program Framework
[Figure labels: Governance; Professional Practice; Communication; Ongoing Monitoring; Periodic Self-Assessment; External Assessment; Quality Assessments; Internal Audit Activity; Continuous Improvement of IA Processes; Quality Assurance Over Entire IA Activity; Continuous Improvement of QAIP; Reporting & Follow-Up; Findings, Observations, & Recommendations]
To construct a QAIP framework, the internal audit activity universe must be considered. This universe must include the IPPF, and may include the legal requirements of the specific country and/or industry where the activity is operating, stakeholder expectations, use of third-party subject matter experts, co-source partners for internal audit services, and the size and structure of the overall organization. Implementation Guides for the 1300 series of the Standards provide more detail and insight.
INTERNAL ASSESSMENTS
Two key elements of the quality assessment process comprise the internal assessment portion of the internal audit activity's QAIP: ongoing monitoring and periodic self-assessments.
Ongoing Monitoring
What is important to remember is that a QAIP must be built into the processes of the internal audit activity and not onto the way the activity conducts its business. The most obvious internal method for continuously assessing quality is management oversight of internal audit work. Adequate supervision from the beginning through the end of the engagements is a fundamental element of a QAIP.
The Deming Cycle (or Plan-Do-Check-Act cycle) provides a possible structure in establishing the QAIP. Applying the Deming Cycle to the ongoing monitoring portion of the QAIP might look like figure 2-2 (Ongoing Monitoring). The steps in the Deming Cycle are as follows:
1. Plan means establishing expectations for operating a process to meet specific objectives, goals, or deliverables.
2. Do means executing the process and collecting data for analysis and follow-up in the Check and Act steps of the cycle.
3. Check is the step where actual results are compared to expected outcomes and differences are analyzed.
4. Act is where feedback is provided to the operators of the process to reinforce expectations established in the previous Plan step. It is in this step that improvements to the process are identified and implemented.
Figure 2-2: Ongoing Monitoring
Plan
• Establish department standards for engagements.
• Create checklists (planning, meeting agenda, and engagement closeout procedures).
• Design templates (risk control matrix, test plans, and process documentation).
• Develop tools (data mining and sampling techniques).
• Design formats (issues/findings and reports).
Do
• Plan, perform, and report engagements.
• Use checklists, templates, tools, and formats.
• Collect data on engagement process performance.
Check
• Verify department standards are met or exceeded.
• Confirm use of checklists, templates, tools, and formats.
• Document supervisory review.
• Record, report, and analyze metrics.
Act
• Provide coaching and take corrective action.
• Reinforce standards through communication and training.
• Revise checklists, templates, tools, and formats as needed.
Note: Examples are for discussion purposes; they are not intended as a comprehensive or complete list of activities.
The ongoing monitoring element of the QAIP would primarily address conformance with the following Standards since they are intended to address quality on an audit-by-audit basis and relate primarily to engagement activities:
• 2200: Engagement Planning
• 2300: Performing the Engagement
• 2400: Communicating Results
• 2500: Monitoring Progress
Results of ongoing monitoring must be reported to the board or the audit committee at least annually. The adequacy and effectiveness of the ongoing monitoring portion of the QAIP should also be evaluated as part of periodic self-assessments described in the next section.
PERIODIC SELF-ASSESSMENTS
Implementation Guide 1311 – Internal Assessments states, "Periodic self-assessments have a different focus than ongoing monitoring in that they generally provide a more holistic, comprehensive review of the Standards and the internal audit activity. In contrast, ongoing monitoring is generally focused on reviews conducted at the engagement level. Additionally, periodic self-assessments address conformance with every standard, whereas ongoing monitoring frequently is more focused on the performance standards at the engagement level."
The internal audit activity conducts periodic self-assessments to validate its continued conformance with the Standards and Code of Ethics. Through conformance with the Standards and Code of Ethics, the internal audit activity also achieves alignment with the Definition of Internal Auditing and the Core Principles. In addition, periodic self-assessments may evaluate:
• The quality and supervision of work performed.
• The adequacy and appropriateness of internal audit policies and procedures.
• The ways in which the internal audit activity adds value.
• The achievement of KPIs.
• The degree to which stakeholder expectations are met.
The QAIP should document and define a systematic and disciplined approach to the periodic self-assessment process, which may incorporate programs provided in the appendices of this manual.
Successful internal audit practice is for periodic self-assessment to be performed at least annually. This provides an annual basis for assurance that the internal audit activity continues to operate in a manner consistent with requirements of the Standards and the Code of Ethics. This is especially important during periods of change in the Standards or in the organization.
Many internal audit activities find it valuable to review and update their infrastructure, methodology, and processes on an annual basis as a component of their periodic self-assessment to ensure these elements are current with the requirements of the Standards. This annual periodic self-assessment process provides the board with assurance that the internal audit activity maintains the standard of performance that is required by The IIA. Recommendations for improvement should be tracked by a follow-up report, the results of which should be listed at each board meeting.
The periodic self-assessment element of the QAIP would primarily address conformance with the following series of Standards:
• 1000: Purpose, Authority, and Responsibility
• 1100: Independence and Objectivity
• 1200: Proficiency and Due Professional Care
• 1300: Quality Assurance and Improvement Program
• 2000: Managing the Internal Audit Activity
• 2100: Nature of Work
• 2200: Engagement Planning
• 2300: Performing the Engagement
• 2400: Communicating Results
• 2500: Monitoring Progress
• 2600: Communicating the Acceptance of Risks
• Code of Ethics
The periodic self-assessment should also assess results of ongoing monitoring. Applying the Deming Cycle to these additional elements of the QAIP might look like figure 2-3.
Figure 2-3: Periodic Self-Assessment
Plan
• Create internal audit activity charter.
• Adopt The IIA's Code of Ethics.
• Establish internal audit activity structure, policies, and procedures.
• Agree on value-added activities with stakeholders.
• Establish appropriate measures to track value-added activities.
• Define relevant quality metrics.
Do
• Perform annual audit planning.
• Schedule engagements and assign staff.
• Hire, train, and develop staff.
• Perform ongoing monitoring of engagements.
• Communicate and meet with stakeholders.
Check
• Conduct surveys and interviews with stakeholders to confirm value is delivered.
• Review a sample of engagements to assure ongoing monitoring is effective.
• Record, report, and analyze metrics.
• Assess internal audit activity structure, policies, and procedures conformance with IPPF mandatory guidance.
Act
• Assess and report on conformance with IPPF mandatory guidance.
• Identify gaps in conformance and develop road maps to close gaps.
• Revise internal audit activity structure, policies, and procedures as needed.
Note: Examples are for discussion purposes; they are not intended as a comprehensive or complete list of activities.
ASSESSMENT, EVALUATION, AND REPORTING
Establishing an internal assessment process, both ongoing monitoring and periodic self-assessments, coupled with the reporting of KPIs, culminates in an evaluation of the internal audit activity's QAIP, with results reported to appropriate stakeholders.
Two questions the CAE should consider when performing a QAIP evaluation are:
• Is the evaluation to be a comprehensive or partial assessment of the QAIP and the internal audit activity?
• What rating scale will be used to support a conclusion regarding the QAIP and the internal audit activity's conformance with the Standards and the Code of Ethics?
Answering the first question will depend on the design of the internal audit activity's QAIP and the level of resources devoted to the internal assessment process. As noted previously, a successful internal audit practice is to perform annual self-assessments; the Standards do not specifically state a frequency. Some CAEs may view internal self-assessments as action taken during years when an external assessment is not performed. Certain parts of the QAIP may be evaluated every year, while other portions may be evaluated less frequently. The planning guides described in appendix A and the programs described in appendix D can be used to plan and perform an internal assessment and evaluation of the QAIP and the internal audit activity.
The second question is not specifically addressed in the Standards, as they do not prescribe an assessment scale; however, the Standards do require the degree of conformance with the Standards and the Code of Ethics be assessed. Appendix E has an evaluation summary framework that contains conformance criteria linked with the Standards and the Code of Ethics, which CAEs can use to assess the conformance with these mandatory elements of the IPPF. Appendix E describes an assessment scale of Generally Conforms, Partially Conforms, and Does Not Conform.
This discussion of rating scales leads back to the concept of a maturity model, which was introduced in chapter 1. Internal audit activities in the early stages of establishing their QAIP might use a maturity model to help them achieve general conformance with the Standards and the Code of Ethics, confirmed by their internal self-assessment process and eventually assessed by a qualified, independent assessor or assessment team from outside the organization. Internal audit activities with mature QAIPs, where multiple internal and external assessments have been completed, might use a maturity model as a way to demonstrate different levels of quality to their stakeholders.