QUALITY ASSURANCE AND IMPROVEMENT PROGRAM


Quality evaluation and improvement for Internal Audit

Svilena Simeonova

CONTENTS

1. Quality of Internal Audit – review
2. Legal and methodological framework
3. Quality Assurance and Improvement Program (QAIP)
4. Internal assessments
5. External assessments
6. Benchmarks for the assessment
7. Internal Audit maturity model of the IIA related to QAIP
8. Role of the central coordination units for Quality assurance process

1. QUALITY OF INTERNAL AUDIT – REVIEW

• Meeting expectations of the head of the organisation, audit entities, Audit Committee and other stakeholders;
• Conformity with the standards, definition and Code of Ethics;
• Conformity with legal requirements
• Adding value for the organization
• Contribution to the effectiveness and efficiency of the governance, risk management and control processes
• Providing relevant assurance and consultancy

LEGAL AND METHODOLOGICAL FRAMEWORK (1)

International Standards for Professional Practice of Internal Auditing of the Institute of Internal Auditors

1300 – Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

1310 – Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external assessments.

1311 – Internal Assessments
Internal assessments must include:
• Ongoing monitoring of the performance of the internal audit activity; and
• Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

1312 – External Assessments
External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization.

LEGAL AND METHODOLOGICAL FRAMEWORK (2)

Standards of the Institute of Internal Auditors

1320 – Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.

1322 – Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.

LEGAL AND METHODOLOGICAL FRAMEWORK (3)

• The IIA Practice Advisories
• The IIA’s Quality assurance and improvement program Practice Guide 2012
• National laws
• National Standards
• Guidance documents, ordinances, IA Charters, manuals

National rules follow and specify the IPPF Standards requirements

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (1)

The program is the key tool for maintaining quality and developing the Internal Audit function

Aims of the QAIP:

• To evaluate conformity with the Definition, the Standards and the Code of Ethics
• To assess the efficiency and effectiveness of IA activity
• To identify opportunities for improvement

• Communication of the QAIP

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (2)

Content of the QAIP:

• Internal Assessment
• External Assessment

Both focus on:
• The purpose and position of the IA unit;
• The unit’s structure and resources for delivering the service expected of it;
• The efficiency and effectiveness of the output-oriented auditing process;
• Positive demonstrable impact on governance, risk management and control processes

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (3)

SCOPE / PERSPECTIVES OF THE QAI PROGRAM:

Internal Audit Engagement level

• Planning
• Fieldwork conduct
• Reporting
• Follow-up actions

Internal Audit Organizational level

• Written policies and procedures
• IA work meets stakeholders' expectations
• The IA activity adds value and improves the organization

External perspective

• Independent external assessment
• Of the entire IA activity
• Conformity, efficiency, effectiveness, meeting expectations

4. INTERNAL ASSESSMENTS (1)

ONGOING MONITORING OF IA ACTIVITY

• An integral part of day-to-day work
• Consists of supervision, review and measurement of the IA engagements
• Is incorporated into the routine policies and practices
• The procedures should be clear, applicable and not overly complex
• Performed by the Chief Audit Executive (CAE) or another internal auditor appointed by the CAE

4. INTERNAL ASSESSMENTS (2)

PERIODIC SELF-ASSESSMENT

• Review of selected part of documentation of the IA engagement;
• Questionnaires, interviews, survey, including feedback from the audit entities;
• Comparison with the best professional practices

ASSESSMENT BY OTHER PERSONS WITHIN THE ORGANIZATION WITH SUFFICIENT KNOWLEDGE OF IA PRACTICE

• Appropriate method for small IA units

5. EXTERNAL ASSESSMENTS (1)

• Two types of external assessments:
   • Full external assessment by an independent competent assessor or team
   • Self-assessment with independent external validation
• Frequency – at least once every five years
• Evaluation of conformity with the Standards, legislation and Code of Ethics, and of the effectiveness of the IA activity
• Aimed at finding opportunities for improvement

5. EXTERNAL ASSESSMENTS (2)

• What is the scope of the external assessment?
   • Purpose and positioning
   • Structure and resources
   • Audit execution
   • Impact
• Procedures
• Recommendations and action plan for improvement
• Different practices and approaches (peer reviews)

5. BENCHMARKS FOR THE ASSESSMENT

• Combination of quantitative and qualitative indicators:
   • Numbers of audits performed
   • Number of recommendations issued and implemented
   • Quality of the findings in terms of materiality
   • Quality of recommendations in terms of impact
   • Degree of risks covered
   • Amendments to the management and control set-up resulting from IA activities

Policy

• The Chief Audit Executive establishes and maintains a QAIP
• CAE communicates the results of the QAIP to senior management and the board
• The IA Policy and Procedure Manual describes the QAIP requirements
• The IA activity charter establishes the requirements for the QAIP

Methodology and Process

• The methodology upon which the QAIP is based is derived from the IIA Standards
• The process to execute the QAIP is documented in the IA Policy and Procedure Manual
• The process is reviewed periodically to ensure it is current with the Standards requirements

People

• IA staff are aware of their responsibilities related to the QAIP
• Responsibility for the implementation of the QAIP is assigned to personnel who are independent and objective
• External assessments are conducted by qualified personnel who are independent from the organization
• Fully dedicated IA staff with strong experience in IA and performing QA are assigned to perform the periodic internal quality assessment

Systems and Information

• A standardized audit management system is used to document work papers
• Significant company systems are used to derive relevant Performance Indicators that are monitored and used during the IAQA process

Communication and Reporting

• The results of periodic internal assessment are summarized and discussed with audit management
• The results of periodic internal assessments are reported to and reviewed with senior management and the Audit Committee
• External assessment provides qualitative and quantitative benchmarks that are reported to management
• Client Feedback forms are solicited and received back from each client to assist in continuous improvement

OVERALL MATURITY LEVEL

Optimized
• Policy: Continuous monitoring and updating
• Methodology and Process: Continuous monitoring and updating
• People: Training and development monitored
• Systems and Information: Extensive use of data mining and analytics
• Communication and Reporting: Communication and reporting highly effective

Managed
• Policy: Policies are communicated to personnel
• Methodology and Process: Methodology and processes are communicated to personnel
• People: All resources have appropriate skills and credentials; targeted training in place
• Systems and Information: Data integrity is high
• Communication and Reporting: Quality and timeliness metrics defined and monitored

Defined
• Policy: Policies are defined and in place and documented
• Methodology and Process: Uniform methodology and processes are defined, in place and documented
• People: Appropriate skills and credentials are in place; training requirements documented
• Systems and Information: Stable systems in place
• Communication and Reporting: C and R processes are defined, in place and documented

Repeatable
• Policy: Policies are defined and in place but may not be documented
• Methodology and Process: Uniform methodology and processes are defined and in place
• People: Some specialized technical skills and credentials
• Systems and Information: Fairly effective systems are in place; low reliance on data
• Communication and Reporting: C and R processes are defined and in place but may not be documented

Initial
• Policy: Policies are not defined or in place
• Methodology and Process: Methodology and processes are not defined or in place
• People: Resource skills and credentials do not match process requirements
• Systems and Information: High reliance on manual systems and spreadsheets
• Communication and Reporting: C and R done on an ad hoc basis; no validation of results or focus on quality

8. ROLE OF THE CENTRAL COORDINATION UNITS FOR QUALITY ASSURANCE PROCESS

• To develop guidelines
• To collect information
• To provide examples of good practice
• To monitor and review
• To participate in peer reviews

Thank you!