[Agency logo]
ANNUAL ASSESSMENT OF
THE INTERNAL AUDIT
FUNCTION – [2014–15]
INTRODUCTION:
The primary audience for this assessment is the [CEO], who will use the collated results as
an input to the Chief Audit Executive’s performance review and as the basis for an annual
discussion with the Audit & Risk Committee (ARC) about the direction, focus and quality of
the internal audit program. Feedback will subsequently be supplied to [IA service provider],
along with collated, de-identified survey results, to help them find best alignment with the
type and standard of service required.
This questionnaire is in two parts:
1. Assessment of [IA service provider]’s performance in undertaking the internal audit
program
2. Assessment of the performance of the CAE, the [Branch] and the overall internal
audit function
HOW TO COMPLETE THE QUESTIONNAIRE:
It is suggested that Audit & Risk Committee members individually fill out both Parts, and that
the Committee then arrive at an agreed set of answers from the ARC as a whole, through a
members-only session following the [date] ARC meeting.
The CAE and Audit Program Manager will likewise provide one joint return, as will the team
from [service provider].
The section at the end of Part 1 for audited areas will, of course, be completed by them only
(one return per area, even if it had more than one audit, unless the quality varied
dramatically between audits).
RECOMMENDATION:
That the Committee complete the questionnaire as suggested above, and agree to the
distribution of the appropriate sections to [IA service provider] and audited areas.
1
PART 1: ASSESSMENT OF THE INTERNAL AUDIT PROGRAM IN [2014–15]
Key: 1 = Poor and 7 = outstanding

Observation
Rating
Comment (if any)
To be answered by CAE and Audit Program Manager (1 return), and by the ARC as an entity (1
return). Also by [IA service provider] as a self-assessment (1 return).
Risk management and the Audit Program
1.
Rate the [Agency] cluster’s risk maturity
1 2 3 4 5 6 7
2.
[Agency] has made progress in risk
management during the year
1 2 3 4 5 6 7
3.
The audit program was well planned and
prioritised, with risk as the main driver
1 2 3 4 5 6 7
Contribution of [IA service provider] to the audit program
4.
[IA service provider] audits were conducted
and reported according to appropriate
professional standards
1 2 3 4 5 6 7
5.
8-10 audits1 were concluded by 30 June,
as planned
Y/N
6.
[IA service provider] incorporated
unanticipated projects without overly
disrupting the main audit program
1 2 3 4 5 6 7
7.
[IA service provider]’s final audit reports
matched or exceeded their scopes
1 2 3 4 5 6 7
8.
The vast majority of deliverables arrived by
the deadlines agreed in the scopes
1 2 3 4 5 6 7
9.
Audit reports rated the risk exposure of the
entity and provided recommendations to
manage risks rated more than “Low”
1 2 3 4 5 6 7
10.
Very few recommendations in final audit
reports were rejected by management
1 2 3 4 5 6 7
11.
Communication between [IA service
provider] and the rest of the audit function
was satisfactory at all levels
1 2 3 4 5 6 7
12.
[IA service provider] management (partner
and director) displayed a good
understanding of the [Agency] cluster’s
business and risks
1 2 3 4 5 6 7
The term “audit” here also encompasses reviews undertaken where reasonable or limited assurance audits were not possible.
8-10 is an average for Treasury, but this may vary according to cluster (and audit) size and complexity.
1
2
Observation
Rating
13.
[IA service provider] audit staff (eg for field
work) displayed a good understanding of
each audited area’s business and the risks
it faces
1 2 3 4 5 6 7
14.
[IA service provider] audits provided value
for money
1 2 3 4 5 6 7
15.
Rate the overall contribution made by [IA
service provider] to [Agency]’s business in
[2014-15]
1 2 3 4 5 6 7
16.
Rate the overall contribution made by the
audit program to [Agency]’s business in
2014-15 (ie what audits were chosen as
well as how well they were implemented)
1 2 3 4 5 6 7
16.
Any further comments about [IA service provider]
Comment (if any)
3
ASSESSMENT OF 2014–15 INTERNAL AUDITS2
To be answered by Audited Areas only
Key: 1 = Poor and 7 = outstanding (except for Q13)
Observation
Rating
1.
Number of [IA service provider] audits in which
my area had some participation in 2014-15
[Write number]
2.
Overall rating of the contribution those audits
made to my (and my team’s) understanding
and management of our business
1 2 3 4 5 6 7
3.
[IA service provider] staff behaved
professionally and I had confidence in the
quality of their work
1 2 3 4 5 6 7
4.
[IA service provider] staff demonstrated the
necessary skills and knowledge to competently
complete the audit
1 2 3 4 5 6 7
5.
The scope of the audit and its requirements
of us were fully explained at the outset
1 2 3 4 5 6 7
6.
The timing of the audit was as unintrusive as
possible
1 2 3 4 5 6 7
7.
The amount of testing done and the elements
chosen for testing seemed appropriate to
provide reasonable assurance
1 2 3 4 5 6 7
8.
[IA service provider] liaised effectively with me
and my staff throughout the field work phase
1 2 3 4 5 6 7
9.
The report(s) was informative and well written
1 2 3 4 5 6 7
10.
I was able to accept most of the recommenddations (if not please explain main reasons)
1 2 3 4 5 6 7
11.
I had no difficulty implementing the agreed
recommendations (if a low score, please
explain why in the Comment column)
1 2 3 4 5 6 7
12.
The audit improved my team’s understanding
of better practice
1 2 3 4 5 6 7
13.
[IA service provider]’s audits took up about
as much staff time as I expected.
1 2 3 4 5 6 7
14.
Any other comments:
2
Comment (if any)
(Score 4 if “as expected”,
lower if it took more time
than expected.)
The term “audit” here encompasses reviews undertaken where reasonable or limited assurance audits were not possible.
4
PART 2:
Assessment of the environment and work of the Audit &
Risk Branch
To be answered by the Audit & Risk Committee, [IA service provider] and the CAE.
Key: 1 = Poor and 7 = outstanding
Name or Position of respondent:
Proposition
#
Rating
Comment
Operating context of the Internal Audit (IA) function3
1.
[Agency] is compliant with TPP 15-03
and TPP 12-04.
1 2 3 4 5 6 7
2.
The IA function has the confidence
and support of the Secretary and the
Executive team
1 2 3 4 5 6 7
3.
The IA function receives a
satisfactory level of support from
senior and line management
1 2 3 4 5 6 7
4.
The IA function is accorded a
satisfactory level of independence
1 2 3 4 5 6 7
5.
The CAE has direct access to the
Secretary and the Chair of the Audit
Committee
1 2 3 4 5 6 7
6.
The IA function is part of an integrated
governance framework in [Agency]
1 2 3 4 5 6 7
7.
Internal audit has a clear relationship
with [Agency]’s Risk Management
Framework
1 2 3 4 5 6 7
8.
The Branch has access to sufficient
skilled and experienced staff and
financial resources to meet its
responsibilities and the expectations
of its stakeholders.
1 2 3 4 5 6 7
9.
The role of the CAE is well defined
and well understood by management
1 2 3 4 5 6 7
10.
[Agency] provides a good induction
for ARC members and keeps them
up to date with its business
1 2 3 4 5 6 7
11.
Management’s progress against the
Action List and Registers of
Recommendations is generally
satisfactory
1 2 3 4 5 6 7
3
The “internal audit function” means the combined efforts of the ARC, the Branch and EY as the IA service provider.
5
Name or Position of respondent:
#
Proposition
Rating
12.
Any other comments about operating context:
Comment
Contribution of the [Agency] Audit & Risk Branch
13.
The Internal Audit Function Charter is
up-to-date and clearly articulates the
roles, responsibilities and reporting
lines of the CAE and the function
1 2 3 4 5 6 7
14.
The Branch plans and organises its
work effectively and works within its
resource allocation
1 2 3 4 5 6 7
15.
The Branch manages the contracts
of service providers so that the audit
program meets time and quality
expectations
1 2 3 4 5 6 7
16.
The Branch manages its other
stakeholders effectively to further the
work of the IA function
1 2 3 4 5 6 7
17.
The Audit Manual clearly articulates
[Agency]’s expectations of its IA
service providers
1 2 3 4 5 6 7
18.
There is an internal audit strategy
and at least a 1-year internal audit
work plan that are aligned with the
business objectives, risks and major
business systems and processes of
the [Agency] cluster
1 2 3 4 5 6 7
19.
Liaison between internal and external
audit is optimised for the efficiency of
the function
1 2 3 4 5 6 7
20.
Overall rating of the contribution of
the Branch to the success of the
internal audit function
1 2 3 4 5 6 7
21.
Any other comments about the contribution of the Branch
6
Name or Position of respondent:
#
Proposition
Rating
Comment
ARC Meetings
22.
The annual meeting plan is well
organised: dates are agreed far in
advance, venues and meeting times
are clearly signalled, issues conveyed
to Chair before meetings etc
1 2 3 4 5 6 7
23.
Agendas clearly reflect (a) the
business of the Committee as set out
in its charter and (b) any specific
requests made through the Chair
1 2 3 4 5 6 7
24.
Meeting papers and Minutes are
distributed at the agreed times
1 2 3 4 5 6 7
25.
The accuracy and quality of meeting
papers and Minutes is high
1 2 3 4 5 6 7
26.
Meeting papers provide the right
amount and type of information
1 2 3 4 5 6 7
27.
Invitees to meetings arrive on time, are
well informed about what is required
and are generally well prepared
1 2 3 4 5 6 7
28.
The Branch makes appropriate use
of technology in supporting the
Committee
1 2 3 4 5 6 7
29.
The Branch follows up Action List
and Register of Recommendations
items in a timely manner, and the
current status of each item is always
clear
1 2 3 4 5 6 7
30.
The CAE and the other observers
add value by being at the meeting
but do not attempt to dominate
discussion
1 2 3 4 5 6 7
31.
Overall rating of Branch support for
the Committee
1 2 3 4 5 6 7
32.
Overall rating of [Agency] support for
the Committee’s work
1 2 3 4 5 6 7
33.
Any other comments about Audit & Risk Committee meetings
7
Tool for Annual Assessment of Internal Audit Function
Review History
Prepared/Reviewed by
Review Date
Approved by
Approval Date
Audit & Risk Branch
Developed
September 2013
Piloted before
posting
Nadia Fletcher, CAE
23/12/2013 for
posting March
2014
Internal Audit Branch
September 2015
Nadia Fletcher, CAE
14 Sept 2015.
Annual review was
delayed till TPP 1503 was introduced.
Next review due: September 2016
8