QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (QAIP) AGA Austin CPE Luncheon February 13, 2014 Presented by: Paul Morris, CIA, CPA Priscilla Suggs, MBA Presentation Objectives o Quality Assurance - what is it and why do we need a program? o Understanding the Quality Assurance requirements per Red Book and Yellow Book standards o Review an example of an Internal Audit QAIP process - DFPS Audit Standards and GAGAS Standards (Red Book) 1300 – Quality Assurance and Improvement Program (QAIP) o 1310 – Requirements of the QAIP o 1311 – Internal Assessments o 1312 – External Assessments o 1320 – Reporting on the QAIP GAGAS (Yellow Book) Standards 3.82 through 3.107 - ‘Quality Control and Assurance’ Why do we need a QAIP? To ensure the Internal Audit Director (IAD) has established an internal audit activity “whose scope of work includes activities found in the Standards and in the Definition of Internal Auditing.” IPPF, Practice Advisory 1300-1 Why do we need a QAIP? “Each audit organization performing audits in accordance with GAGAS must: a. establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and b. have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years.” GAGAS, Standard 3.82 A QAIP can improve processes. The QAIP Objective (Red Book) To provide reasonable assurance to our stakeholders that Internal Audit: o o o Performs in accordance with the internal audit Charter Operates in an effective and efficient manner, and Is perceived by stakeholders as adding value and improving the organization’s operations IPPF, Practice Advisory 1300-1 The QAIP Objective (Red Book) o It is an evaluation of the division’s processes o It is comprehensive and covers all aspects of the operation and management of the internal audit activity, and o It is performed by or under the direct supervision of the IAD IPPF, Practice Advisory 1300-1 The QAIP Objective (Red Book) o The QAIP is not an attempt to reinvent the wheel but rather to ensure that Internal Audit consistently provides quality and valueadded services to its stakeholders. o Begins with instituting policies, procedures and practices that are consistent with the Standards Requirements of QAIP The quality assurance and improvement program must include both internal and external assessments IPPF, Standard 1310; Practice Advisory 1310-1 Internal Assessments Must include: o Ongoing monitoring of the performance of the internal audit activity; and o Periodic reviews performed through selfassessment or by other persons within the organization with sufficient knowledge of internal audit practices. IPPF, Standard 1311; Practice Advisory 1311-1 Internal Assessments – Ongoing Monitoring o Supervision of audits, regular, documented reviews of work papers; o IA checklists and policies/procedures to ensure compliance with applicable standards; o Feedback from customers (surveys) and other stakeholders; o Selective workpaper peer reviews; o Management tools: time budgets, time tracking systems, measuring audit plan completion o Analysis of performance metrics. Internal Assessments – Periodic Reviews o Stakeholder surveys and interviews; o Can be performed by members of the IA activity; o Can be performed by CIAs currently assigned elsewhere in the organization; o Can include combination of self-assessment and preparation of materials for others to review; o Benchmarking IA’s practice and performance against relevant best practices of the profession Internal Assessments – GAGAS “Audit organizations should establish policies and procedures for monitoring of quality in the audit organization. Monitoring of quality is an ongoing, periodic assessment of work completed on audits designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice.” GAGAS, Standard 3.93 External Assessments o Must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. o The reviewer or review team should be qualified, independent and from outside the agency. IPPF, Standard 1312; Practice Advisory 1312-1 External Assessments “The audit organization should obtain an external peer review at least once every 3 years that is sufficient in scope to provide a reasonable basis for determining whether, for the period under review, the reviewed audit organization’s system of quality control was suitably designed and whether the audit organization is complying with its quality control system in order to provide the audit organization with reasonable assurance of conforming with applicable professional standards.” GAGAS, Standard 3.96 Considerations for External Review The qualifications of external reviewers as noted in The IIA’s Practice Advisory 1312-1 should be considered when contracting with an outside party to conduct the assessment. Scope of the External Assessment o Conformance with the Standards, Definition of Internal Auditing, the Code of Ethics, and internal audit’s Charter, plans policies, procedures, practices, and any applicable legislative and regulatory requirements. o Expectations of Internal Audit as expressed by the Governance and Management (Executive Team) o Integration of the Internal Audit activity into DFPS’s governance process, including the audit relationship between and among the key groups involved in the process. Scope of the External Assessment o Tools and techniques used by Internal Audit. o The mix of knowledge, experiences, and disciplines within the staff, including staff focus on process improvement. o A determination whether Internal Audit adds value and improves DFPS’s operations. IPPF Practice Advisory 1312-1 Reporting on the QAIP Internal Assessment Reporting oResults of internal assessments will be reported to the Audit Committee and to senior management at least annually. IPPF, Standard 1320 and Interpretation External Assessment Reporting oResults which include the reviewer’s or review team ’ s assessment of conformance, is communicated to senior management upon completion. Implementing Corrective Action If there are any recommendations, the IAD should implement appropriate follow-up actions to ensure action plans are developed and implemented in a reasonable timeframe. Example – Internal Monitoring Process DFPs Internal Audit uses a team approach to the annual internal monitoring approach. Each team member is assigned a portion of the QAIP, conducts review, and reports results to the Internal Audit Director. The Director consolidates results and reports annually to the Commissioner and DFPS Executive Leadership Team. Copies of the DFPS QAIP policy/procedure, assignments and final report are included for discussion. Questions?