Sample Quality Assurance Improvement Program

Revised: 9/22/2009 The Institute of Internal Auditors

ABC ORGANIZATION (ABC) – INTERNAL AUDIT (INTERNAL AUDIT)
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (QAIP) – GENERAL

Internal Audit’s Quality Assurance and Improvement Program (QAIP) is designed to provide reasonable assurance to the various stakeholders of the Internal Audit activity that Internal Audit:

(1) Performs its work in accordance with its Charter, which is consistent with The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (Standards), Definition of Internal Auditing and Code of Ethics;
(2) Operates in an effective and efficient manner; and
(3) Is perceived by stakeholders as adding value and improving Internal Audit’s operations.

To that end, Internal Audit’s QAIP will cover all aspects of the Internal Audit activity (1300). In this regard, the following features are to be considered for the QAIP:

- Monitors the Internal Audit activity to ensure it operates in an effective and efficient manner (1300).
- Assures compliance with the Standards, Definition of Internal Auditing and Code of Ethics (1300).
- Helps the Internal Audit activity add value and improve organizational operations (1300).
- Includes both periodic and ongoing internal assessments (1311).
- Includes an external assessment at least once every five years, the results of which are communicated to the Board of Directors (BOD) through the Audit Committee of the Board of Directors (Audit Committee) (1312, 1320).

The Chief Audit Executive (CAE) is ultimately responsible for the QAIP, which covers all types of INTERNAL AUDIT activities, including consulting.

INTERNAL ASSESSMENTS

A. Ongoing Reviews – Ongoing assessments are conducted through:

- Supervision of engagements
- Regular, documented review of work papers during engagements by appropriate Internal Audit staff
- Audit Policies and Procedures used for each engagement to ensure compliance with applicable planning, fieldwork and reporting standards
- Feedback from customer survey on individual engagements
- Analyses of performance metrics established to improve the IAA's effectiveness and efficiency
- All final reports and recommendations are reviewed and approved by a CAE

B. Periodic Reviews – Periodic assessments are designed to assess conformance with Internal Audit’s Charter, the Standards, Definition of Internal Auditing, the Code of Ethics, and the efficiency and effectiveness of internal audit in meeting the needs of its various stakeholders. Periodic assessments will be conducted through:

- Bi-annual customer survey
- Annual risk assessments for purposes of annual audit planning
- Semi-annual work paper reviews for performance in accordance with internal audit policies and with the Standards (using Tool 17 of The IIA Quality Assessment Manual)
- Review of internal audit performance metrics and benchmarking of best practices, prepared and analyzed in accordance with Audit Policies and Procedures
- Periodic activity and performance reporting to the President and the Audit Committee

EXTERNAL ASSESSMENTS

A. General Considerations – External assessments will appraise and express an opinion about internal audit’s conformance with the Standards, Definition of Internal Auditing and Code of Ethics and include recommendations for improvement, as appropriate.

B. Timing – An external assessment will be conducted every five years.

C. Scope of External Assessment – The external assessment will consist of a broad scope of coverage that includes the following elements of Internal Audit activity:

- Conformance with the Standards, Definition of Internal Auditing, the Code of Ethics, and internal audit’s Charter, plans, policies, procedures, practices, and any applicable legislative and regulatory requirements.
- Expectations of Internal Audit as expressed by the BOD, executive management, and operational managers.
- Integration of the Internal Audit activity into ABC’s governance process, including the audit relationship between and among the key groups involved in the process.
- Tools and techniques used by Internal Audit.
- The mix of knowledge, experiences, and disciplines within the staff, including staff focus on process improvement.
- A determination whether Internal Audit adds value and improves ABC’s operations.

D. Considerations – The qualifications and considerations of external reviewers as noted in The IIA’s Practice Advisory 1312-1 will be considered when contracting with an outside party to conduct the review.

REPORTING ON QUALITY PROGRAM

A. Internal Assessments – Results of internal assessments will be reported to the Audit Committee and to senior management at least annually.

B. External Assessments – Results of external assessments will be provided to senior management and the Audit Committee. The external assessment report will be accompanied by a written action plan in response to significant comments and recommendations contained in the report.

C. Follow-up – The CAE will implement appropriate follow-up actions to ensure that recommendations made in the report and action plans developed are implemented in a reasonable timeframe.

ADMINISTRATIVE MATTERS

This policy will be appropriately updated for changes in the Standards or internal audit’s operating environment.

QUALITY ASSURANCE AND IMPROVEMENT (QA&I) PROGRAM
POTENTIAL INTERNAL AUDIT COMPONENTS

- Oversee the development and implementation of Internal Audit policies/procedures; administer/maintain the Policy/Procedures manual.
- Assist the chief audit executive (CAE) and audit managers with budgeting and financial administration for internal audit.
- Maintain and update the comprehensive audit risk universe, including gathering and incorporating new information impacting the universe; oversee the division of labor among internal audit, external audit, evaluation and investigation functions, etc.
- Administer the general operation of the system for evaluation of audit risk and long-range planning – assisting the CAE and the audit managers in this area.
- Assist internal audit management in the acquisition and maintenance of audit tools and use of technology.
- Administer external recruitment and internal audit’s participation in the organization’s internal staff rotation and management development programs.
- Oversee the training/development of staff, including selection and administration of training courses; administration of the career planning and performance evaluation processes in internal audit.
- Oversee the system(s) for internal audit statistics/metrics; administer the system for post-audit and other surveys of internal audit customers.
- Administer/monitor quality assurance and process improvement activities, including formal quality assessment processes (using the tools from The IIA’s Quality Assessment Manual).
- Oversee/administer information gathering and preparation of the periodic summary reports by internal audit to senior management and the audit committee (including reports of the results of internal and external quality assessments).
- Administer/maintain the comprehensive follow-up database for recommendations and action plans resulting from internal audit engagements and the work of external auditors and other internal evaluation and investigation functions.
- Assist the CAE, audit managers, and internal audit staff in keeping current on changes and emerging best practices of the internal auditing profession; undertake research into other emerging issues and opportunities – under the direction of internal audit management.

The QAIP function would be performed by a relatively small staff (from one part-time person to two or three people, depending on the size of the internal audit activity and the extent to which the chief audit executive wishes to delegate administrative matters). The words “assist, administer, oversee, monitor, and maintain” are intended to indicate that the internal audit person(s) responsible for QAIP would not physically perform much of this work. It would be assigned – either ad hoc for a particular task or on a longer-term basis – to other internal audit executives and staff, but overseen, administered, etc., by the QAIP function.