Tool 2A: Self-assessment Guide 2A-1

TOOL 2A
SELF-ASSESSMENT GUIDE

INTRODUCTION

This checklist provides a step-by-step process to prepare for and perform a self-assessment. It is designed for:

- The chief audit executive (CAE) who is considering using the “Self-assessment with Independent Validation” option for complying with The Institute of Internal Auditors’ (IIA’s) International Standards for the Professional Practice of Internal Auditing (Standards), or
- The CAE who is considering self-assessment as part of the ongoing quality program.

Internal self-assessment is a critical element of an internal audit (IA) activity’s overall quality assessment and improvement program, which should be established in accordance with The IIA’s Standards and the related Practice Advisories (1300 series). A self-assessment can be performed either solely with resources internal to the organization served by the IA activity (organization) or as an engagement to be subsequently tested by an independent validator. It should be performed under the direction of the CAE.

While a full external review achieves maximum benefits for the activity and should be included in the activity’s quality program, the self-assessment with independent validation provides an alternative means of complying with Standard 1312 – External Assessments. It also serves as a part of the activity’s ongoing quality program.

The principal features of the self-assessment with independent validation are patterned after those followed by an independent reviewer or review team, and include:

- The self-assessment follows a full external quality assessment process but is performed under the direction of the CAE by competent in-house audit professionals. Because of extensive knowledge of the IA activity’s policies, practices, and its application of the Standards, the time required for the internal team to conduct the review might be less than for an external review.
- The self-assessment must be adequately documented. The self-assessment checklist provides the basis for much of this documentation, along with the interviews, workpapers, and client surveys.
- Like an external quality assessment, the self-assessment should result in conclusions (by the self-assessment team and the CAE) as to the IA activity’s conformity to the Standards, its charter, and other relevant criteria, as well as recommendations for improvement and plans for their implementation.

2A-2 Quality Assessment Manual, 6th Edition

- A report of the results of the self-assessment should be drafted for presentation to the board (audit committee or other body with oversight of the IA activity) and senior management.

Because IA activities differ so much in size, nature of authority and responsibility, scope of work, staff skills, and other features, a self-assessment program must be flexible and adapted to those differing conditions. The principal steps outlined in this checklist will be needed in most cases and represent a starting point for planning the self-assessment project and design of the self-assessment program.

Self-assessment Process

1. Specify the scope and objectives of the engagement. This written plan should include designation of the team leader and members, and the content and recipients of the self-assessment report. The CAE may delegate the preparation of this checklist, but should review it for accuracy and completeness.
2. Establish the engagement schedule, incorporating the objectives as major elements of an engagement work program.
3. Review and modify, as appropriate, the self-assessment checklist. Because the self-assessment teams should have extensive knowledge of the IA activity (particularly its mission/charter, structure, processes, and staffing), it may not be necessary to perform all of the program steps to evaluate and reach valid conclusions on those areas. Also consider pertinent “successful practices” from professional literature and other benchmarking sources.
4. Review the Standards in relation to the engagement’s scope and objectives. The CAE and self-assessment team should refresh their understanding of the applicable Standards and the criteria used to judge the IA activity’s conformity to each of them.
5. Review the Quality Assessment Manual for relevant guidance and tools.
6. Complete the self-assessment checklist. Consider all questions and requests for information and evaluative comments in relation to the assessment’s scope and objectives. Respond to the questions, etc. to the extent the responses are necessary to facilitate and document the work of the internal assessment team. Attach the requested documentation or ensure it will be available as needed. Whenever a brief response will suffice, in lieu of an attachment, write it in the space provided. The attachments furnished should be described briefly within the checklist and clearly labeled. If the requested document/information is not attached to the checklist (i.e., not considered relevant or to be made available later), so state on the checklist where the attachment is called for and ensure that it will be readily available for later reference.
7. Prepare a gap analysis between the internal audit activities’ current state and their desired state.
8. Decide on the size and composition of the sample survey group and send out the client (Tool 4) and staff (Tool 5) surveys.
9. If interviews are to be conducted, decide on which ones and schedule the times for the interviews (Tools 6-11).
10. Complete the analysis (Tools 12-17). Develop any observations using Tool 18; one Tool 18 should be used for each observation.
11. Determine the opinion on conformance with the Standards using Tool 19.
12. Discuss potential report items with the CAE.
13. Draft the report and discuss it with the CAE and others from within and outside the IA activity who may have useful input or may be impacted by potential changes.
14. Coordinate the final review, reconciliation, and issuance of the self-assessment report. To the extent possible, include actions to be taken in response to report recommendations, along with a schedule of implementation follow-up and closure of the agreed actions.

SELF-ASSESSMENT GUIDE

Organization ________________________________________
Date prepared ________________________________________

The key aspects of the self-assessment are:

I. Positioning – Is the internal audit activity strategically positioned within the organization to enable it to contribute to the organization’s objectives and performance?
II. People – Does the internal audit activity have the right people to deliver the approved audit objectives and annual audit plan?
III. Processes – Do the internal audit activity processes enable achievement of their objectives and audit plan and allow the activity to be responsive to the changing needs of the organization?

I. POSITIONING

A. Risk Management, Governance, Accountability, and Oversight

1. Describe the process to identify, measure, and manage enterprise risk in the organization; list the most significant risks that have been identified (Attachment 1).
2. Describe how the organization’s strategies are selected, how objectives are established, measured, and reported, and indicate how managers are held accountable for achievement of their assigned objectives (Attachment 2).
3. Attach a copy of the policy for controlling the organization (e.g., management control policies, delegations of authority, or accountabilities) (Attachment 3). Do you consider it adequate (e.g., covering enterprise risk, authorities, management controls, and accountabilities)? If there is no written control policy, what policies are in place to ensure appropriate management control processes?
4. Describe the extent to which the IA activity’s priorities, scope of work, and use of resources are aligned with the organization’s enterprise risk management framework; describe how the IA activity contributes to achievement of the organization’s goals (Attachment 4). Comment on potential or planned changes to the IA activity’s priorities, scope, or use of resources to enhance that alignment. Compare alignment of the IA activity’s risk and planning universe with the organization’s enterprise risk universe and management control structure.
5. Attach a copy of the audit committee’s charter or similar document relating to board oversight of the IA activity and other monitoring functions in the organization (Attachment 5). Compare this charter to a model audit committee charter and comment as to the extent to which this current audit committee charter gives the audit committee adequate authority, scope, resources, information, and access to management to discharge its responsibilities. Comment on any proposed or potential enhancements to the audit committee’s current charter.

B. Background of the IA Activity

1. Give a brief history of the IA activity, including when it was started, any change(s) of CAEs during the past 10 years, an indication of its growth in the past 10 years, and significant changes in its lines of reporting, authority, scope of work, and internal organization (Attachment 6). Comment on how these changes have enhanced the IA activity’s effectiveness.
2. Name and title of the person to whom the CAE administratively reports.
________________________________________
3. Name and address of the chair of the audit committee or other board member(s) with oversight of the IA activity.
________________________________________
4. Name of the organization’s external auditing firm.
________________________________________
5. Person who heads up the external audit (e.g., partner-in-charge).
________________________________________

C. Internal Audit Practice Environment (including Support, Authority, and Scope)

1. Attach the entity’s organization chart showing placement of the IA activity (Attachment 7). Comment as to whether or not this is the optimum placement of the department to ensure independence, access to appropriate executives, ease of communication, support, and resources. Comment on any proposed or potential enhancements in these areas.
2. Attach a copy of the IA activity’s charter or similar authorities document (Attachment 8). Compare this charter to a model IA activity charter and comment on how the IA activity’s charter fosters the independence, access, resources, etc. necessary to the effective functioning of the IA activity. Mention any proposed or potential enhancements to the IA activity’s charter.
2.1 Does the IA charter set the tone for the mission of the IA activity and your interaction with the board and senior management, and have their formal approval? Yes____ No____
2.2 Is the charter current and relevant in view of any significant changes in the organization and in the Standards? Yes____ No____
2.3 Does the charter establish an adequate role, authority, and scope of work of the IA activity, and provide unrestricted access to records, information, locations, and employees? Yes____ No____
3. Does the IA activity have full access to all areas of the organization? Yes____ No____ If not, describe restrictions on the IA activity regarding access to information considered necessary to conduct audits and consulting engagements or access to relevant managers and employees (Attachment 9).
4. List other oversight/monitoring units outside the IA activity. Describe their authority, scope, and functions (e.g., safety, environment, evaluation, security, investigations, process improvement, and other compliance/consulting activities) (Attachment 10). Describe (a) how their separation from the IA activity impacts their overall effectiveness, (b) how they relate to senior management, the board, and other governance responsibilities and accountabilities, (c) how the separation impacts risk management, management control, efficiency, or resource utilization, and (d) comment on the potential for combining (any of) these functions and whether or not this is planned in the near future.
5. Is the IA activity adequately funded to perform the desired scope of work?

D. Relationship of the IA Activity with Senior Management and the Board (Audit Committee)

1. Describe interactions of the CAE and senior management involvement in management meetings for strategic and technology planning, periodic management briefings, etc. (Attachment 11).
2. Describe how senior management and the board (audit committee) are kept informed about the work of the IA activity (Attachment 12). Include how often the CAE is scheduled to meet with them, who attends such meetings, what is typically discussed, how often senior management and the board receive status reports, etc. Comment on any additional formal or informal contacts.
3. Select executives/staff for on-site interviews. Determine who will receive the surveys and who the self-assessment team plans to interview. Determine whether “customer satisfaction” surveys and formal staff performance reviews are conducted routinely by the IA activity. Use this information as the basis for selecting interview candidates.
To the extent practicable, include the CEO or other head of the organization, the executive to whom the CAE reports, the chair of the audit committee or other appropriate board member, a representative of the organization’s external auditor, and one or two of the IA activity’s customers/stakeholders.

II. PROCESSES

A. Internal Audit Activity Documentation

1. Attach a copy of the table of contents of the IA activity’s practices and procedures manual. Provide explanatory comments on plans for significant revisions or additions to that manual (Attachment 13).
2. Describe the procedures to ensure that the IA activity’s staff is objective (e.g., conflict of interest statements or auditor rotation). Describe the procedure for reporting conflicts of interest or bias to the CAE and subsequently dealing with them (Attachment 14).
3. Describe the philosophy of the IA activity, its core values, and mission/goals/objectives for serving its customers (Attachment 15).
4. Describe (and provide documentation of) the IA activity’s planning, administration, supervision, communicating results, and follow-up of remedial implementation for individual assurance and consulting engagements (Attachment 16).
5. Describe (and provide documentation of) the IA activity’s quality improvement processes, including internal quality assessments, benchmarking, measurement criteria, empowerment policies, and accountability mechanisms (Attachment 17).
6. Review and perform limited tests of audit workpapers. Pay particular attention to issues bearing on the IA activity’s charter, conformity to the Standards, enterprise and audit risk assessment, planning, scope and quality of services to customers, communication of results, and other “successful practice” matters appropriate to the situation (Attachment 18).

B. Internal Audit Activity Effectiveness and Performance Measurements

1. Describe the objectives against which the IA activity periodically measures its performance and describe how management evaluates the performance of the IA activity (Attachment 19).
2. Review the engagement plan vs. actual for the current period, including engagements currently in progress and details of engagements completed and reports issued (Attachment 20). Understand and comment on differences.
3. Review the engagement plan vs. actual for the prior period, including details of engagements completed and reports issued (Attachment 21). Understand and comment on differences.
4. Review the IA activity’s financial budget vs. actual for the current period (Attachment 22). Understand and comment on differences.
5. Review the IA activity’s financial budget vs. actual for the prior period (Attachment 23). Understand and comment on differences.
6. List the IA activity’s successful practices (Attachment 24) and indicate how these practices enhance the IA activity’s effectiveness. Comment on any proposed or potential additional practices that would add further value and/or enhance effectiveness. If there are such practices that the IA activity is not planning to implement (or if it is prevented from doing so), discuss the related reasons and the potential impact of the decisions not to implement them.

C. Planning

1. Provide a brief description of risk assessment and engagement planning (Attachment 25). Discuss how the IA activity’s assurance/consulting universe is determined, and how the planning considers alignment of the IA activity’s risk assessment and engagement planning with the organization’s strategic plans, objectives, and enterprise risk framework. Consider whether this risk assessment and planning process optimizes the use of IA resources and the value added by the IA activity.
2. Perform an in-depth evaluation of the IA activity’s coverage of all areas of technology, including plans, current systems, systems under development, and technology management issues within the organization, as well as its own use of technology in performing its assurance and consulting work. Is sufficient attention given to auditing information technology? Yes____ No____
3. Perform an in-depth evaluation of the IA activity’s coverage of the management control environment and accountability processes.
4. Review the extent, usefulness, and timeliness of management input related to management’s plans, concerns, priorities, etc., to the IA activity’s planning process.
5. Perform an in-depth evaluation of staffing numbers and skills needed to perform long-range audit plans compared to current staffing and skills availability. Does the IA activity look for opportunities to leverage IA resources through empowerment, partnering, joint efforts with customers, selective outsourcing, fostering self-assessment, etc.?
6. Perform an in-depth evaluation of the IA activity’s ability to achieve appropriate coverage of the organization’s audit universe based on their long-range engagement planning.
7. Review the type of engagement, customer name, staff assigned, time budgets, starting, completion, and report issuance dates, etc. for a sample of completed audit assignments.
8. Describe the relationship between the IA activity and the organization’s external auditors, covering coordination of audit work, reciprocal review of audit universe and annual plans, reliance placed on the work of the IA activity, loaning or exchange of staff, joint training, joint engagements, compatibility of methodologies and tools, sharing of reports, and remedial implementation follow-up (Attachment 26).
9. Assess the IA activity’s accomplishment of its plans and objectives, as well as the effectiveness of its reporting and implementation follow-up.

III. PEOPLE

1. Provide a list of the IA activity’s staff, classified by staff level and type, along with an indication of time in the IA activity and prior experience (Attachment 27). Review the IA activity’s organization chart, job descriptions, records showing skills requirements, staff qualifications, sources of staff, unfilled positions, use of outside services, recent turnover, and outplacement of staff.
2. Show the percentage of the IA activity’s staff time and contract (outsourced) services applied to each of the following types of assurance and consulting activities. (Note: If the IA activity’s timekeeping system does not facilitate classifying time in this manner, provide a rough estimate and show a separate breakdown based on the IA activity’s system.)

Percentage   Type of activity
__________   Results of operations, programs, or projects, including accomplishment of objectives and effective use of resources
__________   Reliability and integrity of financial and operating information
__________   Compliance with policies, laws, regulations, and ethical standards
__________   The means to safeguard assets, loss prevention, and fraud detection
__________   Management of technology and information systems audits
__________   Process improvement and related consulting activities
__________   Other productive time (describe)
__________   Training, vacations, illness, general management, and other “unassigned”
100%         Total

3. Describe the IA activity’s staff development policies and programs, including use of the IA activity as a part of management training in the organization, compensation, and other staff rotation programs (Attachment 28). Have available for later review information on internal and external staff training courses, staff performance appraisal and career planning, staff surveys, and related records.
4. Interview a few representative members of the IA activity’s staff. The purpose of the interviews is to obtain a broad perspective of the IA activity’s management of its resources and the adequacy of its staff in relation to its charter mandates, expectations of its customers, and professional development needs. If the IA activity conducts formal, documented performance evaluations and career development sessions with its staff, a review of the related documentation can serve to reduce the need for staff interviews.
5. Evaluate the IA activity’s staff size and competency. Consider such elements as staff sources, numbers, skills mix, continuing professional education, executive development, and leveraging these elements by partnering with customers, using external expertise, etc.