Self Assessment Guide - The Institute of Internal Auditors

_________________________________________Tool 2A: Self-assessment Guide 2A-1
TOOL 2A
SELF-ASSESSMENT GUIDE
INTRODUCTION
This checklist provides a step-by-step process to prepare for and perform a self-assessment. It is
designed for:
- The chief audit executive (CAE) who is considering using the “Self-assessment with
  Independent Validation” option for complying with The Institute of Internal Auditors’
  (IIA’s) International Standards for the Professional Practice of Internal Auditing
  (Standards), or
- The CAE who is considering self-assessment as part of the ongoing quality program.
Internal self-assessment is a critical element of an internal audit (IA) activity’s overall quality
assessment and improvement program, which should be established in accordance with The IIA’s
Standards and the related Practice Advisories (1300 series). A self-assessment can be performed
either solely with resources internal to the organization served by the IA activity (organization) or
as an engagement to be subsequently tested by an independent validator. It should be performed
under the direction of the CAE.
While a full external review achieves maximum benefits for the activity and should be included
in the activity’s quality program, the self-assessment with independent validation provides an
alternative means of complying with Standard 1312 – External Assessments. It also serves as a
part of the activity’s ongoing quality program.
The principal features of the self-assessment with independent validation are patterned after those
followed by an independent reviewer or review team, and include:
- The self-assessment follows a full external quality assessment process but is performed
  under the direction of the CAE by competent in-house audit professionals. Because of
  extensive knowledge of the IA activity’s policies, practices, and its application of the
  Standards, the time required for the internal team to conduct the review might be less
  than for an external review.
- The self-assessment must be adequately documented. The self-assessment checklist
  provides the basis for much of this documentation, along with the interviews,
  workpapers, and client surveys. Like an external quality assessment, the self-assessment
  should result in conclusions (by the self-assessment team and the CAE) as to the IA
  activity’s conformity to the Standards, its charter, and other relevant criteria, as well as
  recommendations for improvement and plans for their implementation.
2A-2 Quality Assessment Manual, 6th Edition___________________________________
- A report of the results of the self-assessment should be drafted for presentation to the
  board (audit committee or other body with oversight of the IA activity) and senior
  management.
Because IA activities differ so much in size, nature of authority and responsibility, scope of work,
staff skills, and other features, a self-assessment program must be flexible and adapted to those
differing conditions. The principal steps outlined in this checklist will be needed in most cases
and represent a starting point for planning the self-assessment project and design of the self-assessment program.
Self-assessment Process
1. Specify the scope and objectives of the engagement. This written plan should include
designation of the team leader and members, and the content and recipients of the self-assessment report. The CAE may delegate the preparation of this checklist, but should review
it for accuracy and completeness.
2. Establish the engagement schedule, incorporating the objectives as major elements of an
engagement work program.
3. Review and modify, as appropriate, the self-assessment checklist. Because the self-assessment teams should have extensive knowledge of the IA activity (particularly its
mission/charter, structure, processes, and staffing), it may not be necessary to perform all of
the program steps to evaluate and reach valid conclusions on those areas. Also consider
pertinent “successful practices” from professional literature and other benchmarking sources.
4. Review the Standards in relation to the engagement’s scope and objectives. The CAE and
self-assessment team should refresh their understanding of the applicable Standards and the
criteria used to judge the IA activity’s conformity to each of them.
5. Review the Quality Assessment Manual for relevant guidance and tools.
6. Complete the self-assessment checklist. Consider all questions and requests for information
and evaluative comments in relation to the assessment’s scope and objectives. Respond to the
questions, etc. to the extent the responses are necessary to facilitate and document the work of
the internal assessment team. Attach the requested documentation or ensure it will be
available as needed. Whenever a brief response will suffice, in lieu of an attachment, write it
in the space provided. The attachments furnished should be described briefly within the
checklist and clearly labeled. If the requested document/information is not attached to the
checklist (i.e., not considered relevant or to be made available later), so state on the checklist
where the attachment is called for and ensure that it will be readily available for later
reference.
7. Prepare a gap analysis between the internal audit activity’s current state and its desired
state.
8. Decide on the size and composition of the sample survey group and send out the client (Tool
4) and staff (Tool 5) surveys.
9. If interviews are to be conducted, decide on which ones and schedule the times for the
interviews (Tools 6-11).
10. Complete the analysis (Tools 12-17). Develop any observations using Tool 18; one Tool 18
should be used for each observation.
11. Determine the opinion on conformance with the Standards using Tool 19.
12. Discuss potential report items with the CAE.
13. Draft the report and discuss it with the CAE and others from within and outside the IA
activity who may have useful input or may be impacted by potential changes.
14. Coordinate the final review, reconciliation, and issuance of the self-assessment report. To the
extent possible, include actions to be taken in response to report recommendations, along
with a schedule of implementation follow-up and closure of the agreed actions.
SELF-ASSESSMENT GUIDE
Organization
___________________________________________
Date prepared
___________________________________________
The key aspects of the self-assessment are:
I. Positioning – Is the internal audit activity strategically positioned within the organization to
enable it to contribute to the organization’s objectives and performance?
II. People – Does the internal audit activity have the right people to deliver the approved audit
objectives and annual audit plan?
III. Processes – Do the internal audit activity processes enable achievement of their objectives
and audit plan and allow the activity to be responsive to the changing needs of the
organization?
I. POSITIONING
A. Risk Management, Governance, Accountability, and Oversight
1. Describe the process to identify, measure, and manage enterprise risk in the organization; list
the most significant risks that have been identified (Attachment 1).
2. Describe how the organization’s strategies are selected, how objectives are established,
measured, and reported, and indicate how managers are held accountable for achievement of
their assigned objectives (Attachment 2).
3. Attach a copy of the policy for controlling the organization (e.g., management control
policies, delegations of authority, or accountabilities) (Attachment 3). Do you consider it
adequate (e.g., covering enterprise risk, authorities, management controls, and
accountabilities)? If there is no written control policy, what policies are in place to ensure
appropriate management control processes?
4. Describe the extent to which the IA activity’s priorities, scope of work, and use of resources
are aligned with the organization’s enterprise risk management framework; describe how the
IA activity contributes to achievement of the organization’s goals (Attachment 4). Comment
on potential or planned changes to the IA activity’s priorities, scope, or use of resources to
enhance that alignment. Compare alignment of the IA activity’s risk and planning universe
with the organization’s enterprise risk universe and management control structure.
5. Attach a copy of the audit committee’s charter or similar document relating to board
oversight of the IA activity and other monitoring functions in the organization (Attachment
5). Compare this charter to a model audit committee charter and comment as to the extent to
which this current audit committee charter gives the audit committee adequate authority,
scope, resources, information, and access to management to discharge its responsibilities.
Comment on any proposed or potential enhancements to the audit committee’s current
charter.
B. Background of the IA Activity
1. Give a brief history of the IA activity, including when it was started, any change(s) of CAEs
during the past 10 years, an indication of its growth in the past 10 years, and significant
changes in its lines of reporting, authority, scope of work, and internal organization
(Attachment 6). Comment on how these changes have enhanced the IA activity’s
effectiveness.
2. Name and title of the person to whom the CAE administratively reports.
________________________________________________________________________________
3. Name and address of the chair of the audit committee or other board member(s) with
oversight of the IA activity.
________________________________________________________________________________
4. Name of the organization’s external auditing firm.
________________________________________________________________________________
5. Person who heads up the external audit (e.g., partner-in-charge).
_________________________________________________________________________
C. Internal Audit Practice Environment (including Support, Authority, and Scope)
1. Attach the entity’s organization chart showing placement of the IA activity (Attachment 7).
Comment as to whether or not this is the optimum placement of the department to ensure
independence, access to appropriate executives, ease of communication, support, and
resources. Comment on any proposed or potential enhancements in these areas.
2. Attach a copy of the IA activity’s charter or similar authorities document (Attachment 8).
Compare this charter to a model IA activity charter and comment on how the IA activity’s
charter fosters the independence, access, resources, etc. necessary to the effective functioning
of the IA activity. Mention any proposed or potential enhancements to the IA activity’s
charter.
2.1 Does the IA charter set the tone for the mission of the IA activity and your interaction
with the board and senior management, and have their formal approval? Yes ____ No ____
2.2 Is the charter current and relevant in view of any significant changes in the organization
and in the Standards? Yes ____ No ____
2.3 Does the charter establish an adequate role, authority, and scope of work of the IA
activity, and provide unrestricted access to records, information, locations, and employees?
Yes ____ No ____
3. Does the IA activity have full access to all areas of the organization? Yes____ No ____ If
not, describe restrictions on the IA activity regarding access to information considered
necessary to conduct audits and consulting engagements or access to relevant managers and
employees (Attachment 9).
4. List other oversight/monitoring units outside the IA activity. Describe their authority, scope,
and functions (e.g., safety, environment, evaluation, security, investigations, process
improvement, and other compliance/consulting activities) (Attachment 10). Describe (a) how
their separation from the IA activity impacts their overall effectiveness, (b) how they relate to
senior management, the board, and other governance responsibilities and accountabilities, (c)
how the separation impacts risk management, management control, efficiency, or resource
utilization, and (d) comment on the potential for combining (any of) these functions and
whether or not this is planned in the near future.
5. Is the IA activity adequately funded to perform the desired scope of work?
D. Relationship of the IA Activity with Senior Management and the Board (Audit
Committee)
1. Describe interactions of the CAE and senior management involvement in management
meetings for strategic and technology planning, periodic management briefings, etc.
(Attachment 11).
2. Describe how senior management and the board (audit committee) are kept informed about
the work of the IA activity (Attachment 12). Include how often the CAE is scheduled to meet
with them, who attends such meetings, what is typically discussed, how often senior
management and the board receive status reports, etc. Comment on any additional formal or
informal contacts.
3. Select executives/staff for on-site interviews. Determine who will receive the surveys and
who the self-assessment team plans to interview. Determine whether “customer satisfaction”
surveys and formal staff performance reviews are conducted routinely by the IA activity. Use
this information as the basis for selecting interview candidates. To the extent practicable,
include the CEO or other head of the organization, the executive to whom the CAE reports,
the chair of the audit committee or other appropriate board member, a representative of the
organization’s external auditor, and one or two of the IA activity’s customers/stakeholders.
II. PROCESSES
A. Internal Audit Activity Documentation
1. Attach a copy of the table of contents of the IA activity’s practices and procedures manual.
Provide explanatory comments on plans for significant revisions or additions to that manual
(Attachment 13).
2. Describe the procedures to ensure that the IA activity’s staff is objective (e.g., conflict of
interest statements or auditor rotation). Describe the procedure for reporting conflicts of
interest or bias to the CAE and subsequently dealing with them (Attachment 14).
3. Describe the philosophy of the IA activity, its core values, and mission/goals/objectives for
serving its customers (Attachment 15).
4. Describe (and provide documentation of) the IA activity’s planning, administration,
supervision, communicating results, and follow-up of remedial implementation for individual
assurance and consulting engagements (Attachment 16).
5. Describe (and provide documentation of) the IA activity’s quality improvement processes,
including internal quality assessments, benchmarking, measurement criteria, empowerment
policies, and accountability mechanisms (Attachment 17).
6. Review and perform limited tests of audit workpapers. Pay particular attention to issues
bearing on the IA activity’s charter, conformity to the Standards, enterprise and audit risk
assessment, planning, scope and quality of services to customers, communication of results,
and other “successful practice” matters appropriate to the situation (Attachment 18).
B. Internal Audit Activity Effectiveness and Performance Measurements
1. Describe the objectives against which the IA activity periodically measures its performance
and describe how management evaluates the performance of the IA activity (Attachment 19).
2. Review the engagement plan vs. actual for the current period, including engagements
currently in progress and details of engagements completed and reports issued (Attachment
20). Understand and comment on differences.
3. Review the engagement plan vs. actual for the prior period, including details of engagements
completed and reports issued (Attachment 21). Understand and comment on differences.
4. Review the IA activity’s financial budget vs. actual for the current period (Attachment 22).
Understand and comment on differences.
5. Review the IA activity’s financial budget vs. actual for the prior period (Attachment 23).
Understand and comment on differences.
6. List the IA activity’s successful practices (Attachment 24) and indicate how these practices
enhance the IA activity’s effectiveness. Comment on any proposed or potential additional
practices that would add further value and/or enhance effectiveness. If there are such
practices that the IA activity is not planning to implement (or if it is prevented from doing
so), discuss the related reasons and the potential impact of the decisions not to implement
them.
C. Planning
1. Provide a brief description of risk assessment and engagement planning (Attachment 25).
Discuss how the IA activity’s assurance/consulting universe is determined, and how the
planning considers alignment of the IA activity’s risk assessment and engagement planning
with the organization’s strategic plans, objectives, and enterprise risk framework. Consider
whether this risk assessment and planning process optimizes the use of IA resources and the
value added by the IA activity.
2. Perform an in-depth evaluation of the IA activity’s coverage of all areas of technology,
including plans, current systems, systems under development, and technology management
issues within the organization, as well as its own use of technology in performing its
assurance and consulting work. Is sufficient attention given to auditing information
technology? Yes ____ No ____
3. Perform an in-depth evaluation of the IA activity’s coverage of the management control
environment and accountability processes.
4. Review the extent, usefulness, and timeliness of management input related to management’s
plans, concerns, priorities, etc., to the IA activity’s planning process.
5. Perform an in-depth evaluation of staffing numbers and skills needed to perform long-range
audit plans compared to current staffing and skills availability. Does the IA activity look for
opportunities to leverage IA resources through empowerment, partnering, joint efforts with
customers, selective outsourcing, fostering self-assessment, etc.?
6. Perform an in-depth evaluation of the IA activity’s ability to achieve appropriate coverage of
the organization’s audit universe based on their long-range engagement planning.
7. Review the type of engagement, customer name, staff assigned, time budgets, starting,
completion, and report issuance dates, etc. for a sample of completed audit assignments.
8. Describe the relationship between the IA activity and the organization’s external auditors,
covering coordination of audit work, reciprocal review of audit universe and annual plans,
reliance placed on the work of the IA activity, loaning or exchange of staff, joint training,
joint engagements, compatibility of methodologies and tools, sharing of reports, and remedial
implementation follow-up (Attachment 26).
9. Assess the IA activity’s accomplishment of its plans and objectives, as well as the
effectiveness of its reporting and implementation follow-up.
III. PEOPLE
1. Provide a list of the IA activity’s staff, classified by staff level and type, along with an
indication of time in the IA activity and prior experience (Attachment 27). Review the IA
activity’s organization chart, job descriptions, records showing skills requirements, staff
qualifications, sources of staff, unfilled positions, use of outside services, recent turnover, and
outplacement of staff.
2. Show the percentage of the IA activity’s staff time and contract (outsourced) services applied
to each of the following types of assurance and consulting activities. (Note: If the IA
activity’s timekeeping system does not facilitate classifying time in this manner, provide a
rough estimate and show a separate breakdown based on the IA activity’s system.)
                                                                          Percentage
Results of operations, programs, or projects, including
accomplishment of objectives and effective use of resources               __________
Reliability and integrity of financial and operating information          __________
Compliance with policies, laws, regulations, and ethical standards        __________
The means to safeguard assets, loss prevention, and fraud detection       __________
Management of technology and information systems audits                   __________
Process improvement and related consulting activities                     __________
Other productive time (describe)                                          __________
Training, vacations, illness, general management, and other “unassigned”  __________
Total                                                                     100%
                                                                          =====
3. Describe the IA activity’s staff development policies and programs, including use of the IA
activity as a part of management training in the organization, compensation, and other staff
rotation programs (Attachment 28). Have available for later review information on internal
and external staff training courses, staff performance appraisal and career planning, staff
surveys, and related records.
4. Interview a few representative members of the IA activity’s staff. The purpose of the
interviews is to obtain a broad perspective of the IA activity’s management of its resources
and the adequacy of its staff in relation to its charter mandates, expectations of its customers,
and professional development needs. If the IA activity conducts formal, documented
performance evaluations and career development sessions with its staff, a review of the
related documentation can serve to reduce the need for staff interviews.
5. Evaluate the IA activity’s staff size and competency. Consider such elements as staff sources,
numbers, skills mix, continuing professional education, executive development, and
leveraging these elements by partnering with customers, using external expertise, etc.