External Quality Assessments www.theiia.org Session Overview • Quality Standards • Internal Quality Assessments • External Quality Assessments • Peer Reviews • Common Problems Observed • Online Resources Available www.theiia.org Professional Practices Framework • International Standards for the Professional Practice of Internal Auditing (Standards) – Mandatory Guidance • Attribute • Performance • Implementation – Assurance – Consulting • Practice Advisories • Development and Practice Aids www.theiia.org Quality Standards • 1300 - Quality Assurance and Improvement Program • 1310 - Quality Program Assessments • 1311 - Internal Assessments • 1312 - External Assessments • 1320 - Reporting on the Quality Program • 1321 - Use of “Conducted in Accordance with the Standards” • 1322 - Disclosure of Noncompliance www.theiia.org Standard 1311 Internal Quality Assessments • Ongoing • • • • • Work Paper Reviews Performance Evaluations Actual vs. Budgeted Analysis Various Monitoring Metrics Customer Surveys • Periodic • Self-Assessment – Annually – Covering all Standards over 5 years – Quarterly/Semi-Annual – Portions of Standards each year – Assess compliance with IA Activity Charter www.theiia.org Standard 1312 External Quality Assessments • Required every 5 years • Standard enacted January 1, 2002 • Two methods: – External Quality Assessment with the review and report by an independent team – Self Assessment with report validation by an Independent Validator www.theiia.org Objectives of External Reviews • Provide an opinion on the internal audit activity’s conformance to the spirit and intent of the Standards. • Assess the efficiency and effectiveness of the internal audit activity in light of: – Its charter – Expectations of the board, executive management, and the CAE • Identify opportunities and offer ideas and counsel to the CAE and staff for: – Improving their performance – Increasing the value they add to the enterprise www.theiia.org Why Conduct an External Quality Assessment? To provide independent analyses: – Do we meet professional standards? – Can things be done better? – Should more be done? – Is maximum value being received for each dollar of expense? – Can we add more value to management and the audit committee? – Can we enhance our image, perceptions, and credibility within the organization? www.theiia.org Standard 1321 Use of "Conforms with the Standards" • Internal auditors are encouraged to report that activities are in conformance with the Standards • However, internal auditors may use the statement only if assessments of the quality assurance and improvement program demonstrates conformance with Standards. www.theiia.org External Quality Assessment • Contract with outside provider to perform review, write the report and determine the compliance with the Standards: – Regional accounting firms – Outsource providers – Independent consultants – Independent Peers www.theiia.org Self Assessment with Independent Validation • Internal Audit Activity conducts their own Self assessment, determines compliance with the Standards and writes the report • Internal Audit Activity then engages an independent Validator to review documentation and perform limited testing • Validator concurs with report or disagrees and issues own report (opinion) • Validator can be an external service provider or from a peer pool www.theiia.org Peer Reviews • Peer reviews between three or more organizations does meet the requirements of an external quality assessment. • Reciprocal peer reviews between two organizations would not pass the independence test. • Contract between three (3) or more companies within the same industry or other affinity group, regional association, or other group of organizations. www.theiia.org Competence of Assessors and Validators • Practice Advisory 1312-1 recommends: – Be a competent, certified audit professional. – Be well versed in the best practices of the profession. – Have at least three years of recent experience in the practice of internal auditing at a management level. – Have additional competence gained from working previously as a team member on an external quality assessment. www.theiia.org Independence of Assessors and Validators • Practice Advisory 1312-1 recommends: – “be free from any obligation to, or interest in, the organization whose internal audit activity is the subject of the assessment …” www.theiia.org A 12-Point Process 1. 2. 3. 4. 5. Select and train a QA team Have the CAE complete the QA self-study Make a preliminary visit to the organization Use customer and staff surveys Perform the on-site work including: – – – – – – Review of administrative policies and procedures Consideration of enterprise risk’ Evaluation of risk assessment in audit planning Review of working papers and final reports for selected engagements Review of number and skills of internal audit staff Evaluate adequacy of IT audit coverage www.theiia.org A 12-Point Process 6. Evaluate the internal audit activity’s effectiveness at remaining current and adding value through interviews with: – Selected members of the board – Executive management – Operating managers – Internal audit staff 7. Consider other monitoring functions, and evaluate coordination of internal audit work with that of independent auditors. 8. Evaluate the internal audit activity’s conformance with IIA Standards and other relevant standards. www.theiia.org A 12-Point Process 9. Review quality/process improvement actions currently underway 10. Provide a summary of issues and recommendations, and hold a closing conference with the CAE and/or other requestors. 11. Draft a report, obtain comments, and issue a final report 12. Hold a follow-up executive conference (optional) www.theiia.org Common Problems Observed by IIA External Assessment Teams • Inappropriate CAE reporting relationships • Out-of-date charters for internal audit activity • Lack of board approved policy on internal control responsibility • Client perception of inadequate audit staff knowledge • Lack of a formalized risk assessment process • Lack of understanding regarding: – Internal audit activity’s consulting responsibilities – Reflection of consulting in the mission and charter • Inadequate IT coverage or technical skills www.theiia.org Quality Assessment Resources at www.theiia.org/quality • Frequently Asked Questions about Quality • Providers of External Quality Assessments • List of Organizations with Completed External Quality Assessments • Becoming a QA Volunteer www.theiia.org Quality Assessment Resources at www.theiia.org/quality • • • • • • Sample request for a quality assessment proposal Quality Assessment Advanced Preparation Audit Customer (Client) Survey Internal Audit Staff Survey Self-Assessment Guide Models – – – – Model Model Model Model Audit Committee Charter Internal Audit Activity Charter Management Control Policy Quality Assurance and Improvement Program www.theiia.org Questions? www.theiia.org IIA Contact 247 Maitland Avenue Altamonte Spring, Florida 32701-4201 USA Tel + 1.407.937.1399 Fax +1.407.937.1101 E-mail: quality@theiia.org www.theiia.org