Who Audits the Auditors - The Value of Internal and External QAs
advertisement
Who Audits the Auditors? The value of Internal and External Quality Assessments Speaker: www.theiia.org/Quality Speaker Background Information www.theiia.org/Quality Topics we will cover Today www.theiia.org/Quality Key Areas of Discussion Today Quality Improvement & Assurance Program External quality assessments and why your audit group should have one What to expect from an external QA How to get the most value from a QA How an Audit professional should prepare for a QA www.theiia.org/Quality Some areas we will NOT talk about today All of the Standards with which you need to comply to pass a QA All of the components of an effective quality program There just isn’t enough time to do this and the IIA and other organizations have seminars, books and CDs covering these topics www.theiia.org/Quality A Show of Hands How many Internal Audit Activities have a QA&IP in place today? www.theiia.org/Quality A Show of Hands How many work for an organization that has had an external QA? www.theiia.org/Quality A Show of Hands How many work for an organization that has not had an external QA? Is anyone planning to have one? www.theiia.org/Quality A Show of Hands How many have been part of an external QA team? www.theiia.org/Quality Does this look familiar? http://www.theiia.org/guidance/standards-and-practices/professional-practices-framework/ www.theiia.org/Quality Have you read the Quality Standards? Standard 1300 Quality Assurance and Improvement Standard 1310 Quality Program Assessments Standard 1311 Internal Assessments Standard 1312 External Assessments www.theiia.org/Quality Standard 1300: Quality Assurance and Improvement Program (QA&IP) The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program must be designed to help the internal auditing activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics. www.theiia.org/Quality Quality Assurance and Improvement Program Why is a Quality Assurance & Improvement Program necessary? As an Organization and its Internal Audit shops grow, its operations undergo refinement, and its internal processes change and evolve, its quality monitoring process must keep pace. www.theiia.org/Quality Quality and Improvement Program What would be the elements of a Quality and Improvement Program? QA www.theiia.org/Quality 1311: Internal Assessments Must include: • Ongoing reviews of the performance of the internal audit activity; and • Periodic reviews performed through selfassessment or by other persons within the organization, with knowledge of internal auditing practices and the Standards. • Person(s) conducting assessment can be part of internal audit activity or from another area in the company. www.theiia.org/Quality Some Elements of a QA&IP • Staff Information (education, skills, certifications) • Audit Plan Budget to Actual • Audit Cycle Time • Issues and Recommendations Tracking • Customer Satisfaction Survey • Staff Meeting • Benchmarking to Best Practices • Training • Work Paper Review (ongoing) • QA Review Action Plan www.theiia.org/Quality Balanced Scorecard for Internal Auditing Board/Audit Committee • Expectations OBJECTIVES • Perspective on IA Roles • Satisfaction Surveys • List here. MEASURES • Perspective on IA Roles • List here. • Satisfaction Surveys • Requests • Risk Concerns • Complaints • CAE/AC Private Meetings Management/Audit Customers OBJECTIVES • List here. CORPORATE STRATEGY MEASURES INTERNAL AUDIT STRATEGY • Experience • Reporting Relationships MEASURES • List here. • Importance Levels • Improvements • Education • Certification OBJECTIVES • List here. • List here. • Training Internal Audit Processes Innovation/Capabilities OBJECTIVES • List here. MEASURES • List here • Findings • Repeat Findings • Savings • Quality Assessment www.theiia.org/Quality What is the Value of Quality to Internal Audit ABC Organization Executive Level Internal Audit At this level Internal Audit is not considered a valued resource to the Organization www.theiia.org/Quality What is the Value of Quality to Internal Audit ABC Organization Executive Level Internal Audit As the Quality of Internal Audit increases the acceptance at the Executive Level gets Internal Audit closer www.theiia.org/Quality What is the Value of Quality to Internal Audit ABC Organization Executive Level Internal Audit Once Quality is achieved Internal Audit is embraced by the Executive Level as a valuable resource within the Organization www.theiia.org/Quality Who’s Responsible for the Quality of Internal Audit? • Organization • Chief Audit Executive (CAE) Who Will Benefit? • Internal Audit Profession • IA Stakeholders (AC, BOD, Regulatory Body, Sr. Mgmt) • Internal Auditor specially CIA’s www.theiia.org/Quality Professionalism & Commitment • The Drive to be the Best • Success (individual & organization) • “Persistence with a Purpose” • Professional Development • The Pride to be an Internal Auditor www.theiia.org/Quality By the way, what’s an external quality assessment (QA)? Professional standards require each internal audit function to obtain an external quality assessment at least once every five years (Standard 1312) www.theiia.org/Quality What’s the focus of an external QA? IIA Code of Ethics International Standards for the Professional Practice of Internal Auditing Audit committee & internal audit charters Professional certification and education Process improvement & best practices www.theiia.org/Quality What happens in an external QA? Interview & survey stakeholders Assess compliance with the IIA Code of Ethics and the Standards Assess charters, policies & procedures Review staff experience & qualifications Inspect workpapers www.theiia.org/Quality What are the benefits of an external QA? Expert advice & counsel from practitioners with decades of experience and broad exposure to the best IA functions Sounding Board Leverage for funding, authority, independence & training Visibility Pipeline to the audit committee & senior management www.theiia.org/Quality Making a difference… HBS or equivalent executive training program for CAE Staffing increases Training and certification support Implementation of CAATs www.theiia.org/Quality Why have an external QA? Professional credibility Organizational credibility Legal liability Compliance with Standards Continuous improvement Audit Committee oversight www.theiia.org/Quality Why are some IA functions not in compliance? (The IIA Common Body of Knowledge survey reports 39% of IA functions have never had an external QA) 28% of IA functions are less than 5 years old Internal audit is not regulated Unaware of the requirement Unfazed by the penalty Costs in money and time www.theiia.org/Quality What problems are commonly found? Inadequate Quality Assurance & Improvement Program Consulting omitted from the mission and charter Inadequate IT coverage or technical skills Lack of performance measures www.theiia.org/Quality What problems are commonly found? Inappropriate CAE reporting relationships Out-of-date charters Client perception of inadequate audit staff knowledge No formalized risk assessment process www.theiia.org/Quality What Does It *Cost? Number of Internal Audit Staff Average Size of External QA Team Average IA Staff Preparation (Hours) Avg IA Staff Support of QA Team (Hrs) 1 to 2 2 200 33.5 6.6 $13,000 3 to 6 3 110 40 4.2 $15,000 7 to 15 4 100 60 5 $22,000 16 to 20 3 90 70 9.2 $35,000 21 to 30 6 135 60 9 $42,000 31 to 50 5 N/A N/A 10.5 51 to 70 6 80 50 13 $75,000 71 to 100 3 200 120 20 $80,000 *Source: IIARF Survey April 2007 Average Time to Complete QA (Days) Average Cost N/A www.theiia.org/Quality How long does an external QA take? A sample timeline… RFP 8/1 – 8/15 Prepare background info 9/1- 9/15 Stakeholder surveys 9/15 – 9/30 GAIN data input on IIA website 9/15 Preliminary meeting 10/15 On-site fieldwork 10/30 – 11/3 Issue draft report 11/15 Receive reply to draft report 11/22 Issue final report 11/29 www.theiia.org/Quality What is a self-assessment with independent validation (SAIV)? Perform your own internal assessment and then… Engage an independent party to review your work www.theiia.org/Quality What’s the advantage of the SAIV? It costs less! www.theiia.org/Quality What’s the trade-off for a SAIV? Requires IAA to budget more resources Diminished: Independence Outside perspective Expertise Board leverage Senior management leverage Oomph www.theiia.org/Quality What should you do? If you can’t get the budget for an external QA, go the SAIV route to get into compliance Consider SAIV for your 1st QA and follow-up with an external QA in 2-3 years www.theiia.org/Quality What about peer reviews? “Even if he is lucky, the best barber can count on no more than the 2nd best haircut” Issues: quality, independence, experience, industry knowledge, confidentiality, etc. www.theiia.org/Quality How long does an SAIV take? A sample timeline… RFP 8/1 – 8/31 Prepare self-assessment 9/1- 9/30 Stakeholder surveys 9/15 – 9/30 GAIN data input on IIA website 9/15 Preliminary meeting 10/15 On-site validation 10/30 – 11/1 Issue draft report 11/15 Receive reply to draft report 11/22 Issue final report 11/29 www.theiia.org/Quality IIA Recognition Plaque Organizations that have an external quality assessment completed by The IIA with a “General Conformance” opinion will receive a recognition plaque www.theiia.org/Quality Where to Find Quality Resources? • Free Web-Based Resources by IIA Inc. and IIA Affiliates (www.theiia.org /Quality) • QA training seminars by IIA Inc. and IIA Affiliates • Local Chapters and Study Groups • Quality Services by IIA Inc., Affiliates, and Other Service Providers www.theiia.org/Quality Time for…. Questions??? www.theiia.org/Quality This presentation is from The Institute of Internal Auditors Global Headquarters www.theiia.org Contact us at Quality@theiia.org www.theiia.org/Quality
