How to Survive an External Quality Assessment Hans Nieuwlands CIA CGAP CCSA CEO IIA Netherlands Budapest, 19 September 2014
Outline Introduction Definition of Quality Guidance from The IIA QAIP Framework Common improvement areas Conclusion The International Standards for the Professional Practice of Internal Auditing support this definition of internal auditing. QAIP - Yerevan, May 15, 2014
What is Quality? Quality is not an act, it is a habit. Aristotle
What is Quality? Quality means doing it right when nobody is watching. Henry Ford
What is Quality? Quality in a product or service is not what the supplier puts in. It is what the customer gets out and is willing to pay for. Peter F. Drucker
What is Quality? Quality in internal audit is guided by both an obligation to meet customer expectations as well as professional responsibilities inherent in conforming to the Standards. Practice Guide
Professional Guidance
Standards 1300 – Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. Internal auditing is a true profession, guided by Standards and a Code of Ethics, and clearly defined.
Standards Interpretation 1300: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
Standards 1310 – Requirements of the Quality Assurance and Improvement Program The quality assurance and improvement program must include both internal and external assessments.
Standards 1311 – Internal Assessments Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.
Standards Interpretation 1311: Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards…
Standards 1312 – External Assessments External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board: The form and frequency of external assessment and the qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
Standards 1320 – Reporting on the Quality Assurance and Improvement Program The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.
Practice Guides
QAIP Framework
QAIP Components
QAIP Assessment
The Value of a QAIP
Assessments Standard 1311 – Internal Assessments Standard 1312 – External Assessments
Common improvement areas Definition - Discuss with (Supervisory) Board - Include in Charter Code of Ethics - Include in manual - Include in job descriptions - All staff should acknowledge compliance annually
Attribute Standards 1000: Purpose, Authority and Responsibility 1100: Independence and Objectivity - Define reporting line to CEO and Audit Committee (AC) - Define attendance at AC meetings - Include hiring/firing of the CAE
Attribute Standards 1200: Proficiency and Due Professional Care - Stimulate Professional Certification - Create Personal Development plan - Take into account external developments - Develop new competencies and skills (e.g. soft controls) - Utilize opportunities created by the employer
Attribute Standards 1300: Quality Assessment and Improvement Program (QAIP) - Do the self-assessment frequently - Include Quality aspects in operational processes - Check periodically if the manual needs an update - Communicate results of quality assessments to the CEO and AC
Performance Standards 2000: Managing the Internal Audit Function - Ensure audit universe is complete, up to date and accurate - Describe the methodology used for the risk assessment - Document the trail from universe to audit plan - Document the reasons for dropped audits
Performance Standards 2100: Nature of Work Include in every audit: - Governance aspects - Risk Management processes Advise on these matters in the report
Performance Standards 2200: Engagement Planning - Substantiate the Planning Memorandum, including interviews - Document red flags used to identify potential fraud - Align the audit program with the specific risk assessment made - Document manager’s approval of the audit program, prior to fieldwork
Performance Standards 2300: Performing the Engagement - Document field work done - Substantiate sampling method used - Ensure complete cross references - Document supervision of fieldwork - Create a trail from findings to the report and vice versa - Finalize all supervision before issuance of the draft report
Performance Standards 2400: Communicating Results Ask stakeholders for feedback on the reports, e.g.: - Overall quality of report - Extent to which risks are addressed - Level of detail - Clarity of audit opinion - Readability
Performance Standards 2500: Monitoring Progress - Frequently communicate follow-up activities on audit recommendations to appropriate levels of management - Report periodically on high-risk and overdue issues to CEO and AC
Performance Standards 2600: Communicating the Acceptance of Risks - Include in the Audit Charter the escalation procedure to be used when senior management and the CAE disagree on the acceptance of business risks - Include this disagreement in the audit report
Good luck with the External Quality Assessment
Thank you for your attention!