Panel discussion: Organising internal audit system and performing audit engagements Ciaran SPILLANE, Principal Advisor, Internal Audit Service of the European Commission PEMPAL Audit in Practice Working Group – 46th IACOP meeting, Brussels 1 March 2018
Overview of European Commission's IAS We are the European Commission’s internal auditors; We were founded in 2001 after the Reform process in the Commission; today we are a mature public sector audit service; We give recommendations, opinions and advice to Commission Directorate Generals and EU agencies; Our independence is provided for in our Mission Charter, adopted by the Commission.
Strategic Audit Plan 2016-2018 – Risk Assessment Generally consists of a bottom-up approach, including a review and update of the audit universe (financial and non-financial activities and processes). Top-down steer: after stakeholder consultation IAS Senior Management identified number of themes/risks considered key for EC in coming years. Commission-wide themes {Better Regulation; Performance culture; IT systems} whilst others were DG-Specific ones Consultation of audited entities: Broadly classified under four categories: political, performance, financial and IT risks. Within these, the main issues raised were External (Political), Performance and IT ones. IAS focus more on Performance & IT risks.
Risk Assessment and Audit universe Financial processes Non Financial processes Grants Procurement Ethics Communication IAS Strategic Audit Plan Risk assessment Risk Assessment and Audit universe IT BCP Financial statements HR Payroll Monitoring EU law Risk factors Audit Results REPORTING Performance Indicators 80% Financial 20% Non-financial (C1/C2) 276 auditable entities representing commitments of €139bn and payments of €122bn in 2010 135 auditable entities
Quality Assurance and Improvement Programme (QAIP) External assessments can take the form of a full external assessment performed by an independent qualified external assessor or a self-assessment validated by an independent qualified external assessor. They are performed once every five years and cover all IAS operations. The key objective of the external assessment is to evaluate and conclude on conformance with the MA Definition of Internal Auditing, the Code of Ethics and the Standards. The external assessment may nevertheless also consist of a broader scope. The precise nature and scope of 1 the external assessment are determined and approved by the Internal Auditor before the start of the exercise. As appropriate, the evaluation report should include recommendations for improvement. Quality Assurance and Improvement Programme (QAIP) Primary objective of this QAIP = promote continuous improvement. Designed to assess efficiency and effectiveness of internal audit activity and enable an evaluation of: • Conformance with the IIA Definition of Internal Auditing, the Code of Ethics and the Standards; • The adequacy of the internal audit charters, goals, objectives, policies and procedures; • The contribution to the governance, risk management and control processes of all audit entities in the IAS portfolio; • The coverage of the audit universe; • Compliance with applicable laws, regulations and standards to which the internal audit activity may be subject; • The risks affecting the operation of the IAS; • The effectiveness of continuous improvement activities and adoption of best practices; • The extent to which the internal audit activity adds value, improves the organisation's operations and contributes to the attainment of objectives.
QAIP: External Assessments Either full external assessment performed by an independent qualified external assessor or a self-assessment validated by an independent qualified external assessor. Performed once every five years and cover all IAS operations. Key objective of the external assessment is to evaluate and conclude on conformance with the IIA Definition of Internal Auditing, the Code of Ethics and the Standards. Evaluation report should include recommendations for improvement. IAS EQAs were in 2008, 2011 (Dir.A), 2013 (Dir.B) and 2016. Generally conforms (GC): highest level of conformance possible the assessor has concluded for individual standards that the internal audit activity complies with the requirements of the standard or elements of the Code of Ethics (both Principles and Rules of Conduct) and the Definition of Internal Auditing in all material respects. RESULTS: 2008 =GC; 2011 = GC, PC with 7 Standards; 2013 = GC with all 50 Standards 2016 = GC with all 50 Standards
Certification: Professional qualifications of IAS Staff
Certification: Internal Audit Training Programme (IATP) Objective of in-house IATP: guarantee continuous professional development of our IAs to meet professional standards set by the Institute of Internal Auditors (IIA) for internal auditing. Ultimate goal of IATP: prepare IAs for internationally recognised audit certification and to pass a certification test either for: Certified Government Auditing Professional (CGAP®), Certified Internal Auditor (CIA®), Certified Information Systems Auditor (CISA®), and/or other certification programmes (e.g. Chartered Accountant 8th Dir.). Strengthens the credibility of our auditors and increases leverage in making IAS' recommendations accepted. Continuing Professional Education (CPE) Participation to IATP courses entitles the holders of IIA professional certifications (CIA, CGAP, CCSA, CFSA, etc.) to CPE points. IATP in 6 constituent parts
Questions?
Contact the Internal Audit Service: ias-europa@ec.europa.eu