Quality Assurance and Improvement Program Tr How State Bank and Trust Documents Compliance With the Standards Each of the panelist provide a brief introduction as to our experience – and reason for on the panel.
1300 – Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. Interpretation: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The chief audit executive should encourage board oversight in the quality assurance and improvement program. Debi to discuss the standards
1311 – Internal Assessments Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity. Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices. Interpretation: Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards. Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.
1312 – External Assessments External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board: The form and frequency of external assessment. The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
1312 – External Assessments Interpretation: External assessments may be accomplished through a full external assessment, or a self-assessment with independent external validation. The external assessor must conclude as to conformance with the Code of Ethics and the Standards; the external assessment may also include operational or strategic comments. A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified. An independent assessor or assessment team means not having either an actual or a perceived conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs. The chief audit executive should encourage board oversight in the external assessment to reduce perceived or potential conflicts of interest.
1320 – Reporting on the QAIP The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. Disclosure should include: The scope and frequency of both the internal and external assessments. The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest. Conclusions of assessors. Corrective action plans. Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Code of Ethics and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments, and the results of ongoing monitoring are communicated at least annually. The results include the assessor’s or assessment team’s evaluation with respect to the degree of conformance.
Top 10 Standards with Lowest Conformance Level 5 years IIA Standards Description GC % PC % DNC% 1311 Internal Assessments 62% 36% 2% 1320 Reporting on the Quality Assurance and Improvement Program 69% 30% 1% 1010 Recognition of the Definition of Internal Auditing 75% 25% 0% 2020 Communication and Approval 83% 17% 1312 External Assessments 2240 Engagement Work Program 84% 16% 1310 Requirements of the Quality Assurance and Improvement Program 1300 Quality Assurance/Improvement Program 85% 15% 2340 Engagement Supervision 87% 13% 2010 Planning 89% 11% Richard Lane to cover
Top 10 Standards with Lowest Conformance 2017 Only IIA Standards Description GC % PC % DNC% 1311 Internal Assessments 58% 42% 0% 1320 Reporting on the Quality Assurance and Improvement Program 70% 30% 1312 External Assessments 77% 23% 1010 Recognition of the Definition of Internal Auditing 81% 19% 2240 Engagement Work Program 1300 Quality Assurance/Improvement Program 83% 17% 1310 Requirements of the Quality Assurance and Improvement Program 2340 Engagement Supervision 85% 14% 1% 2020 Communication and Approval 86% 1110 Organizational Independence 90% 10% Richard Lane to cover
Top 10 Standards with Highest Conformance Level 5 years IIA Standards Description GC % PC % DNC% 1120 Individual Objectivity 100% 0% 2440 Disseminating Results 1200 Proficiency and Due Professional Care 99% 1% 2400 Communicating Results 1111 Direct Interaction with the Board 98% 2% 1130 Impairments to Independence or Objectivity 2600 Management's Acceptance of Risks 2060 Reporting to the Board and Senior Management 2130 Control 2310 Indentifying Information Richard Lane to cover
Conformance Level in Attribute/Performance Standards, Code of Ethics and Overall Opinion 5 Years IIA Standards GC % PC % DNC % Attribute Standards 98% 2% 0% Performance Standards 97% 3% Code of Ethics 100% Overall Opinion 96% 4% Richard Lane to cover
State Bank and Trust Company Payroll/ Insurance/ Equip Leasing/ ABL 5 Bank Acquisitions 13 Failed Banks State Bank and Trust Company was formed with the purchase of 13 failed backs from the FDIC. Beginning as a multi-billion dollar community bank, there were immediate needs on day one which required out-sourcing solutions, including Internal Audit. As the bank has matured, in-sourcing these functions became a priority.
Small Audit Department One element of Mandatory Guidance is the Core Principles for the Professional Practice of Internal Auditing. These principles articulate internal audit effectiveness in accomplishing the Mission of Internal Audit. For the internal audit activity to be considered effective, all Principles should be present and operating effectively. The Core Principles include: Demonstrates integrity. Demonstrates competence and due professional care. Is objective and free from undue influence (independent). Aligns with the strategies, objectives, and risks of the organization. Is appropriately positioned and adequately resourced. Demonstrates quality and continuous improvement. Communicates effectively. Provides risk-based assurance. Is insightful, proactive, and future-focused. Promotes organizational improvement.
SBT QAIP History Highlights $3.9 Billion in assets – acquired from FDIC Immediate need for functional departments 2010 Risk Management outsourced November 2012 Director of Internal Audit hired 2013 New audit methodology/hire internal staff Audit Committee asked for external quality assessment (EQA) for 2015 completion
The External Quality Assessment Overall rating: Generally Conforms Relevant structures, policies, and procedures of the activity, as well as the process by which they are applied, comply with the requirements of the individual Standards and/ or elements of the Code of Ethics in all material respects
Opportunities Presented by EQA 1300 QAIP (overall) 1310 Requirements of QAIP 1311 Internal Assessments 1320 Reporting on QAIP 1321 Use of “Conforms with ISPPIA” 2010 Planning 2201 Planning Considerations 2230 Engagement Resource Allocation 2240 Engagement Work Program 2330 Documenting Information
EQA Implementations 2010 Planning Audit approach documented for each audit 2201 Planning considerations Auditee signs engagement letter with scope listed 2230 Resource allocation Rotation conflicts with proficiency Standard (1210) in small department 2240 Engagement work program Improvement noted over exam period 2330 Documenting Information
Standard 1300 Compliance Stats 5 of 10 top nonconformance issues cited by EQA are Standard 1300 – “Conformance to the Standards” Internal Auditor Feb 2016 29% of CAEs say QAIP nonexistent or ad hoc – “Core Principles and the QAIP” Internal Auditor Feb 2017 37% of organizations are not in conformance with Standard 1300 – “Core Principles and the QAIP” Internal Auditor Feb 2017 Many audit departments struggle with this, inherently more difficult for the small audit departments Most information on QAIP is for the larger audit departments
Opportunities Presented by EQA 1300 QAIP (overall) 1 1310 Requirements of QAIP 2 1311 Internal Assessments 3 1320 Reporting on QAIP 4 1321 Use of “Conforms with ISPPIA” 5 2010 Planning 2201 Planning Considerations 2230 Engagement Resource Allocation 2240 Engagement Work Program 2330 Documenting Information
Resources for QAIP $35 FSAC membership Required for Knowledge Brief access This article was reprinted with permission from the October 2015 issue of the Internal Auditor magazine, published by The Institute of Internal Auditors, Inc., www.theiia.org.
This article was reprinted with permission from the February 2017 issue of the Internal Auditor magazine, published by The Institute of Internal Auditors, Inc., www.theiia.org.
This article was reprinted with permission from the February 2016 issue of the Internal Auditor magazine, published by The Institute of Internal Auditors, Inc., www.theiia.org.