Quality evaluation and improvement for Internal Audit Svilena Simeonova

CONTENTS Quality of Internal Audit – review Legal and methodological framework Quality Assurance and Improvement Program (QAIP) Internal assessments External assessments Benchmarks for the assessment Internal Audit maturity model of the IIA related to QAIP Role of the central coordination units for Quality assurance process

1. QUALITY OF INTERNAL AUDIT – REVIEW Meeting expectations of the head of the organisation, audit entities, Audit Committee and other stakeholders; Conformity with the standards, definition and Code of Ethics; Conformity with legal requirements Adding value for the organization Contribution to the effectiveness and efficiency of the governance, risk management and control processes Providing relevant assurance and consultancy

LEGAL AND METHODOLOGICAL FRAMEWORK (1) International Standards for Professional Practice of Internal Auditing of the Institute of Internal Auditors 1300 – Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. 1310 – Requirements of the Quality Assurance and Improvement Program The quality assurance and improvement program must include both internal and external assessments. 1311 – Internal Assessments Internal assessments must include:  Ongoing monitoring of the performance of the internal audit activity; and  Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices. 1312 - External Assessments External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization.

LEGAL AND METODOLOGICAL FRAMEWORK (2) Standards of the Institute of Internal Auditors 1320 – Reporting on the Quality Assurance and Improvement Program The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. 1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement. 1322 – Disclosure of Nonconformance When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.

LEGAL AND METODOLOGICAL FRAMEWORK (3) The IIA Practice Advisories The IIA’s Quality assurance and improvement program Practice Guide 2012 National laws National Standards Guidance documents, ordinances, IA Charters, manuals National rules follow and specified the IPPF Standards requirements

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (1) The program is the key tool for maintaining quality and developing the Internal Audit function Aims of the QAIP: To evaluate conformity with the Definition, The Standards and the Code of Ethics To assess the efficiency and effectiveness of IA activity To identify opportunities for improvement Communication of the QAIP

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (2) Content of the QAIP: Internal Assessment External Assessment, the both focus on: The purpose and position of the IA unit; The unit’s structure and resources for delivering the service expected of it; The efficiency and effectiveness of the output-oriented auditing process; Positive demonstrable impact on governance, risk management and control processes

Internal Audit Engagement level Internal Audit Organizational level QUALITY ASSURANCE AND IMPROVEMENT PROGRAM (3) SCOPE / PERSPECTIVES OF THE QAI PROGRAM: Internal Audit Engagement level Planning Fieldwork conduct Reporting Follow-up actions Internal Audit Organizational level Written policies and procedures IA work meets stakeholders expectations The IA activity adds value and improves the organization External perspective Independent external assessment Of the entire IA activity Conformity, efficiency, effectiveness, meeting expectations

4. INTERNAL ASSESSMENTS (1) ONGOING MONITORING OF IA ACTIVITY An integral part of day-to-day work Consists of supervision, review and measurement of the IA engagements Is incorporated into the routine policies and practices The procedures should be clear, applicable and not overly complex Performed by Chief Audit Executive or another internal auditor appointed by CAE

4. INTERNAL ASSESSMENTS (2) PERIODIC SELF-ASSESSMENT Review of selected part of documentation of the IA engagement; Questionnaires, interviews, survey, including feedback from the audit entities; Comparison with the best professional practices ASSESSMENT BY OTHER PERSONS WITHIN THE ORGANIZATION WITH SUFFICIENT KNOWLEDGE OF IA PRACTICE Appropriate method for small IA units

5. EXTERNAL ASSESSMENTS (1) Two types External assessments Full external assessment by an independent competent assessor or team Self-assessment with independent external validation Frequency – at least once every five years Evaluation of conformity with the Standards, legislation, Code of Ethics and effectiveness of the IA activity too Aimed to find opportunities for improvement

5. EXTERNAL ASSESSMENTS (2) What is the scope of the External assessment ? Purpose and positioning Structure and resources Audit execution Impact Procedures Recommendations and Action plan for improvement Different practices and approaches ( peer reviews)

5. BENCHMARKS FOR THE ASSESSMENT Combination of quantitative and qualitative indicators: Numbers of audits performed Number of recommendation issued and implemented Quality of the findings in terms of materiality Quality of recommendations in terms of impact Degree of risks covered Amendments to the management and control set-up resulting from IA activities

Communication and Reporting Policy Methodology And Process People Systems and Information Communication and Reporting The Chief Audit Executive establishes and maintains a QAIP The methodology upon which the QAIP is based is based is derived from the IIA Standards IA staff are aware of their responsibilities related to the QAIP A standardized audit management system is used to document work papers The results of periodic internal assessment are summarized and discussed with audit management CAE communicates the results of the QAIP to senior management and the board The process to execute the QAIP is documented in the IA Policy and Procedure Manual Responsibility for implementation of the QAIP is assigned to personnel who are independent and objective Significant company systems are used to derive relevant Performance Indicators that are monitored and used during the IAQA process The results of periodic internal assessments are reported to and reviewed with senior management and the Audit Commitee The IA Policy and Procedure Manual describes the QAIP requirements The process is reviewed periodically to ensure it is current with the Standards requirements External assessments are conducted by qualified personnel who are independent from the organization External assessment provides deliver qualitative and quantitative benchmarks that are reported to management The IA activity charter establishes the requirements for the QAIP Fully dedicated IA staff are assigned to perform the periodic internal quality assessment with strong experience in IA and performing QA Client Feedback forms are solicited and received back from each client to assist in continuous improvement bnbnb

OVERALL MATURITY LEVEL Policy Methodology and Process People Systems and Information Communication and Reporting Optimized Continuous monitoring and updating Training and development monitored Extensive use of data mining and analytics; Communication and reporting highly effective Managed Policies are communicated to personnel Methodology and processes are communicated to personnel All resources have appropriate skills and credentials; targeted training in place Data integrity is high Quality an timeliness metrics defined and monitored Defined Policies are defined and in place and documented Uniform methodology and processes are defined, in place and documented Appropriate skills and credentials are in place; training requirements documented Stable systems in place C and R processes are defined, in place and documented Repeatable Policies are defined and in place but may not be documented Uniform methodology and processes are defined and in place Some specialized technical skills and credentials Fairly effective systems are in place; low reliance on data C and R processes are defined and in place but may not be documented initial Policies are not defined or in place Methodology and processes are not defined or in place Resource skills and credentials do not match process requirements High reliance on manual systems and spreadsheets C and R done on an ad hoc basis; no validation of results or focus on quality bnbnb

8. ROLE OF THE CENTRAL COORDINATION UNITS FOR QUALITY ASSURANCE PROCESS To develop guidelines To collect information To provide examples of good practice To monitor and review To participate in peer reviews

Thank you!