Independent Internal Audit Quality Reviews June 2018

Independent Internal Audit Quality Reviews Internal Auditing A definition Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Success determined by “adding value in helping an organisation accomplish its objectives” IA - an integral player in the team Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews Quality is a key pillar for IA to achieve success 1300 – Quality Assurance & Improvement Program The CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. Interpretation A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The CAE should encourage board oversight in the quality assurance and improvement program. Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews Conformance with the IIA Standards Structure of the IIA Standards 1. Attributable standards 2. Performance standards Attributable standards address the attributes of organisations and individuals performing internal auditing. The performance standards describe the nature of internal auditing and provide quality criteria against which the performance of these services can be measured. 1000 – Purpose, Authority & Responsibility 1100 – Independence & Objectivity 1200 – Proficiency & Due Professional Care 1300 – Quality Assurance & Improvement Program (1310 – must include both internal and external assessments) 2000 – Managing the Internal Audit Activity 2100 – Nature of work 2200 – Engagement Planning 2300 – Performing the Engagement 2400 – Communicating Results 2500 – Monitoring Progress 2600 – Communicating the Acceptance of Risk Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews 1311 – Internal Assessments Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices. Some processes and tools used in internal assessments Engagement supervision – checklists and procedures Feedback from audit customers and other stakeholders Project budgets, timekeeping systems, audit plan completion, cost recoveries, Analysis of other performance metrics (such as cycle time and recommendations accepted) Benchmarking against relevant best practices of the internal audit profession At least annually, the CAE reports the results of the internal assessments, necessary action plans, and their successful implementation to senior management and the Board Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews 1312 – External Assessments External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. The chief audit executive must discuss with the board: The form and frequency of such external assessment. The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest. Interpretation External assessments contain an expressed opinion as to the entire spectrum of assurance and consulting work performed by the internal audit activity The scope of work should also include benchmarking, identification, and reporting of leading practices that could assist the internal audit activity in becoming more efficient and/or effective External assessments may be accomplished through a full external assessment, or a self- assessment with independent external validation Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews External Assessor - competencies required Performing and communicating the results of an external assessment require the exercise of professional judgement. Accordingly, an individual serving as an external reviewer should be: A competent, certified internal audit professional, who posses in-depth knowledge of the Standards Well versed in the best practices of the profession Have at least three years of recent experience in the practice of internal auditing or related consulting at a management level Independent of the organisation, not part of or under the control of the organisation Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews External Assessments – Gathering of information When performing an external assessment, amongst others the Assessor would: Undertake a review of the Internal Audit Charter and Audit Committee meeting minutes Conduct interviews with the CAE, Audit Committee Chair, CEO and C-Suite, Co. Secretary, Statutory auditors and internal audit personnel, Review internal audit’s risk assessment and audit planning processes Understand the extent to which key internal policies and procedures are documented Understand the IT processes and infrastructure supporting the operations Assess the entity’s internal governance set-up and understand the extent to which reporting lines and responsibilities are clearly defined Review a representative sample of working files and IA reports Assess how and the extent to which adequate follow-up action is undertaken by the CAE in conjunction with the respective process owners in addressing gaps and recommendations identified in prior audits Review staff management and training processes Review any additional documentation which will be deemed useful for formulating a ‘baseline’ understanding of the internal audit function. Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews External Assessments – Analysing information gathered Presented above is EY’s proprietary IA framework, demonstrating how the functions assessed when undertaking such assessments are mapped directly to the IIA Standards. Each Standard is then individually scored as either; generally conforms, partially conforms or does not conform. Institute of Internal Auditors Standards AS1000 Purpose, authority & responsibility AS1010 Discuss purpose AS1100 Independence & objectivity AS1110 Organisational independence AS1111 Interaction with the Board AS1120 Individual objectivity AS1130 Impairment to objectivity AS1311 Internal assessments AS1312 External assessments AS1320 Quality reporting AS1200 Proficiency & due professional care AS1210 Proficiency AS1220 Due professional care AS1230 Continuing Professional Development AS1300 QA and improvement program AS1310 QA assessments PS2000 Managing IA activity PS2010 Planning PS2030 Resource management PS2050 Coordination & reliance PS2100 Nature of work PS2110 Governance PS2120 Risk management PS2130 Control PS2200 Engagement planning PS2300 Performing the Engagement PS2400 Communicating Results PS2500 Monitoring Progress PS2600 Communicating the Acceptance of Risk Purpose People Process Reporting Quality and risk assurance Knowledge management Tools and technology IA methodology and delivery Stakeholder reporting People and skills development Team/org structure Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews Some key areas of focus when assessing the work carried out by Internal Audit Effective corporate governance structure Whether the Internal Audit function is strongly supported by an effective corporate governance structure within the company which ensures that contentious issues and top risks are identified and effectively addressed by all departments on a timely basis. Strong communication links between IA function and the executive management Assess whether there appears to be good communication links between the IA functions and the executive management. Technical competence and training of IA staff Assess whether the Internal Audit staff are technically competent and have a sound knowledge of the company’s business processes. Risk identification and Engagement scoping Maturity of risk identification process (auditing the key risks – risk based auditing) and that the engagement scoping is wide-encompassing, i.e. addressing the identifiable risks related to the specific audit areas. Structure of Internal Audit documentation Internal Audit documentation retention is well structured and precise clearly delineating the internal audit procedures, sample testing assumptions used and risks identified. Adequately reviewed. Reporting protocol framework Reports should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans. Follow-ups to ensure that agreed action plans are implemented. Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews 1320 – Reporting on the Quality Assurance and Improvement program The CAE must communicate the results of the quality assurance and improvement program to senior management and the board (at least annually). Disclosure should include: The scope and frequency of both the internal and external assessments The qualifications and independence of the assessors, including potential conflicts of interest Conclusions of assessors and corrective action plans Interpretation The preliminary results of the external review should be discussed with the CAE during, and at the conclusion of the assessment process. Final report should be communicated to the CAE, preferably with copies sent directly to appropriate members of senior management and the board. The CAE should communicate the results of the external quality assessment, including any significant remedial action to be taken to the various stakeholders such as senior management, the board and external auditors. Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews 1320 – Reporting on the Quality Assurance and Improvement program Assessor’s conformity opinion The expression of an opinion requires the application of sound business judgement, integrity, and due professional care. The Assessor’s opinion on the IA activity’s conformance with the definition of Internal Auditing, the Code of Ethics and the Standards should be based on a structured rating process. The term “conformance” means that the practices of the IA activity taken as a whole, satisfy the above requirements. “Non-conformance” means that the impact and severity of the deficiencies are so significant that they impair the IA activity’s ability to discharge its responsibilities. A “partial conformance” opinion can also be expressed which should point out the areas of partial compliance and the improvements required. Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews 1300 – Quality Assurance & Improvement Program 1321 – Use of ‘Conforms with the International Standards for the Professional Practice of Internal Auditing’ Indicating that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing is appropriate only if supported by the results of the quality assurance and improvement program. 1322 – Disclosure of non-conformance When nonconformance with the Code of Ethics or the Standards impact the overall scope or operation of the internal audit activity, the chief audit executive must disclose nonconformance and the impact to senior management and the board. Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews Self-assessment with independent external validation (option to a full external assessment) A team fully under the direction of the CAE performs and fully documents the self- assessment process. A draft report, similar to that for an external assessment, is prepared including the CAE’s judgement on conformance with the Standards. An independent external reviewer will review the CAE’s draft report and attempts to reconcile unresolved (open) issues if any. If the reviewer is in agreement with the CAE’s opinion of conformance this should be stated accordingly and added on to the CAE’s conformance report. If not in agreement, the reviewer should specify the points of disagreement and add on his recommendations to address the findings, the CAE’s report to be updated accordingly and signed off by CAE and independent reviewer. Alternatively if there are significant dissenting opinions the reviewer may prepare a separate independent validation report expressing his disagreement with the CAE’s opinion. Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews The Assessor’s opinion also refers to conformance with the Code of Ethics Integrity - The integrity of internal auditors establishes trust and provides the basis for reliance on their judgement. Objectivity - Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors are expected to apply and uphold the following principles: Confidentiality -  Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so. Competency - Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services. Measuring the success of the Internal Audit function

Independent Internal Audit Quality Reviews Kevin Mallia EY – Partner, Advisory kevin.mallia@mt.ey.com Thank you Measuring the success of the Internal Audit function