1. Tom Taylor – Mutual of Enumclaw, ttaylor@mutualofenumclaw.com Annette Mumford – HomeStreet Bank, annette.mumford@homestreet.com

2.  Overview of the QAR standards  Full external assessment – HomeStreet Bank ◦ Approach ◦ Scope ◦ Preparation ◦ Deliverables ◦ Pros/Cons/Rewards/Challenges  Self-Assessment with independent external validation – Mutual of Enumclaw ◦ Approach ◦ Considerations ◦ Stakeholders ◦ Challenges ◦ Pros  Reviewer qualifications  Work program  Recommended Steps

3. 1. Does your audit function report to the Audit Committee (AC)? 2. How many CAEs here have educated their AC’s on Standards and the QAR process? 3. How many have had a QAR of their audit department? 4. Who is preparing for or planning on doing this? 5. Who has received training or received the accreditation as an independent assessor or validator?

4.  QAR required under the IPPF  Standards are mandatory for auditors who are CIA’s or members of the institute  An external review once every five years

5. # 1300 – Quality Assurance and Improvement Program  The CAE is responsible for developing and maintaining a quality assurance and improvement program  Covers all aspects of the internal audit activity and continuously monitoring its effectiveness  Provides assurance of conformity with IIA Standards and Code of Ethics  Assesses efficiency and effectiveness

6. # 1310 – Quality Program Assessments  Process to monitor and assess the overall effectiveness of the quality program. Includes both:  #1311 - Internal Assessments  #1312 - External Assessments # 1320 – Reporting on the Quality Program  The CAE reports the results of the assessments to the board and senior management.

7. # 1321 – Use of “Conforms with International Standards for the Professional Practice of Internal Auditing”  Not required language but if used, must have an assessment that demonstrates in compliance with the Standards. # 1322 – Disclosure of Noncompliance  To Senior management and board if noncompliance with the Standards impact overall scope or operation of the internal audit activity.

8. # 1312 – External Assessments External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

9. Practice Advisories

10.  What: Engaged a third party for an independent assessment of compliance with IIA Standards and use of best practices  Who: We used the IIA. Services can be provided by accounting firms, IA Services firms, IIA, independent consultants, NALGA Peer Review (government).  How Long: Approximately 3 months start to finish. On-site work completed in 1 week. HomeStreet Approach

11.  Compliance with IIA Standards and Code of Ethics.  Use of best/leading practices  Expectations of IA’s stakeholders – interviews and surveys.  IA’s Charter, plans, policies, procedures, practices, including QA program. Any regulatory requirements.  IA’s reports to management and the AC.  Integration of IA into organization’s corporate governance and risk management processes. HomeStreet – Approach

12.  Audit universe, risk assessment, annual audit planning  Staff credentials and experience. Staff development.  Information technology  Evaluation of IA’s use of best practices/value added  Workpaper review HomeStreet Approach

13. Long Lead Time Items:  At least one year before, establish internal QAR processes – ongoing and periodic.  Well in advance, perform a self-assessment against the standards to gauge preparedness. (Remediate if needed/Report Gaps.)  Discuss QAR standards and your plans with the Audit Committee and other key stakeholders HomeStreet - Approach

14. Engagement Specific Prep:  Review bios/resumes of QAR team to ensure they have the right experience. These individuals will meet with your AC Chair, Senior managers, etc. Needs to be a good fit.  Respond to the QAR team’s requests for information (complete questionnaires, assemble documentation, etc.)  Communicate internally with the Audit Committee, members of management, and the internal audit team on the process, timing, etc. HomeStreet – Approach

15. Report issued that includes:  Opinion on compliance to the Standards. ◦ Best Rating - “Generally Conforms”  Assessment and evaluation of the use of best practices.  Recommendations for improvement.  Responses from CAE that include action plans and implementation dates.  Report is issued to the Board & CAE. HomeStreet Approach

16.  Pros/Considerations  Robust value-added for CAE and IA customers – best practices, benchmarking.  Experienced team – composed of other CAEs with prior QAR experience, and in our case bank audit experience  Efficient process  Felt an outside party would be more willing to provide more constructive input – more value  Credible assurance to stakeholders  For large audit departments, may be best choice.

17.  Cons/Considerations  Likely more expensive both for the engagement itself and travel costs.  Potential consultant bias to sell services (influenced our decision to use the IIA)  May have less flexibility on scheduling as QAR team is likely not local. Some senior managers were not available for interviews the week of the on site work. HomeStreet Approach

18.  Be sure to allocate enough time for the preparation and on site work. It is a big time commitment!  Be open for both validation of those things your shop does well and opportunities for improvement/best practices – this is where the value lies.

19.  CAE/auditor performs self-assessment and independent reviewer validates with testing.  Same criteria evaluated as in the full external assessment.  Accounting firms, IA services firms, independent consultants, Puget Sound IIA Chapter, auditors from other companies can validate. MOE Approach

20.  Three local firms utilized.  Non-competitive industries.  From each company, one CAE and one Sr. or Manager.  All signed NDAs.  Each company first completed a self-assessment.  Utilized the test plan provided by the IIA.  Gathered supporting evidence and self-scored.  All materials digital and cross referenced.  Kick off meeting with all three companies present. MOE Approach

21.  2-4 weeks of internal self-assessment time prior to validator.  Validation step did not include auditors from company being assessed.  Allowed for one week on-site for each company.  Another one/two weeks offsite to compile, vet and create report.  CAE’s contributed to the governance sections.  Having CAE sit in on interviews with audit committee chair and c-suite executives was good. Helped build trust and credibility with executives. MOE Approach

22.  Validator documents agreement or disagreement with conclusions in the self- assessment report.  Issued separate final from the self- assessment report.  Validation report went to the Board. ◦ I also shared report with Management.  CAE also received a separate report from the other CAE’s on general tips/observations. MOE Approach

23. Critical to manage expectations!!! Educate!  CAE & Internal Audit Department ◦ Is a reflection on leadership & staff skills  CEO  Management ◦ Answers question of “Who audits the Auditor?” Can give the department credibility.  Board ◦ Provides confidence that the audit shop is in fact functioning according to best practice standards MOE Stakeholders

24. ◦ Company’s appetite for a QAR? Audit Committee? ◦ Do you need a little time to prep (i.e., fix known issues). ◦ Consider a pre-QAR to get your house in order. ◦ Best for the CAE to be championing vs. Audit Committee. ◦ As a CAE, you should have a clear picture of “Why.” ◦ Be passionate about the why! ◦ You are putting all of your laundry out for others to see. Could impact your reputation and career. Must take seriously! MOE Considerations

25.  Multi-year journey.  Timing is a consideration.  Is the CAE new to the role? (can be a good time to engage) - provides great feedback or a road map on where to focus energy.  If CAE has been in the role for a while, there are additional considerations. MOE Considerations

26.  Assessment format to adopt?  Reporting format for final presentation?  Scheduling conflicts come up given multiple organizations.  Merging different auditing styles (black and white vs gray).  Often, this is the first time groups have engaged in such review activities. MOE Challenges

27.  Less expensive.  I liked being a little closer to the review.  Sharing of best practice, peer to peer.  I felt I could relate better to local teams vs. an academic approach or consultant.  Local companies brought a lot of credibility vs. an unknown.  Value-add for CAE and IA stakeholders comes from the input of local practitioners, benchmarking, interviews.  May be best for smaller IA Departments. MOE Self-Assessment Pros

28.  Independence ◦ Reciprocal arrangements between 3 or more can be ok.  Integrity and Objectivity.  Competence – certified (CIA, CPA, CISA), knowledgeable of IA Standards, current with IA best practices, 3 or more years IA experience recommended.  Relevant industry experience – recommended but not necessary.  IT Audit experience - recommended but not necessary.

29.  Perform periodic Internal Assessments (see 1311-1) to review IA practices and compliance with the Standards and Code of Ethics.  Determine whether performance is consistent with Charter and stakeholder expectations. Consider surveying stakeholders.  Assess use of best practices and value added to organization.

30. There are six Program Segments: 1. Assessing the Organization 2. Risk Assessment & Engagement Planning 3. Staff Professional Proficiency 4. Information Technology 5. Assessing Production & Value Added 6. Individual Workpaper File Review

31. In preparing for a QAR, it is helpful to understand the relationship between the Program Segments and the Internal Auditing Standards

32. This program segment addresses compliance with six separate standards: ◦ 1000 Purpose Authority & Responsibility ◦ 1110 Organizational Independence ◦ 1210 Proficiency ◦ 1220 Due Professional Care ◦ 1230 Continuing Professional Development ◦ 2040 Policies & Procedures

33. The Risk Assessment & Engagement Planning Segment addresses the following standards: ◦ 1230 Continuing Professional Education ◦ 2010 Planning ◦ 2010.A1 Engagement Planning based on Risk Assessment ◦ 2020 Communication and Approval ◦ 2030 Resource Management ◦ 2050 Coordination ◦ 2060 Reporting to the Board & Senior Management ◦ 2110 Risk Management ◦ 2340 Engagement Supervision

34. The Staff Professional Proficiency Segment addresses the following standards: ◦ 1120 Individual Objectivity ◦ 1210 Proficiency ◦ 1220 Due Professional Care ◦ 1230 Continuing Professional Development

35. The IT segment, although not specifically referenced to any of the standards, evaluates the IT audit function’s compliance with the following standards: ◦ 1000 Purpose Authority & Responsibility ◦ 1110 Organizational Independence ◦ 1200-1230 Proficiency & Due Professional Care ◦ 2200 – 2240 Engagement Planning

36. The program segment for “Assessing Production & Value Added relates to the following standards :  1110.A1 Independence in determining audit scope & communicating results  2030 Resource Management  2400 Communicating Results

37. The program segment for “Assessing Production & Value Added” relates to the following standards:  1220 - Due Professional Care  2030 - Resource Management  2112 – 2130 – Scope of Work  2200 – 2240 - Planning the Engagement  2300 – Performing the Engagement  2310 – 2340 – Examining & Evaluating Information  2400 – 2500 – Communicating Results & Follow up

38.  Brief your audit committee on the requirement and how you plan to meet it.  Compare your practices against standards, address any gaps.  Consider taking the IIA’s QAR class and/or purchasing the IIA QAR Manual  Identify who will perform your QAR or validation