Presentation on theme: ". . . key messages for CAEs, Senior Management and the Board"— Presentation transcript:
1 . . . key messages for CAEs, Senior Management and the Board Setting a Standard forQuality. . . key messages for CAEs, SeniorManagement and the Board
2 Internal Auditing Independent Objective Assurance and consulting activityAdds valueImproves operationsHelps accomplish objectivesThe International Standards for the Professional Practice of Internal Auditing support this definition of internal auditing.
3 and disciplined approach to evaluate and improve the effectiveness Internal AuditingBrings a systematicand disciplined approach to evaluate and improve the effectivenessof theGovernance,Risk Management,& ControlThis definition of internal auditing was approved by The IIA Board of Directors 6/26/99.
4 Professionalism Means: Adherence to the Standards.Compliance with the Definition of Internal Auditing and the Code of Ethics.Competency, evidenced by certification (CIA).Maintaining a “Quality Assurance and Improvement Program.”Relevance, ongoing professional development.Internal auditing is a true profession, guided by Standards and a Code of Ethics, and clearly defined.
5 Internal Auditing and Quality Nobody in the organization better understands the need for independent and objective assessment of quality than do the internal auditors.They audit, review, and assess the work of others on a daily basis. They understand the great value this can bring to the entire organization.To ensure consistent quality in this dynamic environment, an ongoing commitment to growth and improvement is essential.
6 Internal Auditing and Quality The International Standards for the Professional Practice of Internal Auditing mandate that the internal audit activity be assessed for quality.This presentation explains why quality is so important to internal audit professionalism and performance.To ensure consistent quality in this dynamic environment, an ongoing commitment to growth and improvement is essential.
7 Internal Auditing and Quality Q. Why is a quality assurance and improvement program necessary?A. As an organization grows, its operations undergo refinement, and its internal processes change and evolve, its quality monitoring process must keep pace.To ensure consistent quality in this dynamic environment, an ongoing commitment to growth and improvement is essential.
8 Internal Auditing and Quality Q. What does a quality assurance and improvement program include?A. The required elements of the program are periodic internal and external quality assessments, ongoing internal monitoring, and assurance that the internal audit activity is complying with the Standards, the definition of internal auditing and the Code of Ethics. (Standards 1300 & 1310)
9 Internal Auditing and Quality Q. What is a quality assessment?A. A quality assessment, or QA, evaluates compliance with the Standards, the definition of internal auditing, the Code of Ethics, the internal audit & audit committee charters, the organization’s governance, risk and control assessment, and the use of successful practices.Regardless of industry, sector, or size of staff, a QA can provide valuable insights in regard to:Control frameworks.Enterprise risk management (ERM).Internal audit report writing and communication.Partnering with management.Performance improvement.Information technology.Departmental operations, costs, and productivity.Quality assurance programs.Customer relations.Control self-assessment (CSA).Implementation of regulatory requirements.Emerging trends and adding value.Staff development and other issues relating to human resources.
10 Internal Auditing and Quality Q. Which organizations should obtain QAs?A. All internal audit departments, even those outsourced or co-sourced, must undergo internal & external quality assessments.Ongoing and periodic internal assessments lay the foundation for external assessments, and together, internal and external QAs make up the quality assurance and improvement program.
11 Internal Auditing and Quality Q. If an organization has not yet established a Quality Assurance and Improvement Program, how can it start the process?A. A good first-step is to assess the level of compliance with the definition of internal auditing, the Standards and the Code of Ethics.Practice AdvisoryAccording to the Standards, the QA process should include both internal and external assessments.
12 Internal Auditing and Quality Q. How do internal and external QAs differ?A. Internal Assessments comprise ongoing internal evaluations of the internal audit activity, coupled with periodic self-assessments and/or reviews.Practice AdvisoryThese internal assessments are conducted by persons within the organization’s internal audit activity under the direction of the CAE. Involvement, however, precludes total objectivity.
13 Internal Auditing and Quality Q. How do internal and external QAs differ?A. External Assessments require an outside team of independent reviewers to evaluate compliance with the Standards, the definition of internal auditing, the Code of Ethics, the use of successful practices and the efficiency and effectiveness of the internal audit activity.Practice Advisory &2
14 Internal Auditing and Quality Q. What are the benefits of an independent external QA?A. It allows the internal auditors to state that their activities are conducted “in accordance with the International Standards for the Professional Practice of Internal Auditing.”It also builds stakeholder confidence by documenting management’s commitment to quality and best practices, and the internal auditors’ mindset for professionalism.Obtaining an external QA provides evidence to the board, management, and staff that the audit committee and the internal audit activity are concerned about the organization’s internal controls, ethics, governance, and risk management processes.
15 Internal Auditing and Quality Q. When must an internal audit shop have an external QA?A. It is mandatory that every internal audit activity have an external quality assessment at least every five years to be in compliance with the Standards (Standard 1312).According to the requirement, internal audit departments in existence when Standard 1312 was adopted on January 1, 2002, must have an external QA by January 1, Departments established later, have five years from the date they were formed to comply with the requirement. Subsequently, all internal audit shops should have an external QA every five years.
16 Internal Auditing and Quality Q. How is an external QA conducted?A. There are various acceptable methods of performing external QAs. One typical methodology includes advanced preparation, on-site activities, and the reporting process.The preparation stage entails a self-study, preliminary meeting, audit customer survey, and internal audit staff survey.The on-site activities comprise interviews, reviews of records, policies, and procedures; and a closing meeting.The final stage is delivery of a written report on the findings with recommendations for improvement.
17 Internal Auditing and Quality Q. What are appropriate external QA approaches?A. Regardless of an organization’s industry or the internal audit activity’s complexity or size, there are two approved approaches for external QAs.Practice Advisory External AssessmentsPractice Advisory Self Assessment with Independent ValidationThe first approach — an independent assessment with independent validation — involves an outside team under the leadership of an experienced and professional project manager. The team members should be competent professionals who are well versed in best internal audit practices.The second approach seeks out an objective outside party for independent validation of the internal self assessment and report completed by the internal audit activity. This approach brings in a competent independent evaluator who is well versed in quality assessment methodology to validate the aforementioned self-assessment of the internal audit activity. In addition to reviewing the self-assessment, the validator substantiates some of the work done by the self-assessment team, makes an on-site visit, interviews senior management, and either co-signs the CAE’s report regarding conformity to the Standards, or issues a separate report on the disparities.Integral to both external QA approaches is the element of objectivity. Without this, the Standards have not been met. The CAE should fully explain to the audit committee why the QA is necessary and valuable, how the approaches to external QAs differ, and which of the approaches is deemed most appropriate for the organization.NOTE: It is important that the CAE receive board approval for the chosen approach.
18 Internal Auditing and Quality Q. What are the selection criteria for external QA providers?A. At a minimum, the QA provider should use a methodology that includes compliance with the Standards, definition of internal auditing and the Code of Ethics as the benchmark for quality.All team members should be competent in the professional practice of internal auditing, knowledgeable about the external assessment process, and independent of both the organization and the internal audit activity to be assessed.
19 Internal Auditing and Quality Q. How do peer reviews fit into the QA process?A. External quality assessments or self assessments can be conducted through peer reviews instead of utilizing an external service providers.Although peer reviews among three or more organizations meet the external QA requirements, reciprocal peer reviews between two organizations do not pass the independence test.Internal auditors from at least three different organizations come together to form a pool of professionals, all of whom are qualified to conduct external assessments.One type of peer review team consists of members from different organizations within an industry or other affinity group, regional association, or other group of organizations. Because assuring appropriate composition and assignments of the teams is imperative, administration of this process can be quite challenging.
20 Internal Auditing and Quality Q. What are the repercussions of not acquiring an external QA?A. If the internal audit activity does not acquire the external assessment at least every five years, it is forbidden to use the phrase, “conforms with the International Standards for the Professional Practice of Internal Auditing,” in its internal audit charter or reports.Practice AdvisoryThe CAE should report to the board and management the rationale for noncompliance with the external QA requirement.A CAE who uses the statement, “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing,” while not in compliance is subject to ethical disciplinary sanctions by The IIA.
21 Internal Auditing and Quality Q. What if the results of an external QA are negative?A. The organization should create an action plan that specifically addresses each opportunity for improvement cited in the assessment. The CAE must disclose nonconformance and the impact with Senior Management and the board. (Standard 1322)Both the results and the corrective action plan should be reported to the audit committee. Until corrections have been made and compliance has been achieved, the internal auditors may not indicate in any documents that their internal audit work has been “conducted in accordance with the Standards.”
22 Internal Auditing and Quality Q. What is the next step to the process if the results of an external QA are positive?A. Once the QA has been completed; the CAE must communicate the results to the senior management and the board. (Standard 1320)The internal audit activity charter and all audit reports may include the phrase, “Conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.” The organization may choose to publicize compliance in its annual report. Although The IIA neither reports nor posts whether the QA results were positive or negative, it does maintain a list of organizations with the year in which they received their most recent external assessment.After you have obtained an external assessment, please notify to be included in the online list.
23 Internal Auditing and Quality Q. What QA resources are available?A. The IIA provides free samples, models, and other resources, based on quality assessment successful practices. Visit the QA section of to access and/or download these valuable tools.
24 This presentation is from The Institute of Internal Auditors Global Headquarters Questions? Contact -