Classification: Public عام
The Guide to an Effective Internal Audit Activity
May 7th, 2018
Farah AlRuwaily
Objectives Of The Session
Understand Std. 1300 -Quality Assurance and Improvement Program (QAIP)
Understand the types of QAIP:
Internal Assessments
o Ongoing monitoring
o Periodic review
External Assessments
Benefits and Challenges
How can we achieve credibility?
How can we be perceived as professionals?
How can we implement the standards? QAIP
What Is The Internal Audit’s Major Asset?
“To provide credible assistance and constructive challenge to management, auditors must be perceived as professionals.
Professionalism requires conforming to a set of professional standards.”
According To The IIA’s Quality Assessment Manual
1300- Quality Assurance and Improvement Program (QAIP)
Elements of QAIP include
1. A scope that includes all aspects of the IA activity
2. An evaluation of conformance with Std. & Code of Ethics,
3. An assessment of the efficiency and effectiveness of IA activity, &
4. The identification of opportunities for continuous improvement.
5. Involvement by the Board in oversight of QAIP.
The CAE must develop and maintain QAIP that covers all aspects
of the internal audit activity.
1310- Requirements Of The Quality Assurance And Improvement Program
QAIP must include both internal and external assessments.
Elements Of QAIP
Quality Assurance & Improvement
Program (QAIP)
Internal Assessments
1- Ongoing Monitoring of performance
2- Periodic Self-Assessment
External Assessment
1311- Internal Assessments
Internal assessments must include:
• An ongoing monitoring of the performance of the IA activity.
• Periodic self-assessments or assessments by other persons
within the Org. with sufficient knowledge of internal audit
practices.
1- Ongoing Monitoring
• Addresses quality on an audit-by-audit basis
• Addresses conformance with 4 Performance Standards at the engagement level:
2200: Engagement Planning
2300: Performing the Engagement
2400: Communicating Results
2500: Monitoring Progress
IAD- Ongoing Monitoring
No. 1
Standard: 2200- Engagement Planning (2201- Planning Considerations; 2210- Engagement Objectives; 2220- Engagement Scope; 2230- Engagement Resource Allocation; 2240- Engagement Work Program)
Tools and/or processes in place: The internal audit department implements the standard through preparation of the Opening Letter, Planning Memorandum, & Audit Program.
No. 2
Standard: 2300- Performing the Engagement (2310- Identifying Information; 2320- Analysis and Evaluation; 2330- Documenting Information; 2340- Engagement Supervision)
Tools and/or processes in place: The internal audit department implements the standard through performing information requests, data analysis, risk and control assessment, execution of the audit program, working papers, signoffs, and saving engagement records.
IAD- Ongoing Monitoring (Cont’d.)
No. 3
Standard: 2400- Communicating Results (2410- Criteria for Communicating; 2420- Quality of Communications; 2421- Errors and Omissions; 2430- Use of “Conducted in Conformance with the IIA Standards”; 2431- Engagement Disclosure of Nonconformance; 2440- Disseminating Results; 2450- Overall Opinion)
Tools and/or processes in place: Results of audit engagements are communicated to the audit clients during both field work and reporting stages. Internal audit department reports and communication processes are designed to conform with standards.
No. 4
Standard: 2500- Monitoring Progress
Tools and/or processes in place: CAE must maintain a system to monitor disposition of results communicated to Mgmt. This can be achieved by the “Quarterly Reports” as a follow-up process to monitor and ensure that management actions have been implemented.
How To Achieve Ongoing Monitoring?
• Proper engagement planning and supervision,
• Standardized work practices (e.g. workpapers and signoffs),
• Checklists to provide assurance on compliance with established P&P & to ensure consistency in the application of performance Std.
• Feedback from internal audit clients on the efficiency and effectiveness of the audit team,
• Analyses of staff and engagement KPIs (e.g. CIA holders, years of experience in IA, stakeholder satisfaction, timeliness of the engagement)
• Other measurements in determining effectiveness and efficiency are the time keeping system, audit plan completion, and budget-to-actual variances.
Important Facts
Result Reported: By CAE to the BOD or Audit Committee.
How often is it performed? With each audit engagement.
What to Include in the Report? Conclusion, recommendations, & corrective action plan.
Ongoing Monitoring (diagram): Planning, Performing, Communicating, Monitoring; Quality Assurance
2- Periodic Self-Assessment
Mandatory Guidance
Definition of Internal Auditing & Code of Ethics
Attribute Standards
1000: Purpose, Authority, and Responsibility.
1100: Independence and Objectivity.
1200: Proficiency and Due Professional Care.
1300: Quality Assurance and Improvement Program.
Performance Standards
2000: Managing the Internal Audit Activity
2100: Nature of Work
2600: Communicating the Acceptance of Risk
2- Periodic Self-Assessment
Periodic self-assessment should also:
• Review results of the ongoing monitoring.
• Include a selection of various audit types and consulting projects.
IAD- Periodic Self-Assessment
No. 1
Mandatory Guidance: Definition of Internal Auditing (1010- Recognizing Mandatory Guidance in the IA Charter)
Tools and/or processes in place: The internal audit department charter should state clearly the Institute of Internal Auditors (IIA) definition.
No. 2
Mandatory Guidance: Code of Ethics (1010- Recognizing Mandatory Guidance in the IA Charter)
Tools and/or processes in place: The internal audit department charter should state clearly the Institute of Internal Auditors (IIA) code of ethics, which highlights major principles such as integrity, objectivity, confidentiality, and competency.
IAD- Periodic Self-Assessment (Cont’d.)
No. 3
Attribute Standard: 1000- Purpose, Authority, and Responsibility
Tools and/or processes in place: Internal audit department charter should state clearly the purpose, mission, vision, authority, responsibility, etc. of the internal audit department.
No. 4
Attribute Standard: 1100- Independence and Objectivity (1110- Organizational Independence; 1111- Direct Interaction with the Board; 1120- Individual Objectivity)
Tools and/or processes in place: CAE reports administratively to the chairman and functionally to the Board of Commissioners (Audit Committee).
No. 5
Attribute Standard: 1200- Proficiency and Due Professional Care (1210- Proficiency; 1220- Due Professional Care; 1230- Continuing Professional Development)
Tools and/or processes in place:
• IAD collectively possesses the skills, knowledge, and competencies needed to perform responsibilities.
• Auditors should apply due professional care.
• IAD should constantly encourage auditors to maintain technical competencies through continuous education.
IAD- Periodic Self-Assessment (Cont’d.)
No. 6
Attribute Standard: 1300- Quality Assurance and Improvement Program (QAIP) (1310- Requirements of QAIP; 1311- Internal Assessment; 1312- External Assessment; 1320- Reporting on QAIP)
Tools and/or processes in place: The internal audit department ensures quality of the audit activity through conducting internal ongoing assessments, which are embedded into the daily internal audit activities/procedures, and periodic assessments of conformance with the internal audit definition, code of ethics and standards. Moreover, the department undertakes external assessments once every five years.
IAD- Periodic Self-Assessment (Cont’d.)
No. 7
Performance Standard: 2000- Managing the Internal Audit Activity (2010- Planning; 2020- Communication and Approval; 2030- Resource Management; 2040- Policies and Procedures; 2050- Coordination & Reliance; 2060- Reporting to Senior Management and the Board; 2070- External Service Provider and Organizational Responsibility for Internal Auditing)
Tools and/or processes in place:
• CAE establishes a risk-based IA plan and communicates it to the Audit Committee for review and approval,
• CAE ensures IA resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (IA annual plan-team allocation),
• P&P are in place,
• CAE periodically reports to the Audit Committee on IA activities.
• Internal Audit Department clearly states the relation with External Auditors.
IAD- Periodic Self-Assessment (Cont’d.)
No. 8
Performance Standard: 2100- Nature of Work (2110- Governance; 2120- Risk Management; 2130- Control)
Tools and/or processes in place: The internal audit activity continuously:
• Assesses and makes recommendations to improve governance in the organization.
• Assists in identifying, evaluating, and implementing risk management methodologies and controls to address risks.
• Evaluates the effectiveness and efficiency of controls.
No. 9
Performance Standard: 2600- Communicating the Acceptance of Risk
Tools and/or processes in place: When the CAE disagrees with the auditee regarding certain issues, the CAE will escalate the matter through the audit report to the Audit Committee.
Important Facts
Result Reported: By CAE to the BOD or Audit Committee.
How often is it performed? At least annually; must be included in the IA Annual Plan.
Assessment Team:
• Independent senior members of the IA activity qualified in the IPPF, & not necessarily CIAs, or
• Individuals from within the Org.
What to Include in the Report? Objectives, scope, frequency, qualification and independence of the assessors, conclusion, recommendations, & corrective action plan.
Reasons For Conducting Periodic Self-Assessments
To validate conformance with the Std. and Code of Ethics, & evaluate:
• Quality and supervision of work performed.
• Adequacy of IA P&P.
• Achievement of KPIs.
• The degree to which stakeholders expectations are met.
Periodic Self-Assessment Challenges
• Staff availability,
• Industry and organizational knowledge,
• Difficult to objectively evaluate colleagues,
• Reporting to the CAE,
• Cost of training.
Benefits Of Internal Assessments
• Continuous improvement.
• Becoming more forward-looking in approach and experiencing greater alignment with Org. strategies and objectives.
• Enhanced IA productivity by eliminating non-value-added activities.
• Improved IA staff morale due to the focus on process improvement.
• Greater adaptability in implementing incremental changes, resulting in greater responsiveness to stakeholders' expectations.
Elements Of QAIP
Quality Assurance & Improvement
Program (QAIP)
Internal Assessments
Ongoing Monitoring
Periodic Self-Assessment
External Assessments
1312- External Assessments
Must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.
Types Of External Assessments
1. Full external assessment conducted by a qualified, independent external reviewer or review team under the leadership of an experienced Project Manager.
2. Use of a qualified, independent external reviewer or review team to
conduct a self-assessment with independent validation (SAIV).
Benefits Of The External Assessment
• Identification and reporting of leading practices that could assist the IA activity in becoming more efficient and effective.
• It builds stakeholder confidence by documenting management's commitment to quality and successful leadership practices, and the internal auditors' mindset for professionalism.
• It also provides evidence to the board, management, and staff that the audit committee and the internal audit activity add value through improving an organization's operations and contributing to the attainment of objectives.
• It allows the internal auditors to state that their activity “conforms to the International Professional Practice Framework of Internal Auditing.”
1320- Reporting On The QAIP
CAE must communicate QAIP results to senior management and the board.
Report should consider
• Scope and frequency (e.g. ongoing at least annually, periodic based on
agreement, external at least every 5 years)
• Qualifications and independence of the assessors including potential
COI.
• Conclusions and recommendations.
• Corrective action plans.
Reporting On Quality Assurance
1321- CAE may state that the IA activity conforms with the standards of internal auditing only if QAIP results support the statement.
1322- When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of IA activity, the CAE must disclose the nonconformance and the impact to senior management and the board.
References
• International Professional Practices Framework (IPPF)
• Quality Assessment Manual for the Internal Audit Activity (IIA)
• The IIA Global website (https://na.theiia.org/Pages/IIAHome.aspx)
• Internal Audit Quality Assurance and Improvement (CBOK)
• IIA’s Quality Assurance and Improvement Program Practice Guide
Glossary
Board
The highest level of governing body charged with the responsibility to direct and/or
oversee the activities and management of the organization. Typically, this includes an
independent group of directors (e.g., a board of directors, a supervisory board, or a
board of governors or trustees). If such a group does not exist, the “board” may refer
to the head of the organization. “Board” may refer to an audit committee to which the governing body has delegated certain functions.
Quality Assurance and Improvement Program (QAIP)
Chief Audit Executive (CAE): Internal Audit Head/Director
Internal Audit Department (IAD)
The Institute of Internal Auditors (IIA)