Classification: Public عام

The Guide to an Effective Internal Audit Activity

May 7th, 2018

Farah AlRuwaily

Objectives Of The Session

Understand Std. 1300 - Quality Assurance and Improvement Program (QAIP)

Understand the types of QAIP:

Internal Assessments

o Ongoing monitoring

o Periodic review

External Assessments

Benefits and Challenges

How can we achieve credibility?

How can we be perceived as professionals?

How can we implement the standards?

QAIP

What Is The Internal Audit’s Major Asset?

“To provide credible assistance and constructive challenge to management, auditors must be perceived as professionals. Professionalism requires conforming to a set of professional standards.”

According To The IIA’s Quality Assessment Manual

Overview- IPPF

Global Internal Audit Common Body Of Knowledge (CBOK)

CAE - How Developed Is QAIP In Your Organization?

Conformance With QAIP Based On Regions

Conformance By Organization Type

Conformance By Department Size

Quality Assurance & Improvement Program (QAIP)

1300 - Quality Assurance and Improvement Program (QAIP)

Elements of QAIP include:

1. A scope that includes all aspects of the IA activity,

2. An evaluation of conformance with Std. & Code of Ethics,

3. An assessment of the efficiency and effectiveness of IA activity,

4. The identification of opportunities for continuous improvement, &

5. Involvement by the Board in oversight of QAIP.

The CAE must develop and maintain a QAIP that covers all aspects of the internal audit activity.

QAIP Framework

1310 - Requirements Of The Quality Assurance And Improvement Program

QAIP must include both internal and external assessments.

Internal Assessment

Elements Of QAIP

Quality Assurance & Improvement Program (QAIP)

Internal Assessments

1- Ongoing Monitoring of performance

2- Periodic Self-Assessment

External Assessment

1311- Internal Assessments

Internal assessments must include:

• An ongoing monitoring of the performance of the IA activity.

• Periodic self-assessments or assessments by other persons within the Org. with sufficient knowledge of internal audit practices.

1- Ongoing Monitoring

• Addresses quality on an audit-by-audit basis

• Addresses conformance with 4 Performance Standards at the engagement level:

2200: Engagement Planning

2300: Performing the Engagement

2400: Communicating Results

2500: Monitoring Progress

IAD- Ongoing Monitoring

No. 1

Standards: 2200 - Engagement Planning (2201 - Planning Considerations; 2210 - Engagement Objectives; 2220 - Engagement Scope; 2230 - Engagement Resource Allocation; 2240 - Engagement Work Program)

Tools and/or processes in place: The internal audit department implements the standard through preparation of the Opening letter, Planning Memorandum, & Audit Program.

No. 2

Standards: 2300 - Performing the Engagement (2310 - Identifying Information; 2320 - Analysis and Evaluation; 2330 - Documenting Information; 2340 - Engagement Supervision)

Tools and/or processes in place: The internal audit department implements the standard through performing information requests, data analysis, risk and control assessment, execution of the audit program, working papers, signoffs and saving engagement records.

IAD- Ongoing Monitoring (Cont’d.)

No. 3

Standards: 2400 - Communicating Results (2410 - Criteria for Communicating; 2420 - Quality of Communications; 2421 - Errors and Omissions; 2430 - Use of “Conducted in Conformance with the IIA Standards”; 2431 - Engagement Disclosure of Nonconformance; 2440 - Disseminating Results; 2450 - Overall Opinion)

Tools and/or processes in place: Results of audit engagements are communicated to the audit clients during both field work and reporting stages. Internal audit department reports and communication processes are designed to conform with standards.

No. 4

Standards: 2500 - Monitoring Progress

Tools and/or processes in place: The CAE must maintain a system to monitor the disposition of results communicated to Mgmt. This can be achieved by the “Quarterly Reports” as a follow-up process to monitor and ensure that management actions have been implemented.

How To Achieve Ongoing Monitoring?

• Proper engagement planning and supervision,

• Standardized work practices (e.g. workpapers and signoffs),

• Checklists to provide assurance on compliance with established P&P & to ensure consistency in the application of performance Std.,

• Feedback from internal audit clients on the efficiency and effectiveness of the audit team,

• Analyses of staff and engagement KPIs (e.g. CIA holders, years of experience in IA, stakeholder satisfaction, timeliness of the engagement),

• Other measurements for determining effectiveness and efficiency, such as the time keeping system, audit plan completion, and budget-to-actual variances.

Important Facts

Result Reported: By CAE to the BOD or Audit Committee.

How often is it performed? With each audit engagement.

What to Include in the Report? Conclusion, recommendations, & corrective action plan.

Ongoing Monitoring

Planning

Performing

Communicating

Monitoring

Quality Assurance

2- Periodic Self-Assessment

Mandatory Guidance

Definition of Internal Auditing & Code of Ethics

Attribute Standards

1000: Purpose, Authority, and Responsibility.

1100: Independence and Objectivity.

1200: Proficiency and Due Professional Care.

1300: Quality Assurance and Improvement Program.

Performance Standards

2000: Managing the Internal Audit Activity

2100: Nature of Work

2600: Communicating the Acceptance of Risk

2- Periodic Self-Assessment

Periodic self-assessment should also:

• Review results of the ongoing monitoring.

• Include a selection of various audit types and consulting projects.

IAD- Periodic Self-Assessment

No. 1

Mandatory Guidance: Definition of Internal Auditing (1010 - Recognizing Mandatory Guidance in the IA Charter)

Tools and/or processes in place: The internal audit department charter should state clearly the Institute of Internal Auditors (IIA) definition.

No. 2

Mandatory Guidance: Code of Ethics (1010 - Recognizing Mandatory Guidance in the IA Charter)

Tools and/or processes in place: The internal audit department charter should state clearly the Institute of Internal Auditors (IIA) code of ethics, which highlights major principles such as integrity, objectivity, confidentiality, and competency.

IAD- Periodic Self-Assessment (Cont’d.)

No. 3

Attribute Standards: 1000 - Purpose, Authority, and Responsibility

Tools and/or processes in place: The internal audit department charter should state clearly the purpose, mission, vision, authority, responsibility, etc. of the internal audit department.

No. 4

Attribute Standards: 1100 - Independence and Objectivity (1110 - Organizational Independence; 1111 - Direct Interaction with the Board; 1120 - Individual Objectivity)

Tools and/or processes in place: CAE reports administratively to the chairman and functionally to the Board of Commissioners (Audit Committee).

No. 5

Attribute Standards: 1200 - Proficiency and Due Professional Care (1210 - Proficiency; 1220 - Due Professional Care; 1230 - Continuing Professional Development)

Tools and/or processes in place:

• IAD collectively possesses the skills, knowledge, and competencies needed to perform responsibilities.

• Auditors should apply due professional care.

• IAD should constantly encourage auditors to maintain technical competencies through continuous education.

IAD- Periodic Self-assessment (Cont’d.)

No. 6

Attribute Standards: 1300 - Quality Assurance and Improvement Program (QAIP) (1310 - Requirements of QAIP; 1311 - Internal Assessment; 1312 - External Assessment; 1320 - Reporting on QAIP)

Tools and/or processes in place: The internal audit department ensures quality of the audit activity through conducting internal ongoing assessments, which are embedded into the daily internal audit activities/procedures, and periodic assessments of conformance with the internal audit definition, code of ethics and standards. Moreover, the department undertakes external assessments once every five years.

IAD- Periodic Self-Assessment (Cont’d.)

No. 7

Performance Standards: 2000 - Managing the Internal Audit Activity (2010 - Planning; 2020 - Communication and Approval; 2030 - Resource Management; 2040 - Policies and Procedures; 2050 - Coordination & Reliance; 2060 - Reporting to Senior Management and the Board; 2070 - External Service Provider and Organizational Responsibility for Internal Auditing)

Tools and/or processes in place:

• CAE establishes a risk-based IA plan and communicates it to the Audit Committee for review and approval,

• CAE ensures IA resources are appropriate, sufficient, and effectively deployed to achieve the approved plan (IA annual plan - team allocation),

• P&P are in place,

• CAE periodically reports to the Audit Committee on IA activities,

• Internal Audit Department clearly states the relation with External Auditors.

IAD- Periodic Self-Assessment (Cont’d.)

No. 8

Performance Standards: 2100 - Nature of Work (2110 - Governance; 2120 - Risk Management; 2130 - Control)

Tools and/or processes in place: The internal audit activity continuously:

• Assesses and makes recommendations to improve governance in the organization.

• Assists in identifying, evaluating, and implementing risk management methodologies and controls to address risks.

• Evaluates the effectiveness and efficiency of controls.

No. 9

Performance Standards: 2600 - Communicating the Acceptance of Risk

Tools and/or processes in place: When the CAE disagrees with the auditee regarding certain issues, the CAE will escalate the matter through the audit report to the Audit Committee.

Important Facts

Result Reported: By CAE to the BOD or Audit Committee.

How often is it performed? At least annually, must be included in the IA Annual Plan.

Assessment Team:

• Independent senior members of the IA activity qualified in the IPPF, & not necessarily CIAs, or

• Individuals from within the Org.

What to Include in the Report? Objectives, scope, frequency, qualification and independence of the assessors, conclusion, recommendations, & corrective action plan.

Reasons For Conducting Periodic Self-Assessments

To validate conformance with the Std. and Code of Ethics, & evaluate:

• Quality and supervision of work performed.

• Adequacy of IA P&P.

• Achievement of KPIs.

• The degree to which stakeholders' expectations are met.

Periodic Self-Assessment Challenges

• Staff availability,

• Industry and organizational knowledge,

• Difficult to objectively evaluate colleagues,

• Reporting to the CAE,

• Cost of training.

Benefits Of Internal Assessments

• Continuous improvement.

• Becoming more forward-looking in approach and experiencing greater alignment with Org. strategies and objectives.

• Enhanced IA productivity by eliminating non-value-added activities.

• Improved IA staff morale due to the focus on process improvement.

• Greater adaptability in implementing incremental changes, resulting in greater responsiveness to stakeholders' expectations.

External Assessment

Elements Of QAIP

Quality Assurance & Improvement Program (QAIP)

Internal Assessments

Ongoing Monitoring

Periodic Self-Assessment

External Assessments

1312- External Assessments

Must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

Types Of External Assessments

1. Full external assessment conducted by a qualified, independent external reviewer or review team under the leadership of an experienced Project Manager.

2. Use of a qualified, independent external reviewer or review team to conduct a self-assessment with independent validation (SAIV).

Benefits Of The External Assessment

• Identification and reporting of leading practices that could assist the IA activity in becoming more efficient and effective.

• It builds stakeholder confidence by documenting management's commitment to quality and successful leadership practices, and the internal auditors' mindset for professionalism.

• It also provides evidence to the board, management, and staff that the audit committee and the internal audit activity add value through improving an organization's operations and contributing to the attainment of objectives.

• It allows the internal auditors to state that their activity “conforms to the International Professional Practice Framework of Internal Auditing.”

1320- Reporting On The QAIP

CAE must communicate QAIP results to senior management and the board.

Report should consider:

• Scope and frequency (e.g. ongoing at least annually, periodic based on agreement, external at least every 5 years).

• Qualifications and independence of the assessors, including potential COI.

• Conclusions and recommendations.

• Corrective action plans.

Reporting On Quality Assurance

1321- CAE may state that the IA activity conforms with the standards of internal auditing only if QAIP results support the statement.

1322- When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of IA activity, the CAE must disclose the nonconformance and the impact to senior management and the board.

Thank you

References

• International Professional Practices Framework (IPPF)

• Quality Assessment Manual for the Internal Audit Activity (IIA)

• The IIA Global website (https://na.theiia.org/Pages/IIAHome.aspx)

• Internal Audit Quality Assurance and Improvement (CBOK)

• IIA’s Quality Assurance and Improvement Program Practice Guide

Glossary

Board

The highest level of governing body charged with the responsibility to direct and/or oversee the activities and management of the organization. Typically, this includes an independent group of directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the “board” may refer to the head of the organization. “Board” may refer to an audit committee to which the governing body has delegated certain functions.

Quality Assurance and Improvement Program (QAIP)

Chief Audit Executive (CAE): Internal Audit Head/Director

Internal Audit Department (IAD)

The Institute of Internal Auditors (IIA)
