Internal Audit

Quality Assurance Review: What Internal Auditing Standards Require
IIA Austin Chapter, February 24, 2009

David J. MacCabe, CIA, CGAP, MPA Internal Audit Consultant

www.theiia.org/Quality

Speaker Background Information
- CAE at Texas Teacher Retirement System (1998-2007) and two other Texas state agencies
- Participated in 30 QARs; recipient of 6 QARs
- Founding Chair, Texas State Agency Internal Audit Forum (1983)
- Founding Member, IIA Austin Chapter (1978) and Member, IIA Board of Research & Education Advisers

Topics We Will Cover Today
- Quality Assessment Reviews
- Internal Auditing Standards
- QAR References & Links
- Path to Quality

Key Areas of Discussion Today
- Quality Assurance & Improvement Program
- External Quality Assessments and why your audit group should have one
- What to expect from an External QAR
- How to get the most value from a QAR
- How an audit professional should prepare for a QAR

Some areas we will NOT talk about today
- All of the Standards with which you need to comply to be successful in a QAR
- All the components of an effective Quality Program

There just isn't enough time to do this, and The IIA and other organizations have CDs, books, and seminars on these topics.

A Show of Hands

How many Internal Audit Activities have a QA&IP in place today?

A Show of Hands

How many work for an organization that has had an external QAR?

A Show of Hands

How many work for an organization that has not had an external QAR?

A Show of Hands

How many have been part of an external QAR team?

Signs of a Profession
- Commitment to Serving Others
- Code of Ethics
- Professional Standards
- Professional Certification Process
- Continuing Education Requirements
- Quality Assessment Reviews

What is Quality?
- Quality is the essence of excellence in the business environment
- Processes must be measured and evaluated objectively
- Includes ongoing commitment to growth and improvement

Why Implement a Quality Program?
To provide continuous improvement:
- Can things be done better?
- Should more be done?
- Is maximum value being received for resources expended?

Why Implement a Quality Program? (Continued)
- Do we meet professional standards?
- Can we add value to management, the Audit Committee, and the organization?
- Can we enhance our image, perceptions, credibility, and influence?

Does this look familiar?

http://www.theiia.org/guidance/standards-and-practices/professional-practices-framework/

Did you know the IIA Standards have been revised?
- The new International Professional Practices Framework (IPPF) was approved by The IIA Board of Directors in July 2007.
- The proposed revision to the IPPF Standards was exposed for comment in January 2008.
- The new IPPF Standards were released on September 30, 2008 and were effective in January 2009.
- See the IIA web site for more info.

Have you read the Quality Standards?
- Standard 1300: Quality Assurance and Improvement Program
- Standard 1310: Requirements of the Quality Assurance and Improvement Program
- Standard 1311: Internal Assessments
- Standard 1312: External Assessments

Have you read the Quality Standards? (Continued)
- Standard 1320: Reporting on the Quality Assurance & Improvement Program
- Standard 1321: Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing"
- Standard 1322: Disclosure of Nonconformance

Standard 1300: Quality Assurance and Improvement Program (QA&IP)
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

1300: QA&IP Interpretation
A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity's conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.

Quality Assurance and Improvement Program
Why is a Quality Assurance & Improvement Program necessary?
As an organization and its Internal Audit shop grow, operations undergo refinement, and internal processes change and evolve. Quality monitoring processes must keep pace.

Quality Assurance and Improvement Program
What are the elements of a Quality Assurance and Improvement Program?

1310: Requirements of the QA&IP
The quality assurance and improvement program must include both internal and external assessments.

1311: Internal Assessments
Internal assessments must include:
- Ongoing monitoring of the performance of the internal audit activity; and
- Periodic reviews performed through self-assessment or by other persons within the organization, with sufficient knowledge of internal audit practices.

1311: Internal Assessments Interpretation
Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine processes used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
Periodic reviews are assessments to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.

1312: External Assessments
External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:
- The need for more frequent external assessments; and
- The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.

1312: External Assessments Interpretation
A qualified, independent reviewer or review team consists of individuals who are competent in the professional practice of internal auditing and the external assessment process. The evaluation of the competency of the reviewer and review team is a judgment that considers the professional internal audit experience and professional credentials of the individuals selected to perform the review.

1312: External Assessments Interpretation (Continued)
The evaluation of qualifications also considers the size and complexity of the organizations that the reviewers have been associated with in relation to the organization for which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical knowledge.
An independent reviewer or review team means not having either a real or apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.

Some Elements of a QA&IP
Staff Information (education, skills, certifications) Audit Plan Budget to Actual Audit Cycle Time Issues and Recommendations Tracking Customer Satisfaction Survey Staff Meeting Benchmarking to Best Practices Training Work Paper Review (ongoing) QA Review Action Plan

1320: Reporting on the Quality Assurance & Improvement Program

The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. (Also includes Interpretation)

1321: Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing" (former Standard 1330)
The chief audit executive may state that the internal audit activity "conforms with the International Standards for the Professional Practice of Internal Auditing" only if the results of the quality assurance and improvement program support this statement.

1322: Disclosure of Nonconformance (former Standard 1340)
When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope of operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.

What is the Value of Quality to Internal Audit
[Diagram: ABC Organization Executive Level; Internal Audit]

At this level Internal Audit is not considered a valued resource to the Organization

What is the Value of Quality to Internal Audit
[Diagram: ABC Organization Executive Level; Internal Audit]

As the Quality of Internal Audit increases, the acceptance at the Executive Level gets Internal Audit closer

What is the Value of Quality to Internal Audit
[Diagram: ABC Organization Executive Level; Internal Audit]

Once Quality is achieved, Internal Audit is embraced by the Executive Level as a valuable resource within the Organization

Who's Responsible for the Quality of Internal Audit?
- Organization
- Chief Audit Executive (CAE)

Who Will Benefit?
- Internal Audit Profession
- IA Stakeholders (Audit Committee, Board of Directors, Regulatory Body, Senior Mgmt)
- Internal Auditors, especially CIAs

Professionalism & Commitment
- The Drive to be the Best
- Success (individual & organization)
- Persistence with a Purpose
- Professional Development
- The Pride to be an Internal Auditor

What's the focus of an External QA?
- IIA Code of Ethics
- Definition of Internal Auditing
- International Standards for the Professional Practice of Internal Auditing
- Audit Committee & Internal Audit Charters
- Professional certifications and education
- Process improvement & best practices

What happens in an External QA?
- Interview & survey stakeholders
- Assess compliance with the IIA Code of Ethics and the Standards
- Assess charters, policies & procedures
- Review staff experience & qualifications
- Inspect workpapers

What are the benefits of an External QA?
- Expert advice & counsel from practitioners with decades of experience and broad exposure to the best IA functions
- Sounding board
- Leverage for funding, authority, independence & training
- Visibility
- Pipeline to the audit committee & senior mgt

Why have an External QA?
- Professional credibility
- Organizational credibility
- Compliance with Standards
- Continuous improvement
- Audit Committee oversight

Why are some IA functions not in compliance?
(IIA Common Body of Knowledge survey reports that 39% of IA functions have never had an External QA)
- 28% of IA functions are less than 5 years old
- Internal Audit is not regulated
- Unaware of the requirement
- Unfazed by the penalty
- Costs in money and time

What problems are commonly found?
- Inadequate QA & IP
- Consulting omitted from the mission & charter
- Inadequate IT coverage or technical skills
- Lack of IAA performance measures

What problems are commonly found? (Continued)
- Inappropriate CAE reporting relationships
- Out-of-date charters
- Client perception of inadequate audit staff knowledge
- No formalized risk assessment process

How long does an External QA take? A sample timeline
- RFP: 8/1 - 8/15
- Prepare background info: 9/1 - 9/15
- Stakeholder surveys: 9/15 - 9/30
- GAIN data input on IIA website: 9/15
- Preliminary meeting: 10/15
- On-site fieldwork: 10/30 - 11/3
- Issue draft report: 11/15
- Receive reply to draft report: 11/22
- Issue final report: 11/29

What Does an IIA QAR Cost? *

Number of Internal Audit Staff | Average Size of External QA Team | Average IA Staff Preparation (Hours) | Avg IA Staff Support of QA Team (Hrs) | Average Time to Complete QA (Days) | Average Cost
1 to 2    | 2 | 200 | 33.5 | 6.6  | $13,000
3 to 6    | 3 | 110 | 40   | 4.2  | $15,000
7 to 15   | 4 | 100 | 60   | 5    | $22,000
16 to 20  | 3 | 90  | 70   | 9.2  | $35,000
21 to 30  | 6 | 135 | 60   | 9    | $42,000
31 to 50  | 5 | N/A | N/A  | 10.5 | N/A
51 to 70  | 6 | 80  | 50   | 13   | $75,000
71 to 100 | 3 | 200 | 120  | 20   | $80,000

*Source: IIARF Survey April 2007

IIA Recognition Plaque
Organizations that have an external quality assessment completed by The IIA with a General Conformance opinion receive a recognition plaque.

What is a self-assessment with independent validation (SAIV)?
Perform your own internal assessment and then engage an independent party to review your work.

What's the advantage of the SAIV?

It costs less!

What's the trade-off for a SAIV?
Requires IAA to budget more resources

Diminished:
- Independence
- Outside perspective
- Expertise
- Board leverage
- Senior management leverage
- Oomph

What should you do?
If you can't get the budget for an external QA, go either the SAIV or the peer review route to get into compliance.

Consider SAIV for your 1st QA and then follow up with an external QA in 2-3 years.

What about peer reviews?
Peer reviews are conducted by some state and local government entities. Examples include city and county governments, public transit authorities, state transportation agencies, public pension funds, and Texas state agencies and universities.

Where to Find Resources about Quality?
- Free web-based resources by the IIA (www.theiia.org/Quality)
- QAR training seminars by the IIA and local chapters
- QAR services by peers, the IIA, and service providers

The Path to Quality. . . a step-by-step guide to world-class internal auditing

QUALITY CAPABILITY MATURITY MODEL
For further information, see:
http://www.theiia.org/guidance/quality/the-external-quality-assessmentprocess/path-to-quality/?search=quality%20capability%20maturity%20model

What is Quality?
- Exceeding stakeholder expectations.
- Ensuring value is added to all areas of the IAA and the IAA adds value to the organization.
- Competency and proficiency to the organization's risk management, controls and governance processes.

Maturity Model Levels to Quality
- Level 1: Introductory
- Level 2: Emerging
- Level 3: Established
- Level 4: Progressive
- Level 5: Advanced

QUALITY CAPABILITY MATURITY MODEL
[Diagram. Conformance bands shown: Beyond Conformance; Conforming; Non-Conforming]
- LEVEL FIVE, ADVANCED: Produces Best Practices; Strategic Partner; Leader in IA Profession
- LEVEL FOUR, PROGRESSIVE: Implements Best Practices; Anticipates Change; Expanding Role
- LEVEL THREE, ESTABLISHED: Generally Conforms; External Assessment; Continuous Improvement
- LEVEL TWO, EMERGING: Partially Conforms; Self Assessments; Action Plans
- LEVEL ONE, INTRODUCTORY: Does Not Conform; New Internal Audit Activity (IAA); Quality Assurance & Improvement Program

Level 1: Introductory Maturity
- Fairly new shop or new CAE adopting the IIA Standards
- Organization lacks understanding of importance
- Senior Management/Board don't understand value
- IAA has not established a QAIP
- Not complying with requirements

Level 1 Key Messages
- Have not adopted quality in IAA
- Might be a new internal audit shop or a new CAE
- Need to assess and to document
- Understand the Standards
- Critical to begin a QAIP

Steps to Introductory Quality
1. Adopt the definition
2. Achieve appropriate reporting structure
3. Commit to quality through the Audit Charter
4. Acquire management's buy-in
5. Educate the audit committee

Level 2: Emerging Maturity
- The QAIP must include periodic and ongoing self-assessments
- Compliance monitoring with the Standards is in place
- Annual presentation of self-assessment results is completed to senior management and Audit Committee

Level 2 Key Messages
- Ongoing monitoring of Standards/Ethics
- Self Assessment determines strength & weaknesses
- IAA has found what's working, what's not working
- Report results of self assessments
- Maintain documentation and detailed improvement plans
- IAA completes presentation of results annually

Steps to Emerging Quality
1. IAA gets involved with The IIA and local chapter
2. CAE works toward certification
3. CAE attends QA Self Assessment training and/or seminar
4. Assign monitoring responsibilities
5. Use the Self-Assessment Checklist
6. Obtain feedback from others

Level 3: Established Maturity
- Annually obtain internal independent validation of IAA ongoing self-assessment
- CAE, senior management & the Audit Committee support and are involved in the quality assessment process
- Committed to obtaining an external independent validation every five years.

Level 3 Key Messages
- CAE is committed to the professionalism and quality of IAA
- Audit Committee directly involved
- Rigorous IAA self assessment reviewed and tested
- Peer review performed with qualified participants

Steps to Established Quality
1. IAA staff certifications demonstrate IAA professionalism and competency
2. IAA uses Balanced Scorecard
3. Requires proper qualifications for validator
4. Develops plan for improvements and establishes timeline for implementation
5. Report QA validation to The IIA Quality ([email protected])

Level 4: Progressive Maturity
- QAIP is now a well developed, defined and documented program
- IAA is well recognized within the organization as a value added function
- IAA has an external QA conducted every five years

Level 4 Key Messages
- IIA has established a mindset for professionalism and demonstrates it in their activities
- Audit Committee, management and staff all support the commitment to Quality
- Stakeholder confidence is high because of quality and successful & leading practices
- IAA is in compliance with Standards & Ethics

Steps to Progressive Quality
1. CAE has CIA certification
2. Any gaps have been addressed and action plans are in place
3. IAA follows best & leading practices
4. A qualified external QA provider is used
5. Report completion of external QA to The IIA ([email protected])

Level 5: Advanced Maturity
- IAA has an active and fully integrated QA & IP
- External QARs are performed every three years
- All IAA staff have certifications and rigorous continuing education

Level 5 Key Messages
- IAA raises the bar for professionalism
- Respect by organization and Board
- CAE is a respected member of executive management
- IAA shows an unrelenting commitment to growth, development, and improvement
- Exemplary Audit Committee

Steps to Advanced Quality
1. IAA maintains an appropriate mix of professional designations
2. IAA is a benchmark for progress to others in and out of their industry
3. IAA shares tools and success stories
4. Serve on QA review teams
5. Mentor, speak, research, and write for the internal auditing profession

The Path to Quality
- Add value
- Be perceived as adding value
- Ensure the value you add in the future

The Institute of Internal Auditors
Global Headquarters
www.theiia.org
[email protected]

Contact Information
David J. MacCabe, CIA, CGAP, MPA
Phone: (512) 567-1593
E-mail: [email protected]