Guideline for Conducting a Quality Assessment (QA)

Addendum to DIIR Standard No. 3 (“Quality Management in the internal audit activity”)

3rd revised and amended edition, as of July 1st, 2012

Deutsches Institut für Interne Revision e.V.

Quality Assessment QA

QA - diir.de · A Assessment process 6 ... assessment of the individual criteria in the areas under review. ... including management,


© 2013 DIIR – Deutsches Institut für Interne Revision e. V., Ohmstrasse 59, D-60486 Frankfurt am Main


Table of Contents

Preliminary remark

A Assessment process

B Requirements for accredited quality assessors

C Assessment procedure

D Quality criteria/minimum standards

E Criteria Catalogue

Basic principles

I. Organisation, integration into the company and responsibilities

II. Budget/Resources

III. Planning

Implementation

IV. Preparation

V. Audit

VI. Reporting

VII. Post-audit activities

VIII. Follow-up

Employees

IX. Selection

X. Development/Advanced Training

XI. Management of the internal audit activity

Glossary

Exhibit

1 QA certificate for certified companies – example

2 Evaluation list


QA Guideline © 2013


Preliminary remark

This guideline defines the professional requirements for the implementation of a quality assessment in accordance with the DIIR Standard No. 3 “Quality Management in the internal audit activity” and the International Standards for Professional Practice of Internal Audit (IIA Standards; specifically 1.300 et seq.). In particular, they require that a quality assessment is performed at least every five years.

This guideline shall be binding as of January 1st, 2013.

The guideline is structured in such a way that it can be applied to organizations of different sizes, industries and types. Therefore, public as well as private concepts of corporate governance can be taken into consideration.

It is the quality assessor’s responsibility to take these special features into account during the assessment of the individual criteria in the areas under review. The assessment process does not relieve the quality assessor of the duty to issue a well-supported, well-founded and traceable overall appraisal, as the responsibility for the overall assessment is exclusively that of the quality assessor.

Due to changes to legal frameworks, such as the Law on the Modernisation of Company Annual Accounts (BilMoG), new requirements arise, particularly for capital market oriented companies. According to these requirements, the supervisory board or an appointed audit committee must monitor the effectiveness of the internal audit system.

A quality assessment (QA) with a positive result emphasizes that internal audit consistently applies international standards and therefore provides reliable audit and advisory services.

An adequate and effective internal audit system reduces liability for the organization and internal audit management.


The Federal Financial Supervisory Authority (BaFin) for German credit institutions, financial services companies, capital investment companies and insurance companies has issued the “Minimum Requirements for Risk Management”, which partially cover the requirements for the quality assessment.

The third revised edition of this guideline contains substantiations and changes to the assessment. Furthermore, criteria have been combined, deleted and newly added, in order to reflect the feedback obtained from quality assessments previously conducted.

Further information on how to use this guideline will be provided during the QA seminar.

The latest information on the QA Guideline and related topics and questions is available on DIIRnet and on the DIIR website.


A Assessment process

A.1 Forms of audit

A quality assessment can be conducted

- by independent third parties or

- in the form of a self-assessment with independent validation. Here, the results of the self-assessment are validated by independent third parties with the same qualification as described under B.

A.2 Assignment

Upon request, the DIIR can provide a list of accredited quality assessors.

The contracts are established by the contracting parties.

During the assignment of resources, it must be ensured that the team of assessors meets the following requirements:

- Experience in all functions of internal audit or audit-related areas (leadership, management, auditing, quality management)

- Sufficient knowledge about the unit to be assessed (e. g. company size, industry, IT, finance and accounting, et al.)

- At a minimum, the head of the operational team of assessors must hold the accreditation as described under B, as well as an additional certification regarding management/leadership experience

- Independence of the assessors from the unit to be assessed.


A.3 QA preparation

Prior to a QA, the internal audit unit to be assessed (“client”) should familiarise itself with the procedure and requirements of the assessment using the QA Guideline.

The client shall, if possible, provide the necessary documentation/evidence and information to the assessor in advance.

The client shall ensure that the needed office space and any necessary hardware are made available, that any required IT system access rights are obtained, and that all parties relevant to the QA are informed.

The contracted assessor shall, in advance, provide the documentation (questionnaires, tools, templates), request any required information and schedule meetings.

The planning and implementation of the assessment should take place in a standardised and risk-oriented form (in line with the requirements for the audits by internal audit).

A.4 QA implementation

During the QA itself, interviews shall be conducted with all levels of internal audit employees including management, as well as at least the responsible member of the management board, members of management of the audited departments and the external auditors or audit courts. In consultation with the management board, representatives of supervisory bodies of the organisation shall also be interviewed.

Processes, methods and documentation shall be assessed in accordance with the quality criteria.

For this, random samples should be taken from several years, if possible.

The implementation of measures from previous assessments should also be taken into consideration.

The client can arrange a follow-up to the findings listed in the report.


A.5 QA reporting

Reporting of the assessment results shall include the following minimum aspects:

- Description of the structure and organisational integration of the assessed internal audit activity (also reflecting on its independence).

- Description of the audit strategy and the audit program, as well as the risk analysis.

- Main findings, in particular deficiencies found and measures for their rectification with responsibility and implementation date.

- Documentation of the rectification of deficiencies determined in previous QAs.

- Description of the results for the individual areas under review. For these, material results shall be presented accordingly.

- Summarising final remark on adequacy and effectiveness of the internal audit activity for the assessment period.

If the target achievement according to the assessment model is at least 50 percent, the certificate as shown in the exhibit can be issued by the quality assessor upon request.


B Requirements for accredited quality assessors

Requirements for the first-time accreditation of quality assessors are:

- Personal membership with the DIIR

- Acknowledgement and commitment to comply with the professional standards of internal audit as per formal application

- Participation in a specific training (QA seminar) that is acknowledged by the DIIR

- Evidence of a minimum of five years of practical experience within internal audit, confirmed by the company by which the quality assessor is/was employed (e. g. letters of reference, et al.)

- Formal application and approval by the DIIR (for application form, refer to the DIIR website/DIIRnet)

Requirements for maintaining the accreditation are:

- QA practice (participation in one internal self-assessment or an external quality assessment within three years)

and

- Participation in the QA conference (event at three-year intervals)

or

- Participation in seminars acknowledged by the DIIR as QA-relevant advanced training (four days in three years).

In the event of non-fulfilment of the requirements listed above, the accreditation shall be revoked and deleted from the register administered by the DIIR. In order to reinstate the accreditation, a one-day refresher course must be attended no later than five years after participating in the QA seminar and the aforementioned requirements must be fulfilled. The respective calendar year shall apply. After expiration of the five-year period, a completely new accreditation becomes necessary.

A review of the fulfilment of these accreditation requirements shall take place for the first time after December 31st, 2014.

If all requirements are fulfilled, the quality assessor will be captured in the DIIR register as an accredited quality assessor and can be added to the list published by the DIIR.


C Evaluation procedure

The evaluation procedure described here is intended to support the quality assessor in reaching an overall assessment in the form of the summarising final remark. The evaluation of individual criteria, as well as the overall assessment, is not exclusively the result of a mathematical process; features specific to the organisation, size and industry must also be taken into consideration. In order to ensure this, a high level of personal and technical expertise and ideally industry knowledge are requirements for quality assessors (please refer to Section B).

In order to evaluate the quality criteria, a scale from 0 to 3 is used as a basis, where the scale has the following meaning:

3 = completely fulfilled

2 = slight improvement potential

1 = significant improvement potential

0 = deficient

n. a. = not applicable

The attribute “n. a.” is only used in exceptional cases and must always be justified.

The evaluation procedure is based on a model using an equally weighted average, i. e. it does not include any explicit weighting factors for the individual criteria, but rather implicitly calculates with a weighting of “1” for all criteria. A variance is not taken into consideration; poor values can be compensated with good ones, except for the minimum criteria. However, it must be understood that the quality criteria are interconnected, i. e. larger deficiencies have an effect on several quality criteria and therefore will also sustainably influence the overall result.

Approach

The respective evaluations of the quality criteria are entered in the assessment column.

In the respective analysis field (the eleven analysis fields correspond to the classification points shown in the table of contents) the points are added up and summarised accordingly.

The assessment is the result of the percentage target achievement per analysis field.

The procedure conforms to the IIA assessment model.


Target achievement    Assessment

>= 90 %               Completely fulfilled

75 % – < 90 %         Slight improvement recommended

50 % – < 75 %         Significant improvement recommended

< 50 %                Insufficient

A full mapping of achieved points (in the individual analysis fields) to the assessment is shown in Exhibit 2.


D Quality criteria/minimum standards

The quality criteria represent concrete forms of the requirements for an effective and efficient internal audit activity and apply to auditing and advisory activities.

For the assessment of the effectiveness of an internal audit activity, compliance with specific minimum standards must be ensured. Therefore, non-compliance with one of these criteria ultimately leads to the overall assessment “insufficient”. “Non-compliance” is regarded as the “0” evaluation.

The minimum standards are:

1. An official, written, adequate regulation (rules of procedure, internal audit guideline or similar) is available (please refer to I.1).

2. Neutrality, independence from other functions and unlimited right to access information are ensured (please refer to I.5).

3. The internal audit activity has adequate personnel, in terms of quantity and quality (please refer to II.10).

4. The audit plan of the internal audit activity is prepared on the basis of a standardised and risk-oriented planning process (please refer to III.15).

5. The type and scope of the audit activities and results are documented in a standardised, proper and orderly manner (please refer to V.37).

6. The implementation of the measures documented in the report is monitored by the internal audit activity through an effective follow-up process (please refer to VIII.57).

If one of these minimum standards noted above is not fulfilled at the time of the assessment (evaluation 0), but is already intended to be implemented within an adequate time period determined by the quality assessor, this shall be taken into account for the overall assessment and evidenced to the quality assessor after the expiration of this period. The final report is prepared after successful verification. If this verification does not take place, this shall be reported by the quality assessor to the client with the note “insufficient”.


E Criteria Catalogue

Basic principles

I. Organisation, integration into the company and responsibilities

1. An official, written, adequate regulation (rules of procedure, internal audit guideline or similar) is available (Minimum Standard 1).

2. The regulation is approved by the management board. It is reviewed for topicality and adequacy on a regular basis.

3. The main tasks of the internal audit activity are the auditing of the adequacy and effectiveness of the internal control system, the management and monitoring processes and the effectiveness of the risk management system in place. This also includes the assessment of the effectiveness of the measures for preventing and discovering fraud.

4. The internal audit activity covers all of the company’s/organisation’s activities and any activities that have been outsourced to third parties (unlimited audit right).

5. Neutrality, independence from other functions and an unlimited right to access information are ensured (Minimum Standard 2).

6. The internal audit employees have no responsibility for operations and do not review any activities that they are biased in.

7. The internal audit activity is included in the distribution list for important company information.

8. The internal audit activity has an audit manual with the following main contents: Regulations and/or methods for audit planning, preparation, implementation, follow-up, reporting, documentation, access to and archiving of audit results.

9. The internal audit employees are familiar with the audit manual. It is reviewed on a regular basis to ensure that it is current and adequate. Adherence to the manual is monitored on a regular basis.

Assessment/Comment

II. Budget/Resources

10. The internal audit activity has adequate personnel, in terms of quantity and quality (Minimum Standard 3).

11. The personnel expense budget corresponds to the tasks and requirements of the internal audit activity and is suitable for recruiting and retaining qualified staff.

12. The IT equipment for administrative processes (e. g. audit planning, audit control) is useful and adequate.

13. The IT equipment for the operational processes (e. g. analysis software, reporting and follow-up process) is useful and adequate.

14. The general operating expense budget (e. g. travel costs, training and advanced training, external resources) corresponds to the tasks and requirements of the internal audit activity.


III. Planning

15. The audit plan of the internal audit activity is prepared on the basis of a standardised and risk-oriented planning process (Minimum Standard 4).

16. The audits for the planning period are systematically compiled at least once per year and presented to the management board for approval.

17. During the planning, legal requirements, requests by the management board as well as suggestions from inside and outside of the internal audit activity are taken into consideration.

18. The audit objects (audit universe) are fully covered within the context of the planning.

19. A standardised methodology exists for the systematic analysis of the risk potential of the audit objects.

20. Regular checks are established to ensure that the scope and assessment of the audit objects are current and complete.

21. The authorities to change the risk assessment method and the audit objects are defined.

22. Unscheduled audits that become necessary on short notice are adequately taken into consideration.

23. Subsequent changes/adjustments to the audit plan, e. g. the cancellation or addition of audits, are adequately documented. These changes are communicated to the responsible management board on a regular basis.


Implementation

IV. Preparation

24. The audit plan is the basis for developing timeframes and prioritisation of the audit objects; resources and responsibilities are allocated in a traceable manner.

25. The audit objects are analysed, information is obtained and the audit methods are defined.

26. Prior to starting the audit, milestones and the anticipated audit duration are determined.

27. In general, audits are announced to the auditee with sufficient advance notice. Deviations from this procedure are plausible and adequate for individual cases (e. g. audit of fraudulent acts).

28. A kick-off meeting with the department to be audited is part of the audit process (possibly also via telephone or video conference).

29. The objectives and scope of the audit are defined and documented.

30. The work program is approved by internal audit management or by an appointed person.

V. Audit

31. The audit is conducted in accordance with the approved work program.

32. Legal stipulations and internal company regulations are assessed during the audit to determine if they have been implemented and adhered to (compliance).

33. Aspects such as efficiency, profitability, corporate objectives, security, risk appetite, effectiveness of controls in place to prevent and discover fraudulent acts are audited.

34. Measures/recommendations are provided for any negative audit findings.

35. If necessary, the audit results are reconciled with the audited department and the person responsible for the audit.

36. Major deviations between the audit steps and the work program are documented and approved.

37. The type and scope of the audit activities and results are documented in a standardised, proper and orderly manner (Minimum Standard 5).

38. A standardised rating of the audit results (system for all types of audits and audit objects) is implemented.

39. The audit results can be clearly derived from the working papers and therefore are traceable for knowledgeable third parties within an adequate period of time.

40. The methods and checklists used are systematic, up-to-date and adequate.

41. A closing meeting with the auditee, if necessary, is conducted in a timely manner. Any changes to the audit results are reconciled and documented.

42. In the closing meeting, adequate measures are agreed with implementation dates and clear responsibilities. Agreement or differences in opinion are documented with regard to the audit results.

43. If a closing meeting is waived, another traceable and documented form for reconciliation of the audit results is ensured.


VI. Reporting

44. The report is comprised of the following components:

- Assignment and implementation (audit objective and scope) including definition of topics (what?), audit team (who?), audit period (when?), audit location (where?), audit reason (why?), type of audit (how?)

- Management Summary

- Detailed report incl. findings, risks, measures/recommendations with implementation dates (action plan), responsible persons and rating, if applicable

45. The form of the audit reports is standardised.

46. Preliminary audit results, e. g. in the form of draft reports, are presented to the management of the audited unit in good time prior to the closing meeting.

47. In case of disagreement it is possible for the auditee to include a comment in the report explaining the differences in opinion.

48. The finalisation and distribution of the report including the list of measures takes place in a timely manner.

49. Prior to distribution the audit report is approved by the Chief Audit Executive or a person authorised.

50. A standard distribution list is established and used for the regular distribution of audit reports.

51. An audit report or memorandum is available for each completed audit.

52. The reports or a summary of the reports (e. g. in annual reports) are distributed to the executive board.

VII. Post-audit activities

53. The Chief Audit Executive or a responsible person conducts feedback meetings with the audit team.

54. Based on these feedback meetings, potential for improvement is derived to further develop the internal audit activity (e. g. risk assessment, audit methods and processes, as well as resource planning).

55. Any insights gained during the audits are made available to the employees of the internal audit activity (knowledge management).

56. Retention methods and timeframes for audit reports and working papers are defined and adhered to.

VIII. Follow-up

57. The implementation of measures documented in the report is monitored by the internal audit activity through an effective follow-up process (Minimum Standard 6).

58. Deadline extensions for the implementation of measures are justified and documented.

59. Notification regarding measures which were – without justification – not implemented is provided to the management board on a regular basis.

60. On-site audits are conducted as a supplemental instrument to the follow-up process.


Employees

IX. Selection

61. A personnel planning process exists in the internal audit activity, which considers factors such as average fluctuation, retirement, training level, professional experience and foreign language qualifications, or similar.

62. Job or functional descriptions are available for all employees within the internal audit activity.

63. The selection of personnel takes place on the basis of the job or functional descriptions.

64. The employees’ professional experience and qualifications are suitable to ensure fulfilment of the internal audit activity’s tasks.

65. If the necessary professional experience and qualification is not available to fulfil the audit assignment/advisory assignment, the internal audit activity engages competent third parties.


X. Development/Advanced Training

66. The functional and audit-related staff qualification is ensured through regular internal or external training measures.

67. The further development of social skills and management qualifications is ensured through targeted internal or external measures.

68. Obtaining audit-related qualifications (e. g. Interner Revisor DIIR, CIA, CISA, and CFE) is promoted.

69. Annual reviews and target-setting take place on a regular basis with each staff member, and include aspects such as audit tasks, strengths-weaknesses analysis, assessment of personal development and training measures.

70. The internal audit personnel also ensure that they develop their skills and qualifications further.

XI. Management of the internal audit activity

71. The Chief Audit Executive is qualified in accordance with the requirements of the position.

72. The internal audit activity is accepted and highly regarded by the management board.

73. The Chief Audit Executive has developed quality standards that are documented in the internal audit manual and are the basis on which quality checks are conducted.

74. The Chief Audit Executive must develop and maintain a quality assurance and improvement program, which covers all areas of internal audit.

75. The activities of the internal audit activity, current developments and the main risks are reported periodically to the management board and the audit committee (or comparable bodies).

76. The Chief Audit Executive ensures the implementation of the principles defined in the audit manual through process-integrated measures of quality management.

77. The Chief Audit Executive or a representative appointed by him/her conducts feedback meetings with the audited departments and audit report recipients on a regular basis.

78. Laws, publications with legislative character, as well as national and international standards for professional practice of internal audit of the DIIR and the IIA, are complied with. Deviations from the standards are communicated adequately.

79. The Chief Audit Executive ensures a regular exchange of information with external third parties, such as the company’s external auditor.

80. The Chief Audit Executive ensures a regular exchange of information with internal departments and functions, such as compliance, risk management, security and data protection.


Glossary

Accreditation

The confirmation by the DIIR, which formally states that the accredited quality assessor has the authorisation and competence to conduct quality assessments in accordance with the guideline.

Working papers

Comprise the information and documents received during an audit, the analyses conducted and the resulting conclusions.

Work program

Document in which the procedural steps to be conducted during an audit are listed. The audit objectives are also formulated in the work program.

BilMoG (Law on the Modernisation of Company Annual Accounts)

The main objectives include the improvement of the meaningfulness of the annual financial statements as well as the expansion of corporate governance. These specifically include alterations regarding appointments to the supervisory board and its monitoring functions. Specified disclosure duties and report elements with regard to the accounting-related internal control and risk management system, as well as the internal audit system, play an important role in this.

Follow-up

Process in which the internal audit activity determines whether the actions taken by management as a result of the reported audit findings were executed appropriately, effectively and in a timely manner.

Management board

“Management board” is synonymous with the executive board of a joint-stock corporation, managing directors of a limited liability company, the executive board of a cooperative, management of an administrative authority, management of a corporate entity, the board of directors of a registered association.

Audit plan (audit program)

Comprises several audits in a specific time period (e. g. annual audit program).

Quality assessment

Description of the audit practice for reviewing activities, working and control frameworks of an internal audit activity by qualified assessors. It involves a quality review by external assessors regarding the quality and compliance with and observance of prescribed and generally accepted standards.

Quality assessor
A person who has the qualification in accordance with this guideline to assess internal audit activities and to evaluate whether and to what extent the professional requirements of the DIIR/IIA are fulfilled.

Quality management
Program for quality assurance and improvement, which comprises all aspects of audit activities and the continuous monitoring of their effectiveness. The purpose of quality management is to sufficiently ensure that the activities of the internal audit activity correspond to the set objectives.

Regular
This is basically regarded as one year, e.g. for the revision period of the internal audit manual.

Regulation
The regulation (“rules of procedure”, “internal audit guideline” or similar) of the internal audit activity is an official written document which defines the tasks, authorities and responsibility of the internal audit activity. The regulation must (a) define the position of the internal audit activity within the company, (b) secure access to the records, to the workforce and to the assets that are relevant for the fulfilment of audit and advisory assignments and (c) define the scope of the internal audit activity’s activities. In comparison to the audit manual, the regulation regarding the internal audit activity in the company is determined (external presentation).

Internal audit manual
Is for the purpose of summarising the definitions applicable for an internal audit activity regarding the tasks, structure and organisational procedure regulations (for the internal audit activity employees).

Risk-oriented planning process
Forms the basis for risk-oriented and targeted audit planning and is based on the systematic analysis of all business processes and corporate entities, under specific consideration of e.g. economic, operational or other corporate risks.

Certification
Certification is a procedure with which compliance with specific standards can be demonstrated. The certification generally implies the issuance of a certificate by a certification centre.


Appendix 1:

QA Certificate for Certified Companies – Example

Certificate

The internal audit activity of

Company Name

has undertaken and passed a quality assessment, that was conducted from ______ to ______ fulfilling the requirements of the International Standards for the Professional Practice for Internal Auditing based on the DIIR Standard No. 3 “Quality Management in the internal audit activity” as recommended by DIIR – Deutsches Institut für Interne Revision e.V.

Date of the Certification

Quality Assessor

Assessor Company Logo


Appendix 2:

Evaluation list

| Area | Points achievable | Points reached | Rating (in %) |
|---|---|---|---|
| Basic principles | | | |
| I. Organisation, integration into the company and responsibilities: Minimum standard not adhered to (criteria 1, criteria 5)* | 27 | 0 | 0,00 % |
| II. Budget/Resources: Minimum standard not adhered to (criteria 10)* | 15 | 0 | 0,00 % |
| III. Planning: Minimum standard not adhered to (criteria 15)* | 27 | 0 | 0,00 % |
| subtotal: | 69 | 0 | 0,00 % |
| Implementation | | | |
| IV. Preparation: | 21 | 0 | 0,00 % |
| V. Audit: Minimum standard not adhered to (criteria 37)* | 39 | 0 | 0,00 % |
| VI. Reporting: | 27 | 0 | 0,00 % |
| VII. Post-audit activities: | 12 | 0 | 0,00 % |
| VIII. Follow-up: Minimum standard not adhered to (criteria 57)* | 12 | 0 | 0,00 % |
| subtotal: | 111 | 0 | 0,00 % |
| Employees | | | |
| IX. Selection: | 15 | 0 | 0,00 % |
| X. Development/Advanced Training: | 15 | 0 | 0,00 % |
| XI. Management of the internal audit activity: | 30 | 0 | 0,00 % |
| subtotal: | 60 | 0 | 0,00 % |
| Overall Result / Rating: | 240 | 0 | 0,00 % |

Evaluation: unsatisfactory*


Deutsches Institut für Interne Revision e.V.

Ohmstrasse 59
D-60486 Frankfurt am Main
Phone +49 69 7137 69-0
Fax +49 69 7137 [email protected]