Download pdf - Quality Assurance and Improvement Programme Guideline for

Ministry of FinanceDecember 2019

Quality Assurance and Improvement Programme Guideline for Internal Audit Services of RGoB

Ministry of FinanceDecember 2019

Quality Assurance and Improvement Programme Guideline for Internal Audit

Services of RGoB


@CCA, Ministry of Finance, December 2019 Page i

Post Box No 117. Tel # PABX: 00975-2- 322271/322285/322223/322514/327763. Fax: 323154. www.mof.gov.bt

“Public

he stakeholders’

s’ (IIA) International

Quality Assurance and Improvement Guideline for RGoB Internal Audit Service

@CCA, Ministry of Finance, December 2019 Page i

Post Box No 117. Tel # PABX: 00975-2- 322271/322285/322223/322514/327763. Fax: 323154. www.mof.gov.bt

“Public

he stakeholders’

s’ (IIA) International


@CCA, Ministry of Finance, December 2019 Page iii

Table of ContentsPreface .................................................................................................................................................... v

Abbreviations .....................................................................................................................................vii

Chapter 1: About the guideline ...................................................................................................... 11.1. Background .............................................................................................................................21.2. Quality in Internal Audit ....................................................................................................31.3. Requirements and Characteristics of QAIP ...............................................................4

Chapter 2: Establishment of Quality Assurance and Improvement Programme .......... 72.1. Considerations in Developing a QAIP ..........................................................................82.2. Responsibility of QAIP ........................................................................................................92.3. Objective of the QAIP...........................................................................................................92.4. QAIP Framework ................................................................................................................ 102.5. Some International Best Practices on QAIP ........................................................... 102.6. International Standards on QAIP ................................................................................ 132.7. Components of QAIP ........................................................................................................ 14

Chapter 3: Internal Assessment ...................................................................................................173.1. Implementation of Internal Assessment ................................................................. 183.2. Benefits of Internal Assessment .................................................................................. 183.3. Ongoing Monitoring ........................................................................................................ 193.4. Periodic Self-Assessment ............................................................................................... 223.5. Considerations for Demonstrating Conformance ................................................ 27

Chapter 4: External Assessment ..................................................................................................294.1. External Assessment ........................................................................................................ 304.2. Implementation of External Assessment ................................................................ 314.3. Full External Assessment ............................................................................................... 324.4. Self-Assessment with Independent Validation ..................................................... 38

Chapter 5: Reporting and Follow-up of QAIP ...........................................................................435.1. Overview of QAIP reporting ......................................................................................... 455.2. Activities of Quality Assurance and Improvement Programme Reporting

Timelines ................................................................................................................................ 455.3. Consideration for reporting QAIP ............................................................................... 465.4. Periodic Internal Assessment Report Contents .................................................... 495.5. External Assessment Report Contents ..................................................................... 495.6. Review of the QAIP ............................................................................................................ 50

Chapter 6: Measuring Internal Audit Effectiveness and Efficiency ..................................516.1. Internal Audit Stakeholders .......................................................................................... 526.2. Measuring Internal Audit Effectiveness and Efficiency..................................... 536.3. Performance Measures / Key Performance Indicators ..................................... 536.4. Characteristics of Performance Measures: Quantitative vs. Qualitative .... 536.5. Types of Performance Measures ................................................................................. 546.6. Monitoring and Reporting of Internal Audit Effectiveness and Efficiency 596.7. Internal Audit Capability Model (IA-CM) .............................................................. 60


@CCA, Ministry of Finance, December 2019Page iv

Chapter 7: Measuring Internal Audit Effectiveness and Efficiency ..................................63Appendix 1: QAIP Components ...................................................................................................................... 64Appendix 2: Checklist on Ongoing Monitoring ....................................................................................... 66Appendix 3: Example of Stakeholder Survey sent after Internal Audit is completed ............ 70Appendix 4: Checklist on Periodic Self-Assessment ............................................................................. 72Appendix 5: Self-Assessment QAIP Report ............................................................................................... 78Appendix 6: Full External Assessment Reporting Template ............................................................. 79Appendix 7: Self-Assessment with Independent Validation QAIP Report .................................. 84Appendix 8: Examples of Internal Audit Effectiveness and Efficiency Metrics ......................... 86Appendix 9: Example of Reporting Internal Audit Effectiveness and Efficiency Dashboard .......................................................................................................................................................................................... 88Appendix 10: Guidance on Internal Audit Self-Assessment Methodology.................................. 89Appendix 11: Internal Audit Capability Model Matrix ......................................................................... 91Appendix 12: Internal Audit Capability Model Levels ......................................................................... 93Appendix 13: Internal Audit Maturity Assessment ............................................................................... 95Appendix 14: Standard Conformance Evaluation Summary (Table) Template ..................... 100Appendix 15: Standard Conformance Evaluation Summary Template ..................................... 101Appendix 16: Standard Rating Criteria ................................................................................................... 103Appendix 17: Checklist on External Quality Assessment ................................................................ 104Reference Material ........................................................................................................................ 153


@CCA, Ministry of Finance, December 2019 Page v

Preface

The RGoB has recognised the strengthening of quality assurance system of the public sector internal audit activity as a priority area. It also specified development of quality assurance guidelines as a part of “Strengthening the Effectiveness and Capacity of Internal Audit in the Royal Government of Bhutan”. The project is supported by Multi Donor Grant Funds - “Public Financial Management Multi Donor Fund (PFM-MDF) and administered by World Bank.

A critical asset for an internal audit activity is its credibility with stakeholders. As a coordinating agency for Internal Audit Service under the RGoB, the Central Coordinating Agency under Ministry of Finance must develop and maintain a Quality Assurance and Improvement Programme that covers all aspects of the internal audit activity. Chief Internal Auditor of CCA needs assurance that their internal audit activity and each internal auditor conforms to all mandatory elements of the IIA’s International Professional Practices Framework (IPPF), and they need to demonstrate this conformance to their stakeholders.

The only way to meet these expectations is with a comprehensive QAIP that comprises of conducting internal assessment for internal audit units under the RGoB including ongoing monitoring of performance, periodic internal assessments, along with external assessment conducted in IAUs every five years by a qualified and independent assessor/team from outside the organization.

The QAIP guideline is developed based on IIA’s International Professional Practices Framework (IPPF). It explains various components of QAIP such as Internal Assessment, External Assessment, Performance Monitoring of Internal Auditors, etc and how to apply these components without compromising conformance with the Standards. Particularly, it presents and discusses the 1300 series of the Standards that deal specifically with quality assurance.


@CCA, Ministry of Finance, December 2019Page vi

The guideline comprises 7 chapters which set out the entire requirement of implementing the effective Quality Assurance and Improvement Programme. It includes templates, a set of forms, practical examples and checklists. The structure of the Quality Assurance and Improvement Programme guideline is as follows: -

This guideline will fulfil the objectives and demonstrates the commitment of RGoB to improve the Internal Audit services in the country. The RGoB hopes that users will find it valuable for establishing and / or improving the quality assurance and improvement programme for internal auditing in the public sector.

This guideline will bring out a uniform procedure for quality assurance in the Internal Audit which will help in achieving the objectives of Internal Audit. Users of this guideline are expected to have a comprehensive understanding of the International standards on Internal Audit and guidelines, policies & procedures, regulations and rules as issued by the Internal Audit Services of RGoB.

The guideline is designed to be flexible and unrestrictive. The Internal Auditors are encouraged to exercise professional judgment where they face any difficulty in understanding or complying with the guideline, and then seek appropriate clarifications or assistance from CCA.

The Central Coordinating Agency for Internal Audit Services is expected to keep updating this guideline regularly and incorporate any suggestions or modify the contents of the guideline as and when required.


@CCA, Ministry of Finance, December 2019 Page vii

AbbreviationsAbbreviations Full FormACC Anti-Corruption Commission AMS Audit Management SystemAuditCom Audit CommitteeBGIAS Bhutan Government Internal Audit StandardCAAT Computer Assisted Audit TechniquesCCA Central Coordinating AgencyCGA Controller General of IndiaCIA Chief Internal AuditorCOA Commission on AuditCPE Continuing Professional EducationCSA Control Self-AssessmentDBM Department of Budget and ManagementDNC Does not ConformDS Department SecretaryEU European UnionGAIT Guides to the Assessment of IT RiskGB Governing BoardGC Generally ConformsGG Good GovernanceGTAG Global Technology Audit GuidesHoA Head of AgencyHoIA Head of Internal AuditIA Internal Audit / Internal AuditorIA-CM Internal Audit Capability ModelIAS Internal Audit ServiceIAU Internal Audit UnitIAW Internal Audit WingIIA Institute of Internal AuditorIPPF International Professional Practices FrameworkISPPIA International Standards for the Professional Practice of Internal AuditingIT Information TechnologyKPI Key Performance IndicatorMoF Ministry of FinanceNICF National Internal Control FrameworkPC Partially ConformsQAIP Quality Assurance and Improvement ProgrammeRAA Royal Audit AuthorityRGoB Royal Government of Bhutan

CH

AP

TE

R 1

Page viii @CCA, Ministry of Finance, December 2019


CH

AP

TE

R 1

Page 1 @CCA, Ministry of Finance, December 2019


1 About the guideline

CH

AP

TE

R 1



Chapter 1: About the guideline

1.1 Background

The Internal Audit Service was first instituted in the Royal Government of Bhutan with seventeen internal auditors spread across seven ministries in the year 2000 ensuing the Good Governance initiatives undertaken by the Government. The IA service was further reinforced and the 86th session of National Assembly, June 2007, passed a resolution to have internal auditors in all Dzongkhags. The Public Finance Act came into force in the year 2007. With the enactment of the Public Finance Act 2007, the responsibility of administering the Internal Audit service was vested to the Ministry of Finance. Accordingly, MoF established the Central Coordinating Agency (CCA) in the year 2010.

The Ministry of Finance in keeping with the principle of transparency, accountability, efficiency and professionalism enunciated in the GG Plus (2005), published the National Internal Control Framework (NICF) in December 2013. As part of paradigm shift in the internal audit approach based on the NICF document, theme-based audit approach was also initiated from the fiscal year 2015-16. In order to ensure that the internal audit services are provided in a professional manner and in accordance with best international practices, the Ministry of Finance adopted the International Professional Practices Framework (IPPF), issued by the Institute of Internal Auditors to regulate the work of the IAS. Accordingly, they issued Internal Audit guidelines and Standards in line with the IPPF framework.

The expansion of scope and reach of internal auditing requires that Internal Auditors demonstrate high level of credibility to the stakeholders. The Chief Internal Auditor (CIA) needs assurance that their internal audit activity and each member of their staff conforms to all mandatory elements of the IPPF, and they need to demonstrate this conformance to their stakeholders. Further, the IPPF was recently updated in the year 2017 and it states that evaluating risk management and governance processes is much more challenging and meaningful than control alone. It requires internal audit to operate at a higher, more strategic level. To operate at this level, internal auditors need a higher level of credibility with their stakeholders.

The requirements and characteristics of quality in an internal audit activity are defined by the IPPF, which includes mandatory and recommended guidance, all provided within the context of the Mission of Internal Audit as defined in the IPPF. Further, the Internal Auditing Standards and the Manual of RGoB require the implementation of a Quality Assurance and Improvement Programme (QAIP) to ensure conformance with the Definition of Internal Audit, the Code of Ethics for Internal Auditors and the Auditing Standards. The only way to meet these is with a comprehensive quality assurance and improvement programme (QAIP) that includes ongoing monitoring of performance, periodic internal assessments, external assessments conducted by a qualified, independent assessor or assessment team from outside the organization, and communication of the results.

CH

AP

TE

R 1



1.2 Quality in Internal Audit

Quality in internal audit is guided by both an obligation to meet stakeholder expectations as well as professional responsibilities inherent in conforming to the Standards. Quality in internal audit begins with the structure and organization of the audit activity. The QAIP should measure whether internal audit is meeting its own objectives, as well as those of the broader organization.

Internal Auditing Standards 1300 through 1312 on Internal Audit issued by IIA specifically require the Chief Internal Auditor to develop a QAIP, incorporating both internal (self) assessments and external assessments. However, beyond these specific standards, internal audit as a profession should maintain a formal and structured approach to quality. This includes operating with proficiency and due professional care, undertaking continuing professional development, and conforming to a set of recognized standards.

Under the QAIP, an internal audit activity need not assess whether each individual engagement conforms to the Standards or not. Rather, engagements should be undertaken in accordance with an established methodology that promotes quality and, by default, conformance with the Standards.

Building an effective QAIP is similar to establishing a total quality management programme where products and services are analyzed to verify that they meet stakeholder expectations, operations are evaluated to determine their efficiency and effectiveness, and practices are assessed to confirm their conformance to the standards. Maintaining an effective QAIP also requires leaders who are responsible for setting the proper tone in support of quality and continuous improvement.

The internal audit activity should consider all mandatory and recommended guidance elements of the IPPF to ensure that:

It is understood that through conformance with the Standards and the Code of Ethics, the internal audit activity also achieves alignment with other mandatory elements of the IPPF.

Stakeholder satisfaction defined by expected and preferred internal audit deliverables that produce value for the organization.

Operational effectiveness achieved by building quality “into” internal audit processes. Preventing mistakes is generally less costly than correcting mistakes.

Continuous improvement of internal audit activities accomplished through quality initiatives identified during the quality assessment process.

Management commitment to provide resources and tools necessary for a QAIP to succeed. Participation is expected by all members of the internal audit activity.

Key Tips:For the internal audit profession, it is important to ensure that internal audit activities maintain the highest possible standards of service delivery to the organizations they support. The IIA established the IPPF to guide the internal audit profession, and the mandatory elements of the IPPF—supported by recommended guidance—are the foundation for developing an internal audit activity’s QAIP.

CH

AP

TE

R 1



1.3 Requirements and Characteristics of QAIP

The requirements and characteristics of quality in an internal audit activity are defined by the IPPF, which consists of mandatory and recommended guidance, all provided within the context of the Mission of Internal Audit as defined in the IPPF. The Ministry of Finance has developed and issued Bhutan Government Internal Audit Standards contextualizing both Attributes and Performance Standards to the local requirements without undermining the integrity of the mandatory elements of the International Professional Practices Framework (IPPF).

Figure 1: IIA, International Professional Practices Framework

1.3.1 Mandatory Guidance

Mandatory guidance is considered essential for the professional practice of internal auditing. It consists of four elements:

Core Principles: The Core Principles for the Professional Practice of Internal Auditing are the foundation of the IPPF and support internal audit effectiveness.

Definition of Internal Auditing: The Internal Audit in Bhutan adopted the definition of Internal Audit as issued by IIA and accordingly developed their guidelines and policies. “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Code of Ethics: The Principles and Rules of Conduct of the Code of Ethics define ethical behavior for a professional internal auditor. The Internal Audit Charter and Internal Audit Code of Ethics issued by the Ministry of Finance are in line with the IPPF framework.

CH

AP

TE

R 1



Standards: The Standards are the central criteria that define the attributes and characteristics of performance for an internal audit activity, including the requirements for a QAIP. The Ministry of Finance has issued Bhutan Government Internal Audit Standards contextualizing both Attributes and Performance Standards to the local requirements without undermining the integrity of the mandatory elements of the International Professional Practices Framework (IPPF). The objectives of the BGIAS are to:● Establish a framework for providing internal audit service under the Royal

Government of Bhutan.● Establish basis for evaluation of internal audit performance.

1.3.2 Recommended Guidance

Recommended guidance describes practices for the effective implementation of the Core Principles, the Definition of Internal Audit, the Code of Ethics, and the Standards. It helps internal auditors to understand and apply the Standards, may provide insights into going beyond conformance to a higher level of value addition or may help in addressing issues of concern not related to a specific standard. It consists of two elements:

Implementation Guidance: Implementation Guides exist for each standard. They are intended to provide guidance to internal audit practitioners with regard to conformance with the Standards.

Supplemental Guidance: Supplemental guidance provides detailed guidance for conducting internal audit activities. Supplemental guidance includes topical areas, sector-specific issues, as well as processes and procedures, tools and techniques, programs, step-by-step approaches, and examples of deliverables. Examples of supplemental guidance currently include Practice Guides, Global Technology Audit Guides (GTAGs), and Guides to the Assessment of IT Risk (GAIT).

CH

AP

TE

R 2

@CCA, Ministry of Finance, December 2019Page 6


CH

AP

TE

R 2

@CCA, Ministry of Finance, December 2019 Page 7


2Establishment of Quality Assurance and Improvement Programme

CH

AP

TE

R 2



Chapter 2: Establishment of Quality Assurance and Improvement Programme

ISPPIA 1300 - Quality Assurance and Improvement Programme

The chief audit executive must develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity.

Interpretation:

A quality assurance and improvement programme is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The programme also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The chief audit executive should encourage board oversight in the quality assurance and improvement programme.

ISPPIA 1310 - Requirements of the Quality Assurance and Improvement Programme

The quality assurance and improvement programme must include both internal and external assessments.

The QAIP should encompass all aspects of operating and managing the internal audit activity—including consulting engagements—as found in the mandatory elements of the IPPF. Through conformance with the Standards and the Code of Ethics, the internal audit activity also achieves alignment with the Definition of Internal Audit and the Core Principles.

The CIA must develop and maintain QAIP that covers all aspects of the internal audit activity.

Elements of QAIP includes: A scope that includes all aspect of the IA activity, An evaluation of conformance with Standards & Code of Ethics, An assessment of the efficiency and effectiveness of Internal Audit activity, The identification of opportunities for continuous improvement. Involvement by the senior management (in case of Bhutan - Secretary of Finance) in

oversight of QAIP.

2.1 Considerations in Developing a QAIP

There are numerous ways to develop a QAIP, and the design should be appropriate to the size, structure, and nature of the internal audit activity. A key aspect to developing a QAIP is to determine:

The role of internal audit management and staff in the quality process.

The activities that are covered through ongoing monitoring, periodic self-assessment, or external assessments.

The frequency of self-assessments and external assessments.

The level of quality, or maturity, desired by the internal audit activity and expected by its stakeholders.

CH

AP

TE

R 2



2.2 Responsibility of QAIP

According to auditing standards, the CIA is responsible for developing and maintaining a quality assurance improvement programme (QAIP) so as to provide reasonable assurance to the stakeholders that the internal audit activity:

Performs in accordance with the Internal Audit Charter, which is consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Operates in an effective and efficient manner. Is perceived by the stakeholders as adding value and improving the organization’s

operations.

Internal auditors, as professionals, should be committed to delivering quality services. Allocating specific responsibilities for developing, delivering, and monitoring the QAIP will vary for each internal audit activity. Regardless, these accountabilities should be articulated in audit planning documentation to allow for the allocation of appropriate resources, as well as within the documented QAIP. Responsibility for specific QAIP activities should take into account the qualifications and experience of staff. It is important that all staff members are fully acquainted with the QAIP, and that specific staff members responsible for activities, such as periodic self-assessments, have appropriate credibility and authority within the internal audit activity.

2.3 Objective of the QAIP

The objective of the QAIP is to assess the internal audit activity, identify weaknesses and opportunities and make recommendations for the improvement of its effectiveness and efficiency. The assessments are focused on determining the internal audit activities:

It enables an evaluation of: Conformance with the Definition of Internal Auditing, the Code of Ethics, and

Standards. Adequacy of the charter, goals, objectives, policies, and procedures. Integration into the governance, risk management and control environment of the

entity. Compliance with applicable laws, regulations, and government or industry

standards. Contribution to the organization’s governance, risk management, and control

processes. Meeting the expectations of the Chief Executive, senior management and other

stakeholders, particularly in adding value and improving the organizations operations.

Efficiency and effectiveness in performing its mandate and has processes to facilitate continuous improvement, including adoption of best practices.

Effectiveness in staff development and the adoption of new audit methodologies and techniques.

CH

AP

TE

R 2



2.4 QAIP Framework

The framework for embedding quality assurance and continuous improvement into an internal audit activity considers three separate activities or sections within an internal audit activity: governance, professional practice, and communication. These activities are discussed further in Appendix 1: QAIP Components.

The QAIP framework assumes that quality is built in to (and not on to) the structure of the internal audit activity and that quality assessments are undertaken over the entire activity. As per the Standards, quality assessments take the form of ongoing monitoring, periodic self-assessment, and external assessment.

In order to assess that the internal audit activity has quality assurance and continuous improvement program embedded into the system, the QAIP Framework should cover at least the mandatory common elements, which are:

Coverage of the entire audit universe; Evaluation of conformance with the Definition of Internal Auditing, the Code of

Ethics, and the Standards; Assessment of the efficiency and effectiveness of the internal audit activity; and Identifying opportunities for improvement and involving senior management in

oversight of QAIP.

Figure 2: Quality Assurance and Continuous Improvement Program (QAIP) Framework

2.5 Some International Best Practices on QAIP

A quality assurance and improvement programme supports the conduct of internal audits that effectively and consistently result in value-addition to the internal audit functions. Some of the international best practices on QAIP followed by other countries

CH

AP

TE

R 2



2.5.1 India: Public Sector Internal Audit function in Central Civil Ministries / Departments

The quality assurance function followed in in Central Civil Ministries / Departments is summarized below:

S. No.

Control Element Control Objective SourceAssurance

Level1 Professionalism

(Due Care)Individual Auditor’s Work

Individual Individual Auditor

2 Supervisory Review

Engagement Supervisor within Line of responsibility

Audit Function Management

3 Internal Review Aggregate of Engagements or divisional Offices or Autonomous Audit Units

Supervisor/Peer Outside Line of Responsibility

Chief Audit Executive

4 External Review Audit Function as a whole

Qualified persons from Outside the Ministry/Department

Audit Committee

The primary quality assurance activities in public sector Internal Audit function in India includes training workshops and seminars, feedback from users of audit services, peer review and external reviews. The main objective of self-assessment, peer review and external reviews is to improve audit quality as a whole. While self-assessment is the responsibility of the Chief Audit Executive, peer reviews is conducted by members of IAWs of Ministries/Departments. External reviews are done by O/o CGA or outsourced reviewers from the IIA and comprise an examination of the audit plan, working papers, related audit report and follow-up activities and may be performed either prior to reports being finalized or at any time after they have been finalized. The deficiencies noted are rectified timely manner.

2.5.2 Philippines: Public Sector Internal Audit function

The Philippines government internal audit function has Internal chapter on Internal Audit Performance Monitoring and Evaluation as a part of their internal audit manual which covers the quality assurance mechanisms in public sector internal audit function. The public sector IA function of Philippines government is periodically assessed for performance and addressing opportunities for improvement which can help maximize the efficiency and effectiveness of the internal audit function. Following is the key activities of Philippines government IA function under Internal Audit Performance Monitoring and Evaluation:

The DS/HoA or GB/AuditCom is responsible for periodically reviewing the performance of the internal audit. They also approve the performance indicators used for Internal Audit Performance Monitoring and Evaluation.

Performance Monitoring by the Head of Internal Audit: The Head of IA have the responsibility over the performance and discipline of the IA staff. Head of IA directs the conduct of audit progress assessment based on a monitoring plan utilizing KPIs and conduct two types of performance monitoring, as follows: ● Review of Progress Assessment Report: It focuses on whether or not,

Audit objectives are met, Findings and recommendations are based on facts

CH

AP

TE

R 2



and substantial evidence, auditing standards are followed properly, Findings and recommendations promote the adequacy of internal control pursuant to applicable rules and regulations and High standards of ethics and efficiency of public officials and employees are observed pursuant to applicable rules and regulations. The Report is subject to the approval of the HoIA and audit team leaders ensures that audit engagements are assessed at the stage before exit conference.

● Review of Completion Assessment Report: It focuses on the Overall effectiveness and efficiency of the IAS/IAU in accordance with applicable rules and regulations, Findings and recommendations should be based on facts and substantial evidence, application of auditing standards, Findings and recommendations promote the adequacy of internal control pursuant to applicable rules and regulations and High standards of ethics and efficiency of public officials and employees are observed pursuant to applicable rules and regulations. The Report is subject to the approval of the HoIA and audit team leaders ensures that audit engagements are assessed at the conclusion of the activity.

Performance Evaluation by the DS/HoA or GB/AuditCom: The Secretary has the power for supervision and control of the Department. The IAS/IAU is an integral part of the Department which provides assistance to the DS/HoA or GB/AuditCom and performs functions delegated by the DS/HoA or GB/AuditCom. Work performance of the IAS/IAU is evaluated by the DS/HoA or GB/AuditCom as part of supervision and control. They monitor and evaluate the performance of the IAS/IAU either through: ● Review of the Internal Audit Report: During the review of the Internal

Audit Report submitted by IAU/IAS, the DS/HoA or GB/AuditCom ensures the following:- The internal auditing standards are adhered while performing IA

engagement.- All audit findings are formulated based on the 4Cs (criteria, condition,

conclusion, cause).- Findings are supported by sufficient audit evidence and the quantum of

evidence required to support an audit finding is substantial evidence. - Its recommendations are feasible, cost-effective and cost-efficient, find

sufficient basis in law, evidence-based and classified.- The audit risk and limitations are properly highlighted in the audit report

that may affect the conduct of the audit and may expose the organization to considerable risks.

● Review of the IAS/IAU Performance Report: At the close of every fiscal year, the DS/HoA or GB/AuditCom shall review the performance of the IAS/IAU through the various reports/outputs (i.e., baseline assessment report, assessment of control significance and materiality and control risk report, assessment of internal audit risk report, annual audit plan, audit engagement report, audit follow-up report and performance monitoring evaluation report) that are submitted to their office.

Oversight over IAS/IAU: In addition to the performance monitoring and evaluation conducted by the HoIA and the DS/HoA or GB/AuditCom, oversight functions over the IAS/IAU are also performed by the COA and the DBM.

CH

AP

TE

R 2



2.5.3 European Countries: Public Sector Internal Audit function

In accordance with Discussion paper no. 3 on Public Internal Control Systems in the European Union on Quality Assurance for Internal Audit (Ref. 2014-3), most of the members countries public sector Internal Audit function bases itself on the standards for the Professional Practice of Internal Auditing (part of the IIA’s International Professional Practices Framework – IPPF). In some countries, these internationally recognized standards are directly applicable in national legislation, while others have incorporated them into their national standards. Consequently, the basic IA standards referred to in this paper are these IPPF Standards. The IIA Standards on QAIP stress on the importance of quality assurance and improving IA, but which of the various approaches is actually taken depends on the level of maturity of the IA function.

In most of the countries, the Standards on Quality Assurance and Improvement issued by the Institute of Internal Auditors (IIA) is the starting point for development of QAIP framework for internal audit function. The QAIP practice followed by Internal Audit functions of Civil Ministries / Departments and most of EU countries are in line with IIA standards on QAIP. The process of monitoring and evaluation of Internal Audit functions of Philippines government is also based on the IPPF framework which requires to development of KPI by adopting appropriate indicators, implementing a rigorous performance measurement regime and acting on the results, can thus encourage acceptance of IA role within the organization. Further, the QAIP process in the above countries internal audit function is given in a chapter forming part of Internal Audit Manual issued by respective authority.

2.6 International Standards on QAIP

The Ministry of Finance has developed and issued Bhutan Government Internal Audit Standards contextualizing both Attributes and Performance Standards to the local requirements without undermining the integrity of the mandatory elements of the International Professional Practices Framework (IPPF). The standards are discussed in detail in subsequent chapters. The following International Standards for the Professional Practice of Internal Auditing (Standards) are relevant to the development of a QAIP:

CH

AP

TE

R 2



Figure 3: International Standards for the Professional Practice of Internal Auditing issued by IIA

2.7 Components of QAIP

A comprehensive QAIP normally includes three components as follows: Ongoing supervision and monitoring of quality assurance by the CIA and senior

auditors. Periodic internal assessments of the internal audit activities. Periodic external assessments of the internal audit activities and validation of

conformance with the Standards.

Figure 4: Component of QAIP

CH

AP

TE

R 2



To achieve comprehensive coverage of all aspects of the internal audit activity, a QAIP must effectively be applied at three fundamental levels (or perspectives):

2.7.1 Internal Audit Engagement Level (self-assessment at the audit, engagement, or operational level):

The engagement supervisor (either a Senior Internal Auditor or the CIA) is responsible for providing assurance that:

Appropriate processes have been used to translate audit plans into specific, appropriately resourced audit engagements.

Planning, fieldwork conduct, and reporting/communicating results conform to the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Appropriate mechanisms are established and used to follow-up management actions in response to audit recommendations.

Post-engagement client surveys, lessons learned, self-assessments, and other mechanisms to support continuous improvement are completed.

2.7.2 Internal Audit Activity Level (self-assessment at the internal audit activity or organizational level):

The CIA is responsible for providing assurance that: Written policies and procedures, covering both technical and administrative

matters, are formally documented to guide audit staff in consistent conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Audit work conforms to written policies and procedures. Audit work achieves the general purposes and responsibilities described in the

internal audit charter. Audit work conforms to the Definition of Internal Auditing, the Code of Ethics, and

the Standards. Internal audit work meets stakeholder expectation. The internal audit activity adds value and improves the organization’s operations. Resources for the internal audit activity are efficiently and effectively utilized.

2.7.3 External Perspective (independent external assessment of the entire internal audit activity including individual engagements):

The CIA must ensure that the internal audit activity undergoes an external assessment (either an independent external assessment or a self-assessment with independent validation), at least once every five years by an independent assessor or assessment team from outside the organization that is qualified in the practice of internal auditing as well as quality assessment process.

External assessors express an opinion on the entire spectrum of assurance and consulting work performed (or that should have been performed) by the internal audit activity, including its conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. Assessors also conclude on the efficiency and effectiveness of the internal audit activity in following its charter and meeting the expectations of stakeholders.

CH

AP

TE

R 3



CH

AP

TE

R 3

Page 17@CCA, Ministry of Finance, December 2019


3 Internal Assessment

CH

AP

TE

R 3



Chapter 3: Internal Assessment

ISPPIA 1311 – Internal assessments

Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic self-assessments or assessments by other persons within the organization

with sufficient knowledge of internal audit practices.

Interpretation:

Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity by the Internal Auditors of IAUs. The Internal Auditors of IAUs should incorporate ongoing monitoring into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards.

Periodic self-assessments are conducted to evaluate conformance with the Code of Ethics and the Standards. The Chief Internal Auditor of IAU/CCA and senior Internal Auditor of IAUs should have sufficient knowledge of internal audit practices which requires at least an understanding of all elements of the International Professional Practices Framework to conduct an effective periodic self-assessment.

As Standard 1311 indicates, the Chief Internal Auditor is responsible for ensuring that the internal audit activity conducts an internal assessment that includes both ongoing monitoring and periodic self-assessments. Internal assessments validate that the internal audit activity continues to conform with the International Standards for the Professional Practice of Internal Auditing (Standards) and the Code of Ethics. The Chief Internal Auditor understands that the internal assessments focus on continuous improvement of the internal audit activity and involve monitoring its efficiency and effectiveness.

3.1 Implementation of Internal Assessment

The two parts of internal assessments, ongoing monitoring and periodic self-assessments, provide an effective structure for the internal audit activity to continuously assess its conformance with the Standards and check whether internal auditors of IAU apply the Code of Ethics or not. Additionally, the Internal Auditors of IAU may allow for identification of opportunities for improvement.

3.2 Benefits of Internal Assessment

Following are the key benefits of an internal assessment: Continuous Improvement; Becoming more forward-looking in approach and experiencing greater alignment

with Internal Audit activity’s strategies and objectives; Enhanced Internal Audit productivity by eliminating non-value-added activities; Improved Internal Audit staff morale due to the focus on process improvement; Greater adaptability in implementing incremental changes resulting in greater

responsiveness to stakeholders’ expectations.

CH

AP

TE

R 3



3.3 Ongoing Monitoring

The most important method for continuously assessing quality is management oversight of internal audit work. Adequate monitoring from the beginning to the end of the engagements is a fundamental element of a QAIP. The objective of ongoing monitoring is to be achieved by CIA or Internal Auditors of IAUs through continuous activities such as proper engagement planning and supervision, standardized work practices, workpaper procedures and signoffs, report reviews, as well as identification of any weaknesses or areas in need of improvement and action plans to address them. Ongoing monitoring helps the Internal Auditors/Chief Internal Auditor of IAUs to determine whether internal audit processes are delivering quality on an engagement-by-engagement basis.

Ongoing monitoring provides assurance that the processes in place are working effectively to ensure quality is delivered on an audit-by-audit basis. It is primarily achieved through continuous monitoring activities. The ongoing monitoring element of the QAIP would primarily address conformance with the following Standards since they are intended to address quality on an audit-by-audit basis and relate primarily to engagement activities:

ISPPIA 2200- Engagement Planning ISPPIA 2300- Performing the Engagement ISPPIA 2400- Communicating Results ISPPIA 2500- Monitoring Progress

3.3.1 Some Important facts about Ongoing Monitoring

In addition to validating conformance with the Standards, ongoing monitoring may identify opportunities to improve the internal audit activity. In such cases, the CIA typically addresses these opportunities and may develop an action plan. Results of ongoing monitoring should be reported to the Chief Internal Auditor at least annually, as required by Standard 1320 – Reporting on the Quality Assurance and Improvement Programme.

Figure 5: Ongoing Monitoring Reporting Aspects

CH

AP

TE

R 3



The Deming Cycle (or Plan-Do-Check-Act cycle) provides a possible structure in establishing the QAIP. An internal auditor needs to apply the Deming Cycle to the ongoing monitoring portion of the QAIP. The steps in the Deming Cycle are as follows:

Plan means establishing expectations for operating a process to meet specific objectives, goals, or deliverables.

Do means executing the process and collecting data for analysis and follow-up in the Check and Act steps of the cycle.

Check is the step where actual results are compared to expected outcomes and differences are analyzed.

Act is where feedback is provided to the operators of the process to reinforce expectations established in the previous Plan step. It is in this step that improvements to the process are identified and implemented.

Figure 6: Example of Deming Cycle to the ongoing monitoring

Note: The above examples are for illustrative purpose and reference only and are not intended as a comprehensive or complete list of activities. The actual deeming cycle at respective Internal Audit unit may vary.

Key Tips:

Generally, ongoing monitoring occurs routinely throughout the year via the implementation of standard work practices. To facilitate this, the CIA of CCA may develop templates for internal auditors to use throughout engagements, ensuring consistency in the application of the Standards.

Adequate supervision is a fundamental element of any quality assurance and improvement programme (QAIP). Supervision begins with planning and continues throughout the performance and communication phases of the engagement. Adequate supervision is ensured through expectation-setting, ongoing communications among internal auditors throughout the engagement, and workpaper review procedures, including timely sign-off by the individual responsible for supervising engagements.

CH

AP

TE

R 3



ISPPIA 2340 – Engagement Supervision provides further guidance on internal audit supervision

The ongoing monitoring applies to all assurance and consulting assignments and should achieve the objectives described in Standard 2340 – Engagement Supervision which states,

“Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.”

This standard also requires that appropriate evidence of supervision is documented and retained. This documentation provides assurance that ongoing monitoring is incorporated into the routine policies and practices that are used to manage the internal audit activity. In other words, a quality review must be performed for each engagement. This review provides an opportunity for ongoing evaluation, coaching, and feedback for each auditor assigned to the engagement.

3.3.2 Mechanisms of Ongoing Monitoring

The mechanisms commonly used for ongoing monitoring include: Checklists or automation tools to provide assurance on internal auditors’

compliance with established practices and procedures and to ensure consistency in the application of performance standards. Refer Appendix 2 for checklist on Ongoing Monitoring for details.

Feedback from internal audit clients and other stakeholders regarding the efficiency and effectiveness of the internal audit team. Feedback may be solicited immediately following the engagement or on a periodic basis (e.g., semi-annually or annually) via survey tools or conversations between the CIA and management. Refer Appendix 3 for example of Stakeholder Survey sent after Internal Audit is completed for details.

Staff and engagement key performance indicators (KPIs), such as the number of certified internal auditors on staff, their years of experience in internal auditing, the number of continuing professional development hours they earned during the year, timeliness of engagements, and stakeholder satisfaction.

Other measurements that may be valuable in determining the efficiency and effectiveness of the internal audit activity. Measures of project budgets, timekeeping systems, and audit plan completion may help to determine whether the appropriate amount of time is spent on all aspects of the audit engagement. Budget-to-actual variance can also be a valuable measurement to determine the efficiency and effectiveness of the internal audit activity.

The IT application such as Audit Management System can also support Internal Auditors of IAU or CIA to perform ongoing monitoring of Internal Audit activity. The AMS is a work flow which contains the entire life cycle of the Internal Audit starting from planning, execution, and reporting to monitoring. Hence, IA of IAU can perform the Ongoing Monitoring with the use of AMS. Following are the activities of ongoing monitoring that can be monitored in AMS:

Engagement Planning (ISPPIA 2200): The AMS has functionality of setting the risk parameters for whole of the audit universe of a government agency. The risk parameters can be ranked in terms of high, medium or low. The audit units can

CH

AP

TE

R 3



be selected based on audit-risk ranking. This activity is considered as risk-based selection of audit units. It can be monitored through AMS, whether Internal Auditor has given due consideration while identifying the risk parameters by assigning suitable weights whether Internal Auditor has selected the audit unit based on results of AMS risk ranking , and whether the annual plan prepared are through the risk ranking shown by AMS or based on deviations, if any..

The Audit Engagement letter can be prepared and sent through AMS to respective audit units. It can be monitored whether all the engagement letters are sent through AMS. The progress of audit planning can also be monitored in AMS (for example, status on which of the planned audits have been initiated and engagement letter sent to audit units). Further, it can be used to identify whether the engagement letter contains audit objective, audit scope, tentative work programme, etc. as required by the ISPPIA 2210 – Engagement Objectives, ISPPIA Engagement Scope, ISPPIA 2240 – Engagement Work Programme.

Performing Engagement (ISPPIA 2300): The IA can perform the audit, maintain a daily diary, issue audit memos and fill checklist (i.e. documenting audit unit response) through AMS. The audit unit can view the number of audit memos issued and provide responses to the auditor with documentary evidence. The ongoing monitoring includes review of the process of reporting the audit memo and the basis of dropping the audit observation. The AMS contains a log on number of audit memos issued along with the number of audit memos converted to audit paras. This trail will help auditors in monitoring whether sufficient and appropriate response has been obtained, which let the auditor to believe that the observations should or should not be reported.

Communicating Results (ISPPIA 2400): The proposed AMS system has functionality of preparing audit reports from the AMS itself. This will help in achieving standardization. The report should be based on 5 Cs. i.e. Criteria (what should be), Condition (the current state), Cause (the reason for the difference), Consequence (effect) and Corrective action plans/recommendations. During ongoing monitoring, the auditor can review whether the reporting has been done on the basis of 5 Cs or not. The auditor can also monitor from AMS if all the observations from audit memos for which sufficient and appropriate evidence was not provided has been reported as audit para in the audit report. This can be done by comparing the number of audit paras with the number of audit memos not rejected and selected as “reported as audit para” in the system.

Monitoring Progress (ISPPIA 2500): Through AMS the CIA/IA of IAU can monitor the progress of audit, determine the current stage of audit, status of audit para compliance and identify the audits due in next month / quarter. Through the dashboard the auditor can monitor the number of audit recommendations implemented, identify which has most of the observations, and which amongst them are the repetitive observations. All these shall help in monitoring the audit and develop an action plan for an efficient and effective internal audit.

3.4 Periodic Self-Assessment

Periodic self-assessments have a different focus than ongoing monitoring in the sense that they generally provide a more holistic, comprehensive review of the Standards and the internal audit activity. In contrast, ongoing monitoring is generally focused on reviews conducted at the engagement level. Additionally, periodic self-assessments address

CH

AP

TE

R 3



conformance with every standard, whereas frequent ongoing monitoring is more focused on the performance standards at the engagement level.

Periodic self-assessments should be conducted by Chief Internal Auditor or Senior Internal Auditor of the IAU/CCA. A dedicated quality assurance team or individual within the internal audit activity who has extensive experience with the International Professional Practices Framework (IPPF), Certified Internal Auditors, or other competent internal audit professionals may be assigned.

Key Tips:

Periodic self-assessments may be conducted by a Senior Internal Auditor/CIA of IAU / Chief Internal Auditor or by other persons within the organization with sufficient knowledge of internal audit practices, specifically the Standards and Code of Ethics.

3.4.1 Some Important facts about Periodic Self-Assessment

Figure 7: Periodic Self-Assessment Reporting Aspects

3.4.2 Focus of Periodic Self-Assessment

The internal audit activity conducts periodic self-assessments to validate its continued conformance with the Standards and Code of Ethics and to evaluate:

Conformance with the internal audit charter and the IIA’s Definition of Internal Auditing;

The quality of the audit work, including adherence to the internal audit methodology for selected engagements;

The quality of supervision; The adequacy and appropriateness of internal audit policies and procedures; The way the internal audit function adds value; The achievement of key performance standards/indicators; The degree to which stakeholder expectations are met.

CH

AP

TE

R 3



The periodic self-assessment elements of QAIP address conformance with the following Standards:

Figure 8: Periodic Self-Assessment element of QAIP

Refer Appendix 4 checklist on Periodic Self-Assessment to assess each of the above standards.

Refer Appendix 10 Guidance on Internal Audit Self-Assessment Methodology.

The periodic self-assessment should also assess results of ongoing monitoring. Applying the Deming Cycle to these additional elements of the QAIP might look like:

Figure 9: Example of Deming Cycle to the Periodic Self-Assessment

Note: The above examples are for illustrative purposes and reference only and are not intended as a comprehensive or complete list of activities. The actual deeming cycle at respective Internal Audit unit may vary.

CH

AP

TE

R 3



Following a periodic self-assessment, where appropriate, the CIA of CCA may develop an action plan to address opportunities for improvement. This plan should include proposed timelines for actions. Results of periodic self-assessments, which indicate the internal audit activity’s level of conformance with the Standards and Code of Ethics, must be communicated to the board upon completion, as required by Standard 1320.

Example

Case Study 1While performing periodic-self assessment of one of the IAUs at Ministry, CIA comes across a situation where he/she finds that the Internal Audit staff member is not aware of due professional care standards (e.g. extent of work needed to achieve the engagement’s objectives, use of technology-based audit and data analysis techniques, cost of assurance in relation to potential benefits as required by Standard 1220). What would you Recommend in this case?

Recommendation: Perform a competency assessment to identify competency gaps and develop a formal Internal Audit training programme by level and competency for the Internal Audit Staff.

Case Study 2Internal Audit plan of a government agency historically has covered mostly financial and compliance risks and had limited coverage of operation or strategic risks. What would be the corrective action plan in this scenario?

Recommendation: The scope of the future IA plans should cover key risks across the agency (strategic, operations, compliance and financial). In addition, IA should consider including “strategic” as an audit category so that there is a clear linkage between audit-risk categories.

Further, there should be a clear linkage of top tier risks to audit plan and those risks not covered by IA. Also, there should be a provision to identify who is providing assurance related to those risks.

Case Study 3What if

a) Internal Audit function is heavily reliant on a few key people.b) A formal IA training programme does not exist. Additionally, there is no formal

competency assessment performed on a periodic basis to identify resource or knowledge gaps.

Recommendations: Implement one of the following models to bridge the competency gap:

Implement a formal people-rotational model in which resources rotate between IA and other entities (Ministry, Dzongkhag etc.) for an extended period of time.

Utilize a guest auditor programme that allows subject matter resources to supplement core team for specific audits that require a certain expertise that the government agency has in-house.

CH

AP

TE

R 3



Develop a competency assessment model to identify gaps in skill sets of IA and determine appropriate way to obtain that skill set to effectively audit key risks of the entity.

Develop a formal IA training programme by level (e.g., management/business acumen skills for auditors in supervisory roles) and competency.

Case Study 4The audit plan of IAU at an autonomous body is consistent with the IA Charter and department goals, and is developed using a risk-based approach, and the risk assessment is updated annually. The Audit plan is approved by the head of government agency and consists of matters needed or requested by the management. Also, the Chief Internal Auditor /Senior Internal Auditor of IAU regularly communicates the results of Internal Audit activities to the head of government agency. However, the observation during periodic self- assessment are as follows:

Complex risk assessment process, causing difficulty to align audits to the risks that matter.

Internal Audit policies and procedures are not adequately documented. Efforts with respect to follow-up, analysis of deviations from budget and corrective

actions is inadequate. Internal Audit reports are not issued timely. Internal Audit group is not actively involved in new system implementations and

significant change initiatives.

What will you recommend in this scenario?

Recommendations: Review policies and procedures for missing components and details to expand

Internal Audit function. Include procedures to update the audit plan based on re-evaluation of key risks. Update to include full coordination and integration of risk assessment / audit

planning in internal audit activities. Consider placing more emphasis on performing follow-ups, analysis of deviations

from budget and corrective actions. Change model to be an annual risk assessment versus a project risk assessment. Change risk assessment process. Reduce the length of time needed to perform the risk assessment. While the

Internal Audit risk assessment process covers a broad array of the enterprise risks, the process could be further reduced to focus on linking potential audits to enterprise risks, rather than taking time to plan, scope and validate audits to be performed.

Revisit risk universe not just annually, but as and when needed throughout the year.

Internal audit risk assessment should be linked to the organization’s risk management framework and the identified risks.

CH

AP

TE

R 3



3.5 Considerations for Demonstrating Conformance

Multiple items may indicate conformance with Standard 1311, including any evidence that ongoing monitoring activities were completed according to the internal audit activity’s QAIP. Examples may include completed checklists that support workpaper reviews, survey results, and KPIs related to the efficiency and effectiveness of the internal audit activity, such as an analysis of budget-to-actual engagement hours. In addition, conformance may be demonstrated by documentation of completed periodic assessments, which include the scope of the review and approach plan, workpapers, and communication reports. Finally, presentations to the Secretary of Finance, meeting minutes, and the results of both ongoing monitoring and periodic self-assessment — including corrective action plans and corrective actions taken to improve conformance, efficiency, and effectiveness — may indicate conformance.

CH

AP

TE

R 4



CH

AP

TE

R 4



4 External Assessment

CH

AP

TE

R 4



Chapter 4: External Assessment

ISPPIA 1312– External Assessments

External assessments must be conducted at least once every five years by a qualified, in-dependent assessor or assessment team from outside the organization. The chief Internal Auditor must discuss with the Finance Secretary:

The form and frequency of external assessment. The qualifications and independence of the external assessor or assessment team,

including any potential conflict of interest.

Interpretation: External assessments can be accomplished through a full external assessment, or a self-assessment with independent external validation. The external assessor must conclude as to conformance with the Code of Ethics and the Standards; the external assessment may also include operational or strategic comments.

A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The Chief Internal Auditor uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified.

An independent assessor or assessment team means, not having either an actual or a perceived conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs. The Chief Internal Auditor should encourage Finance Secretary’s oversight in the external assessment to reduce perceived or potential conflicts of interest.

4.1 External Assessment

External quality assessments evaluate conformance of the internal audit function with the Internal Audit Charter, guidelines and directives issued by the MoF, definition of Internal Auditing, the Code of Ethics, the Standards and additionally with internal auditing best practices.

As a coordinating agency for Internal Audit Service under the Royal Government of Bhutan, the Central Coordinating Agency under Ministry of Finance must develop and maintain a quality assurance and improvement programme that covers all aspects of the internal audit activity. Along with conducting internal assessment for internal audit units under the Royal Government of Bhutan, CCA must also make arrangements to conduct external assessment in IAUs every five years by a qualified and independent reviewer from outside the organization.

The provision of an effective internal audit service is a government objective, provided for in the Public Finance Act. It would be more useful, effective and cost-efficient if a unified External Assessment of the overall function of the IAS within RGoB, and encompassing all

CH

AP

TE

R 4



the IAUs within the service, were conducted as a whole. The CCA should coordinate with all IAUs and arrange for a unified External Assessment at least once every five years.

The CIA of CCA must discuss with the top management of the line agency on scope, form and also qualification and independence of the external assessor including possible conflict of interest.

The CCA and all the IAUs should cooperate with and facilitate the work of the reviewers appointed to conduct the external assessment so that the exercise will be useful in helping further strengthening the Internal Audit Services as an effective organ of the RGoB.

Key Tips:

1. For a QAIP to be deemed effective, CIA of CCA should expect external assessors to affirm what the CIA of CCA is measuring in regard to conformance with the Standards and the Code of Ethics through the periodic self-assessment process and reporting of results to key stakeholders. The CIA’s report of the periodic self-assessment may be used as a basis for assessment by an external assessor.

2. Proper documentation should be maintained by the CIA of CCA as evidence of an effective QAIP in the established Internal Audit activity. This includes charters, policies, procedures, metrics, audit reports, annual audit plans, engagement workpapers, staff training records, etc. External assessors would want to examine relevant documentation that describes key elements of the QAIP.

4.2 Implementation of External Assessment

The decision to schedule an external assessment often results from the CIA’s requirement to perform an external assessment every five years. The CIA of CCA might consider other factors when determining specific timing and scope for this review:

Does the CIA believe that the internal audit activity generally conforms with the Standards and the Code of Ethics?

Is the documentation describing the QAIP comprehensive and complete? Have feedbacks from key stakeholders been incorporated into the QAIP? Have discussions with the Finance Secretary established additional expectations

related to operational or strategic goals?

As noted in Standard 1312 – External Assessments, CIAs can choose from two methodologies for external assessments.

A full external assessment, or An independent, external validation of the CIA’s self-assessment of the internal

audit activity.

Both the methodologies require that they can be conducted by a qualified, independent assessor or assessment team from outside the organization. The qualified, independent assessor or assessment team must demonstrate competence in two areas:

The professional practice of internal auditing and; The external assessment processes.

CH

AP

TE

R 4



Several factors may influence the CIA’s decision in selecting an appropriate external assessment method to review the internal audit activity’s QAIP. This is an area where the Finance Secretary might take an active role in oversight of the QAIP as suggested in the Standards.

Some Important facts about External Assessment

Figure 10: External Assessment Reporting Aspects

4.3 Full External Assessment

The external assessment process, including planning, fieldwork, and reporting activities, are described to facilitate the execution of a full external assessment. Where appropriate, references are made to Appendices used to document the assessment. These appendices are found in the last chapter of this guideline.

Figure 11: Approach to the full external assessment process

CH

AP

TE

R 4



4.3.1 Planning

The five points of the planning process, if followed by the external assessment team leader, enhance the customer’s involvement in and satisfaction with a value-added experience:

Set scope and objectives: Agree on the scope, objectives, and timing of the full external assessment.

Select and prepare the team: Select and train (as needed) the full external assessment team.

Request planning documents: Request and review the planning guides completed by the internal audit activity and clarify any questions or concerns.

Arrange preliminary visit: Conduct a preliminary visit or teleconference to gather further information, finalize the work plan, select and schedule interviews with the internal audit activity’s key stakeholders and internal audit management and staff, and prepare for the on-site visit.

Distribute surveys: Distribute the executive leadership and operating management and Internal Audit staff surveys to participants.

4.3.1.1 Set Scope and Objectives

The scope includes key elements: The internal audit activity charter that documents the purpose, authority, and

responsibility of the internal audit activity and is approved by the board. The expectations of the internal audit activity expressed by the oversight group,

executive management, and any other stakeholders. The entity’s control environment and the CIA’s audit practice environment. The focus on evaluating governance processes, risk, and assessing organizational

controls in audit plans. The integration of internal audit into the organization’s governance processes,

including the combined assurance relationships and communications between the key governance groups and assurance providers involved in that process, and the alignment of audit objectives and plans with the objectives of the entity as a whole.

The IPPF and any other legal requirements laid down for the internal audit activity within Bhutan.

The objectives achieved in a full external assessment: Provide an opinion on the internal audit activity’s conformance with the Standards

and the Code of Ethics. Assess the efficiency and effectiveness of the internal audit activity in light of its

charter; its processes and infrastructure, including the QAIP; the mix of knowledge, experience, and expertise, and the expectations of the Finance Secretary, management, other stakeholders & assurance providers, and the CIA.

Consider the internal audit activity’s current needs and objectives, as well as the future direction and goals of the organization. Appraise the risk to the organization if the results indicate that the internal audit activity is performing at a less than effective level or is not in conformance with one or more of the Standards.

If applicable, identify opportunities and offer ideas to the CIA and staff for improving the effectiveness of the internal audit activity, thereby raising the value added to the management and the audit committee.

CH

AP

TE

R 4



The objectives listed can be modified and others can be added based on the scope and terms of reference as agreed between Chief Internal Auditor of CCA and External Assessor.

4.3.1.2 Select and Prepare the Team

As noted in the Interpretation to Standard 1312 – External Assessments, “A qualified assessor or assessment team demonstrates competence in two areas:

the professional practice of internal auditing and ; the external assessment processes. Competence can be demonstrated through a

mixture of experience and theoretical learning.

Key Tips:

Qualified individuals are persons with the technical proficiency, internal audit experience, business experience, and educational background appropriate for the audit activities to be assessed. This could include internal auditors from outside the organization, independent consultants, or independent external auditors, but preferably not the external audit firm that audits the organization’s financial statements, or consultants providing any co-sourcing for the entity. “From outside the organization” means not a part of, or under the control of, the corporate entity.

The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified.

Standard 1312 – External Assessments specifies that the full external assessment must be conducted by a qualified, independent assessor or assessment team from outside the organization.

Example:

Following is a list of the possible qualifications and criteria by which the CIA can assess the competence of a full external assessment team. Specific engagements may require additional unique qualifications.

Experience ● The full external assessment team should comprise personnel of at least

managerial level. ● The team leader should have experience that is comparable to that of the CIA

of the internal audit activity being assessed. ● The team leader should be a competent, and certified Internal Audit

professional. ● Each team member should have a thorough understanding of current internal

audit practices, the IPPF and its application, sound judgment, and good communication and analytical skills.

● The full external assessment team should possess or have ready access to all of the necessary technical expertise (e.g., governance, IT, risk management, internal audit attributes, management consulting, and internal audit management).

● Knowledge of the organization’s industry, service, or internal audit activity by at least one team member is an important consideration to be evaluated by the customer.

CH

AP

TE

R 4



Objectivity● The full external assessment team should objectively consider the

expectations of the Finance Secretary, and the CIA; the audit structure, the policies & procedures of the organization and the internal audit activity.

● To ensure freedom from bias in the full external assessment, there should not be any relationship, either directly or indirectly, between the organization and the full external assessment team that is, or appears to be, a conflict of interest. Such relationships could significantly negate the benefits of the full external assessment.

4.3.1.3 Request the Planning Documents Completed by the Internal Audit Activity

The full external assessment process becomes easier when planning documentation is completed by the internal audit activity before the on-site visit by the team. The team leader requests relevant documentation from the CIA of CCA to enable work to begin on the full external assessment prior to the on-site visit. A comprehensive list of planning documentation necessary for the full external assessment is provided to the CIA for completion, as well as survey invitations to be responded to by executive leadership, operating management, and internal audit staff.

4.3.1.4 Arrange a Preliminary Visit (or Teleconference)

The full external assessment team leader should arrange a preliminary visit or teleconference with the CIA to:

Meet the CIA and other staff that may be assisting the team during the on-site visit. Clarify any misunderstandings regarding the planning documentation. Ensure that all documents requested per the checklist can be provided. Ensure that there are no misunderstandings regarding the time, venue, scope, and

objectives of the full external assessment. Identify the executive leadership, operating management, internal audit activity

staff, and other key stakeholders with whom meetings will be arranged. Agree on the list of participants for the surveys: executive leadership, operating

management, and internal audit activity staff.

The full external assessment team leader should keep minutes (or a summary) of the meeting for later attention and impressions of the organization.

4.3.1.5 Distribute Surveys

Distribute the Executive Leadership, Operating Management and Internal Audit Staff surveys to participants.

CH

AP

TE

R 4



4.3.2 Off-Site Work (To be completed prior to On-site Visit)

The full external assessment team leader should review the planning documentation and all planning guides and documents noted on the document request list provided by the CIA before visiting the organization. This will help to plan the work outlined in the programmes that will be performed on-site.

The CIA should complete the two surveys and provide his or her best assessment of how executive leadership, operating management, and the internal audit activity staff will respond to each statement. Comparing the CIA’s responses with survey results from the executives, operating managers, and internal audit staff, will provide the full external assessment team with possible opportunities for improvement and would help identify areas of strength for the internal audit activity.

Summarize the survey results for feedback to the CIA. Areas of significant divergence between CIA responses and those of survey participants should be investigated by the full external assessment team during their interviews.

The full external assessment team (with input from the CIA during the on-site visit) will need to interpret whether survey information has identified positive or negative ratings or trends. The CIA should be encouraged to use this information during training sessions with internal audit activity staff to emphasize positive results and highlight areas that need improvement.

4.3.3 On-Site Work

On-site work is the most comprehensive element of a quality assessment and includes the following:

Interview selected members of the management, operating managers, and internal audit units and staff, and focus on organizational risks, objectives, and the internal audit activity’s effectiveness for staying current and adding value, with respect thereto is one of the most valuable on-site activities. Interviews allow for in-depth exploration of issues raised by survey results, and the perceptions gathered from interviews should be investigated further and corroborated whenever possible, complete with hard evidence. It is best to conduct these interviews at the beginning of the on-site visit, but they may continue throughout the visit to accommodate the busy schedules of executive management.

Consider the work of other monitoring and assurance functions. Determine if any reliance is placed on the work of other assurance functions and the mechanisms in place to support this reliance. ● Determine if the CIA is responsible for other areas beyond internal auditing;

and if so, the mechanisms in place to actively manage the actual or perceived impairments to independence or objectivity this might cause.

● Review the internal audit activity’s audits and consulting engagements, reports, and supporting documentation and its administrative and operating policies, practices, procedures, and records.

Determine if the staffing knowledge and skills, especially in IT, risk assessment, controls monitoring, interaction with governance participants, successful practices, and other areas, will pinpoint evidence of continuous improvement.● Review reports and communicate with management and the board (audit

committee) to assess the extent that the internal audit activity meets objectives and adds value.

CH

AP

TE

R 4



● Review and assess the coordination of the internal audit activity with the work of the independent auditors.

● Evaluate the internal audit activity’s conformance with the Standards and Code of Ethics and other relevant policies and procedures,

● Review the quality/process improvement actions currently underway and planned for the near term. Also consider successful practices appropriate to the organization’s environment.

The on-site process is a cumulative experience for the team. Therefore, frequent discussions are held, and information is assessed to offer practical suggestions reflecting the current thinking of the profession.

The time spent for on-site work should be determined by such factors as the size of the internal audit activity, workpaper reviews, and interview schedules. On-site work typically lasts for one to two weeks, depending on the scope of work, objectives of the full external assessment, the size & geographic dispersion, and structure of the internal audit activity.

4.3.4 Evaluate and Report

4.3.4.1 Evaluate Against the IPPF

The most important aspect of the full external assessment is the team’s evaluation of the internal audit activity’s conformity with the Standards and the Code of Ethics, its adherence to its charter, the extent of its adoption of successful practices, and its programme of continuous improvement. These evaluations may also identify additional opportunities for continuous improvement. This process is the culmination of the full external assessment team’s analysis of surveys, interviews, and documentation.

As appropriate, the full external assessment team will provide the CIA with recommendations for the internal audit activity to enhance conformance with the Standards & the Code of Ethics, add value for clients, and be a catalyst for positive change in the organization. Finally, the full external assessment team will exercise its professional judgment to render an opinion as to the level of conformance with the Standards and the Code of Ethics by the internal audit activity.

4.3.4.2 Summary of Issues, Recommendations, and Closing Conference

Issues should be brought to the attention of the CIA and discussed as appropriate as they come up throughout the full external assessment. The closing conference should be regarded as an opportunity to summarize and formalize the views of the full external assessment team and the CIA.

The full external assessment team’s evaluation process emphasizes successful practices and the issues that require attention. It is desirable to prepare a written summary of the successful practices, observations, and recommendations for those attending the closing conference. This written summary provides the team leader and team members with a framework for the closing conference.

The CIA, with advice from the full external assessment team leader, will decide who will attend the closing conference. Since the individual observations should have been discussed with internal audit management throughout the full external assessment, the closing conference should hold no surprises. It should be an orderly discussion of the significant issues, conclusions, and recommendations. It also provides the CIA with an opportunity to comment on the observations and recommendations.

CH

AP

TE

R 4



4.3.4.3 Reporting

A draft report is prepared either before or after the closing conference. When the full external assessment team leader completes the draft, copies are sent to the team for comment within a specific time frame. Comments are considered and, as appropriate, incorporated into the draft report before it is sent to the CIA. The CIA is asked to respond to the recommendations and provide an action plan.

The final report, in conjunction with the CIA’s response or action plan, will typically be addressed to the CIA with the expectation that copies will be distributed to representatives of the internal audit oversight body and the executives to whom the CIA reports (i.e. Finance Secretary). Copies of the full external assessment report should also be addressed to the individuals or groups initiating the full external assessment.

4.4 Self-Assessment with Independent Validation

As noted in Standard 1312 – External Assessments, “External assessments may be accomplished through a full external assessment, or a self-assessment with independent validation.”

A self-assessment with independent validation includes a comprehensive and fully documented self-assessment process that requires the CIA to complete the self-assessment work, and normally provides limited attention to benchmarking, review, and consultation related to successful internal audit practice. Essentially, the CIA oversees the efforts of an internal assessment team that completes planning documentation, performs assessment work programmes, evaluates conformance with the Standards and Code of Ethics, and produces a report summarizing assessment results.

The same work needs to be performed and documented for a self-assessment with inde-pendent validation as for a full external assessment (see section 4.3 Full External Assess-ment). The self-assessment should be performed with the same level of due professional care found in performing other internal audit engagements and should be structured in a manner that fully documents and supports planning, fieldwork, and reporting activities.

The independent external assessor or assessment team validates the work of the internal assessment team through review of assessment planning documentation, re-performing a sample of assessment work programme steps, conducting interviews with key stakeholders (Finance Secretary, executive leadership, operating management, internal audit management and staff), and assessing the conformance conclusions reported by the internal assessment team.

The internal assessment team should expect to submit all of its documentation related to assessment planning, assessment work programmes, and its final assessment report to the independent external assessor or assessment team well in advance of any on-site visit by the external assessor to perform the validation activities.

4.4.1 Defining the Scope of Assessment

The primary objective is to assess conformance with the Standards and Code of Ethics. Through consultation with the senior management, the CIA should define the scope of the self-assessment with independent validation, which may include feedback on potential leading practices or identification of opportunities for enhancing existing internal audit activity processes.

CH

AP

TE

R 4



4.4.2 Planning

A well-established QAIP provides a solid framework for achieving a successful self-assessment with independent validation. The documentation, assessments, metrics, and reporting that comprises of internal audit activity’s QAIP should be useful in preparing much of the material required to perform the assessment.

Planning, scheduling, and staffing the self-assessment should follow the same process the internal audit activity uses to execute and control any assurance or consulting engagement. Assigning resources necessary to complete the self-assessment should be part of the annual plan for the internal audit activity for the year in which the self-assessment with independent validation is to be performed. Progress updates regarding the self-assessment should be included with status reporting for all other engagements in the process as a component of periodic reporting to senior management and the board.

Key considerations for determining resource requirements and preparing a schedule of activities for self-assessment with independent validation include:

An evaluation of additional documentation and analysis required by the planning tools beyond what is readily available from the internal audit activity’s existing QAIP documentation.

An estimate of time required for distributing, collecting, and analysing survey tools. This activity should be coordinated with the external independent assessor as discussed below.

A proposal from the independent external assessor regarding the number of interviews they wish to conduct with the senior executives, operating management, internal audit activity management and staff. This activity should be coordinated with the external independent assessor.

An estimate of the time required for the internal assessment team to complete the assessment programmes. A critical assumption for this estimate is the number of engagement files to be reviewed as part of the internal audit process programme.

A discussion with the independent external assessor regarding how much time they need for their on-site work, and how far in advance of the on-site work they want to receive documentation prepared by the internal audit activity’s internal assessment team.

Upon completion of the on-site work by the independent external assessor, the self-assessment with independent validation’s schedule should allow time for the external assessor to complete the Independent Validation Statement.

4.4.3 Selecting the Independent External Assessor for A Self-Assessment with Independent Validation

The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified.

The CAE should consult with the Finance Secretary and senior leadership regarding selection of the external assessor or assessment team based on a thorough review of their qualifications and experience. The CIA should also obtain a signed statement from the external assessor or assessment team confirming their independence as defined in the Standards. This is typically done during the contracting process.

CH

AP

TE

R 4



4.4.4 Communication and Coordination with the External Validation Assessor

Most of the work in performing a self-assessment with independent validation is completed by the internal audit activity’s internal assessment team. However, the external assessor will perform some work during the on-site visit, and coordination with the internal assessment team will facilitate completion of the external assessor’s work.

Coordination in the completion of surveys. The internal assessment team (or CIA) and the external assessor should agree on who will be asked to participate in the surveys and on the schedule for completing the surveys. The internal assessment team would be responsible for sending out the surveys. Survey participants shall normally send their responses directly to the external assessor for collation and evaluation of results. The external assessor will review results of the surveys with the CIA and the internal assessment team during the on-site visit. The external assessor will also use information gained from the surveys in completing interviews with key stakeholders.

Coordination in scheduling and conducting interviews with key stakeholders. The internal assessment team (or CIA) and the external assessor should agree on who will be interviewed and on the schedule for completing the interviews. Interviews are normally conducted by the external assessor during the on-site visit.

At a minimum, the external assessor or assessment team will interview the Finance Secretary, the CIA, the person to whom the internal audit activity reports to administratively within the organization, and the external audit partner. Other interviews of key stakeholders are specifically coordinated with the CIA.

During the on-site visit, the external assessor will review tests of audit engagement files prepared by the internal assessment team. The external assessor may also want to review other audit engagement files not reviewed by the internal assessment team. To enable the external assessor to complete this review, the internal assessment team should provide the external assessor with appropriate access to any relevant application.

4.4.5 Work to be completed before the On-Site Visit

The CIA should oversee completion of the self-assessment of internal audit activity. Key elements of the self-assessment to be performed and documented by the internal audit activity’s internal assessment team include:

Completing the planning which includes an analysis of the internal audit activity’s operations and answers to a series of questions that provide insight into the CIA’s views regarding specific conformance criteria related to the Standards or the Code of Ethics.

Conducting surveys that collect information from senior leadership, operating management, internal audit management and staff regarding various aspects of the internal audit activity. Use of the surveys should be coordinated with the external assessor or assessment team as described above.

Executing the assessment programmes that are intended to collect, evaluate, and document evidence of conformance with the Standards and the Code of Ethics.

Summarizing results of the evaluation. Preparing a report of the results of the self-assessment to be validated by the

external assessor and eventually distributed to the board and other appropriate stakeholders.

CH

AP

TE

R 4



All of the above materials should be made available to the external assessor for use in completing the review and validation of the self-assessment. The internal audit activity should coordinate with the external assessor or assessment team as to which documents will be supplied to the external assessor before the on-site visit. The external assessor will also schedule interviews to be conducted during the on-site visit.

4.4.6 Work Completed during the On-Site Visit

During the on-site visit, the external assessor will review documentation prepared by the internal assessment team and perform sufficient tests of the self-assessment to validate results and express an opinion regarding conformance with the Standards and the Code of Ethics to include:

Exercising professional judgment in determining the extent of testing of the self-assessment based on the size and complexity of the internal audit activity.

Conducting interviews with key stakeholders to follow up on any issues or opportunities identified from the surveys—all within the agreed-upon scope of the self-assessment with independent validation.

As nearly all of the work performed during a self-assessment with independent validation is completed by the internal audit activity’s internal assessment team, the amount of time required on site by the external assessor is normally much less than that required by an external assessment team performing a full external assessment.

4.4.7 Reporting and Follow-up

Upon completion of fieldwork, the independent external assessor will provide an opinion confirming the results, or expressing disagreement with the self-assessment, as appropriate. If the external assessor is not in agreement with the self-assessment report, the external assessor can add dissenting wording to the report, specifying the points of disagreement.

The final report of the self-assessment with independent validation should be signed by the internal audit activity’s internal assessment team and the independent external assessor and should be issued by the CIA to Finance Secretary.

Refer Appendix 14 on Standard Conformance Evaluation Summary (Table) Template

Refer Appendix 15 on Standard Conformance Evaluation Summary Template

Refer Appendix 16 on Standard Rating Criteria

Refer Appendix 17 on Checklist on External Quality Assessment

CH

AP

TE

R 5



CH

AP

TE

R 5



5 Reporting and Follow-up of QAIP

CH

AP

TE

R 5



Chapter 5: Reporting and Follow-up of QAIP

ISPPIA 1320 – Reporting on the Quality Assurance and Improvement Programme

The Chief Internal Auditor must communicate the results of the quality assurance and improvement programme to senior management and the Finance Secretary. Disclosure should include:

The scope and frequency of both the internal and external assessments. The qualifications and independence of the assessor(s) or assessment team,

including potential conflicts of interest. Conclusions of assessors. Corrective action plans.

Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement programme is established through discussions with senior management and considers the responsibilities of the internal audit activity and Chief Internal Auditor as contained in the internal audit charter. To demonstrate conformance with the Code of Ethics and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments, and the results of ongoing monitoring are communicated at least annually. The results include the assessor’s or assessment team’s evaluation with respect to the degree of conformance.

ISPPIA 1321: Use of Conformance with the International Standards for the Professional Practice of Internal Auditing

Indicating that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing is appropriate only if supported by the results of the quality assurance and improvement programme.

Interpretation: The internal audit activity conforms with the Code of Ethics and the Standards when it achieves the outcomes described therein. The results of the quality assurance and improvement programme include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments.

ISPPIA 1322: Disclosure of Nonconformance

When non-conformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the non-conformance and the impact to senior management and the board.

CH

AP

TE

R 5



2500 - Monitoring Progress

The Chief Internal Auditor must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 - The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 - The internal audit activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

’5.1 Overview of QAIP reporting

Standard 1320 communicates the minimum criteria that the Chief Internal Auditor must communicate to senior management related to the QAIP. Reviewing the requirements related to each element in the standard may help the CIA prepare to implement this standard.

As this standard indicates, the CIA of CCA is responsible for communicating the results of the entire QAIP. To do this, the CIA must understand the requirements of the QAIP. Generally, CIA meets regularly with senior management to understand and agree upon the expectations for communications surrounding the internal audit activity, including those regarding the QAIP. The CIA also considers the responsibilities related to the QAIP that are outlined in the Internal Audit Charter.

The CIA should be aware of any internal assessments, including periodic assessments and ongoing monitoring, as well as completed external assessments. As such, the CIA should have an understanding of the internal audit activity’s degree of conformance with the International Standards for the Professional Practice of Internal Auditing (Standards) and The IIA’s Code of Ethics.

5.2 Activities of Quality Assurance and Improvement Programme Reporting Timelines

Quality Assurance & Improvement Programme

Ongoing Monitoring of Performance

Activity Frequency Responsibility Reporting

Review of the audit universe

Annual Chief Internal Auditor of CCA (i.e. Head of Internal Audit Services)

N/A

Identification of risks affecting the operation of the Internal Audit Service

Quarterly Chief Internal Auditor of CCA (i.e. Head of Internal Audit Services)

N/A

Review of audit engagements

Each engagement

Chief Internal Auditor/Senior Internal Auditor of IAU

N/A

Progress against the audit plan

Monthly Chief Internal Auditor/Senior Internal Auditor of IAU

Quarterly report to Chief Internal Auditor of CCA (i.e. Head of Internal Audit Services)

CH

AP

TE

R 5



Progress against Key Performance Indicators

Quarterly Chief Internal Auditor/Senior Internal Auditor of IAU


Discuss performance of internal audit activity

Monthly Chief Internal Auditor/Senior Internal Auditor of IAU

Annual report to Chief Internal Auditor of CCA (i.e. Head of Internal Audit Services)

Customer survey / questionnaire

Each engagement

Chief Internal Auditor/Senior Internal Auditor of IAU


Review of Internal Audit Charter, policies & procedures


Annual report to Secretary Finance

Personal Development Review

Annual Secretary of respective government agency

Documentation to RCSC

Continuous improvement activity and adoption of best practice

Continuous Chief Internal Auditor/Senior Internal Auditor of IAU


Identification of value added to the Internal Audit Services operations

Continuous Chief Internal Auditor/Senior Internal Auditor of IAUOr Chief Internal Auditor of CCA (i.e. Head of Internal Audit Services)

Annual report to Chief Internal Auditor of CCA (i.e. Head of Internal Audit Services)Or Annual Report to Secretary Finance

Periodic Self-Assessments

Self-assessment against the Public Bhutan Government Internal Audit Standards (BGIAS)


Annual Report to Secretary Finance

Benchmarking review of Internal Audit Services

Every 3 years

Chief Internal Auditor of CCA (i.e. Head of Internal Audit Services)

Report to Finance Secretary

External Assessments Assessment against the BGIAS

Every 5 years

Chief Internal Auditor of CCA (i.e. Head of Internal Audit Services)

Report to the Secretary Finance

5.3 Consideration for reporting QAIP

The detailed Quality Assurance and Improvement Programme are documented in the policies and procedures for the internal audit activity (ISPPIA 2040 – Policies and Procedures) and the Internal Audit Charter (ISPPIA 1010 – Recognizing Mandatory Guidance in the Internal Audit Charter). The CIA may begin by reviewing this information to understand

CH

AP

TE

R 5



the communication requirements related to reporting on the QAIP, which includes four core elements:

Scope and frequency of internal and external assessments. Qualifications and independence of the assessors. Conclusions of assessors. Corrective action plans.

5.3.1 Scope and Frequency of Internal and External Assessments

The scope and frequency of both internal and external assessments must be discussed with the senior management (i.e. Finance Secretary) (ISPPIA 1311 – Internal Assessments and Standard 1312 – External Assessments). The scope should consider the responsibilities of the internal audit activity and the CIA, as contained in the Internal Audit Charter.

The scope may include senior management’s expectations of the internal audit activity, as well as expectations expressed by other stakeholders. It may also include internal audit practices assessed against the Standards, as well as any other regulatory requirements that may impact the internal audit activity.

5.3.1.1 Internal Assessments

The CIA must establish a means for communicating the results of internal assessments to enhance credibility and objectivity of the internal audit activity at least annually. The Interpretation of Standard 1320 states that the results of periodic internal assessment should be communicated upon completion of such assessments, and the results of ongoing monitoring should be completed at least annually.

Ongoing monitoring includes reporting on internal audit’s key performance indicators. The CIA of CCA provide an annual report to senior management (i.e. Finance Secretary) regarding the results of ongoing monitoring and include any recommendations for improvement.

The results of internal assessments include, where appropriate, corrective action plans and progress against completion. The CIA of CCA may distribute internal assessment reports to various stakeholders, including senior management (i.e. Finance Secretary), government agency and external auditors.

Auditing Standards require the CIA to report to the Chief Executive of the entity, the results of all the periodic assessments, including internal and external assessments, together with a plan of action for the implementation of all recommendations arising from the assessments. The actions resulting from the recommendations could include modification of resources, technology, processes, and procedures.

5.3.1.2 External Assessments

The CIA must discuss the frequency of external assessments with senior management (i.e. Finance Secretary). The Standards require the internal audit activity to undergo an external assessment at least once every five years. However, upon discussing these requirements with the senior management, the CIA may determine if it is appropriate to conduct an external assessment more frequently. There are several reasons to consider a more frequent review, including changes in leadership (e.g., senior management or the CIA), significant changes in internal audit policies or procedures, the merger of two or more audit organizations into one internal audit activity, or significant staff turnover.

CH

AP

TE

R 5



The CCA must submit the Report resulting from the External Assessment on the IAS as a whole to the Secretary of the MoF, other central agencies of the RGoB, and the Chief Executives of all RGoB entities where there is an IAU. The CCA should prepare an action plan to implement the recommendations of the External Assessment report. After the approvals of the Secretary, MoF, the action plan should be communicated to the Chief Executives of all RGoB entities where there are IAUs. The implementation of the action plan should be monitored and reported to the Secretary, MoF.

]5.3.2 Qualifications and Independence of the Assessors

When selecting an external assessor or assessment team, the CAE discusses with senior management (i.e. Finance Secretary) the qualifications of the potential assessor and several factors related to independence and objectivity, including actual, potential, or perceived conflicts of interest.

Afterward, when reporting the results of the external assessment, the CIA confirms the qualifications and independence of the external assessor or assessment team. Any actual, potential, or perceived conflicts of interest should be reported to senior management.

5.3.3 Conclusion of Assessors

External assessment reports include the expression of an opinion or conclusion on the results of the external assessment. In addition to concluding the internal audit activity’s overall degree of conformance with the Standards, the report includes an assessment of each standard and/or standard series. The CIA should explain the rating conclusions to senior management (i.e. Finance Secretary), as well as the impact of the results. An example of a rating scale that may be used to show the degree of conformance is:

Generally Conforms: This is the top rating, which means that an internal audit activity has a charter, policies, and processes, and the execution & results of these are judged to be in conformance with the Standards.

Partially Conforms: Deficiencies in practice are judged to deviate from the Standards, but these deficiencies do not preclude the internal audit activity from performing its responsibilities.

Does not Conform: Deficiencies in practice are judged to be so significant, that they seriously impair or preclude the internal audit activity from performing adequately in all or in significant areas of its responsibilities.

5.3.4 Corrective Action Plans

In order to ensure better coordination and development of quality internal audit services across the RGoB, CIAs should submit the results of all assessments, both internal and external, to the Finance Secretary for review, so that, if necessary, action may be taken to modify policies issued by the MoF, advocate the allocation of additional resources for the IAUs at the level of central agencies and also formulate and develop more effective staff development and training programmes. The CIA should also submit a copy of the proposed plan of action with respect to the recommendations and proposed action plan.

The CIA should report periodically to the Senior Management on the progress made in the implementation of the action plan. The CCA should submit an annual report to the Finance Secretary containing a summary of significant findings and recommendations resulting from internal assessments completed during the year. The CCA should also identify if any

CH

AP

TE

R 5



action is required either by the MoF or any other central agency and propose an action plan for their consideration, approval and implementation.

5.4 Periodic Internal Assessment Report Contents

Generally, the overall report on quality assurance and improvement programme shall be communicated by the Chief of CCA. However, it is the assessment teams from CCA or the respective IAUs who shall prepare individual Assessment Reports. The Report may broadly include the following:

Executive Summary; Objectives of the assessment task; Scope and Methodology; Data collections and reviews conducted; Key observations under legal considerations, human resource (against levels of

Internal Audit Capability Model) consideration, financial consideration (budgetary implications), risk Management considerations (IA policies, procedures and methodologies), and ethical considerations;

Incorporation of IAU Chief/Internal Auditor’s feedback on the observations; Action Plan from the IAU Chief/Internal Auditors; Conclusions and recommendations for improvements; and Appendices.

A suggestive format of reporting details of Self-Assessment Findings is provided in Appendix 5.

5.5 External Assessment Report Contents

5.5.1 Full External Assessment Report Content

Following is the Full External Assessment Report content: Executive Summary● Overview of Internal Audit Activities● Objectives● Data Collection and Review● Sample Selection● Assessment● Reporting● Overall Opinion as to conformance to the standards● Internal Audit Capability Model● Key Observations● Key Recommendations● Way Forward

Detailed Report ● Detail report on each Standards on Internal Audit ● Code of Ethics

Annexures

A suggestive format of reporting details for an Independent Validation Team is provided in Appendix 6.

CH

AP

TE

R 5



5.5.2 Self-Assessment with Independent Validation

The report content of periodic Internal Assessment may be adopted by the independent validation team to prepare the QAIP report. However, the report from Independent Validation team may be prepared in the form of a Memorandum or Memo, covering the following contents:

Background; Scope and methodology; Key observations under successful audit practices, gaps to conformance, and

opportunities for improvements; Conclusions and recommendations for improvement; and Appendices.

A suggestive format of reporting details for an Independent Validation Team is provided in Appendix 7.

5.6 Review of the QAIP

The QAIP also should be reviewed at least annually and individual sections of the programme should be updated throughout the year as required. The inputs of the review include, but shall not be limited to:

Results from quality assessments Customer (user) feedback; Status of resulting action plans; Follow-up actions from previous assessments and/or reviews; Other changes that could impact the quality management system; Recommendations for improvement; New and revised standards, policies, and procedures.

CH

AP

TE

R 6



6 Measuring Internal Audit Effectiveness and Efficiency

CH

AP

TE

R 6



Chapter 6: Measuring Internal Audit Effectiveness and Efficiency

A general description of effectiveness and efficiency is “the degree (including quality) to which established objectives are achieved.” The same description can be used for internal audit effectiveness and efficiency. Internal audit should establish performance metrics and related measurement criteria appropriate to its environment/organization to measure the degree (including quality) of achievement of objectives for which the internal audit activity is established. Internal audit effectiveness and efficiency should be monitored and assessed periodically as part of the internal audit process.

6.1 Internal Audit Stakeholders

Generally, the key stakeholders for the internal audit activity are divided into internal and external.

Internal stakeholders may include: A committee such as the audit committee; Senior management; Operations and support management; Internal auditors.

External stakeholders may include: Regulatory bodies; External auditors; Third-party vendors; Citizens.

The internal audit activity should identify all relevant stakeholders and their respective interests in the work or support from the internal audit activity and should solicit feedback from each of these stakeholders as appropriate. Specific feedback will provide insight into:

The purpose and responsibility of internal auditing and whether that is understood by different levels within the organization.

Adequacy of internal audit independence and objectivity. Target deliverables and expectations of the internal audit activity. Current or planned business priorities and correlation of those with the activity’s

scope, as appropriate. Current shortcomings, if any, of the internal audit activity. Quality and sufficiency of communication from the activity. Current level of satisfaction, or lack thereof, with the frequency and nature of

engagements planned and performed. Current level of satisfaction, or lack thereof, with the internal audit activity’s

resources. Changing needs of business, related risks, and ability of internal auditing to provide

assurance and consulting services.

CH

AP

TE

R 6



Considerations in identifying relevant stakeholders and their satisfaction include:

The extent of regulation of the organization and internal audit activity. Internal auditing’s relationship with key internal and external stakeholders and

establishment of functional expectations and objectives with these groups. Consideration of the authority and relevance of the stakeholder to the internal audit

activity. The activity’s internal feedback from key individuals, groups, or standard setters

that will help further optimize the activity’s quality, scope, and effectiveness. The nature of the organization (e.g., public or privately held and levels of

management/management hierarchies). Types of engagements performed by the internal audit activity. Specific stakeholders identified within the internal audit activity’s charter. Applicable content of the board’s charter.

6.2 Measuring Internal Audit Effectiveness and Efficiency

Internal auditing must effectively demonstrate its value as a key component of the organization’s governance framework. The audit activity can lead by example with strong, relevant, and reliable performance measures. The internal audit activity may perform additional steps to support the periodic self-assessment, such as analyzing key performance indicators (KPIs). IPPF – Practice Guide for Measuring Internal Audit Effectiveness and Efficiency provides that the Chief Internal Auditor (CIA) needs to establish a certain process to create effective performance measures. Such process shall entail the following: Identifying critical performance categories such as stakeholder satisfaction, internal

audit processes, and innovation and capabilities; Identifying performance category strategies and measurements. Strategies should be

pursued in compliance with IIA Standards, other applicable professional standards, applicable laws & regulations, and should ensure stakeholder satisfaction; and

Routinely monitoring, analyzing, and reporting performance measures.

6.3 Performance Measures / Key Performance Indicators

The internal audit activity may also monitor and analyze KPIs related to the efficiency of standard internal audit work practices (e.g., budget-to-actual engagement hours, percentage of the audit plan completed, number of days between fieldwork completion and report issuance, percentage of audit observations implemented, and timeliness of corrections related to audit observations). Other commonly used metrics include the number of certified internal auditors in an IAU, their years of experience in internal auditing, and the number of continuing professional development hours they earned during the year.

6.4 Characteristics of Performance Measures: Quantitative vs. Qualitative

Both quantitative and qualitative metrics are important in demonstrating an internal audit activity’s performance to key stakeholders, and both can be benchmarked against accepted standards, prior performance, and/or agreed upon expectations.

Quantitative performance metrics are often based on existing or obtainable data and are easily understood (e.g., percentage of completed vs. planned audits). They

CH

AP

TE

R 6



often require less effort to collect and are readily comparable to the same metrics in other organizations.

Qualitative performance metrics are often based on the collection of unique information through more time intensive methods such as survey research or interviews. They offer a broad view of performance on a range of topics that can provide depth to quantitative metrics.

6.5 Types of Performance Measures

Following are the broad key performance indicators: Strategy and Planning Indicators; Areas of Responsibility Indicators; Policy and Procedure Indicators; Resourcing Indicators Agency-wise (Budget and Staffing/Human Resource); Engagement Planning Indicators; Engagement Performance Indicators; Communication Indicators; and Awareness Indicators.

These processes would be executed through assessing the following Internal Audit Key Performance Indicators.

6.5.1 Strategy and Planning Indicators

Annual review of the internal audit strategy by CCA and Heads of IAUs; Endorsement of the strategy by Chief of CCA; Internal audit risk assessments conducted annually by CCA and Heads of IAUs; and Capability and resource planning undertaken annually by CCA and Heads of IAUs.

Sl. No. Review Steps

Assessment Outcomes

Yes No Partial

I Is there an Internal Audit Strategy for the Internal Audit Service?

Ii Is Strategy reviewed annually by CCA/IAU Chiefs?iii Do IAUs have their own respective Internal Audit Strategy? iv Has CCA reviewed IAUs’ internal audit strategy?v Are risk assessments conducted by IAUs prior to

preparation of their annual internal audit plan? vi Has CCA consolidated the overall risk assessments of IAUs

prior to preparation of the overall Internal Audit Annual Plan?

vii Do the CCA and IAUs possess necessary capability and skills to prepare annual plans and strategies?

CH

AP

TE

R 6



6.5.2 Areas of Responsibility Indicators

Total number of engagements completed by the Internal Audit Service (include target);

Time spent on normal internal audit engagements, i.e., assurance provider role, and other engagements such as theme-based performance auditing, collaboration with Anti-Corruption Commission and other oversight bodies, i.e., consulting/advisory roles (include target);

Number of normal internal audit engagements completed by the internal audit service (include target);

Number of normal internal audit engagements performed by the internal audit service as a proportion of overall plan (include target); and

Time spent on follow-up audits (include target).

Sl. No. Indicators

Assessment Outcomes

Target Actual Variance

i Total number of annual audit engagements during the yearii Total number of normal internal audit completed

(Assurance providing activity) during the yeariii Total number of theme-based (performance audit)

completed (Assurance providing activity) during the yeariv Total number of other engagements (Consulting activity

for ACC and other oversight bodies) during the yearv Total number of other engagements completed (Consulting

activity for ACC and other oversight bodies) during the year

vi Total number of follow-up audits during the yearvii Time spent on follow-up audits during the year

6.5.3 Policy and Procedure Indicators

The number of times the Chief of CCA meets with the Heads of agencies and other senior management (include target);

The number of times the Chief of CCA meets with the Finance Secretary and the respective Chiefs of IAUs (include target); and

Compliance with Internal Audit Charter, Internal Audit Manual, Bhutan Government Internal Audit Standards and other relevant government orders and directives.

Sl. No. Indicators

Assessment OutcomesTarget Actual Variance

I Number of times the CCA Chief meets with the Finance Secretary during the year

ii Number of times the CCA Chief meets with the Chiefs of IAUs during the year

iii Compliance with relevant Sections of the Charter, Manual and Standards

CH

AP

TE

R 6



6.5.4 Resourcing Indicators Auditee Agency-wise

i. Budget Delivery of operations in accordance with approved budget; Levels of expenditure (budget versus actual, costs per auditor day, ratio of

payroll to other costs, comparison between IAUs, comparison with previous periods);

Cost of audit as a proportion of total Internal Audit Services operating costs (include target);

Comparison of audit budget to actual audit costs; Ratio of audit payroll costs to other audit costs (include target); and Ratio of outputs (Audit Reports and other services, if any) to inputs

(resources utilized).

Sl. No. Indicators

Assessment OutcomesBudget Actual Variance

I Total expenditure for overall annual audit engagements during the year

ii Total expenditure on specific audit assignments (Assurance providing activity) during the year

iii Total expenditure on overall theme-based Performance audit assignments during the year

iv Total expenditure on specific theme-based Performance audit assignments during the year

iii Total expenditure on overall other engagements (Consulting activity for ACC and other oversight bodies) during the year

iv Total expenditure on specific other engagements completed (Consulting activity for ACC and other oversight bodies) during the year

v Total expenditure of CCA/IAUs during the year

ii. Staffing

Capability plan reviewed on an annual basis; Number of auditors as a percentage of total manpower strength of the

agency (include target); Average years of audit staff experience (include target); Number of years in the present audit agency (include target); Number of internal auditors by qualifications (include target); Number of professional certifications/percentage of staff certified (include

target); Absenteeism rates (include target); Level of internal audit staff turnover (include target); Number of new recruits versus total number of internal auditors (include

target); Levels of internal audit staff satisfaction and grievances (include targets, if

practical); and Number of internal auditors seconded to other organizations.

CH

AP

TE

R 6



Sl. No. Indicators

Assessment OutcomesTarget/Plan Actual Variance

i Total number of auditors as a percentage of total staff strength of the agency

ii Average number of years of audit staff experience in CCA/IAUs

iii Average number of years of in the present agency (CCA/IAUs)

iv Number of internal auditors by different qualifications

v Total number of working days of leave availed by staff

vi Total number of staff who left the agency for different reasons

vii Total number of new recruits during the yearviii Total number of internal auditors seconded to

other organizations

6.5.5 Engagement Planning Indicators

Engagement client consulted prior to the engagement commencing; Risk assessments conducted of the auditable areas as part of engagement planning; Analytical procedures and CAATs are used in a minimum number of engagements; Total hours used in planning versus scheduled hours used (include target); and Total hours planning versus total engagement hours (include target)

Sl. No. Indicators


I Total number of annual audit engagements during the year

Ii Total number of internal audit (Assurance providing activity) during the year with prior risk-assessments conducted

iii Total number of internal audit assignments where analytical procedures and CAATs/AMS are used

iv Total number of hours used for planning a specific audit engagement (by audit assignments)

6.5.6 Engagement Performance Indicators

The cause and effect of all findings and observations documented within working papers;

Audit Exit Meetings held for all audit engagements; Chiefs of IAUs attending all Exit Meetings; Working papers completed and appropriately reviewed for all engagements;

CH

AP

TE

R 6



Timeliness of fieldwork; Percentage of audit plan completed (include target); Number of audits completed (include target); Number of audits completed within prescribed time frames (include target); Number of audits completed within the approved budget (include target); Level of engagement client satisfaction (include target); and Actual audit time spent versus budget time (include target)

Sl. No. Indicators


I Total number of audit exit meetings against total number of audit engagements

Ii Total number of audit exit meetings against total number of audit engagements attended by Chief

iii Total number of audits completediv Total number of audits completed within prescribed

time framesv Total number of audits completed within the approved

budgets

6.5.7 Communication Indicators

Number of times the Chief of CCA meets with the agency heads and other senior management (include target, if practical);

Number of times the CCA meets with IAU Chiefs and internal auditors (include target, practical);

Number of times the CCA and IAUs meet with stakeholders; Elapsed time for issue of reports (i.e., from completion of engagement fieldwork to

issue of draft report (include target); Elapsed time for finalization of report (i.e., from issue of draft report to issue of final

report (include target); and Percentage of recommendations accepted by the auditee.

Sl. No. Indicators


I Total number of times the Chief of CCA meets with the agency heads and other senior management for annual audit engagements during the year

Ii Total number of times the Chief of CCA meets with the IAU Chiefs and internal auditors during the year

iii Total number of times the CCA and IAUs meet with stakeholders during the year

iv Total number of reports issued within the prescribed timeframe

v Percentage of recommendations accepted by the auditee

CH

AP

TE

R 6



6.5.8 Awareness Indicators

Level of awareness of internal audit across the organization; and Proportion of internal audit time devoted to advocacy and awareness programme

activities (include target).

Sl. No. Indicators


I Total number of awareness programmes conducted by CCA and IAU Chief during the year

Ii Total number of working days devoted by CCA and IAU Chief in awareness programmes during the year

6.6 Monitoring and Reporting of Internal Audit Effectiveness and Efficiency

Internal auditing’s effectiveness and efficiency should be reported to its stakeholders periodically. The CIA should obtain feedback from key stakeholders on internal auditing’s effectiveness and efficiency in reporting (e.g., format, timing, metrics) and make efforts to align reporting to their needs.

6.6.1 Contents

What should be reported varies based on stakeholder requirements and the organization’s specific needs. A good practice is to survey key stakeholders to determine their needs and expectations, which then helps define the criteria upon which internal auditing should be measured (Refer Appendix 3, Survey Example). Appendix 8 provides examples of effectiveness and efficiency measurement criteria.

6.6.2 Type of reporting

The CIA should evaluate stakeholders to whom reporting is required and customize the reporting package to their individual needs.

6.6.3 Frequency

The frequency of reporting should be based on stakeholder needs. Quarterly reporting on internal audit effectiveness and efficiency could be a good starting point.

6.6.4 Format

Standards for reporting internal audit effectiveness and efficiency should be similar to standards followed for reporting other audit-related information. There are many formats for reporting, including Word, PowerPoint, dashboards based on automated tools, and e-mail. The chosen format should be tailored to meet stakeholders’ specific needs. For example, reporting to the Finance Secretary might be less frequent and, in less detail, to meet its needs in overseeing the activities of internal auditing. Reporting to management would likely be much more detailed. Refer to Appendix 9 for a dashboard reporting example.

CH

AP

TE

R 6



6.7 Internal Audit Capability Model (IA-CM)

The IA-CM is a framework for strengthening or enhancing internal auditing through many small evolutionary steps. These steps have been organized into five progressive capability levels illustrating the stages through which an Internal Audit activity can evolve as it defines, implements, measures, controls, and improves its processes and practices.

Improvements in processes and practices at each stage provide the foundation to progress to the next capability level. Hence, it is a “building block” approach to establish effective internal auditing in an organization. A fundamental premise underlying the IA-CM is that a process or practice cannot be improved if it cannot be repeated.

Therefore, IA-CM shows the steps in progressing from a level of internal auditing typical of a less established organization to the strong, effective, internal audit capabilities generally associated with a more mature and complex organization.

The five progressive capability levels are:

Level 1. Initial

This level is relevant in small organizations where there is no infrastructure and institutional capability is not developed. With no professional practices established, audits and reviews are conducted on isolated cases and outputs are dependent on the skills of individual auditors involved in the assignment. Hence, there is no sustainable repeatable capabilities and the function is dependent on individual efforts.

Level 2. Infrastructure

There is some degree of establishment of management and administrative infrastructures, professional practices and processes. For instance, internal audit guidance, processes and procedures are present where audit planning is done based on management priorities. However, execution of auditing task continues to rely on the skills and competence of specific auditors. Therefore, the key challenge for this level is to establish and maintain repeatability of internal audit practice, procedures and capability. In all practicality, this level is relevant to most of the IAUs in different agencies.

Level 3. Integrated

At this level, the conduct of internal audit activity would indicate general conformance with the Standards where the Internal Audit policies, processes and procedures are defined, documented and integrated with each other and with organization’s infrastructure. Internal audit management and professional practices are uniformly applied across the IA activity and the IA aligns with the organization’s business and the risks it faces. As a result, there will be more focus on team building to enhance capacity of IA activity leveraging on its independence and objectivity.

Level 4. Managed

By this Level, IA functions are acknowledged as an integral part of the organization’s governance and risk management. Some notable capabilities are:

- IA and stakeholders’ expectations are in alignment;- IA is recognised as adding value to the organization;- As a well-managed business unit in the IA, risks are measured and managed quan-

CH

AP

TE

R 6



titatively; - Requisite skills and competencies are in place with a capacity for renewal and

knowledge sharing.

Level 5. Optimizing

Internal audit function is learning from inside and outside the organization for continuous improvement. With top-level professional and specialised skills of internal auditors, IA is considered a critical part of the organization’s governance structure and they are fully integrated with overall organizational performance measures.

These five capability levels are expressed as below:

63 | P a g e

www.theiia.org/research

8

LEVEL 5 Optimizing

LEVEL 4 Managed

LEVEL 3 Integrated

LEVEL 2 Infrastructure

LEVEL 1 Initial

No sustainable, repeatable

capabilities – dependent upon

individual efforts

Sustainable and repeatable IA practices and procedures

IA management and professional practices uniformly applied

IA learning from inside and outside the organization for continuous improvement

IA integrates information from across the organization to improve governance and risk management

IA Capability Model Levels

IA-CM

Refer Appendix 11 for details on Internal Audit Capability Model Matrix and Appendix 12 for details on Internal Audit Capability Model Levels

The IA-CM provides a tool that a public sector organization can use to: Determine its internal audit requirements according to the nature, complexity, and

associated risks of its operations. Assess its existing internal audit capabilities against the requirements it has

determined. Identify significant gaps between those requirements and its existing internal audit

capabilities and work towards developing the appropriate level of internal audit capability.

CH

AP

TE

R 6



The Assessment Report may indicate the Internal Audit Capability Maturity level depending on the overall assessment outcome of the quality assurance and improvement programme.

Refer Appendix 13 for details on Internal Audit Maturity Assessment.

CH

AP

TE

R 7



7 Measuring Internal Audit Effectiveness and Efficiency

CH

AP

TE

R 7



Chapter 7: Checklists and Appendices

Appendix 1: QAIP Components

Section I: Governance

The main elements, along with some of the key objectives, to be assessed in the Governance section include: Internal Audit Charter:● Internal audit’s purpose, authority, and responsibility are formally defined in a

charter, consistent with the Definition of Internal Auditing, Code of Ethics, and the Standards.

● The internal audit strategy is aligned with the organizational strategy.● The internal audit activity’s charter provides assurance that the internal audit

activity will add value and improve the organization’s operations.● The internal audit activity’s charter, mission statement, goals, and similar documents

are implemented in an effective manner. International Professional Practices Framework (IPPF):● The internal audit activity is in conformance with the Definition of Internal Auditing,

Code of Ethics, and the Standards. Legislation:● The internal audit activity is in compliance with other applicable laws, regulations,

or policies. Independence and Objectivity:● The internal audit activity’s structure, objectivity, roles and responsibilities, and

key governance processes are appropriate for managing the function.● The internal audit activity is independent and objective in the performance of its

work.● The organizational status of the internal audit activity is sufficient to permit

accomplishment of the objectives. ● Broader organizational governance arrangements provide assurance regarding

auditor independence and objectivity. Risk Impacting the Internal Audit Activity:● Risks impacting the internal audit activity have been identified and managed.

Resourcing:● The appropriate level of financial and IT resources is available to the internal audit

activity to enable it to achieve its objectives in an efficient and effective manner.

Section II: Professional Practice

The main elements, along with some of the key objectives, to be assessed in the Professional Practice section include: Roles and Responsibilities:● Roles and responsibilities of staff within the internal audit activity are formally

documented.● The internal audit activity has fulfilled its responsibilities in regard to governance,

risk management, and control.

CH

AP

TE

R 7



Risk-based Audit Planning:● The audit planning process is aligned with the organization’s strategic objectives.● The perspectives of senior management and the board are considered in audit

planning.● The process of audit planning ensures that all activities of the organization are

considered for audit, subjected to a risk assessment, ranked in order of priority, and that appropriate audit objectives for each audit selected have been established. This may include documentation of an audit universe.

● An effective annual planning process exists including appropriate processes for the reporting of progress toward achieving the established plan.

Coordination with Other Assurance Providers:● Internal audit activities are coordinated with those of other assurance providers.

Audit Engagement Planning:● Risks relevant to the activity under review are assessed. The engagement objectives

reflect the results of the assessment. ● Appropriate resources are allocated for audit work to identify significant issues. ● Work programmes to achieve the engagement objectives are developed.

Performing the Engagement:● Engagement processes, including identifying information, analysis, and evaluation,

ensure that the steps in the audit programme developed at the end of the planning phase are completed in an effective and efficient manner.

● Audit techniques, including the use of internal audit automation and computer assisted auditing techniques (CAAT), are used as appropriate to provide assurance that work is performed efficiently and effectively.

● The evidence gathered substantiates the audit findings and establishes the cause and effect of issues identified as needing improvement.

● Information acquired when the audit is conducted is described and retained in working papers to clearly document the audit process and identify findings.

● Audit records are appropriately maintained. ● Audits are appropriately supervised for professional development and to provide

assurance that due professional care is applied. Proficiency and Due Professional Care:● The internal audit activity collectively possesses or sources the knowledge, skills,

and other competencies to perform its responsibilities.● Internal auditors display due professional care in the performance of their

responsibilities.● Continuing professional development is provided to allow internal auditors to

enhance their knowledge, skills, and other competencies. ● Management and leadership development are embedded within the internal audit

activity. Quality Assurance: ● A QAIP is in place that covers all aspects of the internal audit activity and the QAIP

effectiveness is continuously monitored.● Internal audit has processes in place to track and record progress toward established

objectives, plans, and budgeted resources.

CH

AP

TE

R 7



Section III: Communication

The main elements, along with some of the key objectives, to be assessed in the Communication section include: Audit Engagement Reports:● The final report presents the purpose, scope, and significant findings, including

the causes and effects, conclusions, recommendations, and the engagement client’s action plans to address the issues outlined.

● An effective process is in place to ensure that the audit results are presented to the appropriate level of management timely for discussion and response.

● Reports are provided to and/or are reviewed by senior management and the board. ● The form and content of audit communications meet stakeholder expectations.● The phrase “conducted in accordance with the Standards” is utilized only under

appropriate circumstances. Follow-up Phase:● An appropriate follow-up process to ensure that management actions have been

effectively implemented has been established and is being maintained. Stakeholder Communications:● The internal audit activity’s communication practices inform the board and

appropriate stakeholders of work undertaken.● A performance management and measurement process are in place to ensure that

the effectiveness of the internal audit activity is optimized and recognized.● Engagement client satisfaction with the audit process is measured by the internal

audit activity, including the level of professionalism demonstrated by the internal auditors and opportunities for improvement.

● The extent of satisfaction of other stakeholders with the internal audit process and products is measured (this may include a self-assessment questionnaire and a satisfaction survey for engagement clients).

● The role and services offered by internal audit are understood by stakeholders and considered to be value-added.

Appendix 2: Checklist on Ongoing Monitoring

Note: This checklist is for guidance purpose only. The Internal Auditor of IAU or CIA may take reference from this checklist to develop a detailed checklist specific to Internal Audit activity performed.

Sl. No. Standards Tools and/or processes in

place

A 2200: Engagement Planning 2201: Planning Considerations 2210: Engagement Objectives 2220: Engagement Scope 2230: Engagement Resource Allocation 2240: Engagement Work Programme

Internal Audit Department implements the standard through preparation of the Opening Letter, Planning Memorandum, & Audit Programme

Standard 2200 series shall generally require the QAIP to assess if the internal auditors have followed the internal auditing guidelines, manuals and frameworks. The standard also requires the programme to assess if the guidelines, manuals and frameworks are exhaustive and updated regularly. For this, the following sample areas may be assessed to fulfill the requirements of the above Standard 2200 series:

CH

AP

TE

R 7



S.No. Questions to Consider Response

1 Are individual internal audit engagements adequately resourced and properly monitored?

2 Whether planning is done following the risk-based approach?3 Does the plan align with organizational risk?4 Are the internal auditors familiar with the processes under

review?5 Will the audit objectives allow auditors to provide assurance?6 Is the scope sufficient to satisfy the audit objectives?7 Will the audit programme allow internal auditors to achieve

the audit objectives and reach a conclusion?8 Have auditees been informed about the planned audit?9 Were the objectives clearly explained to auditees during the

kick-off meeting?10 Are planning approved by head of agency?

S.No. Standards Tools and/or processes in place

B 2300: Performing the Engagement 2310: Identifying Information 2320: Analysis and Evaluation 2330: Documenting Information 2340: Engagement Supervision

Internal Audit Department implements the standards through performing information request, data analysis, risk and control assessment, execution of audit programme, working papers, signoffs, and saving engagement records.

Standard 2300 series require that Internal auditors identify, analyze, evaluate, and document sufficient information during the audit engagement. For this, the programme shall assess the following sample questions.S.No. Questions to Consider Response

1 Are all executed steps properly documented?2 Is the prescribed methodology being applied and are

appropriate audit techniques being used?3 Have the internal auditors properly assessed auditees’

procedures with regard to the processes under review?4 In the absence of auditees’ procedures, have the internal

auditors discussed with the auditees the assessment criteria that should be used?

5 Is the obtained evidence sufficient to express an opinion?6 Do internal auditors differentiate between critical and less

critical findings?7 Were findings immediately communicated and discussed with

the auditees?8 Has the work programme been carried out as intended?9 Are changes to audit objectives, scope and work programme

justified and properly approved?

CH

AP

TE

R 7




C 2400: Communicating Results 2410: Criteria for Communicating 2420: Quality of Communications 2421: Errors and Omissions 2430: Use of “Conducted in conformance with the IIA

standards” 2431: Engagement Disclosure of Non- Conformance 2440: Disseminating Results 2450: Overall Opinion

Results of Audit Engagement are communicated to the audit client during both fieldwork and reporting stages. Internal audit departments report, and communication processes are designed to conform with standards.

Standard 2400 series require the internal auditors to communicate the results of engagements with certain criteria that ensures requisite quality and without errors and omissions. For this, the following sample questions shall be assessed.S.No. Questions to Consider Response

1 Were the findings and final conclusion presented to the auditees at a closing meeting?

2 Do the recommendations address the root cause of the findings?

3 Are the recommendations practical?4 Does the audit achieve its objectives of being able to issue

negative or positive assurance?5 Has a draft report been sent to auditees, allowing them to

review and comment on the findings and recommendations?6 Have the internal auditors incorporated the auditees’

comments?7 Do internal auditors agree on the action plan?8 Is the audit report accurate, objective, clear, concise,

constructive and timely?9 Has the audit report been signed according to the relevant

policies?10 Have audit objectives been achieved within allocated resource

budgets and by agreed target dates, as much as possible?


D 2500: Monitoring Progress CIA must maintain a system to monitor disposition of results communicated to Management. This can be achieved by the “Quarterly Reports” as a follow-up process to monitor and ensure that management actions have been implemented.

Standard 2500 requires the chief audit executive to establish and maintain a system to monitor the disposition of results communicated to management so that the audit recommendations are effectively implemented by the auditee agency. For this, the QAIP shall assess the following sample questions.

CH

AP

TE

R 7



S.No. Questions to Consider Response

1 Have the internal auditors monitored whether the deadlines of the action plan were respected?

2 Have the internal auditors assessed whether a follow-up audit may be needed?

3 Have follow-up activities been duly executed by the internal auditors?

CH

AP

TE

R 7



Appendix 3: Example of Stakeholder Survey sent after Internal Audit is completed

Sample questions on quality criteria for an audited entity survey

Note: This checklist is for guidance purpose only. The Internal Auditor of IAU or CIA may take reference from this checklist to develop a detailed checklist specific to Internal activity performed.

Please provide feedback on your recent experience with the internal audit unit by choosing one of the following four ratings to answer the questions:

Re: Internal Audit Feedback Survey

Dear XXXXX:

We recently performed an internal audit in your area. To continue to improve the level of service we provide our customers, we would appreciate your candid feedback on the attached Internal Audit Feedback Survey.

We value the opinions of our clients and stakeholders and will use your feedback to continually evaluate the quality of our audit services. Please send the completed survey back to me by (date).

If you have any questions, please do not hesitate to call me at (phone number).

Sincerely,

CIA / Internal Auditor of IAU

Internal Audit Feedback Survey

AUDIT REPORT TITLE: __________________________________________

Audit Unit / Manager: _____________________________________________

The rating scale provided below is from 4 (Very Satisfied), 3 (Satisfied), 2 (Dissatisfied) and 1 (very Dissatisfied).

S. No. Questions

4Very

Satisfied

3Satisfied

2Dissatisfied

1Very

Dissatisfied

1 How satisfied are you that adequate notice was given of the timing and duration of the audit?

2 To what extent are you satisfied that the auditors had sufficient knowledge of the organization activity/process?

3 How satisfied are you that the draft report was received within an acceptable timeframe?

CH

AP

TE

R 7



4 How satisfied are you that the recommendations provided practical and constructive solutions to the issues identified?

5 How satisfied are you that implementation of recommendations will contribute to improvements in your unit’s risk management, control and governance processes?

6 If you used the consultancy services provided by the internal audit unit, were you satisfied with the input provided?

CH

AP

TE

R 7



Appendix 4: Checklist on Periodic Self-Assessment

Note: This checklist is for guidance purpose only. The Internal Auditor of IAU or CIA may take reference from this checklist to develop a detailed checklist specific to Internal activity performed.

S. No. Standards Tools and/or processes in place

A 1000: Purpose, Authority and Responsibility

1010: Definition of internal Auditing 1020: Code of Ethics

The internal audit service charter should state clearly the purpose, mission, vision, authority, responsibility, etc. of the internal audit department.

The internal audit services charter should state clearly the Institute of Internal Auditors (IIA) definition.

The internal audit services charter should state clearly the Institute of Internal Auditors (IIA) Code of Ethics which highlights major principles such as Integrity, Objectivity, Confidentiality and Competency.

Standard 1000 outlines the purpose, mission, vision, authority, responsibility, etc. of the internal audit department. It recognizes Mandatory Guidance in the IA Charter.

S. No. Questions to Consider Response

1 Is the role of internal audit clearly defined in a document (a law, an act or a charter)?

2 Does this document also explain that internal auditors should not be responsible for any operational activities?

3 Does this document provide internal auditors with unlimited access to information, assets and people?

4 Does this document describe internal auditors’ reporting line(s)?

5 Do auditees know about this document?6 Does this document cover the delivery of both

assurance and consulting services by internal auditors?

7 Does this document refer to national or international internal auditing standards?

8 Does this document refer to a code of conduct for internal auditors?


B 1100: Independence and Objectivity 1110: Organizational Independence 1111: Direct Interaction with the

Board 1120: Individual Objectivity

IA reports to head of agency

CH

AP

TE

R 7



Standard 1100 stresses on independence and objectivity of the Internal Auditor. The aspects of qualification and competence of the internal audit is discussed in the above standard.


1 Does the document grant independence to internal auditors?

2 What measures are in place to guarantee internal auditors’ objectivity?

3 Are internal auditors independent on paper and in reality?

4 Do internal auditors experience difficulties getting their audit plans, budget and headcount approved?

5 Is the head of internal audit (HIA) appointed solely on experience, skills and competence?

6 What is the process for dismissal of the HIA, including who has authority to remove him/her?

7 Is there an escalation process in case internal auditors feel their independence is threatened?

8 Are internal auditors allowed to report on actual findings, that is, can they tell things as they are?

9 Can the CIA help internal auditors in cases where they feel threatened by senior management?

10 Are internal auditors invited to participate (as observers) in senior management meetings?

11 Is there a process in place to deal with conflicts of interest?

12 Are internal auditors responsible for any operational activities that in principle should not be part of internal audit’s responsibilities?

13 Do internal auditors regularly design procedures for the auditees?

14 Is there a process in place to disclose any potential impairment to independence and objectivity?

15 Do internal auditors experience any significant scope limitation(s)?

16 Is there a process in place to deal with gifts received from auditees or others?

17 Do internal auditors respect a cooling-off period for internal auditors who transfer from operational units?

18 Do internal auditors respect a cooling-off period for internal auditors who transfer to operational units?

19 In situations where, internal auditors are responsible for operational activities, does a third party oversee these activities?

CH

AP

TE

R 7




C 1200: Proficiency and Due Professional Care

1210: Proficiency 1220: Due Professional Care 1230: Continuing Professional

Development

IA collectively possess the skills, knowledge and competence needed to perform responsibilities.

Auditors should apply due professional care.

IA should constantly encourage auditors to maintain technical competencies through continuous education.

Standard 1200 describes the Proficiency and Due Professional Care required to be taken care by the Internal Auditor while conducting Internal Audit.


1 Do internal auditors collectively possess the necessary knowledge and skills to fulfill the role of internal auditing within their organization?

2 Are internal auditors capable of applying the prescribed audit methodology?

3 Are internal auditors attentive to fraud indicators (red flags)?

4 Do internal auditors have sufficient skills to audit the information technology environment?

5 Do internal auditors use IT tools and techniques to perform internal audit engagements?

6 Do internal auditors have the skills to deal with (difficult) people?

7 Do internal auditors possess the necessary soft skills?

8 Do internal auditors possess a professional certification and do they have access to continuous professional development programmes for internal auditors?

9 Does the internal audit unit have the authority to hire external experts when internal auditors lack the appropriate knowledge and skills for certain internal audit engagements?

10 Are audit objectives focused on the main risk(s) to the organization?


D 1300: Quality Assurance and Improvement Programme (QAIP)

1310: Requirements of QAIP 1311: Internal Assessment 1312: External Assessment 1320: Reporting on QAIP

The internal audit service ensures quality of the audit activity through conducting internal ongoing assessments, which is imbedded into the daily internal audit activities/procedures, and periodic assessments of conformance with internal audit definition, code of ethics and standards. Moreover, the department undertakes external assessments once every five years.

CH

AP

TE

R 7



Standard 1300 outlines that the CIA must develop and maintain QAIP that covers all aspects of the internal audit activity.

S. No.

Questions to Consider Response

1 Is there a quality assurance and improvement programme in place?

2 Is the programme established in the audit policies and procedures?

3 Does the programme include ongoing monitoring, periodic internal quality self-assessments and periodic external quality assessments?

4 Are all aspects of the internal audit unit (role, risk assessment, planning, execution of engagements, reporting and training) covered in the programme?

5 Do meaningful key performance indicators exist in order to measure the performance of the internal audit activity?

6 Are the results of the quality assurance and improvement programme communicated regularly to senior management?

7 Is feedback periodically solicited from auditees and senior management?

8 Does the internal audit unit periodically benchmark itself against peers?

9 Is there evidence that shows that the internal audit function adds value to the organization?

10 Is it stated that internal auditing activities conform to international standards? If yes, is this statement supported by internal and external quality assessments?

11 Are instances of non-conformance with international standards disclosed?


E 2000: Managing the Internal Audit Activity 2010: Planning 2020: Communication and Approval 2030: Resource Management 2040: Policies and Procedures 2050: Coordination &

Reliance 2060: Reporting to Senior

Management and the Board 2070: External Service Provider and

Organizational Responsibility for Internal Auditing

IA establish a Risk Based IA plan and communicate it to the CCA for information and approval for Secretary

IA of IAU ensure IA resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. (IA annual plan – team allocation)

P&P are in place to conduct the audit IA periodically reports to CIA. Internal Audit Department clearly

states the relation with External Auditors.

Standard 2000 outlines managing the internal audit activity. It details the task required to be done before the start of internal audit.

CH

AP

TE

R 7




1 Is the audit universe known and documented by the internal audit unit? Is the document updated periodically to reflect changes in the audit universe?

2 Is a risk-based plan established for internal audit activities?

3 Does the risk-based plan take into consideration any risk management framework that exists within the organization?

4 Does the internal audit unit solicit input from senior management during the development of the internal audit plan?

5 Are adequate risk factors used for risk assessments?

6 Does the internal audit unit identify the key controls in the organization?

7 Are all areas of the organization given appropriate audit coverage?

8 Is the impact of resource limitations communicated to senior management by the internal audit unit?

9 Is the audit plan periodically reviewed?10 Does the internal audit unit have appropriate

and sufficient audit resources to conduct its activities?

11 Does the internal audit unit make use of ‘guest’ auditors from other parts of the organization?

12 Are adequate audit policies and procedures in place, and are they updated on a regular basis?

13 Does the internal audit unit coordinate its audit activities with other internal assurance providers?

14 Does the internal audit unit coordinate its audit activities with the Supreme Audit Institution (SAI)?

15 Do the external auditors rely on the work of internal auditors?

16 Are internal auditors involved in the development and maintenance of a risk register or assurance map?

17 Do internal auditors also audit the “second lines of defense” within the organization?

18 Does the internal audit function periodically report to senior management on its activities?

19 Do internal auditors rely on the work of other assurance providers?

CH

AP

TE

R 7




F 2100: Nature of Work 2110: Governance 2120: Risk Management 2130: Control

The internal audit activity continuously: Assesses and make recommendations

to improve governance in the organization.

Assists in identifying, evaluating, and implementing risk management methodologies and controls to address risks.

Evaluates the effectiveness and efficiency of controls.

Standard 2100 outlines the nature of work which includes governance, risk management and control required to be complied during the conduct of internal audit.


1 Does the internal audit unit assess the design and effectiveness of ethics programmes within the organization?

2 Does the internal audit unit assess how risk ownership and accountability are established within the organization?

3 Does the internal audit unit provide assurance on the risk management process?

4 Do internal auditors assess the potential for fraud?

5 Does the internal audit unit assess the effectiveness and the efficiency of the internal control system?

6 Do internal auditors provide an opinion on the adequacy and the effectiveness of the internal control system?

7 Do internal auditors assess the reliability and the integrity of information?

8 Does the internal audit unit assess the respect for privacy of information?


G 2600: Communicating the Acceptance of Risk

When the CIA become in disagreement with the auditee regarding certain issues, the CIA will escalate the matter through the audit report to the audit committee.

Standard 2600 outlines the provision of communicating the risk to the higher management.S.

No. Questions to Consider Response

1 Is there an escalation process in case management is accepting a risk level, which is above the risk appetite of the organization?

CH

AP

TE

R 7



Appendix 5: Self-Assessment QAIP Report

Table of Contents

xxxx

Executive Summary

Xxxxx

Objectives/Purpose

Xxxx

Scope and methodology

Xxx

Data Collection and reviews

Xxx

Assessment Opinion

Main observations

i. Legal consideration (conforming legislations and professional Standards);ii. Human resource consideration (capability of Internal Auditors);iii. Financial considerations (budgetary implications);iv. Risk management considerations (Internal Audit policies, procedures and meth-

odologies); andv. Ethical considerations (Internal Audit Charter, Code of Ethics).

Successful Internal Audit Attributes

xxx

Conformance

i. IIA’s/BGIAS’ Attribute Standards Conformity;ii. IIA’s/BGIAS’ Performance Standards Conformity; andiii. IIA’s/BGIAS’ Code of Ethics.

Incorporation of IAU Chief/Internal Auditor’s feedback on the observations

xxxx

Action Plan from the IAU Chief/Internal Auditors

xxx

Conclusions and recommendations for improvements

xxx

Appendices

xxxx

CH

AP

TE

R 7



Appendix 6: Full External Assessment Reporting Template

External Quality Assessment report

Internal Audit Services

Central Coordinating Agency

Ministry of Finance

Royal Government of Bhutan

(“RGoB”)

Month/Year

1. EXECUTIVE SUMMARY

XXXX

2. OVERVIEW OF INTERNAL AUDIT ACTIVITIES

xxxxx

3. OBJECTIVES

xxx

4. DATA COLLECTION AND REVIEW

Details of Survey conducted Details of Interviews conducted Policy and practices review Audit work paper review

5. SAMPLES SELECTION

Sample selection method and number of sample selected including basis of selection.

CH

AP

TE

R 7



6. ASSESSMENT

IPPF – we compared RGoB’s present practices for conformance with the IPPF Standards and framework as well as its Bhutan Government Internal Audit Standards, the Internal Audit Manual, Internal Audit Charter and Code of Ethics.

7. REPORTING

Final report – we have summarised the results of our assessment, including detailed observations and recommendations.

8. OVERALL OPINION AS TO CONFORMANCE TO THE STANDARDS

The overall assessment is that the CCA “Conforms” to the Standards. Please refer to Attachment XX and XX for the Standard Conformance Evaluation Summary (Table), Standard Conformance Evaluation Summary and Attachment XX for the Standard Ratings Definition. The individual assessment is provided as follow:

StandardsGenerallyConforms

PartiallyConforms

Does Not Conform

Attribute Standards

Performance Standards

Code of Ethics

9. INTERNAL AUDIT CAPABILITY MODEL

Report on IA capability.

10. KEY OBSERVATIONS

10.1. Resource Management

xxxx

Quality Assurance and Improvement Programme

xxx

Annual Audit Planning

xxxx

Performance of Audit Engagements

xxx

11. KEY RECOMMENDATIONS

11.1. Resource Management

xxxx

11.2. Quality Assurance and Improvement Programme

xxxx

CH

AP

TE

R 7



11.3. Annual Audit Planning

xxxx

11.4. Enhancing the Performance of Audit Engagements

xxxx

12. WAY FORWARD

Some key next steps for consideration are in the following sequence:

xxx

13. Quality Assessment Team Members:

(i) xxx(ii) xxx

14. DETAIL REPORT

xxxx

Standard Standard Requirement Observation

Opportunities for

Continuous Improvement

Chief Internal Auditor

Response

Standard 1000: Purpose, Authority and Responsibility Standard 1010: Recognizing Mandatory Guidance in the Internal Audit Charter Standard 1100: Independence and ObjectivityStandard 1110: Organizational IndependenceStandard 1111: Direct Interaction with the Board Standard 1112: Chief Audit Executive Roles Beyond Internal AuditingStandard 1120: Individual ObjectivityStandard 1130: Impairment to Independence or Objectivity Standard 1200: Proficiency and Due Professional Care Standard 1210: ProficiencyStandard 1220: Due Professional CareStandard 1230: Continuing Professional Development Standard 1300: Quality Assurance and Improvement Programme (“QAIP”) Standard 1310: Requirements of the Quality Assurance and Improvement Programme

CH

AP

TE

R 7



Standard 1311: Internal AssessmentsStandard 1312: External AssessmentsStandard 1320: Reporting on the Quality Assurance and Improvement ProgrammeStandard 1321: Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”Standard 1322: Disclosure of Non-conformanceStandard 2000: Managing the Internal Audit Activity Standard 2010: Planning Standard 2020: Communication and ApprovalStandard 2030: Resource ManagementStandard 2040: Policies and ProceduresStandard 2050: Coordination and RelianceStandard 2060: Reporting to Senior Management and the BoardStandard 2070: External Service Provider and Organizational Responsibility for Internal AuditingStandard 2100: Nature of WorkStandard 2110: GovernanceStandard 2120: Risk ManagementStandard 2200: Engagement PlanningStandard 2201: Planning ConsiderationsStandard 2210: Engagement ObjectivesStandard 2220: Engagement ScopeStandard 2230: Engagement Resource AllocationStandard 2240: Engagement Work ProgrammeStandard 2300: Performing the Engagement Standard 2310: Identifying InformationStandard 2320: Analysis and EvaluationStandard 2330: Documenting Information

CH

AP

TE

R 7



Standard 2340: Engagement SupervisionStandard 2400: Communicating Results Standard 2410: Criteria for CommunicatingStandard 2420: Quality CommunicationsStandard 2421: Errors and OmissionsStandard 2430: Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”Standard 2431: Engagement Disclosure of Non-conformanceStandard 2440: Disseminating ResultsStandard 2450: Overall OpinionsStandard 2500: Monitoring ProgressStandard 2600: Communicating the Acceptance of RisksCode of Ethics

15. Annexure

Annexure XX:

Annexure XX:

CH

AP

TE

R 7



Appendix 7: Self-Assessment with Independent Validation QAIP Report

Table of Contents

xxx

Background;

xxx

Scope and methodology;

Xxxx

Key observations:

I. Successful Audit Practices;II. Gaps to Conformance; and III. Opportunities for improvements;

Conclusions and recommendations for improvement

xxx

Appendices.

xxxx

IIA’s/BGIAS’ Attribute Standards Conformity

Standards Observation ConformityOpportunities

for Improvement

IAU’s Response

IAU’s Action

Plan

1000 – Purpose. Authority, and Responsibility1100 – Independence and Objectivity1200 – Proficiency and Due Professional Care1300 – Quality Assurance and Improvement Programme

IIA’s/BGIAS’ Performance Standards Conformity

Standards Observation ConformityOpportunities

for Improvement

IAU’s Response

IAU’s Action

Plan

2000 – Managing the Internal Audit Activity2100 – Nature of Work2200 – Engagement Planning2300 – Performing the Engagement2400 – Communicating Results2500 – Monitoring Progress2600 – Communicating the Acceptance of Risks

CH

AP

TE

R 7



Code of Ethics Conformity

The purpose of the Code of Ethics for Internal Auditors, Royal Government of Bhutan, is to promote an ethical culture in the profession of internal auditing. A code of ethics is necessary and appropriate for the profession of internal auditing, as it is founded on the trust placed in its objective assurance about risk management, control and governance. The Code of Ethics extends beyond the Definition of Internal Auditing to include two essential components:

Principles that are relevant to the profession and practice of internal auditing. Rules of Conduct that describe behavior norms expected of internal auditors. These

rules are an aid in interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors. Internal Auditors are ex-pected to apply and uphold the principles.

Principles:

1. Integrity

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

2. Objectivity

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

3. Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

4. Competency

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

Rules of Conduct:

Rules of Conduct describes above principles in greater detail with the behavioral norms expected of internal auditors. The Rules of Conduct are an aid to interpreting the principles into practical applications and are intended to guide the ethical conduct of internal auditors.

The Internal Audit Unit, Ministry of …… .. generally conforms to the Code of Ethics which includes the two essential components – Principles and Rules of Conduct.

CH

AP

TE

R 7



Appendix 8: Examples of Internal Audit Effectiveness and Efficiency Metrics

Examples of Internal Audit Effectiveness and Efficiency Metrics

Performance management

categoryMeasures of efficiency Measures of

effectiveness

Measures of efficiency and effectiveness

Basic Measures

Number of audits scheduled. Number of audits completed Timeliness of performance feedback. Staff utilization – direct vs. indirect time. Completed audits per auditor. Actual hours vs budgeted hours. Audit report cycle time: elapsed time from opening conference to fieldwork completion and elapse time from fieldwork completion to final report. Number of internal audit reports issued vs. planned internal audits.

Client satisfaction ratings. Staff satisfaction ratings. Number of significant audit findings. Percent of recommendations implemented. Number of repeat findings. Number of open audits findings past planned corrective action date. Number of unsatisfactory internal audit opinions.

Training / CPE hours. Staff turnover / retention.

Service to Stakeholders

Responsiveness to special requests. Average response time to management request. Number of control self-assessment (CSA) sessions conducted. Number of auditors per 1,000 employees. Number of auditors per $1 million of revenue/$1 million of assets. Completed vs. planned audits. Cost savings as a percentage of department budget.

Delivery of high-quality service. Management of auditee expectations. Building strong relationships. Number of management requests. Number of committees and task forces audit is involved in. Amount of identified cost savings and percent of recoveries

Client survey scores (see example survey letter in Appendix 3). Senior management survey scores. Audit committee survey scores. Number of positive and negative feedback about audits/ auditors.

Knowledge of business

Applying that knowledge to help solve complex client issues Development of deep industry knowledge Developing and contributing best practices, emerging issues, and industry trends Best practices benchmarked

CH

AP

TE

R 7



Technical Development

Development of relevant technical knowledge Internal auditing Accounting Regulator Business Compliance with audit methodology set.

Innovation Use of technology in audits. Creativity and efficiency. Number of internal audit improvement teams and time spent (by team).

Enhanced audit process. Number of Best practices identified and communicated within an organization or internal audit activity. Number of hours spent in industry or other specialized training. Involvement in professional organizations (e.g. IIA, auditor roundtables). Thought leadership.

People Development

Number of coaching sessions in a year. Tracking of development plan (plan vs. actual). Achievement of minimum training hours required.

Average months in position. Number of staff rotations in and out of the internal audit activity. Average years of audit experience. Percent of auditors with professional certifications. Percent of auditors with advanced degrees. Training hours per auditor. Auditor turnover. Number/percent of auditors transferred promoted to other functions in the organization vs. the number that left the company.

Assistance in recruiting by team members (participation in review of resume, interview etc.).

CH

AP

TE

R 7



Appendix 9: Example of Reporting Internal Audit Effectiveness and Efficiency Dashboard

Quantitative Measures

Area Measure Target Actual

Q1 Q2 Q3 Q4

Budget management. Budget vs. actualDelivering the annual audit plan

Percent of audit plan delivered during the year

Customer Services


Q1 Q2 Q3 Q4

Number/types of ad-hoc requests received for non-routine work.

Record to be kept of ad-hoc non-routine requests by the management

Staff Satisfaction and Development


Q1 Q2 Q3 Q4

Staff training hours / year. Actual training hours vs. budgetStaffing plan (hiring).

Plan vs. actual hired

Audit Delivery / Efficiency


Q1 Q2 Q3 Q4

Audit reviews completed within budget and to agreed target date.

Budget vs. actual

Revise the audit methodology.

Plan vs. actual revision

Relation with Third Party


Q1 Q2 Q3 Q4

Use of Subject Matter Experts

Use of Subject Matter Experts for Specialized work

CH

AP

TE

R 7



Appendix 10: Guidance on Internal Audit Self-Assessment Methodology

Element: Risk-Based Audit Planning

Objective: An effective annual planning process exists including appropriate processes for the reporting of progress toward the established plan.

Draft Criteria Preliminary Methodology IIA Standard

A process is in place and is used to develop the annual internal audit plan to verify that: All organizational components, programmes, and activities were considered. Senior management was involved in the process. The plan was prepared timely and distributed to the appropriate levels of management.

In consultation with internal audit, determine the audit plan development process used (obtain any process documentation available).

Review any minutes or follow-up correspondence/confirmations of planning process meetings and verify: Attendance by all parties to the process. Input was requested from all stakeholders The plan from the previous fiscal year was reviewed to identify any engagements not yet completed for consideration for the current year’s plan. A formal risk analysis and assessment of all suggested projects was performed and documented. Organizational components, programmes, and activities were considered. A draft annual plan was presented to senior management and the board and subsequently approved. The distribution list for the draft annual plan as well as the approved audit plan.

2010

A process for selection of engagements to be conducted is documented and includes criteria such as: Past audit coverage and results. Materiality Significance to management. Risk (based on a standardized methodology) Auditability Engagements not completed from the previous year’s plan Organizational priorities Opportunities for improvement Legislative or other mandated obligations

Review last year’s plan and results. Review annual report on progress made from previous fiscal year. Review documented risk analysis and assessment to determine criteria applied. Confirm that justification was documented for engagements cancelled or deferred that were either brought forward from last year’s plan or were proposed in the current year process. Review approved annual plan to determine engagements to be conducted. Review the process used to ensure that a formal risk Analysis and assessment of all suggested projects was performed and documented.

2010

2050

For each audit selected for the plan, the plan provides: A clear indication of the objective and scope. An estimate of resource requirements, in terms of direct time, to conduct the engagements. The number of auditors and the skills required.

Review the annual plan to confirm that all required details have been incorporated. Compare the details approved to the relevant details on a sample of audit planning memorandums and document any variances. Determine that variances were accounted for and approved.

2030

CH

AP

TE

R 7



The process for tracking the progress made in support of the annual plan results in reports that: Provide an objective statement describing each engagement, and indicate the status by showing key deliverable dates, designated contacts, as well as relevant narrative comments. Are timely, accurate, and disseminated to the appropriate levels of management.

Through interviews, determine and document the process for reporting on progress against the annual plan. Compare monthly status reports to the annual plan. Review documentation on presentations made to senior management and the board. Assess effectiveness of the process in achieving the criteria addressed.

2020

2060

Reports prepared on the results achieved in support of the annual plan are appropriately used for decision making, and resources are appropriately utilized.

Interview members of senior management and the board to determine the utilization of monthly status reports content. Review minutes or emails regarding any pertinent meetings.

2020

2060

CH

AP

TE

R 7



Ap

pen

dix

11

: In

tern

al A

ud

it C

apab

ilit

y M

odel

Mat

rix

Mat

rix

Leve

lSe

rvic

es a

nd

Rol

e of

IA

Peo

ple

M

anag

emen

t P

rofe

ssio

nal

P

ract

ices

Per

form

ance

M

anag

emen

t an

d

Acc

oun

tab

ilit

y

Org

aniz

atio

nal

R

elat

ion

ship

s an

d

Cult

ure

Gov

ern

ance

St

ruct

ure

s

Leve

l 5 –

Op

tim

izin

gIA

Rec

ogni

zed

as K

ey

Agen

t of C

hang

e Le

ader

ship

In

volv

emen

t with

Pr

ofes

sion

al

Bodi

es

Wor

kfor

ce

Proj

ectio

nTa

lent

M

anag

emen

tRo

bust

Suc

cess

ion

Plan

ning

Cont

inuo

us

Impr

ovem

ent

in P

rofe

ssio

nal

Prac

tices

St

rate

gic I

A Pl

anni

ngTe

chno

logy

Ad

vanc

es

Repo

rtin

g of

IA

Effe

ctiv

enes

sEf

fect

ive

and

Ongo

ing

Rela

tions

hips

Tru

sted

Adv

isor

Inde

pend

ence

, Pow

er

and

Auth

ority

of t

he IA

Ac

tivity

Leve

l 4 –

Man

aged

Over

all

Assu

ranc

e on

Go

vern

ance

, Ri

sk M

anag

emen

t an

d Co

ntro

l

IA C

ontr

ibut

es to

M

anag

emen

t De

velo

pmen

t IA

Act

ivity

Su

ppor

ts

Prof

essi

onal

Bo

dies

W

orkf

orce

Pl

anni

ng

Audi

t Str

ateg

y Le

vera

ges

Orga

niza

tion’

s M

anag

emen

t of

Risk

Inte

grat

ion

of

Qual

itativ

e an

d Qu

antit

ativ

e Pe

rfor

man

ce

Mea

sure

s

CIA

Advi

ses a

nd

Influ

ence

s Top

-le

vel M

anag

emen

t

Inde

pend

ent O

vers

ight

of

the

IA A

ctiv

ity

CIA

Repo

rts t

o To

p-le

vel A

utho

rity

Leve

l 3 -

Inte

grat

edAd

viso

ry S

ervi

ces

Perf

orm

ance

/ Va

lue-

for-

Mon

ey A

udits

Team

Bui

ldin

g an

d Co

mpe

tenc

y

Prof

essi

onal

ly

Qual

ified

Sta

ff

Wor

kfor

ce

Coor

dina

tion

Qual

ity

Man

agem

ent

Fram

ewor

k

Risk

-Bas

ed

Audi

t Pla

ns

Perf

orm

ance

M

easu

res

Cost

Info

rmat

ion

IA M

anag

emen

t Re

port

s

Coor

dina

tion

with

Ot

her R

evie

w

Grou

ps

Inte

gral

Co

mpo

nent

of

Man

agem

ent

Team

CIA

Repo

rts t

o To

p-Le

vel A

utho

rity

Man

agem

ent O

vers

ight

an

d Su

ppor

t of t

he IA

Ac

tivity

Fund

ing

Mec

hani

sms

CH

AP

TE

R 7



Mat

rix

Leve

lSe

rvic

es

and

Rol

e of

IA

Peo

ple

M

anag

emen

t P

rofe

ssio

nal

P

ract

ices

Per

form

ance

M

anag

emen

t an

d

Acc

oun

tab

ilit

y

Org

aniz

atio

nal

R

elat

ion

ship

s an

d

Cult

ure

Gov

ern

ance

St

ruct

ure

s

Leve

l 2 -

Infr

astr

uct

ure

Leve

l 1 –

Init

ial

Com

plia

nce

Audi

ting

Indi

vidu

al

Prof

essi

onal

De

velo

pmen

t

Skill

ed P

eopl

e Id

entif

ied

and

Recr

uite

d

Prof

essi

onal

Pr

actic

es a

nd

Proc

esse

s Fr

amew

ork

Audi

t Pla

n Ba

sed

on M

anag

emen

t/

Stak

ehol

der

Prio

ritie

s

IA O

pera

ting

Budg

et

IA B

usin

ess P

lan

Man

agin

g w

ithin

th

e IA

Act

ivity

Full

Acce

ss to

the

Orga

nisa

tion’

s In

form

atio

n, A

sset

s, an

d Pe

ople

Repo

rtin

g Re

latio

nshi

ps

Esta

blis

hed

Ad h

oc a

nd u

nstr

uctu

red;

isol

ated

sin

gle

audi

ts o

r re

view

s of

doc

umen

ts a

nd tr

ansa

ctio

ns fo

r ac

cura

cy a

nd c

ompl

ianc

e;

outp

uts d

epen

dent

upo

n th

e ski

lls o

f spe

cific

indi

vidu

als h

oldi

ng th

e pos

ition

; no

spec

ific p

rofe

ssio

nal p

ract

ices

esta

blis

hed

othe

r th

an t

hose

pro

vide

d by

pro

fess

iona

l as

soci

atio

ns;

fund

ing

appr

oved

by

man

agem

ent,

as n

eede

d; a

bsen

ce o

f in

fras

truc

ture

; aud

itors

like

ly p

art o

f a la

rger

org

anis

atio

nal u

nit;

no e

stab

lishe

d ca

pabi

litie

s; th

eref

ore,

no

spec

ific

key

proc

ess a

reas

.

CH

AP

TE

R 7



Ap

pen

dix

12

: In

tern

al A

ud

it C

apab

ilit

y M

odel

Lev

els

Leve

lD

escr

ipti

on o

f Cap

abil

itie

s

5 –

Optim

isin

g

•IA

is a

trus

ted

advi

sor.

•IA

is a

lear

ning

org

anis

atio

n w

ith co

ntin

uous

pro

cess

impr

ovem

ents

and

inno

vatio

n.•

IA u

ses i

nfor

mat

ion

from

insi

de a

nd o

utsi

de th

e or

gani

satio

n to

cont

ribu

te to

ach

ievi

ng st

rate

gic o

bjec

tives

.•

Wor

ld-c

lass

/rec

omm

ende

d/be

st p

ract

ice

perf

orm

ance

.•

IA is

a cr

itica

l par

t of t

he o

rgan

isat

ion’

s gov

erna

nce

stru

ctur

e.•

Top-

leve

l pro

fess

iona

l and

spec

ialis

ed sk

ills.

•In

divi

dual

, uni

t, an

d or

gani

satio

nal p

erfo

rman

ce m

easu

res a

re fu

lly in

tegr

ated

to d

rive

per

form

ance

impr

ovem

ents

.

4 –

Man

aged

•IA

and

key

stak

ehol

ders

’ exp

ecta

tions

are

in a

lignm

ent.

•Pe

rfor

man

ce m

etri

cs a

re in

pla

ce to

mea

sure

and

mon

itor I

A pr

oces

ses a

nd re

sults

. •

IA is

reco

gnis

ed a

s del

iver

ing

sign

ifica

nt co

ntri

butio

ns th

roug

h va

lue-

adde

d se

rvic

es to

the

orga

nisa

tion.

•IA

has

dev

elop

ed a

fram

ewor

k br

oad

enou

gh to

enc

ompa

ss ri

sk a

nd co

ntro

l con

side

ratio

ns a

t all

leve

ls o

f the

org

anis

atio

n’s g

over

nanc

e,

risk

man

agem

ent,

and

cont

rol p

roce

sses

.•

IA fu

nctio

ns a

s an

inte

gral

par

t of t

he o

rgan

isat

ion’

s gov

erna

nce

and

risk

man

agem

ent.

•IA

is a

wel

l-man

aged

bus

ines

s uni

t.•

Risk

s are

mea

sure

d an

d m

anag

ed q

uant

itativ

ely.

•Re

quis

ite sk

ills a

nd co

mpe

tenc

ies a

re in

pla

ce w

ith a

capa

city

for r

enew

al an

d kn

owle

dge s

hari

ng (w

ithin

IA an

d ac

ross

the o

rgan

isat

ion)

.

3 –

Inte

grat

ed

•IA

pol

icie

s, pr

oces

ses,

and

proc

edur

es a

re d

efin

ed, d

ocum

ente

d, a

nd in

tegr

ated

into

eac

h ot

her a

nd th

e or

gani

satio

n’s i

nfra

stru

ctur

e.•

IA m

anag

emen

t and

pro

fess

iona

l pra

ctic

es a

re w

ell e

stab

lishe

d an

d un

iform

ly a

pplie

d ac

ross

the

IA a

ctiv

ity.

•IA

is st

artin

g to

alig

n w

ith th

e or

gani

satio

n’s b

usin

ess a

nd th

e ri

sks i

t fac

es.

•IA

evo

lves

from

con

duct

ing

only

trad

ition

al IA

to in

tegr

atin

g as

a te

am p

laye

r, co

nduc

ting

perf

orm

ance

or p

roce

ss-b

ased

aud

iting

, and

pr

ovid

ing

advi

ce o

n pe

rfor

man

ce a

nd m

anag

emen

t of r

isks

.•

Focu

s is o

n te

am b

uild

ing

and

capa

city

of t

he IA

act

ivity

and

its i

ndep

ende

nce

and

obje

ctiv

ity.

•IA

supp

orts

the

impl

emen

tatio

n an

d co

ordi

natio

n of

an

effe

ctiv

e Th

ree

Line

s of D

efen

se m

odel

.•

Gene

rally

conf

orm

s with

the

Stan

dard

s.

2 –

Infr

astr

uc-

ture

•Ke

y qu

estio

n or

chal

leng

e fo

r Lev

el 2

is h

ow to

est

ablis

h an

d m

aint

ain

repe

atab

ility

of p

roce

sses

and

thus

a re

peat

able

capa

bilit

y.•

IA r

epor

ting

rela

tions

hips

, m

anag

emen

t an

d ad

min

istr

ativ

e in

fras

truc

ture

s an

d pr

ofes

sion

al p

ract

ices

and

pro

cess

es a

re b

eing

es

tabl

ishe

d (I

A gu

idan

ce, p

roce

sses

and

pro

cedu

res)

.•

Audi

t pla

nnin

g is

bas

ed p

rinc

ipal

ly o

n m

anag

emen

t pri

oriti

es.

•Co

ntin

ued

relia

nce

esse

ntia

lly o

n th

e sk

ills a

nd co

mpe

tenc

ies o

f spe

cific

per

sons

.•

Cond

ucts

pri

ncip

ally

com

plia

nce

or co

ntro

ls-b

ased

aud

iting

.•

Part

ial c

onfo

rman

ce w

ith th

e St

anda

rds.

CH

AP

TE

R 7



Leve

lD

escr

ipti

on o

f Cap

abil

itie

s

1 - I

nitia

l

•Ad

hoc

or u

nstr

uctu

red.

•Is

olat

ed si

ngle

aud

its o

r rev

iew

s of d

ocum

ents

and

tran

sact

ions

for a

ccur

acy

and

com

plia

nce.

•Ou

tput

dep

ende

nt u

pon

the

skill

s of t

he sp

ecifi

c per

son

hold

ing

the

posi

tion.

•N

o pr

ofes

sion

al p

ract

ices

est

ablis

hed

othe

r tha

n th

ose

prov

ided

by

prof

essi

onal

ass

ocia

tions

.•

Fund

ing

appr

oval

by

man

agem

ent,

as n

eede

d.•

Abse

nce

of in

fras

truc

ture

.•

Audi

tors

like

ly p

art o

f a la

ger o

rgan

isat

iona

l uni

t.•

Inst

itutio

nal c

apab

ility

is n

ot d

evel

oped

.

CH

AP

TE

R 7



Ap

pen

dix

13

: In

tern

al A

ud

it M

atu

rity

Ass

essm

ent

Inte

rnal

Au

dit

M

atu

rity

R

atin

g

Stan

dar

d

10

00

Pu

rpos

e,

Au

thor

ity,

an

d

Res

pon

sib

ilit

y

Stan

dar

ds

11

00

,11

30

Ind

epen

den

ce a

nd

O

bje

ctiv

ity

Stan

dar

d 1

20

0

Pro

fici

ency

an

d D

ue

Pro

fess

ion

al C

are

Stan

dar

d 1

30

0

Qu

alit

y A

ssu

ran

ce

and

Imp

rove

men

t P

rogr

amm

e

Stan

dar

d 2

00

0

Man

agin

g th

e In

tern

al A

ud

it

Act

ivit

y

Stan

dar

d 2

10

0

Nat

ure

of W

ork

Op

tim

ized

Inte

rnal

Aud

it Ch

arte

r in

plac

e,

revi

ewed

and

ap

prov

ed b

y Au

dit C

omm

ittee

on

ann

ual b

asis

, cl

early

link

ed

to co

rpor

ate

gove

rnan

ce

obje

ctiv

es,

spec

ifies

goo

d pr

actic

e In

tern

al

Audi

t rep

ortin

g ar

rang

emen

ts.

Inte

rnal

Aud

it re

port

ing

arra

ngem

ents

def

ined

in

Inte

rnal

Aud

it Ch

arte

r, sp

ecifi

es g

ood

prac

tice

repo

rtin

g ar

rang

emen

ts,

inde

pend

ence

an

d ob

ject

ivity

re

quir

emen

ts d

efin

ed

by In

tern

al A

udit

polic

y in

clud

ing

the

requ

irem

ent f

or co

nflic

t of

inte

rest

dis

clos

ure,

an

nual

att

esta

tion

requ

ired

by

Inte

rnal

Au

dit s

taff.

Inte

rnal

Aud

it re

sour

ces a

re

cred

entia

led,

sp

ecia

list r

esou

rces

ar

e av

aila

ble

whe

n re

quir

ed, a

nnua

l Ri

sk A

sses

smen

t co

nduc

ted,

ong

oing

an

d pe

riod

ic

Qual

ity A

ssur

ance

pr

oces

ses i

n pl

ace,

tr

aini

ng p

rogr

amm

es

rein

forc

e In

tern

al

Audi

t cre

dent

ials

and

su

ppor

t exe

cutio

n of

In

tern

al A

udit

Wor

k.

Docu

men

ted

ongo

ing

and

peri

odic

Qu

ality

Ass

uran

ce

Prog

ram

me

in p

lace

, Qu

ality

Ass

uran

ce

activ

ities

occ

ur

for i

nter

nal a

udit

enga

gem

ents

, In

tern

al A

sses

smen

t co

nduc

ted

annu

ally

, Ex

tern

al A

sses

smen

t co

nduc

ted

at le

ast

ever

y 5

year

s.

Inte

rnal

Aud

it po

licie

s and

pr

oced

ures

in p

lace

, In

tern

al A

udit

plan

s lin

ked

to co

rpor

ate

obje

ctiv

es,

effe

ctiv

e In

tern

al

Audi

t rep

ortin

g ar

rang

emen

ts,

audi

t clie

nt

feed

back

soug

ht,

perf

orm

ance

m

easu

res i

n pl

ace

and

used

to

driv

e co

ntin

uous

im

prov

emen

t.

Inte

rnal

Aud

it fo

cuse

s on

cont

rols

, ris

k,

and

gove

rnan

ce,

Inte

rnal

Aud

it pl

ans a

re

clea

rly li

nked

to

ent

erpr

ise-

wid

e vi

ew o

f ri

sk a

nd p

lans

ar

e pe

riod

ical

ly

adju

sted

, Int

erna

l Au

dit u

ses

reco

gniz

ed co

ntro

l fr

amew

orks

in it

s w

ork.

Man

aged

Inte

rnal

Aud

it Ch

arte

r in

plac

e,

revi

ewed

and

ap

prov

ed b

y Au

dit C

omm

ittee

on

ann

ual b

asis

, cl

early

link

ed

to co

rpor

ate

gove

rnan

ce

obje

ctiv

es.

Inte

rnal

Aud

it re

port

ing

arra

ngem

ents

def

ined

in

Inte

rnal

Aud

it Ch

arte

r, sp

ecifi

es g

ood

prac

tice

repo

rtin

g ar

rang

emen

ts,

inde

pend

ence

an

d ob

ject

ivity

re

quir

emen

ts d

efin

ed

by In

tern

al A

udit

polic

y in

clud

ing

the

requ

irem

ent f

or co

nflic

t of

inte

rest

dis

clos

ure.

Inte

rnal

Aud

it re

sour

ces a

re

cred

entia

led,

som

e sp

ecia

list r

esou

rces

ar

e av

aila

ble,

ann

ual

Risk

Ass

essm

ent

cond

ucte

d, o

ngoi

ng

and

peri

odic

Qua

lity

Assu

ranc

e pr

oces

ses

in p

lace

.

Docu

men

ted

ongo

ing

and

peri

odic

Qu

ality

Ass

uran

ce

Prog

ram

me

in p

lace

, Qu

ality

Ass

uran

ce

activ

ities

occ

ur

for i

nter

nal a

udit

enga

gem

ents

, In

tern

al A

sses

smen

t co

nduc

ted

annu

ally

.

Inte

rnal

Aud

it po

licie

s and

pr

oced

ures

in p

lace

, In

tern

al A

udit

plan

s lin

ked

to co

rpor

ate

obje

ctiv

es,

effe

ctiv

e In

tern

al

Audi

t rep

ortin

g ar

rang

emen

ts, a

udit

clie

nt fe

edba

ck

soug

ht.

Inte

rnal

Aud

it fo

cuse

s on

cont

rols

, ris

k,

and

gove

rnan

ce,

Inte

rnal

Aud

it pl

ans a

re

clea

rly li

nked

to

ent

erpr

ise-

wid

e vi

ew o

f ri

sk a

nd p

lans

ar

e pe

riod

ical

ly

adju

sted

.

CH

AP

TE

R 7



Inte

rnal

Au

dit

M

atu

rity

R

atin

g

Stan

dar

d

10

00

Pu

rpos

e,

Au

thor

ity,

an

d

Res

pon

sib

ilit

y

Stan

dar

ds

11

00

,11

30

Ind

epen

den

ce a

nd

O

bje

ctiv

ity

Stan

dar

d 1

20

0

Pro

fici

ency

an

d D

ue

Pro

fess

ion

al C

are

Stan

dar

d 1

30

0

Qu

alit

y A

ssu

ran

ce

and

Imp

rove

men

t P

rogr

amm

e

Stan

dar

d 2

00

0

Man

agin

g th

e In

tern

al A

ud

it

Act

ivit

y

Stan

dar

d 2

10

0

Nat

ure

of W

ork

Imp

lem

ente

d

Inte

rnal

Aud

it Ch

arte

r in

plac

e,

revi

ewed

and

ap

prov

ed b

y Au

dit

Com

mitt

ee o

n a

peri

odic

bas

is.

Inte

rnal

Aud

it re

port

ing

arra

ngem

ents

def

ined

in

Inte

rnal

Aud

it Ch

arte

r spe

cifie

s goo

d pr

actic

e re

port

ing

arra

ngem

ents

.

Som

e In

tern

al

Audi

t res

ourc

es a

re

cred

entia

led,

som

e sp

ecia

list r

esou

rces

ar

e av

aila

ble,

ann

ual

Risk

Ass

essm

ent

cond

ucte

d, o

ngoi

ng

Qual

ity A

ssur

ance

pr

oces

ses i

n pl

ace.

Ongo

ing

and

peri

odic

Qu

ality

Ass

uran

ce

Prog

ram

me

elem

ents

in

pla

ce, Q

ualit

y As

sura

nce

activ

ities

oc

cur f

or in

tern

al

audi

t eng

agem

ents

.

Inte

rnal

Aud

it po

licie

s and

pr

oced

ures

in p

lace

, In

tern

al A

udit

plan

s lin

ked

to co

rpor

ate

obje

ctiv

es,

effe

ctiv

e In

tern

al

Audi

t rep

ortin

g ar

rang

emen

ts.

Inte

rnal

Aud

it fo

cuse

s on

cont

rols

, ris

k, a

nd

gove

rnan

ce.

Inte

rnal

Au

dit

M

atu

rity

R

atin

g

Stan

dar

d

10

00

Pu

rpos

e,

Au

thor

ity,

an

d

Res

pon

sib

ilit

y

Stan

dar

ds

11

00

,11

30

In

dep

end

ence

an

d

Ob

ject

ivit

y

Stan

dar

d 1

20

0

Pro

fici

ency

an

d

Du

e P

rofe

ssio

nal

Ca

re

Stan

dar

d 1

30

0

Qu

alit

y A

ssu

ran

ce

and

Imp

rove

men

t P

rogr

amm

e

Stan

dar

d 2

00

0

Man

agin

g th

e In

tern

al A

ud

it

Act

ivit

y

Stan

dar

d 2

10

0

Nat

ure

of W

ork

Def

ined

Inte

rnal

Aud

it Ch

arte

r in

plac

e an

d ap

prov

ed b

y Au

dit C

omm

ittee

.

Inte

rnal

Aud

it re

port

ing

arra

ngem

ents

def

ined

in

Inte

rnal

Aud

it Ch

arte

r, bu

t not

goo

d pr

actic

e re

port

ing

arra

ngem

ents

.

Inte

rnal

Aud

it re

sour

ces

are

part

ially

cr

eden

tiale

d,

spec

ialis

t re

sour

ces m

ay b

e av

aila

ble,

ann

ual

Risk

Ass

essm

ent

cond

ucte

d, so

me

ongo

ing

Qual

ity

Assu

ranc

e pr

oces

ses

in p

lace

.

Som

e on

goin

g Qu

ality

Ass

uran

ce

Prog

ram

me

elem

ents

in

pla

ce, s

ome

Qual

ity A

ssur

ance

ac

tiviti

es o

ccur

fo

r int

erna

l aud

it en

gage

men

ts.

Inte

rnal

Aud

it po

licie

s and

pr

oced

ures

in

plac

e, In

tern

al

Audi

t pla

ns li

nked

to

corp

orat

e ob

ject

ives

.

Inte

rnal

Aud

it fo

cuse

s on

cont

rols

and

risk

.

CH

AP

TE

R 7



Inte

rnal

Au

dit

M

atu

rity

R

atin

g

Stan

dar

d

10

00

Pu

rpos

e,

Au

thor

ity,

an

d

Res

pon

sib

ilit

y

Stan

dar

ds

11

00

,11

30

In

dep

end

ence

an

d

Ob

ject

ivit

y

Stan

dar

d 1

20

0

Pro

fici

ency

an

d

Du

e P

rofe

ssio

nal

Ca

re

Stan

dar

d 1

30

0

Qu

alit

y A

ssu

ran

ce

and

Imp

rove

men

t P

rogr

amm

e

Stan

dar

d 2

00

0

Man

agin

g th

e In

tern

al A

ud

it

Act

ivit

y

Stan

dar

d 2

10

0

Nat

ure

of W

ork

Init

ial

No

Inte

rnal

Aud

it Ch

arte

r or i

n dr

aft

or n

ot a

ppro

ved

by

Audi

t Com

mitt

ee.

Inte

rnal

Aud

it re

port

ing

arra

ngem

ents

not

de

fined

in In

tern

al

Audi

t Cha

rter

or

repo

rtin

g ar

rang

emen

ts

not i

n lin

e w

ith g

ood

prac

tice.

Inte

rnal

Aud

it re

sour

ces n

ot

cred

entia

led,

no

spec

ialis

t res

ourc

es,

no a

nnua

l Ris

k As

sess

men

t, lim

ited

ongo

ing

Qual

ity

Assu

ranc

e pr

oces

ses

in p

lace

.

No

form

al Q

ualit

y As

sura

nce

Prog

ram

me

in

plac

e, so

me

Qual

ity

Assu

ranc

e ac

tiviti

es

may

occ

ur fo

r in

tern

al a

udit

enga

gem

ents

.

No

Inte

rnal

Aud

it po

licie

s and

pr

oced

ures

in

plac

e, In

tern

al

Audi

t pla

ns n

ot

linke

d to

corp

orat

e ob

ject

ives

.

Inte

rnal

Aud

it fo

cuse

s on

com

plia

nce/

co

ntro

l.

Inte

rnal

Au

dit

M

atu

rity

R

atin

g

Stan

dar

d 2

20

0

Enga

gem

ent

Pla

nn

ing

Stan

dar

d 2

30

0

Per

form

ing

the

Enga

gem

ent

Stan

dar

d 2

40

0

Com

mu

nic

atin

g R

esu

lts

Stan

dar

d 2

50

0

Mon

itor

ing

Pro

gres

s

Stan

dar

d 2

60

0

Com

mu

nic

atin

g th

e A

ccep

tan

ce o

f R

isk

s

Cod

e of

Eth

ics

Op

tim

ized

Plan

ning

pe

rfor

med

in

colla

bora

tion

with

st

akeh

olde

rs,

plan

ning

adj

uste

d fo

r diff

erin

g ci

rcum

stan

ces,

plan

ning

do

cum

ente

d,

the

cons

iste

nt

met

hodo

logy

ap

plie

d to

in

tern

al a

udit

enga

gem

ents

, su

perv

isor

y re

view

, and

sign

– of

f occ

urs.

Inte

rnal

Aud

it po

licie

s and

pr

oced

ures

clea

rly

defin

e in

tern

al a

udit

enga

gem

ent p

roce

ss,

Audi

t Wor

k Pl

ans

are

tailo

red

for

each

eng

agem

ent,

supe

rvis

ory

revi

ew

and

sign

–off

occu

rs,

auto

mat

ed a

udit

wor

king

pap

er

syst

em in

pla

ce,

CAAT

s and

oth

er

audi

t tec

hniq

ues

activ

ely

used

.

Repo

rtin

g pr

otoc

ol

esta

blis

hed

for

com

mun

icat

ing

resu

lts, r

epor

ting

done

co

nsis

tent

ly fr

om co

nten

t an

d fo

rmat

per

spec

tive,

CA

E re

view

s and

sign

s–of

f aud

it re

port

s bef

ore

issu

e, m

anag

emen

t inp

ut

to re

port

ing

is a

ctiv

ely

soug

ht, r

epor

ts co

ntai

n m

anag

emen

t com

men

ts

and

agre

ed a

ctio

ns,

Inte

rnal

Aud

it pr

epar

es

repo

rts t

hat s

how

sy

stem

ic is

sues

foun

d th

roug

h its

wor

k.

Follo

w–u

p pr

otoc

ol

esta

blis

hed,

follo

w–u

p on

impl

emen

tatio

n of

aud

it re

com

men

datio

ns

perf

orm

ed

cons

iste

ntly

, rep

ortin

g to

Aud

it Co

mm

ittee

on

the

stat

us o

f aud

it re

com

men

datio

ns,

auto

mat

ed sy

stem

fo

r rec

eivi

ng

prog

ress

upd

ates

fr

om m

anag

emen

t, hi

gh ra

te o

f aud

it re

com

men

datio

n cl

eara

nce.

Esca

latio

n pr

otoc

ol

defin

ed, t

he

proc

ess c

lear

ly

unde

rsto

od b

y In

tern

al A

udit

and

man

agem

ent,

colla

bora

tive

appr

oach

to

reso

lutio

n, cl

ear

defin

ition

of t

he

leve

l of r

isk

that

ca

n be

ass

umed

by

Man

agem

ent

that

pre

clud

es th

e ne

ed fo

r esc

alat

ion

prot

ocol

.

Orga

niza

tion

Code

of C

ondu

ct

esta

blis

hed,

IIA

Code

of E

thic

s is

em

bedd

ed

in In

tern

al

Audi

t pol

icie

s, et

hics

trai

ning

is

cond

ucte

d,

Inte

rnal

Aud

it st

aff c

ompl

ete

annu

al C

ode

of E

thic

s de

clar

atio

n.

CH

AP

TE

R 7



Inte

rnal

Au

dit

M

atu

rity

R

atin

g

Stan

dar

d 2

20

0

Enga

gem

ent

Pla

nn

ing

Stan

dar

d 2

30

0

Per

form

ing

the

Enga

gem

ent

Stan

dar

d 2

40

0

Com

mu

nic

atin

g R

esu

lts

Stan

dar

d 2

50

0

Mon

itor

ing

Pro

gres

s

Stan

dar

d 2

60

0

Com

mu

nic

atin

g th

e A

ccep

tan

ce o

f R

isk

s

Cod

e of

Eth

ics

Man

aged

Plan

ning

pe

rfor

med

in

colla

bora

tion

with

st

akeh

olde

rs,

plan

ning

do

cum

ente

d,

the

cons

iste

nt

met

hodo

logy

ap

plie

d to

in

tern

al a

udit

enga

gem

ents

, su

perv

isor

y re

view

, and

sign

– of

f occ

urs.

Inte

rnal

Aud

it po

licie

s and

pr

oced

ures

clea

rly

defin

e in

tern

al a

udit

enga

gem

ent p

roce

ss,

Audi

t Wor

k Pl

ans

are

tailo

red

for

each

eng

agem

ent,

supe

rvis

ory

revi

ew

and

sign

–off

occu

rs,

may

hav

e au

tom

ated

au

dit w

orki

ng p

aper

sy

stem

in p

lace

.

Repo

rtin

g pr

otoc

ol

esta

blis

hed

for

com

mun

icat

ing

resu

lts, r

epor

ting

done

co

nsis

tent

ly fr

om co

nten

t an

d fo

rmat

per

spec

tive,

CA

E re

view

s and

sign

s–of

f aud

it re

port

s bef

ore

issu

e, re

port

s con

tain

m

anag

emen

t com

men

ts

and

actio

ns to

impl

emen

tRe

com

men

datio

ns.

Follo

w–u

p pr

otoc

ol

esta

blis

hed,

follo

w–u

p on

impl

emen

tatio

n of

aud

it re

com

men

datio

ns

perf

orm

ed

cons

iste

ntly

, rep

ortin

g to

Aud

it Co

mm

ittee

on

the

stat

us o

f aud

it re

com

men

datio

ns.

Esca

latio

n pr

otoc

ol

defin

ed, p

roce

ss

clea

rly u

nder

stoo

d by

Inte

rnal

Aud

it an

d M

anag

emen

t, co

llabo

rativ

e ap

proa

ch to

re

solu

tion.

Orga

niza

tion

Code

of C

ondu

ct

esta

blis

hed,

IIA

Code

of E

thic

s is

em

bedd

ed in

In

tern

al A

udit

polic

ies,

ethi

cs

trai

ning

is

cond

ucte

d.

Imp

lem

ente

d

Plan

ning

pe

rfor

med

and

do

cum

ente

d,

the

cons

iste

nt

met

hodo

logy

ap

plie

d to

in

tern

al a

udit

enga

gem

ents

, su

perv

isor

y re

view

, and

sign

– of

f occ

urs.

Inte

rnal

Aud

it po

licie

s and

pr

oced

ures

clea

rly

defin

e in

tern

al a

udit

enga

gem

ent p

roce

ss,

Audi

t Wor

k Pl

ans

are

tailo

red

for

each

eng

agem

ent,

supe

rvis

ory

revi

ew

and

sign

–off

occu

rs.

Repo

rtin

g pr

otoc

ol

esta

blis

hed

for

com

mun

icat

ing

resu

lts, r

epor

ting

done

co

nsis

tent

ly fr

om co

nten

t an

d fo

rmat

per

spec

tive,

CA

E re

view

s and

sign

s–of

f au

dit r

epor

ts b

efor

e th

e is

sue.

Follo

w–u

p pr

otoc

ol

esta

blis

hed,

follo

w–u

p on

impl

emen

tatio

n of

aud

it re

com

men

datio

ns

perf

orm

ed

cons

iste

ntly

.

Esca

latio

n pr

otoc

ol

defin

ed, t

he

proc

ess c

lear

ly

unde

rsto

od b

y In

tern

al A

udit

and

Man

agem

ent.

Orga

niza

tion

Code

of C

ondu

ct

esta

blis

hed,

IIA

Code

of E

thic

s is

em

bedd

ed in

In

tern

al A

udit

polic

ies.

CH

AP

TE

R 7



Inte

rnal

Au

dit

M

atu

rity

R

atin

g

Stan

dar

d 2

20

0En

gage

men

t P

lan

nin

g

Stan

dar

d 2

30

0P

erfo

rmin

g th

e En

gage

men

t

Stan

dar

d 2

40

0Co

mm

un

icat

ing

Res

ult

s

Stan

dar

d 2

50

0M

onit

orin

g P

rogr

ess

Stan

dar

d 2

60

0Co

mm

un

icat

ing

the

Acc

epta

nce

of

Ris

ks

Cod

e of

Eth

ics

Def

ined

Plan

ning

pe

rfor

med

and

do

cum

ente

d;

cons

iste

nt

met

hodo

logy

ap

plie

d to

in

tern

al a

udit

enga

gem

ents

.

Som

e el

emen

ts

of In

tern

al a

udit

enga

gem

ent p

roce

ss

defin

ed, s

tand

ard

Audi

t Wor

k Pl

ans

used

.

Repo

rtin

g pr

otoc

ol

esta

blis

hed

for

com

mun

icat

ing

resu

lts, r

epor

ting

done

in

cons

iste

ntly

from

co

nten

t and

form

at

pers

pect

ive.

Follo

w–u

p pr

otoc

ol

esta

blis

hed,

follo

w–u

p on

impl

emen

tatio

n of

aud

it re

com

men

datio

ns

occu

rs b

ut n

ot

perf

orm

ed

cons

iste

ntly

.

Esca

latio

n pr

otoc

ol

esta

blis

hed;

M

anag

emen

t m

ay a

ssum

e in

appr

opri

ate

leve

l of

risk

.

Orga

niza

tion

Code

of C

ondu

ct

esta

blis

hed,

IIA

Code

of E

thic

s re

ceiv

es so

me

atte

ntio

n.

Init

ial

Plan

ning

not

pe

rfor

med

or

docu

men

ted,

no

cons

iste

nt

met

hodo

logy

ap

plie

d to

in

tern

al a

udit

enga

gem

ents

.

Inte

rnal

aud

it en

gage

men

t pro

cess

no

t cle

arly

def

ined

or

Aud

it W

ork

Plan

s not

pre

pare

d fo

r int

erna

l aud

it en

gage

men

ts.

Repo

rtin

g pr

otoc

ol

not e

stab

lishe

d fo

r co

mm

unic

atin

g re

sults

, re

port

ing

is a

d ho

c.

No

follo

w–u

p pr

otoc

ol

esta

blis

hed,

follo

w–u

p on

impl

emen

tatio

n of

aud

it re

com

men

datio

ns

not p

erfo

rmed

co

nsis

tent

ly o

r not

pe

rfor

med

.

No

esca

latio

n pr

otoc

ol

esta

blis

hed.

Orga

niza

tion

Code

of C

ondu

ct

not e

stab

lishe

d,

IIA C

ode

of E

thic

s do

es n

ot re

ceiv

e fo

rmal

att

entio

n.

CH

AP

TE

R 7



Appendix 14: Standard Conformance Evaluation Summary (Table) Template

Conformance Standards Generally Conforms

Partially Conforms

Does Not Conform

Not Applicable Total

Definition of IA and Code of Ethics

Rule of Conduct

Purpose 1000-1130People 1200-1230Performance 1300-1322Planning 2000-2130Process 2200-2600Total

CH

AP

TE

R 7



Appendix 15: Standard Conformance Evaluation Summary Template

Quality Assessment Evaluation Summary - Major/ Supporting StandardsEvaluation

GC PC DNC

A. ATTRIBUTE STANDARDS

1000 Purpose, Authority, and Responsibility1010 Recognizing Mandatory Guidance in the Internal Audit Charter1100 Independence and Objectivity1110 Organizational Independence1111 Direct Interaction with the Board1112 Chief Audit Executive Roles Beyond Internal Auditing1120 Individual Objectivity1130 Impairment to Independence or Objectivity1200 Proficiency and Due Professional Care1210 Proficiency1220 Due Professional Care1230 Continuing Professional Development1300 Quality Assurance and Improvement Programme1310 Requirements of the Quality Assurance and Improvement Programme1311 Internal Assessments1312 External Assessments1320 Reporting on the Quality Assurance and Improvement Programme

1321 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”

1322 Disclosure of NonconformanceB PERFORMANCE STANDARDS

2000 Managing the Internal Audit Activity2010 Planning2020 Communication and Approval2030 Resource Management2040 Policies and Procedures2050 Coordination and Reliance2060 Reporting to Senior Management and the Board

2070 External Service Provider and Organizational Responsibility for Internal Auditing

2100 Nature of Work2110 Governance2120 Risk Management2130 Control2200 Engagement Planning2201 Planning Considerations2210 Engagement Objectives

CH

AP

TE

R 7



2220 Engagement Scope2230 Engagement Resource Allocation2240 Engagement Work Programme2300 Performing the Engagement2310 Identifying Information2320 Analysis and Evaluation2330 Documenting Information2340 Engagement Supervision2400 Communicating Results2410 Criteria for Communicating2420 Quality of Communications2421 Errors and Omissions

2430 Use of “Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing”

2431 Engagement Disclosure of Nonconformance2440 Disseminating Results2450 Overall Opinions2500 Monitoring Progress2600 Communicating the Acceptance of Risks

The IIA’s Code of Ethics

CH

AP

TE

R 7



Appendix 16: Standard Rating Criteria

Following are the Standards rating criteria:

Rating Definition

Generally Conforms

GC – “Generally Conforms” means the assessor has concluded the following: For individual standards, the internal audit activity conforms to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or elements of the IIA Code of Ethics (both Principles and Rules of Conduct) in all material respects. For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity achieves general conformity to a majority of the individual standards and/or elements of the IIA Code of Ethics, and at least partial conformity to others, within the section/category. For the internal audit activity overall, there may be opportunities for improvement, but these should not represent situations where the internal audit activity has not implemented the Standards or the IIA Code of Ethics, has not applied them effectively, or has not achieved their stated objectives.

Partially Conforms

PC – “Partially Conforms” means the assessor has concluded the following: For individual standards, the internal audit activity is making good faith efforts to conform to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or element of the IIA Code of Ethics (both Principles and Rules of Conduct) but falls short of achieving some major objectives. For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity partially achieves conformance with a majority of the individual standards within the section/category and/or elements of the IIA Code of Ethics. For the internal audit activity overall, there will be significant opportunities for improvement in effectively applying the Standards or IIA Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the internal audit activity and may result in recommendations to senior management or the board of the organization.

Does Not Conform

DNC – “Does Not Conform” means the assessor has concluded the following: For individual standards, the internal audit activity is not aware of, is not making good faith efforts to conform to, or is failing to achieve many/all of the objectives of the standard (e.g., 1000, 1010, 2000, 2010, etc.) and/or elements of the IIA Code of Ethics (both Principles and Rules of Conduct). For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity does not achieve conformance with a majority of the individual standards within the section/category and/or elements of the IIA Code of Ethics. For the internal audit activity overall, there will be deficiencies that will usually have a significant negative impact on the internal audit activity’s effectiveness and its potential to add value to the organization. These may also represent significant opportunities for improvement, including actions by senior management or the board.

CH

AP

TE

R 7



Ap

pen

dix

17

: Ch

eck

list

on

Ext

ern

al Q

ual

ity

Ass

essm

ent

Not

e: T

his

chec

klis

t is

for

guid

ance

pur

pose

onl

y. Th

e In

tern

al A

udito

r of

IAU

or C

IA m

ay ta

ke r

efer

ence

from

this

che

cklis

t to

deve

lop

a de

taile

d ch

eckl

ist s

peci

fic to

Inte

rnal

act

ivity

per

form

ed.

17

.1.

ISP

PIA

13

00

– Q

ual

ity

Ass

ura

nce

an

d Im

pro

vem

ent

Pro

gram

me

Esse

ntia

lly, S

tand

ard

1300

seri

es sh

all r

equi

re th

e CC

A an

d th

e IA

Us to

ens

ure

the

follo

win

g as

sess

men

ts:

17

.1.1

Th

e in

tern

al a

ud

it a

ctiv

ity

has

an

ad

equ

ate

qu

alit

y as

sura

nce

an

d im

pro

vem

ent

pro

gram

me

in p

lace

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

the

CIA

mai

ntai

ns

an

esta

blis

hed

Qual

ity A

ssur

ance

and

Impr

ovem

ent P

rogr

amm

e.

Ch

eck

whe

ther

all

audi

tors

are

acq

uain

ted

with

the

co

ncep

t and

com

pone

nts o

f the

QAI

P;

Ch

eck

whe

ther

the

QAIP

is fu

lly o

pera

tiona

l.

The

inte

rnal

aud

it ac

tivity

has

a Q

AIP

in p

lace

. All

inte

rnal

au

dito

rs a

re fa

mili

ar w

ith th

e pr

ogra

mm

e.

Inte

rnal

aud

it do

es n

ot h

ave

a QA

IP in

pla

ce.

QAIP

pro

gram

me

exis

ts b

ut th

e in

tern

al a

udito

rs a

re n

ot

fam

iliar

with

it.

17

.1.2

Th

e q

ual

ity

assu

ran

ce a

nd

imp

rove

men

t p

rogr

amm

e is

em

bed

ded

in a

ll in

tern

al a

ud

it p

olic

ies

and

pro

ced

ure

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he Q

AIP

is s

peci

fied

in a

ny l

egal

or

othe

r rel

evan

t doc

umen

t.

Ch

eck

whe

ther

the

con

cept

of

QAIP

is

embe

dded

th

roug

hout

all

step

s of t

he in

tern

al a

udit

met

hodo

logy

.

The

QAIP

is e

mbe

dded

in a

ll st

eps

of t

he in

tern

al a

udit

met

hodo

logy

.

The

QAIP

is n

ot e

mbe

dded

in th

e m

ost i

mpo

rtan

t ste

ps o

f th

e in

tern

al a

udit

met

hodo

logy

.

CH

AP

TE

R 7



17

.1.3

T

he

qu

alit

y as

sura

nce

an

d i

mp

rove

men

t p

rogr

amm

e in

clu

de

on

goin

g m

on

ito

rin

g, p

erio

dic

in

tern

al s

elf-

asse

ssm

ents

an

d

ind

epen

den

t ex

tern

al q

ual

ity

asse

ssm

ents

.

Rev

iew

ste

ps

Ass

essm

ent

ou

tco

me

Gen

eral

ly

Co

nfo

rm

– G

C

Par

tial

ly

Co

nfo

rm

- PC

Do

es N

ot

Co

nfo

rm

- DN

C

Chec

k th

e co

nten

t and

met

hodo

logy

of t

he Q

AIP.

Chec

k w

heth

er o

ngoi

ng m

onito

ring

is d

efin

ed a

s an

impo

rtan

t com

pone

nt

of th

e da

ily in

tern

al a

udit

activ

ities

.

As

sess

resp

onsi

bilit

ies

for o

ngoi

ng m

onito

ring

.

As

sess

the

tem

plat

es a

nd to

ols

that

are

use

d fo

r ong

oing

mon

itori

ng.

Asse

ss t

he q

ualit

y of

ong

oing

mon

itori

ng a

nd w

heth

er a

con

sist

ent

appr

oach

is a

pplie

d.

Ch

eck

whe

ther

per

iodi

c se

lf-as

sess

men

t is

wel

l def

ined

as

part

of t

he Q

AIP.

Chec

k w

heth

er th

e pe

riod

ic s

elf-a

sses

smen

t is

incl

uded

in th

e an

nual

aud

it pl

an.

Asse

ss w

heth

er t

he i

nter

nal

audi

tors

who

are

res

pons

ible

for

per

iodi

c in

tern

al s

elf-a

sses

smen

ts a

re i

ndep

ende

nt,

obje

ctiv

e an

d ex

erci

se d

ue

prof

essi

onal

car

e.

As

sess

the

tem

plat

es a

nd t

ools

tha

t ar

e us

ed f

or p

erio

dic

inte

rnal

sel

f-as

sess

men

ts.

Asse

ss th

e ov

eral

l qua

lity

of th

e pe

riod

ic in

tern

al s

elf-a

sses

smen

ts.

Chec

k w

heth

er t

he r

esul

ts o

f th

e pe

riod

ic i

nter

nal

self-

asse

ssm

ents

are

pr

oper

ly re

port

ed.

Chec

k w

heth

er d

ue c

onsi

dera

tion

has

been

giv

en to

the

reco

mm

enda

tions

th

at re

sult

from

the

peri

odic

inte

rnal

sel

f-ass

essm

ents

.

Ch

eck

whe

ther

pe

riod

ic

exte

rnal

qu

ality

as

sess

men

ts

cond

ucte

d by

in

depe

nden

t rev

iew

ers

are

a w

ell-d

efin

ed c

ompo

nent

of t

he Q

AIP.

Chec

k w

heth

er th

e pr

ogra

mm

e en

visa

ges

that

ext

erna

l ass

essm

ents

cou

ld

be p

erfo

rmed

as

com

plet

ely

inde

pend

ent e

xter

nal a

sses

smen

ts o

r as

sel

f-as

sess

men

ts w

ith in

depe

nden

t ext

erna

l val

idat

ion.

Chec

k w

heth

er th

e ex

tern

al a

sses

smen

t has

bee

n in

clud

ed in

the

budg

et.

Chec

k w

heth

er t

he p

rogr

amm

e in

clud

es i

ndep

ende

nce

and

com

pete

ncy

crite

ria

for t

he p

erso

ns w

ho w

ill p

erfo

rm th

e ex

tern

al a

sses

smen

t.

Ch

eck

whe

ther

the

resu

lts o

f the

exte

rnal

ass

essm

ent a

re p

rope

rly

repo

rted

.

Ch

eck

whe

ther

due

con

side

ratio

n ha

s be

en g

iven

to th

e re

com

men

datio

ns

that

resu

lt fr

om th

e ex

tern

al a

sses

smen

t.

The

QAIP

in

clud

es

ongo

ing

mon

itori

ng,

peri

odic

in

tern

al

self-

asse

ssm

ents

an

d in

depe

nden

t ex

tern

al q

ualit

y as

sess

men

ts. I

nter

nal

audi

t co

nsis

tent

ly p

erfo

rms

all

thes

e co

mpo

nent

s.

The Q

AIP

incl

udes

ong

oing

mon

itori

ng,

peri

odic

inte

rnal

self-

asse

ssm

ents

and

in

depe

nden

t ex

tern

al

asse

ssm

ents

. In

tern

al a

udit

cons

iste

ntly

per

form

s on

goin

g m

onito

ring

an

d se

lf-as

sess

men

ts.

How

ever

, ex

tern

al

asse

ssm

ents

are

not

per

form

ed.

The

QAIP

do

es

not

incl

ude

all

com

pone

nts

(ong

oing

m

onito

ring

, pe

riod

ic in

tern

al se

lf-as

sess

men

ts a

nd

inde

pend

ent

exte

rnal

as

sess

men

ts).

Inte

rnal

aud

it co

nsis

tent

ly p

erfo

rms

ongo

ing

mon

itori

ng, b

ut in

tern

al s

elf-

asse

ssm

ents

and

ext

erna

l ass

essm

ents

ha

ve n

ot b

een

perf

orm

ed.

The

QAIP

do

es

not

incl

ude

all

com

pone

nts

(ong

oing

m

onito

ring

, pe

riod

ic in

tern

al se

lf-as

sess

men

ts a

nd

inde

pend

ent

exte

rnal

as

sess

men

ts).

Inte

rnal

aud

it do

es n

ot c

onsi

sten

tly

perf

orm

on

goin

g m

onito

ring

, an

d ne

ither

in

tern

al

self-

asse

ssm

ents

no

r ex

tern

al a

sses

smen

ts h

ave

been

pe

rfor

med

.

CH

AP

TE

R 7



17

.1.4

Th

e q

ual

ity

assu

ran

ce a

nd

imp

rove

men

t p

rogr

amm

e co

ver

all a

spec

ts o

f th

e in

tern

al a

ud

it fu

nct

ion

(ro

le, r

isk

ass

essm

ent,

p

lan

nin

g an

d e

xecu

tion

of e

nga

gem

ents

, rep

orti

ng

and

tra

inin

g).

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss th

e co

nten

t and

met

hodo

logy

of t

he Q

AIP.

Asse

ss w

heth

er a

ctua

l pe

rfor

man

ce o

f th

e QA

IP i

s co

nsis

tent

with

the

pres

crib

ed m

etho

dolo

gy.

Asse

ss t

he t

rain

ing

and

prof

essi

onal

dev

elop

men

t pr

ogra

mm

e.

The

met

hodo

logy

of t

he Q

AIP

is a

dequ

ate

and

cons

iste

ntly

ap

plie

d.

The

met

hodo

logy

of t

he Q

AIP

is n

ot a

dequ

ate.

The

met

hodo

logy

is

adeq

uate

, but

it

is n

ot c

onsi

sten

tly

appl

ied.

17

.1.5

Th

e in

tern

al a

ud

it fu

nct

ion

has

mea

nin

gfu

l key

per

form

ance

ind

icat

ors

to m

easu

re it

s p

erfo

rman

ce.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er k

ey p

erfo

rman

ce in

dica

tors

are

de

fined

in th

e in

tern

al a

udit

met

hodo

logy

and

pr

oced

ures

.

As

sess

the

crite

ria

of th

e in

dica

tors

esp

ecia

lly

with

rega

rd to

thei

r use

fuln

ess.

Chec

k w

heth

er re

gula

r rep

ortin

g on

key

pe

rfor

man

ce in

dica

tors

occ

urs.

Mea

ning

ful

key

perf

orm

ance

ind

icat

ors

are

wel

l de

fined

. The

y ar

e co

nsis

tent

ly m

easu

red

and

repo

rted

.

Perf

orm

ance

indi

cato

rs d

o no

t exi

st o

r are

poo

rly d

efin

ed.

CH

AP

TE

R 7



17

.1.6

Th

e re

sult

s of

th

e q

ual

ity

assu

ran

ce a

nd

imp

rove

men

t p

rogr

amm

e ar

e re

gula

rly

com

mu

nic

ated

to s

enio

r m

anag

emen

t.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er s

enio

r man

agem

ent i

s aw

are

of

the

exis

tenc

e of

a Q

AIP.

Chec

k w

heth

er re

gula

r rep

ortin

g oc

curs

.

Ch

eck

whe

ther

the

CIA

regu

larly

repo

rts

on th

e im

plem

enta

tion

of t

he r

ecom

men

datio

ns t

hat

aris

e fr

om th

e va

riou

s ass

essm

ents

.

The

resu

lts o

f th

e QA

IP a

re c

onsi

sten

tly c

omm

unic

ated

to

seni

or m

anag

emen

t. M

anag

emen

t is

als

o in

form

ed a

bout

the

im

plem

enta

tion

of re

com

men

ded

actio

ns.

The

resu

lts o

f th

e QA

IP a

re n

ot c

onsi

sten

tly c

omm

unic

ated

to

seni

or m

anag

emen

t.

17

.1.7

Th

at in

tern

al a

ud

it p

erio

dic

ally

sol

icit

s fe

edb

ack

from

au

dit

ees

and

sen

ior

man

agem

ent.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

n au

dite

e su

rvey

is c

ondu

cted

af

ter

com

plet

ion

of

each

in

tern

al

audi

t en

gage

men

t.

Ch

eck

whe

ther

an

au

dit

surv

ey

is

sent

pe

riod

ical

ly to

seni

or m

anag

emen

t.

Ch

eck

whe

ther

the

res

ults

of t

he a

udit

surv

eys

are

prop

erly

ana

lyze

d an

d gi

ven

due

atte

ntio

n by

th

e CI

A.

Ch

eck

whe

ther

th

e re

sults

of

th

e su

rvey

s ar

e pe

riod

ical

ly

com

mun

icat

ed

to

seni

or

man

agem

ent.

Inte

rnal

au

dit

regu

larly

so

licits

fe

edba

ck

from

se

nior

m

anag

emen

t and

from

aud

itees

. The

resu

lts o

f the

feed

back

are

co

mm

unic

ated

to se

nior

man

agem

ent.

Inte

rnal

audi

t doe

s not

solic

it fe

edba

ck fr

om se

nior

man

agem

ent

and

audi

tees

on

a re

gula

r bas

is.

CH

AP

TE

R 7



17

.1.8

Eac

h in

tern

al a

ud

it u

nit

per

iod

ical

ly b

ench

mar

ks

itse

lf a

gain

st c

omp

arab

le u

nit

s (n

atio

nal

ly a

nd

inte

rnat

ion

ally

).

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e in

tern

al a

udit

unit

part

icip

ates

in

nat

iona

l an

d in

tern

atio

nal

even

ts w

here

bes

t pr

actic

es a

re p

rese

nted

and

dis

cuss

ed.

Chec

k w

heth

er in

tern

al a

udito

rs m

aint

ain

regu

lar

cont

act w

ith p

eers

.

Ch

eck

whe

ther

th

e in

tern

al

audi

t fu

nctio

n be

nchm

arks

its

elf

peri

odic

ally

ag

ains

t be

st

prac

tices

.

Inte

rnal

aud

it ke

eps a

brea

st o

f cur

rent

tren

ds a

nd a

ppro

ache

s in

inte

rnal

aud

iting

. Int

erna

l aud

it be

nchm

arks

itse

lf ag

ains

t be

st p

ract

ices

and

inf

orm

s se

nior

man

agem

ent

abou

t th

e re

sults

of s

uch

benc

hmar

king

exe

rcis

es.

Inte

rnal

aud

it do

es n

ot k

eep

abre

ast

of r

ecen

t tr

ends

in

inte

rnal

aud

iting

.

17

.1.9

Th

e in

tern

al a

ud

it b

rin

gs r

eal v

alu

e to

th

e in

stit

uti

on.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss

whe

ther

in

tern

al

audi

t car

es a

bout

the

valu

e it

prov

ides

, for

exa

mpl

e th

roug

h co

llect

ing

feed

back

with

in th

e or

gani

zatio

n.

As

sess

ho

w

inte

rnal

au

dit

mea

sure

s its

val

ue.

Inte

rvie

w

user

s of

in

tern

al

audi

t se

rvic

es (

agen

cy h

eads

, se

nior

m

anag

emen

t, an

d op

erat

iona

l m

anag

emen

t) o

n th

e va

lue

they

rec

eive

fro

m

inte

rnal

aud

it.

Inte

rnal

aud

it ca

res

abou

t the

val

ue it

pro

vide

s an

d ho

w s

take

hold

ers

perc

eive

the

bene

fits a

nd th

e va

lue

adde

d by

inte

rnal

aud

iting

. It m

easu

res i

ts v

alue

via

feed

back

ob

tain

ed fr

om v

ario

us s

take

hold

ers.

All s

take

hold

ers

conf

irm

the

valu

e of

inte

rnal

au

dit.

Inte

rnal

aud

it ca

res

abou

t the

val

ue it

pro

vide

s an

d ho

w s

take

hold

ers

perc

eive

the

bene

fits a

nd th

e val

ue ad

ded

by in

tern

al au

ditin

g. T

he st

akeh

olde

rs p

erce

ive t

hat t

he

perf

orm

ance

of i

nter

nal a

udit

is a

vera

ge a

nd th

ere

is m

uch

room

for i

mpr

ovem

ent.

Inte

rnal

aud

it ca

res

abou

t th

e va

lue

it pr

ovid

es b

ut d

oes

not

take

int

o ac

coun

t st

akeh

olde

rs’ p

erce

ptio

n of

its v

alue

s. St

akeh

olde

rs d

o no

t see

any

val

ue in

inte

rnal

au

ditin

g and

are n

ot in

tere

sted

in th

e ser

vice

s pro

vide

d by

the i

nter

nal a

udit

activ

ity.

Inte

rnal

aud

it do

es n

ot c

are

abou

t whe

ther

it d

eliv

ers

valu

e to

its

stak

ehol

ders

. It

has a

cont

rolli

ng/i

nspe

ctio

n ap

proa

ch a

nd th

eref

ore

the

valu

e of

its p

erfo

rman

ce is

no

t rel

evan

t. St

akeh

olde

rs co

nfir

m th

is a

ttitu

de.

CH

AP

TE

R 7



17

.1.1

0 A

ny s

tate

men

t on

com

pli

ance

wit

h I

nte

rnat

ion

al S

tan

dar

ds

for

the

Pro

fess

ion

al P

ract

ice

of I

nte

rnal

Au

dit

ing

is s

up

por

ted

by

th

e re

sult

s of

inte

rnal

an

d e

xter

nal

qu

alit

y as

sura

nce

ass

essm

ents

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e us

age

of th

e st

atem

ent

“con

duct

ed

in

acco

rdan

ce

with

th

e In

tern

atio

nal S

tand

ard

for t

he P

rofe

ssio

nal

Prac

tice

of In

tern

al A

uditi

ng”

is d

efin

ed in

th

e m

etho

dolo

gy.

Asse

ss

whe

ther

in

tern

al

audi

tors

ar

e fa

mili

ar w

ith th

e us

e of

this

term

.

Ch

eck

a fe

w in

tern

al a

udit

repo

rts

for

the

pres

ence

of t

his s

tate

men

t.

Ch

eck

whe

ther

this

stat

emen

t is s

uppo

rted

by

the

res

ults

of

inte

rnal

and

ext

erna

l qu

ality

ass

uran

ce a

sses

smen

ts.

Inte

rnal

aud

it do

es n

ot u

se th

e st

atem

ent “

cond

ucte

d in

acc

orda

nce

with

the

Int

erna

tiona

l St

anda

rds

for

the

Prof

essi

onal

Pra

ctic

e of

In

tern

al A

uditi

ng”,

unle

ss th

e us

e of

this

stat

emen

t is s

uppo

rted

by

the

resu

lts o

f bot

h in

tern

al a

nd e

xter

nal q

ualit

y as

sura

nce

asse

ssm

ents

.

Inte

rnal

aud

it us

es t

he s

tate

men

t “c

ondu

cted

in

acco

rdan

ce w

ith

the

Inte

rnat

iona

l Sta

ndar

ds fo

r th

e Pr

ofes

sion

al P

ract

ice

of I

nter

nal

Audi

ting”

in it

s rep

orts

alth

ough

use

of t

he st

atem

ent i

s not

supp

orte

d by

the

resu

lts o

f int

erna

l and

ext

erna

l qua

lity

assu

ranc

e as

sess

men

ts.

17

.1.1

1 A

ny n

onco

mp

lian

ce w

ith

In

tern

atio

nal

Sta

nd

ard

s fo

r th

e P

rofe

ssio

nal

Pra

ctic

e of

In

tern

al A

ud

itin

g (I

SPP

IA)

is p

rop

erly

d

iscl

osed

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er d

iscl

osur

e of

non

com

plia

nce

with

IS

PPIA

is d

efin

ed in

the

met

hodo

logy

.

Ch

eck

a fe

w in

tern

al a

udit

repo

rts f

or th

e pr

esen

ce o

f su

ch d

iscl

osur

es.

Chec

k w

heth

er t

he r

easo

n fo

r no

ncom

plia

nce

has

been

clea

rly e

xpla

ined

.

Ch

eck

whe

ther

th

e im

pact

of

no

ncom

plia

nce

is

desc

ribe

d.

Inte

rnal

au

dit

prop

erly

di

sclo

ses

nonc

ompl

ianc

e w

ith

ISPP

IA a

s nec

essa

ry.

Inte

rnal

aud

it do

es n

ot d

iscl

ose

nonc

ompl

ianc

e w

ith IS

PPIA

as

nec

essa

ry.

CH

AP

TE

R 7



17

.2.

ISP

PIA

22

00

– E

nga

gem

ent

Pla

nn

ing

Chec

klis

ts to

ass

ess c

ompl

ianc

e of

eng

agem

ent p

lann

ing

requ

irem

ents

are

as u

nder

:

17

.2.1

En

sure

th

at in

tern

al a

ud

it d

evel

ops

a d

etai

led

pla

n fo

r ev

ery

aud

it e

nga

gem

ent.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k fo

r the

exi

sten

ce o

f det

aile

d pl

ans f

or a

few

rand

om o

f in

tern

al a

udit

enga

gem

ents

;

Ch

eck

whe

ther

the

tea

m l

eade

r ha

d si

gned

off

on t

hose

en

gage

men

t pla

ns;

Chec

k w

heth

er t

he C

hief

of

IAU

had

sign

ed o

ff on

tho

se

enga

gem

ent p

lans

;

Ch

eck

whe

ther

tho

se r

ando

mly

sel

ecte

d en

gage

men

t pl

ans

incl

ude

the

requ

ired

info

rmat

ion

to co

nduc

t the

aud

it.

Inte

rnal

aud

it de

velo

ps d

etai

led

plan

s fo

r al

l aud

it en

gage

men

ts. T

hese

pla

ns a

re p

rope

rly a

utho

rize

d.

Inte

rnal

aud

it do

es n

ot d

evel

op d

etai

led

plan

s fo

r al

l au

dit

enga

gem

ents

or

plan

s ar

e no

t pr

oper

ly

auth

oriz

ed.

17

.2.2

To

ensu

re t

hat

a p

reli

min

ary

surv

ey is

con

du

cted

bef

ore

dev

elop

ing

the

aud

it o

bje

ctiv

es.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he m

etho

dolo

gy p

resc

ribe

s a

stan

dard

ap

proa

ch fo

r con

duct

ing

a pr

elim

inar

y su

rvey

;

Ch

eck

whe

ther

app

ropr

iate

que

stio

nnai

res

exis

t fo

r th

e pr

elim

inar

y su

rvey

;

Ch

eck

a sa

mpl

e of

file

s to

det

erm

ine

whe

ther

pre

limin

ary

surv

eys w

ere

cond

ucte

d.

Inte

rnal

aud

it pe

rfor

ms a

pre

limin

ary

surv

ey b

efor

e th

e de

velo

pmen

t of t

he a

udit

obje

ctiv

es.

Inte

rnal

aud

it do

es n

ot s

yste

mat

ical

ly p

erfo

rm a

pr

elim

inar

y su

rvey

bef

ore

the

deve

lopm

ent

of t

he

audi

t obj

ectiv

es.

CH

AP

TE

R 7



17

.2.3

To

ensu

re th

at in

tern

al a

ud

it c

onsi

der

s th

e p

rob

abil

ity

of s

ign

ific

ant e

rror

s an

d fr

aud

bef

ore

dev

elop

ing

the

aud

it o

bje

ctiv

es.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

inte

rnal

au

dit

asse

sses

th

e pr

obab

ility

of

sign

ifica

nt e

rror

s an

d fr

aud

whe

n co

nduc

ting

its o

wn

risk

ass

essm

ent

prio

r to

the

de

velo

pmen

t of t

he a

udit

enga

gem

ent p

lan.

Inte

rnal

aud

it as

sess

es th

e pr

obab

ility

of s

igni

fican

t err

ors a

nd

frau

d pr

ior t

o th

e de

velo

pmen

t of t

he a

udit

obje

ctiv

es.

Inte

rnal

aud

it do

es n

ot s

yste

mat

ical

ly a

sses

s th

e pr

obab

ility

of

sign

ifica

nt e

rror

s and

frau

d pr

ior t

o th

e de

velo

pmen

t of t

he

audi

t obj

ectiv

es.

17

.2.4

To

ensu

re th

at th

e in

tern

al a

ud

it e

nga

gem

ent p

lan

incl

ud

es c

lear

au

dit

ob

ject

ives

an

d a

n a

pp

rop

riat

e d

efin

itio

n o

f th

e au

dit

sc

ope.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er t

he a

udit

obje

ctiv

es a

re a

ligne

d w

ith

the

risk

(s)

iden

tifie

d du

ring

th

e ri

sk

asse

ssm

ent p

roce

ss;

Chec

k w

heth

er a

pro

per

prel

imin

ary

surv

ey t

ook

plac

e;

As

sess

whe

ther

the r

isk(

s) id

entif

ied

duri

ng th

e ris

k as

sess

men

t pr

oces

s is

upd

ated

with

inf

orm

atio

n ac

quir

ed d

urin

g th

e pr

elim

inar

y su

rvey

;

As

sess

whe

ther

all

stru

ctur

al u

nits

, do

cum

ents

an

d as

sets

tha

t w

ill b

e su

bjec

t to

the

aud

it ha

ve

been

def

ined

, in

clud

ing

the

peop

le w

ho w

ill b

e in

terv

iew

ed;

Asse

ss w

heth

er th

e du

ratio

n an

d sc

ope

of th

e au

dit

have

bee

n de

fined

;

Ch

eck

whe

ther

th

e im

pact

of

po

ssib

le

scop

e lim

itatio

ns h

as b

een

asse

ssed

Inte

rnal

aud

it de

fines

cle

ar a

udit

obje

ctiv

es i

n lin

e w

ith

the

resu

lts o

f th

e an

nual

ris

k as

sess

men

t pr

oces

s an

d th

e pr

elim

inar

y su

rvey

. The

sco

pe is

suf

ficie

nt to

sat

isfy

the

audi

t ob

ject

ives

.

Inte

rnal

aud

it de

fines

cle

ar a

udit

obje

ctiv

es in

line

with

the

re

sults

of t

he a

nnua

l ris

k as

sess

men

t pro

cess

but

not

with

the

resu

lts o

f th

e pr

elim

inar

y su

rvey

. The

sco

pe i

s su

ffici

ent

to

satis

fy th

e au

dit o

bjec

tives

.

Inte

rnal

aud

it de

fines

aud

it ob

ject

ives

, whi

ch a

re n

ot in

line

w

ith th

e re

sults

of t

he a

nnua

l ris

k as

sess

men

t pro

cess

and

the

prel

imin

ary

surv

ey. T

he s

cope

is s

uffic

ient

to s

atis

fy th

e au

dit

obje

ctiv

es.

Inte

rnal

aud

it do

es n

ot d

efin

e au

dit

obje

ctiv

es i

n lin

e w

ith

the

resu

lts o

f th

e an

nual

ris

k as

sess

men

t pr

oces

s an

d th

e pr

elim

inar

y su

rvey

. Th

e sc

ope

is i

nsuf

ficie

nt t

o sa

tisfy

the

au

dit o

bjec

tives

.

CH

AP

TE

R 7



17

.2.5

To

ensu

re t

hat

au

dit

ee m

anag

emen

t is

pro

per

ly in

form

ed a

bou

t th

e u

pco

min

g in

tern

al a

ud

it e

nga

gem

ent.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

pro

cedu

re is

in p

lace

to

info

rm m

anag

emen

t ab

out

the

upco

min

g in

tern

al a

udit

enga

gem

ent;

Asse

ss w

heth

er th

is p

roce

dure

is co

nsis

tent

ly a

nd fu

lly a

pplie

d;

Ch

eck

whe

ther

the o

bjec

tives

and

the s

cope

of t

he in

tern

al au

dit e

ngag

emen

t ar

e pr

esen

ted

to th

e m

anag

emen

t of t

he a

udite

d pr

oces

s/st

ruct

ure

as e

arly

as

pos

sibl

e;

Ch

eck

whe

ther

the

audi

t tea

m m

embe

rs a

nd th

e du

ratio

n of

the

audi

t hav

e be

en sp

ecifi

ed;

Chec

k w

heth

er a

kic

k-of

f mee

ting

was

hel

d to

dis

cuss

issu

es r

elat

ed to

the

inte

rnal

aud

it en

gage

men

t.

Inte

rnal

au

dit

prop

erly

in

form

s m

anag

emen

t ab

out

the

obje

ctiv

es,

scop

e an

d tim

ing

of u

pcom

ing

audi

t en

gage

men

ts.

Inte

rnal

aud

it do

es n

ot s

yste

mat

ical

ly

or

prop

erly

in

form

m

anag

emen

t ab

out t

he o

bjec

tives

, sco

pe a

nd ti

min

g of

upc

omin

g au

dit e

ngag

emen

ts.

17

.2.6

To

ensu

re th

at th

e au

dit

sco

pe

is s

uff

icie

nt a

nd

ap

pro

pri

ate

to a

chie

ve th

e au

dit

ob

ject

ives

an

d in

clu

des

sig

nif

ican

t sys

tem

s,

reco

rds,

ass

ets

and

peo

ple

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Revi

ew a

sam

ple

of a

udit

files

an

d ch

eck

whe

ther

si

gnifi

cant

sy

stem

s, re

cord

s, as

sets

an

d pe

rson

nel

are

incl

uded

in

th

e sc

ope.

The

audi

t sc

ope

is s

uffic

ient

and

app

ropr

iate

to

achi

eve

audi

t ob

ject

ives

and

in

clud

es a

revi

ew o

f sig

nific

ant s

yste

ms,

reco

rds,

asse

ts a

nd p

eopl

e.

The

audi

t sc

ope

is n

ot a

lway

s su

ffici

ent

and

appr

opri

ate

to a

chie

ve a

udit

obje

ctiv

es o

r do

es n

ot a

lway

s in

clud

e a

revi

ew o

f sig

nific

ant s

yste

ms,

reco

rds,

asse

ts a

nd p

eopl

e.

CH

AP

TE

R 7



17

.2.7

To

ensu

re t

hat

su

ffic

ien

t an

d a

pp

rop

riat

e re

sou

rces

are

all

ocat

ed to

per

form

inte

rnal

au

dit

en

gage

men

ts.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

audi

tors

w

ith

appr

opri

ate

skill

s w

ere

sele

cted

for i

nter

nal a

udit

enga

gem

ents

;

Ch

eck

whe

ther

ext

erna

l ex

pert

s w

ith s

peci

fic s

kills

wer

e hi

red

whe

n th

e ne

ed a

rose

;

Ch

eck

whe

ther

the

ava

ilabl

e re

sour

ces

are

suffi

cien

t to

de

al w

ith t

he n

atur

e an

d co

mpl

exity

of

inte

rnal

aud

it en

gage

men

ts.

Appr

opri

ate

and

suffi

cien

t aud

it re

sour

ces

have

bee

n al

loca

ted

to p

erfo

rm in

tern

al a

udit

enga

gem

ents

.

The

audi

t re

sour

ces

allo

cate

d to

per

form

int

erna

l au

dit

enga

gem

ents

are

not

con

sist

ently

app

ropr

iate

or

suffi

cien

t.

17

.2.8

To

ensu

re t

hat

a d

etai

led

au

dit

pro

gram

me

is d

evel

oped

, wh

ich

iden

tifi

es a

ll s

tep

s n

eed

ed to

ach

ieve

th

e au

dit

ob

ject

ives

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e au

dit p

rogr

amm

e in

clud

es m

etho

ds a

nd

tech

niqu

es th

at a

re to

be

used

dur

ing

the

audi

t eng

agem

ent;

Chec

k w

heth

er a

udit

step

s ar

e co

mpl

ete

and

suffi

cien

tly

deta

iled

to e

nabl

e ac

hiev

emen

t of t

he a

udit

obje

ctiv

es;

Chec

k w

heth

er t

he s

teps

in

the

audi

t pr

ogra

mm

e w

ere

allo

cate

d to

ind

ivid

ual

inte

rnal

aud

itors

on

the

team

for

ex

ecut

ion.

Deta

iled

audi

t pr

ogra

mm

es a

re d

evel

oped

for

ever

y in

tern

al a

udit

enga

gem

ent.

Audi

t pr

ogra

mm

es a

re n

ot d

evel

oped

or

are

not

spec

ific e

noug

h to

ena

ble

the

achi

evem

ent o

f the

aud

it ob

ject

ives

.

CH

AP

TE

R 7



17

.2.9

To

ensu

re t

hat

th

e au

dit

pro

gram

mes

are

pro

per

ly a

pp

rove

d.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

the

CIA

appr

oves

th

e de

taile

d au

dit

prog

ram

mes

tha

t in

tern

al a

udito

rs p

repa

re f

or i

nter

nal

audi

t eng

agem

ents

;

Ch

eck

whe

ther

cha

nges

to a

ppro

ved

audi

t pro

gram

mes

are

au

thor

ized

.

The

CIA

appr

oves

all

audi

t pr

ogra

mm

es. C

hang

es t

o ex

istin

g pr

ogra

mm

es a

re p

rope

rly a

utho

rize

d.

Audi

t pro

gram

mes

or c

hang

es to

exis

ting

prog

ram

mes

ar

e no

t con

sist

ently

app

rove

d.

17

.3.

ISP

PIA

23

00

– P

erfo

rmin

g th

e En

gage

men

t

Chec

klis

t for

revi

ew st

eps a

nd a

sses

smen

t out

com

es n

eces

sary

to fu

lfill

requ

irem

ents

of S

tand

ard

2300

seri

es a

re a

s bel

ow.

This

can

be a

chie

ved

by co

nduc

ting

the

follo

win

g as

sess

men

ts.

17

.3.1

To

ensu

re t

hat

in

tern

al a

ud

it h

as a

pro

cess

in

pla

ce t

o id

enti

fy r

elev

ant,

su

ffic

ien

t, r

elia

ble

an

d u

sefu

l in

form

atio

n d

uri

ng

inte

rnal

au

dit

en

gage

men

ts.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er i

nter

nal

audi

tors

acq

uire

the

nec

essa

ry

info

rmat

ion

by h

oldi

ng in

terv

iew

s, m

akin

g us

eful

enq

uiri

es

from

rel

evan

t em

ploy

ees,

obse

rvin

g th

e cu

rren

t pro

cess

es,

and

by re

view

ing

rele

vant

doc

umen

ts (i

nter

nal p

roce

dure

s an

d re

port

s).

Inte

rnal

aud

it id

entif

ies

and

anal

yzes

all

rele

vant

in

form

atio

n du

ring

the

inte

rnal

aud

it en

gage

men

ts.

Inte

rnal

au

dit

som

etim

es

over

look

s re

leva

nt

info

rmat

ion

or

spen

ds

too

muc

h tim

e an

alyz

ing

irre

leva

nt in

form

atio

n.

CH

AP

TE

R 7



17

.3.2

To

ensu

re t

hat

inte

rnal

au

dit

ors

use

an

alyt

ical

pro

ced

ure

s w

hen

per

form

ing

thei

r en

gage

men

ts.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he m

etho

dolo

gy d

escr

ibes

whi

ch

anal

ytic

al

proc

edur

es

can

be

used

in

sp

ecifi

c ci

rcum

stan

ces;

Asse

ss w

heth

er in

tern

al a

udito

rs u

nder

stan

d th

e us

e an

d va

lue

of a

naly

tical

pro

cedu

res.

Inte

rnal

audi

tors

use

anal

ytic

al p

roce

dure

s in

an ap

prop

riat

e w

ay.

Inte

rnal

aud

itors

do

not u

nder

stan

d ho

w a

nd w

hen

to u

se

anal

ytic

al p

roce

dure

s.

17

.3.3

To

ensu

re t

hat

inte

rnal

au

dit

ors

pre

par

e an

d u

se a

deq

uat

e w

ork

ing

pap

ers

to d

ocu

men

t th

eir

aud

it w

ork

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e m

etho

dolo

gy c

lear

ly

defin

es

the

form

at

and

cont

ent

of

wor

king

pap

ers;

Revi

ew a

sam

ple

of a

udit

files

for

the

co

mpl

eten

ess

and

adeq

uacy

(p

rope

r cr

oss-

refe

renc

ing)

of

th

e w

orki

ng

pape

rs;

Revi

ew

a sa

mpl

e of

au

dit

files

fo

r ev

iden

ce o

f ade

quat

e su

perv

isio

n of

the

wor

king

pap

ers.

Inte

rnal

aud

it m

aint

ains

pro

per

wor

king

pap

ers

that

doc

umen

t th

e ex

ecut

ion

of th

e ap

prov

ed a

udit

prog

ram

me.

Pre

para

tion

of th

e w

orki

ng

pape

rs i

s m

onito

red

on a

reg

ular

bas

is a

nd t

hey

are

prop

erly

cro

ss-

refe

renc

ed.

Inte

rnal

aud

it m

aint

ains

wor

king

pap

ers

that

dev

iate

from

the

appr

oved

au

dit p

rogr

amm

e.

The

wor

king

pap

ers a

re cr

oss-

refe

renc

ed a

nd re

gula

rly su

perv

ised

.

Inte

rnal

aud

it m

aint

ains

wor

king

pap

ers

that

dev

iate

from

the

appr

oved

au

dit

prog

ram

me.

Pre

para

tion

of t

he w

orki

ng p

aper

s is

sup

ervi

sed

but

they

are

not

cros

s-re

fere

nced

.

Inte

rnal

aud

it do

es n

ot m

aint

ain

wor

king

pap

ers.

CH

AP

TE

R 7



17

.3.4

To

ensu

re t

hat

acc

ess

to t

he

wor

kin

g p

aper

s is

pro

per

ly c

ontr

olle

d.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

ppro

pria

te p

olic

ies

exis

t for

acc

ess

to in

tern

al

audi

tors

’ wor

king

pap

ers;

Chec

k w

heth

er m

anua

l wor

king

pap

ers a

re p

rope

rly se

cure

d;

Ch

eck

whe

ther

pro

per a

cces

s ri

ghts

con

trol

acc

ess

to e

lect

roni

c w

orki

ng p

aper

s;

As

sess

whe

ther

int

erna

l au

dito

rs a

re a

war

e of

the

sec

urity

re

quir

emen

ts a

nd a

rran

gem

ents

for w

orki

ng p

aper

s.

Acce

ss to

aud

it w

orki

ng p

aper

s is

wel

l org

aniz

ed

and

resp

ecte

d.

Acce

ss t

o au

dit

wor

king

pap

ers

is n

ot o

rgan

ized

or

resp

ecte

d.

17

.3.5

To

ensu

re t

hat

pro

per

ret

enti

on r

equ

irem

ents

exi

st fo

r au

dit

wor

kin

g p

aper

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

ppro

pria

te p

olic

ies

exis

t fo

r th

e re

tent

ion

of

wor

king

pap

ers (

FRR

2016

);

As

sess

whe

ther

the C

IA se

eks l

egal

advi

ce re

gard

ing t

he re

tent

ion

timef

ram

e fo

r wor

king

pap

ers w

here

unc

erta

intie

s exi

st;

Chec

k w

heth

er

the

inte

rnal

au

dito

rs

com

ply

with

th

e re

quir

emen

ts fo

r the

rete

ntio

n pr

oced

ure.

Rete

ntio

n of

au

dit

wor

king

pa

pers

is

w

ell

orga

nize

d an

d re

spec

ted.

Rete

ntio

n of

audi

t wor

king

pap

ers i

s not

org

aniz

ed

or re

spec

ted.

17

.3.6

To

ensu

re t

hat

au

dit

en

gage

men

ts a

re a

deq

uat

ely

sup

ervi

sed

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he m

etho

dolo

gy p

resc

ribe

s th

at a

ll au

dit

enga

gem

ents

shou

ld b

e ad

equa

tely

supe

rvis

ed;

Inte

rvie

w st

aff a

bout

how

supe

rvis

ion

and

coac

hing

take

pla

ce.

Audi

t en

gage

men

ts a

re a

dequ

atel

y su

perv

ised

, an

d ap

prop

riat

e co

achi

ng o

f in

tern

al a

udito

rs

take

s pla

ce.

Audi

t eng

agem

ents

are

not

wel

l sup

ervi

sed

CH

AP

TE

R 7



17

.3.7

To

ensu

re t

hat

evi

den

ce o

f su

per

visi

on is

doc

um

ente

d.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Revi

ew a

sam

ple

of a

udit

files

and

che

ck fo

r ev

iden

ce o

f pro

per

supe

rvis

ion.

Evid

ence

of s

uper

visi

on is

pro

perly

doc

umen

ted.

Evid

ence

of s

uper

visi

on is

not

doc

umen

ted.

17

.4.

ISP

PIA

24

00

– C

omm

un

icat

ing

Res

ult

s

Sugg

estiv

e ch

eckl

ists

are

as u

nder

:

17

.4.1

To

ensu

re t

hat

inte

rnal

au

dit

cle

arly

com

mu

nic

ates

th

e im

pac

t of

its

fin

din

gs.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er th

e aud

it fin

ding

s dis

tingu

ish

betw

een

sign

ifica

nt

and

less

sign

ifica

nt is

sues

;

As

sess

whe

ther

inte

rnal

aud

it cl

early

sta

tes

wha

t the

impa

ct o

n th

e in

stitu

tion

will

be

if th

e si

gnifi

cant

issu

es h

ighl

ight

ed b

y th

e fin

ding

s are

not

add

ress

ed;

Inte

rvie

w s

enio

r m

anag

emen

t ab

out

the

sign

ifica

nce

of a

udit

findi

ngs;

Asse

ss w

heth

er t

he a

udit

conc

lusi

on i

nclu

des

a cl

ear

and

subs

tant

iate

d m

essa

ge.

The

impa

ct o

f cr

itica

l au

dit

findi

ngs

is c

lear

ly

com

mun

icat

ed

to

the

audi

t cl

ient

or

se

nior

m

anag

emen

t.

Inte

rnal

aud

it do

es n

ot k

now

how

to d

iffer

entia

te

betw

een

sign

ifica

nt a

nd le

ss s

igni

fican

t fin

ding

s. Th

e im

pact

of cr

itica

l fin

ding

s is n

ot co

mm

unic

ated

to

aud

it cl

ient

s or s

enio

r man

agem

ent.

CH

AP

TE

R 7



17

.4.2

To

ensu

re t

hat

inte

rnal

au

dit

ack

now

led

ges

sati

sfac

tory

per

form

ance

of t

he

aud

itee

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er in

tern

al a

udit

focu

ses

on b

oth

posi

tive

and

nega

tive

findi

ngs;

Asse

ss w

heth

er a

sat

isfa

ctor

y op

inio

n is

bas

ed o

n su

ffici

ent e

vide

nce;

Chec

k w

heth

er in

tern

al a

udit

clea

rly p

rovi

des p

ositi

ve o

r ne

gativ

e as

sura

nce.

The

audi

t rep

orts

pre

sent

s a b

alan

ced

view

.

Inte

rnal

aud

it fo

cuse

s onl

y on

neg

ativ

e as

pect

s.

17

.4.3

To

ensu

re t

hat

inte

rnal

au

dit

rep

orts

are

acc

ura

te, c

onst

ruct

ive,

ob

ject

ive,

cle

ar, c

onci

se, c

omp

lete

an

d t

imel

y.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Revi

ew

a sa

mpl

e of

au

dit

repo

rts

usin

g th

e de

fined

qu

ality

crite

ria.

The

audi

t rep

orts

mee

t all

the

desi

red

qual

ity cr

iteri

a an

d ar

e ac

cura

te, c

onst

ruct

ive,

ob

ject

ive,

clea

r, co

ncis

e an

d tim

ely.

One

or m

ore

of th

e de

sire

d qu

ality

crite

ria

is m

issi

ng in

the

inte

rnal

aud

it re

port

s.

17

.4.4

To

ensu

re t

hat

au

dit

rec

omm

end

atio

ns

are

pra

gmat

ic.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er t

he r

ecom

men

datio

ns c

onta

in

cons

truc

tive

prop

osal

s on

how

to im

prov

e is

sues

id

entif

ied

in th

e au

dit f

indi

ngs;

Asse

ss

whe

ther

th

e re

com

men

datio

ns

can

cont

ribu

te t

o im

prov

emen

ts in

the

inst

itutio

n’s

activ

ities

.

The

audi

t re

com

men

datio

ns a

re p

ragm

atic

and

will

hel

p to

im

prov

e th

e co

ntro

ls w

ithou

t jeo

pard

izin

g th

e or

gani

zatio

n.

The

audi

t re

com

men

datio

ns a

re n

ot im

plem

enta

ble

in p

ract

ice

or th

ey d

o no

t add

ress

the

root

cau

se o

f the

pro

blem

s th

at a

re

iden

tifie

d.

CH

AP

TE

R 7



17

.4.5

To

ensu

re t

hat

man

agem

ent’

s re

spon

se is

incl

ud

ed in

th

e fi

nal

au

dit

rep

orts

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er th

e au

dite

es a

re g

iven

the

oppo

rtun

ity

to

expr

ess

thei

r op

inio

ns

on

audi

t fin

ding

s an

d re

com

men

datio

ns;

Asse

ss w

heth

er d

isag

reem

ents

on

audi

t fin

ding

s an

d re

com

men

datio

ns th

at a

re n

ot re

solv

ed a

re in

clud

ed in

th

e fin

al a

udit

repo

rt.

Man

agem

ent’s

res

pons

es a

re a

lway

s in

clud

ed in

the

final

au

dit r

epor

ts.

Man

agem

ent’s

res

pons

es a

re n

ot s

yste

mat

ical

ly in

clud

ed

in th

e fin

al a

udit

repo

rts.

17

.5.

ISP

PIA

25

00

– M

onit

orin

g P

rogr

ess

Sugg

estiv

e ch

eckl

ists

to e

nsur

e ef

fect

ive

cond

uct o

f ass

essm

ent a

re a

s fol

low

s:

17

.5.1

To

ensu

re t

hat

inte

rnal

au

dit

has

a p

roce

ss in

pla

ce t

o m

onit

or m

anag

emen

t’s

acti

ons

wit

h r

egar

d t

o th

e au

dit

fin

din

gs a

nd

re

com

men

dat

ion

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e m

etho

dolo

gy p

resc

ribe

s a sp

ecifi

c pro

cess

for

the

mon

itori

ng o

f man

agem

ent’s

follo

w-u

p on

aud

it fin

ding

s and

re

com

men

datio

ns;

Chec

k w

heth

er in

tern

al a

udit

has a

man

ual o

r aut

omat

ed sy

stem

in

pla

ce to

follo

w u

p on

aud

it fin

ding

s and

reco

mm

enda

tions

;

Ch

eck

whe

ther

int

erna

l au

dit

take

s pr

oper

act

ion

whe

n th

e im

plem

enta

tion

of re

com

men

datio

ns fr

om th

e au

dit i

s ove

rdue

;

Ch

eck

whe

ther

in

tern

al

audi

t re

view

s th

e ad

equa

cy

of

man

agem

ent’s

rem

edia

tion.

Inte

rnal

aud

it ha

s a

prop

er p

roce

ss in

pla

ce t

o fo

llow

up

on m

anag

emen

t’s a

ctio

ns w

ith r

egar

d to

aud

it fin

ding

s an

d re

com

men

datio

ns f

rom

as

sura

nce

enga

gem

ents

.

Inte

rnal

aud

it do

es n

ot h

ave

a pr

oces

s in

pla

ce

to m

onito

r m

anag

emen

t’s f

ollo

w-u

p on

aud

it fin

ding

s and

reco

mm

enda

tions

.

CH

AP

TE

R 7



17

.5.2

To

ensu

re t

hat

it

is m

ade

clea

r to

au

dit

ees

that

th

ey b

ear

the

risk

an

d r

esp

onsi

bil

ity

for

the

tim

ely

imp

lem

enta

tion

of

rem

edia

tin

g ac

tion

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

this

re

spon

sibi

lity

is

clea

rly

defin

ed in

the

inte

rnal

aud

it ch

arte

r an

d ot

her

rele

vant

doc

umen

ts;

Inte

rvie

w s

ome

audi

tees

and

ass

ess

whe

ther

th

ey a

re a

war

e of

the

ir r

espo

nsib

ility

in

this

re

gard

.

The

audi

tees

are

fully

aw

are

of th

eir r

espo

nsib

ility

with

rega

rd to

th

e (n

on-)

impl

emen

tatio

n of

aud

it re

com

men

datio

ns.

The

audi

tees

bel

ieve

the

y m

ust

follo

w t

he r

ecom

men

datio

ns

mad

e by

int

erna

l au

dit

and

ther

efor

e th

ey a

re n

ot u

ltim

atel

y re

spon

sibl

e fo

r im

plem

enta

tion

risk

s.

17

.6.

ISP

PIA

10

00

– P

urp

ose,

Au

thor

ity

and

Res

pon

sib

ilit

y

The

follo

win

g ch

eckl

ists

are

pro

vide

d to

fulfi

l ISP

PIA

1000

.

17

.6.1

To

ensu

re t

hat

th

e ro

le o

f in

tern

al a

ud

it i

s cl

earl

y d

efin

ed i

n a

fou

nd

ing

doc

um

ent

(for

exa

mp

le,

a ch

arte

r or

in

tern

al

regu

lati

ons)

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

ll fo

undi

ng d

ocum

ents

tha

t de

scri

be t

he r

ole

of in

tern

al a

udit

are

prop

erly

al

igne

d an

d co

nsis

tent

;

As

sess

whe

ther

ther

e is

a d

ue p

roce

ss in

pla

ce to

up

date

the

se d

ocum

ents

whe

neve

r ch

ange

s to

st

anda

rds o

ccur

;

As

sess

whe

ther

man

agem

ent c

lear

ly u

nder

stan

ds

the

role

, aut

hori

ty a

nd r

espo

nsib

ility

of i

nter

nal

audi

t.

Prop

er d

ocum

ents

exi

st,

and

they

are

per

iodi

cally

rev

iew

ed.

Man

agem

ent f

ully

und

erst

ands

the

role

of i

nter

nal a

udit.

Prop

er d

ocum

ents

exi

st b

ut t

hey

are

not

revi

ewed

per

iodi

cally

an

d up

date

d w

here

nec

essa

ry. M

anag

emen

t fu

lly u

nder

stan

ds

the

role

of i

nter

nal a

udit.

Prop

er d

ocum

ents

exi

st b

ut m

anag

emen

t do

es n

ot u

nder

stan

d w

ell t

he ro

le o

f int

erna

l aud

it.

Prop

er d

ocum

ents

do

not e

xist

.

CH

AP

TE

R 7



17

.6.2

To

ensu

re t

hat

inte

rnal

au

dit

is n

ot r

esp

onsi

ble

for

any

oper

atio

nal

act

ivit

ies.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he r

espo

nsib

ilitie

s of

int

erna

l au

dit

are

clea

rly

defin

ed in

the

foun

ding

doc

umen

ts;

Asse

ss w

heth

er th

e cu

rren

t res

pons

ibili

ties a

nd jo

b de

scri

ptio

ns o

f th

e in

tern

al a

udit

staf

f exc

lude

s ope

ratio

nal a

ctiv

ities

;

As

sess

whe

ther

inte

rnal

aud

itors

are

not

taki

ng p

art,

in fa

ct o

r in

ap

pear

ance

, in

any

deci

sion

-mak

ing

proc

ess;

Asse

ss w

heth

er in

tern

al a

udito

rs a

re r

equi

red

to r

egul

arly

sig

n a

decl

arat

ion

of in

depe

nden

ce;

Chec

k w

heth

er c

ases

exi

st i

n w

hich

int

erna

l au

dito

rs w

ere

held

re

spon

sibl

e fo

r ope

ratio

nal a

ctiv

ities

.

Inte

rnal

aud

itors

do

not

have

ope

ratio

nal

resp

onsi

bilit

ies.

Inte

rnal

au

dito

rs

have

pe

rman

ent

or

occa

sion

al o

pera

tiona

l res

pons

ibili

ties,

in fa

ct

or in

app

eara

nce.

1.1.

1 To

en

sure

th

at in

tern

al a

ud

it h

as u

nli

mit

ed a

cces

s to

info

rmat

ion

, ass

ets

and

peo

ple

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he f

ound

ing

docu

men

ts g

rant

int

erna

l au

dito

rs

unlim

ited

acce

ss to

info

rmat

ion,

ass

ets a

nd p

eopl

e;

Ch

eck

whe

ther

the

ter

m ‘

unlim

ited’

acc

ess

has

been

pro

perly

de

fined

;

Ch

eck

whe

ther

the

acce

ss to

info

rmat

ion

is li

nked

to a

clas

sific

atio

n of

the

info

rmat

ion

(con

fiden

tial,

clas

sifie

d, e

tc.);

Chec

k w

heth

er i

nter

nal

audi

tors

hav

e th

e ri

ght

auth

oriz

atio

n to

ac

cess

conf

iden

tial i

nfor

mat

ion;

Chec

k w

heth

er t

here

hav

e be

en o

ccur

renc

es in

whi

ch a

cces

s ha

s be

en d

enie

d.

Ther

e ar

e no

res

tric

tions

for

inte

rnal

aud

itors

to

acc

ess i

nfor

mat

ion,

ass

ets a

nd p

eopl

e.

Acce

ss

exis

ts

in

prin

cipl

e,

but

spec

ific

auth

oriz

atio

n is

re

quir

ed

for

each

au

dit

enga

gem

ent.

Acce

ss e

xist

s but

not

to a

ll in

form

atio

n.

Acce

ss is

res

tric

ted,

and

the

scop

e of

inte

rnal

au

dit m

ay b

e lim

ited.

CH

AP

TE

R 7



17

.6.3

To

ensu

re t

hat

th

e re

por

tin

g li

nes

of i

nte

rnal

au

dit

are

cle

arly

def

ined

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e fo

undi

ng d

ocum

ents

pro

vide

for a

repo

rtin

g lin

e to

the

top

offic

ial

in th

e or

gani

zatio

n (f

or e

xam

ple,

the

Min

iste

r) fo

r the

inte

rnal

aud

it fu

nctio

n;

Ch

eck

whe

ther

the

repo

rtin

g lin

e of

the

inte

rnal

aud

it fu

nctio

n to

the

CCA

has

been

cl

early

def

ined

;

As

sess

whe

ther

all

repo

rtin

g lin

es w

ork

in p

ract

ice;

Chec

k w

heth

er th

e fo

undi

ng d

ocum

ents

des

crib

e th

e co

mm

unic

atio

n be

twee

n in

tern

al

audi

t and

aud

itees

/ a

udit

clie

nts;

Chec

k w

heth

er th

e fo

undi

ng d

ocum

ents

des

crib

e th

e re

spon

sibi

litie

s of

the

audi

tees

(a

udit

obje

cts)

to re

spon

d to

aud

it fin

ding

s;

As

sess

whe

ther

int

erna

l au

dit

prod

uces

per

iodi

c ac

tivity

rep

orts

, whi

ch h

ighl

ight

ca

paci

ty co

nstr

aint

s, bu

dget

ary

chal

leng

es, a

nd o

ther

reso

urce

issu

es.

The

repo

rtin

g lin

es

of

inte

rnal

au

dit

are

wel

l de

fined

and

are

res

pect

ed

in p

ract

ice.

The

repo

rtin

g lin

es

of

inte

rnal

au

dit

are

not

wel

l de

fined

or

ar

e no

t ad

equa

tely

resp

ecte

d.

17

.6.4

To

ensu

re t

hat

all

em

plo

yees

are

aw

are

of t

he

role

an

d r

esp

onsi

bil

itie

s of

inte

rnal

au

dit

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er a

ll em

ploy

ees

have

acc

ess

to,

and

are

know

ledg

eabl

e ab

out,

the

foun

ding

doc

umen

ts, w

hich

des

crib

e th

e ro

le a

nd re

spon

sibi

litie

s of i

nter

nal a

udit;

Asse

ss w

heth

er a

ll em

ploy

ees a

re m

ade

awar

e of

chan

ges t

o th

e fo

undi

ng d

ocum

ents

;

As

sess

whe

ther

the

rol

e of

inte

rnal

aud

it is

cle

arly

exp

lain

ed to

the

new

rec

ruits

of

inte

rnal

aud

itors

;

Ch

eck

whe

ther

inte

rnal

audi

t em

ploy

s a va

riet

y of

mec

hani

sms t

o ra

ise a

war

enes

s of i

ts

role

and

resp

onsi

bilit

ies i

n th

e or

gani

zatio

n. F

or e

xam

ple,

has

inte

rnal

aud

it de

velo

ped

a br

ochu

re o

r a

flyer

, whi

ch is

ava

ilabl

e on

the

intr

anet

(el

ectr

onic

ally

), an

d in

clud

es

freq

uent

ly a

sked

que

stio

ns th

at ex

plai

n in

pla

in w

ords

the

role

of i

nter

nal a

udit

and

the

righ

ts a

nd d

utie

s of t

he a

udite

es?

Asse

ss w

heth

er in

tern

al a

udit

rout

inel

y re

itera

tes i

ts ro

le d

urin

g th

e ki

ck-o

ff m

eetin

gs

with

aud

it cl

ient

s at t

he b

egin

ning

of e

ach

audi

t eng

agem

ent.

Inte

rnal

aud

it us

es m

any

mec

hani

sms

and

take

s ad

vant

age

of a

var

iety

of

oppo

rtun

ities

to e

xpla

in it

s ro

le. E

mpl

oyee

s thr

ough

out

the

orga

niza

tion

are

wel

l aw

are

of it

s rol

e.

No

effo

rts

exis

t to

exp

lain

th

e ro

le o

f int

erna

l aud

it or

em

ploy

ees a

re n

ot a

war

e of

it.

CH

AP

TE

R 7



17

.6.5

To

ensu

re t

hat

th

ere

is c

lear

un

der

stan

din

g of

th

e va

riou

s se

rvic

es t

hat

inte

rnal

au

dit

can

pro

vid

e.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e fo

undi

ng d

ocum

ents

est

ablis

h th

e pr

ovis

ion

of b

oth

assu

ranc

e an

d co

nsul

ting

serv

ices

by

the

inte

rnal

aud

it un

it;

Ch

eck

whe

ther

the

fou

ndin

g do

cum

ents

cle

arly

sta

te t

hat

man

agem

ent i

s so

lely

res

pons

ible

for

any

actio

n th

at it

take

s ba

sed

on t

he a

dvic

e or

rec

omm

enda

tions

rec

eive

d fr

om

inte

rnal

aud

it;

As

sess

whe

ther

the

re i

s a

prop

er p

roce

dure

in

plac

e fo

r m

anag

emen

t to

req

uest

con

sulti

ng s

ervi

ces

from

int

erna

l au

dit;

Asse

ss w

heth

er th

e in

tern

al a

udit

plan

inco

rpor

ates

a p

rope

r ba

lanc

e be

twee

n as

sura

nce

and

cons

ultin

g se

rvic

es;

Asse

ss a

ctiv

ity re

port

s on

the

deliv

ery

of co

nsul

ting

serv

ices

.

Inte

rnal

au

dit

prov

ides

bo

th

assu

ranc

e an

d co

nsul

ting

serv

ices

. In

tern

al

audi

t be

ars

no

resp

onsi

bilit

y fo

r ac

tions

tak

en b

y m

anag

emen

t, in

fact

or

in a

ppea

ranc

e, a

s a

resu

lt of

con

sulti

ng

serv

ices

pro

vide

d.

Inte

rnal

aud

it do

es n

ot p

rovi

de co

nsul

ting

serv

ices

at

all,

or

if it

does

the

re e

xist

s a

perc

eptio

n of

re

spon

sibi

lity

for

actio

ns t

aken

by

man

agem

ent

follo

win

g in

tern

al a

udit

advi

ce.

17

.6.6

To

ensu

re t

hat

th

e fo

un

din

g d

ocu

men

ts r

efer

to n

atio

nal

or

inte

rnat

ion

al in

tern

al a

ud

itin

g st

and

ard

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

ll fo

undi

ng d

ocum

ents

that

des

crib

e th

e ro

le

of i

nter

nal

audi

t ar

e pr

oper

ly a

ligne

d w

ith n

atio

nal

and/

or

inte

rnat

iona

l int

erna

l aud

iting

stan

dard

s;

As

sess

whe

ther

nat

iona

l or

othe

r st

anda

rds,

if ap

plie

d, d

epar

t fr

om in

tern

atio

nal i

nter

nal a

uditi

ng st

anda

rds.

The

foun

ding

do

cum

ents

re

fer

to

gene

rally

ac

cept

ed in

tern

atio

nal i

nter

nal a

uditi

ng s

tand

ards

an

d th

ese

stan

dard

s are

app

lied.

The

foun

ding

doc

umen

ts d

o no

t ref

er to

gen

eral

ly

acce

pted

inte

rnat

iona

l int

erna

l aud

iting

stan

dard

s, or

if t

hey

are

refe

rred

to

they

are

not

app

lied

in

prac

tice.

CH

AP

TE

R 7



17

.6.7

To

ensu

re t

hat

th

e fo

un

din

g d

ocu

men

ts r

efer

to a

cod

e of

con

du

ct fo

r in

tern

al a

ud

itor

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k th

e fo

undi

ng d

ocum

ents

for

refe

renc

e to

a c

ode

of

cond

uct f

or in

tern

al a

udito

rs;

Chec

k w

heth

er t

his

code

of

cond

uct

is i

n lin

e w

ith t

he

Code

of E

thic

s fo

r In

tern

al A

udito

rs p

rom

ulga

ted

by th

e IIA

;

As

sess

w

heth

er

inte

rnal

au

dito

rs

mus

t co

nfir

m

peri

odic

ally

thei

r com

plia

nce

with

the

code

.

The

foun

ding

doc

umen

ts r

efer

to a

cod

e of

con

duct

for

inte

rnal

aud

it. T

his

code

is in

line

with

the

IIA

’s Co

de

of E

thic

s. In

tern

al a

udito

rs p

erio

dica

lly c

onfir

m t

heir

co

mpl

ianc

e w

ith th

e Co

de o

f Eth

ics.

The

foun

ding

doc

umen

ts d

o no

t re

fer

to a

cod

e of

co

nduc

t fo

r in

tern

al a

udito

rs a

nd in

tern

al a

udito

rs d

o no

t con

firm

any

kin

d of

com

plia

nce

with

eth

ical

val

ues.

17

.7.

ISP

PIA

11

00

– In

dep

end

ence

an

d O

bje

ctiv

ity

The

follo

win

g ch

eckl

ists

are

pro

vide

d to

ass

ess t

he in

depe

nden

ce a

nd o

bjec

tivity

of i

nter

nal a

udit

activ

ity.

17

.7.1

To

ensu

re t

hat

th

e in

dep

end

ence

of i

nte

rnal

au

dit

is g

ran

ted

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k th

e fo

undi

ng d

ocum

ents

for r

efer

ence

to

the

inde

pend

ence

of i

nter

nal a

udit;

Chec

k w

heth

er th

e Ch

ief o

f CCA

has

dir

ect a

nd

unre

stri

cted

acc

ess

to a

genc

y he

ads

and

othe

r se

nior

man

agem

ent p

erso

nnel

.

The f

ound

ing

docu

men

ts d

escr

ibe t

he im

port

ance

of i

ndep

ende

nce

of th

e in

tern

al a

udit

activ

ity a

nd in

tern

al a

udit

has a

cces

s to

seni

or

man

agem

ent.

The

foun

ding

doc

umen

ts d

o no

t cl

early

des

crib

e th

e ne

ed f

or

inde

pend

ence

of

the

inte

rnal

aud

it ac

tivity

, or

acce

ss t

o se

nior

m

anag

emen

t app

ears

to b

e a

chal

leng

e fo

r int

erna

l aud

it.

CH

AP

TE

R 7



17

.7.2

To

ensu

re t

hat

th

ere

are

mea

sure

s in

pla

ce to

gu

aran

tee

the

ind

epen

den

ce o

f in

tern

al a

ud

itor

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

C

Chec

k w

heth

er

the

exta

nt

regu

latio

ns

and

proc

edur

es

allo

w

inde

pend

ence

to

th

e in

tern

al

audi

t ac

tivity

. St

ate

the

rele

vant

re

gula

tion(

s) th

at g

rant

inde

pend

ence

to th

e in

tern

al a

udit

activ

ity;

Chec

k w

heth

er th

e ex

tant

reg

ulat

ions

and

pro

cedu

res

stat

e bo

th th

e or

gani

zatio

nal

and

func

tiona

l in

depe

nden

ce o

f th

e in

tern

al a

udit

activ

ity;

Asse

ss w

heth

er a

ny i

mpr

ovem

ent

is n

eede

d in

the

reg

ulat

ions

and

pr

oced

ures

.

The

foun

ding

doc

umen

ts d

escr

ibe

prop

er

mea

sure

s to

be

appl

ied

in s

ituat

ions

whe

re

the

inde

pend

ence

of i

nter

nal a

udit

is a

t ris

k.

The

foun

ding

doc

umen

ts d

o no

t re

fer

to

any

mea

sure

s or

esc

alat

ion

proc

ess

whe

n th

e in

depe

nden

ce

of

inte

rnal

au

dit

is

jeop

ardi

zed.

17

.7.3

To

ensu

re t

hat

th

e in

tern

al a

ud

it a

ctiv

ity

is in

dep

end

ent

in t

heo

ry a

nd

in p

ract

ice.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er in

tern

al a

udit

is o

rgan

izat

iona

lly p

ositi

oned

und

er

the

head

of t

he in

stitu

tion;

Asse

ss th

e fre

quen

cy o

f mee

tings

bet

wee

n th

e hea

d of

the i

nstit

utio

n an

d in

tern

al a

udit;

Chec

k w

heth

er i

nter

nal

audi

t ha

s re

ceiv

ed a

ny r

eque

st f

rom

m

anag

emen

t to

be in

volv

ed in

the

daily

act

iviti

es o

f the

inst

itutio

n;

As

sess

the f

requ

ency

of r

eque

sts i

ssue

d by

the h

ead

of th

e ins

titut

ion

for t

he p

erfo

rman

ce o

f ad

hoc a

udits

in th

e pe

riod

und

er re

view

;

As

sess

whe

ther

the

freq

uenc

y an

d du

ratio

n of

ad

hoc a

udits

hav

e an

im

pact

on

the

fulfi

llmen

t of t

he in

tern

al a

udit

plan

;

Id

entif

y an

y ob

stac

les

that

thr

eate

ned

the

inde

pend

ence

of

the

inte

rnal

aud

it ac

tivity

in th

e pe

riod

und

er re

view

;

As

sess

whe

ther

the

Chie

f of C

CA ca

n ne

gotia

te m

itiga

ting

mea

sure

s to

the

thre

ats

to in

depe

nden

ce o

f the

inte

rnal

aud

it ac

tivity

whe

n an

y de

ficie

ncie

s are

iden

tifie

d.

The

inte

rnal

au

dit

activ

ity

is

not

only

in

depe

nden

t in

theo

ry b

ut a

lso

in p

ract

ice.

The

inte

rnal

au

dit

activ

ity

seem

s to

be

in

depe

nden

t bu

t fin

ds i

t di

fficu

lt to

dis

agre

e w

ith th

e he

ad o

f the

inst

itutio

n.

The

inte

rnal

aud

it ac

tivity

is

inde

pend

ent

in

theo

ry, b

ut th

e he

ad o

f the

inst

itutio

n di

rect

s its

role

and

act

iviti

es.

Alth

ough

ind

epen

denc

e of

the

int

erna

l au

dit

activ

ity is

gra

nted

in th

e fo

undi

ng d

ocum

ents

in

rea

lity

this

is

not

the

case

. Th

e in

tern

al

audi

tors

of

IAU,

inc

ludi

ng t

he C

hief

, may

be

repl

aced

at

the

disc

retio

n of

the

hea

d of

the

in

stitu

tion.

CH

AP

TE

R 7



17

.7.4

To

ensu

re t

hat

au

dit

pla

ns,

bu

dge

t an

d h

ead

cou

nt

are

app

rove

d in

a t

imel

y m

ann

er.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er a

udit

plan

s are

bas

ed o

n an

inde

pend

ent a

nd o

bjec

tive

risk

as

sess

men

t;

Ch

eck

whe

ther

the

audi

t pla

ns, b

udge

t and

hea

dcou

nt a

re a

ppro

ved

with

out

any

seri

ous d

elay

to th

e st

art o

f pla

nned

inte

rnal

aud

it ac

tiviti

es;

Iden

tify

the

mai

n ob

stac

les

to a

ppro

val

of t

he a

udit

plan

s, bu

dget

and

he

adco

unt;

Asse

ss w

heth

er in

tern

al a

udit

is fr

ee to

sele

ct a

udits

with

out i

nter

fere

nce;

Asse

ss w

heth

er i

nter

nal

audi

t pe

rcei

ves

that

the

re i

s pr

essu

re f

rom

m

anag

emen

t or t

he h

ead

of th

e ag

ency

to ch

ange

its a

udit

plan

s;

Ch

eck

whe

ther

the

re a

re c

ases

in w

hich

the

hea

d of

the

age

ncy

did

not

appr

ove

a pl

anne

d au

dit

that

was

incl

uded

in t

he a

udit

plan

bas

ed o

n a

risk

ass

essm

ent.

Stat

e th

e re

ason

(s) g

iven

for

not g

rant

ing

appr

oval

of t

he

plan

ned

audi

t.

Audi

t pl

ans,

incl

udin

g bu

dget

an

d he

adco

unts

, are

app

rove

d in

a t

imel

y m

anne

r whe

n ju

stifi

ed.

Audi

t pl

ans,

incl

udin

g bu

dget

an

d he

adco

unts

, are

not

alw

ays

appr

oved

w

hen

just

ified

, or

som

etim

es in

tern

al

audi

t is

pre

ssur

ed t

o ex

clud

e sp

ecifi

c au

dits

from

the

audi

t pla

n.

17

.7.5

To

ensu

re t

hat

th

e ap

poi

ntm

ent

of C

hie

f of C

CA a

nd

IAU

s is

bas

ed s

olel

y on

mer

it.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er p

roce

dure

s for

app

oint

ing

Chie

fs o

f CCA

an

d IA

Us a

re s

peci

fied

in a

ny b

indi

ng d

ocum

ent

(for

ex

ampl

e a

law

, rul

eboo

k or

char

ter)

;

Ch

eck

whe

ther

the

re a

re r

equi

rem

ents

tha

t sp

ecify

th

e co

mpe

tenc

ies

and

skill

s th

at C

hief

Aud

itors

sho

uld

poss

ess;

Chec

k w

heth

er th

e in

cum

bent

Chi

ef h

as b

een

appo

inte

d ac

cord

ing

to th

e st

ated

requ

irem

ents

.

Ther

e ar

e ad

equa

te s

kills

and

com

pete

ncie

s re

quir

emen

ts

for

the

appo

intm

ent

of C

CA C

hief

and

IAU

Chi

efs.

Thes

e re

quir

emen

ts a

re a

pplie

d w

ithou

t exc

eptio

n.

Ther

e ar

e no

ski

lls a

nd c

ompe

tenc

ies

requ

irem

ents

for

th

e ap

poin

tmen

t of

CCA

Chi

ef a

nd I

AU C

hief

s. O

r th

e re

quir

emen

ts a

re n

ot c

onsi

sten

tly a

dher

ed t

o w

hen

they

ex

ist.

CH

AP

TE

R 7



7.7

.1

To e

nsu

re t

hat

th

e Ch

ief o

f CCA

an

d IA

U C

hie

fs c

ann

ot b

e tr

ansf

erre

d/c

han

ged

in a

ran

dom

man

ner

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er p

roce

dure

s fo

r th

e tr

ansf

er/c

hang

e of

CCA

Chi

ef a

nd IA

U Ch

iefs

are

in a

ccor

danc

e w

ith B

CSR;

Chec

k w

heth

er

any

Chie

f w

as

dism

isse

d or

tra

nsfe

rred

dur

ing

the

peri

od u

nder

revi

ew.

Adeq

uate

regu

latio

ns e

xist

whi

ch o

utlin

e th

e co

nditi

ons a

nd th

e pr

oces

s by

whi

ch C

hief

of C

CA an

d IA

Us m

ay b

e tra

nsfe

rred

/cha

nged

. The

se re

gula

tions

ar

e ap

plie

d w

ithou

t any

exc

eptio

ns.

No

regu

latio

ns e

xist

whi

ch o

utlin

e th

e co

nditi

ons

and

the

proc

ess

by w

hich

Ch

ief o

f CCA

and

IAUs

may

be

tran

sfer

red/

chan

ged.

Or e

xist

ing

regu

latio

ns

are

not c

ompl

ied

with

cons

iste

ntly

.

17

.7.6

To

ensu

re t

hat

a p

rop

er e

scal

atio

n p

roce

ss e

xist

s w

her

e in

tern

al a

ud

it p

erce

ives

th

at it

s in

dep

end

ence

is t

hre

aten

ed.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

here

are

pro

visi

ons

for

esca

latio

n in

IA

Char

ter,

Man

ual,

BGIA

S, a

nd B

CSR;

Chec

k w

heth

er t

here

wer

e ca

ses

of

esca

latio

n in

the

peri

od u

nder

revi

ew.

Asse

ss th

e re

sults

of t

hese

case

s.

A pr

oper

esc

alat

ion

proc

ess

exis

ts in

cas

es w

here

the

inde

pend

ence

of t

he

inte

rnal

aud

it ac

tivity

is

thre

aten

ed. T

his

proc

ess

is c

onsi

sten

tly a

pplie

d w

hen

nece

ssar

y in

acc

orda

nce

with

the

rele

vant

pro

visi

ons.

Ther

e is

no

prop

er e

scal

atio

n pr

oces

s in

cas

es w

here

the

inde

pend

ence

of

inte

rnal

aud

it ac

tivity

is th

reat

ened

. If a

n es

cala

tion

proc

ess

exis

ts, i

t is

not

carr

ied

out c

onsi

sten

tly.

CH

AP

TE

R 7



17

.7.7

To

ensu

re t

hat

inte

rnal

au

dit

is a

llow

ed to

rep

ort

on a

ctu

al fi

nd

ings

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er s

peci

fic r

ules

for

ind

epen

denc

e an

d ob

ject

ivity

are

stip

ulat

ed i

n th

e in

tern

al

audi

t cha

rter

and

ass

ess

whe

ther

thes

e ru

les

are

adeq

uate

;

Ch

eck

whe

ther

the

re a

re c

ases

in

whi

ch t

he

inte

rnal

aud

itors

hav

e re

port

ed t

hat

atte

mpt

s w

ere

mad

e to

inte

rfer

e w

ith th

eir w

ork.

The

inte

rnal

aud

it ch

arte

r co

ntai

ns s

peci

fic p

rovi

sion

s to

sa

fegu

ard

the

inde

pend

ence

and

obj

ectiv

ity o

f in

tern

al a

udit.

Th

e he

ad o

f th

e ag

ency

doe

s no

t in

terf

ere

with

the

wor

k of

in

tern

al a

udit.

Ther

e ar

e no

pro

per p

rovi

sion

s in

the

inte

rnal

aud

it ch

arte

r tha

t re

fer

to t

he in

depe

nden

ce a

nd o

bjec

tivity

of i

nter

nal a

udit.

Or

ther

e ha

ve b

een

case

s w

here

att

empt

s w

ere

mad

e to

inte

rfer

e w

ith th

e w

ork

of in

tern

al a

udit.

17

.7.8

To

ensu

re t

hat

th

e CC

A c

an a

ssis

t in

tern

al a

ud

it in

cas

es w

her

e it

s in

dep

end

ence

is t

hre

aten

ed b

y se

nio

r m

anag

emen

t.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss t

he r

ight

s of

inte

rnal

aud

it an

d po

ssib

le

appr

oach

es f

or e

scal

atin

g ca

ses

to t

he C

CA i

n ac

cord

ance

with

app

licab

le le

gisl

atio

n.

As

sess

whe

ther

thr

eats

to

inde

pend

ence

are

re

view

ed

duri

ng

the

exte

rnal

as

sess

men

ts

perf

orm

ed b

y th

e CC

A;

As

sess

whe

ther

the

CCA

has

the

auth

ority

to g

ive

reco

mm

enda

tions

on

inde

pend

ence

to

the

head

of

the

agen

cy.

Ther

e is

an

appr

opri

ate

esca

latio

n pr

oces

s to

the

leve

l of C

CA

in c

ases

whe

re t

he in

depe

nden

ce o

f the

inte

rnal

aud

it ac

tivity

is

thr

eate

ned.

The

CCA

has

the

aut

hori

ty t

o ad

dres

s is

sues

of

inde

pend

ence

of

the

inte

rnal

aud

it ac

tivity

to

the

head

of

the

agen

cy.

Ther

e is

no

esca

latio

n pr

oces

s to

the

leve

l of t

he C

CA.

CH

AP

TE

R 7



17

.7.9

To

ensu

re t

hat

inte

rnal

au

dit

is in

form

ed a

bou

t im

por

tan

t d

ecis

ion

s th

at a

re b

ein

g m

ade

by a

n a

gen

cy in

a t

imel

y m

ann

er.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he C

hief

of

IAU

take

s pa

rt i

n se

nior

m

anag

emen

t mee

tings

in th

e ag

ency

.

Ch

eck

whe

ther

th

e ro

le

of

the

IAU

Chie

f in

se

nior

m

anag

emen

t m

eetin

gs a

re d

escr

ibed

in

a re

gula

tion

or

othe

r int

erna

l pro

cedu

res d

ocum

ent (

man

ual);

Asse

ss w

heth

er th

e IA

U Ch

ief’s

role

in s

enio

r man

agem

ent

mee

tings

is li

mite

d to

obs

erve

r sta

tus o

nly.

Inte

rnal

aud

it is

syst

emat

ical

ly in

vite

d to

att

end

seni

or

man

agem

ent m

eetin

gs.

Inte

rnal

aud

it is

rar

ely

or n

ever

inv

ited

to s

enio

r m

anag

emen

t mee

tings

.

17

.7.1

0 T

o en

sure

th

at t

her

e is

a d

ue

pro

cess

in p

lace

to d

eal w

ith

inte

rnal

au

dit

ors’

pot

enti

al c

onfl

icts

of i

nte

rest

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

ther

e ar

e re

gula

tions

re

gard

ing

the

impo

rtan

ce o

f obj

ectiv

ity o

f int

erna

l aud

itors

.

Ch

eck

whe

ther

int

erna

l au

dito

rs a

re r

equi

red

to s

ign

a de

clar

atio

n re

gard

ing

any

conf

licts

of

inte

rest

bef

ore

star

ting

each

aud

it en

gage

men

t.

Ch

eck

whe

ther

all

inte

rnal

aud

itors

in

prac

tice

sign

thi

s de

clar

atio

n pr

ior t

o th

e st

art o

f eac

h au

dit e

ngag

emen

t.

Ch

eck

whe

ther

ther

e w

ere

any

case

s of

con

flict

of i

nter

est.

If th

ere

wer

e co

nflic

t of

int

eres

t ca

ses,

asse

ss h

ow t

hey

wer

e ha

ndle

d.

The

prin

cipl

es o

f obj

ectiv

ity a

nd co

nflic

t of i

nter

est a

re

docu

men

ted

in r

egul

atio

ns. I

nter

nal a

udito

rs c

ompl

y w

ith th

ese

regu

latio

ns.

The

prin

cipl

es o

f obj

ectiv

ity a

nd co

nflic

t of i

nter

est a

re

not d

efin

ed in

regu

latio

ns. I

f the

y ar

e de

fined

, int

erna

l au

dito

rs d

o no

t com

ply

with

them

cons

iste

ntly

.

CH

AP

TE

R 7



17

.7.1

1 T

o en

sure

th

at in

tern

al a

ud

it is

not

res

pon

sib

le fo

r an

y op

erat

ion

al a

ctiv

itie

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

ere

is a

pro

hibi

tion

in th

e la

w o

r in

any

reg

ulat

ion

for

inte

rnal

aud

it to

be

assi

gned

fu

nctio

ns a

nd a

ctiv

ities

oth

er t

han

inte

rnal

aud

it ac

tiviti

es.

Chec

k w

heth

er i

nter

nal

audi

t ha

s be

en a

ssig

ned

func

tions

oth

er th

an in

tern

al a

udit

activ

ities

.

Ch

eck

if in

tern

al

audi

tors

w

ere

assi

gned

op

erat

iona

l wor

k an

d w

heth

er th

is w

as ta

ken

into

co

nsid

erat

ion

whe

n as

sign

ing

and

plan

ning

futu

re

audi

t en

gage

men

ts.

Asse

ss w

heth

er a

ltern

ativ

e ar

rang

emen

ts w

ere

mad

e in

suc

h in

stan

ces,

and

the

adeq

uacy

of t

hose

arr

ange

men

ts.

Inte

rnal

aud

it is

not

res

pons

ible

for

oper

atio

nal a

ctiv

ities

. In

spec

ific

situ

atio

ns i

n w

hich

int

erna

l au

dit

has

resp

onsi

bilit

y fo

r op

erat

iona

l act

iviti

es, t

he is

sues

con

cern

ing

obje

ctiv

ity a

re

reso

lved

dur

ing

the

plan

ning

pha

se.

Inte

rnal

aud

it is

resp

onsi

ble

for s

ome

oper

atio

nal a

ctiv

ities

. Or

in sp

ecifi

c situ

atio

ns w

here

inte

rnal

aud

it ha

s res

pons

ibili

ty fo

r op

erat

iona

l tas

ks, i

ssue

s re

late

d to

obj

ectiv

ity h

ave

not

been

re

solv

ed.

17

.7.1

2 T

o en

sure

th

at in

tern

al a

ud

it is

not

invo

lved

in t

he

regu

lar

des

ign

of p

roce

du

res

for

the

aud

itee

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

ere

is a

pro

hibi

tion

in th

e la

w o

r in

any

ot

her r

egul

atio

n fo

r int

erna

l aud

it to

be

assi

gned

func

tions

an

d ac

tiviti

es o

ther

than

inte

rnal

aud

it ac

tiviti

es.

Chec

k w

heth

er th

ere

are

mec

hani

sms i

n pl

ace

for a

udite

es

to t

ake

full

owne

rshi

p in

tho

se c

ircu

mst

ance

s w

here

in

tern

al a

udit

occa

sion

ally

des

igns

pro

cedu

res

for

the

audi

tees

.

Ch

eck

whe

ther

in s

ituat

ions

whe

re in

tern

al a

udito

rs h

ave

desi

gned

pro

cedu

res

for

audi

t clie

nts

this

was

con

side

red

whe

n pl

anni

ng f

utur

e au

dit

enga

gem

ents

. As

sess

the

al

tern

ativ

e ap

proa

ches

that

wer

e us

ed to

add

ress

pos

sibl

e im

pair

men

t of o

bjec

tivity

.

Inte

rnal

aud

it do

es n

ot ro

utin

ely

desi

gn p

roce

dure

s fo

r au

dit c

lient

s. W

here

inte

rnal

aud

it oc

casi

onal

ly d

esig

ns

proc

edur

es f

or t

he a

udit

clie

nt, t

he i

ssue

s re

late

d to

im

pair

men

t of o

bjec

tivity

are

add

ress

ed w

hen

plan

ning

au

dit a

ctiv

ities

.

Inte

rnal

aud

it fr

eque

ntly

des

igns

pro

cedu

res

for

audi

t cl

ient

s. Or

whe

re i

nter

nal

audi

t oc

casi

onal

ly d

esig

ns

proc

edur

es, p

ossi

ble

impa

irm

ents

to o

bjec

tivity

are

not

ad

dres

sed

whe

n pl

anni

ng a

udit

activ

ities

.

CH

AP

TE

R 7



17

.7.1

3 T

o en

sure

th

at t

her

e is

a p

roce

ss in

pla

ce to

dis

clos

e an

y p

oten

tial

imp

airm

ent

to in

dep

end

ence

or

obje

ctiv

ity.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he l

aw,

the

char

ter

or a

ny o

ther

re

leva

nt r

egul

atio

n cl

early

def

ines

the

dis

clos

ure

proc

ess

for

impa

irm

ents

to

in

depe

nden

ce

or

obje

ctiv

ity.

Chec

k w

heth

er th

e dis

clos

ure p

olic

ies a

nd p

roce

dure

s in

clud

e th

e re

quir

emen

t to

re

port

m

atte

rs

of

impa

irm

ent t

o th

e CC

A.

As

sess

thro

ugh

inte

rvie

ws

with

the

inte

rnal

aud

itors

w

heth

er th

ey k

now

wha

t to

do w

hen

inde

pend

ence

or

obj

ectiv

ity is

impa

ired

.

An o

ffici

al d

iscl

osur

e pr

oces

s th

at c

over

s th

e im

pair

men

t of

inde

pend

ence

or

obje

ctiv

ity is

spe

cifie

d an

d in

clud

es th

e re

quir

emen

t to

rep

ort

all i

mpa

irm

ents

to t

he C

CA. I

nter

nal

audi

tors

are

fully

aw

are

of th

e di

sclo

sure

pro

cess

.

Ther

e is

no

offic

ial d

iscl

osur

e pr

oces

s to

repo

rt im

pair

men

ts

to in

depe

nden

ce o

r obj

ectiv

ity. I

f the

pro

cess

is e

stab

lishe

d it

does

not

incl

ude

the

requ

irem

ent t

o re

port

to th

e CC

A, o

r the

in

tern

al a

udito

rs a

re n

ot fu

lly a

war

e of

the

proc

ess.

17

.7.1

4 T

o en

sure

th

at n

o si

gnif

ican

t sc

ope

lim

itat

ion

(s)

exis

t.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

sign

ifica

nt

scop

e lim

itatio

n(s)

oc

curr

ed in

the

peri

od u

nder

revi

ew.

Asse

ss w

heth

er t

he a

udite

es h

ave

been

pro

perly

in

form

ed a

bout

the

righ

ts o

f int

erna

l aud

itors

to h

ave

full

acce

ss to

info

rmat

ion,

ass

ets a

nd p

eopl

e.

Ch

eck

whe

ther

the

audi

tors

rout

inel

y in

form

the

IAU

Chie

f of

sco

pe l

imita

tions

tha

t ar

e im

pose

d du

ring

au

dit e

ngag

emen

ts.

Chec

k w

heth

er t

he I

AU C

hief

inf

orm

s th

e he

ad o

f th

e ag

ency

whe

n sc

ope

limita

tions

are

im

pose

d du

ring

inte

rnal

aud

it en

gage

men

ts. A

sses

s w

heth

er

appr

opri

ate

mea

sure

s wer

e ap

plie

d.

No

sign

ifica

nt sc

ope

limita

tions

occ

urre

d in

the

peri

od u

nder

re

view

. If

scop

e lim

itatio

ns o

ccur

red,

the

y w

ere

prop

erly

ad

dres

sed

thro

ugh

the

esca

latio

n pr

oces

s.

Sign

ifica

nt s

cope

lim

itatio

ns o

ccur

red,

and

the

y w

ere

not

prop

erly

add

ress

ed

CH

AP

TE

R 7



17

.7.1

5 T

o en

sure

th

at t

her

e is

a p

roce

ss in

pla

ce to

dea

l wit

h g

ifts

rec

eive

d fr

om a

ud

itee

s or

oth

ers.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he o

rgan

izat

ion

has

esta

blis

hed

rule

s on

rece

ipt o

f gift

s by

empl

oyee

s as r

equi

red

by

the

ACC’

s Gift

Rul

es.

Chec

k w

heth

er t

he c

ode

of c

ondu

ct f

or i

nter

nal

audi

tors

stip

ulat

es t

he p

roce

dure

s th

at e

mpl

oyee

s sh

ould

fol

low

the

Gift

Rul

es i

ssue

d by

ACC

whe

n th

ey a

re o

ffere

d gi

fts.

Asse

ss w

heth

er th

ere

have

bee

n in

stan

ces

in w

hich

in

tern

al a

udito

rs w

ere

offe

red

gifts

dur

ing

the

peri

od u

nder

revi

ew. A

sses

s the

app

ropr

iate

ness

of

the

actio

ns th

at w

ere

take

n w

hen

inte

rnal

aud

itors

w

ere

offe

red

gifts

.

Ther

e ar

e cl

ear p

roce

dure

s in

plac

e th

at a

ddre

ss th

e re

ceip

t of

gifts

by

inte

rnal

audi

tors

. The

se p

roce

dure

s are

as st

ipul

ated

in

the

ACC’

s Gift

Rul

es a

nd ro

utin

ely

appl

ied

by in

tern

al a

udito

rs.

Ther

e ar

e no

cle

ar p

roce

dure

s tha

t add

ress

the

rece

ipt o

f gift

s by

int

erna

l au

dito

rs. A

CC’s

Gift

Rule

s ar

e no

t fo

llow

ed. O

r in

tern

al a

udito

rs a

re n

ot fu

lly a

war

e of

the

proc

edur

es th

at d

o ex

ist.

Or th

ere

have

bee

n si

tuat

ions

in w

hich

inte

rnal

aud

itors

ac

cept

ed g

ifts

and

ther

e w

ere

conc

erns

abo

ut t

he p

erce

ived

ob

ject

ivity

of t

he in

tern

al a

udito

r.

17

.7.1

6 T

o en

sure

th

at t

her

e is

a c

ooli

ng-

off

per

iod

for

in

tern

al a

ud

itor

s w

ho

are

tran

sfer

red

fro

m o

per

atio

nal

un

its

wit

hin

th

e or

gan

izat

ion

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

a co

olin

g-of

f pe

riod

ha

s be

en e

stab

lishe

d fo

r au

dito

rs w

ho

are

tran

sfer

red

from

ope

ratio

nal

units

w

ithin

the

orga

niza

tion.

Chec

k w

heth

er th

is c

oolin

g-of

f per

iod

is

com

plie

d w

ith in

pra

ctic

e.

As

sess

whe

ther

pro

per d

iscl

osur

es w

ere

mad

e in

cas

es w

here

inte

rnal

aud

itors

co

uld

not

com

ply

with

the

coo

ling-

off

peri

od.

Ther

e ar

e cl

ear p

olic

ies a

nd p

roce

dure

s in

plac

e th

at a

ddre

ss a

man

dato

ry

cool

ing-

off

peri

od

for

inte

rnal

au

dito

rs

who

ar

e tr

ansf

erre

d fr

om

oper

atio

nal u

nits

with

in t

he o

rgan

izat

ion.

The

se p

roce

dure

s ar

e kn

own

and

com

plie

d w

ith b

y in

tern

al a

udito

rs.

Ther

e are

no

clea

r pro

cedu

res t

hat a

ddre

ss a

cool

ing-

off p

erio

d fo

r int

erna

l au

dito

rs u

pon

tran

sfer

from

ope

ratio

nal u

nits

with

in th

e or

gani

zatio

n. O

r in

tern

al a

udito

rs a

re n

ot fu

lly aw

are

of a

pplic

able

pol

icie

s and

pro

cedu

res.

Or in

tern

al a

udito

rs w

ho t

rans

ferr

ed fr

om o

pera

tiona

l uni

ts w

ithin

the

or

gani

zatio

n di

d no

t com

ply

with

the

requ

ired

coo

ling-

off p

erio

d an

d th

is

affe

cted

the

perc

eive

d ob

ject

ivity

of t

he in

tern

al a

udito

rs.

CH

AP

TE

R 7



17

.7.1

7 T

o en

sure

th

at t

her

e is

a c

ooli

ng-

off

per

iod

for

in

tern

al a

ud

itor

s w

ho

are

tran

sfer

red

to

oper

atio

nal

un

its

wit

hin

th

e or

gan

izat

ion

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

coo

ling-

off

peri

od h

as b

een

esta

blis

hed

for

audi

tors

who

are

tra

nsfe

rred

to

oper

atio

nal u

nits

with

in th

e or

gani

zatio

n.

Ch

eck

whe

ther

the

req

uire

d co

olin

g-of

f per

iod

is

com

plie

d w

ith in

pra

ctic

e.

Ther

e ar

e cl

ear p

olic

ies

and

proc

edur

es in

pla

ce th

at a

ddre

ss a

co

olin

g-of

f per

iod

for

inte

rnal

aud

itors

who

are

tran

sfer

red

to

oper

atio

nal u

nits

with

in th

e org

aniz

atio

n. T

hese

pro

cedu

res a

re

know

n an

d co

mpl

ied

with

by

inte

rnal

aud

itors

.

Ther

e ar

e no

cle

ar p

olic

ies

and

proc

edur

es t

hat

addr

ess

a co

olin

g-of

f per

iod

for

inte

rnal

aud

itors

who

are

tran

sfer

red

to

oper

atio

nal u

nits

with

in th

e or

gani

zatio

n. O

r in

tern

al a

udito

rs

are

not

fully

aw

are

of t

he a

pplic

able

pol

icie

s an

d pr

oced

ures

. Or

inte

rnal

aud

itors

tran

sfer

red

to o

pera

tiona

l uni

ts w

ithin

the

orga

niza

tion

and

did

not c

ompl

y w

ith th

e re

quir

ed c

oolin

g-of

f pe

riod

and

this

affe

cted

the

perc

eive

d ob

ject

ivity

of t

he in

tern

al

audi

tors

.

CH

AP

TE

R 7



17

.8.

ISP

PIA

12

00

– P

rofi

cien

cy a

nd

Du

e P

rofe

ssio

nal

Car

e

The

follo

win

g as

sess

men

ts a

re su

gges

ted

to e

nsur

e th

at in

tern

al a

udito

rs’ e

ngag

emen

ts a

re b

acke

d w

ith p

rofic

ienc

y an

d pr

ofes

sion

al ca

re.

17

.8.1

To

ensu

re t

hat

inte

rnal

au

dit

ors

coll

ecti

vely

pos

sess

th

e n

eces

sary

kn

owle

dge

an

d s

kil

ls to

fulf

ill t

hei

r ro

le.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

com

pete

ncy

mod

el h

as b

een

deve

lope

d w

hich

cove

rs a

ll th

e ne

cess

ary

skill

s and

kn

owle

dge t

hat a

re cr

itica

l for

the p

rope

r exe

cutio

n of

aud

it en

gage

men

ts. C

heck

whe

ther

the

mod

el is

up

date

d re

gula

rly;

Chec

k w

heth

er p

rope

r jo

b de

scri

ptio

ns e

xist

for

in

tern

al a

udito

rs;

Asse

ss w

heth

er in

tern

al au

dito

rs ar

e kno

wle

dgea

ble

abou

t the

ir ro

le a

nd re

spon

sibi

litie

s;

As

sess

whe

ther

inte

rnal

audi

tors

have

the n

eces

sary

ex

peri

ence

and

pro

fess

iona

l cer

tific

atio

n;

As

sess

w

heth

er

inte

rnal

au

dito

rs

poss

ess

the

nece

ssar

y kn

owle

dge

to p

erfo

rm th

eir j

ob;

Chec

k w

heth

er r

equi

red

know

ledg

e is

ass

esse

d pr

ior t

o th

e in

tern

al a

udit

enga

gem

ent;

Asse

ss w

heth

er th

ere

is o

n-th

e-jo

b tr

aini

ng fo

r les

s ex

peri

ence

d in

tern

al a

udito

rs.

Inte

rnal

aud

it ha

s de

velo

ped

a co

mpe

tenc

y m

odel

of

all

requ

ired

skill

s and

exp

erie

nce

for t

he co

nduc

t of i

nter

nal a

udit

enga

gem

ents

. Thi

s m

odel

is r

egul

arly

upd

ated

and

com

pare

d w

ith

the

avai

labl

e re

sour

ces.

Solu

tions

ar

e fo

und

to

fill

iden

tifie

d sk

ills g

ap o

n a

timel

y ba

sis.

Inte

rnal

aud

it ha

s no

t de

velo

ped

a su

stai

nabl

e co

mpe

tenc

y m

odel

but

fin

ds a

ccep

tabl

e so

lutio

ns t

o de

al w

ith i

dent

ified

sk

ills g

ap.

Inte

rnal

aud

itors

do

not

colle

ctiv

ely

poss

ess

the

nece

ssar

y kn

owle

dge

and

skill

s to

per

form

pla

nned

aud

it en

gage

men

ts.

The

scop

e of

aud

it en

gage

men

ts is

adj

uste

d to

mat

ch th

e sk

ills

of th

e in

tern

al a

udito

rs.

Inte

rnal

aud

itors

do

not

colle

ctiv

ely

poss

ess

the

nece

ssar

y kn

owle

dge

and

skill

s to

fulfi

ll th

eir

role

, and

aud

itors

who

do

not

poss

ess

the

requ

ired

kno

wle

dge

and

skill

s pe

rfor

m a

udit

enga

gem

ents

.

CH

AP

TE

R 7



17

.8.2

To

ensu

re t

hat

inte

rnal

au

dit

ors

are

cap

able

of a

pp

lyin

g th

e p

resc

rib

ed in

tern

al a

ud

it m

eth

odol

ogy.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e In

tern

al A

udit

Man

ual a

nd B

huta

n Go

vern

men

t In

tern

al A

uditi

ng S

tand

ards

hav

e be

en

adap

ted

to th

e sp

ecifi

c env

iron

men

t of t

he a

genc

y;

As

sess

whe

ther

inte

rnal

aud

itors

fully

und

erst

and

the

pres

crib

ed in

tern

al a

udit

met

hodo

logy

;

Ch

eck

whe

ther

app

ropr

iate

trai

ning

is p

rovi

ded

on th

e pr

escr

ibed

audi

t met

hodo

logy

and

subs

eque

nt u

pdat

es;

Chec

k w

heth

er a

ppro

pria

te in

tern

al a

udit

proc

edur

es

and

tem

plat

es e

xist

;

As

sess

whe

ther

int

erna

l au

dito

rs a

re a

war

e of

the

se

proc

edur

es a

nd te

mpl

ates

.

An

inte

rnal

au

dit

man

ual

and

gove

rnm

ent

inte

rnal

au

ditin

g st

anda

rds

exis

t w

ith a

ppro

pria

te p

roce

dure

s an

d te

mpl

ates

ada

pted

to th

e en

viro

nmen

t of t

he a

genc

y. In

tern

al a

udito

rs a

re w

ell t

rain

ed to

app

ly th

e pr

escr

ibed

m

etho

dolo

gy.

Ther

e is

no

in

tern

al

audi

t m

anua

l ad

apte

d to

th

e en

viro

nmen

t of

the

age

ncy.

Or t

here

is

an a

ppro

pria

te

inte

rnal

aud

it m

anua

l but

inte

rnal

aud

itors

do

not

know

ho

w to

app

ly th

e pr

escr

ibed

met

hodo

logy

.

17

.8.3

To

ensu

re t

hat

inte

rnal

au

dit

ors

are

atte

nti

ve to

frau

d in

dic

ator

s (r

ed fl

ags)

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er in

tern

al a

udito

rs a

re a

war

e th

at fr

aud

is a

n im

port

ant r

isk

to co

nsid

er w

hen

perf

orm

ing

audi

t en

gage

men

ts.

Asse

ss w

heth

er in

tern

al a

udito

rs k

now

how

to id

entif

y fr

aud

risk

s and

the

way

s in

whi

ch it

may

occ

ur.

Asse

ss w

heth

er in

tern

al a

udito

rs k

now

how

to re

spon

d to

frau

d in

dica

tors

.

Inte

rnal

aud

itors

are

wel

l aw

are

of fr

aud

mec

hani

sms

and

indi

cato

rs. T

hey

cons

iste

ntly

con

side

r th

e ri

sk o

f fra

ud in

in

tern

al a

udit

enga

gem

ents

.

The

risk

of f

raud

is n

ot c

onsi

sten

tly c

onsi

dere

d in

inte

rnal

au

dit e

ngag

emen

ts.

CH

AP

TE

R 7



17

.8.4

To

ensu

re t

hat

inte

rnal

au

dit

ors

pos

sess

th

e n

eces

sary

sk

ills

an

d c

omp

eten

cies

to a

ud

it t

he

IT e

nvir

onm

ent.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss

whe

ther

in

tern

al

audi

tors

po

sses

s ap

prop

riat

e kn

owle

dge

of th

e IT

env

iron

men

t.

Ch

eck

whe

ther

the

int

erna

l au

dit

unit

has

a ce

rtifi

ed IT

spec

ialis

t.

As

sess

whe

ther

an

appr

opri

ate

fram

ewor

k, s

uch

as,

Cont

rol

Obje

ctiv

es f

or I

nfor

mat

ion

Rela

ted

Tech

nolo

gy (C

OBIT

) is b

eing

app

lied.

Chec

k w

heth

er IT

aud

its a

re o

utso

urce

d.

Ch

eck

whe

ther

pro

per

trai

ning

on

IT a

udit

is

prov

ided

to in

tern

al a

udito

rs.

Chec

k w

heth

er

the

pres

crib

ed

met

hodo

logy

co

ntai

ns a

dequ

ate

guid

ance

on

IT a

udit.

Inte

rnal

aud

itors

pos

sess

gen

eral

kno

wle

dge

of I

T ri

sks

and

proc

esse

s. Th

e in

tern

al a

udit

unit

has

at le

ast

one

spec

ializ

ed

IT a

udito

r or a

ltern

ativ

ely

has a

cces

s to

co-s

ourc

ing

solu

tions

.

Inte

rnal

aud

itors

do

not

poss

ess

a ge

nera

l kn

owle

dge

of I

T ri

sks

and

proc

esse

s. Th

e in

tern

al a

udit

unit

has

at l

east

one

sp

ecia

lized

IT a

udito

r or a

ltern

ativ

ely

has a

cces

s to

co-s

ourc

ing

solu

tions

.

Inte

rnal

aud

itors

do

not p

osse

ss a

gen

eral

kno

wle

dge

of IT

risk

s an

d pr

oces

ses.

The i

nter

nal a

udit

unit

does

not

hav

e a sp

ecia

lized

IT

aud

itor.

The

unit

has a

cces

s to

co-s

ourc

ing

solu

tions

.

17

.8.5

To

ensu

re t

hat

inte

rnal

au

dit

ors

use

ap

pro

pri

ate

IT to

ols

and

tech

niq

ues

wh

en p

erfo

rmin

g in

tern

al a

ud

it e

nga

gem

ents

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he u

se o

f IT

too

ls a

nd t

echn

ique

s is

pr

oper

ly d

escr

ibed

in th

e in

tern

al a

udit

man

ual.

Chec

k th

at IT

tool

s an

d te

chni

ques

are

cur

rent

ly u

sed

by

inte

rnal

aud

itors

to co

nduc

t int

erna

l aud

it en

gage

men

ts.

Asse

ss w

heth

er in

tern

al a

udito

rs a

re fu

lly a

war

e of

the

ad

vant

ages

of u

sing

pro

per I

T to

ols a

nd te

chni

ques

.

Ch

eck

whe

ther

pro

per t

rain

ing o

n IT

tool

s and

tech

niqu

es

is i

nclu

ded

in t

he t

rain

ing

plan

for

the

per

iod

unde

r re

view

.

IT t

ools

and

tec

hniq

ues

are

avai

labl

e an

d ar

e cu

rren

tly

used

by

inte

rnal

aud

itors

for i

nter

nal a

udit

enga

gem

ents

.

IT to

ols a

nd te

chni

ques

are

not

ava

ilabl

e. O

r the

ava

ilabl

e IT

tool

s an

d te

chni

ques

are

eith

er n

ot u

sefu

l or

used

by

inte

rnal

aud

itors

.

CH

AP

TE

R 7



17

.8.6

To

ensu

re t

hat

inte

rnal

au

dit

ors

kn

ow h

ow to

inte

ract

ap

pro

pri

atel

y w

ith

au

dit

cli

ents

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er tr

aini

ng o

n pr

oble

m r

esol

utio

n is

incl

uded

in th

e tr

aini

ng p

lan.

Asse

ss

how

in

tern

al

audi

tors

de

al

with

ch

alle

nges

and

obs

tacl

es.

Inte

rnal

aud

itors

kno

w h

ow to

sol

ve p

robl

ems

and

perf

orm

thei

r du

ties.

Inte

rnal

aud

itors

are

not

wel

l pre

pare

d to

solv

e pr

oble

ms o

r do

not

perf

orm

thei

r dut

ies a

dequ

atel

y.

17

.8.7

To

ensu

re t

hat

inte

rnal

au

dit

ors

pos

sess

th

e n

eces

sary

com

mu

nic

atio

n s

kil

ls.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er tr

aini

ng o

n or

al a

nd w

ritt

en c

omm

unic

atio

n sk

ills

are

incl

uded

in

the

trai

ning

pla

n.

Ch

eck

whe

ther

ade

quat

e co

mm

unic

atio

n sk

ills

are

part

of

the

recr

uitm

ent

crite

ria

for i

nter

nal a

udito

rs.

Asse

ss w

heth

er t

he a

udit

findi

ngs

dem

onst

rate

the

pro

fess

iona

lism

of

the

inte

rnal

aud

itors

.

As

sess

whe

ther

the

aud

it re

com

men

datio

ns a

re u

sefu

l an

d pr

actic

al f

or t

he

audi

ted

entit

y.

In

terv

iew

empl

oyee

s of t

he au

dite

d en

titie

s in

orde

r to a

sses

s the

pro

fess

iona

lism

of

the

inte

rnal

aud

itors

.

Good

co

mm

unic

atio

n sk

ills

are

key

crite

ria

for

the

recr

uitm

ent

of i

nter

nal

audi

tors

. Al

l in

tern

al

audi

tors

po

sses

s th

e ne

cess

ary

com

mun

icat

ion

skill

s.

Not

all

inte

rnal

aud

itors

pos

sess

ad

equa

te co

mm

unic

atio

n sk

ills.

CH

AP

TE

R 7



17

.8.8

To

ensu

re t

hat

th

ere

are

cert

ific

atio

n a

nd

con

tin

uin

g p

rofe

ssio

nal

dev

elop

men

t p

rogr

amm

es in

pla

ce fo

r in

tern

al a

ud

itor

s.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er c

ertif

icat

ion

and

trai

ning

of

inte

rnal

aud

itors

are

re

gula

ted

thro

ugh

inte

rnal

pro

cedu

res.

Chec

k w

heth

er

plan

ned

trai

ning

pr

ogra

mm

es

are

actu

ally

im

plem

ente

d.

As

sess

int

erna

l au

dito

rs’

degr

ee o

f sa

tisfa

ctio

n w

ith t

he t

rain

ing

prog

ram

me.

Chec

k w

heth

er c

ertif

icat

ion

is m

aint

aine

d by

ade

quat

e co

ntin

uing

pr

ofes

sion

al d

evel

opm

ent.

Asse

ss w

heth

er th

e cu

rren

t tra

inin

g an

d ce

rtifi

catio

n pr

actic

es a

re in

lin

e w

ith th

e pr

escr

ibed

requ

irem

ents

.

Cert

ifica

tion

and

cont

inui

ng

prof

essi

onal

de

velo

pmen

t of

in

tern

al

audi

tors

ar

e re

gula

ted

and

requ

irem

ents

are

com

plie

d w

ith ro

utin

ely.

Cert

ifica

tion

and

cont

inui

ng

prof

essi

onal

de

velo

pmen

t of

int

erna

l au

dito

rs a

re n

ot

prop

erly

re

gula

ted.

Or

in

ca

ses

whe

re

regu

latio

ns d

o ex

ist,

the

requ

irem

ents

are

no

t adh

ered

to in

pra

ctic

e.

17

.8.9

To

ensu

re t

hat

ext

ern

al e

xper

ts a

re u

sed

wh

en in

tern

al a

ud

itor

s la

ck t

he

app

rop

riat

e k

now

led

ge a

nd

sk

ills

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

the

regu

latio

ns

and

proc

edur

es

esta

blis

h th

e rig

ht an

d ap

prop

riat

e pro

cess

es to

invi

te

expe

rts t

o as

sist

with

inte

rnal

aud

it en

gage

men

ts.

Asse

ss i

n w

hich

are

as o

utsi

de e

xper

tise

is n

eede

d.

Mat

ch th

e id

entif

ied

need

s with

act

ual u

se o

f exp

erts

.

Ch

eck w

heth

er th

e bud

get i

ncor

pora

tes c

ontin

genc

ies

for t

he u

se o

f ext

erna

l exp

erts

.

Ch

eck

whe

ther

the

role

and

the

obje

ctiv

es (t

erm

s of

re

fere

nce)

of t

he e

xter

nal e

xper

ts a

re c

lear

ly d

efin

ed

in a

cont

ract

or a

gree

men

t.

As

sess

whe

ther

the

exp

erts

per

form

in a

ccor

danc

e w

ith

the

job

spec

ifica

tions

an

d al

so

tran

sfer

kn

owle

dge

to th

e in

tern

al a

udit

unit.

Regu

latio

ns p

erm

it th

e us

e of

ext

erna

l au

dito

rs.

Exte

rnal

ex

pert

s are

use

d w

here

the

know

ledg

e, ex

pert

ise

and

skill

s of

the

inte

rnal

aud

itors

are

insu

ffici

ent t

o pe

rfor

m a

n in

tern

al

audi

t en

gage

men

t. Th

e ap

prop

riat

e bu

dget

for

the

use

of

expe

rt is

app

rove

d as

nec

essa

ry.

The

inte

rnal

reg

ulat

ions

do

not

fore

see

the

poss

ibili

ty o

f us

ing

exte

rnal

exp

erts

. Or

whe

re t

he r

egul

atio

ns p

erm

it th

e us

e of

ext

erna

l exp

erts

, the

re a

re b

udge

tary

lim

itatio

ns

that

rest

rict

the

use

of e

xter

nal e

xper

ts. O

r in

tern

al a

udito

rs

perf

orm

au

dit

enga

gem

ents

w

ithou

t in

volv

ing

exte

rnal

ex

pert

s on

cas

es in

whi

ch t

hey

do n

ot p

osse

ss a

ppro

pria

te

know

ledg

e, e

xper

tise

or sk

ills.

CH

AP

TE

R 7



17

.8.1

0 T

o en

sure

th

at t

he

aud

it o

bje

ctiv

es a

re fo

cuse

d o

n t

he

mai

n r

isk

(s).

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er i

nter

nal a

udit

has

an a

dequ

ate

met

hodo

logy

in p

lace

to

ide

ntify

, as

sess

and

pri

oriti

ze

risk

s.

As

sess

w

heth

er

inte

rnal

au

dit

has

an i

ndep

ende

nt a

nd u

nbia

sed

appr

oach

to

th

e as

sess

men

t of

ri

sks.

Asse

ss w

heth

er i

nter

nal

audi

tors

di

ffere

ntia

te b

etw

een

criti

cal

and

less

criti

cal r

isks

.

As

sess

w

heth

er

inte

rnal

au

dito

rs t

ake

into

acc

ount

sen

ior

man

agem

ent’s

vie

ws

on r

isk

and

risk

man

agem

ent.

Inte

rnal

aud

it ap

plie

s an

app

ropr

iate

ris

k as

sess

men

t m

etho

dolo

gy.

The

resu

lts o

f the

risk

ass

essm

ent p

erfo

rmed

by

inte

rnal

aud

itors

are

val

idat

ed b

y ri

sk m

anag

emen

t sta

ff an

d se

nior

man

agem

ent’s

vie

ws.

The

audi

t obj

ectiv

es

of in

divi

dual

eng

agem

ents

refle

ct th

e re

sults

of t

he ri

sk a

sses

smen

t exe

rcis

e.

Inte

rnal

aud

it ap

plie

s an

app

ropr

iate

ris

k as

sess

men

t m

etho

dolo

gy.

The

resu

lts o

f the

ris

k as

sess

men

t pe

rfor

med

by

inte

rnal

aud

it ar

e va

lidat

ed b

y ri

sk m

anag

emen

t sta

ff an

d se

nior

man

agem

ent’s

vie

ws.

The

audi

t obj

ectiv

es

of in

divi

dual

eng

agem

ents

do

not

refle

ct t

he r

esul

ts o

f th

e ri

sk a

sses

smen

t ex

erci

se.

Inte

rnal

aud

it ap

plie

s an

app

ropr

iate

ris

k as

sess

men

t met

hodo

logy

but

doe

s no

t so

licit

the

view

s of

ris

k m

anag

emen

t st

aff a

nd s

enio

r m

anag

emen

t w

ith

rega

rd to

risk

s.

Inte

rnal

aud

it do

es n

ot a

pply

an

appr

opri

ate

risk

ass

essm

ent m

etho

dolo

gy.

17

.9.

ISP

PIA

20

00

– M

anag

ing

the

Inte

rnal

Au

dit

Act

ivit

y

In o

rder

to a

sses

s if t

he in

tern

al a

udit

activ

ity is

add

ing

valu

e to

the

orga

niza

tion’

s ope

ratio

n, th

e fo

llow

ing

asse

ssm

ents

are

pro

vide

d un

der

ISPP

IA 2

000.

17

.9.1

To

ensu

re t

hat

a c

omp

lete

, mea

nin

gfu

l, m

anag

eab

le a

nd

su

stai

nab

le a

ud

it u

niv

erse

exi

sts.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

the

audi

t un

iver

se

has

been

de

term

ined

and

is re

gula

rly u

pdat

ed.

Chec

k w

heth

er t

he a

udit

univ

erse

con

sist

s of

al

l re

leva

nt o

bjec

tives

, pr

oces

ses,

activ

ities

and

de

part

men

ts/u

nits

in th

e ag

ency

.

Inte

rnal

aud

it ha

s de

velo

ped

a co

mpl

ete

audi

t uni

vers

e th

at is

up

date

d in

a ti

mel

y m

anne

r with

new

obj

ectiv

es, p

rogr

amm

es,

proc

esse

s and

ent

ities

.

Inte

rnal

aud

it do

es n

ot p

osse

ss a

com

plet

e au

dit u

nive

rse.

CH

AP

TE

R 7



17

.9.2

To

ensu

re t

hat

inte

rnal

au

dit

act

ivit

ies

are

dri

ven

by

a ri

sk-b

ased

pla

n.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k whe

ther

ther

e are

adeq

uate

pro

cedu

res

for

the

deve

lopm

ent

of a

ris

k-ba

sed

audi

t pl

an.

Chec

k w

heth

er p

rope

r ri

sk f

acto

rs, c

rite

ria

for

asse

ssm

ent,

risk

wei

ghts

and

sco

res

have

be

en d

efin

ed.

Chec

k w

heth

er th

e ri

sks

asso

ciat

ed w

ith th

e ob

ject

ives

, pr

oces

ses

and

activ

ities

of

the

agen

cy h

ave

been

iden

tifie

d an

d as

sess

ed.

Chec

k w

heth

er

chan

ges

in

obje

ctiv

es,

activ

ities

, re

sour

ces,

and

the

oper

atio

nal

envi

ronm

ent

are

take

n in

to

acco

unt

whe

n co

nduc

ting

the

risk

ass

essm

ent

and

deve

lopi

ng th

e ri

sk-b

ased

aud

it pl

an.

Chec

k w

heth

er t

he r

isk

asse

ssm

ent

proc

ess

has b

een

prop

erly

doc

umen

ted.

Chec

k w

heth

er th

e st

rate

gic a

nd a

nnua

l pla

ns

are

upda

ted

peri

odic

ally

.

Ch

eck

whe

ther

the

risk

-bas

ed a

udit

plan

s are

di

scus

sed

with

sen

ior

man

agem

ent

befo

re

final

rele

ase.

Inte

rnal

aud

it de

velo

ps ri

sk-b

ased

aud

it pl

ans u

sing

app

ropr

iate

risk

fa

ctor

s and

risk

cri

teri

a. S

enio

r man

agem

ent i

s con

sulte

d du

ring

the

proc

ess.

Chan

ges

in t

he o

rgan

izat

ion’

s ac

tiviti

es a

re i

mm

edia

tely

re

asse

ssed

. The

ent

ire

risk

ass

essm

ent p

roce

ss is

doc

umen

ted.

Inte

rnal

aud

it de

velo

ps ri

sk-b

ased

aud

it pl

ans u

sing

app

ropr

iate

risk

fa

ctor

s and

risk

cri

teri

a. S

enio

r man

agem

ent i

s con

sulte

d du

ring

the

proc

ess.

Chan

ges i

n th

e or

gani

zatio

n’s a

ctiv

ities

are

not

imm

edia

tely

re

asse

ssed

. Or

the

entir

e ri

sk a

sses

smen

t pr

oces

s is

not

pro

perly

do

cum

ente

d.

Inte

rnal

aud

it de

velo

ps r

isk-

base

d au

dit

plan

s us

ing

appr

opri

ate

risk

fact

ors

and

risk

cri

teri

a. S

enio

r m

anag

emen

t is

not

con

sulte

d du

ring

the

proc

ess.

Or ch

ange

s in

the

orga

niza

tion’

s act

iviti

es a

re n

ot

imm

edia

tely

reas

sess

ed. O

r the

ent

ire

risk

ass

essm

ent p

roce

ss is

not

do

cum

ente

d.

Inte

rnal

aud

it de

velo

ps r

isk-

base

d au

dit

plan

s bu

t do

es n

ot u

se

appr

opri

ate

risk

fac

tors

and

ris

k cr

iteri

a. S

enio

r m

anag

emen

t is

no

t co

nsul

ted

duri

ng t

he p

roce

ss.

Chan

ges

in t

he o

rgan

izat

ion’

s ac

tiviti

es a

re n

ot r

eass

esse

d. T

he e

ntir

e ri

sk a

sses

smen

t pro

cess

is

not d

ocum

ente

d.

CH

AP

TE

R 7



17

.9.3

To

ensu

re t

hat

th

e in

tern

al a

ud

it p

lan

tak

es i

nto

con

sid

erat

ion

any

ris

k m

anag

emen

t fr

amew

ork

th

at e

xist

s w

ith

in t

he

inst

itu

tion

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

ris

k m

anag

emen

t fr

amew

ork

exis

ts

with

in th

e ag

ency

.

Ch

eck

whe

ther

the

exi

stin

g ri

sk m

anag

emen

t fr

amew

ork

and

its re

sults

hav

e be

en a

sses

sed

by in

tern

al a

udit.

Chec

k w

heth

er th

e re

sults

of t

he e

xist

ing

risk

man

agem

ent

fram

ewor

k ar

e co

nsid

ered

dur

ing

the

deve

lopm

ent o

f the

st

rate

gic a

nd a

nnua

l aud

it pl

ans.

A ri

sk m

anag

emen

t fr

amew

ork

exis

ts a

nd i

s ta

ken

into

acc

ount

by

inte

rnal

aud

it. O

r a

risk

man

agem

ent

fram

ewor

k do

es n

ot e

xist

. Or

the

ris

k m

anag

emen

t fr

amew

ork

that

exi

sts

is n

ot u

sefu

l for

inte

rnal

aud

it pu

rpos

es.

A ri

sk m

anag

emen

t fra

mew

ork

exis

ts a

nd is

use

ful b

ut

is n

ot ta

ken

into

acc

ount

by

inte

rnal

aud

it.

17

.9.4

To

ensu

re t

hat

inp

ut

from

sen

ior

man

agem

ent

has

bee

n s

olic

ited

an

d c

onsi

der

ed fo

r th

e d

evel

opm

ent

of t

he

inte

rnal

au

dit

p

lan

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss th

e w

ays i

n w

hich

seni

or m

anag

emen

t’s in

put

is so

licite

d an

d co

nsid

ered

in th

e de

velo

pmen

t of t

he

inte

rnal

aud

it pl

an.

Asse

ss t

he j

ustif

icat

ion

prov

ided

to

incl

ude

area

s pr

opos

ed f

or a

udit

by s

enio

r m

anag

emen

t in

the

au

dit p

lan.

The

inpu

t fro

m se

nior

man

agem

ent i

s dul

y co

nsid

ered

in th

e de

velo

pmen

t of t

he in

tern

al a

udit

plan

.

The

inpu

t fro

m s

enio

r m

anag

emen

t is

not c

onsi

dere

d in

the

deve

lopm

ent o

f the

inte

rnal

aud

it pl

an.

CH

AP

TE

R 7



17

.9.5

To

ensu

re t

hat

ad

equ

ate

risk

fact

ors

are

use

d fo

r th

e ri

sk a

sses

smen

t p

roce

ss.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e ri

sk fa

ctor

s are

in a

ccor

danc

e w

ith th

e sp

ecifi

cs o

f the

pr

oces

ses o

f the

age

ncy.

Chec

k w

heth

er k

ey ri

sk fa

ctor

s hav

e be

en d

efin

ed.

Chec

k w

heth

er p

rope

r cr

iteri

a fo

r th

e as

sess

men

t of

the

sel

ecte

d ri

sk

fact

ors h

ave

been

iden

tifie

d.

Ch

eck

whe

ther

the

sig

nific

ance

/ w

eigh

t of

eac

h ri

sk f

acto

r ha

s be

en

rate

d.

Inte

rnal

aud

it ha

s de

velo

ped

adeq

uate

ri

sk

fact

ors

for

its

risk

as

sess

men

t pr

oces

s.

Inte

rnal

audi

t has

not

dev

elop

ed ad

equa

te

risk

fa

ctor

s fo

r its

ri

sk

asse

ssm

ent

proc

ess.

17

.9.6

To

ensu

re t

hat

key

con

trol

s ar

e id

enti

fied

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er c

ontr

ols

that

add

ress

a k

ey r

isk

or a

nu

mbe

r of r

isks

are

pro

perly

iden

tifie

d.

Ch

eck

whe

ther

the

ade

quac

y of

key

con

trol

s ar

e an

alyz

ed a

nd a

sses

sed.

Inte

rnal

aud

it id

entif

ies

key

cont

rols

as

part

of

its r

isk

asse

ssm

ent p

roce

ss.

Inte

rnal

aud

it do

es n

ot id

entif

y ke

y co

ntro

ls a

s par

t of i

ts ri

sk

asse

ssm

ent p

roce

ss.

17

.9.7

To

ensu

re t

hat

inte

rnal

au

dit

giv

es a

pp

rop

riat

e au

dit

cov

erag

e to

all

are

as o

f th

e in

stit

uti

on.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

otal

cov

erag

e of

the

aud

it un

iver

se

has b

een

outli

ned

in th

e st

rate

gic p

lan.

Chec

k w

heth

er cl

assi

ficat

ion

and

prio

ritiz

atio

n of

the

proc

esse

s, ac

tiviti

es, a

nd a

udite

es h

ave

been

mad

e in

ac

cord

ance

with

the

iden

tifie

d ri

sk le

vels

.

The

tota

l aud

it un

iver

se is

cov

ered

ove

r a

cert

ain

peri

od o

f tim

e.

The

tota

l aud

it un

iver

se is

not

cov

ered

ove

r a

cert

ain

peri

od

of ti

me.

CH

AP

TE

R 7



17

.9.8

To

ensu

re t

hat

th

e au

dit

pla

n is

rev

iew

ed p

erio

dic

ally

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Asse

ss w

heth

er t

he a

udit

plan

is

revi

ewed

in

the

even

t of

si

gnifi

cant

cha

nges

in

the

audi

t un

iver

se o

r w

hen

new

ris

ks

aris

e.

Ch

eck

whe

ther

seni

or m

anag

emen

t is i

nvol

ved

in th

e re

view

of

the

audi

t pla

n.

Ch

eck

whe

ther

the

head

of t

he a

genc

y ap

prov

es c

hang

es to

the

audi

t pla

n.

The

audi

t pl

an

is

revi

ewed

pe

riod

ical

ly

and

whe

neve

r maj

or ch

ange

s occ

ur in

the

orga

niza

tion.

The

audi

t pl

an i

s no

t re

view

ed p

erio

dica

lly o

r w

hen

maj

or ch

ange

s occ

ur in

the

orga

niza

tion.

17

.9.9

To

ensu

re t

hat

inte

rnal

au

dit

has

ap

pro

pri

ate

and

su

ffic

ien

t re

sou

rces

to c

ond

uct

its

acti

viti

es.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er in

tern

al a

udit

peri

odic

ally

an

alyz

es t

he r

esou

rces

tha

t it

need

s to

pe

rfor

m th

e au

dit a

ctiv

ities

out

lined

in th

e au

dit p

lan.

Chec

k w

heth

er

the

anal

ysis

co

nsid

ers

both

the

skill

s an

d th

e nu

mbe

r of

aud

itors

ne

eded

to

pe

rfor

m

the

inte

rnal

au

dit

activ

ities

acc

ordi

ng to

the

audi

t pla

n.

Ch

eck

whe

ther

kno

wle

dge

of IT

and

frau

d in

dica

tors

are

par

t of

the

ass

essm

ent

of

skill

s nee

ded.

Chec

k w

heth

er

succ

essi

on

plan

ning

is

in

corp

orat

ed in

the

asse

ssm

ent p

roce

ss.

Chec

k w

heth

er th

ere

are

reso

urce

s to

hir

e ex

tern

al e

xper

ts w

hen

nece

ssar

y.

Ch

eck

whe

ther

res

ourc

e lim

itatio

ns a

re

prom

ptly

repo

rted

to m

anag

emen

t.

Inte

rnal

aud

it pe

riod

ical

ly a

naly

zes w

heth

er it

s res

ourc

es a

re su

ffici

ent

in q

ualit

y an

d qu

antit

y to

per

form

its

audi

t act

iviti

es. T

he q

ualit

ativ

e an

alys

is c

onta

ins

an a

sses

smen

t of

IT

skill

s an

d fr

aud

awar

enes

s. Su

cces

sion

pla

nnin

g is

par

t of t

he p

roce

ss.

Inte

rnal

aud

it pe

riod

ical

ly a

naly

zes w

heth

er it

s res

ourc

es a

re su

ffici

ent

in q

ualit

y an

d qu

antit

y to

per

form

its

audi

t act

iviti

es. T

he q

ualit

ativ

e an

alys

is c

onta

ins

an a

sses

smen

t of

IT

skill

s an

d fr

aud

awar

enes

s. Su

cces

sion

pla

nnin

g is

not

par

t of t

his p

roce

ss.

Inte

rnal

aud

it pe

riod

ical

ly a

naly

zes w

heth

er it

s res

ourc

es a

re su

ffici

ent

in q

ualit

y an

d qu

antit

y to

per

form

its

audi

t act

iviti

es. T

he q

ualit

ativ

e an

alys

is d

oes

not

cont

ain

an a

sses

smen

t of

IT

skill

s an

d fr

aud

awar

enes

s. Su

cces

sion

pla

nnin

g is

not

par

t of t

his p

roce

ss.

Inte

rnal

aud

it do

es n

ot p

erio

dica

lly a

naly

ze w

heth

er it

s re

sour

ces

are

suffi

cien

t in

qual

ity a

nd q

uant

ity to

per

form

its a

udit

activ

ities

.

CH

AP

TE

R 7



17

.9.1

0 T

o en

sure

th

at t

he

imp

act

of r

esou

rce

lim

itat

ion

s is

com

mu

nic

ated

to s

enio

r m

anag

emen

t.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

n as

sess

men

t ha

s be

en m

ade

of t

he q

ualit

y an

d qu

antit

y of

reso

urce

s nee

ded

to im

plem

ent t

he a

udit

plan

.

Ch

eck

whe

ther

an

asse

ssm

ent h

as b

een

mad

e of

the

impa

ct o

f res

ourc

e lim

itatio

ns.

Chec

k w

heth

er s

enio

r m

anag

emen

t ha

s be

en i

nfor

med

in

a tim

ely

man

ner a

bout

reso

urce

lim

itatio

ns a

nd th

e im

pact

on

the

inst

itutio

n.

Seni

or

man

agem

ent

is

timel

y in

form

ed

abou

t an

y in

tern

al

audi

t re

sour

ce

limita

tions

.

Seni

or m

anag

emen

t is

not i

nfor

med

abo

ut

any

inte

rnal

aud

it re

sour

ce li

mita

tions

.

17

.9.1

1 T

o en

sure

th

at in

tern

al a

ud

it m

akes

use

of ‘

gues

t’ a

ud

itor

s co

min

g fr

om o

ther

par

ts o

f th

e or

gan

izat

ion

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he p

olic

ies

and

proc

edur

es a

llow

int

erna

l au

dit

to

invi

te e

xper

ts (

non-

audi

tors

) fr

om o

ther

par

ts o

f the

org

aniz

atio

n to

as

sist

the

audi

t tea

m w

ith te

chni

cal m

atte

rs.

Chec

k w

heth

er th

ese

expe

rts

have

any

con

flict

of i

nter

est w

ith re

spec

t to

the

audi

ted

area

.

Inte

rnal

au

dit

uses

‘g

uest

’ au

dito

rs

to

supp

lem

ent i

ts te

chni

cal c

ompe

tenc

e.

Inte

rnal

aud

it do

es n

ot u

se ‘g

uest

’ aud

itors

.

17

.9.1

2 T

o en

sure

th

at i

nte

rnal

au

dit

has

ad

equ

ate

aud

it p

olic

ies

and

pro

ced

ure

s, a

nd

th

at t

hes

e p

roce

du

res

are

up

dat

ed o

n a

re

gula

r b

asis

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e ex

istin

g pr

oced

ures

are

suffi

cien

t to

perf

orm

vari

ous t

ypes

of

inte

rnal

aud

it en

gage

men

ts.

Chec

k w

heth

er t

he c

urre

nt p

roce

dure

s re

quir

e th

e us

e an

d or

gani

zatio

n of

w

orki

ng p

aper

s.

Ch

eck

whe

ther

the

proc

edur

es p

resc

ribe

the

rete

ntio

n of

and

acc

ess

to a

udit

files

.

Ch

eck

whe

ther

the

proc

edur

es a

re u

pdat

ed o

n a

regu

lar b

asis

.

Inte

rnal

au

dit

has

adeq

uate

an

d up

date

d au

dit

polic

ies

and

proc

edur

es.

Inte

rnal

au

dit

does

no

t ha

ve

adeq

uate

au

dit

polic

ies

and

proc

edur

es

CH

AP

TE

R 7



17

.9.1

3 T

o en

sure

th

at i

nte

rnal

au

dit

act

ivit

ies

are

pro

per

ly c

oord

inat

ed w

ith

oth

er i

nte

rnal

ass

ura

nce

pro

vid

ers

(e.g

. Fin

ance

&

Acc

oun

ts U

nit

/Div

isio

n).

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he m

anda

tes

of o

ther

inte

rnal

ass

uran

ce p

rovi

ders

are

do

cum

ente

d.

Ch

eck

whe

ther

inte

rnal

aud

it ha

s con

duct

ed a

n as

sess

men

t of t

he w

ork

of

thes

e in

tern

al a

ssur

ance

pro

vide

rs.

Chec

k w

heth

er t

he i

nter

nal

audi

t un

it an

d ot

her

inte

rnal

ass

uran

ce

prov

ider

s exc

hang

e in

form

atio

n an

d re

port

s.

Ch

eck

whe

ther

int

erna

l au

dit

activ

ities

are

coo

rdin

ated

with

oth

er

inte

rnal

ass

uran

ce p

rovi

ders

in o

rder

to a

void

dup

licat

ion.

Chec

k w

heth

er in

tern

al a

udit

relie

s on

the

res

ults

of t

he w

ork

of o

ther

in

tern

al a

ssur

ance

pro

vide

rs.

Inte

rnal

aud

it ha

s as

sess

ed t

he w

ork

of o

ther

int

erna

l as

sura

nce

prov

ider

s. In

tern

al a

udit

coor

dina

tes

its a

ctiv

ities

w

ith th

ese

prov

ider

s.

Inte

rnal

aud

it do

es n

ot c

oord

inat

e its

ac

tiviti

es w

ith o

ther

inte

rnal

ass

uran

ce

prov

ider

s.

17

.9.1

4 T

o en

sure

th

at in

tern

al a

ud

it c

oord

inat

es it

s ac

tivi

ties

wit

h t

he

CCA

/IA

Us.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er c

oope

ratio

n be

twee

n in

tern

al a

nd e

xter

nal

audi

tors

is

desc

ribe

d in

any

offi

cial

doc

umen

t.

Ch

eck

whe

ther

con

side

ratio

n is

giv

en to

ext

erna

l aud

it ac

tiviti

es in

the

in

tern

al a

udit

plan

ning

pro

cess

.

Ch

eck

whe

ther

ext

erna

l aud

itors

hav

e ac

cess

to a

ll in

tern

al a

udit

files

.

Ch

eck

whe

ther

int

erna

l an

d ex

tern

al a

udito

rs s

hare

inf

orm

atio

n an

d re

port

s.

Ch

eck

whe

ther

inte

rnal

and

ext

erna

l aud

it ac

tiviti

es a

re c

oord

inat

ed in

or

der t

o av

oid

dupl

icat

ion.

Inte

rnal

aud

it co

ordi

nate

s its

act

iviti

es

with

the

exte

rnal

aud

itor.

Inte

rnal

aud

it do

es n

ot c

oord

inat

e its

ac

tiviti

es w

ith th

e ex

tern

al a

udito

r.

CH

AP

TE

R 7



17

.9.1

5 T

o fo

ster

res

pec

t fo

r th

e w

ork

of i

nte

rnal

au

dit

ors

by t

he

exte

rnal

au

dit

ors.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Inte

rvie

w th

e ex

tern

al a

udito

rs in

volv

ed in

the

audi

t of

the

agen

cy.

Inte

rvie

w t

he I

AU C

hief

abo

ut t

he S

upre

me

Audi

t In

stitu

tion’

s vie

w o

f the

inte

rnal

aud

it un

it.

Exte

rnal

aud

it re

spec

ts th

e w

ork

of in

tern

al a

udit

and

relie

s on

its w

ork.

Exte

rnal

aud

it do

es n

ot v

alue

the

wor

k of

inte

rnal

aud

it.

17

.9.1

6 T

o en

sure

that

inte

rnal

au

dit

pla

ys a

n a

pp

rop

riat

e ro

le in

the

dev

elop

men

t an

d m

ain

ten

ance

of a

ris

k r

egis

ter

or a

ssu

ran

ce

map

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er a

risk

regi

ster

exi

sts a

nd th

e ex

tent

of

inte

rnal

aud

it’s c

ontr

ibut

ion.

Chec

k w

heth

er a

n as

sura

nce

map

exi

sts

and

the

exte

nt o

f int

erna

l aud

it’s c

ontr

ibut

ion.

Inte

rnal

aud

it pl

ays

a ke

y ro

le in

the

deve

lopm

ent o

f a r

isk

regi

ster

and

ass

uran

ce m

ap w

hen

thes

e ex

ist.

Inte

rnal

aud

it do

es n

ot p

lay

a ro

le in

the

deve

lopm

ent o

f the

ex

istin

g ri

sk re

gist

er o

r ass

uran

ce m

ap fo

r the

org

aniz

atio

n.

17

.9.1

7 T

o en

sure

th

at t

he

seco

nd

lin

es o

f def

ense

wit

hin

th

e ag

ency

rec

eive

pro

per

au

dit

cov

erag

e.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

the

audi

t un

iver

se

incl

udes

th

e se

cond

line

s of d

efen

se.

Chec

k w

heth

er a

ppro

pria

te c

onsi

dera

tion

has

been

gi

ven

to th

e se

cond

line

s of

def

ense

dur

ing

the

risk

as

sess

men

t pro

cess

.

The

seco

nd l

ines

of

defe

nse

are

incl

uded

in

the

scop

e of

in

tern

al a

udit

activ

ities

and

are

revi

ewed

.

Inte

rnal

aud

it do

es n

ot a

udit

the

seco

nd li

nes o

f def

ense

.

CH

AP

TE

R 7



17

.9.1

8 T

o en

sure

that

inte

rnal

au

dit

act

ivit

ies

are

pro

per

ly c

oord

inat

ed w

ith

oth

er e

xter

nal

ass

ura

nce

pro

vid

ers,

e.g

. RA

A a

nd

ACC

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

the

man

date

of

ot

her

exte

rnal

as

sura

nce

prov

ider

s is

do

cum

ente

d.

Ch

eck

whe

ther

inte

rnal

aud

it ha

s con

duct

ed a

n as

sess

men

t of t

he w

ork

of th

ese

exte

rnal

pro

vide

rs.

Chec

k w

heth

er in

tern

al a

udit

and

othe

r ext

erna

l ass

uran

ce p

rovi

ders

exc

hang

e in

form

atio

n an

d re

port

s (E.

g. T

ripa

rtite

mee

tings

of t

he p

ast)

.

Ch

eck

whe

ther

the

act

iviti

es o

f in

tern

al a

udit

and

othe

r ex

tern

al a

ssur

ance

pr

ovid

ers a

re co

ordi

nate

d in

ord

er to

avo

id d

uplic

atio

n.

Ch

eck

whe

ther

inte

rnal

aud

it re

lies o

n th

e re

sults

of t

he w

ork

of o

ther

ext

erna

l as

sura

nce

prov

ider

s

Inte

rnal

aud

it ha

s as

sess

ed t

he

wor

k of

oth

er e

xter

nal a

ssur

ance

pr

ovid

ers.

Inte

rnal

au

dit

coor

dina

tes

its

activ

ities

w

ith

thes

e pr

ovid

ers.

Inte

rnal

aud

it do

es n

ot c

oord

inat

e its

act

iviti

es w

ith o

ther

exi

stin

g ex

tern

al a

ssur

ance

pro

vide

rs.

17

.9.1

9 T

o en

sure

th

at in

tern

al a

ud

it p

erio

dic

ally

rep

orts

to s

enio

r m

anag

emen

t on

its

acti

viti

es.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he c

hart

er a

nd t

he p

roce

dure

s de

fine

the

cont

ent a

nd th

e fr

eque

ncy

of a

udit

activ

ity

repo

rts

that

sho

uld

be c

omm

unic

ated

to th

e he

ad o

f th

e in

stitu

tion

by in

tern

al a

udit.

Asse

ss t

he u

sefu

lnes

s of

the

se r

epor

ts f

rom

sen

ior

man

agem

ent’s

poi

nt o

f vie

w.

Inte

rnal

aud

it pe

riod

ical

ly re

port

s to

sen

ior m

anag

emen

t on

its a

ctiv

ities

. Man

agem

ent v

alue

s the

se re

port

s.

Inte

rnal

aud

it do

es n

ot r

epor

t on

its

act

iviti

es t

o se

nior

m

anag

emen

t.

CH

AP

TE

R 7



17

.10

. ISP

PIA

21

00

– N

atu

re o

f Wor

k

Chec

klis

t for

ass

essm

ents

nec

essa

ry u

nder

Sta

ndar

d 21

00:

17

.10

.1 T

o en

sure

th

at in

tern

al a

ud

it r

evie

ws

the

des

ign

an

d e

ffec

tive

nes

s of

eth

ical

pro

gram

mes

wit

hin

th

e in

stit

uti

on.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er i

nter

nal

audi

tors

foc

us o

n et

hica

l is

sues

in th

eir

eval

uatio

n of

the

agen

cy’s

obje

ctiv

es,

prog

ram

mes

and

act

iviti

es.

Chec

k w

heth

er th

ere

is s

uffic

ient

em

phas

is o

n et

hics

in

inte

rnal

aud

it en

gage

men

ts a

nd re

port

s.

Inte

rnal

aud

it re

view

s th

e ef

fect

iven

ess

of v

ario

us e

thic

s pr

ogra

mm

es.

Inte

rnal

aud

it do

es n

ot re

view

eth

ics p

rogr

amm

es.

17

.10

.2 T

o en

sure

th

at in

tern

al a

ud

it r

evie

ws

how

ris

k o

wn

ersh

ip a

nd

acc

oun

tab

ilit

y ar

e es

tab

lish

ed w

ith

in t

he

agen

cy.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er i

nter

nal

audi

t pr

ovid

es a

n op

inio

n on

the

alig

nmen

t of v

ario

us p

rogr

amm

es, p

roce

sses

an

d ac

tiviti

es w

ith th

e m

issi

on a

nd o

bjec

tives

of t

he

inst

itutio

n.

As

sess

whe

ther

the

conc

epts

of r

isk

owne

rshi

p an

d ac

coun

tabi

lity

are

exam

ined

thro

ugho

ut th

e in

tern

al

audi

t eng

agem

ents

and

refle

cted

in a

udit

repo

rts.

Inte

rnal

audi

t rev

iew

s how

risk

ow

ners

hip

and

acco

unta

bilit

y ar

e es

tabl

ishe

d w

ithin

the

inst

itutio

n.

Inte

rnal

au

dit

does

no

t co

nsid

er

risk

ow

ners

hip

and

acco

unta

bilit

y in

its a

ctiv

ities

.

17

.10

.3 T

o en

sure

th

at in

tern

al a

ud

it p

rovi

des

ass

ura

nce

on

th

e ri

sk m

anag

emen

t p

roce

ss.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

CH

AP

TE

R 7



Chec

k w

heth

er t

he r

isk

man

agem

ent

proc

ess

is

incl

uded

in th

e au

dit u

nive

rse.

Chec

k w

heth

er t

he r

isk

man

agem

ent

proc

ess

is

give

n du

e co

nsid

erat

ion

duri

ng th

e ri

sk a

sses

smen

t ex

erci

se.

Asse

ss

whe

ther

in

tern

al

audi

t re

view

s th

e ef

fect

iven

ess o

f the

risk

man

agem

ent p

roce

ss.

Asse

ss w

heth

er in

tern

al a

udit

revi

ews t

he a

lignm

ent

of

resi

dual

ri

sk

with

th

e ri

sk

appe

tite

of

the

orga

niza

tion.

Asse

ss w

heth

er in

tern

al a

udit

revi

ews

the

exis

tenc

e an

d co

mpl

eten

ess o

f the

risk

regi

ster

s.

As

sess

the

rol

e th

at in

tern

al a

udit

play

s in

the

ris

k m

anag

emen

t pro

cess

.

Inte

rnal

aud

it pr

ovid

es re

gula

r ass

uran

ce o

n al

l com

pone

nts

of t

he r

isk

man

agem

ent

proc

ess.

Inte

rnal

aud

it pr

ovid

es

advi

sory

serv

ices

with

rega

rd to

risk

man

agem

ent.

Inte

rnal

audi

t pro

vide

s ass

uran

ce o

n so

me c

ompo

nent

s of t

he

risk

man

agem

ent

proc

ess.

Inte

rnal

aud

it pr

ovid

es a

dvis

ory

serv

ices

with

rega

rd to

risk

man

agem

ent.

Inte

rnal

aud

it do

es n

ot p

rovi

de a

ssur

ance

on

the

risk

m

anag

emen

t pr

oces

s bu

t pl

ays

an a

dvis

ory

role

in

the

proc

ess.

Inte

rnal

aud

it do

es n

ot p

rovi

de a

ssur

ance

on

the

risk

m

anag

emen

t pro

cess

and

doe

s no

t pla

y an

y ad

viso

ry ro

le in

th

e pr

oces

s.

17

.10

.4 T

o en

sure

th

at in

tern

al a

ud

it p

ays

suff

icie

nt

atte

nti

on to

th

e ri

sk o

f fra

ud

.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er t

he r

isk

of f

raud

is

cons

ider

ed

duri

ng th

e ri

sk a

sses

smen

t pro

cess

.

Ch

eck

whe

ther

the

ris

k of

fra

ud i

s co

nsid

ered

du

ring

the

pla

nnin

g pr

oces

s of

ind

ivid

ual

audi

t en

gage

men

ts.

Inte

rnal

aud

it co

nsid

ers

the

risk

of

frau

d du

ring

the

ris

k as

sess

men

t and

pla

nnin

g pha

se o

f ind

ivid

ual a

udit

enga

gem

ents

.

Inte

rnal

aud

it do

es n

ot p

ay sp

ecifi

c att

entio

n to

the

risk

of f

raud

.

CH

AP

TE

R 7



17

.10

.5 T

o en

sure

th

at in

tern

al a

ud

it r

evie

ws

the

effe

ctiv

enes

s an

d a

deq

uac

y of

th

e in

tern

al c

ontr

ol s

yste

m.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er

inte

rnal

au

dit

syst

emat

ical

ly

revi

ews

the

effe

ctiv

enes

s (d

o co

ntro

l ad

dres

s ri

sk?)

and

ade

quac

y (d

o co

ntro

ls w

ork

in p

ract

ice?

) of c

ontr

ols.

Chec

k w

heth

er

inte

rnal

au

dit

proa

ctiv

ely

prov

ides

ad

vice

on

ef

fect

ive

and

adeq

uate

cont

rols

dur

ing

the

deve

lopm

ent

of n

ew p

roce

sses

an

d sy

stem

s.

Inte

rnal

aud

it re

view

s bo

th th

e ef

fect

iven

ess

and

the

adeq

uacy

of c

ontr

ols.

Inte

rnal

aud

it pr

oact

ivel

y ad

vise

s th

e ag

ency

on

effe

ctiv

e an

d ad

equa

te

cont

rols

.

Inte

rnal

aud

it re

view

s bo

th t

he e

ffect

iven

ess

and

adeq

uacy

of

cont

rols

. In

tern

al a

udit

does

not

pro

activ

ely

prov

ide

advi

ce o

n ef

fect

ive

and

adeq

uate

co

ntro

ls.

Inte

rnal

aud

it re

view

s mai

nly

cove

r the

ade

quac

y of

cont

rols

.

Inte

rnal

audi

t doe

s not

syst

emat

ical

ly re

view

the e

ffect

iven

ess a

nd ad

equa

cy

of co

ntro

ls.

17

.10

.6 T

o en

sure

th

at in

tern

al a

ud

it c

ontr

ibu

tes

to t

he

del

iver

y of

an

op

inio

n o

n t

he

adeq

uac

y an

d t

he

effe

ctiv

enes

s of

th

e ov

eral

l in

tern

al c

ontr

ol s

yste

m.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e he

ad o

f the

age

ncy

requ

ires

an

opin

ion

on

the

effe

ctiv

enes

s and

ade

quac

y of

the

over

all i

nter

nal c

ontr

ol

syst

em.

Asse

ss t

he r

ole

of in

tern

al a

udit

in t

he p

roce

ss t

o ar

rive

at

an o

pini

on o

n th

e ef

fect

iven

ess

and

adeq

uacy

of t

he o

vera

ll in

tern

al co

ntro

l sys

tem

.

Ch

eck

whe

ther

inte

rnal

aud

it ca

n ex

pres

s an

opi

nion

bas

ed

on su

ffici

ent a

udit

cove

rage

of t

he o

rgan

izat

ion.

Inte

rnal

aud

it ex

pres

ses

an o

pini

on o

n th

e ov

eral

l sy

stem

of

inte

rnal

con

trol

whe

n re

quir

ed t

o do

so.

Th

is o

pini

on is

supp

orte

d by

suffi

cien

t aud

it co

vera

ge

of th

e or

gani

zatio

n.

Inte

rnal

aud

it pr

ovid

es a

n op

inio

n on

the

ent

ire

syst

em o

f in

tern

al c

ontr

ol w

ithou

t pr

oper

aud

it co

vera

ge.

CH

AP

TE

R 7



17

.10

.7 T

o en

sure

th

at in

tern

al a

ud

it p

rovi

des

ass

ura

nce

on

th

e re

liab

ilit

y an

d in

tegr

ity

of in

form

atio

n.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er in

form

atio

n in

tegr

ity a

nd re

liabi

lity

are

incl

uded

in th

e au

dit

univ

erse

.

Ch

eck

whe

ther

in

form

atio

n in

tegr

ity

and

relia

bilit

y ar

e gi

ven

due

cons

ider

atio

n du

ring

the

risk

ass

essm

ent e

xerc

ise.

Asse

ss w

heth

er i

nter

nal

audi

t re

view

s th

e ef

fect

iven

ess

of i

nfor

mat

ion

inte

grity

and

relia

bilit

y.

As

sess

the

role

that

inte

rnal

aud

it pl

ays w

ith re

spec

t to

info

rmat

ion

inte

grity

an

d re

liabi

lity.

Inte

rnal

au

dit

prov

ides

re

gula

r as

sura

nce

on i

nfor

mat

ion

inte

grity

an

d re

liabi

lity.

Inte

rnal

au

dit

does

no

t pr

ovid

e as

sura

nce

on i

nfor

mat

ion

inte

grity

an

d re

liabi

lity.

17

.10

.8 T

o en

sure

th

at in

tern

al a

ud

it p

rovi

des

ass

ura

nce

on

th

e p

riva

cy o

f in

form

atio

n.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er p

riva

cy o

f inf

orm

atio

n is

incl

uded

in th

e aud

it un

iver

se.

Chec

k w

heth

er t

he p

riva

cy o

f in

form

atio

n is

giv

en a

ppro

pria

te

cons

ider

atio

n du

ring

the

risk

ass

essm

ent e

xerc

ise.

Asse

ss w

heth

er in

tern

al au

dit r

evie

ws t

he ef

fect

iven

ess o

f inf

orm

atio

n pr

ivac

y.

As

sess

the

role

that

inte

rnal

aud

it pl

ays

with

res

pect

to in

form

atio

n pr

ivac

y.

Inte

rnal

aud

it pr

ovid

es re

gula

r ass

uran

ce o

n pr

ivac

y of

info

rmat

ion.

Inte

rnal

audi

t doe

s not

pro

vide

assu

ranc

e on

priv

acy

of in

form

atio

n.

CH

AP

TE

R 7



17

.11

. ISP

PIA

26

00

– C

omm

un

icat

ing

the

acce

pta

nce

of R

isk

s

The

follo

win

g as

sess

men

t gui

delin

es a

re p

rovi

ded

to e

nsur

e th

at le

vel o

f ris

k ac

cept

ed b

y th

e m

anag

emen

t is

with

in th

e ri

sk a

ppet

ite o

f the

ag

ency

.

17

.11

.1 T

o en

sure

th

at t

her

e is

an

esc

alat

ion

pro

cess

in

pla

ce i

n c

ase

man

agem

ent

choo

ses

to a

ccep

t a

risk

leve

l th

at i

s ab

ove

the

risk

ap

pet

ite

of t

he

agen

cy.

Rev

iew

ste

ps

Ass

essm

ent

outc

ome

Gen

eral

ly

Con

form

–

GC

Par

tial

ly

Con

form

- P

C

Doe

s N

ot

Con

form

- D

NC

Chec

k w

heth

er th

e m

etho

dolo

gy d

efin

es th

e st

eps

to b

e ta

ken

by in

tern

al a

udit

in s

uch

a si

tuat

ion.

Asse

ss w

heth

er i

nter

nal

audi

t im

plem

ents

th

e pr

escr

ibed

step

s whe

n ne

eded

.

Ther

e is

an

esca

latio

n pr

oces

s th

at i

nter

nal

audi

t fo

llow

s w

hen

man

agem

ent a

ssum

es r

isk

leve

ls th

at a

re b

eyon

d th

e ri

sk a

ppet

ite

of th

e or

gani

zatio

n.

Inte

rnal

aud

it do

es n

ot ta

ke a

ny s

teps

whe

n m

anag

emen

t ass

umes

ri

sk le

vels

that

are

bey

ond

the

risk

app

etite

of t

he o

rgan

izat

ion.

CH

AP

TE

R 7



Reference Material1. Internal Audit Manual, Ministry of Finance, Royal Government of Bhutan, 20142. Bhutan Government Internal Audit Standards, Ministry of Finance, Royal Government

of Bhutan, 20173. Internal Audit Annual Report 2016-17, Central Coordinating Agency Ministry of Finance,

Royal Government of Bhutan, June 20184. Quality Assessment Manual for the Internal Audit Activity issued by IIA 20185. IPPF – Practice Guide Quality Assurance and Improvement Programme – 2012, The IIA

Global6. International Standards for the Professional Practice of Internal Auditing (standards),

issued by IIA in January 20177. Implementation Guide on International Professional Practice Framework issued by IIA

in January 20178. Draft Quality Assessment Guide for Public Sector Internal Audit (A toolkit for quality

improvement {PEMPAL} 2016)9. Sample Quality Assurance Improvement Programme, IIA, 200910. USDA, 2008 Quality Assurance11. IIA 2012 – Quality Assurance and Improvement Programme, USA12. IIA 2006 External Quality Assessment, US13. IPPF – Practice Guide on Measuring Internal Audit Effectiveness and Efficiency, issued

IIA, December 201014. Ministry of Finance 2013: National Internal Control Framework, Bhutan15. Ministry of Finance, 2016: Performing an Effective Quality Assessment, Bhutan.16. Ministry of Finance, 2013: Performing an Effective Quality Assessment – Case Study,

Bhutan17. Internal Audit Handbook for Central Civil Ministries / Departments, Internal Audit

Division, Controller General of India, Department of Expenditure, Ministry of Finance, Government of India

18. Philippines Government Internal Audit Manual (PGIAM), Issued by Department of Budget and Management, in conjunction with the Office of the President – Internal Audit Office, the Commission on Audit, and the Reference Panel.

19. Discussion Paper No.3, Quality Assurance for Internal Audit, Public Internal Control Systems in the European Union, Public Internal Control an EU Approach. Reference 2014-3.

Central Coordinating Agency for Internal Audit ServiceMinistry of FinanceTashi Chhodzong, Thimphu, Bhutan

P.O.Box: 117Tel: +975-02-339729/ 330173Website: www.mof.gov.bt

Published by:Central Coordinating Agency for Internal Audit ServicesMinistry of FinancePost box # 117Contact: +975-02-330173

Designed and Printed at United Printing Press, [email protected]