Presentation from GRC 2014 on 15 May. Feel free to contact the speaker if you have any questions. The full schedule for the event can be found here: http://www.transcendentgroup.com/sv/har-har-du-hela-schemat-for-grc-2014/
Quality in internal audit work
15 May 2014
Hans Löfgren
Who am I?
© Transcendent Group Sverige AB 2013
What is quality?
The definition according to ISO 9000:
“All the combined characteristics of a product/service that give it the ability to satisfy stated or implied needs.”
IIA QAIP - Practice Guide:
“The quality of a product or service is the degree to which the product or service meets the customers' expectations.”
What is quality in internal audit work?
Quality in internal audit is guided by
both an obligation to meet
customer expectations as well as
professional responsibilities
inherent in conforming with the
Standards. While predominantly
complementary, it is the challenge
for the CAE to achieve both these
requirements.
Quality in internal audit work
• Standards 1300 to 1312 specifically require the CAE to develop a
QAIP incorporating both internal (self) assessments and external
assessments.
• Beyond these specific standards, internal audit as a profession,
should maintain a formal, structured approach to quality.
• Operating with proficiency and due professional care,
undertaking continuing professional development and
conforming with a set of recognised standards.
• Each of these allows internal audit to differentiate itself from
non-professional areas.
How do internal auditors perceive their value?
– CBOK 2011
• Most respondents believe that their internal audit activities add
value to their organizations.
• Both independence and objectivity are viewed as key factors for
internal audit activities to add value.
• While most respondents view their internal audit activity as
contributing to controls, they do not to the same extent perceive
it as contributing to risk management or governance.
• The most important factors to the perceived contribution of the
internal audit activity are: having appropriate access to the audit
committee, functioning without coercion to change a rating
assessment or withdraw a finding and more audit tools or
technology used on a typical audit engagement.
How do customers perceive the internal auditors' value?
There are studies showing that customers are not as positive about the value of internal audit as the internal auditors themselves are.
[Figure: two charts with the values 44% / 56% and 79% / 21%]
PwC's 2013 survey
On average, 37 percent considered that internal audit performed well or very well across the 8 attributes.
On average, 56 percent considered that internal audit performed well or very well across the 8 attributes.
2013 State of the Internal Audit Profession Study, PwC
Executive management and board members do not agree in their view of internal audit's value and performance. A larger percentage of board members than of executive management consider that internal audit provides significant value.
There is a large difference between executive management and board members in their assessment of internal audit's performance.
[Figure legend: executive management; board members]
What prevents us from working systematically with quality? – CBOK 2011
The principal reasons for noncompliance
include:
• Small size of the organization or
internal audit staff,
• Cost of using the Standards,
• Amount of time required for
compliance, or
• Lack of management/board support.
Develop a customer culture
It starts with relationships
• Understand and exceed stakeholder expectations
• Formal relationship management program—involve the whole team
Focus on people and talent development
• Training programs include business acumen and leadership
• Coaching and development programs to reinforce OTJ training
Establish credibility and earn a seat at the table
• Bring the right skills to cover a broader range of risks
• Ask for feedback and measure client satisfaction
• Balance independence, objectivity and value
How leading chief audit executives work to become more relevant
• Recruiting from the business and sourcing externally for missing
capabilities.
• Continually improving executive and audit committee reports to
provide better context and insight.
• Maintaining close working relationships with the audit
committee.
• Participating in strategic growth, cost and compliance initiatives.
• Engaging legal and compliance expertise to address the complex
array of global compliance risks.
• Partnering with internal and external technology specialists to
address rapidly changing technical and business risks.
2013 State of the Internal Audit Profession Study, PwC
Quality Assurance and Improvement program
A QAIP should conclude on the quality of the
internal audit activity
It enables an evaluation of:
• conformance with the Definition of Internal Auditing, the Code of Ethics and the
Standards,
• adequacy of the internal audit activity’s charter, goals, objectives, policies and
procedures,
• contribution to the organization’s governance, risk management, and control
processes,
• completeness of coverage of the entire audit universe,
• compliance with applicable laws, regulations, and government or industry standards to
which the internal audit activity may be subject,
• the risks affecting the operation of the internal audit activity itself,
• effectiveness of continuous improvement activities and adoption of best practices and
• whether the internal audit activity adds value, improves the organization’s operations,
and contributes to the attainment of objectives.
A QAIP must effectively be applied at three
fundamental levels (or perspectives)
Internal Audit Engagement Level (self-assessment at the audit, engagement or
operational level):
The engagement supervisor (possibly a manager or the CAE) is responsible for
providing assurance that:
• appropriate processes have been used to translate audit plans into specific,
appropriately resourced audit engagements,
• planning, fieldwork/conduct and reporting/communicating results conforms
with the Definition of Internal Auditing, the Code of Ethics and the
Standards,
• appropriate mechanisms are established and used to follow-up management
actions in response to audit recommendations and
• post-engagement client surveys, lessons learned, self-assessments and other
mechanisms to support continuous improvement are completed.
A QAIP must effectively be applied at three
fundamental levels (or perspectives)
Internal Audit Activity Level (self-assessment at the internal audit activity or organizational
level):
The CAE is responsible for providing assurance that:
• written policies and procedures, covering both technical and administrative matters, are
formally documented to guide audit staff in consistent conformance with the
Definition of Internal Auditing, the Code of Ethics and the Standards,
• audit work conforms with written policies and procedures,
• audit work achieves the general purposes and responsibilities described in the internal
audit charter,
• audit work conforms with the Definition of Internal Auditing, the Code of Ethics and
the Standards,
• internal audit work meets stakeholder expectation,
• the internal audit activity adds value and improves the organization’s operations and
• resources for the internal audit activity are efficiently and effectively utilized.
A QAIP must effectively be applied at three
fundamental levels (or perspectives)
External Perspective (independent external assessment of the entire
internal audit activity including individual engagements):
• The CAE must ensure that the internal audit activity undergoes
an external assessment (either an independent external assessment
or a self-assessment with independent validation) at least once
every five years by an independent assessor or assessment team
from outside the organization that is qualified in the practice of
internal auditing as well as the quality assessment process.
1311 – Internal assessments (PA 1311-1)
Internal assessments must include:
• ongoing monitoring/follow-up of the internal audit activity and
• periodic reviews performed as self-assessments or by other persons within the organization with knowledge of internal audit practices.
1311 – Internal assessments (PA 1311-1)
• Ongoing monitoring is an integral part of the day-to-day supervision and follow-up of the internal audit activity. Ongoing monitoring is part of the policies and practices used to manage the internal audit activity and uses the processes, tools and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards for the Professional Practice of Internal Auditing.
• Periodic reviews are the assessments conducted to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards for the Professional Practice of Internal Auditing.
• Sufficient knowledge of internal audit practices requires at least an understanding of all the elements of the “International Professional Practices Framework”.
Ongoing Monitoring
Ongoing monitoring provides assurance that the processes in place
are working effectively to ensure quality is delivered on an audit-by-
audit basis. It is primarily achieved through:
• continuous monitoring activities including engagement planning
and supervision,
• standard working practices,
• working paper procedures and signoffs and
• report reviews.
Ongoing monitoring
Additional mechanisms include:
• acquiring feedback from audit clients and other stakeholders,
• assessing the audit engagement readiness prior to fieldwork by looking
for items like pre-approval of the audit scope, innovative best
practices, budgeted hours and assigned staff (expertise),
• using checklists or internal audit automation to give assurance on
whether processes adopted by the internal audit activity (e.g. in internal
audit policies and procedures manuals) are being followed,
• using measures of project budgets, timekeeping systems and audit plan
completion to determine if appropriate time is spent on different
aspects of the audit process as well as high risk and complex areas and
• analyzing other performance metrics to measure stakeholder value.
Periodic Self-Assessment
A periodic self-assessment has a different but interrelated focus to ongoing
monitoring. Periodic self-assessments focus on evaluating:
• conformance with the Internal Audit Charter, the IIA Definition of
Internal Auditing, the Code of Ethics and the Standards,
• the quality of the audit work, including adherence to the internal audit
methodology for selected engagements,
• the quality of supervision,
• the infrastructure, including the policies and procedures, supporting the
internal audit activity,
• the ways in which the internal audit function adds value to the
organization and
• the achievement of performance standards/indicators.
Periodic self-assessments should be
conducted through:
• working paper reviews for conformance with the Definition of
Internal Auditing, the Code of Ethics and the Standards and
internal audit policies and procedures, by staff not involved in the
respective audits,
• self-assessment of the internal audit activity with objectives/
criteria established as part of the QAIP,
• review of internal audit performance metrics and benchmarking
of best practices and
• periodic activity and performance reporting to the board and
other stakeholders as deemed necessary.
Performance methods – CBOK study
The internal audit activity performance methods most frequently
used include:
1) assessment by percentage of the audit plan completed,
2) acceptance and implementation of recommendations,
3) surveys/feedback from the board/audit committee/senior
management,
4) customer/auditee surveys from audited departments,
5) assurance of sound risk management and
6) reliance by external auditors on the internal audit activity.
Performance metrics
Infrastructure
• number of audits scheduled/completed
• opportunities for cost reductions identified
Planning
• timeliness of audit notifications
• frequency of risk assessment updates
Fieldwork
• average time spent in field
• percentage of special requests fulfilled
Reporting and Communication
• average number of days to issue final report
• percent of issues past due
Client satisfaction
Client satisfaction surveys
• distributed to management and
the Audit Committee
• should provide a basis for
continuous improvement
• individual project satisfaction
surveys are often used on larger
projects.
Engagement Supervision,
Working Papers and Working
Paper Quality Review
Engagement Supervision
• monitor progress
• assess quality
• provide coaching
• the work provided by consultants should also be supervised and monitored.
Working papers
• engagement working papers
Engagement Supervision,
Working Papers and Working
Paper Quality Review
Working Papers Quality
Review
• quality checks
• management oversight
• should be performed on
selected audits
Small internal audit units
• In sole auditor activities, the internal auditor may seek assistance from other parts of the organisation to undertake quality assurance activities, provided this does not impact the independence of internal audit.
• The internal auditor may also look to peers in other organisations for support.
• Using checklists can also assist in providing assurance over audit quality.
External quality assessment
There are two approaches to the conduct of external assessments:
• A full external assessment involves the use of a qualified,
independent assessor or assessment team to conduct the full
assessment.
• A self-assessment with independent (external) validation involves
the use of a qualified, independent assessor or assessment team
to conduct an independent validation of the self-assessment
completed by the internal audit activity.
The purpose of quality assurance?
In our experience, the purpose of a quality assurance review of an internal audit function should be based on the following three dimensions for internal audit to be regarded as effective:
1. Effectiveness in meeting the requirements and needs of clients and stakeholders.
2. The ability to apply the latest best practice within the internal audit profession.
3. Effectiveness in complying with applicable professional and/or regulatory internal audit standards, e.g. the International Standards for the Professional Practice of Internal Auditing and/or the Internal Audit Ordinance (internrevisionsförordningen).
Evaluation criteria
• IIA Quality Assessment Manual Scale: Does Not
Conform/Partially Conforms/Generally Conforms.
• The IIA’s Assessment Scale — IIA Path to Quality:
Introductory/Emerging/Established/Progressive/Advanced.
• IIA Capability Model for the Public Sector: Initial/
Infrastructure/Integrated/Managed/Optimizing.
• DIIR (IIA–Germany) Guideline for Conducting a Quality Assessment:
3–Satisfactory/2–Room for Improvement/1–Significant
Improvement Needed/0–Unsatisfactory/Not Applicable.
What observations have I made during quality reviews?
• The dialogue with the board/audit committee and management is inadequate.
• An Audit Universe is not developed, or its development is inadequate.
• The risk analysis is not anchored in the organization before the internal audit plan is decided.
• The internal audit plan is not linked to the risk analysis.
• The audit objectives are not specified.
• Uneven quality of the audit documentation.
• The observations do not match the audit objectives.
• The reports are too long, lack a summary, lack prioritization.
• Follow-up of decided actions is missing.
www.transcendentgroup.com