Vad är kvalitet i internrevision?

Kvalitet i internrevisions-

arbetet

15 maj 2014

Hans Löfgren

Vem är jag?

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Vad är kvalitet?

Definitionen enligt ISO 9000:

”Alla sammantagna egenskaper hos en produkt/prestation som ger den dess förmåga att tillfredsställa uttalade eller underförstådda behov.”

IIA QAIP - Practice Guide:

”Kvaliteten på en produkt eller tjänst utgörs av den grad som produkten eller tjänsten möter kundernas förväntningar.”

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Vad är kvalitet i

internrevisionsarbetet?

Quality in internal audit is guided by

both an obligation to meet

customer expectations as well as

professional responsibilities

inherent in conforming with the

Standards. While predominantly

complementary, it is the challenge

for the CAE to achieve both these

requirements.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Kvalitet i internrevisionsarbetet

• Standards 1300 to 1312 specifically require the CAE to develop a

QAIP incorporating both internal (self) assessments and external

assessments.

• Beyond these specific standards, internal audit as a profession,

should maintain a formal, structured approach to quality.

• Operating with proficiency and due professional care,

undertaking continuing professional development and

conforming with a set of recognised standards.

• Each of these allows internal audit to differentiate itself from

non-professional areas.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Hur uppfattar internrevisorer sitt värde?

– CBOK 2011

• Most respondents believe that their internal audit activities add

value to their organizations.

• Both independence and objectivity are viewed as key factors for

internal audit activities to add value.

• While most respondents view their internal audit activity as

contributing to controls, they do not to the same extent perceive

it as contributing to risk management or governance.

• The most important factors to the perceived contribution of the

internal audit activity are: having appropriate access to the audit

committee, functioning without coercion to change a rating

assessment or withdraw a finding and more audit tools or

technology used on a typical audit engagement.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Hur uppfattar kunderna

internrevisorernas värde?

Det finns studier som visar att

kunderna inte är lika positiva

till internrevisionens värde

som internrevisorerna tycker

själva.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

44%

56%

79%

21%

PwC:s undersökning 2013

I genomsnitt ansåg 37 procent att internrevisionen presterade bra eller mycket bra inom de 8 attributen.

I genomsnitt ansåg 56 procent att internrevisionen presterade bra eller mycket bra inom de 8 attributen.

2013 State of the Internal Audit Profession Study, PwC

Företagsledning och

styrelseledamöter är inte eniga i

sin uppfattning om intern-

revisionens värde och prestation.

En större procentuell andel av

styrelseledamöter jämfört med

företagsledningen anser att

internrevisionen ger ett väsentligt

värde.

Det är stor skillnad mellan

företagsledningen och

styrelseledamöterna i deras

bedömning av internrevisionens

prestationer.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

executive management

board members

Vad hindrar oss att arbeta

med ett systematiskt

kvalitetsarbete – CBOK 2011

The principle reasons for noncompliance

include:

• Small size of the organization or

internal audit staff,

• Cost of using the Standards,

• Amount of time required for

compliance, or

• Lack of management/board support.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Utveckla en kundkultur

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

It starts with relationships

• Understand and exceed stakeholder expectations

• Formal relationship management program—involve the whole team

Focus on people and talent development

• Training programs include business acumen and leadership

• Coaching and development programs to reinforce OTJ training

Establish credibility and earn a seat at the table

• Bring the right skills to cover a broader range of risks

• Ask for feedback and measure client satisfaction

• Balance independence, objectivity and value

Hur ledande internrevisionschefer arbetar för

att bli mer relevanta

• Recruiting from the business and sourcing externally for missing

capabilities.

• Continually improving executive and audit committee reports to

provide better context and insight.

• Maintaining close working relationships with the audit

committee.

• Participating in strategic growth, cost and compliance initiatives.

• Engaging legal and compliance expertise to address the complex

array of global compliance risks.

• Partnering with internal and external technology specialists to

address rapidly changing technical and business risks.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

2013 State of the Internal Audit Profession Study, PwC

Quality Assurance and Improvement program

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

A QAIP should conclude on the quality of the

internal audit activity

It enables an evaluation of:

• conformance with the Definition of Internal Auditing, the Code of Ethics and the

Standards,

• adequacy of the internal audit activity’s charter, goals, objectives, policies and

procedures,

• contribution to the organization’s governance, risk management, and control

processes,

• completeness of coverage of the entire audit universe,

• compliance with applicable laws, regulations, and government or industry standards to

which the internal audit activity may be subject,

• the risks affecting the operation of the internal audit activity itself,

• effectiveness of continuous improvement activities and adoption of best practices and

• whether the internal audit activity adds value, improves the organization’s operations,

and contributes to the attainment of objectives.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

A QAIP must effectively be applied at three

fundamental levels (or perspectives)

Internal Audit Engagement Level (self-assessment at the audit, engagement or

operational level):

The engagement supervisor (possibly a manager or the CAE) is responsible for

providing assurance that:

• appropriate processes have been used to translate audit plans into specific,

appropriately resourced audit engagements,

• planning, fieldwork/conduct and reporting/communicating results conforms

with the Definition of Internal Auditing, the Code of Ethics and the

Standards,

• appropriate mechanisms are established and used to follow-up management

actions in response to audit recommendations and

• post-engagement client surveys, lessons learned, self-assessments and other

mechanisms to support continuous improvement are completed.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013



Internal Audit Activity Level (self-assessment at the internal audit activity or organizational

level):

The CAE is responsible for providing assurance that:

• written policies and procedures, covering both technical and administrative matters, are

formally documented to guide audit staff in consistent conformance with the

Definition of Internal Auditing, the Code of Ethics and the Standards,

• audit work conforms with written policies and procedures,

• audit work achieves the general purposes and responsibilities described in the internal

audit charter,

• audit work conforms with the Definition of Internal Auditing, the Code of Ethics and

the Standards,

• internal audit work meets stakeholder expectation,

• the internal audit activity adds value and improves the organization’s operations and

• resources for the internal audit activity are efficiently and effectively utilized.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013



External Perspective (independent external assessment of the entire

internal audit activity including individual engagements):

• The CAE must ensure that the internal audit activity undergoes

an external assessment (either an independent external assessment

or a self-assessment with independent validation) at least once

every five years by an independent assessor or assessment team

from outside the organization that is qualified in the practice of

internal auditing as well as the quality assessment process.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

1311 – Interna bedömningar

(PA 1311-1)

Interna bedömningar ska innefatta:

• fortlöpande

övervakning/uppföljning av intern-

revisionsverksamheten och

• regelbundna granskningar som

genomförs som självutvärderingar

eller av andra personer inom

organisationen med kunskap om

internrevisionspraxis.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

1311– Interna bedömningar (PA 1311-1)

• Fortlöpande uppföljning är en integrerad del av den dagliga övervakningen

och uppföljningen av internrevisionsverksamheten. Fortlöpande uppföljning

är del av policys och praxis som används för att leda

internrevisionsverksamheten och använder de processer, verktyg och

information som kan anses nödvändig för att utvärdera överensstämmelsen

med Definitionen av internrevision, de Yrkesetiska Riktlinjerna samt

Riktlinjer för yrkesmässigt utövande av internrevision.

• Regelbundna granskningar är de utvärderingar som genomförs för att

utvärdera överensstämmelsen med Definitionen av internrevision, de

Yrkesetiska Riktlinjerna samt Riktlinjer för yrkesmässigt utövande av

internrevision.

• Tillräcklig kunskap om internrevisionspraxis kräver åtminstone en förståelse

för samtliga de delar som ingår i ”International Professional Practices

Framework”.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Ongoing Monitoring

Ongoing monitoring provides assurance that the processes in place

are working effectively to ensure quality is delivered on an audit-by-

audit basis. It is primarily achieved through:

• continuous monitoring activities including engagement planning

and supervision,

• standard working practices,

• working paper procedures and signoffs and

• report reviews.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Ongoing monitoring

Additional mechanisms include:

• acquiring feedback from audit clients and other stakeholders,

• assessing the audit engagement readiness prior to fieldwork by looking

for items like pre-approval of the audit scope, innovative best

practices, budgeted hours and assigned staff (expertise),

• using checklists or internal audit automation to give assurance on

whether processes adopted by the internal audit activity (e.g. in internal

audit policies and procedures manuals) are being followed,

• using measures of project budgets, timekeeping systems and audit plan

completion to determine if appropriate time is spent on different

aspects of the audit process as well as high risk and complex areas and

• analyzing other performance metrics to measure stakeholder value.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Periodic Self-Assessment

A periodic self-assessment has a different but interrelated focus to ongoing

monitoring. Periodic self-assessments focus on evaluating:

• conformance with the Internal Audit Charter, the IIA Definition of

Internal Auditing, the Code of Ethics and the Standards,

• the quality of the audit work, including adherence to the internal audit

methodology for selected engagements,

• the quality of supervision,

• the infrastructure, including the policies and procedures, supporting the

internal audit activity,

• the ways in which the internal audit function adds value to the

organization and

• the achievement of performance standards/indicators

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Periodic self-assessments should be

conducted through:

• working paper reviews for conformance with the Definition of

Internal Auditing, the Code of Ethics and the Standards and

internal audit policies and procedures, by staff not involved in the

respective audits,

• self-assessment of the internal audit activity with objectives/

criteria established as part of the QAIP,

• review of internal audit performance metrics and benchmarking

of best practices and

• periodic activity and performance reporting to the board and

other stakeholders as deemed necessary.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Performance methods – CBOK study

The internal audit activity performance methods most frequently

used include:

1) assessment by percentage of the audit plan completed,

2) acceptance and implementation of recommendations,

3) surveys/feedback from the board/audit committee/senior

management,

4) customer/auditee surveys from audited departments,

5) assurance of sound risk management and

6) reliance by external auditors on the internal audit activity.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Performance metrics

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Infrastructure

• number of audits scheduled/completed

• opportunities for cost reductions identified

Planning

• timeliness of audit notifications

• frequency of risk assessment updates

Fieldwork

• average time spent in field

• percentage of special requests fulfilled

Reporting and Communication

• average number of days to issue final report

• percent of issues past due

Client satisfaction

Client satisfaction surveys

• distributed to management and

the Audit Committee

• should provide a basis for

continuous improvement

• individual project satisfaction

surveys are often used on larger

projects.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Engagement Supervision,

Working Papers and Working

Paper Quality Review

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Engagement Supervision

• monitor progress

• assess quality

• provide coaching

• the work provided by consultants should also be supervised and monitored.

Working papers

• engagement working papers

Engagement Supervision,

Working Papers and Working

Paper Quality Review

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Working Papers Quality

Review

• quality checks

• management oversight

• should be performed on

selected audits

Små internrevisionsenheter

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

• In sole auditor activities, the internal auditor may seek assistance from other parts of the organisation to undertake quality assurance activities, provided this does not impact the independence of internal audit.

• The internal auditor may also look to peers in other organisations for support.

• Using checklists can also assist in providing assurance over audit quality.

Extern kvalitetsutvärdering

There are two approaches to the conduct of external assessments:

• A full external assessment involves the use of a qualified,

independent assessor or assessment team to conduct the full

assessment.

• A self-assessment with independent (external) validation involves

the use of a qualified, independent assessor or assessment team

to conduct an independent validation of the self-assessment

completed by the internal audit activity.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Syftet med en kvalitetssäkring?

Syftet med en kvalitetssäkring av en internrevision ska utifrån vår

erfarenhet utgå ifrån följande tre dimensioner för att

internrevisionen ska kunna bli ansedd som effektiv:

1. Effektiviteten i att möta uppdragsgivares och intressenters

krav och behov.

2. Förmågan att tillämpa senaste best practice inom

internrevisionsprofessionen.

3. Effektiviteten i efterlevnaden av tillämpliga professionella

och/eller regulatoriska internrevisionsstandards, t.ex. de

internationella riktlinjerna för yrkesmässigt utövande av

internrevision och/eller internrevisionsförordningen.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Utvärderingskriterier

• IIA Quality Assessment Manual Scale: Does Not

Conform/Partially Conforms/Generally Conforms.

• The IIA’s Assessment Scale — IIA Path to Quality:

Introductory/Emerging/Established/Progressive/ Advanced.

• IIA Capability Model for the Public Sector: Initial/

Infrastructure/Integrated/Managed/Optimizing.

• DIIR (IIA–Germany) Guideline for Conducting a Quality Assessment:

3–Satisfactory/2–Room for Improvement/1–Significant

Improvement Needed/ 0–Unsatisfactory/Not Applicable).

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

Vad har jag gjort för iakttagelser vid kvalitets-

genomgångar?

• Dialogen med styrelse/revisionsutskott och ledning är bristfällig.

• Utvecklingen av ett Audit Universe förekommer ej eller är bristfällig.

• Riskanalysen förankras inte i organisationen innan

internrevisionsplanen beslutas.

• Internrevisionsplanen kopplar inte till riskanalysen.

• Revisionsmålen är inte preciserade.

• Ojämn kvalitet på granskningsdokumentationen.

• Iakttagelserna matchar inte revisionsmålen.

• Rapporterna för långa, saknar sammanfattning, saknar prioriteringar.

• Uppföljning av beslutade åtgärder saknas.

© T

ran

scen

den

t G

rou

p S

veri

ge A

B 2

013

www.transcendentgroup.com

Leadership & Management

Vad är kvalitet i internrevision?