1. Standard 1311: Internal Assessments|
Internal assessments must include ongoing monitoring of the performance of the internal audit activity and periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices. A comprehensive Quality Assurance and Improvement Program (QAIP) is not in place.
|Establish a formal QAIP that comprises two interrelated components of internal assessments: ongoing monitoring and periodic self-assessment. Ongoing monitoring incorporates activities necessary to evaluate the performance of routine policies and daily practices of internal audit. Periodic assessments are performed by competent audit professionals and are designed to evaluate conformance with the internal audit charter, the Standards, Definition of Internal Auditing, and the Code of Ethics. ||The internal assessment should be embedded in internal audit’s processes. In some large audit departments, an individual is appointed as the quality lead and has a specific focus on the QAIP. If this is not the case, the CAE should allocate time in the annual audit plan to conduct the ongoing and periodic assessments, as appropriate. The aim of ongoing monitoring is to provide assurance that the processes in place are working effectively to ensure quality is delivered on an audit-by-audit basis. It is primarily achieved through continuous monitoring activities, including engagement planning and supervision, standard work practices, working paper procedures and signoffs, and report reviews. Mechanisms/metrics may include:
A process that enables client and stakeholder feedback (e.g., client surveys) on individual engagements.
Assessment of audit engagement readiness prior to field work by ensuring items such as pre-approval of audit scope, budgeted hours, and resources.
The main objectives of periodic self-assessments are to identify the quality of ongoing performance and opportunities for improvement in internal audit processes and procedures. Check and validate the objectives and criteria used in the QAIP to determine whether they are still up to date, adequate, and valid. Periodic self-assessments may include:
In-depth interviews and surveys of stakeholder groups.
Benchmarking internal audit’s practices and performance metrics against relevant best practices.
Following an internal self-assessment, an action plan should be developed to address any identified areas for improvement.
2. Standard 1320: Reporting on the QAIP|
The CAE must communicate the results of the QAIP to senior management and the board. Most nonconformance issues noted relate to internal assessments required by Standard 1311.
|Implement consistent reporting of ongoing monitoring and periodic self-assessment results to the board.||Results of ongoing monitoring must be reported to the board at least annually. The result of the periodic self-assessment, and the level of conformance to the Standards, must be reported to the board at the completion of the self-assessment.
Don’t forget the reporting should include follow-up on previous recommendations.
3. Standard 1010: Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter|
The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The CAE should discuss these with senior management and the board. In many instances, internal audit charters failed to recognize the mandatory nature of these elements.
|Update the Internal Audit Charter to include the language that recognizes the mandatory nature of the Definition of Internal Audit, Code of Ethics and the Standards.||Reference in the Internal Audit Charter:
Internal audit will govern itself by adherence to The IIA’s mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and Standards. This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of internal audit’s performance.
4. Standard 1312: External Assessments External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The CAE must discuss with the board: |
• The form and frequency of external assessment.
• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest. An external assessment has been conducted outside the five-year requirement.
|The CAE must discuss with the audit committee the form and frequency of external assessment as well as the qualifications and independence of the external assessor or assessment team, including any potential conflicts of interest.||Internal audit management should plan future external quality assessments to ensure completion of the work within the five-year timeframe.
Note: The five-year requirement is based on a calendar year. The requirement should be reflected within the internal audit charter z
There are two methods for external assessments:
- EQA with the review and report performed by an independent team.
- Self-assessment with report validation by an independent validator
The CAE should determine which approach best fits internal audit’s needs.
5. Standard 1300: Quality Assurance and Improvement Program |
The CAE must develop and maintain a QAIP that covers all aspects of the internal audit activity. The internal audit manual doesn’t fully describe all required elements such as objectives, scope, internal and external assessment components, and communication of the results. Reflection of a comprehensive QAIP in the manual will support its sustainability and consistent execution.
|Document the QAIP in the internal audit manual to fully describe all required elements such as objectives, scope, internal and external assessment components, and communication of results. Expand and formalize the current in-place quality related activities to form a comprehensive QAIP. ||The IIA Practice Guide, Quality Assurance and Improvement Program (March 2012), provides strongly recommended guidance on the topic of a QAIP. The scope of the QAIP should be the operation of internal audit as described in the internal audit charter. Objectives for the QAIP should be consistent with those described in Practice Advisory 1310-1 (JOYCE: 1300-1?).The processes used to support ongoing monitoring of internal audit performance, internal periodic assessment, external assessment, and communication of internal and external assessment results should be documented in sufficient detail to consistently guide execution.|
6. Standard 1310: Requirements of the QAIP |
The QAIP must include both internal and external assessments. The QAIP doesn’t include both ongoing monitoring of the internal audit function’s performance and periodic self-assessments, in addition to the requirement of an external assessment at least once every five years.
|Implement a comprehensive QAIP process including both ongoing monitoring of the performance of internal audit and periodic self-assessments. Internal audit must conduct an external assessment, at least once every five years, through a qualified, independent assessor or an assessment team from outside the organization. ||Please see #1, 4, and 5 above.|
7. Standard 2240: Engagement Work Program. Internal auditors must develop and document work programs that achieve the engagement objectives. Key issues noted include lack of: |
• Sufficient detail required to demonstrate the engagement objectives.
• Supervisor review of audit programs before audit testing. Supervisor approval for audit program/testing changes.
|Ensure the internal audit policies and procedures are consistently adhered to such that: |
• Work papers are complete.
• The CAE approves the audit programs before the start of fieldwork.
• Supervision is documented. Consider obtaining a formal automated audit work paper suite to facilitate the documentation, review, and approval of the work papers. Approval of work programs should be consistently maintained in the work papers.
|Standard 2240.A1 requires that work programs (i.e., audit programs) are approved before implementation and that any adjustments to the work program are promptly approved.
Internal audit should maintain a standard audit program library of manager approved audit programs. At the time of creating new audit programs or significantly modifying existing standard audit programs, the procedure should include a process of manager review and approval.
Audit policy and procedures should include flexibility when audit steps in programs require adjustments. In the case of a required adjustment to an audit program, manager review and approval should be requested and documented in the files. Standard audit programs should be adjusted, if applicable.
8. Standard 1000: Purpose, Authority, and Responsibility |
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The CAE must periodically review the internal audit charter and present it to senior management and the board for approval. Key issues noted include:
• Significant time has passed since the last review of the audit charter.
• Internal audit charters do not reference conformance with The IIA’s Code of Ethics. Internal audit charters do not have specific reference to the nature of consulting services.
|The CAE should establish a procedure to periodically review the internal audit charter to ensure it reflects current procedures and requirements of The IIA’s International Professional Practices Framework (IPPF). The procedure should include submitting the charter to senior management and the audit committee for approval. Ensure responsibility for final approval resides with the audit committee. Amend the charter to include conformance with The IIA Code of Ethics and the nature of consulting engagements as required by the Standards. ||On July 6, 2015, The IIA introduced updated guidance on the enhanced IPPF. Among the most significant enhancements are the introduction of a
Mission of Internal Audit and articulation of 10
Core Principles for the Professional Practice of Internal Auditing.|
Implementation Guidance to replace all existing Practice Advisories will be developed through 2016 and will be released quarterly. Members can continue to use existing Practice Advisories to support conformance with the Standards until such time as new Implementation Guides are issued.
Two new Implementation Guides are currently available. Of which, one directly addresses Standard 1000, the
Implementation Guide 1000: Purpose, Authority, and Responsibility. This guide supports the implementation of Standard 1000, including the internal audit charter, a formal document that defines internal audit’s purpose, authority, and responsibility. The new guide is the best place to begin to ensure conformance with Standard 1000. It provides an overview on how to get started with the right focus and considerations for implementation and for demonstrating conformance.
9. Standard 2050: Coordination |
The CAE should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts. The roles and responsibilities of assurance providers in an organization are not always well-documented and coordinated to ensure resources are used efficiently. Without coordination and reporting, work may be duplicated or key risks may be missed or misjudged.
|Foster more engaged coordination of activities with the external auditors, and with the other internal assurance providers where deemed appropriate. ||Increased focus on the roles and responsibilities of senior management and boards has prompted many organizations to place a greater emphasis on assurance activities. Boards often use multiple sources to gain reliable assurance, including management and internal and external audit, and also ask where the delineation is between these functions, and if there are any overlaps.
Aside from internal and external auditors, there are groups in many organizations that include assurance functions, such as health, safety, and environment, security and legal that perform what are considered “second line of defense” functions. They provide some type of assurance services to management to identify undue exposures, non-compliance issues, deviations, and other type of exceptions.
The different roles and responsibilities of these assurance providers are not always well documented and it is important that they are coordinated to ensure resources are used effectively. Without effective coordination and reporting, work can be duplicated or key risks may be missed or misjudged.
As an initial step, the CAE should prepare an assurance map to reflect all assurance providers’ mandates and responsibilities to better understand the scope and depth of their work and identify potential duplications or omissions in the coverage being provided.
10. Standard 2020: Communication and Approval |
The CAE must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The CAE must also communicate the impact of resource limitations.
The annual internal audit planning process doesn’t begin with the complete audit universe indicating the high-risk areas followed by current audit resources’ coverage.
|Prepare initial annual audit plan proposal not influenced and/or restricted by existing resources. Present the complete audit universe to the audit committee to inform the committee of high-risk audits not included in the plan and the rationale. ||This standard is key to the internal audit department in the realm of functional reporting. Functional reporting is supported by the audit committee when approving the risk-based audit plan and changes to that plan.
Formal approval of the risk-based plan and the associated resource plan is a successful internal audit practice that demonstrates independent functional reporting and supports organizational independence and objectivity of internal audit. According to the recent 2015 Global Pulse of Internal Audit, internal audit needs to audit at the speed of risk, not at the speed of its traditional internal processes. More and more, internal audit activities see the need to build flexibility in their annual plan to respond to emerging risks. As noted in Imperatives for Change: The IIA’s Global Internal Audit Survey in Action 1: It is essential for the CAE to communicate with key stakeholders (executive management and the board) about changing risks and the need to revise the audit plan timely.
- Seek agreement on an appropriate balance between the need for internal audit to “complete the annual plan” and the need for internal audit to respond to emerging and changing risks.
- Report to key stakeholders on changing risk and directly link these changes in the annual audit plan.