© 2013 Protiviti Middle East Region
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
Internal Audit Quality Assessment
Mohammad Kamel AL-Draidi
Attend/Workshop
internal audit quality
assessment
18 November 2014
Riyadh, Saudi Arabia
We will focus on:
• Understand requirements of Quality in Internal Audit
• Understand what is Quality Assessment
• International Professional Practices Framework (IPPF) and International Standards for the Professional Practice of Internal Auditing (International Standards)
• Quality Assessment & Improvement Program
• Familiarization of Quality Assessment Process of an Internal Audit Function
• Understand the Quality Assessment tools and techniques
• Common observations highlighted in Quality Assessment reviews
• Attributes of high performing Quality Assessment reviews
Objectives of the Workshop
Quality
• Quality is not absolute. The quality of a product or service is the degree to which the
product or service meets the customer’s expectations and the degree to which it is fit
for purpose.
• Delivering quality requires a systematic and disciplined approach as professionals —
quality does not just happen.
• It is the combination of the right people, the right systems, and a commitment to
excellence.
• It is driven by the leaders of the organization who are responsible for setting the
“tone at the top.”
What is Quality?
“Quality is never an accident, it is always an Intelligent Effort”
– John Ruskin
• For an internal audit activity, stakeholders could include the board, senior
management, the external auditor, and operational managers.
• Quality in internal audit is guided by both an obligation to meet customer
expectations as well as professional responsibilities inherent in conforming to the
Standards.
• Quality in internal audit begins with the structure and organization of the audit
activity.
• Quality should be built in to, and not on to, the way the activity conducts its
business. This can be done through deploying:
• Internal audit methodology,
• Policies and procedures and
• Human resource practices.
• Each of these should be premised on a common understanding of quality and
stakeholder perception of value.
Quality in Internal Audit
Drivers
• Stakeholders' Expectations
• IA Charter, Policies and Procedures
• Leading Practices
• IIA Standards
Quality Assessment
5Ws of Quality Assessment (QA)
#1 WHAT is QA?
A QA evaluates conformance with the International Standards, the efficiency and effectiveness of the internal audit activity, and the use of leading practices.
#2 WHY undergo QA?
• QAs are necessary in order to provide full objectivity.
• They build stakeholder confidence by documenting the internal audit function's commitment to quality and leading practices, and the internal auditors' mindset for professionalism.
• Provides evidence to the board, management, and staff that the internal audit activity is concerned about the organization's internal controls, governance, and risk management processes.
5Ws of Quality Assessment [QA] (contd.)
#3 WHEN does an Internal Audit Activity need to have a QA performed?
• It is mandatory that every internal audit activity undergo a QA conducted by an independent team or independent validator once every five years to comply with the International Standards.
• The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards.
#4 WHO can conduct a QA?
The Professional Practices Framework defines the required competency of the QA team leaders and team.
#5 WHERE do I start?
To conduct an internal quality assessment, establish a benchmark of your internal audit activity that can be used to establish metrics indicating improvement in areas of partial compliance or noncompliance with the International Standards.
Benefits of Quality Assurance
Beneficiaries of Quality Assurance
• Internal Auditors
• Audit Committee / Board
• Management
• Employees
Benefits of Quality Assurance for Internal Auditors
• Ability to state conformance with the International Standards
• Continuous improvement
• Obtaining best-practice recommendations and benchmarks
• Gaining a sense of accomplishment and satisfaction
• Better focus on the areas for further improvement and new ideas on how to do things better
Benefits of Quality Assurance for the Audit Committee & Board
• Assurance of the internal audit activity’s quality, competence and professionalism
• Clarity for the internal audit and audit committee's roles and responsibilities and their respective charters
• Receiving an independent assessment / opinion of the effectiveness of the internal audit activity
• Increased reliance upon the work of internal audit activity and enhanced credibility
Benefits of Quality Assurance for the Management
• Opportunity to provide anonymous feedback to the internal audit activity
• Raised awareness among the management about internal audit role and professional standards
• Assurance that the auditors are being audited
• Independent validation of the effectiveness of the internal audit activity
Benefits of Quality Assurance for the Employees
• Assurance that the auditors are being audited
• Gained more familiarity with the internal auditor’s role
• Ability to express feedback on the internal audit activity
• Assurance that the internal audit activity can be trusted and is credible
International Professional Practices
Framework (IPPF)
The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. IPPF guidance includes:
• Mandatory Guidance
  • Definition
  • Code of Ethics
  • International Standards
• Strongly Recommended Guidance
  • Position Papers
  • Practice Advisories
  • Practice Guides
The International Professional Practices Framework
Internal auditing is an independent,
objective assurance and consulting activity
designed to add value and improve an
organization’s operations.
It helps an organization accomplish its
objectives by bringing a systematic,
disciplined approach to evaluate and
improve the effectiveness of risk
management, control, and governance
processes.
IPPF – Definition of Internal Auditing
The Code of Ethics of The Institute of Internal Auditors (IIA) comprises principles relevant to the profession and practice of internal auditing and Rules of Conduct that describe behavior expected of internal auditors.
The Code of Ethics applies to both parties and entities that provide internal audit services.
The purpose of the Code of Ethics is to
promote an ethical culture in the global
profession of internal auditing.
IPPF – Code of Ethics
The purpose of the International Standards for the
Professional Practice of Internal Auditing (International
Standards) is to:
• Delineate basic principles that represent the
practice of internal auditing as it should be.
• Provide a framework for performing and
promoting a broad range of value-added internal
audit activities.
• Establish the basis for the evaluation of internal
audit performance.
• Foster improved organizational processes and
operations.
The International Standards consist of the following:
• Attribute Standards (Mandatory)
• Performance Standards (Mandatory)
IPPF – International Standards
Position Papers assist a wide range of interested
parties, including those not in the internal audit
profession, in understanding significant
governance, risk, or control issues and
delineating related roles and responsibilities of
internal auditing.
IPPF – Position Papers
Practice Advisories assist internal auditors in
applying the Definition of Internal Auditing, the
Code of Ethics, and the International Standards
and promoting good practices.
Practice Advisories address internal auditing
approach, methodologies, and considerations, but
not detailed processes or procedures. They include
practices relating to:
• international, country, or industry-specific
issues;
• specific types of engagements;
• legal or regulatory issues.
IPPF – Practice Advisories
Practice Guides provide detailed guidance for
conducting internal audit activities.
They include detailed processes and procedures,
such as:
• tools and techniques;
• programs;
• step-by-step approaches; and
• examples of deliverables.
IPPF – Practice Guides
IPPF Standards
IPPF – International Standards
Attribute Standards explain the following:
Standard Title
1000 Purpose, Authority and Responsibility
1010 Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
1100 Independence and Objectivity
1110 Organisational Independence
1111 Direct Interaction with the Board
1120 Individual Objectivity
1130 Impairment to Independence or Objectivity
1200 Proficiency and Due Professional Care
1210 Proficiency
1220 Due Professional Care
1230 Continuing Professional Development
1300 Quality Assurance and Improvement Program (QAIP)
1310 Requirements of the Quality Assurance and Improvement Program
1311 Internal Assessments
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
1321 Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
1322 Disclosure of Nonconformance
IPPF – International Standards
Performance Standards explain the following:
Standard Title
2000 Managing the Internal Audit Activity
2010 Planning
2020 Communication and Approval
2030 Resource Management
2040 Policies and Procedures
2050 Coordination
2060 Reporting to Senior Management and the Board
2070 External Service Provider and Organizational Responsibility for Internal Auditing
2100 Nature of Work
2110 Governance
2120 Risk Management
2130 Control
2200 Engagement Planning
2201 Planning Considerations
2210 Engagement Objectives
2220 Engagement Scope
2230 Engagement Resource Allocation
2240 Engagement Work Program
2300 Performing the Engagement
2310 Identifying Information
2320 Analysis and Evaluation
2330 Documenting Information
2340 Engagement Supervision
IPPF – International Standards
Performance Standards (contd.)
Standard Title
2400 Communicating Results
2410 Criteria for Communicating
2420 Quality of Communications
2421 Errors and Omissions
2430 Use of ‘Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing’
2431 Engagement Disclosure of Nonconformance
2440 Disseminating Results
2450 Overall Opinions
2500 Monitoring Progress
2600 Resolution of Senior Management’s Acceptance of Risks
IPPF – Mandatory Guidance
for Quality Assurance
IPPF – Mandatory Guidance for Quality Assurance
Standard Title
1300 Quality Assurance and Improvement Program
1310 Requirements of the Quality Assurance and Improvement Program
1312 External Assessments
1320 Reporting on the Quality Assurance and Improvement Program
1321 Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
1322 Disclosure of Nonconformance
IPPF – Mandatory Guidance for Quality Assurance (contd.)
1300 Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and
improvement program that covers all aspects of the internal audit activity.
Interpretation:
A quality assurance and improvement program is designed to enable an evaluation of
the internal audit activity’s conformance with the Definition of Internal Auditing and
the Standards and an evaluation of whether internal auditors apply the Code of Ethics.
The program also assesses the efficiency and effectiveness of the internal audit activity
and identifies opportunities for improvement.
1310 Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external
assessments.
Internal assessments are of two types:
• Ongoing as part of each audit review
• Periodic peer review
IPPF – Mandatory Guidance for Quality Assurance (contd.)
1312 External Assessments
External assessments must be conducted at least once every five years by a qualified, independent
reviewer or review team from outside the organization.
Interpretation:
A qualified reviewer or review team consists of individuals who are competent in the professional
practice of internal auditing and the external assessment process.
The evaluation of the competency of the reviewer and review team is a judgment that considers the
professional internal audit experience and professional credentials of the individuals selected to
perform the review.
The evaluation of qualifications also considers the size and complexity of the organizations that the
reviewers have been associated with in relation to the organization for which the internal audit
activity is being assessed, as well as the need for particular sector, industry, or technical knowledge.
An independent reviewer or review team means not having either a real or an apparent conflict of
interest and not being a part of, or under the control of, the organization to which the internal audit
activity belongs.
IPPF – Mandatory Guidance for Quality Assurance (contd.)
1320 Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and
improvement program to senior management and the board.
Interpretation:
The form, content, and frequency of communicating the results of the quality
assurance and improvement program is established through discussions with senior
management and the board and considers the responsibilities of the internal audit
activity and chief audit executive as contained in the internal audit charter.
To demonstrate conformance with the Definition of Internal Auditing, the Code of
Ethics, and the Standards, the results of external and periodic internal assessments are
communicated upon completion of such assessments and the results of ongoing
monitoring are communicated at least annually. The results include the reviewer’s or
review team’s assessment with respect to the degree of conformance.
IPPF – Mandatory Guidance for Quality Assurance (contd.)
1321 Use of ‘Conforms with International Standards for the Professional Practice
of Internal Auditing’
The chief audit executive may state that the internal audit activity conforms with the
International Standards for the Professional Practice of Internal Auditing only if the
results of the quality assurance and improvement program support this statement.
1322 Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or
the Standards impacts the overall scope or operation of the internal audit activity, the
chief audit executive must disclose the nonconformance and the impact to senior
management and the board.
IPPF – Mandatory Guidance for Quality Assurance (contd.)
Quality Assurance & Improvement
Program (QAIP)
Quality Assurance & Improvement Program
• A QAIP should conclude on the quality of the internal audit activity and lead to
recommendations for appropriate improvements. It enables an evaluation of:
• Conformance with the Definition of Internal Auditing, the Code of Ethics, and the
Standards.
• The adequacy of the internal audit activity’s charter, goals, objectives, policies
and procedures.
• The contribution to the organization’s governance, risk management, and control
processes.
• Completeness of coverage of the entire audit universe, risks faced by the
company.
• Whether the internal audit activity adds value, improves the organization’s
operations, and contributes to the attainment of objectives.
Quality Assurance & Improvement Program (contd.)
To achieve comprehensive coverage of all aspects of the internal audit activity, a QAIP
must effectively be applied at three fundamental levels (or perspectives):
• Internal Audit Engagement Level (self-assessment at the audit, engagement, or
operational level)
• Internal Audit Activity Level (self-assessment at the internal audit activity or
organizational level)
• External Perspective (independent external assessment of the entire internal
audit activity including individual engagements)
The CAE is responsible for developing the QAIP and should lead by example by
embedding quality into the internal audit activity.
QAIP Program (contd.)
Internal Audit Engagement Level (self-assessment at the audit, engagement, or
operational level). The engagement supervisor (possibly a manager or the CAE) is
responsible for providing assurance that:
• Appropriate processes have been used to translate audit plans into specific,
appropriately resourced audit engagements.
• Planning, fieldwork conduct, and reporting/communicating results conform to
the Definition of Internal Auditing, the Code of Ethics, and the Standards.
• Appropriate mechanisms are established and used to follow-up management
actions in response to audit recommendations.
• Post-engagement client surveys, lessons learned, self-assessments, and other
mechanisms to support continuous improvement are completed.
Quality Review Checkilist.doc
QAIP Program (contd.)
Internal Audit Activity Level (Periodic self-assessment at the internal audit activity or
organizational level). This can be conducted through:
• Working paper reviews for conformance with the Definition of Internal Auditing,
the Code of Ethics, the Standards, and internal audit policies and procedures by
staff not involved in the respective audits.
• Review of internal audit performance metrics and benchmarking of best
practices. Use of GAIN metrics and CMM model
• Client surveys.
• Interviews with various stakeholders.
• Periodic activity and performance reporting to the board and other stakeholders
as deemed necessary.
QAIP Program (contd.)
External Perspective (independent external assessment of the entire internal audit
activity including individual engagements).
The CAE must ensure that the internal audit activity undergoes an external
assessment at least once every five years by an independent assessor or assessment
team from outside the organization.
Quiz
Scenario 1
Which of the following are the two approaches to external assessment?
A. A full external assessment conducted by a qualified, external independent reviewer or review team.
B. The use of a qualified, independent external reviewer or review team to conduct an independent validation of the internal self-assessment and a report completed by the internal audit activity.
C. A full external assessment conducted by Certified Internal Auditors (CIAs) currently assigned elsewhere in the organization.
D. Independent validation of the internal self-assessment using the organization’s external auditor firm.
Answer: A & B
Reference: Practice Advisory 1312-1 #4
Scenario 2
In addition to ongoing monitoring of the performance of the internal audit activity, which of the following must be included as part of the internal audit activity’s internal assessment program according to the Standards?
A. Review of the organization’s methods for communicating periodic financial reporting information.
B. Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.
C. Integration of the internal audit activity’s financial, operational, IT, and consulting services.
D. Researching and communicating new or updated accounting, auditing, and regulatory standards to staff.
Answer: B
Reference: Standard 1311
Scenario 3
Three CAEs, who are long-time members of a regional industry association, want to use a peer review approach to comply with Standard 1312. One of their Audit Committees is concerned about the appearance of impaired independence. To overcome this concern they could add one or more independent members to the external assessment team – or use the independent members to validate the work of their peer review teams (True or False)?
A. True
B. False
Answer: A
Reference: Practice Advisory 1312-1 #5 (last two bullet points).
Scenario 4
Which of the following is not a part of the International Professional Practices Framework?
A. Code of Ethics
B. Position Papers
C. Development and Practice Aids
D. Practice Guides
Answer: C
Reference: IPPF Table of Contents; also per the Internal Audit Quality Assessment participant guide and the IIA website. Development and Practice Aids have been dropped, and Position Papers and Practice Guides have been added.
Scenario 5
According to the definition of Internal Auditing in the International Professional Practices Framework (IPPF), the internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of which processes?
A. Risk management, guidance and leadership.
B. Governance, leadership and control.
C. Risk management, governance and control.
D. Financial reporting controls.
Answer: C
Reference: Definition of Internal Auditing – Answers A, C, and D are parts of three processes that are imbedded in the definition.
Scenario 6
“The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.” is the International Professional Practices Framework’s definition of –
A. Independence
B. Objectivity
C. Neither
Answer: A
Reference: Glossary. These two terms are also defined in the “Interpretation” of Standard 1100.
Scenario 7
“An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others” is the International Professional Practices Framework’s definition of –
A. Independence
B. Objectivity
C. Neither
Answer: B
Reference: Glossary and the “Interpretation” to Standard 1100.
Quality Assessment Process
The Quality Assessment (QA) Process
Planning the Review
• Selecting QA team
• Self study
• Preliminary visit
• Surveys
Performing the Review
• On-site procedures
• Interviews
• Consider other monitoring functions
• Evaluate the internal audit activity’s conformance
• Review quality improvement actions – and consider best practices
Communicating the Results
• Closing conference
• Draft / finalize report
• Follow-up executive conference
Quality Assessment Process
vis-à-vis Tools
QA Process vis-à-vis Tools
Preparation and Preliminary Phase
QAE Tool Description
Tool 1 Preparation and Planning for Conducting External Quality Assessments
Tool 1A Preparation and Planning for Conducting a Self-Assessment with Independent Validation
Tool 2 Quality Assessment Advanced Preparation
Tool 2A Self-assessment Guide
Tool 3 Chief Audit Executive Questionnaire
Tool 4 Audit Client Survey
Tool 5 Internal Audit Activity Staff Survey
QA Process vis-à-vis Tools (contd.)
Interview Guides
QAE Tool Description
Tool 6 Interview Guide – Board (AC) Member
Tool 7 Interview Guide – Executive to Whom Chief Audit Executive Reports
Tool 8 Interview Guide – Senior and Operating Management
Tool 8A Interview Guide – Chief Information Officer
Tool 9 Interview Guide – Chief Audit Executive
Tool 10 Interview Guide – Internal Audit Activity Staff
Tool 11 Interview Guide – External Auditor
QA Process vis-à-vis Tools (contd.)
Quality Assessment Program Segments
QAE Tool – Description
Tool 12 – IA Activity Structure and Responsibilities
Tool 13 – Risk Assessment and Audit Planning
Tool 14 – Staff Professional Proficiency
Tool 15 – Information Technology
Tool 16 – Assessing Completion of Audit Plan and Value Added
Tool 17 – Planning and Executing the Engagement, Workpaper Review, Audit Report, and Monitoring Progress
QA Process vis-à-vis Tools (contd.)
Evaluation and Reporting
QAE Tool – Description
Tool 18 – Observations and Issues Worksheet
Tool 19 – Standards Conformance Evaluation Summary
Tool 20 – External Assessment Sample Report
Tool 21 – Self-assessment with External Independent Validation
Preparation & Planning for QA Review
 Quality Assessment team selection
 Information gathering and CAE questionnaire tool
 Preliminary visit
 Client and staff survey
Planning Activities
 Qualifications (Practice Advisories)
• Independence
• Integrity and objectivity
• Competence
• Size of the team depends on the scope of work, objectives, etc. of the internal audit
activity and organization.
 Not required to be a CIA
Quality Assessment Team Selection
 Organization culture
 Independence
 Internal Audit Charter
 Audit Manual
 Risk assessment methodology / audit plan
 Objectivity and code of ethics
 Quality Assurance and Improvement Program
 Coordination
 Successful practices
Information Gathering
Tool 2
Key highlights
 Does the board (i.e., audit committee) get involved in the annual planning / budgeting
 Frequency of reporting to the board and meeting with it
 Involvement in senior management meetings
 Executive management’s expectations, support, and satisfaction
 Use of the organization’s risk framework, strategic business plan, and technology plan
in the planning process
 Funding, staff mix and skills, technology, and resources
 Staff views in planning process
 Compliance with IIA
 Adequacy of training programs
Chief Audit Executive Questionnaire
Tool 3
 Tool 4 – Audit Client Survey
 Tool 5 – Internal Audit Activity Staff Survey
 Survey tools and techniques:
• Anonymity and reader comprehension
• Representative samples
• Evaluating responses
• Communicating results
Internal Audit Client and Staff Surveys
 Audit Client Survey
 This survey focuses on obtaining the perspectives of IA customers on the following:
 Relationship of IA with management
 Quality of Audit staff
 Scope of audit work / coverage
 Audit process and reporting
 Management of IA activity
 Value Added
 Areas of Improvement
Internal Audit Client and Staff Surveys (contd.)
Tool 4.doc
 IA Staff Survey
 This survey focuses on obtaining the perspectives of IA team on the following:
 Knowledge and Skills on IIA Standards
 Knowledge and Skills on Audit process (Risk assessment, execution, reporting etc.)
 Training and staff development process
 Internal and External Communication
 Interaction with Stakeholders
Internal Audit Client and Staff Surveys (contd.)
Tool 5.doc
Performing the Quality Assessment Review
 To discuss and expand information gathered during the planning phase of the
assessment, interviews are conducted with significant stakeholders of the internal
audit activity and with the Chief Audit Executive.
 Interviews with the following stakeholders:
• Board / Audit Committee Member
• Executive to Whom Chief Audit Executive Reports
• Senior and Operating Management
• Chief Audit Executive
• Internal Audit Activity Staff
• External Auditor
• Audit file reviews
Conducting QA
The key objective of these interviews is to obtain independent perspectives of various
stakeholders towards internal audit performance. Some of these are listed below:
 Understand organization’s overall control environment, governance, and
management processes and assess whether considered by IA team.
 Key risks in the organization and assess whether considered by IA team.
 Independence, structure, and scope of work of the IA activity.
 Credibility and effectiveness of the CAE and the IA activity.
 Professionalism of IA staff
 Value added by IA
 Partnering with IA
 Improvement areas for IA
Interview highlights
Tool 6 – Interview Guide – Board / Audit Committee Member
Tool 6
Tool 7 – Interview Guide – Executive to Whom CAE Reports
Tool 7
 Comment on the organization’s overall control environment, governance, and
management processes.
 Comment on other oversight or monitoring functions (such as evaluation, process
improvement, control self-assessment, or special investigations) and the
independent audit firm, in relation to the IA activity.
Highlights of Tool 8 – Senior and Operating Management
Tool 8
Tool 9 - Interview Guide – Chief Audit Executive
Tool 9
 Comment on the IA activity’s charter and scope of work.
 Give your views on how you are managed and on how your skills are utilized and
developed.
Highlights of Tool 10 - Internal Audit Activity Staff
Tool 10
Tool 11 - Interview Guide – External Auditor
Tool 11
An end-to-end review of sample audit files is a critical component in assessing adherence to
standards. The following key components are reviewed in this process:
 Engagement Planning
 Process Understanding
 Process Risk Assessment
 Audit Program
 Work Paper documentation
 Reporting and Audit Closure
Workpaper review
Workpaper review checklist
 Program segments are used to document and validate conformity to the Standards
of the internal audit activity as well as the effectiveness of its policies and processes.
Detailed procedures are segmented into major areas to be reviewed to ensure
comprehensive coverage.
 Tools to be used:
• Tool 12 – IA Activity Structure and Responsibilities
• Tool 13 – Risk Assessment and Audit Planning
• Tool 14 – Staff Professional Proficiency
• Tool 16 – Assessing Completion of Audit Plan and Value Added
• Tool 17 – Planning and Executing the Engagement, Workpaper Review, Audit
Report, and Monitoring Progress
Tailoring and Completing the QA Program Segment
 IA Structure, Independence and Objectivity
 IA Planning
 Internal audit staff core training
 Internal audit staff competence
 Engagement planning
 Workpapers
 Supervision
 Communication
 Audit reports
 Audit plan
 Monitoring progress
Areas to be Evaluated Using Tools 12 to 17
Tool 12 – IA Activity Structure and Responsibility
Tool 12
Tool 13 – Risk Assessment and Audit Planning
Tool 13.doc
Tool 14 – Staff Professional Proficiency
Tool 14
Tool 16 – Assessing Production and Value Added
Tool 16
Tool 17 – Planning and Executing the Engagement, Workpaper Review, Audit Report, and Monitoring Progress
Tool 17
Communicating the Results
 At the end of the QA project, the team:
• evaluates the overall results;
• summarizes the issues;
• has a closing conference; and
• issues a final report
TOOL 19 – STANDARDS CONFORMANCE EVALUATION – MASTER FRAMEWORK
Overview
AppendixD-Tool 19.doc
Tool 19 – Key Conformance Criteria
Standard Ref. Key conformance criteria
1000 Purpose, Authority & Responsibility
 There is a Charter containing the purpose, authority, and responsibility of the internal audit
activity.
 The Charter has been reviewed periodically and approved by the board.
 The Charter defines the nature of assurance and consulting services.
1010 Recognition of Definition of Internal Audit
The Charter includes reference to the definition of Internal Auditing and the Code of Ethics
consistent with the Standards.
1110 Organizational Independence
 The CAE reports to a level in the organization that is adequate to discharge his or her
responsibilities.
 Any reporting relationship (administrative or total) to management does not interfere with the
CAE’s responsibility to the board.
 There are no restrictions to the scope, resources, and access of internal audit activity.
 Direct Interaction with Board / Audit Committee
Tool 19 – Key Conformance Criteria (contd.)
Standard Ref. Key conformance criteria
1120 Individual Objectivity
 Auditors do not have assignments in conflict.
 Audit staff has background and experience that does not conflict with audit assignment.
 Results and conclusions of engagements are based on factual evidence and observation.
Inputs – Interviews, Evaluation of staff background, Resource allocation
1130 Impairment of Independence
 Auditors are aware they must report any real or perceived conflict of interest as soon as such
conflict arises.
 Assignment of internal audit personnel takes into account previous responsibilities.
Standard Ref. Key conformance criteria
1210 Proficiency
 Auditors undergo specific training based on collective staff training needs analysis.
 Staff performance is reviewed on a regular basis and the criteria used are adequate and
appropriate for the needs of the activity.
 Auditors have fraud training or proficiency in identification of fraud indicators.
 Auditors have training or proficiency in IT concepts and computer aided audit tools.
1220 Professional Due Care
 Audit work papers provide evidence of due professional care in the conduct of the work
performed.
 Audit engagements are supported by appropriate tools, including information systems and
used in an appropriate manner.
 There is evidence of a risk assessment of the audit engagement.
Tool 19 – Key Conformance Criteria (contd.)
Standard Ref. Key conformance criteria
1230 Continuing Professional Development - There is continuing professional development to
enhance the knowledge and competencies of internal auditors.
1310 QAIP - The internal audit activity has a process to monitor and assess the overall effectiveness of
the quality program.
1311  There is evidence of ongoing reviews of the performance of the internal audit activity.
 Periodic reviews were performed through self-assessment or by other persons within the
organization, with knowledge of internal audit practices and the Standards.
1312 There is evidence of comprehensive external reviews by qualified, independent reviewers.
1320 Reports of the results of external assessments are submitted to the board.
1321 There is appropriate wording in audit reports.
1322 There is appropriate wording in report to the board.
Tool 19 – Key Conformance Criteria (contd.)
Standard Ref. Key conformance criteria
2010 Planning
 The CAE has established risk-based plans in consultation with the board and senior
management.
 Where appropriate, consulting engagements are in the annual audit plan
2020 Communication and Approval
 The CAE has communicated the internal audit activity’s annual plans, including significant
interim changes, to senior management and the board.
 The CAE also has communicated to senior management and the board the impact of resource
limitations.
2030 Resource Management
 Staffing plans and financial budgets are determined from annual audit plans and activities of
the internal audit department.
 The internal audit activity is organized to ensure proper coverage of the organization’s audit
universe.
2040 Policies and Procedures
There are appropriate policies and procedures and they are communicated to and understood
by the staff of the internal audit activity.
Tool 19 – Key Conformance Criteria (contd.)
Standard Ref. Key conformance criteria
2050 Coordination - Internal audit work is coordinated with that of the external auditors and with
internal providers of assurance and consulting services.
2060 Reporting to Senior Management and Board
There is evidence that CAE reports appropriately to the board and senior management on the
internal audit activity purpose, authority, responsibility, and performance as well as significant
fraud and other risks.
2110 Governance
Internal audit activity assesses and makes appropriate recommendations for improving the
governance process in its accomplishment of the objectives specified in the Standards.
2120 Risk Management
 The scope of internal audit includes appropriate evaluation of risk management and control
systems.
 Consulting projects cover all significant risk activities within the scope.
 The potential for fraud and the organization’s fraud risk has been addressed.
Tool 19 – Key Conformance Criteria (contd.)
Standard Ref. Key conformance criteria
2201 Planning Considerations (Objectives, Scope, Audit Program and Resource Allocation)
 Internal auditors systematically conduct a preliminary risk assessment of the organization’s
audit universe in order to determine the engagement objectives.
 Internal auditors develop and record a program for each engagement.
 In the case of outside engagements, the internal auditors establish a written understanding
about the objectives, scope, and respective responsibilities of each party.
 Engagement scope is consistent with objectives.
 Engagement staffing is consistent with the required skill sets.
2310 Identifying Information
Identify sufficient, relevant, reliable and useful information.
Intimation provided to audit client well in advance for the required information
Work papers include all the relevant information to achieve the objectives
Tool 19 – Key Conformance Criteria (contd.)
Standard Ref. Key conformance criteria
2320 Analysis and Evaluation
Audit conclusions and engagement results are based on appropriate analyses and evaluations
that identify the root cause(s) of irregularities.
Appropriate use of tools.
2330 Documentation
 Sufficient information is documented to support the conclusions and audit results.
 Work papers have controlled access according to the policy of the organization.
 There is evidence that CAE obtains appropriate approvals prior to releasing records.
2340 Engagement Supervision - There is evidence engagements are properly supervised as specified
in the Standards.
2410 Criteria for Communication
 There is evidence of appropriate, timely communication with management.
 An overall opinion or conclusion is included in the audit report.
 Communications outside the organization are limited in distribution and use of results.
Tool 19 – Key Conformance Criteria (contd.)
Standard Ref. Key conformance criteria
2420 Quality of Communications
 Communications are appropriate, clear and concise
 Audit reports contain condition, criteria, cause, corrective action and concerned person
2421 Errors and Omissions
Where appropriate, there is communication of corrected information to all parties.
2440 Disseminating Results
 Audit reports are distributed to an appropriate level of senior managers.
 If applicable, the CAE properly considered the elements of the standard prior to
disclosure outside the organization.
2500 Progress monitoring
The CAE has established a follow-up process to monitor and ensure that management actions
have been effectively implemented or risk accepted.
Tool 19 – Key Conformance Criteria (contd.)
Final Assessment
 A QAIP should include a rating scale to assess the level of conformance of the
internal audit activity with the Standards.
 Different options are available when deciding which assessment scale better suits
particular needs. Some of those options include:
 IIA Quality Assessment Manual Scale: Does Not Conform / Partially
Conforms / Generally Conforms.
 The IIA’s Assessment Scale — IIA Path to Quality: Introductory / Emerging /
Established / Progressive / Advanced.
Final Assessment (contd.)
IA Maturity Model.pdf
Common Observations Highlighted in Quality Assessment
Common Observations
S. No. 1 – Standard 2010 – Planning
• The IA activity does not have a formal, documented risk assessment model for audit planning.
• Senior management and ERM inputs not obtained.
• Audit universe does not represent the entire business.
• IT Audit not integrated with business audit.
• Audit plan is often based on Resource availability.
Common Observations (contd.)
S. No. 2 – Standard 1000 – Purpose, Authority and Responsibility
• The IA activity charter is not updated on an annual basis.
• The IA activity charter requires revision to consider IIA’s new definition of internal auditing, to reflect the CAE’s responsibilities, and to obtain approval from the Audit Committee.
S. No. 3 – Standard 1311 – Internal Assessments
• While several elements of the new Standards on quality assurance may have been implemented by the IA activity, the internal ongoing assessments could be strengthened by additional monitoring and benchmarking.
Common Observations (contd.)
S. No. 4 – Standard 1230 – Continuing Professional Development
• Internal Audit does not have a formal training plan to ensure that staff members receive training to satisfy departmental needs and the annual audit plan.
S. No. 5 – Standard 1300 – Quality Assurance and Improvement Program
• No set up for a formalized quality assurance and improvement program.
• External assessments are performed but ongoing and periodic reviews are not in place.
Common Observations (contd.)
S. No. 6 – Standard 2040 – Policies and Procedures
• There is no formal internal audit policies and procedures manual governing the operating activities of the IA activity.
• Manual is present but does not contain detailed procedural aspects.
S. No. 7 – Standard 2030 – Resource Management
• The CAE should implement use of metrics to measure actual internal auditing performance against budget.
• KPIs defined for the IA function, however, specific KPIs for audit staff not defined.
Common Observations (contd.)
S. No. 8 – Standard 1110 – Organizational Independence
• The organization chart shows that the CAE has a direct reporting relationship to the Executive Vice President and Chief Operating Officer and a dotted line relationship to the Audit Committee.
S. No. 9 – Standard 1210 – Proficiency
• There is a perception on the part of clients, based on the client survey results and management interviews, that the IA activity Staff does not possess the desired level of business knowledge.
Common Observations (contd.)
S. No. 10 – Standard 2110 – Risk Management
• There may be areas of IT risk that are not included or may be expanded in the list of auditable units, such as IT strategy, enterprise application and organization.
S. No. 11 – Standard 2201 – Planning Considerations
• Review of working papers showed an apparent lack of planning for engagements.
• Engagement level risk assessment not performed.
S. No. 12 – Standard 2330 – Recording Information
• A set of working paper standards needs to be developed and formally defined in the IA activity policies and procedures. A review of working papers indicated the quality varied between audit staff.
Common Observations (contd.)
S. No. 13 – Standard 2340 – Engagement Supervision
• Based on inspection, work papers are not always reviewed during audits on a timely basis.
S. No. 14 – Standard 2400 – Communicating Results
• Results of internal audit engagements were not complete and/or were not communicated to the appropriate parties.
S. No. 15 – Standard 2200 – Engagement Planning
• Review of work papers did not produce consistent documentation of planning considerations or the scope of audits.
High Performing Quality Assessments
 They have dedicated staff who are passionate about quality assurance and
improvement. This person or group of individuals is responsible for
performing the internal self-assessment, gathering all information in
preparation for the external QA, and performing ongoing monitoring of the
internal audit activity.
 They leverage the use of technology and invest in the right technology tools
based on the internal audit activity’s quality assurance and improvement
needs. Tools are used to document all internal audit work papers as well as
secure information in a central location.
 They have the support of senior management and the audit committee.
Getting the support of these two entities is especially important when
performing an external QA and in ensuring internal auditors are onboard with
quality assurance activities.
Traits of Highly Effective QAIP
1. The CAE is actively involved in the organization, including involvement in initiatives intended
to strengthen the organization’s governance, risk management, and internal control
processes.
2. Similarly, the internal audit activity works closely with other governance and monitoring
functions, including the organization’s risk management unit or personnel.
3. The internal audit activity has an annual risk assessment process that is linked to the
organization’s risk management program or process.
4. The internal audit activity continuously monitors its audit universe and risk assessment
framework, resulting in more focused, long-term audit planning and efficient audit
schedules. Considers emerging risks.
5. The internal audit activity uses technology-based audit tools to enhance its productivity and
effectiveness.
Attributes of High Performing QAIP
5. The CAE has made a commitment to the continuing education and training of internal audit
staff and encourages internal auditors to acquire professional certifications.
6. The CAE also encourages internal auditors to be actively involved in the profession (e.g.,
holding leadership positions in The IIA and participating as volunteers for external QAs.)
7. The internal audit activity has a high level of credibility and excellent reputation with clients
and organization stakeholders.
8. The internal audit activity coordinates optimally with all Stakeholders.
9. The internal audit activity provides concise audit reports that focus on risk and timely
follows up on management action plans.
10. The internal audit plan outlines specific performance milestones to increase efficiencies
within the activity leading to the presence of highly productive staff.
11. The CAE holds open discussions with staff for the continuous improvement of the internal
audit activity. Topics discussed include future work plans, controls testing, and internal audit
techniques.
Attributes of High Performing QAIP (contd.)
12. There is excellent alignment among the internal audit activity, audit committee, and senior
management team. In addition, the CAE and internal audit activity conduct periodic training
for the audit committee.
13. The organization has a high level of confidence in the internal audit activity.
14. The internal audit activity has a high level of support from the organization’s senior
management team, audit committee and/or board, and other stakeholders.
15. The internal audit activity includes staff members with experience in IT, data analytics, or IT
auditing.
16. Uses technique of Control Self Assessment.
Attributes of High Performing Quality Assessment (contd.)
Quiz
Which of the following best represents one of the specific tools for quality assessment generally
used in the preparation and preliminary phase of a QA process?
A. Interview guide for senior and operating management.
B. Model information security policy.
C. Standards compliance evaluation summary.
D. Audit customer surveys.
Scenario 1
Internal Audit Quality Assessment participant guide. QA Process Overview and the QA Manual
references. Answer “A” is incorrect because it is normally used during the on-site review procedures.
D
When evaluating the activity’s conformance to the Standards, what main elements (at a minimum)
should a QA team member expect to see formally defined in an IA activity’s charter?
A. Mission/vision and individual engagement objectives.
B. Purpose, authority and responsibility.
C. Organization chart, reporting lines, and job descriptions.
D. Risk assessment methodology and engagement planning.
Scenario 2
Standard 1000. The purpose, authority and responsibility of the Internal Audit activity should be
formally defined in a charter. Answers A, C, and D would be reviewed when the QA team evaluates
conformance with other Standards.
B
You are validating the results of an internal self-assessment. You have received the IA activity’s
fully documented self-assessment. Which of the following QA Tools would you review to validate
their review of Standard 1300?
A. Tool 12: IA Activity Structure and Responsibilities
B. Tool 14: Staff Professional Proficiency
C. Tool 16: Assessing Production and Value-Added
Scenario 3
QA Manual Tool 12 “Objectives”
A
Which is not one of the lessons learned in performing an external quality assessment according to
IIA research?
A. Maintain a separate tracking system for the data typically needed in the external assessment
process.
B. Leverage the lessons learned from the first external quality assessment to make subsequent
processes more efficient.
C. Contract with an external quality assessment provider who can add value.
D. Recommend that the external quality assessment team spend more time in planning and less
time on-site.
Scenario 4
IIA Research Emerging Issues (External QA Results, Tools, Techniques and Lessons Learned). “D” is
incorrect because the lesson learned is that the team should spend more time on-site. A-C are from the
research survey (a copy is in your workbook).
D
Which of the following is true about a Generally Complies rating?
A. For the major Standards categories (e.g. 1200, 2000, etc.) there is general compliance with the
majority of the individual Standards and at least partial conformance with others.
B. There are no significant opportunities for improvement within the major categories or
individual Standards.
C. General compliance requires complete compliance with the individual Standard.
D. All of the above.
E. None of the above.
Scenario 5
Tool 19 Definitions
A
You are completing an internal assessment. Which of the following would you use as evidence or
consider as sound practices in evaluating 2030 Resource Management?
A. IA staffing analysis and annual operating plans
B. Program for selecting and developing IA human resources
C. Interviews with senior management and the CAE
D. All of the above
E. None of the above
Scenario 6
Tool 19 Examples of Evidence for Standard 2030.
D
The IPPF requires all internal audit shops to perform which types of audits?
A. Attestation
B. Compliance
C. Operational
D. Strategic
E. All of the Above
F. None of the Above
Scenario 7
Per the definition, IA is an “assurance and consulting” activity. Although none of the types of audits
listed is required by the IPPF, some are types of assurance or consulting audit activities.
F
Which of the following best describes the required process for testing work papers for IPPF
compliance?
A. Substantive testing of work papers to ensure maximum error rate is within acceptable limits.
B. Random sampling of work papers to project error rates over the entire population.
C. 100% testing of all work paper files.
D. A statistically valid sample of work papers for each type of project performed to verify that the
overall process implemented by the IA department is functioning.
E. None of the Above
Scenario 8
None of the answers is covered in the QA Manual or Tools 17 or 19.
E
For an independent assessor or validator to arrive at a conclusion that the Internal Audit Activity is
in conformance with the IPPF, interviews MUST BE conducted with:
A. The Chief Audit Executive
B. The Chairperson of the Audit Committee
C. The Chief Executive Officer
D. The Primary External Auditor
E. All of the Above
F. None of the Above
Scenario 9
The QA Manual is not mandatory guidance. In order to conduct an effective external QA all of the
individuals (A-D) “should” be interviewed.
F
The Standards required in the IPPF are best described as:
A. Standards for the Professional Practice of Internal Auditing
B. Internal Audit Essential Performance Requirements
C. International Internal Audit Practice Advisories
D. International Standards for the Professional Practice of Internal Auditing
E. Global Internal Auditing Guidance Principles
F. None of the Above
Scenario 10
IPPF Preface and Introduction to the International Standards
D
One of the principles of the Code of Ethics is Integrity. Which of the following is a rule of conduct related
to Integrity (select the two best answers)?
A. Internal Auditors shall be prudent in the use and protection of information acquired in the
course of their duties.
B. Internal Auditors shall perform their work with honesty, diligence, and responsibility.
C. Internal Auditors shall not accept anything that will impair or presume to impair their
professional judgment.
D. Internal Auditors shall not knowingly be a party to any illegal activity or engage in any acts that are
discreditable to the profession of internal auditing or to the organization.
Scenario 11
Code of Ethics: Rules of Conduct. “A” is related to Confidentiality and “C” is related to Objectivity.
B & D
You are planning an external assessment. You have determined that the CAE reports to a CEO
(administratively) and Audit Committee (functionally). The CEO has informed the CAE that there are
some activities that are not ready to be audited. The Audit Committee appears to be independent
but the AC Charter only requires them to meet with the CAE once a year. The CAE is very confident
that IA has the level of resources needed to carry out the IA Charter. What are examples of the evidence
that your team will need to review to evaluate conformance to Standard 1110?
A. The annual audit plan
B. Interviews with the CEO, AC, CAE, Senior/Operating Management, IA Staff Members
C. Budgets and staffing resources
D. Reporting of the restrictions (areas not ready for auditing) to the AC.
E. A & D Only
F. A, B, C & D.
Scenario 12
IPPF Table of Contents
F
At Protiviti, we believe the organizations that
most effectively understand and manage their
risk are the companies that most often
succeed.


Internal Audit Quality Assessment

  • 1. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 0 Internal Audit Quality Assessment
  • 2. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 1 Mohammad Kamel AL-Draidi Attend/Workshop internal audit quality assessment 18 November 2014 Riyadh, Saudi Arabia
  • 3. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 2 We will focus on:  Understand requirements of Quality in Internal Audit  Understand what is Quality Assessment  International Professional Practices Framework (IPPF) and International Standards for the Professional Practice of Internal Auditing (International Standards)  Quality Assessment & Improvement Program  Familiarization of Quality Assessment Process of an Internal Audit Function  Understand the Quality Assessment tools and techniques  Common observations highlighted in Quality Assessment reviews  Attributes of high performing Quality Assessment reviews Objectives of the Workshop
  • 4. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 3 Quality
  • 5. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 4 • Quality is not absolute. The quality of a product or service is the degree to which the product or service meets the customer’s expectations and the degree to which it is fit for purpose. • Delivering quality requires a systematic and disciplined approach as professionals — quality does not just happen. • It is the combination of the right people, the right systems, and a commitment to excellence. • It is driven by the leaders of the organization who are responsible for setting the “tone at the top.” What is Quality? “Quality is never an accident, it is always an Intelligent Effort – John Ruskin
  • 6. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 5 • For an internal audit activity, Stakeholders could include the board, senior management, the external auditor, and operational managers. • Quality in internal audit is guided by both an obligation to meet customer expectations as well as professional responsibilities inherent in conforming to the Standards • Quality in internal audit begins with the structure and organization of the audit activity. • Quality should be built in to, and not on to, the way the activity conducts its business. This can be done through deploying: • Internal audit methodology, • Policies and procedures and • Human resource practices. • Each of these should be premised on a common understanding of quality and stakeholder perception of value. Quality in Internal Audit
  • 7. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 6 DRIVERS Stakeholders Expectations IA Charter, Policies and Procedures Leading Practices IIA Standards
  • 8. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 7 Quality Assessment
  • 9. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 8 5Ws of Quality Assessment (QA) WHAT is QA? A QA evaluates conformance with the International Standards, the efficiency and effectiveness of the internal audit activity, and the use of leading practices. WHY undergo QA? QAs are necessary in order to provide full objectivity. # 2 They build stakeholder confidence by documenting the internal audit function's commitment to quality and leading practices, and the internal auditors' mindset for professionalism. Provides evidence to the board, management, and staff that the internal audit activity is concerned about the organization's internal controls, governance, and risk management processes # 1
  • 10. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 9 WHO can conduct a QA? The Professional Practices Framework defines the required competency of the QA team leaders and team. # 4 WHERE do I start? To conduct an internal quality assessment, establishing a benchmark of your internal audit activity that can be used to establish metrics indicating improvement in areas of partial compliance or noncompliance with the International Standards. # 5 WHEN does an Internal Audit Activity need to have a QA performed? It is mandatory that every internal audit activity undergo an QA conducted by an independent team or independent validator once every five years to comply with the International Standard. # 3 The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards. 5Ws of Quality Assessment [QA] (contd.)
  • 11. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 10 Benefits of Quality Assurance
  • 12. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 11 Internal Auditors Employees Audit Committee / Board Management Beneficiaries of Quality Assurance Beneficiaries Internal Auditors Management Employees Internal Auditors Management Audit Committee / Board Employees Internal Auditors Management
  • 13. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 12 Benefits of Quality Assurance for Internal Auditors  Ability to state conformance with the International Standards  Continuous improvement  Obtaining best-practice recommendations and benchmarks  Gaining a sense of accomplishment and satisfaction  Better focus on the areas for further improvement and new ideas on how to do things better
  • 14. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 13 Benefits of Quality Assurance for the Audit Committee & Board  Assurance of the internal audit activity’s quality, competence and professionalism  Clarity for the internal audit and audit committees roles and responsibilities and their respective charters  Receiving an independent assessment / opinion of the effectiveness of the internal audit activity  Increased reliance upon the work of internal audit activity and enhanced credibility
  • 15. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 14 Benefits of Quality Assurance for the Management  Opportunity to provide anonymous feedback to the internal audit activity  Raised awareness among the management about internal audit role and professional standards  Assurance that the auditors are being audited  Independent validation of the effectiveness of the internal audit activity
  • 16. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 15 Benefits of Quality Assurance for the Employees  Assurance that the auditors are being audited  Gained more familiarity with the internal auditor’s role  Ability to express feedback on the internal audit activity  Assurance that the internal audit activity can be trusted and is credible
  • 17. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 16 International Professional Practices Framework (IPPF)
  • 18. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 17  The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. IPPF guidance includes:  Mandatory Guidance  Definition  Code of Ethics  International Standards  Strongly Recommended Guidance  Position Papers  Practice Advisories  Practice Guides The International Professional Practices Framework
  • 19. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 18 Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. IPPF – Definition of Internal Auditing
  • 20. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 19 The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the profession and practice of internal auditing and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics apply to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing. IPPF – Code of Ethics CODE OF ETHICS.
  • 21. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 20 The purpose of the International Standards for the Professional Practice of Internal Auditing (International Standards) is to: • Delineate basic principles that represent the practice of internal auditing as it should be. • Provide a framework for performing and promoting a broad range of value-added internal audit activities. • Establish the basis for the evaluation of internal audit performance. • Foster improved organizational processes and operations. The International Standards consists of following : • Attribute Standards (Mandatory) • Performance Standards (Mandatory) IPPF – International Standards
  • 22. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 21 Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and delineating related roles and responsibilities of internal auditing. IPPF – Position Papers
  • 23. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 22 Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the International Standards and promoting good practices. Practice Advisories address internal auditing approach, methodologies, and consideration, but not detail processes or procedures. They include practices relating to: • international, country, or industry-specific issues; • specific types of engagements; • legal or regulatory issues. IPPF – Practice Advisories
  • 24. IPPF – Practice Guides
    Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as:
      • tools and techniques;
      • programs;
      • step-by-step approaches; and
      • examples of deliverables.
  • 25. IPPF Standards
  • 26. IPPF – International Standards
    Attribute Standards explain the following:
      Standard  Title
      1000      Purpose, Authority and Responsibility
      1010      Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
      1100      Independence and Objectivity
      1110      Organisational Independence
      1111      Direct Interaction with the Board
      1120      Individual Objectivity
      1130      Impairment to Independence or Objectivity
      1200      Proficiency and Due Professional Care
      1210      Proficiency
      1220      Due Professional Care
      1230      Continuing Professional Development
      1300      Quality Assurance and Improvement Program (QAIP)
      1310      Requirements of the Quality Assurance and Improvement Program
      1311      Internal Assessments
      1312      External Assessments
      1320      Reporting on the Quality Assurance and Improvement Program
      1321      Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
      1322      Disclosure of Nonconformance
  • 27. IPPF – International Standards
    Performance Standards explain the following:
      Standard  Title
      2000      Managing the Internal Audit Activity
      2010      Planning
      2020      Communication and Approval
      2030      Resource Management
      2040      Policies and Procedures
      2050      Coordination
      2060      Reporting to Senior Management and the Board
      2070      External Service Provider and Organizational Responsibility for Internal Auditing
      2100      Nature of Work
      2110      Governance
      2120      Risk Management
      2130      Control
      2200      Engagement Planning
      2201      Planning Considerations
      2210      Engagement Objectives
      2220      Engagement Scope
      2230      Engagement Resource Allocation
      2240      Engagement Work Program
      2300      Performing the Engagement
      2310      Identifying Information
      2320      Analysis and Evaluation
      2330      Documenting Information
      2340      Engagement Supervision
  • 28. IPPF – International Standards
    Performance Standards (contd.)
      Standard  Title
      2400      Communicating Results
      2410      Criteria for Communicating
      2420      Quality of Communications
      2421      Errors and Omissions
      2430      Use of ‘Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing’
      2431      Engagement Disclosure of Nonconformance
      2440      Disseminating Results
      2450      Overall opinions
      2500      Monitoring Progress
      2600      Resolution of Senior Management’s Acceptance of Risks
  • 29. IPPF – Mandatory Guidance for Quality Assurance
  • 30. IPPF – Mandatory Guidance for Quality Assurance
      Standard  Title
      1300      Quality Assurance and Improvement Program
      1310      Requirements of the Quality Assurance and Improvement Program
      1312      External Assessments
      1320      Reporting on the Quality Assurance and Improvement Program
      1321      Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
      1322      Disclosure of Nonconformance
  • 31. IPPF – Mandatory Guidance for Quality Assurance (contd.)
    1300 Quality Assurance and Improvement Program
    The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
    Interpretation: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
  • 32. IPPF – Mandatory Guidance for Quality Assurance (contd.)
    1310 Requirements of the Quality Assurance and Improvement Program
    The quality assurance and improvement program must include both internal and external assessments.
    Internal assessments are of two types:
      • Ongoing as part of each audit review
      • Periodic peer review
  • 33. IPPF – Mandatory Guidance for Quality Assurance (contd.)
    1312 External Assessments
    External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.
    Interpretation: A qualified reviewer or review team consists of individuals who are competent in the professional practice of internal auditing and the external assessment process. The evaluation of the competency of the reviewer and review team is a judgment that considers the professional internal audit experience and professional credentials of the individuals selected to perform the review. The evaluation of qualifications also considers the size and complexity of the organizations that the reviewers have been associated with in relation to the organization for which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical knowledge.
    An independent reviewer or review team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.
  • 34. IPPF – Mandatory Guidance for Quality Assurance (contd.)
    1320 Reporting on the Quality Assurance and Improvement Program
    The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.
    Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or review team’s assessment with respect to the degree of conformance.
  • 35. IPPF – Mandatory Guidance for Quality Assurance (contd.)
    1321 Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
    The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.
    1322 Disclosure of Nonconformance
    When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.
  • 36. Quality Assurance & Improvement Program (QAIP)
  • 37. Quality Assurance & Improvement Program
    A QAIP should conclude on the quality of the internal audit activity and lead to recommendations for appropriate improvements. It enables an evaluation of:
      • Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
      • The adequacy of the internal audit activity’s charter, goals, objectives, policies and procedures.
      • The contribution to the organization’s governance, risk management, and control processes.
      • Completeness of coverage of the entire audit universe, risks faced by the company.
      • Whether the internal audit activity adds value, improves the organization’s operations, and contributes to the attainment of objectives.
  • 38. Quality Assurance & Improvement Program (contd.)
    To achieve comprehensive coverage of all aspects of the internal audit activity, a QAIP must effectively be applied at three fundamental levels (or perspectives):
      • Internal Audit Engagement Level (self-assessment at the audit, engagement, or operational level)
      • Internal Audit Activity Level (self-assessment at the internal audit activity or organizational level)
      • External Perspective (independent external assessment of the entire internal audit activity including individual engagements)
    The CAE is responsible for developing the QAIP and should lead by example by embedding quality into the internal audit activity.
  • 39. QAIP Program (contd.)
    Internal Audit Engagement Level (self-assessment at the audit, engagement, or operational level)
    The engagement supervisor (possibly a manager or the CAE) is responsible for providing assurance that:
      • Appropriate processes have been used to translate audit plans into specific, appropriately resourced audit engagements.
      • Planning, fieldwork conduct, and reporting/communicating results conform to the Definition of Internal Auditing, the Code of Ethics, and the Standards.
      • Appropriate mechanisms are established and used to follow up management actions in response to audit recommendations.
      • Post-engagement client surveys, lessons learned, self-assessments, and other mechanisms to support continuous improvement are completed.
    File: Quality Review Checkilist.doc
  • 40. QAIP Program (contd.)
    Internal Audit Activity Level (periodic self-assessment at the internal audit activity or organizational level). This can be conducted through:
      • Working paper reviews for conformance with the Definition of Internal Auditing, the Code of Ethics, the Standards, and internal audit policies and procedures by staff not involved in the respective audits.
      • Review of internal audit performance metrics and benchmarking of best practices. Use of GAIN metrics and CMM model.
      • Client surveys.
      • Interviews with various stakeholders.
      • Periodic activity and performance reporting to the board and other stakeholders as deemed necessary.
  • 41. QAIP Program (contd.)
    External Perspective (independent external assessment of the entire internal audit activity including individual engagements).
    The CAE must ensure that the internal audit activity undergoes an external assessment at least once every five years by an independent assessor or assessment team from outside the organization.
  • 42. Quiz
  • 43. Scenario 1
    Which of the following are the two approaches to external assessment?
      A. A full external assessment conducted by a qualified, external independent reviewer or review team.
      B. The use of a qualified, independent external reviewer or review team to conduct an independent validation of the internal self-assessment and a report completed by the internal audit activity.
      C. A full external assessment conducted by Certified Internal Auditors (CIAs) currently assigned elsewhere in the organization.
      D. Independent validation of the internal self-assessment using the organization’s external auditor firm.
    Answer: A & B
    Reference: Practice Advisory 1312-1 #4
  • 44. Scenario 2
    In addition to ongoing monitoring of the performance of the internal audit activity, which of the following must be included as part of the internal audit activity’s internal assessment program according to the Standards?
      A. Review of the organization’s methods for communicating periodic financial reporting information.
      B. Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.
      C. Integration of the internal audit activity’s financial, operational, IT, and consulting services.
      D. Researching and communicating new or updated accounting, auditing, and regulatory standards to staff.
    Answer: B
    Reference: Standard 1311
  • 45. Scenario 3
    Three CAEs, who are long-time members of a regional industry association, want to use a peer review approach to comply with Standard 1312. One of their Audit Committees is concerned about the appearance of impaired independence. To overcome this concern they could add one or more independent members to the external assessment team, or use the independent members to validate the work of their peer review teams (True or False)?
      A. True
      B. False
    Answer: A
    Reference: Practice Advisory 1312-1 #5 (last two bullet points).
  • 46. Scenario 4
    Which of the following is not a part of the International Professional Practices Framework?
      A. Code of Ethics
      B. Position Papers
      C. Development and Practice Aids
      D. Practice Guides
    Answer: C
    Reference: IPPF Table of Contents. Also, per the Internal Audit Quality Assessment participant guide and the IIA website, Development and Practice Aids have been dropped and Position Papers and Practice Guides have been added.
  • 47. Scenario 5
    According to the definition of Internal Auditing in the International Professional Practices Framework (IPPF), the internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of which processes?
      A. Risk management, guidance and leadership.
      B. Governance, leadership and control.
      C. Risk management, governance and control.
      D. Financial reporting controls.
    Answer: C
    Reference: Definition of Internal Auditing – Answers A, C, and D are parts of three processes that are embedded in the definition.
  • 48. Scenario 6
    “The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.” is the International Professional Practices Framework’s definition of –
      A. Independence
      B. Objectivity
      C. Neither
    Answer: A
    Reference: Glossary. These two terms are also defined in the “Interpretation” of Standard 1100.
  • 49. Scenario 7
    “An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others” is the International Professional Practices Framework’s definition of –
      A. Independence
      B. Objectivity
      C. Neither
    Answer: B
    Reference: Glossary and the “Interpretation” to Standard 1100.
  • 50. Quality Assessment Process
  • 51. The Quality Assessment (QA) Process
    Planning the Review
      • Selecting QA team
      • Self study
      • Preliminary visit
      • Surveys
    Performing the Review
      • On-site procedures
      • Interviews
      • Consider other monitoring functions
      • Evaluate the internal audit activity’s conformance
      • Review quality improvement actions – and consider best practices
    Communicating the Results
      • Closing conference
      • Draft / finalize report
      • Follow-up executive conference
  • 52. Quality Assessment Process vis-à-vis Tools
  • 53. QA Process vis-à-vis Tools
    Preparation and Preliminary Phase
      QAE Tool  Description
      Tool 1    Preparation and Planning for Conducting External Quality Assessments
      Tool 1A   Preparation and Planning for Conducting a Self-Assessment with Independent Validation
      Tool 2    Quality Assessment Advanced Preparation
      Tool 2A   Self-assessment Guide
      Tool 3    Chief Audit Executive Questionnaire
      Tool 4    Audit Client Survey
      Tool 5    Internal Audit Activity Staff Survey
  • 54. QA Process vis-à-vis Tools (contd.)
    Interview Guides
      QAE Tool  Description
      Tool 6    Interview Guide – Board (AC) Member
      Tool 7    Interview Guide – Executive to Whom Chief Audit Executive Reports
      Tool 8    Interview Guide – Senior and Operating Management
      Tool 8A   Interview Guide – Chief Information Officer
      Tool 9    Interview Guide – Chief Audit Executive
      Tool 10   Interview Guide – Internal Audit Activity Staff
      Tool 11   Interview Guide – External Auditor
  • 55. QA Process vis-à-vis Tools (contd.)
    Quality Assessment Program Segments
      QAE Tool  Description
      Tool 12   IA Activity Structure and Responsibilities
      Tool 13   Risk Assessment and Audit Planning
      Tool 14   Staff Professional Proficiency
      Tool 15   Information Technology
      Tool 16   Assessing Completion of Audit Plan and Value Added
      Tool 17   Planning and Executing the Engagement, Workpaper Review, Audit Report, and Monitoring Progress
  • 56. QA Process vis-à-vis Tools (contd.)
    Evaluation and Reporting
      QAE Tool  Description
      Tool 18   Observations and Issues Worksheet
      Tool 19   Standards Conformance Evaluation Summary
      Tool 20   External Assessment Sample Report
      Tool 21   Self-assessment with External Independent Validation
  • 57. Preparation & Planning for QA Review
  • 58. Planning Activities
      • Quality Assessment team selection
      • Information gathering and CAE questionnaire tool
      • Preliminary visit
      • Client and staff survey
  • 59. Quality Assessment Team Selection
      • Qualifications (Practice Advisories)
          • Independence
          • Integrity and objectivity
          • Competence
          • Size of the team depends on the scope of work, objectives, etc., of the internal audit activity and organization.
      • Not required to be a CIA
  • 60. Information Gathering (Tool 2)
      • Organization culture
      • Independence
      • Internal Audit Charter
      • Audit Manual
      • Risk assessment methodology / audit plan
      • Objectivity and code of ethics
      • Quality Assurance and Improvement Program
      • Coordination
      • Successful practices
  • 61. Chief Audit Executive Questionnaire (Tool 3)
    Key highlights
      • Does the board (i.e., audit committee) get involved in the annual planning / budgeting?
      • Frequency of reporting to the board and meeting with it
      • Involvement in senior management meetings
      • Executive management’s expectations, support, and satisfaction
      • Whether the organization’s risk framework, strategic business plan, and technology plan are all used in the planning process
      • Funding, staff mix and skills, technology, and resources
      • Staff views in planning process
      • Compliance with IIA
      • Adequacy of training programs
  • 62. Internal Audit Client and Staff Surveys
      • Tool 4 – Audit Client Survey
      • Tool 5 – Internal Audit Activity Staff Survey
      • Survey tools and techniques:
          • Anonymity and reader comprehension
          • Representative samples
          • Evaluating responses
          • Communicating results
  • 63. Internal Audit Client and Staff Surveys (contd.)
    Audit Client Survey
    This survey focuses on obtaining the perspectives of IA customers on the following:
      • Relationship of IA with management
      • Quality of Audit staff
      • Scope of audit work / coverage
      • Audit process and reporting
      • Management of IA activity
      • Value Added
      • Areas of Improvement
    File: Tool 4.doc
  • 64. Internal Audit Client and Staff Surveys (contd.)
    IA Staff Survey
    This survey focuses on obtaining the perspectives of the IA team on the following:
      • Knowledge and Skills on IIA Standards
      • Knowledge and Skills on Audit process (Risk assessment, execution, reporting etc.)
      • Training and staff development process
      • Internal and External Communication
      • Interaction with Stakeholders
    File: Tool 5.doc
  • 65. Performing the Quality Assessment Review
  • 66. Conducting QA
      • To discuss and expand information gathered during the planning phase of the assessment, interviews are conducted with significant stakeholders of the internal audit activity and with the Chief Audit Executive.
      • Interviews with the following stakeholders:
          • Board / Audit Committee Member
          • Executive to Whom Chief Audit Executive Reports
          • Senior and Operating Management
          • Chief Audit Executive
          • Internal Audit Activity Staff
          • External Auditor
          • Audit file reviews
  • 67. Interview highlights
    The key objective of these interviews is to obtain the independent perspectives of various stakeholders on internal audit performance. Some of these are listed below:
      • Understand the organization’s overall control environment, governance, and management processes and assess whether they are considered by the IA team.
      • Key risks in the organization and assess whether they are considered by the IA team.
      • Independence, structure, and scope of work of the IA activity.
      • Credibility and effectiveness of the CAE and the IA activity.
      • Professionalism of IA staff
      • Value added by IA
      • Partnering with IA
      • Improvement areas for IA
  • 68. Tool 6 – Interview Guide – Board / Audit Committee Member
  • 69. Tool 7 – Interview Guide – Executive to Whom CAE Reports
  • 70. Highlights of Tool 8 – Senior and Operating Management
      • Comment on the organization’s overall control environment, governance, and management processes.
      • Comment on other oversight or monitoring functions (such as evaluation, process improvement, control self-assessment, or special investigations) and the independent audit firm, in relation to the IA activity.
  • 71. Tool 9 – Interview Guide – Chief Audit Executive
  • 72. Highlights of Tool 10 – Internal Audit Activity Staff
      • Comment on the IA activity’s charter and scope of work.
      • Give your views on how you are managed and on how your skills are utilized and developed.
  • 73. Tool 11 – Interview Guide – External Auditor
  • 74. Workpaper review
    An end-to-end review of sample audit files is a critical component in assessing adherence to standards. The following key components are reviewed in this process:
      • Engagement Planning
      • Process Understanding
      • Process Risk Assessment
      • Audit Program
      • Work Paper documentation
      • Reporting and Audit Closure
    Reference: Workpaper review checklist
  • 75. Tailoring and Completing the QA Program Segment
      • Program segments are used to document and validate conformity to the Standards of the internal audit activity as well as the effectiveness of its policies and processes. Detailed procedures are segmented into major areas to be reviewed to ensure comprehensiveness of coverage.
      • Tools to be used:
          • Tool 12 – IA Activity Structure and Responsibilities
          • Tool 13 – Risk Assessment and Audit Planning
          • Tool 14 – Staff Professional Proficiency
          • Tool 16 – Assessing Completion of Audit Plan and Value Added
          • Tool 17 – Planning and Executing the Engagement, Workpaper Review, Audit Report, and Monitoring Progress
  • 76. Areas to be Evaluated Using Tools 12 to 17
      • IA Structure, Independence and Objectivity
      • IA Planning
      • Internal audit staff core training
      • Internal audit staff competence
      • Engagement planning
      • Workpapers
      • Supervision
      • Communication
      • Audit reports
      • Audit plan
      • Monitoring progress
  • 77. Tool 12 – IA Activity Structure and Responsibility
  • 78. Tool 13 – Risk Assessment and Audit Planning (File: Tool 13.doc)
  • 79. Tool 14 – Staff Professional Proficiency
  • 80. Tool 16 – Assessing Production and Value Added
  • 81. Tool 17 – Planning and Executing the Engagement, Workpaper Review, Audit Report, and Monitoring Progress
  • 82. Communicating the Results
  • 83. Overview
      • At the end of the QA project, the team:
          • evaluates the overall results;
          • summarizes the issues;
          • has a closing conference; and
          • issues a final report.
      TOOL 19 – STANDARDS CONFORMANCE EVALUATION – MASTER FRAMEWORK (AppendixD-Tool 19.doc)
  • 84. Tool 19 – Key Conformance Criteria
      Standard Ref. and key conformance criteria:
      1000 Purpose, Authority & Responsibility
          • There is a Charter containing the purpose, authority, and responsibility of the internal audit activity.
          • The Charter has been reviewed periodically and approved by the board.
          • The Charter defines the nature of assurance and consulting services.
      1010 Recognition of Definition of Internal Audit
          • The Charter includes reference to the definition of Internal Auditing and the Code of Ethics consistent with the Standards.
      1110 Organizational Independence
          • The CAE reports to a level in the organization that is adequate to discharge his or her responsibilities.
          • Any reporting relationship (administrative or total) to management does not interfere with the CAE’s responsibility to the board.
          • There are no restrictions to the scope, resources, and access of internal audit activity.
          • Direct Interaction with Board / Audit Committee
  • 85. Tool 19 – Key Conformance Criteria (contd.)
      Standard Ref. and key conformance criteria:
      1120 Individual Objectivity
          • Auditors do not have assignments in conflict.
          • Audit staff has background and experience that does not conflict with audit assignment.
          • Results and conclusions of engagements are based on factual evidence and observation.
          Inputs – Interviews, Evaluation of staff background, Resource allocation
      1130 Impairment of Independence
          • Auditors are aware they must report any real or perceived conflict of interest as soon as such conflict arises.
          • Assignment of internal audit personnel takes into account previous responsibilities.
  • 86. Tool 19 – Key Conformance Criteria (contd.)
      Standard Ref. and key conformance criteria:
      1210 Proficiency
          • Auditors undergo specific training based on collective staff training needs analysis.
          • Staff performance is reviewed on a regular basis and the criterion used is adequate and appropriate for the needs of the activity.
          • Auditors have fraud training or proficiency in identification of fraud indicators.
          • Auditors have training or proficiency in IT concepts and computer aided audit tools.
      1220 Professional Due Care
          • Audit work papers provide evidence of due professional care in the conduct of the work performed.
          • Audit engagements are supported by appropriate tools, including information systems, used in an appropriate manner.
          • There is evidence of a risk assessment of the audit engagement.
  • 87. Tool 19 – Key Conformance Criteria (contd.)
      Standard Ref. and key conformance criteria:
      1230 Continuing Professional Development
          • There is continuing professional development to enhance the knowledge and competencies of internal auditors.
      1310 QAIP
          • The internal audit activity has a process to monitor and assess the overall effectiveness of the quality program.
      1311
          • There is evidence of ongoing reviews of the performance of the internal audit activity.
          • Periodic reviews were performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.
      1312
          • There is evidence of comprehensive external reviews by qualified, independent reviewers.
      1320
          • Reports of the results of external assessments are submitted to the board.
      1321
          • There is appropriate wording in audit reports.
      1322
          • There is appropriate wording in report to the board.
  • 88. Tool 19 – Key Conformance Criteria (contd.)
      Standard Ref. and key conformance criteria:
      2010 Planning
          • The CAE has established risk-based plans in consultation with the board and senior management.
          • Where appropriate, consulting engagements are in the annual audit plan.
      2020 Communication and Approval
          • The CAE has communicated the internal audit activity’s annual plans, including significant interim changes, to senior management and the board.
          • The CAE also has communicated to senior management and the board the impact of resource limitations.
      2030 Resource Management
          • Staffing plans and financial budgets are determined from annual audit plans and activities of the internal audit department.
          • The internal audit activity is organized to ensure proper coverage of the organization’s audit universe.
      2040 Policies and Procedures
          • There are appropriate policies and procedures and they are communicated to and understood by the staff of the internal audit activity.
  • 89. Tool 19 – Key Conformance Criteria (contd.)
      Standard Ref. and key conformance criteria:
      2050 Coordination
          • Internal audit work is coordinated with that of the external auditors and with internal providers of assurance and consulting services.
      2060 Reporting to Senior Management and Board
          • There is evidence that CAE reports appropriately to the board and senior management on the internal audit activity purpose, authority, responsibility, and performance as well as significant fraud and other risks.
      2110 Governance
          • Internal audit activity assesses and makes appropriate recommendations for improving the governance process in its accomplishment of the objectives specified in the Standards.
      2120 Risk Management
          • The scope of internal audit includes appropriate evaluation of risk management and control systems.
          • Consulting projects cover all significant risk activities within the scope.
          • The potential for fraud and the organization’s fraud risk has been addressed.
  • 90. Tool 19 – Key Conformance Criteria (contd.)
      Standard Ref. and key conformance criteria:
      2201 Planning Considerations (Objectives, Scope, Audit Program and Resource Allocation)
          • Internal auditors systematically conduct a preliminary risk assessment of the organization’s audit universe in order to determine the engagement objectives.
          • Internal auditors develop and record a program for each engagement.
          • In the case of outside engagements, the internal auditors establish a written understanding about the objectives, scope, and respective responsibilities of each party.
          • Engagement scope is consistent with objectives.
          • Engagement staffing is consistent with the required skill sets.
      2310 Identifying Information
          • Identify sufficient, relevant, reliable and useful information.
          • Intimation is provided to the audit client well in advance for the required information.
          • Work papers include all the relevant information to achieve the objectives.
  • 91. Tool 19 – Key Conformance Criteria (contd.)
      Standard Ref. and key conformance criteria:
      2320 Analysis and Evaluation
          • Audit conclusions and engagement results are based on appropriate analyses and evaluations that identify the root cause(s) of irregularities.
          • Appropriate use of tools.
      2330 Documentation
          • Sufficient information is documented to support the conclusions and audit results.
          • Work papers have controlled access according to the policy of the organization.
          • There is evidence that CAE obtains appropriate approvals prior to releasing records.
      2340 Engagement Supervision
          • There is evidence engagements are properly supervised as specified in the Standards.
      2410 Criteria for Communication
          • There is evidence of appropriate, timely communication with management.
          • An overall opinion or conclusion is included in the audit report.
          • Communications outside the organization are limited in distribution and use of results.
  • 92. Tool 19 – Key Conformance Criteria (contd.)
      Standard Ref. and key conformance criteria:
      2420 Quality of Communications
          • Communications are appropriate, clear and concise.
          • Audit reports contain condition, criteria, cause, corrective action and concerned person.
      2421 Errors and Omissions
          • Where appropriate, there is communication of corrected information to all parties.
      2440 Disseminating Results
          • Audit reports are distributed to an appropriate level of senior managers.
          • If applicable, the CAE properly considered the elements of the standard prior to disclosure outside the organization.
      2500 Progress monitoring
          • The CAE has established a follow-up process to monitor and ensure that management actions have been effectively implemented or risk accepted.
  • 93. Final Assessment
      • A QAIP should include a rating scale to assess the level of conformance of the internal audit activity with the Standards.
      • Different options are available when deciding which assessment scale better suits particular needs. Some of those options include:
          • IIA Quality Assessment Manual Scale: Does Not Conform / Partially Conforms / Generally Conforms.
          • The IIA’s Assessment Scale — IIA Path to Quality: Introductory / Emerging / Established / Progressive / Advanced.
  • 94. Final Assessment (contd.) (IA Maturity Model.pdf)
  • 95. Common Observations Highlighted in Quality Assessment
  • 96. Common Observations
      S. No., Standard, Area, Observations:
      1. Standard 2010, Planning
          • The IA activity does not have a formal, documented risk assessment model for audit planning.
          • Senior management and ERM inputs not obtained.
          • Audit universe does not represent the entire business.
          • IT Audit not integrated with business audit.
          • Audit plan is often based on resource availability.
  • 97. Common Observations (contd.)
      S. No., Standard, Area, Observations:
      2. Standard 1000, Purpose, Authority and Responsibility
          • The IA activity charter is not updated on an annual basis.
          • The IA activity charter requires revision to consider IIA’s new definition of internal auditing, to reflect the CAE’s responsibilities, and to obtain approval from the Audit Committee.
      3. Standard 1311, Internal Assessments
          • While several elements of the new Standards on quality assurance may have been implemented by the IA activity, the internal ongoing assessments could be strengthened by additional monitoring and benchmarking.
  • 98. Common Observations (contd.)
      S. No., Standard, Area, Observations:
      4. Standard 1230, Continuing Professional Development
          • Internal Audit does not have a formal training plan to ensure that staff members receive training to satisfy departmental needs and the annual audit plan.
      5. Standard 1300, Quality Assurance and Improvement Program
          • No formalized quality assurance and improvement program has been set up.
          • External assessments are performed but ongoing and periodic reviews are not in place.
  • 99. Common Observations (contd.)
      S. No., Standard, Area, Observations:
      6. Standard 2040, Policies and Procedures
          • There is no formal internal audit policies and procedures manual governing the operating activities of the IA activity.
          • Manual is present but does not contain detailed procedural aspects.
      7. Standard 2030, Resource Management
          • The CAE should implement use of metrics to measure actual internal auditing performance against budget.
          • KPIs are defined for the IA function; however, specific KPIs for audit staff are not defined.
  • 100. Common Observations (contd.)
      S. No., Standard, Area, Observations:
      8. Standard 1110, Organizational Independence
          • The organization chart shows that the CAE has a direct reporting relationship to the Executive Vice President and Chief Operating Officer and a dotted line relationship to the Audit Committee.
      9. Standard 1210, Proficiency
          • There is a perception on the part of clients, based on the client survey results and management interviews, that the IA activity staff does not possess the desired level of business knowledge.
  • 101. Common Observations (contd.)
      S. No., Standard, Area, Observations:
      10. Standard 2110, Risk Management
          • There may be areas of IT risk that are not included or may be expanded in the list of auditable units, such as IT strategy, enterprise application and organization.
      11. Standard 2201, Planning Considerations
          • Review of working papers showed an apparent lack of planning for engagements.
          • Engagement level risk assessment not performed.
      12. Standard 2330, Recording Information
          • A set of working paper standards needs to be developed and formally defined in the IA activity policies and procedures. A review of working papers indicated the quality varied between audit staff.
  • 102. Common Observations (contd.)
      S. No., Standard, Area, Observations:
      13. Standard 2340, Engagement Supervision
          • Based on inspection, work papers are not always reviewed on a timely basis during audits.
      14. Standard 2400, Communicating Results
          • Results of internal audit engagements were not complete and/or were not communicated to the appropriate parties.
      15. Standard 2200, Engagement Planning
          • Review of work papers did not produce consistent documentation of planning considerations or the scope of audits.
  • 103. High Performing Quality Assessments
  • 104. Traits of Highly Effective QAIP
      • They have dedicated staff who are passionate about quality assurance and improvement. This person or group of individuals is responsible for performing the internal self-assessment, gathering all information in preparation for the external QA, and performing ongoing monitoring of the internal audit activity.
      • They leverage the use of technology and invest in the right technology tools based on the internal audit activity’s quality assurance and improvement needs. Tools are used to document all internal audit work papers as well as secure information in a central location.
      • They have the support of senior management and the audit committee. Getting the support of these two entities is especially important when performing an external QA and in ensuring internal auditors are onboard with quality assurance activities.
  • 105. Attributes of High Performing QAIP
      1. The CAE is actively involved in the organization, including involvement in initiatives intended to strengthen the organization’s governance, risk management, and internal control processes.
      2. Similarly, the internal audit activity works closely with other governance and monitoring functions, including the organization’s risk management unit or personnel.
      3. The internal audit activity has an annual risk assessment process that is linked to the organization’s risk management program or process.
      4. The internal audit activity continuously monitors its audit universe and risk assessment framework, resulting in more focused, long-term audit planning and efficient audit schedules. It also considers emerging risks.
      5. The internal audit activity uses technology-based audit tools to enhance its productivity and effectiveness.
  • 106. Attributes of High Performing QAIP (contd.)
      5. The CAE has made a commitment to the continuing education and training of internal audit staff and encourages internal auditors to acquire professional certifications.
      6. The CAE also encourages internal auditors to be actively involved in the profession (e.g., holding leadership positions in The IIA and participating as volunteers for external QAs).
      7. The internal audit activity has a high level of credibility and an excellent reputation with clients and organization stakeholders.
      8. The internal audit activity coordinates optimally with all stakeholders.
      9. The internal audit activity provides concise audit reports that focus on risk and follows up on management action plans in a timely manner.
      10. The internal audit plan outlines specific performance milestones to increase efficiencies within the activity leading to the presence of highly productive staff.
      11. The CAE holds open discussions with staff for the continuous improvement of the internal audit activity. Topics discussed include future work plans, controls testing, and internal audit techniques.
  • 107. Attributes of High Performing Quality Assessment (contd.)
      12. There is excellent alignment among the internal audit activity, audit committee, and senior management team. In addition, the CAE and internal audit activity conduct periodic training for the audit committee.
      13. The organization has a high level of confidence in the internal audit activity.
      14. The internal audit activity has a high level of support from the organization’s senior management team, audit committee and/or board, and other stakeholders.
      15. The internal audit activity includes staff members with experience in IT, data analytics, or IT auditing.
      16. The internal audit activity uses the technique of Control Self Assessment.
  • 108. Quiz
  • 109. Scenario 1
      Which of the following best represents one of the specific tools for quality assessment generally used in the preparation and preliminary phase of a QA process?
      A. Interview guide for senior and operating management.
      B. Model information security policy.
      C. Standards compliance evaluation summary.
      D. Audit customer surveys.
      Answer: D
      Reference: Internal Audit Quality Assessment participant guide. QA Process Overview and the QA Manual references. Answer “A” is incorrect because it is normally used during the on-site review procedures.
  • 110. Scenario 2
      When evaluating the activity’s conformance to the Standards, what main elements (at a minimum) should a QA team member expect to see formally defined in an IA activity’s charter?
      A. Mission/vision and individual engagement objectives.
      B. Purpose, authority and responsibility.
      C. Organization chart, reporting lines, and job descriptions.
      D. Risk assessment methodology and engagement planning.
      Answer: B
      Reference: Standard 1000. The purpose, authority and responsibility of the Internal Audit activity should be formally defined in a charter. Answers A, C, and D would be reviewed when the QA team evaluates conformance with other Standards.
  • 111. Scenario 3
      You are validating the results of an internal self-assessment. You have received the IA activity’s fully documented self-assessment. Which of the following QA Tools would you review to validate their review of Standard 1300?
      A. Tool 12: IA Activity Structure and Responsibilities
      B. Tool 14: Staff Professional Proficiency
      C. Tool 16: Assessing Production and Value-Added
      Answer: A
      Reference: QA Manual Tool 12 “Objectives”
  • 112. Scenario 4
      Which is not one of the lessons learned in performing an external quality assessment according to IIA research?
      A. Maintain a separate tracking system for the data typically needed in the external assessment process.
      B. Leverage the lessons learned from the first external quality assessment to make subsequent processes more efficient.
      C. Contract with an external quality assessment provider who can add value.
      D. Recommend that the external quality assessment team spend more time in planning and less time on-site.
      Answer: D
      Reference: IIA Research Emerging Issues (External QA Results, Tools, Techniques and Lessons Learned). “D” is incorrect because the lesson learned is that the team should spend more time on-site. A-C is from the research survey (a copy is in your workbook).
  • 113. Scenario 5
      Which of the following is true about a Generally Complies rating?
      A. For the major Standards categories (e.g. 1200, 2000, etc.) there is general compliance with the majority of the individual Standards and at least partial conformance with others.
      B. There are no significant opportunities for improvement within the major categories or individual Standards.
      C. General compliance requires complete compliance with the individual Standard.
      D. All of the above.
      E. None of the above.
      Answer: A
      Reference: Tool 19 Definitions
  • 114. Scenario 6
      You are completing an internal assessment. Which of the following would you use as evidence or consider as sound practices in evaluating 2030 Resource Management?
      A. IA staffing analysis and annual operating plans
      B. Program for selecting and developing IA human resources
      C. Interviews with senior management and the CAE
      D. All of the above
      E. None of the above
      Answer: D
      Reference: Tool 19 Examples of Evidence for Standard 2030.
  • 115. Scenario 7
      The IPPF requires all internal audit shops to perform which types of audits?
      A. Attestation
      B. Compliance
      C. Operational
      D. Strategic
      E. All of the Above
      F. None of the Above
      Answer: F
      Reference: Per the definition, IA is an “assurance and consulting” activity. Although none of the types of audits listed is required by the IPPF, some are types of assurance or consulting audit activities.
  • 116. Scenario 8
      Which of the following best describes the required process for testing work papers for IPPF compliance?
      A. Substantive testing of work papers to ensure maximum error rate is within acceptable limits.
      B. Random sampling of work papers to project error rates over the entire population.
      C. 100% testing of all work paper files.
      D. A statistically valid sample of work papers for each type of project performed to verify that the overall process implemented by the IA department is functioning.
      E. None of the Above
      Answer: E
      Reference: None of the answers is covered in the QA Manual or Tools 17 or 19.
  • 117. Scenario 9
      For an independent assessor or validator to arrive at a conclusion that the Internal Audit Activity is in conformance with the IPPF, interviews MUST BE conducted with:
      A. The Chief Audit Executive
      B. The Chairperson of the Audit Committee
      C. The Chief Executive Officer
      D. The Primary External Auditor
      E. All of the Above
      F. None of the Above
      Answer: F
      Reference: The QA Manual is not mandatory guidance. In order to conduct an effective external QA all of the individuals (A-D) “should” be interviewed.
  • 118. Scenario 10
      The Standards required in the IPPF are best described as:
      A. Standards for the Professional Practice of Internal Auditing
      B. Internal Audit Essential Performance Requirements
      C. International Internal Audit Practice Advisories
      D. International Standards for the Professional Practice of Internal Auditing
      E. Global Internal Auditing Guidance Principles
      F. None of the Above
      Answer: D
      Reference: IPPF Preface and Introduction to the International Standards
  • 119. Scenario 11
      One of the principles of the Code of Ethics is Integrity. Which of the following is a rule of conduct related to Integrity (select the two best answers)?
      A. Internal Auditors shall be prudent in the use and protection of information acquired in the course of their duties.
      B. Internal Auditors shall perform their work with honesty, diligence, and responsibility.
      C. Internal Auditors shall not accept anything that will impair or presume to impair their professional judgment.
      D. Internal Auditors shall not knowingly be a party to any illegal activity or engage in any acts that are discreditable to the profession of internal auditing or to the organization.
      Answer: B & D
      Reference: Code of Ethics: Rules of Conduct. “A” is related to Confidentiality and “C” is related to Objectivity.
  • 120. Scenario 12
      You are planning an external assessment. You have determined that the CAE reports to a CEO (administratively) and Audit Committee (functionally). The CEO has informed the CAE that there are some activities that are not ready to be audited. The Audit Committee appears to be independent but the AC Charter only requires them to meet with the CAE once a year. The CAE is very confident that IA has the level of resources needed to carry out the IA Charter. What are examples of the evidence that your team will need to review to evaluate conformance to Standard 1110?
      A. The annual audit plan
      B. Interviews with the CEO, AC, CAE, Senior/Operating Management, IA Staff Members
      C. Budgets and staffing resources
      D. Reporting of the restrictions (areas not ready for auditing) to the AC.
      E. A & D Only
      F. A, B, C & D.
      Answer: F
      Reference: IPPF Table of Contents
  • 121. At Protiviti, we believe the organizations that most effectively understand and manage their risk are the companies that most often succeed.