Internal Audit Quality Assessment

© 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. Internal Audit Quality Assessment

Upload: mohammad-al-draidi

Post on 16-Jul-2015




Mohammad Kamel AL-Draidi

Attend/Workshop

Internal Audit Quality Assessment

18 November 2014

Riyadh, Saudi Arabia


Objectives of the Workshop

We will focus on:

• Understand requirements of Quality in Internal Audit
• Understand what is Quality Assessment
• International Professional Practices Framework (IPPF) and International Standards for the Professional Practice of Internal Auditing (International Standards)
• Quality Assessment & Improvement Program
• Familiarization of Quality Assessment Process of an Internal Audit Function
• Understand the Quality Assessment tools and techniques
• Common observations highlighted in Quality Assessment reviews
• Attributes of high performing Quality Assessment reviews


Quality


What is Quality?

• Quality is not absolute. The quality of a product or service is the degree to which the product or service meets the customer’s expectations and the degree to which it is fit for purpose.
• Delivering quality requires a systematic and disciplined approach as professionals; quality does not just happen.
• It is the combination of the right people, the right systems, and a commitment to excellence.
• It is driven by the leaders of the organization who are responsible for setting the “tone at the top.”

“Quality is never an accident, it is always an Intelligent Effort” – John Ruskin


Quality in Internal Audit

• For an internal audit activity, stakeholders could include the board, senior management, the external auditor, and operational managers.
• Quality in internal audit is guided by both an obligation to meet customer expectations as well as professional responsibilities inherent in conforming to the Standards.
• Quality in internal audit begins with the structure and organization of the audit activity.
• Quality should be built in to, and not on to, the way the activity conducts its business. This can be done through deploying:
  • Internal audit methodology,
  • Policies and procedures and
  • Human resource practices.
• Each of these should be premised on a common understanding of quality and stakeholder perception of value.


DRIVERS

• Stakeholders Expectations
• IA Charter, Policies and Procedures
• Leading Practices
• IIA Standards


Quality Assessment


5Ws of Quality Assessment (QA)

# 1 WHAT is QA?

A QA evaluates conformance with the International Standards, the efficiency and effectiveness of the internal audit activity, and the use of leading practices.

# 2 WHY undergo QA?

• QAs are necessary in order to provide full objectivity.
• They build stakeholder confidence by documenting the internal audit function's commitment to quality and leading practices, and the internal auditors' mindset for professionalism.
• Provides evidence to the board, management, and staff that the internal audit activity is concerned about the organization's internal controls, governance, and risk management processes.


5Ws of Quality Assessment [QA] (contd.)

# 3 WHEN does an Internal Audit Activity need to have a QA performed?

It is mandatory that every internal audit activity undergo a QA conducted by an independent team or independent validator once every five years to comply with the International Standard.

The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards.

# 4 WHO can conduct a QA?

The Professional Practices Framework defines the required competency of the QA team leaders and team.

# 5 WHERE do I start?

To conduct an internal quality assessment, establish a benchmark of your internal audit activity that can be used to establish metrics indicating improvement in areas of partial compliance or noncompliance with the International Standards.


Benefits of Quality Assurance


Beneficiaries of Quality Assurance

• Internal Auditors
• Audit Committee / Board
• Management
• Employees


Benefits of Quality Assurance for Internal Auditors

• Ability to state conformance with the International Standards
• Continuous improvement
• Obtaining best-practice recommendations and benchmarks
• Gaining a sense of accomplishment and satisfaction
• Better focus on the areas for further improvement and new ideas on how to do things better


Benefits of Quality Assurance for the Audit Committee & Board

• Assurance of the internal audit activity’s quality, competence and professionalism
• Clarity for the internal audit and audit committee's roles and responsibilities and their respective charters
• Receiving an independent assessment / opinion of the effectiveness of the internal audit activity
• Increased reliance upon the work of internal audit activity and enhanced credibility


Benefits of Quality Assurance for the Management

• Opportunity to provide anonymous feedback to the internal audit activity
• Raised awareness among the management about internal audit role and professional standards
• Assurance that the auditors are being audited
• Independent validation of the effectiveness of the internal audit activity


Benefits of Quality Assurance for the Employees

• Assurance that the auditors are being audited
• Gained more familiarity with the internal auditor’s role
• Ability to express feedback on the internal audit activity
• Assurance that the internal audit activity can be trusted and is credible


International Professional Practices Framework (IPPF)


The International Professional Practices Framework

The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. IPPF guidance includes:

Mandatory Guidance
• Definition
• Code of Ethics
• International Standards

Strongly Recommended Guidance
• Position Papers
• Practice Advisories
• Practice Guides


IPPF – Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


IPPF – Code of Ethics

The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the profession and practice of internal auditing and Rules of Conduct that describe behavior expected of internal auditors.

The Code of Ethics applies to both parties and entities that provide internal audit services.

The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.


IPPF – International Standards

The purpose of the International Standards for the Professional Practice of Internal Auditing (International Standards) is to:

• Delineate basic principles that represent the practice of internal auditing as it should be.
• Provide a framework for performing and promoting a broad range of value-added internal audit activities.
• Establish the basis for the evaluation of internal audit performance.
• Foster improved organizational processes and operations.

The International Standards consist of the following:

• Attribute Standards (Mandatory)
• Performance Standards (Mandatory)


IPPF – Position Papers

Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and delineating related roles and responsibilities of internal auditing.


IPPF – Practice Advisories

Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the International Standards and promoting good practices.

Practice Advisories address internal auditing approach, methodologies, and consideration, but not detailed processes or procedures. They include practices relating to:

• international, country, or industry-specific issues;
• specific types of engagements;
• legal or regulatory issues.


IPPF – Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities.

They include detailed processes and procedures, such as:

• tools and techniques;
• programs;
• step-by-step approaches; and
• examples of deliverables.


IPPF Standards


IPPF – International Standards

Attribute Standards explain the following:

Standard  Title
1000  Purpose, Authority and Responsibility
1010  Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
1100  Independence and Objectivity
1110  Organisational Independence
1111  Direct Interaction with the Board
1120  Individual Objectivity
1130  Impairment to Independence or Objectivity
1200  Proficiency and Due Professional Care
1210  Proficiency
1220  Due Professional Care
1230  Continuing Professional Development
1300  Quality Assurance and Improvement Program (QAIP)
1310  Requirements of the Quality Assurance and Improvement Program
1311  Internal Assessments
1312  External Assessments
1320  Reporting on the Quality Assurance and Improvement Program
1321  Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
1322  Disclosure of Nonconformance


IPPF – International Standards

Performance Standards explain the following:

Standard  Title
2000  Managing the Internal Audit Activity
2010  Planning
2020  Communication and Approval
2030  Resource Management
2040  Policies and Procedures
2050  Coordination
2060  Reporting to Senior Management and the Board
2070  External Service Provider and Organizational Responsibility for Internal Auditing
2100  Nature of Work
2110  Governance
2120  Risk Management
2130  Control
2200  Engagement Planning
2201  Planning Considerations
2210  Engagement Objectives
2220  Engagement Scope
2230  Engagement Resource Allocation
2240  Engagement Work Program
2300  Performing the Engagement
2310  Identifying Information
2320  Analysis and Evaluation
2330  Documenting Information
2340  Engagement Supervision


IPPF – International Standards

Performance Standards (contd.)

Standard  Title
2400  Communicating Results
2410  Criteria for Communicating
2420  Quality of Communications
2421  Errors and Omissions
2430  Use of ‘Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing’
2431  Engagement Disclosure of Nonconformance
2440  Disseminating Results
2450  Overall Opinions
2500  Monitoring Progress
2600  Resolution of Senior Management’s Acceptance of Risks


IPPF – Mandatory Guidance for Quality Assurance


IPPF – Mandatory Guidance for Quality Assurance

Standard  Title
1300  Quality Assurance and Improvement Program
1310  Requirements of the Quality Assurance and Improvement Program
1312  External Assessments
1320  Reporting on the Quality Assurance and Improvement Program
1321  Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
1322  Disclosure of Nonconformance


IPPF – Mandatory Guidance for Quality Assurance (contd.)

1300 Quality Assurance and Improvement Program

The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Interpretation:

A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.


IPPF – Mandatory Guidance for Quality Assurance (contd.)

1310 Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and external assessments.

Internal assessments are of two types:

• Ongoing as part of each audit review
• Periodic peer review


IPPF – Mandatory Guidance for Quality Assurance (contd.)

1312 External Assessments

External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

Interpretation:

A qualified reviewer or review team consists of individuals who are competent in the professional practice of internal auditing and the external assessment process. The evaluation of the competency of the reviewer and review team is a judgment that considers the professional internal audit experience and professional credentials of the individuals selected to perform the review. The evaluation of qualifications also considers the size and complexity of the organizations that the reviewers have been associated with in relation to the organization for which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical knowledge.

An independent reviewer or review team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.


IPPF – Mandatory Guidance for Quality Assurance (contd.)

1320 Reporting on the Quality Assurance and Improvement Program

The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

Interpretation:

The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter.

To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or review team’s assessment with respect to the degree of conformance.


IPPF – Mandatory Guidance for Quality Assurance (contd.)

1321 Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’

The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.

1322 Disclosure of Nonconformance

When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.


Quality Assurance & Improvement Program (QAIP)


Quality Assurance & Improvement Program

• A QAIP should conclude on the quality of the internal audit activity and lead to recommendations for appropriate improvements. It enables an evaluation of:
  • Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
  • The adequacy of the internal audit activity’s charter, goals, objectives, policies and procedures.
  • The contribution to the organization’s governance, risk management, and control processes.
  • Completeness of coverage of the entire audit universe, risks faced by the company.
  • Whether the internal audit activity adds value, improves the organization’s operations, and contributes to the attainment of objectives.


Quality Assurance & Improvement Program (contd.)

To achieve comprehensive coverage of all aspects of the internal audit activity, a QAIP must effectively be applied at three fundamental levels (or perspectives):

• Internal Audit Engagement Level (self-assessment at the audit, engagement, or operational level)
• Internal Audit Activity Level (self-assessment at the internal audit activity or organizational level)
• External Perspective (independent external assessment of the entire internal audit activity including individual engagements)

The CAE is responsible for developing the QAIP and should lead by example by embedding quality into the internal audit activity.


QAIP Program (contd.)

Internal Audit Engagement Level (self-assessment at the audit, engagement, or operational level). The engagement supervisor (possibly a manager or the CAE) is responsible for providing assurance that:

• Appropriate processes have been used to translate audit plans into specific, appropriately resourced audit engagements.
• Planning, fieldwork conduct, and reporting/communicating results conform to the Definition of Internal Auditing, the Code of Ethics, and the Standards.
• Appropriate mechanisms are established and used to follow-up management actions in response to audit recommendations.
• Post-engagement client surveys, lessons learned, self-assessments, and other mechanisms to support continuous improvement are completed.

Quality Review Checkilist.doc


QAIP Program (contd.)

Internal Audit Activity Level (Periodic self-assessment at the internal audit activity or organizational level). This can be conducted through:

• Working paper reviews for conformance with the Definition of Internal Auditing, the Code of Ethics, the Standards, and internal audit policies and procedures by staff not involved in the respective audits.
• Review of internal audit performance metrics and benchmarking of best practices. Use of GAIN metrics and CMM model.
• Client surveys.
• Interviews with various stakeholders.
• Periodic activity and performance reporting to the board and other stakeholders as deemed necessary.


QAIP Program (contd.)

External Perspective (independent external assessment of the entire internal audit activity including individual engagements).

The CAE must ensure that the internal audit activity undergoes an external assessment at least once every five years by an independent assessor or assessment team from outside the organization.


Quiz


Scenario 1

Which of the following are the two approaches to external assessment?

A. A full external assessment conducted by a qualified, external independent reviewer or review team.
B. The use of a qualified, independent external reviewer or review team to conduct an independent validation of the internal self-assessment and a report completed by the internal audit activity.
C. A full external assessment conducted by Certified Internal Auditors (CIAs) currently assigned elsewhere in the organization.
D. Independent validation of the internal self-assessment using the organization’s external auditor firm.

Answer: A & B
Reference: Practice Advisory 1312-1 #4


Scenario 2

In addition to ongoing monitoring of the performance of the internal audit activity, which of the following must be included as part of the internal audit activity’s internal assessment program according to the Standards?

A. Review of the organization’s methods for communicating periodic financial reporting information.
B. Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.
C. Integration of the internal audit activity’s financial, operational, IT, and consulting services.
D. Researching and communicating new or updated accounting, auditing, and regulatory standards to staff.

Answer: B
Reference: Standard 1311


Scenario 3

Three CAEs, who are long-time members of a regional industry association, want to use a peer review approach to comply with Standard 1312. One of their Audit Committees is concerned about the appearance of impaired independence. To overcome this concern they could add one or more independent members to the external assessment team – or use the independent members to validate the work of their peer review teams (True or False)?

A. True
B. False

Answer: A
Reference: Practice Advisory 1312-1 #5 (last two bullet points).


Scenario 4

Which of the following is not a part of the International Professional Practices Framework?

A. Code of Ethics
B. Position Papers
C. Development and Practice Aids
D. Practice Guides

Answer: C
Reference: IPPF Table of Contents. Also, per the Internal Audit Quality Assessment participant guide and the IIA web-site, Development and Practice Aids have been dropped and Position Papers and Practice Guides have been added.


Scenario 5

According to the definition of Internal Auditing in the International Professional Practices Framework (IPPF), the internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of which processes?

A. Risk management, guidance and leadership.
B. Governance, leadership and control.
C. Risk management, governance and control.
D. Financial reporting controls.

Answer: C
Reference: Definition of Internal Auditing – Answers A, C, and D are parts of three processes that are imbedded in the definition.


“The freedom from conditions that threaten objectivity or the appearance of objectivity. Such

threats to objectivity must be managed at the individual auditor, engagement, functional, and

organizational levels.” is the International Professional Practices Frameworks definition of –

A. Independence

B. Objectivity

C. Neither

Scenario 6

Glossary. These two terms are also defined in the “Interpretation” of Standard 1100.

A

“An unbiased mental attitude that allows internal auditors to perform engagements in such a

manner that they have an honest belief in their work product and that no significant quality

compromises are made. Objectivity requires internal auditors not to subordinate their judgment

on audit matters to that of others” is the International Professional Practices Framework’s

definition of –

A. Independence

B. Objectivity

C. Neither

Scenario 7

Glossary and the “Interpretation” to Standard 1100.

B

Quality Assessment Process

The Quality Assessment (QA) Process

Planning the Review

• Selecting QA team

• Self study

• Preliminary visit

• Surveys

Performing the Review

• On-site procedures

• Interviews

• Consider other monitoring functions

• Evaluate the internal audit activity’s conformance

• Review quality improvement actions – and consider best practices

Communicating the Results

• Closing conference

• Draft / finalize report

• Follow-up executive conference

Quality Assessment Process

vis-à-vis Tools

QAE Tool Description

Tool 1 Preparation and Planning for Conducting External Quality Assessments

Tool 1A Preparation and Planning for Conducting a Self-Assessment with Independent Validation

Tool 2 Quality Assessment Advanced Preparation

Tool 2A Self-assessment Guide

Tool 3 Chief Audit Executive Questionnaire

Tool 4 Audit Client Survey

Tool 5 Internal Audit Activity Staff Survey

QA Process vis-à-vis Tools

Preparation and

Preliminary Phase

QAE Tool Description

Tool 6 Interview Guide – Board (AC) Member

Tool 7 Interview Guide – Executive to Whom Chief Audit Executive Reports

Tool 8 Interview Guide – Senior and Operating Management

Tool 8A Interview Guide – Chief Information Officer

Tool 9 Interview Guide – Chief Audit Executive

Tool 10 Interview Guide – Internal Audit Activity Staff

Tool 11 Interview Guide – External Auditor

Interview Guides

QA Process vis-à-vis Tools (contd.)

QAE Tool Description

Tool 12 IA Activity Structure and Responsibilities

Tool 13 Risk Assessment and Audit Planning

Tool 14 Staff Professional Proficiency

Tool 15 Information Technology

Tool 16 Assessing Completion of Audit Plan and Value Added

Tool 17 Planning and Executing the Engagement, Workpaper Review, Audit Report, and Monitoring Progress

Quality Assessment

Program Segments

QA Process vis-à-vis Tools (contd.)

QAE Tool Description

Tool 18 Observations and Issues Worksheet

Tool 19 Standards Conformance Evaluation Summary

Tool 20 External Assessment Sample Report

Tool 21 Self-assessment with External Independent Validation

Evaluation and Reporting

QA Process vis-à-vis Tools (contd.)

Preparation & Planning for QA

Review

Quality Assessment team selection

Information gathering and CAE questionnaire tool

Preliminary visit

Client and staff survey

Planning Activities

Qualifications (Practice Advisories)

• Independence

• Integrity and objectivity

• Competence

• Size of the team depends on the scope of work, objectives, etc. of the internal audit

activity and organization.

Not required to be a CIA

Quality Assessment Team Selection

Organization culture

Independence

Internal Audit Charter

Audit Manual

Risk assessment methodology / audit plan

Objectivity and code of ethics

Quality Assurance and Improvement Program

Coordination

Successful practices

Information Gathering

Tool 2

Key highlights

Does the board (i.e., audit committee) get involved in the annual planning / budgeting?

Frequency of reporting to the board and meeting with it

Involvement in senior management meetings

Executive management’s expectations, support, and satisfaction

Use of the organization’s risk framework, strategic business plan, and technology plan

in the planning process

Funding, staff mix and skills, technology, and resources

Staff views in planning process

Compliance with IIA

Adequacy of training programs

Chief Audit Executive Questionnaire

Tool 3

Tool 4 – Audit Client Survey

Tool 5 – Internal Audit Activity Staff Survey

Survey tools and techniques:

• Anonymity and reader comprehension

• Representative samples

• Evaluating responses

• Communicating results

Internal Audit Client and Staff Surveys

Audit Client Survey

This survey focuses on obtaining the perspectives of IA customers on the following:

Relationship of IA with management

Quality of Audit staff

Scope of audit work / coverage

Audit process and reporting

Management of IA activity

Value Added

Areas of Improvement

Internal Audit Client and Staff Surveys (contd.)

Tool 4.doc

IA Staff Survey

This survey focuses on obtaining the perspectives of IA team on the following:

Knowledge and Skills on IIA Standards

Knowledge and Skills on Audit process (Risk assessment, execution, reporting etc.)

Training and staff development process

Internal and External Communication

Interaction with Stakeholders

Internal Audit Client and Staff Surveys (contd.)

Tool 5.doc

Performing the Quality Assessment

Review

To discuss and expand information gathered during the planning phase of the

assessment, interviews are conducted with significant stakeholders of the internal

audit activity and with the Chief Audit Executive.

Interviews with the following stakeholders:

• Board / Audit Committee Member

• Executive to Whom Chief Audit Executive Reports

• Senior and Operating Management

• Chief Audit Executive

• Internal Audit Activity Staff

• External Auditor

• Audit file reviews

Conducting QA

The key objective of these interviews is to obtain independent perspectives of various

stakeholders towards internal audit performance. Some of these are listed below:

Understand organization’s overall control environment, governance, and

management processes and assess whether considered by IA team.

Key risks in the organization and assess whether considered by IA team.

Independence, structure, and scope of work of the IA activity.

Credibility and effectiveness of the CAE and the IA activity.

Professionalism of IA staff

Value added by IA

Partnering with IA

Improvement areas for IA

Interview highlights

Tool 6 – Interview Guide – Board / Audit Committee Member

Tool 6

Tool 7 – Interview Guide – Executive to Whom CAE Reports

Tool 7

Comment on the organization’s overall control environment, governance, and

management processes.

Comment on other oversight or monitoring functions (such as evaluation, process

improvement, control self-assessment, or special investigations) and the

independent audit firm, in relation to the IA activity.

Highlights of Tool 8 – Senior and Operating Management

Tool 8

Tool 9 - Interview Guide – Chief Audit Executive

Tool 9

Comment on the IA activity’s charter and scope of work.

Give your views on how you are managed and on how your skills are utilized and

developed.

Highlights of Tool 10 - Internal Audit Activity Staff

Tool 10

Tool 11 - Interview Guide – External Auditor

Tool 11

End-to-end review of sample audit files is a critical component in assessing adherence to

standards. The following key components are reviewed in this process:

Engagement Planning

Process Understanding

Process Risk Assessment

Audit Program

Work Paper documentation

Reporting and Audit Closure

Workpaper review

Workpaper review checklist

Program segments are used to document and validate conformity to the Standards

of the internal audit activity as well as the effectiveness of its policies and processes.

Detailed procedures are segmented into major areas to be reviewed to ensure

comprehensive coverage.

Tools to be used:

• Tool 12 – IA Activity Structure and Responsibilities

• Tool 13 – Risk Assessment and Audit Planning

• Tool 14 – Staff Professional Proficiency

• Tool 16 – Assessing Completion of Audit Plan and Value Added

• Tool 17 – Planning and Executing the Engagement, Workpaper Review, Audit

Report, and Monitoring Progress

Tailoring and Completing the QA Program Segment

IA Structure, Independence and Objectivity

IA Planning

Internal audit staff core training

Internal audit staff competence

Engagement planning

Workpapers

Supervision

Communication

Audit reports

Audit plan

Monitoring progress

Areas to be Evaluated Using Tools 12 to 17

Tool 12 – IA Activity Structure and Responsibility

Tool 12

Tool 13 – Risk Assessment and Audit Planning

Tool 13.doc

Tool 14 – Staff Professional Proficiency

Tool 14

Tool 16 – Assessing Production and Value Added

Tool 16

Tool 17

Tool 17 – Planning and

Executing the Engagement,

Workpaper Review, Audit

Report, and Monitoring

Progress

Communicating the Results

At the end of the QA project, the team:

• evaluates the overall results;

• summarizes the issues;

• has a closing conference; and

• issues a final report

TOOL 19 – STANDARDS CONFORMANCE EVALUATION – MASTER FRAMEWORK

Overview

AppendixD-Tool 19.doc

Tool 19 – Key Conformance Criteria

Standard Ref. Key conformance criteria

1000 Purpose, Authority & Responsibility

There is a Charter containing the purpose, authority, and responsibility of the internal audit activity.

The Charter has been reviewed periodically and approved by the board.

The Charter defines the nature of assurance and consulting services.

1010 Recognition of Definition of Internal Audit

The Charter includes reference to the definition of Internal Auditing and the Code of Ethics consistent with the Standards.

1110 Organizational Independence

The CAE reports to a level in the organization that is adequate to discharge his or her responsibilities.

Any reporting relationship (administrative or total) to management does not interfere with the CAE’s responsibility to the board.

There are no restrictions to the scope, resources, and access of internal audit activity.

Direct Interaction with Board / Audit Committee

Tool 19 – Key Conformance Criteria (contd.)

Standard Ref. Key conformance criteria

1120 Individual Objectivity

Auditors do not have assignments in conflict.

Audit staff has background and experience that does not conflict with audit assignment.

Results and conclusions of engagements are based on factual evidence and observation.

Inputs – Interviews, Evaluation of staff background, Resource allocation

1130 Impairment of Independence

Auditors are aware they must report any real or perceived conflict of interest as soon as such conflict arises.

Assignment of internal audit personnel takes into account previous responsibilities.

Standard Ref. Key conformance criteria

1210 Proficiency

Auditors undergo specific training based on collective staff training needs analysis.

Staff performance is reviewed on a regular basis and criterion used is adequate and appropriate for the needs of the activity.

Auditors have fraud training or proficiency in identification of fraud indicators.

Auditors have training or proficiency in IT concepts and computer aided audit tools.

1220 Professional Due Care

Audit work papers provide evidence of due professional care in the conduct of the work performed.

Audit engagements are supported by appropriate tools, including information systems and used in an appropriate manner.

There is evidence of a risk assessment of the audit engagement.

Tool 19 – Key Conformance Criteria (contd.)

Standard Ref. Key conformance criteria

1230 Continuing Professional Development - There is continuing professional development to

enhance the knowledge and competencies of internal auditors.

1310 QAIP - The internal audit activity has a process to monitor and assess the overall effectiveness of

the quality program.

1311 There is evidence of ongoing reviews of the performance of the internal audit activity.

Periodic reviews were performed through self-assessment or by other persons within the

organization, with knowledge of internal audit practices and the Standards.

1312 There is evidence of comprehensive external reviews by qualified, independent reviewers.

1320 Reports of the results of external assessments are submitted to the board.

1321 There is appropriate wording in audit reports.

1322 There is appropriate wording in report to the board.

Tool 19 – Key Conformance Criteria (contd.)

Standard Ref. Key conformance criteria

2010 Planning

The CAE has established risk-based plans in consultation with the board and senior management.

Where appropriate, consulting engagements are in the annual audit plan

2020 Communication and Approval

The CAE has communicated the internal audit activity’s annual plans, including significant interim changes, to senior management and the board.

The CAE also has communicated to senior management and the board the impact of resource limitations.

2030 Resource Management

Staffing plans and financial budgets are determined from annual audit plans and activities of the internal audit department.

The internal audit activity is organized to ensure proper coverage of the organization’s audit universe.

2040 Policies and Procedures

There are appropriate policies and procedures and they are communicated to and understood by the staff of the internal audit activity.

Tool 19 – Key Conformance Criteria (contd.)

Standard Ref. Key conformance criteria

2050 Coordination - Internal audit work is coordinated with that of the external auditors and with internal providers of assurance and consulting services.

2060 Reporting to Senior Management and Board

There is evidence that CAE reports appropriately to the board and senior management on the internal audit activity purpose, authority, responsibility, and performance as well as significant fraud and other risks.

2110 Governance

Internal audit activity assesses and makes appropriate recommendations for improving the governance process in its accomplishment of the objectives specified in the Standards.

2120 Risk Management

The scope of internal audit includes appropriate evaluation of risk management and control systems.

Consulting projects cover all significant risk activities within the scope.

The potential for fraud and the organization’s fraud risk has been addressed.

Tool 19 – Key Conformance Criteria (contd.)

Standard Ref. Key conformance criteria

2201 Planning Considerations (Objectives, Scope, Audit Program and Resource Allocation)

Internal auditors systematically conduct a preliminary risk assessment of the organization’s audit universe in order to determine the engagement objectives.

Internal auditors develop and record a program for each engagement.

In the case of outside engagements, the internal auditors establish a written understanding about the objectives, scope, and respective responsibilities of each party.

Engagement scope is consistent with objectives.

Engagement staffing is consistent with the required skill sets.

2310 Identifying Information

Identify sufficient, relevant, reliable and useful information.

Intimation provided to audit client well in advance for the required information

Work papers include all the relevant information to achieve the objectives

Tool 19 – Key Conformance Criteria (contd.)

Standard Ref. Key conformance criteria

2320 Analysis and Evaluation

Audit conclusions and engagement results are based on appropriate analyses and evaluations that identify the root cause(s) of irregularities.

Appropriate use of tools.

2330 Documentation

Sufficient information is documented to support the conclusions and audit results.

Work papers have controlled access according to the policy of the organization.

There is evidence that CAE obtains appropriate approvals prior to releasing records.

2340 Engagement Supervision - There is evidence engagements are properly supervised as specified in the Standards.

2410 Criteria for Communication

There is evidence of appropriate, timely communication with management.

An overall opinion or conclusion is included in the audit report.

Communications outside the organization are limited in distribution and use of results.

Tool 19 – Key Conformance Criteria (contd.)

Standard Ref. Key conformance criteria

2420 Quality of Communications

Communications are appropriate, clear and concise

Audit reports contain condition, criteria, cause, corrective action and concerned person

2421 Errors and Omissions

Where appropriate, there is communication of corrected information to all parties.

2440 Disseminating Results

Audit reports are distributed to an appropriate level of senior managers.

If applicable, the CAE properly considered the elements of the standard prior to disclosure outside the organization.

2500 Progress monitoring

The CAE has established a follow-up process to monitor and ensure that management actions have been effectively implemented or risk accepted.

Tool 19 – Key Conformance Criteria (contd.)

Final Assessment

A QAIP should include a rating scale to assess the level of conformance of the

internal audit activity with the Standards.

Different options are available when deciding which assessment scale better suits

particular needs. Some of those options include:

IIA Quality Assessment Manual Scale: Does Not Conform / Partially

Conforms / Generally Conforms.

The IIA’s Assessment Scale — IIA Path to Quality: Introductory / Emerging /

Established / Progressive / Advanced.

Final Assessment (contd.)

IA Maturity Model.pdf

Common Observations Highlighted

in Quality Assessment

Common Observations

S. No. Standard Area Observations

1 2010 Planning • The IA activity does not have a formal, documented risk assessment model for audit planning.

• Senior management and ERM inputs not obtained.

• Audit universe does not represent the entire business.

• IT Audit not integrated with business audit.

• Audit plan is often based on Resource availability.

Common Observations (contd.)

S. No. Standard Area Observations

2 1000 Purpose, Authority and Responsibility

• The IA activity charter is not updated on an annual basis.

• The IA activity charter requires revision to consider IIA’s new definition of internal auditing, to reflect the CAE’s responsibilities, and to obtain approval from the Audit Committee.

3 1311 Internal Assessments

• While several elements of the new Standards on quality assurance may have been implemented by the IA activity, the internal ongoing assessments could be strengthened by additional monitoring and benchmarking.

Common Observations (contd.)

S. No. Standard Area Observations

4 1230 Continuing Professional Development

• Internal Audit does not have a formal training plan to ensure that staff members receive training to satisfy departmental needs and the annual audit plan.

5 1300 Quality Assurance and Improvement Program

• No set up for a formalized quality assurance and improvement program.

• External assessments are performed but ongoing and periodic reviews are not in place.

Common Observations (contd.)

S. No. Standard Area Observations

6 2040 Policies and Procedures

• There is no formal internal audit policies and procedures manual governing the operating activities of the IA activity.

• Manual is present but does not contain detailed procedural aspects.

7 2030 Resource Management

• The CAE should implement use of metrics to measure actual internal auditing performance against budget.

• KPIs defined for the IA function, however, specific KPIs for audit staff not defined.

Common Observations (contd.)

S. No. Standard Area Observations

8 1110 Organizational Independence

• The organization chart shows that the CAE has a direct reporting relationship to the Executive Vice President and Chief Operating Officer and a dotted line relationship to the Audit Committee.

9 1210 Proficiency • There is a perception on the part of clients, based on the client survey results and management interviews, that the IA activity Staff does not possess the desired level of business knowledge.

Common Observations (contd.)

S. No. Standard Area Observations

10 2110 Risk Management

• There may be areas of IT risk that are not included or may be expanded in the list of auditable units, such as IT strategy, enterprise application and organization.

11 2201 Planning Considerations

• Review of working papers showed an apparent lack of planning for engagements.

• Engagement level risk assessment not performed.

12 2330 Recording Information

• A set of working paper standards needs to be developed and formally defined in the IA activity policies and procedures. A review of working papers indicated the quality varied between audit staff.

Common Observations (contd.)

S. No. Standard Area Observations

13 2340 Engagement Supervision

• Based on inspection, work papers are not always reviewed during audits on a timely basis.

14 2400 Communicating Results

• Results of internal audit engagements were not complete and/or were not communicated to the appropriate parties.

15 2200 Engagement Planning

• Review of work papers did not produce consistent documentation of planning considerations or the scope of audits.

Page 103: Internal Audit Quality Assessment

High Performing Quality Assessments

Page 104: Internal Audit Quality Assessment

Traits of Highly Effective QAIP

They have dedicated staff who are passionate about quality assurance and improvement. This person or group of individuals is responsible for performing the internal self-assessment, gathering all information in preparation for the external QA, and performing ongoing monitoring of the internal audit activity.

They leverage the use of technology and invest in the right technology tools based on the internal audit activity’s quality assurance and improvement needs. Tools are used to document all internal audit work papers as well as secure information in a central location.

They have the support of senior management and the audit committee. Getting the support of these two entities is especially important when performing an external QA and in ensuring internal auditors are onboard with quality assurance activities.

Page 105: Internal Audit Quality Assessment

Attributes of High Performing QAIP

1. The CAE is actively involved in the organization, including involvement in initiatives intended to strengthen the organization’s governance, risk management, and internal control processes.

2. Similarly, the internal audit activity works closely with other governance and monitoring functions, including the organization’s risk management unit or personnel.

3. The internal audit activity has an annual risk assessment process that is linked to the organization’s risk management program or process.

4. The internal audit activity continuously monitors its audit universe and risk assessment framework, resulting in more focused, long-term audit planning and efficient audit schedules. It also considers emerging risks.

5. The internal audit activity uses technology-based audit tools to enhance its productivity and effectiveness.

Page 106: Internal Audit Quality Assessment

Attributes of High Performing QAIP (contd.)

5. The CAE has made a commitment to the continuing education and training of internal audit staff and encourages internal auditors to acquire professional certifications.

6. The CAE also encourages internal auditors to be actively involved in the profession (e.g., holding leadership positions in The IIA and participating as volunteers for external QAs).

7. The internal audit activity has a high level of credibility and excellent reputation with clients and organization stakeholders.

8. The internal audit activity coordinates optimally with all stakeholders.

9. The internal audit activity provides concise audit reports that focus on risk and follows up on management action plans in a timely manner.

10. The internal audit plan outlines specific performance milestones to increase efficiencies within the activity leading to the presence of highly productive staff.

11. The CAE holds open discussions with staff for the continuous improvement of the internal audit activity. Topics discussed include future work plans, controls testing, and internal audit techniques.

Page 107: Internal Audit Quality Assessment

Attributes of High Performing Quality Assessment (contd.)

12. There is excellent alignment among the internal audit activity, audit committee, and senior management team. In addition, the CAE and internal audit activity conduct periodic training for the audit committee.

13. The organization has a high level of confidence in the internal audit activity.

14. The internal audit activity has a high level of support from the organization’s senior management team, audit committee and/or board, and other stakeholders.

15. The internal audit activity includes staff members with experience in IT, data analytics, or IT auditing.

16. The internal audit activity uses the technique of Control Self-Assessment.

Page 108: Internal Audit Quality Assessment

Quiz

Page 109: Internal Audit Quality Assessment

Scenario 1

Which of the following best represents one of the specific tools for quality assessment generally used in the preparation and preliminary phase of a QA process?

A. Interview guide for senior and operating management.

B. Model information security policy.

C. Standards compliance evaluation summary.

D. Audit customer surveys.

Answer: D

Internal Audit Quality Assessment participant guide. QA Process Overview and the QA Manual references. Answer “A” is incorrect because it is normally used during the on-site review procedures.

Page 110: Internal Audit Quality Assessment

Scenario 2

When evaluating the activity’s conformance to the Standards, what main elements (at a minimum) should a QA team member expect to see formally defined in an IA activity’s charter?

A. Mission/vision and individual engagement objectives.

B. Purpose, authority and responsibility.

C. Organization chart, reporting lines, and job descriptions.

D. Risk assessment methodology and engagement planning.

Answer: B

Standard 1000. The purpose, authority and responsibility of the Internal Audit activity should be formally defined in a charter. Answers A, C, and D would be reviewed when the QA team evaluates conformance with other Standards.

Page 111: Internal Audit Quality Assessment

Scenario 3

You are validating the results of an internal self-assessment. You have received the IA activity’s fully documented self-assessment. Which of the following QA Tools would you review to validate their review of Standard 1300?

A. Tool 12: IA Activity Structure and Responsibilities

B. Tool 14: Staff Professional Proficiency

C. Tool 16: Assessing Production and Value-Added

Answer: A

QA Manual Tool 12 “Objectives”

Page 112: Internal Audit Quality Assessment

Scenario 4

Which is not one of the lessons learned in performing an external quality assessment according to IIA research?

A. Maintain a separate tracking system for the data typically needed in the external assessment process.

B. Leverage the lessons learned from the first external quality assessment to make subsequent processes more efficient.

C. Contract with an external quality assessment provider who can add value.

D. Recommend that the external quality assessment team spend more time in planning and less time on-site.

Answer: D

IIA Research Emerging Issues (External QA Results, Tools, Techniques and Lessons Learned). “D” is incorrect because the lesson learned is that the team should spend more time on-site. A-C are from the research survey (a copy is in your workbook).

Page 113: Internal Audit Quality Assessment

Scenario 5

Which of the following is true about a Generally Complies rating?

A. For the major Standards categories (e.g. 1200, 2000, etc.) there is general compliance with the majority of the individual Standards and at least partial conformance with others.

B. There are no significant opportunities for improvement within the major categories or individual Standards.

C. General compliance requires complete compliance with the individual Standard.

D. All of the above.

E. None of the above.

Answer: A

Tool 19 Definitions

Page 114: Internal Audit Quality Assessment

Scenario 6

You are completing an internal assessment. Which of the following would you use as evidence or consider as sound practices in evaluating 2030 Resource Management?

A. IA staffing analysis and annual operating plans

B. Program for selecting and developing IA human resources

C. Interviews with senior management and the CAE

D. All of the above

E. None of the above

Answer: D

Tool 19 Examples of Evidence for Standard 2030.

Page 115: Internal Audit Quality Assessment

Scenario 7

The IPPF requires all internal audit shops to perform which types of audits?

A. Attestation

B. Compliance

C. Operational

D. Strategic

E. All of the Above

F. None of the Above

Answer: F

Per the definition, IA is an “assurance and consulting” activity. Although none of the types of audits listed is required by the IPPF, some are types of assurance or consulting audit activities.

Page 116: Internal Audit Quality Assessment

Scenario 8

Which of the following best describes the required process for testing work papers for IPPF compliance?

A. Substantive testing of work papers to ensure maximum error rate is within acceptable limits.

B. Random sampling of work papers to project error rates over the entire population.

C. 100% testing of all work paper files.

D. A statistically valid sample of work papers for each type of project performed to verify that the overall process implemented by the IA department is functioning.

E. None of the Above

Answer: E

None of the answers is covered in the QA Manual or Tools 17 or 19.

Page 117: Internal Audit Quality Assessment

Scenario 9

For an independent assessor or validator to arrive at a conclusion that the Internal Audit Activity is in conformance with the IPPF, interviews MUST BE conducted with:

A. The Chief Audit Executive

B. The Chairperson of the Audit Committee

C. The Chief Executive Officer

D. The Primary External Auditor

E. All of the Above

F. None of the Above

Answer: F

The QA Manual is not mandatory guidance. In order to conduct an effective external QA all of the individuals (A-D) “should” be interviewed.

Page 118: Internal Audit Quality Assessment

Scenario 10

The Standards required in the IPPF are best described as:

A. Standards for the Professional Practice of Internal Auditing

B. Internal Audit Essential Performance Requirements

C. International Internal Audit Practice Advisories

D. International Standards for the Professional Practice of Internal Auditing

E. Global Internal Auditing Guidance Principles

F. None of the Above

Answer: D

IPPF Preface and Introduction to the International Standards

Page 119: Internal Audit Quality Assessment

Scenario 11

One of the principles of the Code of Ethics is Integrity. Which of the following is a rule of conduct related to Integrity (select the two best answers)?

A. Internal Auditors shall be prudent in the use and protection of information acquired in the course of their duties.

B. Internal Auditors shall perform their work with honesty, diligence, and responsibility.

C. Internal Auditors shall not accept anything that will impair or be presumed to impair their professional judgment.

D. Internal Auditors shall not knowingly be a party to any illegal activity or engage in any acts that are discreditable to the profession of internal auditing or to the organization.

Answer: B & D

Code of Ethics: Rules of Conduct. “A” is related to Confidentiality and “C” is related to Objectivity.

Page 120: Internal Audit Quality Assessment

Scenario 12

You are planning an external assessment. You have determined that the CAE reports to a CEO (administratively) and Audit Committee (functionally). The CEO has informed the CAE that there are some activities that are not ready to be audited. The Audit Committee appears to be independent, but the AC Charter only requires them to meet with the CAE once a year. The CAE is very confident that IA has the level of resources needed to carry out the IA Charter. What are examples of the evidence that your team will need to review to evaluate conformance to Standard 1110?

A. The annual audit plan

B. Interviews with the CEO, AC, CAE, Senior/Operating Management, IA Staff Members

C. Budgets and staffing resources

D. Reporting of the restrictions (areas not ready for auditing) to the AC.

E. A & D Only

F. A, B, C & D.

Answer: F

IPPF Table of Contents

Page 121: Internal Audit Quality Assessment

At Protiviti, we believe the organizations that most effectively understand and manage their risk are the companies that most often succeed.