TRANSCRIPT
QAR – Two Alternate Paths to Accomplish the External Assessment
IIA Puget Sound Chapter Luncheon, April 2015
Tom Taylor – Mutual of Enumclaw, [email protected] Annette Mumford – HomeStreet Bank,
Overview of the QAR standards
Full external assessment – HomeStreet Bank
◦ Approach
◦ Scope
◦ Preparation
◦ Deliverables
◦ Pros/Cons/Rewards/Challenges
Self-Assessment with independent external validation – Mutual of Enumclaw
◦ Approach
◦ Considerations
◦ Stakeholders
◦ Challenges
◦ Pros
Reviewer qualifications
Work program
Recommended Steps
Agenda
1. Does your audit function report to the Audit Committee (AC)?
2. How many CAEs here have educated their ACs on the Standards and the QAR process?
3. How many have had a QAR of their audit department?
4. Who is preparing for or planning on doing this?
5. Who has received training or received the accreditation as an independent assessor or validator?
Audience Survey
QARs are required under the IPPF Standards and are mandatory for auditors who are CIAs or members of the Institute.
An external review is required at least once every five years.
Quality Assurance Requirements
# 1300 – Quality Assurance and Improvement Program
The CAE is responsible for developing and maintaining a quality assurance and improvement program that:
◦ Covers all aspects of the internal audit activity and continuously monitors its effectiveness
◦ Provides assurance of conformance with the IIA Standards and Code of Ethics
◦ Assesses efficiency and effectiveness
International Professional Practice Standards
# 1310 – Quality Program Assessments
Process to monitor and assess the overall effectiveness of the quality program. Includes both:
◦ #1311 – Internal Assessments
◦ #1312 – External Assessments
# 1320 – Reporting on the Quality Program
The CAE reports the results of the assessments to the board and senior management.
International Professional Practice Standards
# 1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
This language is not required, but if it is used, the internal audit activity must have an assessment that demonstrates conformance with the Standards.
# 1322 – Disclosure of Noncompliance
Disclose to senior management and the board when noncompliance with the Standards impacts the overall scope or operation of the internal audit activity.
International Professional Practice Standards
# 1312 – External Assessments
External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.
International Professional Practice Standards
Practice Advisories
Additional Guidance
1300-1 Quality Assurance and Improvement Program January 2009
1310-1 Requirements of the Quality Assurance and Improvement Program January 2009
1311-1 Internal Assessments January 2009
1312-1 External Assessments January 2009
1312-2 External Assessments: Self-Assessment with Independent Validation January 2009
1312-3 Independence of External Assessment Team in the Private Sector June 2011
1312-4 Independence of the External Assessment Team in the Public Sector June 2011
1321-1 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” January 2009
What: Engaged a third party for an independent assessment of compliance with IIA Standards and use of best practices
Who: We used the IIA. Services can be provided by accounting firms, IA Services firms, IIA, independent consultants, NALGA Peer Review (government).
How Long: Approximately 3 months start to finish. On-site work completed in 1 week.
External Assessments – What, Who, How Long
HomeStreet Approach
Compliance with IIA Standards and Code of Ethics.
Use of best/leading practices.
Expectations of IA’s stakeholders – interviews and surveys.
IA’s Charter, plans, policies, procedures, practices, including the QA program.
Any regulatory requirements.
IA’s reports to management and the AC.
Integration of IA into the organization’s corporate governance and risk management processes.
External Assessments – Scope of Work
HomeStreet – Approach
Audit universe, risk assessment, annual audit planning.
Staff credentials and experience. Staff development.
Information technology.
Evaluation of IA’s use of best practices/value added.
Workpaper review.
External Assessments – Scope of Work – (Continued)
HomeStreet Approach
Long Lead Time Items:
◦ At least one year before, establish internal QAR processes – ongoing and periodic.
◦ Well in advance, perform a self-assessment against the Standards to gauge preparedness. (Remediate if needed/report gaps.)
◦ Discuss the QAR standards and your plans with the Audit Committee and other key stakeholders.
External Assessments – Preparation
HomeStreet - Approach
Engagement Specific Prep:
◦ Review bios/resumes of the QAR team to ensure they have the right experience. These individuals will meet with your AC Chair, senior managers, etc. Needs to be a good fit.
◦ Respond to the QAR team’s requests for information (complete questionnaires, assemble documentation, etc.).
◦ Communicate internally with the Audit Committee, members of management, and the internal audit team on the process, timing, etc.
External Assessments – Preparation
HomeStreet – Approach
Report issued that includes:
◦ Opinion on conformance with the Standards. Best rating – “Generally Conforms”.
◦ Assessment and evaluation of the use of best practices.
◦ Recommendations for improvement.
◦ Responses from the CAE that include action plans and implementation dates.
Report is issued to the Board & CAE.
External Assessments – Project Deliverables
HomeStreet Approach
Pros/Considerations
◦ Robust value-added for the CAE and IA customers – best practices, benchmarking.
◦ Experienced team – composed of other CAEs with prior QAR experience, and in our case bank audit experience.
◦ Efficient process.
◦ Felt an outside party would be more willing to provide more constructive input – more value.
◦ Credible assurance to stakeholders.
◦ For large audit departments, may be the best choice.
Pros and Cons External Assessments
Cons/Considerations
◦ Likely more expensive, both for the engagement itself and travel costs.
◦ Potential consultant bias to sell services (influenced our decision to use the IIA).
◦ May have less flexibility on scheduling as the QAR team is likely not local. Some senior managers were not available for interviews the week of the on-site work.
Pros and Cons External Assessments
HomeStreet Approach
Be sure to allocate enough time for the preparation and on site work. It is a big time commitment!
Be open for both validation of those things your shop does well and opportunities for improvement/best practices – this is where the value lies.
Challenges/Rewards
CAE/auditor performs self-assessment and independent reviewer validates with testing.
Same criteria evaluated as in the full external assessment.
Accounting firms, IA services firms, independent consultants, Puget Sound IIA Chapter, auditors from other companies can validate.
Self-Assessment with External Validation – What & Who
MOE Approach
Three local firms utilized, from non-competitive industries.
From each company, one CAE and one Senior or Manager. All signed NDAs.
Each company first completed a self-assessment:
◦ Utilized the test plan provided by the IIA.
◦ Gathered supporting evidence and self-scored.
◦ All materials digital and cross-referenced.
Kick-off meeting with all three companies present.
Self-Assessment With Validation
MOE Approach
2 to 4 weeks of internal self-assessment time prior to the validator.
Validation step did not include auditors from the company being assessed.
Allowed one week on-site for each company. Another one to two weeks off-site to compile, vet and create the report.
CAEs contributed to the governance sections.
Having the CAE sit in on interviews with the audit committee chair and C-suite executives was good. Helped build trust and credibility with executives.
Self-Assessment With Validation
MOE Approach
Validator documents agreement or disagreement with the conclusions in the self-assessment report.
Validation report issued separately from the self-assessment report.
Validation report went to the Board.
◦ I also shared the report with Management.
The CAE also received a separate report from the other CAEs with general tips/observations.
Self-Assessment With Validation
MOE Approach
Critical to manage expectations!!! Educate!
CAE & Internal Audit Department
◦ Is a reflection on leadership & staff skills
CEO/Management
◦ Answers the question of “Who audits the Auditor?” Can give the department credibility.
Board
◦ Provides confidence that the audit shop is in fact functioning according to best practice standards
Self-Assessment With Validation
MOE Stakeholders
◦ Company’s appetite for a QAR? Audit Committee?
◦ Do you need a little time to prep (i.e., fix known issues)?
◦ Consider a pre-QAR to get your house in order.
◦ Best for the CAE to be championing vs. the Audit Committee.
◦ As a CAE, you should have a clear picture of “Why.”
◦ Be passionate about the why!
◦ You are putting all of your laundry out for others to see. Could impact your reputation and career. Must take seriously!
Self-Assessment With Validation
MOE Considerations
Multi-year journey. Timing is a consideration.
Is the CAE new to the role? (Can be a good time to engage – provides great feedback or a road map on where to focus energy.)
If the CAE has been in the role for a while, there are additional considerations.
Self-Assessment With Validation
MOE Considerations
Assessment format to adopt?
Reporting format for the final presentation?
Scheduling conflicts come up given multiple organizations.
Merging different auditing styles (black and white vs. gray).
Often, this is the first time groups have engaged in such review activities.
Self-Assessment With Validation
MOE Challenges
Less expensive.
I liked being a little closer to the review.
Sharing of best practice, peer to peer.
I felt I could relate better to local teams vs. an academic approach or consultant.
Local companies brought a lot of credibility vs. an unknown.
Value-add for the CAE and IA stakeholders comes from the input of local practitioners, benchmarking, interviews.
May be best for smaller IA departments.
Self-Assessment With Validation
MOE Self-Assessment Pros
Independence
◦ Reciprocal arrangements between 3 or more can be OK.
Integrity and Objectivity.
Competence – certified (CIA, CPA, CISA), knowledgeable of the IA Standards, current with IA best practices, 3 or more years of IA experience recommended.
Relevant industry experience – recommended but not necessary.
IT Audit experience – recommended but not necessary.
Qualified Reviewer Requirements
Perform periodic Internal Assessments (see 1311-1) to review IA practices and compliance with the Standards and Code of Ethics.
Determine whether performance is consistent with Charter and stakeholder expectations. Consider surveying stakeholders.
Assess use of best practices and value added to organization.
How to prepare? – It’s not all about the workpaper files
There are six Program Segments:
1. Assessing the Organization
2. Risk Assessment & Engagement Planning
3. Staff Professional Proficiency
4. Information Technology
5. Assessing Production & Value Added
6. Individual Workpaper File Review
Overview of Program Segments
In preparing for a QAR, it is helpful to understand the relationship between the Program Segments and the Internal Auditing Standards
Relationship of Program Segments to Audit Standards
This program segment addresses compliance with six separate standards:
◦ 1000 Purpose, Authority & Responsibility
◦ 1110 Organizational Independence
◦ 1210 Proficiency
◦ 1220 Due Professional Care
◦ 1230 Continuing Professional Development
◦ 2040 Policies & Procedures
Assessing the Organization
The Risk Assessment & Engagement Planning Segment addresses the following standards:
◦ 1230 Continuing Professional Development
◦ 2010 Planning
◦ 2010.A1 Engagement Planning based on Risk Assessment
◦ 2020 Communication and Approval
◦ 2030 Resource Management
◦ 2050 Coordination
◦ 2060 Reporting to the Board & Senior Management
◦ 2110 Risk Management
◦ 2340 Engagement Supervision
Risk Assessment & Engagement Planning
The Staff Professional Proficiency Segment addresses the following standards:
◦ 1120 Individual Objectivity
◦ 1210 Proficiency
◦ 1220 Due Professional Care
◦ 1230 Continuing Professional Development
Staff Professional Proficiency
The IT segment, although not specifically mapped to any one standard, evaluates the IT audit function’s compliance with the following standards:
◦ 1000 Purpose, Authority & Responsibility
◦ 1110 Organizational Independence
◦ 1200–1230 Proficiency & Due Professional Care
◦ 2200–2240 Engagement Planning
Information Technology
The program segment for “Assessing Production & Value Added” relates to the following standards:
◦ 1110.A1 Independence in determining audit scope & communicating results
◦ 2030 Resource Management
◦ 2400 Communicating Results
Assessing Production & Value Added
The program segment for “Individual Workpaper File Review” relates to the following standards:
◦ 1220 Due Professional Care
◦ 2030 Resource Management
◦ 2112–2130 Scope of Work
◦ 2200–2240 Planning the Engagement
◦ 2300 Performing the Engagement
◦ 2310–2340 Examining & Evaluating Information
◦ 2400–2500 Communicating Results & Follow-up
Individual Workpaper File Review
Brief your audit committee on the requirement and how you plan to meet it.
Compare your practices against standards, address any gaps.
Consider taking the IIA’s QAR class and/or purchasing the IIA QAR Manual
Identify who will perform your QAR or validation
Recommended Steps