Internal Audit Quality Assessment

  1. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. Internal Audit Quality Assessment
  2. Mohammad Kamel AL-Draidi. Attend/Workshop: internal audit quality assessment. 18 November 2014, Riyadh, Saudi Arabia
  3. Objectives of the Workshop
     We will focus on:
     • Understand requirements of Quality in Internal Audit
     • Understand what is Quality Assessment
     • International Professional Practices Framework (IPPF) and International Standards for the Professional Practice of Internal Auditing (International Standards)
     • Quality Assessment & Improvement Program
     • Familiarization of Quality Assessment Process of an Internal Audit Function
     • Understand the Quality Assessment tools and techniques
     • Common observations highlighted in Quality Assessment reviews
     • Attributes of high performing Quality Assessment reviews
  4. Quality
  5. What is Quality?
     • Quality is not absolute. The quality of a product or service is the degree to which the product or service meets the customer’s expectations and the degree to which it is fit for purpose.
     • Delivering quality requires a systematic and disciplined approach as professionals — quality does not just happen.
     • It is the combination of the right people, the right systems, and a commitment to excellence.
     • It is driven by the leaders of the organization who are responsible for setting the “tone at the top.”
     “Quality is never an accident, it is always an Intelligent Effort” – John Ruskin
  6. Quality in Internal Audit
     • For an internal audit activity, stakeholders could include the board, senior management, the external auditor, and operational managers.
     • Quality in internal audit is guided by both an obligation to meet customer expectations as well as professional responsibilities inherent in conforming to the Standards.
     • Quality in internal audit begins with the structure and organization of the audit activity.
     • Quality should be built in to, and not on to, the way the activity conducts its business. This can be done through deploying:
       • Internal audit methodology,
       • Policies and procedures, and
       • Human resource practices.
     • Each of these should be premised on a common understanding of quality and stakeholder perception of value.
  7. Drivers
     • Stakeholders Expectations
     • IA Charter, Policies and Procedures
     • Leading Practices
     • IIA Standards
  8. Quality Assessment
  9. 5Ws of Quality Assessment (QA)
     #1 WHAT is QA? A QA evaluates conformance with the International Standards, the efficiency and effectiveness of the internal audit activity, and the use of leading practices.
     #2 WHY undergo QA? QAs are necessary in order to provide full objectivity. They build stakeholder confidence by documenting the internal audit function's commitment to quality and leading practices, and the internal auditors' mindset for professionalism. They provide evidence to the board, management, and staff that the internal audit activity is concerned about the organization's internal controls, governance, and risk management processes.
  10. 5Ws of Quality Assessment [QA] (contd.)
     #3 WHEN does an Internal Audit Activity need to have a QA performed? It is mandatory that every internal audit activity undergo a QA conducted by an independent team or independent validator once every five years to comply with the International Standards. The clock starts ticking for the five-year period when an internal audit activity formally adopts the International Standards.
     #4 WHO can conduct a QA? The Professional Practices Framework defines the required competency of the QA team leaders and team.
     #5 WHERE do I start? To conduct an internal quality assessment, start by establishing a benchmark of your internal audit activity that can be used to establish metrics indicating improvement in areas of partial compliance or noncompliance with the International Standards.
  11. Benefits of Quality Assurance
  12. Beneficiaries of Quality Assurance
     • Internal Auditors
     • Management
     • Audit Committee / Board
     • Employees
  13. Benefits of Quality Assurance for Internal Auditors
     • Ability to state conformance with the International Standards
     • Continuous improvement
     • Obtaining best-practice recommendations and benchmarks
     • Gaining a sense of accomplishment and satisfaction
     • Better focus on the areas for further improvement and new ideas on how to do things better
  14. Benefits of Quality Assurance for the Audit Committee & Board
     • Assurance of the internal audit activity’s quality, competence and professionalism
     • Clarity for the internal audit and audit committee’s roles and responsibilities and their respective charters
     • Receiving an independent assessment / opinion of the effectiveness of the internal audit activity
     • Increased reliance upon the work of internal audit activity and enhanced credibility
  15. Benefits of Quality Assurance for the Management
     • Opportunity to provide anonymous feedback to the internal audit activity
     • Raised awareness among the management about internal audit role and professional standards
     • Assurance that the auditors are being audited
     • Independent validation of the effectiveness of the internal audit activity
  16. Benefits of Quality Assurance for the Employees
     • Assurance that the auditors are being audited
     • Gained more familiarity with the internal auditor’s role
     • Ability to express feedback on the internal audit activity
     • Assurance that the internal audit activity can be trusted and is credible
  17. International Professional Practices Framework (IPPF)
  18. The International Professional Practices Framework
     The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. IPPF guidance includes:
     • Mandatory Guidance
       • Definition
       • Code of Ethics
       • International Standards
     • Strongly Recommended Guidance
       • Position Papers
       • Practice Advisories
       • Practice Guides
  19. IPPF – Definition of Internal Auditing
     Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  20. IPPF – Code of Ethics
     The Code of Ethics of The Institute of Internal Auditors (IIA) are principles relevant to the profession and practice of internal auditing and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.
  21. IPPF – International Standards
     The purpose of the International Standards for the Professional Practice of Internal Auditing (International Standards) is to:
     • Delineate basic principles that represent the practice of internal auditing as it should be.
     • Provide a framework for performing and promoting a broad range of value-added internal audit activities.
     • Establish the basis for the evaluation of internal audit performance.
     • Foster improved organizational processes and operations.
     The International Standards consist of the following:
     • Attribute Standards (Mandatory)
     • Performance Standards (Mandatory)
  22. IPPF – Position Papers
     Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and delineating related roles and responsibilities of internal auditing.
  23. IPPF – Practice Advisories
     Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the International Standards and promoting good practices. Practice Advisories address internal auditing approach, methodologies, and consideration, but not detailed processes or procedures. They include practices relating to:
     • international, country, or industry-specific issues;
     • specific types of engagements;
     • legal or regulatory issues.
  24. IPPF – Practice Guides
     Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as:
     • tools and techniques;
     • programs;
     • step-by-step approaches; and
     • examples of deliverables.
  25. IPPF Standards
  26. IPPF – International Standards
     Attribute Standards explain the following (Standard: Title):
     1000: Purpose, Authority and Responsibility
     1010: Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter
     1100: Independence and Objectivity
     1110: Organisational Independence
     1111: Direct Interaction with the Board
     1120: Individual Objectivity
     1130: Impairment to Independence or Objectivity
     1200: Proficiency and Due Professional Care
     1210: Proficiency
     1220: Due Professional Care
     1230: Continuing Professional Development
     1300: Quality Assurance and Improvement Program (QAIP)
     1310: Requirements of the Quality Assurance and Improvement Program
     1311: Internal Assessments
     1312: External Assessments
     1320: Reporting on the Quality Assurance and Improvement Program
     1321: Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
     1322: Disclosure of Nonconformance
  27. IPPF – International Standards
     Performance Standards explain the following (Standard: Title):
     2000: Managing the Internal Audit Activity
     2010: Planning
     2020: Communication and Approval
     2030: Resource Management
     2040: Policies and Procedures
     2050: Coordination
     2060: Reporting to Senior Management and the Board
     2070: External Service Provider and Organizational Responsibility for Internal Auditing
     2100: Nature of Work
     2110: Governance
     2120: Risk Management
     2130: Control
     2200: Engagement Planning
     2201: Planning Considerations
     2210: Engagement Objectives
     2220: Engagement Scope
     2230: Engagement Resource Allocation
     2240: Engagement Work Program
     2300: Performing the Engagement
     2310: Identifying Information
     2320: Analysis and Evaluation
     2330: Documenting Information
     2340: Engagement Supervision
  28. IPPF – International Standards
     Performance Standards (contd.) (Standard: Title):
     2400: Communicating Results
     2410: Criteria for Communicating
     2420: Quality of Communications
     2421: Errors and Omissions
     2430: Use of ‘Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing’
     2431: Engagement Disclosure of Nonconformance
     2440: Disseminating Results
     2450: Overall opinions
     2500: Monitoring Progress
     2600: Resolution of Senior Management’s Acceptance of Risks
  29. IPPF – Mandatory Guidance for Quality Assurance
  30. IPPF – Mandatory Guidance for Quality Assurance
     Standard: Title
     1300: Quality Assurance and Improvement Program
     1310: Requirements of the Quality Assurance and Improvement Program
     1312: External Assessments
     1320: Reporting on the Quality Assurance and Improvement Program
     1321: Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
     1322: Disclosure of Nonconformance
  31. IPPF – Mandatory Guidance for Quality Assurance (contd.)
     1300 Quality Assurance and Improvement Program
     The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
     Interpretation: A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.
  32. IPPF – Mandatory Guidance for Quality Assurance (contd.)
     1310 Requirements of the Quality Assurance and Improvement Program
     The quality assurance and improvement program must include both internal and external assessments. Internal assessments are of two types:
     • Ongoing as part of each audit review
     • Periodic peer review
  33. IPPF – Mandatory Guidance for Quality Assurance (contd.)
     1312 External Assessments
     External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.
     Interpretation: A qualified reviewer or review team consists of individuals who are competent in the professional practice of internal auditing and the external assessment process. The evaluation of the competency of the reviewer and review team is a judgment that considers the professional internal audit experience and professional credentials of the individuals selected to perform the review. The evaluation of qualifications also considers the size and complexity of the organizations that the reviewers have been associated with in relation to the organization for which the internal audit activity is being assessed, as well as the need for particular sector, industry, or technical knowledge. An independent reviewer or review team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.
  34. IPPF – Mandatory Guidance for Quality Assurance (contd.)
     1320 Reporting on the Quality Assurance and Improvement Program
     The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.
     Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer’s or review team’s assessment with respect to the degree of conformance.
  35. IPPF – Mandatory Guidance for Quality Assurance (contd.)
     1321 Use of ‘Conforms with International Standards for the Professional Practice of Internal Auditing’
     The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.
     1322 Disclosure of Nonconformance
     When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.
  36. Quality Assurance & Improvement Program (QAIP)
  37. Quality Assurance & Improvement Program
     A QAIP should conclude on the quality of the internal audit activity and lead to recommendations for appropriate improvements. It enables an evaluation of:
     • Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
     • The adequacy of the internal audit activity’s charter, goals, objectives, policies and procedures.
     • The contribution to the organization’s governance, risk management, and control processes.
     • Completeness of coverage of the entire audit universe, risks faced by the company.
     • Whether the internal audit activity adds value, improves the organization’s operations, and contributes to the attainment of objectives.
  38. Quality Assurance & Improvement Program (contd.)
     To achieve comprehensive coverage of all aspects of the internal audit activity, a QAIP must effectively be applied at three fundamental levels (or perspectives):
     • Internal Audit Engagement Level (self-assessment at the audit, engagement, or operational level)
     • Internal Audit Activity Level (self-assessment at the internal audit activity or organizational level)
     • External Perspective (independent external assessment of the entire internal audit activity including individual engagements)
     The CAE is responsible for developing the QAIP and should lead by example by embedding quality into the internal audit activity.
  39. QAIP Program (contd.)
     Internal Audit Engagement Level (self-assessment at the audit, engagement, or operational level)
     The engagement supervisor (possibly a manager or the CAE) is responsible for providing assurance that:
     • Appropriate processes have been used to translate audit plans into specific, appropriately resourced audit engagements.
     • Planning, fieldwork conduct, and reporting/communicating results conform to the Definition of Internal Auditing, the Code of Ethics, and the Standards.
     • Appropriate mechanisms are established and used to follow-up management actions in response to audit recommendations.
     • Post-engagement client surveys, lessons learned, self-assessments, and other mechanisms to support continuous improvement are completed.
     Quality Review Checkilist.doc
  40. QAIP Program (contd.)
     Internal Audit Activity Level (Periodic self-assessment at the internal audit activity or organizational level). This can be conducted through:
     • Working paper reviews for conformance with the Definition of Internal Auditing, the Code of Ethics, the Standards, and internal audit policies and procedures by staff not involved in the respective audits.
     • Review of internal audit performance metrics and benchmarking of best practices. Use of GAIN metrics and CMM model.
     • Client surveys.
     • Interviews with various stakeholders.
     • Periodic activity and performance reporting to the board and other stakeholders as deemed necessary.
  41. QAIP Program (contd.)
     External Perspective (independent external assessment of the entire internal audit activity including individual engagements).
     The CAE must ensure that the internal audit activity undergoes an external assessment at least once every five years by an independent assessor or assessment team from outside the organization.
  42. Quiz
  43. Scenario 1
     Which of the following are the two approaches to external assessment?
     A. A full external assessment conducted by a qualified, external independent reviewer or review team.
     B. The use of a qualified, independent external reviewer or review team to conduct an independent validation of the internal self-assessment and a report completed by the internal audit activity.
     C. A full external assessment conducted by Certified Internal Auditors (CIAs) currently assigned elsewhere in the organization.
     D. Independent validation of the internal self-assessment using the organization’s external auditor firm.
     Answer: A & B
     Reference: Practice Advisory 1312-1 #4
  44. Scenario 2
     In addition to ongoing monitoring of the performance of the internal audit activity, which of the following must be included as part of the internal audit activity’s internal assessment program according to the Standards?
     A. Review of the organization’s methods for communicating periodic financial reporting information.
     B. Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.
     C. Integration of the internal audit activity’s financial, operational, IT, and consulting services.
     D. Researching and communicating new or updated accounting, auditing, and regulatory standards to staff.
     Answer: B
     Reference: Standard 1311
  45. Scenario 3
     Three CAEs, who are long-time members of a regional industry association, want to use a peer review approach to comply with Standard 1312. One of their Audit Committees is concerned about the appearance of impaired independence. To overcome this concern they could add one or more independent members to the external assessment team – or use the independent members to validate the work of their peer review teams (True or False)?
     A. True
     B. False
     Answer: A
     Reference: Practice Advisory 1312-1 #5 (last two bullet points).
  46. Scenario 4
     Which of the following is not a part of the International Professional Practices Framework?
     A. Code of Ethics
     B. Position Papers
     C. Development and Practice Aids
     D. Practice Guides
     Answer: C
     Reference: (IPPF Table of Contents): Also, per the Internal Audit Quality Assessment participant guide and the IIA web-site. Development and Practice Aids have been dropped and Position Papers and Practice Guides have been added.
  47. Scenario 5
     According to the definition of Internal Auditing in the International Professional Practices Framework (IPPF), the internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of which processes?
     A. Risk management, guidance and leadership.
     B. Governance, leadership and control.
     C. Risk management, governance and control.
     D. Financial reporting controls.
     Answer: C
     Reference: Definition of Internal Auditing – Answers A, C, and D are parts of three processes that are imbedded in the definition.
  48. Scenario 6
     “The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.” is the International Professional Practices Framework’s definition of –
     A. Independence
     B. Objectivity
     C. Neither
     Answer: A
     Reference: Glossary. These two terms are also defined in the “Interpretation” of Standard 1100.
  49. Scenario 7
     “An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others” is the International Professional Practices Framework’s definition of –
     A. Independence
     B. Objectivity
     C. Neither
     Answer: B
     Reference: Glossary and the “Interpretation” to Standard 1100.
  50. 50. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 49 Quality Assessment Process
  51. 51. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 50 The Quality Assessment (QA) Process Planning the Review • Selecting QA team • Self study • Preliminary visit • Surveys Performing the Review • On-site procedures • Interviews • Consider other monitoring functions • Evaluate the internal audit activity’s conformance • Review quality improvement actions – and consider best practices Communicating the Results • Closing conference • Draft / finalize report • Follow-up executive conference
  52. 52. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 51 Quality Assessment Process vis-à-vis Tools
  53. QA Process vis-à-vis Tools: Preparation and Preliminary Phase

      | QAE Tool | Description |
      |---|---|
      | Tool 1 | Preparation and Planning for Conducting External Quality Assessments |
      | Tool 1A | Preparation and Planning for Conducting a Self-Assessment with Independent Validation |
      | Tool 2 | Quality Assessment Advanced Preparation |
      | Tool 2A | Self-assessment Guide |
      | Tool 3 | Chief Audit Executive Questionnaire |
      | Tool 4 | Audit Client Survey |
      | Tool 5 | Internal Audit Activity Staff Survey |

  54. QA Process vis-à-vis Tools (contd.): Interview Guides

      | QAE Tool | Description |
      |---|---|
      | Tool 6 | Interview Guide – Board (AC) Member |
      | Tool 7 | Interview Guide – Executive to Whom Chief Audit Executive Reports |
      | Tool 8 | Interview Guide – Senior and Operating Management |
      | Tool 8A | Interview Guide – Chief Information Officer |
      | Tool 9 | Interview Guide – Chief Audit Executive |
      | Tool 10 | Interview Guide – Internal Audit Activity Staff |
      | Tool 11 | Interview Guide – External Auditor |

  55. QA Process vis-à-vis Tools (contd.): Quality Assessment Program Segments

      | QAE Tool | Description |
      |---|---|
      | Tool 12 | IA Activity Structure and Responsibilities |
      | Tool 13 | Risk Assessment and Audit Planning |
      | Tool 14 | Staff Professional Proficiency |
      | Tool 15 | Information Technology |
      | Tool 16 | Assessing Completion of Audit Plan and Value Added |
      | Tool 17 | Planning and Executing the Engagement, Workpaper Review, Audit Report, and Monitoring Progress |

  56. QA Process vis-à-vis Tools (contd.): Evaluation and Reporting

      | QAE Tool | Description |
      |---|---|
      | Tool 18 | Observations and Issues Worksheet |
      | Tool 19 | Standards Conformance Evaluation Summary |
      | Tool 20 | External Assessment Sample Report |
      | Tool 21 | Self-assessment with External Independent Validation |
  57. Preparation & Planning for QA Review
  58. Planning Activities
      • Quality Assessment team selection
      • Information gathering and CAE questionnaire tool
      • Preliminary visit
      • Client and staff survey
  59. Quality Assessment Team Selection
      • Qualifications (Practice Advisories)
        - Independence
        - Integrity and objectivity
        - Competence
        - Size of the team depends on the scope of work, objectives, etc. of the internal audit activity and organization.
      • Not required to be a CIA
  60. Information Gathering (Tool 2)
      • Organization culture
      • Independence
      • Internal Audit Charter
      • Audit Manual
      • Risk assessment methodology / audit plan
      • Objectivity and code of ethics
      • Quality Assurance and Improvement Program
      • Coordination
      • Successful practices
  61. Chief Audit Executive Questionnaire (Tool 3)
      Key highlights
      • Does the board (i.e., audit committee) get involved in the annual planning / budgeting?
      • Frequency of reporting to the board and meeting with it
      • Involvement in senior management meetings
      • Executive management’s expectations, support, and satisfaction
      • Use of the organization’s risk framework, strategic business plan, and technology plan in the planning process
      • Funding, staff mix and skills, technology, and resources
      • Staff views in planning process
      • Compliance with IIA
      • Adequacy of training programs
  62. Internal Audit Client and Staff Surveys
      • Tool 4 – Audit Client Survey
      • Tool 5 – Internal Audit Activity Staff Survey
      • Survey tools and techniques:
        - Anonymity and reader comprehension
        - Representative samples
        - Evaluating responses
        - Communicating results
  63. Internal Audit Client and Staff Surveys (contd.)
      • Audit Client Survey
      • This survey focuses on obtaining the perspectives of IA customers on the following:
        - Relationship of IA with management
        - Quality of Audit staff
        - Scope of audit work / coverage
        - Audit process and reporting
        - Management of IA activity
        - Value Added
        - Areas of Improvement
      Embedded file: Tool 4.doc
  64. Internal Audit Client and Staff Surveys (contd.)
      • IA Staff Survey
      • This survey focuses on obtaining the perspectives of IA team on the following:
        - Knowledge and Skills on IIA Standards
        - Knowledge and Skills on Audit process (Risk assessment, execution, reporting etc.)
        - Training and staff development process
        - Internal and External Communication
        - Interaction with Stakeholders
      Embedded file: Tool 5.doc
  65. Performing the Quality Assessment Review
  66. Conducting QA
      • To discuss and expand information gathered during the planning phase of the assessment, interviews are conducted with significant stakeholders of the internal audit activity and with the Chief Audit Executive.
      • Interviews with the following stakeholders:
        - Board / Audit Committee Member
        - Executive to Whom Chief Audit Executive Reports
        - Senior and Operating Management
        - Chief Audit Executive
        - Internal Audit Activity Staff
        - External Auditor
        - Audit file reviews
  67. Interview highlights
      The key objective of these interviews is to obtain independent perspectives of various stakeholders towards internal audit performance. Some of these are listed below:
      • Understand organization’s overall control environment, governance, and management processes and assess whether considered by IA team.
      • Key risks in the organization and assess whether considered by IA team.
      • Independence, structure, and scope of work of the IA activity.
      • Credibility and effectiveness of the CAE and the IA activity.
      • Professionalism of IA staff
      • Value added by IA
      • Partnering with IA
      • Improvement areas for IA
  68. Tool 6 – Interview Guide – Board / Audit Committee Member
  69. Tool 7 – Interview Guide – Executive to Whom CAE Reports
  70. Highlights of Tool 8 – Senior and Operating Management
      • Comment on the organization’s overall control environment, governance, and management processes.
      • Comment on other oversight or monitoring functions (such as evaluation, process improvement, control self-assessment, or special investigations) and the independent audit firm, in relation to the IA activity.
  71. Tool 9 – Interview Guide – Chief Audit Executive
  72. Highlights of Tool 10 – Internal Audit Activity Staff
      • Comment on the IA activity’s charter and scope of work.
      • Give your views on how you are managed and on how your skills are utilized and developed.
  73. Tool 11 – Interview Guide – External Auditor
  74. Workpaper review
      End-to-end review of sample audit files is a critical component to assess adherence to standards. The following key components are reviewed in this process:
      • Engagement Planning
      • Process Understanding
      • Process Risk Assessment
      • Audit Program
      • Work Paper documentation
      • Reporting and Audit Closure
      Workpaper review checklist
  75. Tailoring and Completing the QA Program Segment
      • Program segments are used to document and validate conformity to the Standards of the internal audit activity as well as the effectiveness of its policies and processes. Detailed procedures are segmented into major areas to be reviewed to ensure comprehensive coverage.
      • Tools to be used:
        - Tool 12 – IA Activity Structure and Responsibilities
        - Tool 13 – Risk Assessment and Audit Planning
        - Tool 14 – Staff Professional Proficiency
        - Tool 16 – Assessing Completion of Audit Plan and Value Added
        - Tool 17 – Planning and Executing the Engagement, Workpaper Review, Audit Report, and Monitoring Progress
  76. Areas to be Evaluated Using Tools 12 to 17
      • IA Structure, Independence and Objectivity
      • IA Planning
      • Internal audit staff core training
      • Internal audit staff competence
      • Engagement planning
      • Workpapers
      • Supervision
      • Communication
      • Audit reports
      • Audit plan
      • Monitoring progress
  77. Tool 12 – IA Activity Structure and Responsibility
  78. Tool 13 – Risk Assessment and Audit Planning
      Embedded file: Tool 13.doc
  79. Tool 14 – Staff Professional Proficiency
  80. Tool 16 – Assessing Production and Value Added
  81. Tool 17 – Planning and Executing the Engagement, Workpaper Review, Audit Report, and Monitoring Progress
  82. Communicating the Results
  83. Overview
      • At the end of the QA project, the team:
        - evaluates the overall results;
        - summarizes the issues;
        - has a closing conference; and
        - issues a final report
      TOOL 19 – STANDARDS CONFORMANCE EVALUATION – MASTER FRAMEWORK
      Embedded file: AppendixD-Tool 19.doc
  84. Tool 19 – Key Conformance Criteria

      | Standard Ref. | Key conformance criteria |
      |---|---|
      | 1000 Purpose, Authority & Responsibility | There is a Charter containing the purpose, authority, and responsibility of the internal audit activity. |
      | | The Charter has been reviewed periodically and approved by the board. |
      | | The Charter defines the nature of assurance and consulting services. |
      | 1010 Recognition of Definition of Internal Audit | The Charter includes reference to the definition of Internal Auditing and the Code of Ethics consistent with the Standards. |
      | 1110 Organizational Independence | The CAE reports to a level in the organization that is adequate to discharge his or her responsibilities. |
      | | Any reporting relationship (administrative or total) to management does not interfere with the CAE’s responsibility to the board. |
      | | There are no restrictions to the scope, resources, and access of internal audit activity. |
      | | Direct Interaction with Board / Audit Committee |

  85. Tool 19 – Key Conformance Criteria (contd.)

      | Standard Ref. | Key conformance criteria |
      |---|---|
      | 1120 Individual Objectivity | Auditors do not have assignments in conflict. |
      | | Audit staff has background and experience that does not conflict with audit assignment. |
      | | Results and conclusions of engagements are based on factual evidence and observation. |
      | | Inputs – Interviews, Evaluation of staff background, Resource allocation |
      | 1130 Impairment of Independence | Auditors are aware they must report any real or perceived conflict of interest as soon as such conflict arises. |
      | | Assignment of internal audit personnel takes into account previous responsibilities. |

  86. Tool 19 – Key Conformance Criteria (contd.)

      | Standard Ref. | Key conformance criteria |
      |---|---|
      | 1210 Proficiency | Auditors undergo specific training based on collective staff training needs analysis. |
      | | Staff performance is reviewed on a regular basis and criterion used is adequate and appropriate for the needs of the activity. |
      | | Auditors have fraud training or proficiency in identification of fraud indicators. |
      | | Auditors have training or proficiency in IT concepts and computer aided audit tools. |
      | 1220 Professional Due Care | Audit work papers provide evidence of due professional care in the conduct of the work performed. |
      | | Audit engagements are supported by appropriate tools, including information systems and used in an appropriate manner. |
      | | There is evidence of a risk assessment of the audit engagement. |

  87. Tool 19 – Key Conformance Criteria (contd.)

      | Standard Ref. | Key conformance criteria |
      |---|---|
      | 1230 Continuing Professional Development | There is continuing professional development to enhance the knowledge and competencies of internal auditors. |
      | 1310 QAIP | The internal audit activity has a process to monitor and assess the overall effectiveness of the quality program. |
      | 1311 | There is evidence of ongoing reviews of the performance of the internal audit activity. |
      | | Periodic reviews were performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards. |
      | 1312 | There is evidence of comprehensive external reviews by qualified, independent reviewers. |
      | 1320 | Reports of the results of external assessments are submitted to the board. |
      | 1321 | There is appropriate wording in audit reports. |
      | 1322 | There is appropriate wording in report to the board. |

  88. Tool 19 – Key Conformance Criteria (contd.)

      | Standard Ref. | Key conformance criteria |
      |---|---|
      | 2010 Planning | The CAE has established risk-based plans in consultation with the board and senior management. |
      | | Where appropriate, consulting engagements are in the annual audit plan |
      | 2020 Communication and Approval | The CAE has communicated the internal audit activity’s annual plans, including significant interim changes, to senior management and the board. |
      | | The CAE also has communicated to senior management and the board the impact of resource limitations. |
      | 2030 Resource Management | Staffing plans and financial budgets are determined from annual audit plans and activities of the internal audit department. |
      | | The internal audit activity is organized to ensure proper coverage of the organization’s audit universe. |
      | 2040 Policies and Procedures | There are appropriate policies and procedures and they are communicated to and understood by the staff of the internal audit activity. |

  89. Tool 19 – Key Conformance Criteria (contd.)

      | Standard Ref. | Key conformance criteria |
      |---|---|
      | 2050 Coordination | Internal audit work is coordinated with that of the external auditors and with internal providers of assurance and consulting services. |
      | 2060 Reporting to Senior Management and Board | There is evidence that CAE reports appropriately to the board and senior management on the internal audit activity purpose, authority, responsibility, and performance as well as significant fraud and other risks. |
      | 2110 Governance | Internal audit activity assesses and makes appropriate recommendations for improving the governance process in its accomplishment of the objectives specified in the Standards. |
      | 2120 Risk Management | The scope of internal audit includes appropriate evaluation of risk management and control systems. |
      | | Consulting projects cover all significant risk activities within the scope. |
      | | The potential for fraud and the organization’s fraud risk has been addressed. |

  90. Tool 19 – Key Conformance Criteria (contd.)

      | Standard Ref. | Key conformance criteria |
      |---|---|
      | 2201 Planning Considerations (Objectives, Scope, Audit Program and Resource Allocation) | Internal auditors systematically conduct a preliminary risk assessment of the organization’s audit universe in order to determine the engagement objectives. |
      | | Internal auditors develop and record a program for each engagement. |
      | | In the case of outside engagements, the internal auditors establish a written understanding about the objectives, scope, and respective responsibilities of each party. |
      | | Engagement scope is consistent with objectives. |
      | | Engagement staffing is consistent with the required skill sets. |
      | 2310 Identifying Information | Identify sufficient, relevant, reliable and useful information. |
      | | Intimation provided to audit client well in advance for the required information |
      | | Work papers include all the relevant information to achieve the objectives |

  91. Tool 19 – Key Conformance Criteria (contd.)

      | Standard Ref. | Key conformance criteria |
      |---|---|
      | 2320 Analysis and Evaluation | Audit conclusions and engagement results are based on appropriate analyses and evaluations that identify the root cause(s) of irregularities. |
      | | Appropriate use of tools. |
      | 2330 Documentation | Sufficient information is documented to support the conclusions and audit results. |
      | | Work papers have controlled access according to the policy of the organization. |
      | | There is evidence that CAE obtains appropriate approvals prior to releasing records. |
      | 2340 Engagement Supervision | There is evidence engagements are properly supervised as specified in the Standards. |
      | 2410 Criteria for Communication | There is evidence of appropriate, timely communication with management. |
      | | An overall opinion or conclusion is included in the audit report. |
      | | Communications outside the organization are limited in distribution and use of results. |
  92. Tool 19 – Key Conformance Criteria (contd.)

      | Standard Ref. | Key conformance criteria |
      |---|---|
      | 2420 Quality of Communications | Communications are appropriate, clear and concise |
      | | Audit reports contain condition, criteria, cause, corrective action and concerned person |
      | 2421 Errors and Omissions | Where appropriate, there is communication of corrected information to all parties. |
      | 2440 Disseminating Results | Audit reports are distributed to an appropriate level of senior managers. |
      | | If applicable, the CAE properly considered the elements of the standard prior to disclosure outside the organization. |
      | 2500 Progress monitoring | The CAE has established a follow-up process to monitor and ensure that management actions have been effectively implemented or risk accepted. |
  93. Final Assessment
      • A QAIP should include a rating scale to assess the level of conformance of the internal audit activity with the Standards.
      • Different options are available when deciding which assessment scale better suits particular needs. Some of those options include:
        - IIA Quality Assessment Manual Scale: Does Not Conform / Partially Conforms / Generally Conforms.
        - The IIA’s Assessment Scale — IIA Path to Quality: Introductory / Emerging / Established / Progressive / Advanced.
  94. Final Assessment (contd.)
      Embedded file: IA Maturity Model.pdf
  95. Common Observations Highlighted in Quality Assessment
  96. Common Observations

      | S. No. | Standard | Area | Observations |
      |---|---|---|---|
      | 1 | 2010 | Planning | The IA activity does not have a formal, documented risk assessment model for audit planning. |
      | | | | Senior management and ERM inputs not obtained. |
      | | | | Audit universe does not represent the entire business. |
      | | | | IT Audit not integrated with business audit. |
      | | | | Audit plan is often based on Resource availability. |

  97. Common Observations (contd.)

      | S. No. | Standard | Area | Observations |
      |---|---|---|---|
      | 2 | 1000 | Purpose, Authority and Responsibility | The IA activity charter is not updated on an annual basis. |
      | | | | The IA activity charter requires revision to consider IIA’s new definition of internal auditing, to reflect the CAE’s responsibilities, and to obtain approval from the Audit Committee. |
      | 3 | 1311 | Internal Assessments | While several elements of the new Standards on quality assurance may have been implemented by the IA activity, the internal ongoing assessments could be strengthened by additional monitoring and benchmarking. |

  98. Common Observations (contd.)

      | S. No. | Standard | Area | Observations |
      |---|---|---|---|
      | 4 | 1230 | Continuing Professional Development | Internal Audit does not have a formal training plan to ensure that staff members receive training to satisfy departmental needs and the annual audit plan. |
      | 5 | 1300 | Quality Assurance and Improvement Program | No set up for a formalized quality assurance and improvement program. |
      | | | | External assessments are performed but ongoing and periodic reviews are not in place. |

  99. Common Observations (contd.)

      | S. No. | Standard | Area | Observations |
      |---|---|---|---|
      | 6 | 2040 | Policies and Procedures | There is no formal internal audit policies and procedures manual governing the operating activities of the IA activity. |
      | | | | Manual is present but does not contain detailed procedural aspects. |
      | 7 | 2030 | Resource Management | The CAE should implement use of metrics to measure actual internal auditing performance against budget. |
      | | | | KPIs defined for the IA function, however, specific KPIs for audit staff not defined. |

  100. Common Observations (contd.)

      | S. No. | Standard | Area | Observations |
      |---|---|---|---|
      | 8 | 1110 | Organizational Independence | The organization chart shows that the CAE has a direct reporting relationship to the Executive Vice President and Chief Operating Officer and a dotted line relationship to the Audit Committee. |
      | 9 | 1210 | Proficiency | There is a perception on the part of clients, based on the client survey results and management interviews, that the IA activity Staff does not possess the desired level of business knowledge. |

  101. Common Observations (contd.)

      | S. No. | Standard | Area | Observations |
      |---|---|---|---|
      | 10 | 2110 | Risk Management | There may be areas of IT risk that are not included or may be expanded in the list of auditable units, such as IT strategy, enterprise application and organization. |
      | 11 | 2201 | Planning Considerations | Review of working papers showed an apparent lack of planning for engagements. |
      | | | | Engagement level risk assessment not performed. |
      | 12 | 2330 | Recording Information | A set of working paper standards needs to be developed and formally defined in the IA activity policies and procedures. A review of working papers indicated the quality varied between audit staff. |

  102. Common Observations (contd.)

      | S. No. | Standard | Area | Observations |
      |---|---|---|---|
      | 13 | 2340 | Engagement Supervision | Based on inspection, work papers are not always reviewed during audits on a timely basis. |
      | 14 | 2400 | Communicating Results | Results of internal audit engagements were not complete and/or were not communicated to the appropriate parties. |
      | 15 | 2200 | Engagement Planning | Review of work papers did not produce consistent documentation of planning considerations or the scope of audits. |
  103. High Performing Quality Assessments
  104. Traits of Highly Effective QAIP
      • They have dedicated staff who are passionate about quality assurance and improvement. This person or group of individuals is responsible for performing the internal self-assessment, gathering all information in preparation for the external QA, and performing ongoing monitoring of the internal audit activity.
      • They leverage the use of technology and invest in the right technology tools based on the internal audit activity’s quality assurance and improvement needs. Tools are used to document all internal audit work papers as well as secure information in a central location.
      • They have the support of senior management and the audit committee. Getting the support of these two entities is especially important when performing an external QA and in ensuring internal auditors are onboard with quality assurance activities.
  105. Attributes of High Performing QAIP
      1. The CAE is actively involved in the organization, including involvement in initiatives intended to strengthen the organization’s governance, risk management, and internal control processes.
      2. Similarly, the internal audit activity works closely with other governance and monitoring functions, including the organization’s risk management unit or personnel.
      3. The internal audit activity has an annual risk assessment process that is linked to the organization’s risk management program or process.
      4. The internal audit activity continuously monitors its audit universe and risk assessment framework, resulting in more focused, long-term audit planning and efficient audit schedules. Considers emerging risks.
      5. The internal audit activity uses technology-based audit tools to enhance its productivity and effectiveness.
  106. Attributes of High Performing QAIP (contd.)
      5. The CAE has made a commitment to the continuing education and training of internal audit staff and encourages internal auditors to acquire professional certifications.
      6. The CAE also encourages internal auditors to be actively involved in the profession (e.g., holding leadership positions in The IIA and participating as volunteers for external QAs).
      7. The internal audit activity has a high level of credibility and excellent reputation with clients and organization stakeholders.
      8. The internal audit activity coordinates optimally with all Stakeholders.
      9. The internal audit activity provides concise audit reports that focus on risk and follows up on management action plans in a timely manner.
      10. The internal audit plan outlines specific performance milestones to increase efficiencies within the activity leading to the presence of highly productive staff.
      11. The CAE holds open discussions with staff for the continuous improvement of the internal audit activity. Topics discussed include future work plans, controls testing, and internal audit techniques.
  107. 107. © 2013 Protiviti Middle East Region CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party. 10 6 12. There is excellent alignment among the internal audit activity, audit committee, and senior management team. In addition, the CAE and internal audit activity conduct periodic training for the audit committee. 13. The organization has a high level of confidence in the internal audit activity. 14. The internal audit activity has a high level of support from the organization’s senior management team, audit committee and/or board, and other stakeholders. 15. The internal audit activity includes staff members with experience in IT, data analytics, or IT auditing. 16. Uses technique of Control Self Assessment. Attributes of High Performing Quality Assessment (contd.)
  108. 108. Quiz
  109. 109. Scenario 1
       Which of the following best represents one of the specific tools for quality assessment generally used in the preparation and preliminary phase of a QA process?
       A. Interview guide for senior and operating management.
       B. Model information security policy.
       C. Standards compliance evaluation summary.
       D. Audit customer surveys.
       Answer: D
       Internal Audit Quality Assessment participant guide. QA Process Overview and the QA Manual references. Answer “A” is incorrect because it is normally used during the on-site review procedures.
  110. 110. Scenario 2
       When evaluating the activity’s conformance to the Standards, what main elements (at a minimum) should a QA team member expect to see formally defined in an IA activity’s charter?
       A. Mission/vision and individual engagement objectives.
       B. Purpose, authority and responsibility.
       C. Organization chart, reporting lines, and job descriptions.
       D. Risk assessment methodology and engagement planning.
       Answer: B
       Standard 1000. The purpose, authority and responsibility of the Internal Audit activity should be formally defined in a charter. Answers A, C, and D would be reviewed when the QA team evaluates conformance with other Standards.
  111. 111. Scenario 3
       You are validating the results of an internal self-assessment. You have received the IA activity’s fully documented self-assessment. Which of the following QA Tools would you review to validate their review of Standard 1300?
       A. Tool 12: IA Activity Structure and Responsibilities
       B. Tool 14: Staff Professional Proficiency
       C. Tool 16: Assessing Production and Value-Added
       Answer: A
       QA Manual Tool 12 “Objectives”
  112. 112. Scenario 4
       Which is not one of the lessons learned in performing an external quality assessment according to IIA research?
       A. Maintain a separate tracking system for the data typically needed in the external assessment process.
       B. Leverage the lessons learned from the first external quality assessment to make subsequent processes more efficient.
       C. Contract with an external quality assessment provider who can add value.
       D. Recommend that the external quality assessment team spend more time in planning and less time on-site.
       Answer: D
       IIA Research Emerging Issues (External QA Results, Tools, Techniques and Lessons Learned). “D” is incorrect because the lesson learned is that the team should spend more time on-site. A-C are from the research survey (a copy is in your workbook).
  113. 113. Scenario 5
       Which of the following is true about a Generally Complies rating?
       A. For the major Standards categories (e.g. 1200, 2000, etc.) there is general compliance with the majority of the individual Standards and at least partial conformance with others.
       B. There are no significant opportunities for improvement within the major categories or individual Standards.
       C. General compliance requires complete compliance with the individual Standard.
       D. All of the above.
       E. None of the above.
       Answer: A
       Tool 19 Definitions
  114. 114. Scenario 6
       You are completing an internal assessment. Which of the following would you use as evidence or consider as sound practices in evaluating 2030 Resource Management?
       A. IA staffing analysis and annual operating plans
       B. Program for selecting and developing IA human resources
       C. Interviews with senior management and the CAE
       D. All of the above
       E. None of the above
       Answer: D
       Tool 19 Examples of Evidence for Standard 2030.
  115. 115. Scenario 7
       The IPPF requires all internal audit shops to perform which types of audits?
       A. Attestation
       B. Compliance
       C. Operational
       D. Strategic
       E. All of the Above
       F. None of the Above
       Answer: F
       Per the definition, IA is an “assurance and consulting” activity. Although none of the types of audits listed is required by the IPPF, some are types of assurance or consulting audit activities.
  116. 116. Scenario 8
       Which of the following best describes the required process for testing work papers for IPPF compliance?
       A. Substantive testing of work papers to ensure maximum error rate is within acceptable limits.
       B. Random sampling of work papers to project error rates over the entire population.
       C. 100% testing of all work paper files.
       D. A statistically valid sample of work papers for each type of project performed to verify that the overall process implemented by the IA department is functioning.
       E. None of the Above
       Answer: E
       None of the answers is covered in the QA Manual or Tools 17 or 19.
  117. 117. Scenario 9
       For an independent assessor or validator to arrive at a conclusion that the Internal Audit Activity is in conformance with the IPPF, interviews MUST BE conducted with:
       A. The Chief Audit Executive
       B. The Chairperson of the Audit Committee
       C. The Chief Executive Officer
       D. The Primary External Auditor
       E. All of the Above
       F. None of the Above
       Answer: F
       The QA Manual is not mandatory guidance. In order to conduct an effective external QA all of the individuals (A-D) “should” be interviewed.
  118. 118. Scenario 10
       The Standards required in the IPPF are best described as:
       A. Standards for the Professional Practice of Internal Auditing
       B. Internal Audit Essential Performance Requirements
       C. International Internal Audit Practice Advisories
       D. International Standards for the Professional Practice of Internal Auditing
       E. Global Internal Auditing Guidance Principles
       F. None of the Above
       Answer: D
       IPPF Preface and Introduction to the International Standards
  119. 119. Scenario 11
       One of the principles of the Code of Ethics is Integrity. Which of the following is a rule of conduct related to Integrity (select the two best answers)?
       A. Internal Auditors shall be prudent in the use and protection of information acquired in the course of their duties.
       B. Internal Auditors shall perform their work with honesty, diligence, and responsibility.
       C. Internal Auditors shall not accept anything that will impair or presume to impair their professional judgment.
       D. Internal Auditors shall not knowingly be a party to any illegal activity or engage in any acts that are discreditable to the profession of internal auditing or to the organization.
       Answer: B & D
       Code of Ethics: Rules of Conduct. “A” is related to Confidentiality and “C” is related to Objectivity.
  120. 120. Scenario 12
       You are planning an external assessment. You have determined that the CAE reports to a CEO (administratively) and Audit Committee (functionally). The CEO has informed the CAE that there are some activities that are not ready to be audited. The Audit Committee appears to be independent, but the AC Charter only requires them to meet with the CAE once a year. The CAE is very confident that IA has the level of resources needed to carry out the IA Charter. What are examples of the evidence that your team will need to review to evaluate conformance to Standard 1110?
       A. The annual audit plan
       B. Interviews with the CEO, AC, CAE, Senior/Operating Management, IA Staff Members
       C. Budgets and staffing resources
       D. Reporting of the restrictions (areas not ready for auditing) to the AC.
       E. A & D Only
       F. A, B, C & D.
       Answer: F
       IPPF Table of Contents
  121. 121. At Protiviti, we believe the organizations that most effectively understand and manage their risk are the companies that most often succeed.
