Standards 1300 – 1322
QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
Presentation by SBA’s Office of Internal Audit
Topics
1. Introduction
2. Quality Assurance & Improvement Program
3. Internal Assessments-Ongoing Monitoring
4. Internal Assessments-Periodic Self-Assessments
5. External Assessments
6. New IPPF
2
SBA Functional Org Chart
3
SBA Functional Org Chart
4
Office of Internal Audit
5
Office of Internal Audit
6
Office of Internal Audit
Standard of Practice:
The Institute of Internal Auditors' (The IIA) International Professional Practices Framework (IPPF).
IPPF mandatory elements consisting of: Core Principles, Definition of Internal Auditing, Code of Ethics, and the International Standards for the Professional Practice of
Internal Auditing (Standards)
7
State Agencies
Section 20.055(6)(a), Florida Statutes ….the director of auditing shall perform the functions listed in this subsection. (a) Such audits shall be conducted in accordance with the current International Standards for the Professional Practice of Internal Auditing as published by the Institute of Internal Auditors, Inc., or, where appropriate, in accordance with generally accepted governmental auditing standards. All audit reports issued by internal audit staff shall include a statement that the audit was conducted pursuant to the appropriate standards.
8
Primary Objective of QAIP
The primary objective of QAIP is to promote continuous improvement. QAIP presumes that quality is built into the structure of the internal audit activity.
9
Conformance Built Into the Structure
OIA Manual
10
Conformance Built Into the Structure
OIA Manual Table of Contents
11
Conformance Built Into the Structure
OIA Manual
12
Conformance Built Into the Structure
13
Conformance Built Into the Structure
14
Conformance Built Into the Structure
15
Conformance Built Into the Structure
16
Conformance Built Into the Structure
17
Conformance Built Into the Structure
18
Conformance Built Into the Structure
19
IIA Standards 1300 to 1322
1300: Quality Assurance and Improvement Program 1310: Requirements of the Quality Assurance and
Improvement Program
1311: Internal Assessments
1312: External Assessments
1320: Reporting on the Quality Assurance and Improvement Program
1321: Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”
1322: Disclosure of Nonconformance
20
Responsible for QAIP
Standard1300: Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.
21
Requirements of the QAIP
1. Internal assessments - comprised of two interrelated parts:
a. ongoing monitoring and b. periodic self-assessments
2. External assessments – can be in the form of: a. A full external assessment, or b. A self-assessment with independent external
validation
22
Key Challenges Faced by Small Audit Shops
Adequacy of Resources Retention of Qualified Staff or Subject
Matter Experts Independence
23
Key Challenges Impact on Conformance with the Standards
24
INTERNAL ASSESSMENT - ONGOING MONITORING Internal Assessments must include ongoing monitoring of the performance of the internal audit activity
Internal Assessment – Ongoing Monitoring
Practice Advisory 1311-1 interpretation of ongoing monitoring:
Day-to-day supervision, review, and measurement of the internal audit activity
Routine policies and practices used to manage the internal audit activity
Processes, tools, and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards
26
Per Practice Advisory ongoing
monitoring achieved by: • Standard working practices • Engagement planning • Supervision • Assessing the audit engagement
action plan prior to fieldwork • Using checklists or automation
tools to provide assurance on compliance with established practices and procedures
• Working paper procedures and signoff by engagement supervisors
• Review of reports and supporting documentation for comments
• Assess the progress of the OIA Annual Audit Plan
• Maintain an updated OIA procedure manual
• Perform engagement-specific quality assurance assessments and related verifications
• Review working papers and audit reports
• Maintain a database of recommendations/action plans and related status
• Complete required continuing professional education
Internal Assessment – Ongoing Monitoring Examples of SBA OIA ongoing monitoring:
27
28
Engagement-Specific QA Assessment Example
29
Engagement-Specific QA Assessment Example (Continued)
30
Engagement-Specific QA Assessment Example (Continued)
31
Engagement-Specific QA Assessment Verification
INTERNAL ASSESSMENT - PERIODIC MONITORING Internal Assessments must include periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices
Assess conformance with:
• The Standards • Definition of Internal
Auditing • Code of Ethics • Internal audit’s charter,
plans, policies, procedures, practices, and applicable legislative/regulatory requirements
Be a self-assessment, or an assessment by a CIA (or other competent professional) from a different department
Encompass a combination of self-assessments
Include interviews and surveys
Serve to facilitate & reduce the cost for an external assessment
Internal Assessment – Periodic Monitoring
Assessment may:
33
How does the OIA perform periodic monitoring?
Annually review the OIA Charter.
Annually perform a self-assessment of the
internal audit activity.
34
Rating Methodology
Generally Conforms (GC)
Partially Conforms (PC)
Does Not Conform (DNC)
Conformance vs. Compliance
35
Conformance vs. Compliance
Conformance with standards is a technical term borrowed from the quality management discipline.
It is not about complying with the letter of the standard.
Someone who is in conformance with a standard is expected to achieve the spirit of the standard.
This is consistent with a principles-based approach of the IPPF
36
37
Annual Self-Assessment Example
38
Annual Self-Assessment Example
Annual Self-Assessment Example
39
Quality Initiatives Opportunities for improvement identified during the self-
assessment
Does not indicate nonconformance
40
EXTERNAL ASSESSMENT
External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization
Frequency, Scope & Form per Standard: • Once every 5 years • All aspects of internal
audit activity • Form
-full external assessment, or -self-assessment with independent external validation
Once every 5 years
All aspects of internal audit activity, i.e., audit and consulting work as prescribed in the OIA charter
Self-assessment with independent external validation
External Assessments OIA’s Frequency, Scope & Form
42
Qualifications of External Validator
• No Conflict of interest
• Integrity
• Objectivity
• Competence
• Technical expertise
43
CAE oversees work of the self-assessment team that:
• Completes planning documentation
• Performs work programs
• Evaluates conformance with The IIA’s Definition of Internal Auditing, Code of Ethics, and Standards
• Produces report assessing the conformance conclusion
Review of assessment planning documentation
Re-perform assessment work program steps for a sample of reports/wps selected, analyze survey results, and conduct interviews with key stakeholders
Assess the conformance conclusion reported by the self-assessment team
OIA Self-assessment with External Validation
External Assessor Validates through:
44
OIA self-assessment with external validation
45
OIA Self- Assessment with External Validation
46
Example of Internal Audit Process Planning Guide – A4
47
Example of Internal Audit Process Planning Guide – A4
48
Example of Internal Audit Process Evaluation Guide – D4
49
OIA Self-Assessment with Independent External Validation Quality Assurance Report
Expressed opinion on the internal audit activity’s conformance
Recommendations for improvement, as appropriate
CAE response to recommendations to include action plan and implementation date
50
OIA Self-Assessment with Independent External Validation Quality Assurance Report
51
Changes to the International Professional Practices Framework (IPPF)
Old IPPF Framework New IPPF Framework
52
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
1. Demonstrates integrity.
2. Demonstrates competence and due professional care.
3. Is objective and free from undue influence (independent).
4. Aligns with the strategies, objectives, and risks of the organization.
5. Is appropriately positioned and adequately resourced.
6. Demonstrates quality and continuous improvement.
7. Communicates effectively.
8. Provides risk-based assurance.
9. Is insightful, proactive, and future-focused.
10. Promotes organizational improvement.
10 Core Principles:
Internal Audit Mission Statement:
53
New IPPF Resources
Webinar Playback – What to Expect Internal Auditor Article New Guidance Video FAQs Press Release Brochure https://na.theiia.org/news/press-releases/Pages/IIA-Introduces-Updated-Guidance-Framework.aspx
54
ANY QUESTIONS OR COMMENTS?