10/5/2016. Quality Assessment Review. Agenda. What s the purpose of a QAR? Internal Audit Manager Training October 3-4, 2016

Transcription

1 Quality Assessment Review Internal Audit Manager Training October 3-4, 2016 Lori Clark CIGA, CCEP, CGAP Compliance & Audit Specialist State University System of Florida Agenda What s the purpose of a QAR? Do I have to have one? Who conducts the QAR? How and when to prepare? What "counts?" Did we pass? What next? What s the purpose of a QAR? Assess conformance with standards Meet legal requirements Meet professional standards requirements Allow use of conformance language Improve operations 1

2 Do I Have to Have One? Yes! Section 11.45(2)(i), Florida Statutes, requires review every three (3) years of internal audit reports at each state agency* to check for OIG compliance with the IPPF (IIA's Red Book), or GAS (Yellow Book), if appropriate. *s (1)(d) defines State Agency Do I Have to Have One? Standard External Assessments must be conducted at least once every 5 years by a qualified, independent assessor or assessment team from outside the organization. IIA vs. Statute Frequency: Statute IIA QAR Team: Statute IIA every 3 years every 5 years Auditor General qualified, independent assessor or external team 2

3 How and When to Prepare? Preparation is (ideally) continuous! But once you know the QAR is imminent Refer to the IIA's QAR Manual Ask other agencies for advice Review recently released QAR reports Complete questionnaires thoroughly How and When to Prepare? Gather info such as: Charter Policies and Procedures Manuals Org Chart Annual Report(s) QAIP and/or Last QAR Report & CAP What Counts? Per Engagement Letter: will begin a quality assessment review of the [IG office] internal audit activity in the near future. By law*, we are required to review a sample of each agency s internal audit reports once every 3 years. (Emphasis added.) *s.11.45(2)(i) 3

4 1300 Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. IIA QAIP Standard1300 All aspects of the internal audit activity IIA Standard 1000: Purpose, Authority, & Responsibility Requirement The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval. 1100: Independence & Objectivity The internal audit activity must be independent, and internal auditors must be objective in performing their work. 1200: Proficiency & Due Professional Care Engagements must be performed with proficiency and due professional care. 1300: QAIP The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. IIA QAIP Standard1300 All aspects of the internal audit activity IIA Standard Requirement 2000: Managing the IA Activity The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. 2100: Nature of Work The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach. 2200: Engagement Planning Internal auditors must develop and document a plan for each engagement, including the engagement s objectives, scope, timing, and resource allocations. 2300: Performing the Engagement Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement s objectives. 2400: Communicating Results Internal auditors must communicate the results of engagements. 2500: Monitoring Progress The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management. 2600: Communicating the Acceptance of Risks When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board. 4

5 1310 Requirements of the Quality Assurance and Improvement Program The quality assurance and improvement program must include both internal and external assessments. IIA QAIP Standard 1310 Internal assessments- comprised of two interrelated parts: a. ongoing monitoring, and b. periodic self-assessments. External assessments can be in the form of: a. A full external assessment, or b. A self-assessment with independent external validation Internal Assessments Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices. 5

6 IIA QAIP Standard 1311 Ongoing Monitoring Practice Advisory Standard working practices Engagement planning Supervision Using checklists or automation tools to provide assurance on compliance with established practices and procedures Working paper procedures and signoff by engagement supervisors SBA OIA Assess the progress of the OIA Annual Audit Plan Maintain an updated OIA procedure manual Perform engagement-specific quality assurance assessments and related verifications Review working papers and audit reports Maintain a database of recommendations/action plans and related status Review of reports and supporting documentation for comments IIA QAIP Standard 1311 Periodic Assessments Assessment May SBA OIA Be a self-assessment, or an assessment by a CIA (or other competent professional) from a different Annual self-assessment department Encompass a combination of self-assessments Annual review of the OIA Charter Include interviews and surveys Serve to facilitate & reduce the cost for an external assessment External Assessments External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board: The form and frequency of external assessment; and The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest. 6

7 IIA QAIP Standard 1312 External Assessment Forms per IIA Standard SBA OIA Full external assessment Self-assessment with independent external validation Self-assessment with independent external validation 1320 Reporting on the Quality Assurance and Improvement Program The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board Disclosure of Nonconformance When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board. 7

8 Primary Objective of QAIP The primary objective of QAIP is to promote continuous improvement. QAIP presumes that quality is built into the structure of the internal audit activity. Benefits of Internal QA Demonstrate consistency across audit offices Increase audit oversight from audit senior management Foster a culture of continuous improvement in internal audit Identify professional development and training needs for the internal audit staff Lay the foundation for external QAR. Help IA achieve smooth review and clean opinion Benefits of External QA Increased stakeholder confidence Evidence of professional dedication Enhances ability of others to rely on your audit work 8

9 Did We Pass? What Next? 1321 Use of Conforms with the International Standards for the Professional Practice of Internal Auditing The CAE may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement. A Few Statistics For You AG Reports: QAR Summary 42 Generally Conforms results 6 Partially Conforms results 0 Did Not Conforms results Nature of Findings Statutory Non-compliance Imbalance of audit, investigative, and other accountability activities Inappropriate qualifications Lack of audit plan and identification of necessary resources Insufficient communication and reporting Non-existent documentation of risk assessment process and audit plan development. 9

10 Nature of Findings IIA Standards Non-compliance Lack of training and logging Inappropriate planning and documentation in engagement planning, field work, and reporting No reference of IA Definition or Code of Ethics in Charter In appropriate reporting lines Questions/Comments? Resources The IIA AUDITNET IIA QAR Manual - s/quality-assessment-manual.aspx New IPPF Resources releases/pages/iia-introduces-updated- Guidance-Framework.aspx 10

11 Thank you! Lori Clark Phone: (850)