TIAPS ALB_Module 2C. Quality Assurance

  • No tags were found...

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

<strong>2C</strong>. <strong>Quality</strong> <strong>Assurance</strong><br />

<strong>2C</strong> Learning Outcomes<br />

On completion of this section, students will be better able to:<br />

• Describe processes for establishing and maintaining quality assurance.<br />

• Evaluate internal audit performance.<br />

• Evaluate the internal audit function.<br />

<strong>2C</strong>.1 The Need for <strong>Quality</strong> <strong>Assurance</strong><br />

IIA Internal Audit Competency Framework: <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program<br />

General Awareness: Describe requirements of the <strong>Quality</strong> <strong>Assurance</strong> and Improvement<br />

Program. Identify appropriate disclosure of conformance vs. nonconformance with The IIA’s<br />

International Standards for the Professional Practice of Internal Auditing.<br />

Applied Knowledge: Schedule and complete internal and external quality assessments to<br />

meet requirements and report results. Formulate appropriate disclosures of conformance vs.<br />

nonconformance with the Standards.<br />

Expert: Assess the internal audit activity’s quality assurance and improvement practices and<br />

assess conformance with the Standards. Assess the internal audit activity’s disclosures of<br />

conformance vs. nonconformance with the Standards. 26<br />

No amount of rigor, care, and attention can guarantee perfection. The goal of quality<br />

assurance is to ensure internal audit services are fit for purpose, meaning they should meet<br />

and ideally exceed stakeholder needs and expectations. The head of internal audit should<br />

engage regularly with stakeholders and seek their feedback – formally and informally – on<br />

their level of satisfaction. This can be achieved through structured surveys and discussions,<br />

questionnaires issued to clients after completion of engagements, and via continuous<br />

dialogue. In addition to the “pull” from customers, internal auditors should strive for<br />

continuous improvement and innovation in everything they do. Even if we are doing well,<br />

how can we do even better? The internal audit function is the champion of excellence and<br />

must lead by example.<br />

<strong>Quality</strong> assurance processes should operate at the individual engagement level as well as<br />

the internal audit function level. The following table highlights the key components of a<br />

quality assessment.<br />

Engagement Level <strong>Quality</strong> Assessment<br />

• Processes for planning, scoping, setting<br />

objectives, and resourcing engagements.<br />

• Conformance with the Standards.<br />

• <strong>Quality</strong> of work undertaken.<br />

• Processes used for follow-up.<br />

• Feedback collected from auditees.<br />

• Self-assessment conducted by auditors and<br />

supervisors.<br />

Internal Audit Activity Level <strong>Quality</strong> Assessment<br />

• Policies and procedures for all technical and<br />

administrative aspects.<br />

• Conformance with the Standards.<br />

• Conformance with policies and procedures.<br />

• Alignment of work with the internal audit charter.<br />

• Alignment with stakeholder needs and<br />

expectations.<br />

• Utilization of resources.<br />

26<br />

Internal Audit Competency Framework, The IIA, 2022.<br />


They should be built-in rather than bolt-on, meaning the processes are integrated into<br />

routine practices rather than something additional to be completed after the work is done.<br />

<strong>Quality</strong> assurance refers to the way we do things rather than something extra we do.<br />

There are many components contributing to quality.<br />

• A commitment to continuous improvement as reflected in the internal audit strategic<br />

plan and the behaviors of auditors, audit managers, and the head of the function.<br />

• The competency of internal auditors as well as their training and continuing<br />

professional education.<br />

• The leadership and direction given by audit managers.<br />

• Processes for audit and auditor supervision, performance evaluation, and feedback.<br />

• The design and requirements of policies, manuals, and templates.<br />

• Systematic reviews of every aspect both internally (through ongoing monitoring and<br />

periodic self-assessment) and externally (sometimes referred to as EQA (external<br />

quality assessment) or QAR (quality assessment review), conducted at least once<br />

every five years, either as a full review or an independently validated selfassessment).<br />

The approach, therefore, includes the need both to look backward in order to evaluate actual<br />

performance and to look forward to set goals for improvement.<br />

Aside from the requirements of the IPPF, internal audit functions may have additional<br />

organizational requirements to follow. They may also choose to adopt other standards and<br />

benchmarks, such as ISO. However, an important check on any quality system is a costbenefit<br />

analysis. At some point, extra rigor can be counter-productive, adding bureaucracy<br />

for limited gain in performance.<br />

<strong>2C</strong>.1: Reflection<br />

Why is quality assurance so important for internal audit?<br />

What are the best ways of measuring the quality of internal audit?<br />

Who is responsible for internal audit quality?<br />


<strong>2C</strong>.2 Elements of Internal Audit <strong>Quality</strong> <strong>Assurance</strong><br />

There is no single blueprint for quality assurance. Procedures should be appropriate for the<br />

size, resources, priorities, and maturity of the function and the needs and expectations of the<br />

organization it serves. The IPPF sets minimum expectations but practices should be<br />

relevant, right-sized, and tailored. It is about more than mere compliance with the wording of<br />

the Standards. It requires a dedicated mindset to delivering superior services.<br />

According to the International Professional Practices Framework, the quality assurance and<br />

improvement program (QAIP) for the internal audit function should include:<br />

• Ongoing and periodic assessment of all aspects of assurance and advisory services<br />

provided.<br />

• Rigorous, comprehensive processes.<br />

• Continuous supervision and testing of work undertaken.<br />

• Periodic validations of conformance with the Definition of Internal Auditing, the Code<br />

of Ethics, and the Standards.<br />

The head of the internal audit function is required to:<br />

• Develop and maintain a quality assurance and improvement program (QAIP)<br />

(Standard 1300 – <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program).<br />

• Discuss the form and frequency of external assessments and the qualifications and<br />

independence of assessors with the board and encourage board oversight of<br />

external assessments to reduce potential conflicts of interest (Standard 1312 –<br />

External Assessments).<br />

• Communicate results of the QAIP to senior management and the board (Standard<br />

1320 – Reporting on the <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program).<br />

• Disclose any nonconformance with the Code of Ethics of Standards and its impact<br />

with senior management and the board (1322 – Disclosure of Nonconformance).<br />

Any quality program needs to be kept up to date, reviewed regularly, and adjusted as<br />

internal and external conditions change.<br />

The QAIP is intended to ensure the following, as described in the IIA’s Practice Guide:<br />

<strong>Quality</strong> <strong>Assurance</strong> and Improvement Program:<br />

• Conformance with the Definition of Internal Auditing, the Code of Ethics, and the<br />

Standards.<br />

• The adequacy of the internal audit activity’s charter, goals, objectives, policies, and<br />

procedures.<br />

• The contribution to the organization’s governance, risk management, and control<br />

processes.<br />

• Completeness of coverage of the entire audit universe.<br />

• Compliance with applicable laws, regulations, and government or industry standards<br />

to which the internal audit activity may be subject.<br />

• The risks affecting the operation of the internal audit activity itself.<br />

• The effectiveness of continuous improvement activities and adoption of best<br />

practices.<br />


• Whether the internal audit activity adds value, improves the organization’s<br />

operations, and contributes to the attainment of objectives. 27<br />

The external assessment (EQA/QAR) or validation of the self-assessment must be<br />

conducted by a competent and independent party. Self-assessment with independent<br />

validation is appropriate for smaller internal audit functions. Peer reviews must meet these<br />

same requirements as follows:<br />

• All members of the assessment team who perform the external assessment are to be<br />

independent of that organization and its internal audit activity personnel. Real,<br />

potential, and perceived conflicts of interest should be considered.<br />

• Individuals from within the same private sector organization but from another<br />

department or from a related organization (such as a parent organization, an affiliate<br />

in a group of entities, or an entity with regular oversight) are not considered<br />

independent for purposes of conducting an external assessment.<br />

• Within the public sector, individuals working in separate internal audit activities in a<br />

different entity within the same tier of government may be considered independent<br />

for purposes of conducting external assessments, as long as they do not report to the<br />

same CAE.<br />

• Two organizations may not review each other mutually. 28<br />

The outcome of an external review or validation can be expressed in several ways.<br />

• IIA <strong>Quality</strong> Assessment Manual Scale:<br />

o Does Not Conform.<br />

o Partially Conforms.<br />

o Generally Conforms. 29<br />

• IIA Capability Model for the Public Sector:<br />

o Initial.<br />

o Infrastructure.<br />

o Integrated.<br />

o Managed.<br />

o Optimizing. 30<br />

• DIIR (IIA–Germany) Guideline for Conducting a <strong>Quality</strong> Assessment:<br />

o 3–Satisfactory.<br />

o 2–Room for Improvement.<br />

o 1–Significant Improvement Needed.<br />

o 0–Unsatisfactory.<br />

o Not Applicable. 31<br />

• IIA Ambition Model:<br />

o 1 – Initial.<br />

o 2 – Infrastructure.<br />

o 3 – Integrated.<br />

o 4 – Managed.<br />

o 5 – Optimizing. 32<br />

27<br />

Practice Guide: <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program, The IIA, 2012.<br />

28<br />

Practice Guide: <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program, The IIA, 2012.<br />

29<br />

The Institute of Internal Auditors’ <strong>Quality</strong> Assessment Manual for the Internal Audit Activity, 6th Edition.<br />

30<br />

Internal Audit Capability Model (IA-CM) for the Public Sector, The IIA,<br />

31<br />

Guidelines for Conducting a <strong>Quality</strong> Assessment (QA), Deutsches Institut für Interne Revision e.V. (IIA –Germany), 2007.<br />


<strong>2C</strong>.2: Reflection<br />

Is your internal audit unit in full conformance with IIA Standards?<br />

Which Standards are the hardest to conform with and why?<br />

Are some Standards more important than others when you consider the priorities for your<br />

organization?<br />

Do your stakeholders know the quality assurance and improvement program for the<br />

internal audit unit?<br />

Have you ever used one or more of the models referenced (IIA <strong>Quality</strong> Assessment<br />

Manual, IIA Capability Model for the Public Sector, DIIR Guideline for Conducting a <strong>Quality</strong><br />

Assessment, and IIA Ambition Model) for a self-assessment or peer assessment of the<br />

internal audit unit?<br />

32<br />

Global Perspectives & Insights, From Conformance to Ambition: Applying the Internal Audit Ambition Model, The IIA, 2020.<br />


Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!