TIAPS ALB_Module 2C. Quality Assurance
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>2C</strong>. <strong>Quality</strong> <strong>Assurance</strong><br />
<strong>2C</strong> Learning Outcomes<br />
On completion of this section, students will be better able to:<br />
• Describe processes for establishing and maintaining quality assurance.<br />
• Evaluate internal audit performance.<br />
• Evaluate the internal audit function.<br />
<strong>2C</strong>.1 The Need for <strong>Quality</strong> <strong>Assurance</strong><br />
IIA Internal Audit Competency Framework: <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program<br />
General Awareness: Describe requirements of the <strong>Quality</strong> <strong>Assurance</strong> and Improvement<br />
Program. Identify appropriate disclosure of conformance vs. nonconformance with The IIA’s<br />
International Standards for the Professional Practice of Internal Auditing.<br />
Applied Knowledge: Schedule and complete internal and external quality assessments to<br />
meet requirements and report results. Formulate appropriate disclosures of conformance vs.<br />
nonconformance with the Standards.<br />
Expert: Assess the internal audit activity’s quality assurance and improvement practices and<br />
assess conformance with the Standards. Assess the internal audit activity’s disclosures of<br />
conformance vs. nonconformance with the Standards. 26<br />
No amount of rigor, care, and attention can guarantee perfection. The goal of quality<br />
assurance is to ensure internal audit services are fit for purpose, meaning they should meet<br />
and ideally exceed stakeholder needs and expectations. The head of internal audit should<br />
engage regularly with stakeholders and seek their feedback – formally and informally – on<br />
their level of satisfaction. This can be achieved through structured surveys and discussions,<br />
questionnaires issued to clients after completion of engagements, and via continuous<br />
dialogue. In addition to the “pull” from customers, internal auditors should strive for<br />
continuous improvement and innovation in everything they do. Even if we are doing well,<br />
how can we do even better? The internal audit function is the champion of excellence and<br />
must lead by example.<br />
<strong>Quality</strong> assurance processes should operate at the individual engagement level as well as<br />
the internal audit function level. The following table highlights the key components of a<br />
quality assessment.<br />
Engagement Level <strong>Quality</strong> Assessment<br />
• Processes for planning, scoping, setting<br />
objectives, and resourcing engagements.<br />
• Conformance with the Standards.<br />
• <strong>Quality</strong> of work undertaken.<br />
• Processes used for follow-up.<br />
• Feedback collected from auditees.<br />
• Self-assessment conducted by auditors and<br />
supervisors.<br />
Internal Audit Activity Level <strong>Quality</strong> Assessment<br />
• Policies and procedures for all technical and<br />
administrative aspects.<br />
• Conformance with the Standards.<br />
• Conformance with policies and procedures.<br />
• Alignment of work with the internal audit charter.<br />
• Alignment with stakeholder needs and<br />
expectations.<br />
• Utilization of resources.<br />
26<br />
Internal Audit Competency Framework, The IIA, 2022.<br />
44
They should be built-in rather than bolt-on, meaning the processes are integrated into<br />
routine practices rather than something additional to be completed after the work is done.<br />
<strong>Quality</strong> assurance refers to the way we do things rather than something extra we do.<br />
There are many components contributing to quality.<br />
• A commitment to continuous improvement as reflected in the internal audit strategic<br />
plan and the behaviors of auditors, audit managers, and the head of the function.<br />
• The competency of internal auditors as well as their training and continuing<br />
professional education.<br />
• The leadership and direction given by audit managers.<br />
• Processes for audit and auditor supervision, performance evaluation, and feedback.<br />
• The design and requirements of policies, manuals, and templates.<br />
• Systematic reviews of every aspect both internally (through ongoing monitoring and<br />
periodic self-assessment) and externally (sometimes referred to as EQA (external<br />
quality assessment) or QAR (quality assessment review), conducted at least once<br />
every five years, either as a full review or an independently validated selfassessment).<br />
The approach, therefore, includes the need both to look backward in order to evaluate actual<br />
performance and to look forward to set goals for improvement.<br />
Aside from the requirements of the IPPF, internal audit functions may have additional<br />
organizational requirements to follow. They may also choose to adopt other standards and<br />
benchmarks, such as ISO. However, an important check on any quality system is a costbenefit<br />
analysis. At some point, extra rigor can be counter-productive, adding bureaucracy<br />
for limited gain in performance.<br />
<strong>2C</strong>.1: Reflection<br />
Why is quality assurance so important for internal audit?<br />
What are the best ways of measuring the quality of internal audit?<br />
Who is responsible for internal audit quality?<br />
45
<strong>2C</strong>.2 Elements of Internal Audit <strong>Quality</strong> <strong>Assurance</strong><br />
There is no single blueprint for quality assurance. Procedures should be appropriate for the<br />
size, resources, priorities, and maturity of the function and the needs and expectations of the<br />
organization it serves. The IPPF sets minimum expectations but practices should be<br />
relevant, right-sized, and tailored. It is about more than mere compliance with the wording of<br />
the Standards. It requires a dedicated mindset to delivering superior services.<br />
According to the International Professional Practices Framework, the quality assurance and<br />
improvement program (QAIP) for the internal audit function should include:<br />
• Ongoing and periodic assessment of all aspects of assurance and advisory services<br />
provided.<br />
• Rigorous, comprehensive processes.<br />
• Continuous supervision and testing of work undertaken.<br />
• Periodic validations of conformance with the Definition of Internal Auditing, the Code<br />
of Ethics, and the Standards.<br />
The head of the internal audit function is required to:<br />
• Develop and maintain a quality assurance and improvement program (QAIP)<br />
(Standard 1300 – <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program).<br />
• Discuss the form and frequency of external assessments and the qualifications and<br />
independence of assessors with the board and encourage board oversight of<br />
external assessments to reduce potential conflicts of interest (Standard 1312 –<br />
External Assessments).<br />
• Communicate results of the QAIP to senior management and the board (Standard<br />
1320 – Reporting on the <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program).<br />
• Disclose any nonconformance with the Code of Ethics of Standards and its impact<br />
with senior management and the board (1322 – Disclosure of Nonconformance).<br />
Any quality program needs to be kept up to date, reviewed regularly, and adjusted as<br />
internal and external conditions change.<br />
The QAIP is intended to ensure the following, as described in the IIA’s Practice Guide:<br />
<strong>Quality</strong> <strong>Assurance</strong> and Improvement Program:<br />
• Conformance with the Definition of Internal Auditing, the Code of Ethics, and the<br />
Standards.<br />
• The adequacy of the internal audit activity’s charter, goals, objectives, policies, and<br />
procedures.<br />
• The contribution to the organization’s governance, risk management, and control<br />
processes.<br />
• Completeness of coverage of the entire audit universe.<br />
• Compliance with applicable laws, regulations, and government or industry standards<br />
to which the internal audit activity may be subject.<br />
• The risks affecting the operation of the internal audit activity itself.<br />
• The effectiveness of continuous improvement activities and adoption of best<br />
practices.<br />
46
• Whether the internal audit activity adds value, improves the organization’s<br />
operations, and contributes to the attainment of objectives. 27<br />
The external assessment (EQA/QAR) or validation of the self-assessment must be<br />
conducted by a competent and independent party. Self-assessment with independent<br />
validation is appropriate for smaller internal audit functions. Peer reviews must meet these<br />
same requirements as follows:<br />
• All members of the assessment team who perform the external assessment are to be<br />
independent of that organization and its internal audit activity personnel. Real,<br />
potential, and perceived conflicts of interest should be considered.<br />
• Individuals from within the same private sector organization but from another<br />
department or from a related organization (such as a parent organization, an affiliate<br />
in a group of entities, or an entity with regular oversight) are not considered<br />
independent for purposes of conducting an external assessment.<br />
• Within the public sector, individuals working in separate internal audit activities in a<br />
different entity within the same tier of government may be considered independent<br />
for purposes of conducting external assessments, as long as they do not report to the<br />
same CAE.<br />
• Two organizations may not review each other mutually. 28<br />
The outcome of an external review or validation can be expressed in several ways.<br />
• IIA <strong>Quality</strong> Assessment Manual Scale:<br />
o Does Not Conform.<br />
o Partially Conforms.<br />
o Generally Conforms. 29<br />
• IIA Capability Model for the Public Sector:<br />
o Initial.<br />
o Infrastructure.<br />
o Integrated.<br />
o Managed.<br />
o Optimizing. 30<br />
• DIIR (IIA–Germany) Guideline for Conducting a <strong>Quality</strong> Assessment:<br />
o 3–Satisfactory.<br />
o 2–Room for Improvement.<br />
o 1–Significant Improvement Needed.<br />
o 0–Unsatisfactory.<br />
o Not Applicable. 31<br />
• IIA Ambition Model:<br />
o 1 – Initial.<br />
o 2 – Infrastructure.<br />
o 3 – Integrated.<br />
o 4 – Managed.<br />
o 5 – Optimizing. 32<br />
27<br />
Practice Guide: <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program, The IIA, 2012.<br />
28<br />
Practice Guide: <strong>Quality</strong> <strong>Assurance</strong> and Improvement Program, The IIA, 2012.<br />
29<br />
The Institute of Internal Auditors’ <strong>Quality</strong> Assessment Manual for the Internal Audit Activity, 6th Edition.<br />
30<br />
Internal Audit Capability Model (IA-CM) for the Public Sector, The IIA,<br />
31<br />
Guidelines for Conducting a <strong>Quality</strong> Assessment (QA), Deutsches Institut für Interne Revision e.V. (IIA –Germany), 2007.<br />
47
<strong>2C</strong>.2: Reflection<br />
Is your internal audit unit in full conformance with IIA Standards?<br />
Which Standards are the hardest to conform with and why?<br />
Are some Standards more important than others when you consider the priorities for your<br />
organization?<br />
Do your stakeholders know the quality assurance and improvement program for the<br />
internal audit unit?<br />
Have you ever used one or more of the models referenced (IIA <strong>Quality</strong> Assessment<br />
Manual, IIA Capability Model for the Public Sector, DIIR Guideline for Conducting a <strong>Quality</strong><br />
Assessment, and IIA Ambition Model) for a self-assessment or peer assessment of the<br />
internal audit unit?<br />
32<br />
Global Perspectives & Insights, From Conformance to Ambition: Applying the Internal Audit Ambition Model, The IIA, 2020.<br />
48