Internal Audit Forum - Berlin May 9-11 2017 Nanna Huld Aradottir Chief Audit Executive Challenge of a Small Internal Audit Activity Facing External Quality Assessment


Post on 05-Jun-2018


Page 1: Challenge of a Small Internal Audit Activity - GLC Europevideo.glceurope.com/presi/Audit_masters/prezik/DAY2_1200_Nanna Hu… · Challenge of a Small Internal Audit Activity ... IIA

Internal Audit Forum - Berlin, May 9-11 2017

Nanna Huld Aradottir, Chief Audit Executive

Challenge of a Small Internal Audit Activity Facing External Quality Assessment

Page 2

Central Bank of Iceland

Page 3

CBOK 2015 Practitioner Survey

Looking to the future for Internal Audit Standards

CAEs who participated in the CBOK practitioner surveys used all of the IIA Standards at 54% of organizations in 2015. Approximately 11% stated they did not use any of the Standards.

Use of the IIA Standards          %
All of the Standards              54%
Partial, some of the Standards    38%
None of the Standards             11%
TOTAL                             100%

Looking to the future for Internal Audit: Standards Updates, Usage and Conformance. James A. Bailey, PhD, CIA, CPA, CFE. Copyright 2016: Internal Audit Foundation

Page 4

CBOK 2015 Practitioner Survey

Internal Audit Quality Assurance and Improvement

34% of CAEs stated that their internal audit departments fully conformed to Standard 1300. 29% of CAEs surveyed reported that their QAIP was “nonexistent or ad hoc,” and an additional 37% stated that their program was “in the process of development.”

QAIP DEVELOPMENT                  %
Well-defined                      34%
In the process of development     37%
Nonexistent or ad hoc             29%
TOTAL                             100%

Internal Audit Quality Assurance and Improvement: A call to Action. Christie J. O'Loughlin, CGAP, CRMA; Jodie Swauger. Copyright 2016: Internal Audit Foundation

Page 5

The Small-Department Challenge

CBOK 2015 Practitioner Survey

[Figure: chart. Y-axis: % (0 to 80). X-axis: Size of Internal Audit Departments (1 to 3, 4 to 9, 10 to 49, 50 or more). Series: Use of all Standards; Conformance to Standard 1300.]

Page 6

Steps in conforming with the Standards before undergoing external quality assessment

1. Evaluate where the internal audit activity is to be positioned on a maturity model over time. A cost-benefit approach could be applied in this analysis.

2. Perform a detailed gap analysis to identify gaps in conformance to each Standard and develop an action plan of necessary improvements to ensure compliance.

3. Solicit advice and support from peers who have undergone an external quality assessment and achieved conformance with the Standard.

4. Make this work a formal part of your annual audit plan.

Page 7

Internal Audit Capability/Ambition Model

Elements: Services and Role of IA; People Management; Professional Practices; Performance Management and Accountability; Organizational Relationships and Culture; Governance Structures

Level 5: Optimizing
  Services and Role of IA: IA Recognized as Key Agent of Change
  People Management: Leadership Involvement with Professional Bodies; Workforce Projection
  Professional Practices: Continuous Improvement in Professional Practices; Strategic IA Planning
  Performance Management and Accountability: Public Reporting of IA Effectiveness
  Organizational Relationships and Culture: Effective and Ongoing Relationships
  Governance Structures: Independence, Power, and Authority of the IA Activity

Level 4: Managed
  Services and Role of IA: Overall Assurance on Governance, Risk Management, and Control
  People Management: IA Contributes to Management Development; IA Activity Supports Professional Bodies; Workforce Planning
  Professional Practices: Audit Strategy Leverages Organization’s Management of Risk
  Performance Management and Accountability: Integration of Qualitative and Quantitative Performance Measures
  Organizational Relationships and Culture: CAE Advises and Influences Top-level Management
  Governance Structures: Independent Oversight of the IA Activity; CAE Reports to Top-level Authority

Level 3: Integrated
  Services and Role of IA: Advisory Services; Performance/Value-for-Money Audits
  People Management: Team Building and Competency; Professionally Qualified Staff; Workforce Coordination
  Professional Practices: Quality Management Framework; Risk-based Audit Plans
  Performance Management and Accountability: Performance Measures; Cost Information; IA Management Reports
  Organizational Relationships and Culture: Coordination with Other Review Groups; Integral Component of Management Team
  Governance Structures: Management Oversight of the IA Activity; Funding Mechanisms

Level 2: Infrastructure
  Services and Role of IA: Compliance Auditing
  People Management: Individual Professional Development; Skilled People Identified and Recruited
  Professional Practices: IPPF Framework; Audit Plan Based on Management/Stakeholder Priorities
  Performance Management and Accountability: IA Operating Budget; IA Business Plan
  Organizational Relationships and Culture: Managing within the IA Activity
  Governance Structures: Full Access to Information, Assets, and People; Reporting Relationship Established

Level 1: Initial
  Ad hoc and unstructured; isolated single audits or reviews of documents and transactions for accuracy and compliance; outputs dependent upon the skills of specific individuals holding the position; no specific professional practices established other than those provided by professional associations; funding approved by management, as needed; absence of infrastructure; auditors likely part of a larger organizational unit; no established capabilities; therefore, no specific key process areas

Page 8

Internal Audit Capability/Ambition Model

Levels and elements/themes

LEVEL 5 Optimizing

LEVEL 4 Managed

LEVEL 3 Integrated

LEVEL 2 Infrastructure

LEVEL 1 Initial

Page 9

The International Professional Practices Framework (IPPF)

Updated framework with revised Standards in effect January 1st 2017.

Page 10

Gap analysis of conformance to the Standards

Columns: Standard; Standards Title; Degree of Challenge; Conformance to the Standards; Action plan for conformance

Overall Conformance

Attribute Standards

1000 Purpose, Authority, and Responsibility L

1100 Independence and Objectivity H

1200 Proficiency and Due Professional Care M 1220 CP.1

1300 Quality Assurance and Improvement Program H 1312.CP.2

Performance Standards

2000 Managing the Internal Audit Activity H

2100 Nature of Work M 2130 IP.1

2200 Engagement Planning H 2201 CP.3

2300 Performing the engagement H

2400 Communicating results M 2420.CP.4

2500 Monitoring progress M 2500.IP.2

2600 Resolution of Management’s Acceptance of Risk M

Legend (degree of challenge): Low degree of challenge; Med. degree of challenge; High degree of challenge

Legend (conformance): Generally Conforms; Partially Conforms; Does not Conform

Page 11

Conformance to each of the IIA Standards

Standard 1000 Purpose, Authority, and Responsibility

Statements of core requirements: The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Interpretation: The internal audit charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity's position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

1000.A1 The nature of assurance services provided to the organization must be defined in the internal audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the internal audit charter.

1000.C1 The nature of consulting services must be defined in the internal audit charter.

Challenge: Conformance is not dependent upon the size of the audit activity and should present no unique challenges for the small audit activity.

Guidance: Need, purpose and benefits for a charter should be discussed with the board and senior management. Further, it is critical that the CAE clearly communicate the activity’s vision, mission, and charter to key stakeholders. The CAE must periodically review and assess the contents of the charter to ensure the content is relevant and submit it to the board for approval. Documentation of communications with the board and senior management pertaining to the charter should be maintained.

Compliance:

1000 The Central bank's audit charter is formal and defines the purpose, authority, and responsibility of the activity and refers to the mandatory elements of IPPF. The internal audit activity has drafted a mission statement which serves to explicitly align its activities with those of the bank and complements the activity charter. The charter was approved by the supervisory board and the governors of the Central bank in year 2012 and reviewed on an annual basis thereafter. The charter is flexible and general enough to provide adaptability to the bank's changing environment, if necessary. (Ref: AC.1)

1000.A1 The nature of Assurance service is defined in the charter. (Ref: AC.2)

1000.C1 The nature of Consulting service is defined in the charter. (Ref: AC.3)

Recommendation: None (Ref: AP.1)

Opportunities: None (Ref: OP.1)

Page 12

Conformance to the Attribute Standards

CBOK 2015 Practitioner Survey

[Figure: chart. Y-axis: % (0 to 90). X-axis: Standards 1000, 1100, 1200, 1300. Series: All IAA; Small IAA. Label: Challenge.]

Page 13

Conformance to attribute standard 1200 - Proficiency and due professional care

Challenge

1210 As part of the project planning and scoping process, the CAE considers the extent of the work required to achieve the audit objectives.

The IAA has in place a co-sourcing agreement with PwC which secures access to specialists to achieve the audit objectives of the yearly audit plan. Furthermore, the CAE relies on the assistance of non-audit staff in areas where their knowledge is relevant.

1220 Well-documented processes and work paper templates are implemented and are used to demonstrate due professional care when assurance and consulting engagements are performed. A stakeholder survey has not been performed.

Compliance The IIA Global Internal Audit Competency Framework

Page 14

Conformance to attribute standard 1300 - Quality Assurance and Improvement Program (QAIP)

Challenge

1310 Requirements of QAIP

1311 Internal Assessment

• The CAE has in place a working arrangement with the bank's PMO to monitor the performance of the audit activity after each audit according to a predefined checklist.

• A contract has been signed with an external service provider to perform an internal assessment of the performance of the activity and its conformance to the IPPF on a yearly basis.

1312 External Assessment

• Will be performed by an independent external service provider in Q4 2017.

1320 Reporting on QAIP

1321 Use “Conforms with the IPPF”

Compliance

Page 15

Framework for QAIP

IIA Practice Guide - Quality Assurance and Improvement Program

[Figure: Quality Assurance and Improvement (QAIP) Framework. Labels: Internal Audit Activity (Governance, Professional Practice, Communication); Ongoing Monitoring; Periodic Self-Assessment; External Assessment; Findings, Observation & Recommendation; Reporting and Follow Up; Quality built into an IA Activity; Quality Assurance Over Entire IA Activity; Continuous Improvement of IA Processes; Continuous Improvement of QAIP.]

Page 16

1311 Internal assessment – Ongoing monitoring - Challenges for small audit activities

A small internal audit activity can do the following to ensure conformance:

• Use standardised processes and work papers that are designed so that the Standards are adhered to.

• Involve someone within or outside the organisation with suitable knowledge of internal audit practice and/or quality assessment to provide assurance on whether processes adopted by the internal audit activity are being followed.

• Use predefined quality assessment checklists for ongoing monitoring such as those available in IIA's Quality Assurance Manual.

Page 17

1311 Internal assessment – Periodic self-assessment - Challenges for small audit activities

• Generally conducted by senior members of the internal audit activity, quality management staff with IPPF expertise, CIAs, or other competent audit professionals assigned elsewhere in the organization.

• When this is not an option an external service provider, an audit firm, a peer or a local IIA chapter professional, can perform the assessment.

• The Standards do not require a full self-assessment each year. For a smaller internal audit activity it's beneficial to lay out a program for how internal assessment will be performed each year between the external quality assessments.

Page 18

1312 External assessment - Challenges for small audit activities

• Self-assessment with external independent validation – Less expensive and provides opportunities for staff development.

• Full external assessment – Comprehensive overview and advice and saves time.

• To secure both the independence and expertise of the external assessor, use:

• IIA Institute chapter or a service provider

• Peer review process.

• Team up with a peer if possible

Page 19

Developing and implementing QAIP

A key aspect is to determine:

• The role of internal audit management and staff in the quality process.

• The activities that are covered through ongoing monitoring, periodic self-assessment, or external assessments.

• The frequency of self-assessments and external assessments.

• The level of quality, or maturity, desired by the internal audit activity and expected by its stakeholders.

Continuous improvement

Page 20

Conformance to the Performance Standards

CBOK 2015 Practitioner Survey

[Figure: chart. Y-axis: % (0 to 90). X-axis: Standards 2000, 2100, 2200, 2300, 2400, 2500, 2600. Series: All IIA; Small IIA. Label: Challenge.]

Page 21

Conformance to performance standard 2000 - Managing the Internal Audit Activity

2010 CAE performs an annual risk assessment of the bank, approved by senior management, which serves as basis for the annual audit plan.

2020 The audit plan and budget are approved, reviewed and updated by the governors and the supervisory board.

2030 Resources are managed to achieve the audit plan.

2040 Policies and procedures are in place and approved by the supervisory board.

2050 Activities are coordinated with the external auditor to ensure proper coverage and minimize duplication of efforts.

2060 Supervisory board gets regular reports on all matters related to internal audit activity.

2070 External service providers do not serve as the IAA.

Challenge

Conformance

Page 22

Conformance to performance standard 2100 - Nature of Work

Challenge

2110 Governance

2120 Risk Management

2130 Control

Areas for improvements

• The CAE plans to present to the governors and the supervisory board a long-term audit plan that covers all important areas of the bank with regard to the mandated areas of standard 2100.

• The CAE plans to implement a system of continuous monitoring and continuous auditing to enhance the assurance service on control processes. The aim is to be more preventive, detective and automatic to improve the audit activity's efficiency.

• The CAE plans to implement lean auditing to drive added value and efficiency.

Compliance

Page 23

Conformance to performance standard 2200-2400 - Engagement planning, performing & communicating

2200 Templates are in place for assurance and consulting engagement planning. Work program is subsequently developed to attain the objective and presented to management of the area under review.

2300 The audit activity uses checklists to assist in providing assurance over the quality of the engagement performance.

The CAE has in place a working arrangement with the bank's PMO to monitor the performance of the audit activity after each audit according to a predefined checklist.

2400 Audit reports are standardized in content and format based on the COSO framework with risk rated issues. Reports are distributed to management for review and the governors and board for discussion.

Compliance Comment:

Management and the board have not been surveyed on whether they assess the reports to be clear, concise and constructive.

Challenge

Compliance

Page 24

Conformance to performance standard 2500 - Monitoring progress

A documented follow-up process has been established to monitor management action on accepted recommendations. Status of implementation is traced.

Yearly, the CAE summarizes a list of risk-rated open issues with a brief overall status description in a report for the governors to review and possibly act on. The report is subsequently submitted to the supervisory board for discussion and follow-up.

Areas for improvements

Contract the bank's PMO to track outstanding issues and report the status to the audit activity for validation when completed.

Challenge

Compliance

Page 25

Conformance to performance standard 2600 - Communicating the Acceptance of Risks

Internal audit's policies and procedures include appropriate guidance when the CAE concludes that management has accepted an unacceptable level of risk.

In cases when the CAE wants to draw attention to a level of risk that may be unacceptable to the bank, a memorandum on the matter in question is sent to the governors. If necessary, the memorandum is forwarded to the chairperson of the supervisory board of the bank for resolution.

Challenge

Compliance

Page 26

Advice and support from peers

• Do not reinvent the wheel.

• Draw on the experience and expertise of others.

• Provide support for others in a similar situation.

• Strive for mutual benefit

Page 27

Quality assurance and improvement program

• Add the quality assurance and improvement program as a formal part of your annual audit plan.

• Discuss the importance of applying and complying with the IPPF with management and the board.

Page 28

Thank you!