QUALITY ASSURANCE AND QUALITY ASSURANCE AND IMPROVEMENT PROGRAM IMPROVEMENT PROGRAM

(QAIP)(QAIP)

AGA Austin CPE LuncheonFebruary 13, 2014

Presented by:Paul Morris, CIA, CPAPriscilla Suggs, MBA

Presentation ObjectivesPresentation Objectives

o Quality Assurance - what is it and why do we need a program?

o Understanding the Quality Assurance requirements per Red Book and Yellow Book

standards

o Review an example of an Internal Audit QAIP process - DFPS

Audit Audit Standards Standards and GAGASand GAGAS

Standards (Red Book)1300 – Quality Assurance and Improvement Program (QAIP)

o 1310 – Requirements of the QAIPo 1311 – Internal Assessmentso 1312 – External Assessmentso 1320 – Reporting on the QAIP

GAGAS (Yellow Book)Standards 3.82 through 3.107 - ‘Quality Control and Assurance’

Why do we need a QAIP?Why do we need a QAIP?

To ensure the Internal Audit Director (IAD) has established an internal audit activity “whose scope of work includes activities found in the Standards and in the Definition of Internal Auditing.”

IPPF, Practice Advisory 1300-1

Why do we need a QAIP?Why do we need a QAIP?“Each audit organization performing audits in accordance with GAGAS must:

a. establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and

b. have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years.”

GAGAS, Standard 3.82

A QAIP can improve A QAIP can improve processes.processes.

The QAIP Objective (Red The QAIP Objective (Red Book) Book)

To provide reasonable assurance to our stakeholders that Internal Audit:

o Performs in accordance with the internal audit Charter

o Operates in an effective and efficient manner, and

o Is perceived by stakeholders as adding value and improving the organization’s operations

IPPF, Practice Advisory 1300-1

The QAIP Objective (Red The QAIP Objective (Red Book)Book)

o It is an evaluation of the division’s processes

o It is comprehensive and covers all aspects of the operation and management of the internal audit activity, and

o It is performed by or under the direct supervision of the IAD

IPPF, Practice Advisory 1300-1

The QAIP Objective (Red The QAIP Objective (Red Book)Book)

o The QAIP is not an attempt to reinvent the wheel but rather to ensure that Internal Audit consistently provides quality and value-added services to its stakeholders.

o Begins with instituting policies, procedures and practices that are consistent with the Standards

Requirements of QAIPRequirements of QAIP

The quality assurance and improvement program must include both internal and external assessments

IPPF, Standard 1310; Practice Advisory 1310-1

Internal AssessmentsInternal Assessments

Must include:oOngoing monitoring of the performance of the internal audit activity; and

oPeriodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.

IPPF, Standard 1311; Practice Advisory 1311-1

Internal Assessments – Internal Assessments –

Ongoing Monitoring Ongoing Monitoring

o Supervision of audits, regular, documented reviews of work papers;

o IA checklists and policies/procedures to ensure compliance with applicable standards;

o Feedback from customers (surveys) and other stakeholders;

o Selective workpaper peer reviews;o Management tools: time budgets, time tracking

systems, measuring audit plan completiono Analysis of performance metrics.

Internal Assessments – Internal Assessments –

Periodic ReviewsPeriodic Reviews

o Stakeholder surveys and interviews;

o Can be performed by members of the IA activity;

o Can be performed by CIAs currently assigned elsewhere in the organization;

o Can include combination of self-assessment and preparation of materials for others to review;

o Benchmarking IA’s practice and performance against relevant best practices of the profession

Internal Assessments – Internal Assessments –

GAGASGAGAS“Audit organizations should establish policies and procedures for monitoring of quality in the audit organization. Monitoring of quality is an ongoing, periodic assessment of work completed on audits designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice.”

GAGAS, Standard 3.93

External AssessmentsExternal Assessmentso Must be conducted at least once every five years

by a qualified, independent reviewer or review team from outside the organization.

o The reviewer or review team should be qualified, independent and from outside the agency.

IPPF, Standard 1312; Practice Advisory 1312-1

External AssessmentsExternal Assessments“The audit organization should obtain an external peer review at least once every 3 years that is sufficient in scope to provide a reasonable basis for determining whether, for the period under review, the reviewed audit organization’s system of quality control was suitably designed and whether the audit organization is complying with its quality control system in order to provide the audit organization with reasonable assurance of conforming with applicable professional standards.”

GAGAS, Standard 3.96

Considerations for External Considerations for External

ReviewReview

The qualifications of external reviewers as noted in The IIA’s Practice Advisory 1312-1 should be considered when contracting with an outside party to conduct the assessment.

Scope of the External Scope of the External AssessmentAssessment

o Conformance with the Standards, Definition of Internal Auditing, the Code of Ethics, and internal audit’s Charter, plans policies, procedures, practices, and any applicable legislative and regulatory requirements.

o Expectations of Internal Audit as expressed by the Governance and Management (Executive Team)

o Integration of the Internal Audit activity into DFPS’s governance process, including the audit relationship between and among the key groups involved in the process.

Scope of the External Scope of the External AssessmentAssessment

o Tools and techniques used by Internal Audit.

o The mix of knowledge, experiences, and disciplines within the staff, including staff focus on process improvement.

o A determination whether Internal Audit adds value and improves DFPS’s operations.

IPPF Practice Advisory 1312-1

Reporting on the QAIPReporting on the QAIP

Internal Assessment ReportingoResults of internal assessments will be reported to the Audit Committee and to senior management at least annually.

IPPF, Standard 1320 and Interpretation

External Assessment ReportingoResults which include the reviewer’s or review team’s assessment of conformance, is communicated to senior management upon completion.

Implementing Corrective Implementing Corrective ActionAction

If there are any recommendations, the IAD should implement appropriate follow-up

actions to ensure action plans are developed and implemented in a reasonable timeframe.

Example – Example –

Internal Monitoring ProcessInternal Monitoring Process

DFPs Internal Audit uses a team approach to the annual internal monitoring approach. Each team member is assigned a portion of the QAIP, conducts review, and reports results to the Internal Audit Director.

The Director consolidates results and reports annually to the Commissioner and DFPS Executive Leadership Team.

Copies of the DFPS QAIP policy/procedure, assignments and final report are included for discussion.

Questions?