1 Quality Assessment Manual Chapter 1
1 Quality Assessment Manual Chapter 1
1 Quality Assessment Manual Chapter 1
O v e rv i e w
One of internal audit’s major assets is its credibility with stakeholders. To provide credible
assistance and constructive challenge to management, internal auditors must be perceived
as professionals. Professionalism requires conforming to a set of professional standards. This
chapter provides an overview of The IIA’s International Standards for the Professional Practice
of Internal Auditing (Standards) and the other documents that make up the International
Professional Practices Framework (IPPF). It explains how they have evolved as the profes-
sion has matured and how their application should be tailored to each organization without
compromising conformance with the Standards. In particular, it presents and discusses the
1300 series of Standards that deals specifically with quality assurance.
>
7
S ta n d a r d s R e q u i r e Q ua l i t y
Assurance Focus
Chief audit executives (CAEs) need assurance that their internal audit department and each
member of the staff conform to all mandatory elements of the IPPF, and they need to
demonstrate this conformance to their stakeholders. The only way to meet these needs is
with a comprehensive Quality Assurance and Improvement Program (QAIP) that includes
ongoing and periodic internal assessments and periodic external assessments by qualified
independent parties.
Quality internal auditing is defined by the IPPF, which consists of mandatory and strongly
recommended guidance.
9
Mandatory Guidance
The mandatory guidance is considered to be essential for the professional practice of internal
auditing. All mandatory guidance is submitted for review by the entire global profession
through the exposure draft process. It consists of three components:
• Code of Ethics: The Principles and Rules of Conduct that define ethical
behavior for a professional internal auditor.
10 • Practice Guides provide detailed guidance for conducting internal audit activ-
ities. They include processes and procedures, tools and techniques, programs,
and step-by-step approaches, as well as examples of deliverables.
We include Standard 1300 in full because it defines the requirements for a quality assurance
and improvement program. Please note that this is from the 2013 Standards revision. Please
consult The IIA’s website for the most current Standards.
Interpretation:
A quality assurance and improvement program is designed to enable an evaluation of the internal
audit activity’s conformance with the Definition of Internal Auditing and the Standards and an
evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the effi-
ciency and effectiveness of the internal audit activity and identifies opportunities for improvement.
Interpretation:
Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement
of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and
practices used to manage the internal audit activity and uses processes, tools, and information
considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code
of Ethics, and the Standards.
Sufficient knowledge of internal audit practices requires at least an understanding of all elements
of the International Professional Practices Framework.
Interpretation:
12 External assessments can be in the form of a full external assessment, or a self-assessment with
independent external validation.
A qualified assessor or assessment team demonstrates competence in two areas: the professional
practice of internal auditing and the external assessment process. Competence can be demonstrated
through a mixture of experience and theoretical learning. Experience gained in organizations of
similar size, complexity, sector or industry, and technical issues is more valuable than less relevant
experience. In the case of an assessment team, not all members of the team need to have all the
competencies; it is the team as a whole that is qualified. The chief audit executive uses professional
judgment when assessing whether an assessor or assessment team demonstrates sufficient compe-
tence to be qualified.
An independent assessor or assessment team means not having either a real or an apparent conflict
of interest and not being a part of, or under the control of, the organization to which the internal
audit activity belongs.
Interpretation:
The form, content, and frequency of communicating the results of the quality assurance and improve-
ment program is established through discussions with senior management and the board and
considers the responsibilities of the internal audit activity and chief audit executive as contained in
the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing,
the Code of Ethics, and the Standards, the results of external and periodic internal assessments
are communicated upon completion of such assessments and the results of ongoing monitoring are
communicated at least annually. The results include the assessor’s or assessment team’s assessment
with respect to the degree of conformance.
The chief audit executive may state that the internal audit activity conforms with the
International Standards for the Professional Practice of Internal Auditing only if the results of
the quality assurance and improvement program support this statement.
Interpretation:
The internal audit activity conforms with the Standards when it achieves the outcomes described
in the Definition of Internal Auditing, Code of Ethics, and Standards.
The results of the quality assurance and improvement program include the results of both internal
and external assessments. All internal audit activities will have the results of internal assessments.
Internal audit activities in existence for at least five years will also have the results of external
assessments.
A pp l i c a t i o n of t h e IPPF
The IPPF is the foundation of quality internal auditing. It is equally applicable to all, but
the practice of internal auditing must be adapted to such factors as an organization’s legal,
regulatory and cultural environment, industry, size, and stakeholder expectations. The CAE
must adapt internal auditing to the organization’s environment—while still conforming to
the Standards—and assessors should take this adaptation into consideration. Figure 1-1 from
The IIA’s 2010 Common Body of Knowledge (CBOK) report provides useful perspective on
some of the specific factors that must be considered.
14 Internal auditing may be less mature in emerging countries, privately held (not listed)
companies, not-for-profits, small companies, and organizations with a relatively new
internal audit activity. At the same time, many mature internal audit activities have achieved
“Generally Conforms” on The IIA’s standard quality assessment rating system (Generally
Conforms/Partially Conforms/Does Not Conform) and would like a higher rating to strive
for or to recognize their outstanding practices. For any of these organizations, a maturity
model might be used to compliment or replace the standard rating system. Examples of
maturity models are available on the Internet, and additional IIA guidance on this topic was
anticipated at the time of this writing.
Determined by
Affected by
operations ●● Professional
experience
●● Professional
certification
●● Total years as
CAE 15
●● Line of
reporting
●● 40 hours of
formal training
Interaction/
IC report Communication
frequency,
In-house or
content, etc.
●● Formal IA outsourcing
activity
charter/
strategy, etc.
●● Appointment
of CAE
●● Appointment
of IA service
provider
Assessments are typically performed by a team hired for that purpose. If budget constraints
are an issue, another option for completing a full assessment is through a peer assessment
performed between at least three independent organizations, in which each internal audit
activity is assessed by a team from the other organizations.
The elements of a QAIP are discussed more fully in the next chapters.