Quality Assurance Checklist

Download as pdf or txt
Download as pdf or txt
You are on page 1of 16

Quality Assurance Checklist

Internal Audit Foundations


Includes

Best Practice Characteristics

What is in place

Standards 1000, 1010, 1100, 1110, 1111, 1120, 1130, 1300, 1310, 1320, 1321, 1322, 2000, 2040
There is an Internal Audit Charter in place

The Internal Audit Charter is reviewed annually to


assure it remains effective and in line with best practice

There are no conflicts of interest that will affect the


individual objectivity of Internal Audit employees or
service providers

Internal Audit Charter is in place

Internal Audit Charter follows the main characteristics


of a suitable model charter. In the public sector it may
be a model provided by an AuditorGeneral, in the
private sector it may be a version from the IIA

Internal Audit Charter contains purpose, authority,


responsibility, definition of internal auditing, reference
to IIA Code of Ethics, reference to IIA Standards,
independence, objectivity, organisational
independence, direct interaction with the Audit
Committee, reporting and communication
arrangements, nature of work to be performed, records
management, conflicts of interest, performance
assessment, Quality Assurance and Improvement
Program, requirement for annual review, approval by
Audit Committee

Organisation chart shows reporting arrangements for


Internal Audit

Annual review of Internal Audit Charter

Documentation to indicate the content and structure of


the Internal Audit Charter has been reviewed and
assessed against a best practice model

The Internal Audit Charter complements the mandate


of the Audit Committee and assurance is available that
the Audit Committee has been structured to accord
with contemporary best practice and statutory or
regulatory requirements

Changes to Internal Audit Charter approved by Audit


Committee

Internal Audit employees have no conflicts of interest,


for example conflict of interest declaration for internal
audit engagements, annual conflict of interest
attestation

Conflicts of interest are reported to the Audit

1
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

Quality Assurance Checklist


Internal Audit Foundations
Includes

Best Practice Characteristics

What is in place

Committee
There is no impairment to Internal Audit independence
or objectivity

There is a Quality Assurance and Improvement


Program in place

There is effective management of Internal Audit so it


adds value to the organisation

Chief Audit Executive can demonstrate there is no


impairment to independence or objectivity such as
conflicts of interest, scope limitations, restrictions on
access to records or personnel, funding or resource
limitations

Chief Audit Executive makes impairment attestation to


the Audit Committee annually

The organisation structure and Internal Audit Charter


arrangements should both illustrate the reporting lines
for the Chief Audit Executive are appropriate and
strengthen the independence and objectivity of Internal
Audit. The Audit Committee should be required to be
involved in hiring, firing, and remuneration decisions
concerning the Chief Audit Executive; review and
endorse the scope and budget of Internal Audit on the
recommendation of the Chief Audit Executive; consider
the outcomes of all internal audit engagements
reported; meet periodically in camera with the Chief
Audit Executive

There is a comprehensive documented Quality


Assurance and Improvement Program in place

The Quality Assurance and Improvement Program is


measured, monitored and reported

Stakeholder Relationship Program is in place,


monitored, reviewed and uptodate

A Balanced Scorecard Report approach is in place and


reports are provided periodically to senior management
and the Audit Committee

Results of management feedback surveys after each


internal audit engagement and annual feedback which
flows into Balanced Scorecard Report

Results of Internal Assessments

Results of External Assessments

An Action Plan is available to address any issues


arising from Internal Assessments and External

2
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

Quality Assurance Checklist


Internal Audit Foundations
Includes

Best Practice Characteristics

What is in place

Assessments, action is taken, and progress is reported


periodically to senior management and the Audit
Committee
There is an uptodate Internal Audit Manual of
policies and procedures

There is a documented and uptodate Internal Audit


Manual of policies and procedures

The Internal Audit Manual has been approved by the


Chief Audit Executive and the Audit

The content of the Internal Audit Manual is reasonable,


complete and consistent with the IIA Standards

Internal Audit employees and service providers


consistently use the Internal Audit Manual

Internal Audit employees and service providers have


been inducted and trained in its use

3
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

Quality Assurance Checklist

Professional Development
Includes

Best Practice Characteristics

What is in place

Standards 1200, 1210, 1220, 1230


Internal Audit employees and service providers are
professionally qualified

There is a performance management process for


Internal Audit employees that includes a Professional
Development Plan for each employee

There are professional development opportunities for

Internal Audit employees have relevant professional


qualifications

Internal Audit employees have relevant professional


certifications

Internal Audit operates at a consistently high standard,


with membership of the IIA recognised as the minimum
requirement for practicing Internal Auditors

The Chief Audit Executive and anyone issuing internal


audit reports should be required to be IIAcertified

An employees Profile is developed and reviewed


annually, including the experience, qualifications,
certifications, and years of auditing experience

The Staff Profile is reported to the Audit Committee as


part of periodic performance reporting

An Internal Audit Capability Framework has been


developed that drives recruitment planning, training
and development activities, and job design. It should be
consistent with the IIA Global Internal Audit
Competency Framework

There is a Job Description for each Internal Audit job


consistent with the abovementioned job design
approach

There is a documented career development path for


Internal Audit employees

There is a performance management process in place


for Internal Audit employees that is linked to Job
Descriptions and Internal Audit business objectives

There is a highlevel Professional Development Plan in


place covering Internal Audit

Internal Audit employees have an individual


professional development plan linked to the highlevel
Professional Development Plan

Internal Audit employees have opportunities and

4
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

Quality Assurance Checklist


Professional Development
Includes

Best Practice Characteristics

Internal Audit employees

Internal Audit employees are trained so they can


effectively perform their jobs

What is in place

funding for professional development

Internal Audit employees receive sufficient


opportunities and funding to participate in appropriate
professional development activities each year to
maintain professional certifications

Internal Audit employees are encouraged to participate


in the activities of relevant professional bodies

Internal Audit employees receive training in Internal


Audit methodology and use of technology tools

Induction training is provided on initial recruitment of


Internal Audit employees and service providers, with
periodic refresher training provided and completed

5
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

Quality Assurance Checklist

Internal Audit Planning


Includes

Best Practice Characteristics

What is in place

Standards 2010, 2020, 2030, 2050, 2100, 2110, 2120, 2130


The division of effort amongst Internal Audit, external
audit, and other governance functions is minimised

The nature of Internal Audit work is designed to


evaluate and contribute to improvement of governance,
risk management and control processes using a
systematic and disciplined approach

Internal audit planning is linked to organisation


strategic objectives and risks

The Internal Audit Plan is effectively structured

Coordination and division of assurance effort between


Internal Audit, external audit, and other internal
governance and assurance functions

Internal Audit has championed and / or documented a


suitable 3 Lines of Defence model

Internal Audit Charter, Job Descriptions, methodology


and Internal Audit Plan demonstrate Internal Audit
contributes to management improvement of
governance, risk management and control processes

Internal Audit has used a suitable model and structured


approach within the last 2 to 3 years to assess the
organisation governance arrangements

Internal Audit conducts an annual Risk Assessment to


support its riskbased planning, or leverages the
Enterprise Risk Management resources and
documentation where the organisation has reached an
appropriate level of risk management maturity

There is an Assurance Map that is reviewed and


updated at least annually

There is a comprehensive riskbased Audit Universe


that is reviewed and updated at least annually

The Internal Audit Plan links proposed internal audit


engagements to the organisation strategic objectives,
statutory objectives, risks and business drivers

There is input from management to development of the


Internal Audit Plan via interviews, workshops,
questionnaires, and Enterprise Risk Management
resources

The Internal Audit Plan takes into account various audit


types, Audit Committee input, provision for future
management initiated requests, and followup of
previous higher risk reports and recommendations

The Internal Audit Plan reconciles available resources

6
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

Quality Assurance Checklist


Internal Audit Planning
Includes

Best Practice Characteristics

What is in place

with the resources required to complete the plan, and


shows the limit of internal audit work that can be
completed with the available resources. Higher risk
areas which cannot be audited because resources are
not available are highlighted to the Audit Committee

The Internal Audit Plan is approved by the Audit


Committee, including changes to the Internal Audit
Plan

Internal Audit has adequate resources to be effective


and to complete its Internal Audit Plan

There is a welldefined process for assessing,


actioning and approving management initiated requests

MultiStage Audits are included, especially for


programs and projects

The Internal Audit Plan and any changes are approved


by the Audit Committee

A documented process is in place to flexibly


interchange riskbased internal audit work as the level
of risk changes or new higher level risks emerge

The interchange of internal audit work continues to


reflect the limit of available resources

Internal Audit has adequate resources that are


appropriate, sufficient and effectively deployed to
achieve the Internal Audit Plan

The financial budget for Internal Audit is reviewed and


endorsed by the Audit Committee

There is scope in the Audit Committee Charter for the


Audit Committee to engage with the Chief Executive
Officer about the resources required to complete the
Internal Audit Plan

7
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

Quality Assurance Checklist

Internal Audit Engagements


Includes

Best Practice Characteristics

What the is in place

Standards 2070, 2200, 2201, 2210, 2220, 2230, 2240, 2300, 2310, 2320, 2330, 2340

There is a documented and uptodate Internal Audit


Manual of policies and procedures

There is an approved Internal Audit Plan that details


Internal Audit work and estimated resource allocation

There is a schedule for internal audit work to be


conducted over the period of the Internal Audit Plan

There is adequate planning for each internal audit


engagement

There is adequate planning for each internal audit


engagement including audit objectives, scope, timing,
risks, resources, audit team, timeframes, stakeholder
engagement, and audit work schedule and milestones

There is a systematic and disciplined process followed


for each internal audit engagement

There is a systematic and disciplined process that is


planned, documented and followed for each internal
audit engagement. This covers performing the
engagement through identifying, analysing and
evaluating information, then documenting the related
observations and finding

The work performed for each internal audit


engagement aligns to the approved audit objectives, as
does the audit report containing the overall audit
opinion, observations, findings and recommendations

There is a consistent methodology established and


used for performing internal audit engagements and
preparing the associated working papers

Internal Audit employees and service providers have


been trained in use of the methodology

Each internal audit engagement is allocated to an Audit


Manager to supervise completion of the audit and
ensure quality of the audit

There is consideration for use of IT tools such as data


extraction and computer aided analysis techniques and
applications (CAATs)

There is a formal quality review process performed for


internal audit engagements

There is a scheduling process and resource allocation


for internal audit engagements

There is adequate supervision and quality review of


internal audit engagements to assure conformance with
Internal Audit methodology and standards

8
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

Quality Assurance Checklist


Internal Audit Engagements
Includes

There is regular, documented review of working papers


during internal audit engagements

There is adequate control of service providers who


perform internal audit engagements and other audit
related services

Best Practice Characteristics

The Chief Audit Executive or a senior delegate attends


the audit opening meeting and closing meeting for each
internal audit engagement

Internal audit reports are reviewed and signedoff by


the Chief Audit Executive

If the Chief Audit Executive is not IIAcertified, the


report will be countersigned by an IIAcertified senior
Internal Audit employee

Adequate confidentiality and security arrangements are


in place, documented and maintained for all working
papers including electronic data obtained during audits

There is a consistent and documented methodology for


conducting internal audit engagements and preparing
working papers

There is a formal quality process for internal audit


engagements that includes signoffs at key stages or
milestones of each audit

Requirements for internal audit engagements


performed inhouse also apply to service providers

Service providers have performance measures that are


monitored and periodically reported in conjunction with
Internal Audit performance reporting

Internal Audit reviews and retains working papers


prepared by service providers

Adequate documented confidentiality and security


arrangements are in place for all service provider
engagements, with periodic assertions (at least
annually) from the service provider that these
arrangements are being maintained

Service providers provide evidence of security


clearances for their personnel relative to the security
level required for each internal audit engagement

What the is in place

9
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

Quality Assurance Checklist

Reporting
Includes

Best Practice Characteristics

Standards 2070, 2200, 2201, 2210, 2220, 2230, 2240, 2300, 2310, 2320, 2330, 2340
Internal audit engagement reports are distributed to
management and the Audit Committee

Periodic reports on Internal Audit operations are


provided to the Audit Committee

Results of Internal Assessments are distributed to the


Audit Committee

Internal audit engagement reports are distributed to


management and the Audit Committee in a timely way

An assessment has been completed to ensure the Audit


Committee is satisfied with the style, structure, timing,
reliability and content of internal audit reports

Highlevel planning and reporting is conducted to identify


reflect audit themes

Internal Audit monitors and reports on progress and


completion of higher risk audit findings and associated
recommendations

Internal Audit operations and the Internal Audit Charter


are reviewed annually

Periodic reports on Internal Audit operations are


distributed to the Audit Committee that include the
Internal Audit purpose, authority, responsibility,
performance, significant risk exposures and control
issues that include fraud risks, governance, and other
matters needed or requested by management and the
Audit Committee

A Balanced Scorecard Report is provided to the Audit


Committee regularly

An Internal Audit Annual Report on operations and


performance is provided to the Audit Committee to
demonstrate the Internal Audit contribution to the
organisation

The Internal Audit Annual Report should be provided to


the Chief Executive Officer through the Chair of the Audit
Committee

Internal Audit senior management signoff an annual


Quality Assurance assertion for each completed internal
audit engagement, usually in the form of a post
engagement survey. The results are used in assessing
and reporting on Internal Audit performance

The Chief Audit Executive and Internal Audit senior

10
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

What is in place

Quality Assurance Checklist


Reporting
Includes

Best Practice Characteristics


management signoff an annual Quality Assurance
assertion that is reported to the Audit Committee and
provides explicit assurance Internal Audit has conformed
to standards, including how key elements were managed
such as independence, restrictions on work, conflicts of
interest, errors and omissions, and quality assurance and
improvement

Timely distribution of Internal Assessments to the Audit


Committee

Results of External Assessments are distributed to the


Audit Committee

External Assessments are distributed to the Audit


Committee in a timely way

Results of Internal Audit performance measures are


reported to the Audit Committee

Surveys are distributed and reviewed on return to assess


the level of satisfaction key stakeholder groups have with
Internal Audit. This includes the Audit Committee, senior
management, audit clients after internal audit
engagements, and Internal Audit employees

Results of Internal Audit performance measures regularly


reported to the Audit Committee

11
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

What is in place

Quality Assurance Checklist

Monitoring and FollowUp


Includes

Best Practice Characteristics

Standard 2500
There is a followup system in place for internal audit
recommendations and action plans to assure they are
implemented in a timely way, including external audit
recommendations

A userfriendly audit recommendation followup system


is in place that is regularly reviewed and updated with
management comments and evidence of remedial action

Progress on implementation of recommendations and


action plans is regularly reported to the Audit Committee

There is riskbased followup of internal audit


recommendations and action plans to evidence they
have been effectively implemented

There is periodic followup assurance of implementation


of internal audit recommendations and management
action plans, with followup action reported to the Audit
Committee

Progress of management actions to remediate higher


risk audit recommendations are reviewed by the Audit
Committee to ensure it remains aware of the status of
high risk and longoverdue recommendations

12
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

What is in place

Quality Assurance Checklist

Performance and Process Improvement


Includes

Best Practice Characteristics

Standard 1300
There are performance measures in place for Internal
Audit

There is a management feedback survey distributed


after each internal audit engagement

There is an annual management feedback survey


distributed each year

Internal Audit performance measures are approved by


the Audit Committee and included in the Internal Audit
Charter

Internal Audit performance is monitored and reviewed


against target performance measures

Periodically the Chief Audit Executive undertakes


benchmarking of the Internal Audit, for example against
leading practices such as the IIAAustralia Policy
Agenda or an Internal Audit Maturity Assessment

Benchmarking results are reported to the Audit


Committee, together with action plans for improvement

Internal Audit performance ratings are monitored and


reviewed against target performance measures in the
Internal Audit Charter

Information received from management feedback


surveys is used to improve services and performance of
Internal Audit

Internal Audit performance ratings are monitored and


reviewed against target performance measures in the
Internal Audit Charter

13
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

What is in place

Quality Assurance Checklist

Internal Assessments and External Assessments


Includes

Best Practice Characteristics

Standards 1311, 1312


There is an annual Internal Assessment performed
through selfassessment or by other persons within the
organisation with knowledge of internal audit practices
and the Standards

An Internal Assessment against the Standards is


conducted annually

An Internal Audit Action Plan is developed and


implemented to address any partial conformances and
nonconformances or opportunities for improvement, with
progress periodically reported to the Audit Committee

An External Assessment is scheduled at least once


every 5 years by a qualified, independent assessor or
assessment team from outside the organisation

An External Assessment against the Standards is


conducted at least once every 5 years

The terms of reference for the External Assessment are


approved by the Audit Committee, together with reporting
arrangements

An Internal Audit Action Plan is developed and


implemented to address any partial conformances and
nonconformances or opportunities for improvement, with
progress periodically reported to the Audit Committee

14
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

What is in place

Quality Assurance Checklist

Code of Ethics
Includes

Best Practice Characteristics

Principles and Rules of Conduct

The IIA Code of Ethics is included in the induction for


Internal Audit employees and service providers

Compliance with the IIA Code Ethics is a requirement


mandated in the Internal Audit Charter

Internal Audit employees and service providers are obliged


to comply with the IIA Code of Ethics through an
appropriate means that may include being IIA members
and signing an appropriate acknowledgement annually

15
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

What is in place

Quality Assurance Checklist


Useful References
Element

Useful Reference

Audit Committees

Audit Committees: A Guide to Good Practices, Second Edition, AASB/AICD/IIAAustralia, Melbourne/Sydney Australia,
2012

Balanced Scorecard Reporting

A Balanced Scorecard Approach for Internal Auditing Departments, Mark L Frigo, The IIA Research Foundation, Altamonte
Springs Florida USA, 2002
Governance, Risk Management and Control: Internal Audit Leading Practices Case Studies from Asia, Case Study 2:
Implementing a Balanced Scorecard at the Australian Taxation Office, pp 3759, Asian Development Bank, Peoples
Republic of China, 2010

Benchmarking

Government Lighthouse, AuditorGenerals Report to Parliament Volume 22011, Audit Office of NSW, Sydney Australia
2011
Policy Agenda, Institute of Internal AuditorsAustralia, Sydney Australia, 2012
Twenty Questions Directors Should Ask About Internal Audit, John Fraser and Hugh Lindsay, Chartered Accountants of
Canada, Second Edition, Toronto Canada, 2007
Notes: There is also industryspecific leading practice guidance, including banking and finance, private sector, and public
sector (from respective state and Federal Auditors General and the IIA Public Sector Committee). Service provider firms
also produce occasional thought leadership publications

Stakeholder Relationship
Management

Insight: Delivering Value to Stakeholders, Patty Miller and Tara Smith, The IIA Research Foundation, Altamonte Springs
Florida USA, 2002
Internal Auditor Magazine, Article: The ABCs of Adding Value, pp 4853, The Institute of Internal Auditors, Altamonte
Springs Florida USA, December 2013

Standards

International Professional Practices Framework (IPPF) 2013 Edition, The Institute of Internal Auditors, Altamonte Springs
Florida USA, 2013

Three Lines of Defense

IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, The Institute of Internal
Auditors, Altamonte Springs Florida USA, 2013

16
Copyright 2014 by The Institute of Internal Auditors Australia. All rights reserved.

You might also like