«Ref. 2014-3 Quality assurance for Internal Audit The IIA Standards stress the importance of quality assurance and improving Internal Audit, but which ...»
Public Internal Control Systems
in the European Union
for Internal Audit
Discussion Paper No. 3
Public Internal Control
An EU approach
Quality assurance for Internal Audit
The IIA Standards stress the importance of quality assurance and improving Internal
Audit, but which of the various approaches is actually taken depends on the level of
maturity of the Internal Audit function. This paper is intended to provoke a discussion
and encourage EU Member States to share their views and experiences when it comes to assuring the quality of Internal Audit.
Table of contents
2. QUALITY ASSURANCE AND IMPROVEMENT
3. QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME
3.1. Aims of the Quality Assurance and Improvement Programme
3.2. Content of the Quality Assurance and Improvement Programme
3.3. Communication of the Quality Assurance and Improvement Programme results
4. ROLE OF CHU
Quality assurance for Internal Audit
1. INTRODUCTION This paper is intended to provoke a discussion and encourage EU Member States to share their views and experiences when it comes to assuring the quality of the Internal Audit (IA) function in the public sector. The paper takes Institute of Internal Auditors (IIA) Standards as a starting point, but this is without prejudice to other assurance providing structures in the EU.
The public sector IA function is established in most Member States and plays an important role in the process of improving governance, control and risk management in the public sector by providing assurance, recommendations and advice on the functioning of management and control systems. In some Member States, it has reached a high level of maturity, enjoys the trust of management and is effective in adding value. In others, it is less developed and/or still moulded by cultural and administrative traditions involving a more centralised approach, with ex ante centralised control and/or ex post financial inspections focusing on legal compliance.
However, implementing the IIA’s Quality Assurance and Improvement Programme (QAIP) should be a natural objective for seeking to maintain ‘fit-for-purpose’ IA activity.
The IA function can be said to be of good quality when it provides objective and relevant assurance and adds value by contributing to the efficiency and effectiveness of governance, risk management and control.
Compliance with the standards applying to the IA profession is very important. In most Member States, public sector IA bases itself on the Standards for the Professional Practice of Internal Auditing1 (part of the IIA’s International Professional Practices Framework – IPPF). In some, these internationally recognised standards are directly applicable in national legislation, while others have incorporated them into their national standards. Consequently, the basic IA standards referred to in this paper are these IPPF Standards.
The Standards stress the importance of quality assurance and improving IA, but which of the various approaches is actually taken depends on the level of maturity of the IA function. Some countries have a Central Harmonisation Unit (CHU) that provides methodological support for the development and implementation of the QAIP.
2. QUALITY ASSURANCE AND IMPROVEMENT
The IPPF contains specific Attribute Standards (1300 series) that focus on the quality and improvement of IA. This makes complete sense, since only operations that comply with the IIA Definition, Standards and Code of Ethics can fully serve the purpose of the IA function and any deviation from the framework could hamper achievement of its aims and its usefulness.
Hereinafter referred to as ‘the IIA Standards’, ‘the IPPF Standards’ or simply ‘the Standards’.
Only if the Standards are followed in their entirety can internal auditors claim in their audit report that their work has been ‘conducted in conformance with the Standards’ (see Standard 2430).
In order to ensure and maintain the quality of IA through implementation of the QAIP, the Chief Audit Executive (CAE) is responsible for making sure that internal and external quality assessments are carried out to confirm inter alia the efficiency and effectiveness of IA.
3. QUALITY ASSURANCE AND IMPROVEMENT PROGRAMMEThe 1300 series of the Standards requires the CAE to develop and maintain a QAIP that covers all aspects of IA activity. The QAIP is the key tool for maintaining quality and developing and implementing it is part of the IA maturity process.
3.1. Aims of the Quality Assurance and Improvement Programme
The main aims of the QAIP are:
• to evaluate conformity with the Definition of Internal Audit, the Standards and the Code of Ethics;
• to assess the efficiency and effectiveness of IA; and
• to identify opportunities for improvement.
3.2. Content of the Quality Assurance and Improvement Programme The QAIP must include both internal and external assessments. The approach to developing the programme may be outlined in guidance documents (e.g. the UK’s Internal Audit Quality Assessment Framework), ordinances (e.g. ordinance of Bulgaria’s Finance Minister) or manuals (as in most countries). The programme methodology should be based on the IIA Standards and corresponding Practice Advisories.
In general, internal and external IA assessments tend to focus on the following:
• the purpose and positioning of the IA unit (appropriate status, independence in carrying out its activities);
• the unit’s structure and resources for delivering the service expected of it;
• the efficiency and effectiveness of the output-oriented auditing process; and
• positive demonstrable impact on governance, risk management and control.
Each area may be divided into sub-sections, accompanied by a list of good practices.
Internal assessment Internal assessment is a key and cost-effective way of helping to ensure the quality of IA
and must include:
• ongoing monitoring of IA activity; and
• periodic self-assessments or assessments by other persons within the organisation with sufficient knowledge of IA practices.
Public sector IA units should develop (by themselves or with the assistance of the CHU) internal rules and/or manuals for internal quality assessment procedures. Since ongoing monitoring is an integral part of day-to-day work under routine policies and practices, the procedures should be clear, applicable and not over-complex.
As the Standards do not describe or interpret periodic assessment, CAEs should develop appropriate forms and procedures for their particular units. (The IIA’s Quality assurance and improvement programme Practice Guide is very useful in this respect).
Internal assessments may also be used as preparation for external assessments, especially where they involve self-assessment with independent external validation.
Surveys have shown that ongoing supervision and feedback from audit clients are two other valuable components of internal assessments and it might be useful to further elaborate on assessment criteria on that basis.
External assessment External assessment is an appropriate way of assuring IA quality, comparing with good practice and ensuring reliability. It also represents an opportunity to promote the IA function within an organisation. As regards methodology, external assessment follows an established approach which is set out in an IIA manual. It involves full external assessment by an independent competent assessor or assessment team.
A recently-introduced2 form of external assessment (actually combining internal and external assessment) is self-assessment with independent external validation. This offers value for money and the self-assessment is a useful exercise in itself, but it may be demanding for the CAE and, more importantly, it may be somewhat subjective.
External assessment must be conducted at least every five years. It is very important that the external assessors are qualified and independent of the organisation. There are qualitative and quantitative benchmarks to facilitate the assessment.
External assessment, including external validation of internal self-assessment, can also be carried out by teams of public sector experts who are qualified internal auditors and provide assessments/validation at the CAE’s request in line with the applicable rules.
This is a good cost-effective means of providing assurance that the Standards are applied appropriately and that the IA function adds value. To ensure independence, the assessment team should not include a representative of the unit being assessed and ‘cross-assignments’ should be avoided.
As from 1 January 2013 Assessment criteria
Attention should be paid to the measurement criteria used in internal and external assessments. As no single criterion can give the whole picture as regards the efficiency and effectiveness of the IA function, a combination of quantitative and qualitative measurements is necessary to provide a more complete picture.
Quantitative indicators are the easiest to develop – examples include:
• number of audits performed;
• number of findings;
• number of recommendations issued;
• number of recommendations implemented;
• time spent carrying out the audit.
Qualitative indicators are harder to identify and/or develop – examples include:
• quality of the findings in terms of materiality;
• quality of recommendations in terms of impact;
• degree of risks covered by the audit plan;
• amendments to the management and control set-up resulting from an audit engagement;
• opinion of internal and external stakeholders.
3.3. Communication of the Quality Assurance and Improvement Programme results The IIA Standards require the CAE to communicate the results of the QAIP to senior management and the Board (which in the public sector could include the Minister).
Communication is an important pre-condition for future improvement (one of the main
objectives of the programme). The CAE should ensure that:
• the results of periodic internal assessments are summarised and discussed, and an action plan for improvement developed and implemented; the results are reported to and reviewed with senior management and the audit committee;
• benchmarks from external assessments are reported to management and the audit committee to facilitate continuous improvement;
• client feedback forms are received from the auditee and documented so that they can be fed into continuous improvement of IA processes;
• the results of ongoing monitoring are communicated at least annually.
The development of IA quality assurance and improvement programme is important for:
• management and other IA clients; because quality assurance focuses on the outcomes that help organisations achieve their aims;
• IA units, because it enables them to fulfil their purpose;
• CHUs (or similar central contact points); because the tools may help the CHU to develop and deliver a common methodology.
The role of the CHU in ensuring IA quality is to encourage and support the IA function in applying the internal assessment mechanisms. The CHU has many tools which can be
used to support internal auditors in ensuring a high level of service, including:
• guidelines for the QAIP, including self-assessment;
• benchmark reporting;
• examples of good practice;
• monitoring, including on-the-spot visits;
The key objective of peer reviews is to monitor/assess IA functioning in the public sector. Their scope should vary according to the level of IA system development.
Initially, a review would focus on organisational and formal aspects of the IA function (organisation and management – including QAIP, planning, reporting, assurance engagements, consulting activities, etc.), whereas later it may relate more to the effectiveness, efficiency and usefulness of IA in public entities.
In Member States in which CHUs are formally established, their tasks may include overseeing, monitoring and advising on public sector IA activity, and reporting annually on these activities to government and/or parliament. However, in some Member States, the tasks of the CHU go beyond this and include (external) assessment of the IA activities of the operational units, including self-assessment with external validation. It is questionable whether such assessments are in line with the Standards, in particular as regards the independence and ‘externality’ of the CHU vis-à-vis the IA unit concerned.
In 2012,3 the Commission’s Directorate-General for Budget considered that an external assessment by the CHU cannot be regarded as satisfying the requirements of the Standards. In line with Practice Advisory 1312-1, DG Budget is of the opinion that, though organisationally separate from the IA unit under review, the CHU cannot be regarded as ‘external’ and ‘independent’ in line with Standard 1312, since it provides the Opinion of 13 November 2012 addressed to the CHUs of (potential) candidate countries, qualifying European Neighbourhood Policy countries and delegates in the Public Expenditure Management Peer Assisted Learning (PEMPAL) organisation, and copied to the SAIs of these countries.
IA activity with assistance and professional guidance. If assessment by the CHU is the only ‘external’ assessment, the IA unit concerned may not indicate in its audit reports that the engagement was ‘conducted in conformance with the International Standards for the Professional Practice of Internal Auditing’ (see Standard 2430).