Performing a periodic self assessment as part of your Quality Assurance Improvement Program
The International Standards for the Professional Practice of Internal Auditing (Standards) set the mandatory requirements for every Internal Audit function. As part of the Standards, there is a key component which requires audit functions to establish a Quality Assurance Improvement Program (QAIP).
This post will focus only on how to develop and perform an Internal Audit Self Assessment, however to provide context and assist with your understanding, we have provided background regarding a QAIP.
The Standards state the following with reference to a QAIP.
1310 – Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external assessments.
So what is an internal assessment and an external assessment, and what are the differences?
The Standards go on to describe these also. For both an internal and external assessment, it is important that the interpretation attached to each Standard is also read and considered.
1311 – Internal Assessments
Internal assessments must include:
Ongoing monitoring of the performance of the internal audit activity.
Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.
Interpretation: Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards. Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.
1312 – External Assessments
External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:
The form and frequency of external assessment.
The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
Interpretation: External assessments may be accomplished through a full external assessment, or a self-assessment with independent external validation. The external assessor must conclude as to conformance with the Code of Ethics and the Standards; the external assessment may also include operational or strategic comments. A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified. An independent assessor or assessment team means not having an actual or perceived conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs. The chief audit executive should encourage board oversight in the external assessment to reduce perceived or potential conflicts of interest.
Naturally, once an assessment has been performed, it is important that the results are appropriately communicated. This is considered within the Standards also:
1320 – Reporting on the Quality Assurance and Improvement Program
The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. Disclosure should include:
The scope and frequency of both the internal and external assessments.
The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest.
Conclusions of assessors.
Corrective action plans.
Interpretation: The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Code of Ethics and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the assessor’s or assessment team’s assessment with respect to the degree of conformance.
A Quality Assurance Improvement Program
So taking into account each of the Standards above, how do we actually implement a a Quality Assurance Improvement Program? Here are a few steps.
Consider the mandatory requirements of the International Professional Practices Framework.
Consider the all of Internal Audit's activities.
Consider the current appraisal Internal Audit activity (i.e. survey's).
Consider how improvement opportunities are identified.
Consider the involvement of management, audit committees and the board in Internal Audit activity.
When considering your QAIP, it is good to build a framework. The IIA has provided an example framework, however this should only be used as a guide. Any framework needs to be reflective of the organisation and the environment which it operates within. To read more about this framework, you can read IIA Guidance here.
In fact, a huge amount of information regarding the QAIP can be found from the IIA here. Alternatively, we have got copies of the documents below. Please note, there are multiple documents here. Please take care and ensure you have downloaded all of the relevant documents,
Performing a periodic self assessment
Now that we have an understanding of what the Standards require and what a QAIP framework looks like, now it is time to perform a self assessment.
The IIA recommends that a self assessment should be performed at least once annually. It would be recommended that an assessment is performed in a quieter period where the results of the assessment will not be conflicting with other key annual audit activities such as annual planning.
When building the self assessment program, the audit function should consider the following:
All mandatory requirements of the IPPF. These include the Standards, Core Principles, Definition and Ethics.
Adequacy and appropriateness of internal audit policies and procedures.
Achievement of KPIs.
Stakeholder expectations and survey results.
Performing the annual self assessment is also a great time for audit teams to review current audit manuals and processes and make necessary updates.
To help audit functions perform their self assessment, we have build a Internal Audit self assessment checklist which helps monitor compliance against the Standards. The checklist does not monitor specifically against other mandatory requirements, nor does it address the other considerations mentioned above, however these are all factored into the checklist through supporting evidence. A copy of the checklist is presented below.
A copy of this free template can be viewed here.
To purchase an editable version of this template, please click here.
The checklist will help audit teams to document the evidence obtained to support their compliance against the Standards, but will also allow teams to record suggested improvement areas. The dashboard included in our template also allows for the effective monitoring of suggested action implementation. All of this combined helps demonstrate continual improvement - a key requirement of the Standards, and can facilitate reporting to management also.
The periodic self assessment is also a great opportunity for audit teams to consider their compliance against the Internal Audit Code of Practice. You can purchase a copy of our Code of Practice Self Assessment template here.
Keep an eye out. We will be preparing a guidance document to help you build a QAIP and implement ongoing and periodic monitoring, to help ensure you are in compliance with the Standards.