HIERARCHY OF QUALITY ASSURANCE ELEMENTS

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-21 Standard 1310: Requirements of the Quality Assurance and Improvement Pro-

gram states that "The quality assurance and improvement program must include both internal and external assessments." "Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit [function]; and

• Periodic self-assessment or assessments by other persons within the organization with sufficient knowledge of internal audit practices" (Standard 1311:

Internal Assessments).

"The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit [function]"

(Standard 1300: Quality Assurance and Improvement Program). The CAE also

"must communicate the results of the quality assurance and improvement program to senior management and the board" (Standard 1320: Reporting on the Quality Assurance and Improvement Program) and may state that the internal audit function conforms with the Standards "only if supported by the results of the quality assurance and improvement program" (Standard 1321: Use of "Conforms with the International Standards for the Professional Practice of Internal Audit- ing"). "When non conformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit [function], the chief audit executive must disclose the nonconformance and the impact to senior management and the board" (Standard 1322: Disclosure ofNonconformance).

2-22 INTERNAL AUDITING: ASSURANCE & ADVISORY SERVICES

Managing the Internal Audit Activity. Standard 2000 indicates that the CAE is responsible for managing the internal audit function (referred to throughout the Standards as the internal audit activity) and ensuring that the function adds value to the organization. Even when an organization outsources the internal audit function to an outside service provider, the organization must have some- one in-house who is responsible for approving the service contract, overseeing the quality of the service provider's work, arranging for reporting assurance and consulting engagement outcomes to senior management and the board, and tracking engagement results and observations. In many cases, this person functions as a CAE. However, when this person has conflicting responsibilities or the outsourced 2000 - Managing the Internal Audit Activity

2100 - Nature of Work 2200 - Engagement Planning 2300 - Performing the Engagement 2400 - Communicating Results 2500 - Monitoring Progress

2600 - Communicating the Acceptance of Risks

The Performance Standards, which describe the nature of internal audit services and the criteria against which the performance of these services can be assessed, are divided into seven main sections:

The Performance Standards

Chapter 9 provides more details regarding the implementation of quality assurance and improvement programs. Further guidance for conducting internal and external reviews can be found in The IIA's Quality Assessment Manual.

Exhibit 2-7 provides a framework for designing a quality assurance program, which includes an underlying principle of substitutability. Quality assurance elements can be substituted for those higher in the hierarchy if specific independence conditions are met. For example, an internal assessment may be conducted in lieu of an external assessment if the assessors are independent (that is, outside the line of authority and responsibility of the work they are assessing). Large internal audit functions with several decentralized internal audit units (for example, an Asian office, a North and South American office, and a European office) may internally assess the work performed by internal auditors on individual assurance and consulting engagements. In such situations, external assessors may focus on the internal audit function's quality assurance process, organizational independence, risk assessment process, and relationships with the audit committee and senior management. Conversely, assessments of individual assurance and consulting engagements conducted by small, centralized internal audit functions must be performed by qualified external assessors.

"External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:

• The form and frequency of external assessment; and

• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest" (Standard 1312: External Assessments).

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-23 Nature ofWork. Standard 2100: Nature of Work is consistent with the Definition

of Internal Auditing discussed earlier in this chapter. It states that "The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic, disciplined, and risk- based approach."

These responsibilities of the CAE are discussed further in chapter 9.

• " ... share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts" (Standard 2050:

Coordination).

• " ... report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards." The CAE also must report "significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board" (Standard 2060: Reporting to Senior Management and the Board).

• " ... ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan" (Standard 2030: Resource Man- agement).

• " ... establish policies and procedures to guide the internal audit activity" (Stan- dard 2040: Policies and Procedures).

• " ... communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval." The CAE "must also communicate the impact of resource limitations" (Standard 2020: Communication and Approval).

Subsequent standards go on to indicate that, to meet his or her management responsibilities, the CAE must:

• " ... establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals" (Standard 2010: Planning).

• It considers trends and emerging issues that could impact the organization."

The interpretation to Standard 2000 states that "The internal audit activity is effectively managed when:

• It achieves the purpose and responsibility included in the internal audit charter.

• It conforms with the Standards.

• Its individual members conform with the Code of Ethics and the Standards.

function is managed by the board, the external service provider has the addi- tional responsibility of making "the organization aware that the organization has the responsibility for maintaining an effective internal audit activity" (Standard 2070: External Service Provider and Organizational Responsibility for Internal Auditing). The interpretation of this standard goes on to say that "This responsibility is demonstrated through the quality assurance and improvement program which assesses conformance with the Code of Ethics and the Standards."

2·24 INTERNAL AUDITING: ASSURANCE & ADVISORY SERVICES

The Engagement Process. The performance of internal audit engagements, whether assurance or consulting, can be divided into three phases. These engagement phases are illustrated in exhibit 2-8. The following Performance Standard sections pertain directly to the engagement process:

Chapter 3, "Governance," chapter 4, "Risk Management," and chapter 6, "Internal Control," discuss governance, risk management, and control processes in detail and discuss the internal audit function's responsibilities for evaluating and con- tributing to the improvement of these processes.

The internal audit function evaluates risk exposures and evaluates the design adequacy and operating effectiveness of controls "regarding the:

• Achievement of the organization's strategic objectives;

• Reliability and integrity of financial and operational information;

• Effectiveness and efficiency of operations and programs;

• Safeguarding of assets; and

• Compliance with laws, regulations, and contracts" (Standards 2120.Al and 2130.Al).

Third, the internal audit function assists "the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement" (Standard 2130: Control).

Likewise, the internal audit function "must evaluate the effectiveness and contribute to the improvement of the organization's risk management processes"

(Standard 2120: Risk Management). Determining whether the organization's risk management processes are effective is based on the internal audit function's

"assessment that:

• Organizational objectives support and align with the organization's mission;

• Significant risks are identified and assessed;

• Appropriate risk responses are selected that align risks with the organization's risk appetite; and

• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities" (Interpretation to Standard 2120: Risk Management).

• Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management" (Standard 2110: Governance).

The internal audit function "must assess and make appropriate recommendations to improve the organization's governance process for:

• Making strategic and operational decisions,

• Overseeing risk management and control,

• Promoting appropriate ethics and values within the organization;

• Ensuring effective organizational performance management and accountability;

• Communicating risk and control information to appropriate areas of the organization; and

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK, AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-25 Standard 2200: Engagement Planning states that "Internal auditors must develop

and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations." In planning the engagement, the internal audit function "must consider:

• The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance;

The last two sections have been combined in the "Communicate" phase of the engagement process illustrated in exhibit 2-8. The standards pertaining specifi- cally to the engagement process are intentionally general in nature to accommo- date the varying nature of internal audit engagements.

2200 - Engagement Planning 2300 - Performing the Engagement 2400 - Communicating Results 2500 - Monitoring Progress

2500: Monitoring Progress

2410: Criteria for Communicating 2420: Quality of Communications

2421: Errors and Omissions

2430: Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing"

2431: Engagement Disclosure of Nonconformance 2440: Disseminating Results

2450: Overall Opinions

2400: Communicating Results

2310: lndentifying Information 2320: Analysis and Evaluation 2330: Documenting Information 2340: Engagement Supervision

2300: Performing the Engagement

2201: Planning Considerations 2210: Engagement Objectives

2220:EngagementScope 2230: Engagement Resource Allocation

2240: Engagement Work Program

2200: Engagement Planning EXHIBIT 2-8

THE PHASES OF THE ENGAGEMENT PROCESS AND CORRESPONDING STANDARDS

2-26 INTERNAL AUDITING: ASSURANCE & ADVISORY SERVICES

Internal audit functions may report that their engagements are "conducted in conformance with the International Standards for the Professional Practice of Internal Auditing" only if the results of the quality assurance and improvement program support the statement (Standard 2430: Use of "Conducted in Confor- For internal audit engagements to have value, their outcomes must be communicated timely to the appropriate users. It is not enough, however, for the users to receive a report. The communication must be in a form that minimizes the risk of misinterpretation. Standard 2410: Criteria for Communicating states that "Com- munications must include the engagement's objectives, scope and results." Stan- dard 2420: Quality of Communications further states that "Communications must be accurate, objective, clear, concise, constructive, complete, and timely." More- over, Standard 2421: Errors and Omissions states, "If a final communication con- tains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication."

• " ... base conclusions and engagement results on appropriate analyses and eval- uations" (Standard 2320: Analysis and Evaluation).

• " ... document sufficient, reliable, relevant, and useful information to support the engagement results and conclusions" (Standard 2330: Documenting Infor- mation).

• Make sure that the engagement is "properly supervised to ensure objectives are achieved, quality is assured, and staff is developed" (Standard 2340: Engage- ment Supervision).

While performing the engagement, the internal audit function must:

• " ... identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives" (Standard 2310: Identifying Information).

• "Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and com- plexity of each engagement, time constraints, and available resources" (Stan- dard 2230: Engagement Resource Allocation).

• "Internal auditors must develop and document work programs that achieve the engagement objectives" (Standard 2240: Engagement Work Program).

The following standards apply when planning the internal audit engagement:

• "Objectives must be established for each engagement" (Standard 2210: Engage- ment Objectives).

• "The established scope must be sufficient to achieve the objectives of the engagement" (Standard 2220: Engagement Scope).

• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;

• The adequacy and effectiveness of the activity's governance, risk management, and control processes compared to a relevant framework or model; and

• The opportunities for making significant improvements to the activity's governance, risk management, and control processes" (Standard 2201: Planning Considerations).

Communications must be accurate, objective, clear, concise, constructive, complete, and timely

Quality of

Communications

Communications must include the engagement's objectives, scope, and results.

Criteria for Communicating

THE INTERNATIONAL PROFESSIONAL PRACTICES FRAMEWORK: AUTHORITATIVE GUIDANCE FOR THE INTERNAL AUDIT PROFESSION 2-27 The portion of inherent risk that remains alter management executes its risk responses (sometimes referred to as net risk).

Residual Risk

The IIA's mandatory guidance (the Core Principles, the Code of Ethics, the Stan- dards, and the Definition oflnternal Auditing) is relatively general in nature because

Dalam dokumen pdfcoffee.com internal-auditing-4th-edition-5-pdf-free 1 (Halaman 78-84)