SECTION J ‐ QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
Ref. Policy and Practice Requirements IIA Standards and Other references J‐1 Policy: The Head of Internal Audit shall develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. The objective of this program is to provide reasonable assurance to the various stakeholders of the internal audit activity that it: • Performs in accordance with its charter, which should be consistent with the Standards and Code of Ethics, • Operates in an effective and efficient manner, and • Is perceived by those stakeholders as adding value and improving the Center’s operations Discussion: A quality assurance and improvement program comprises: o Clear policies, procedural requirements and explanations of what is expected in terms of alignment with the IIA standards, appropriately organized to meet the conditions under which Internal Audit services are delivered to the Centers. This Manual seeks to address this element. Internal Auditors and Quality control and assurance reviewers should use this Manual as a Standard 1300 ‐ Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity Practice Advisory 1300‐1 ‐ Quality Assurance and Improvement Program Standard 1310 – Requirements of the Quality Assurance and Improvement Program The quality assurance and improvement program must include both internal and external assessments.
benchmark for their work. o Recruitment, performance evaluation and professional development arrangements which promote quality – see Section D.1 of this Manual for related policies and practice requirements o Quality control of medium term and annual internal audit work planning, through internal reviews of draft planning documents and feedback from audit clients before the planning documents are finalized – see Manual Section G.1 for related policies and practice requirements o Feedback from audit clients at the planning and reporting phases of audit engagements – see Manual Sections I.1 and I.5 for related policies and practice requirements o Quality control of audit engagements through appropriate supervision during the audit engagement cycle ‐ particularly at the planning and reporting stages – this is discussed in more detail in this Manual Section o A program of annual internal reviews of audit working papers and reports by independent senior Internal Auditors from among the CGIAR Internal Audit community – this is discussed in more detail in this Manual Section o A program of 5 yearly external Quality Assurance Reviews – this is discussed in more detail in this Manual Section This program is supplemented by feedback from periodic reviews of internal audit activities by Center external auditors, donor auditors, External Program and Management Reviews, and Center
Commissioned External Reviews The Internal Audit organization for the CGIAR System is not large enough to establish a separate, dedicated quality assurance group. The internal aspects of the quality assurance program will be carried out by cooperatively by the CGIAR IAU Directors and Associate Directors, and by other Center Heads of Internal Audit. There are sufficient qualified and experienced staff at these levels to share the responsibilities so that a reasonable level of independence can be kept in the internal program J‐1:1 Practice Requirement: The Head of Internal Audit shall be responsible for assuring that appropriate engagement supervision is provided where other Internal Auditors carry out internal audits for the Center under the Head’s supervision. Discussion: Supervision is a process that begins with planning and continues throughout the examination, evaluation, communication, and follow‐up phases of the engagement. Supervision includes: o Ensuring that the auditors assigned possess the requisite knowledge, skills, and other competencies to perform the engagement. o Providing appropriate instructions during the planning of the engagement and approving the engagement program. o Seeing that the approved engagement program is carried out unless changes are both justified and authorized. Standard 2340 ‐ Engagement Supervision Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed. Practice Advisory 2340‐1 – Engagement Supervision
o Determining that engagement working papers adequately support the engagement observations, conclusions, and recommendations. o Ensuring that engagement communications are accurate, objective, clear, concise, constructive, and timely. o Ensuring that engagement objectives are met. o Providing opportunities for developing the knowledge, skills, and other competencies of the Internal Auditors being supervised The Head of Internal Audit has overall responsibility for review but may designate appropriately experienced Internal Auditors to perform the review. Appropriately experienced internal auditors may be utilized to review the work of other less experienced internal auditors. J‐1:2 Practice Requirement: Appropriate evidence of supervision shall be documented and retained. The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement. Practice Advisory 2340‐1 – Engagement Supervision J‐1:3 Practice Requirement: Key engagement working papers, including draft audit terms of reference, audit programs and draft reports, shall be reviewed to ensure that they properly support the engagement communications and that all necessary audit procedures have been performed. Evidence of supervisory review may be in different forms: the reviewer initialing and dating each working paper after it is reviewed. written records (review notes) of questions Practice Advisory 2340‐1 – Engagement Supervision
arising from the review process completing an engagement working paper review checklist, preparing a memorandum specifying the nature, extent, and results of the review, and/or evaluation and acceptance within electronic working paper software. Discussion: This applies also to audits are undertaken directly by the Head of Internal Audit. In such cases another senior internal auditor in the CGIAR IAU or Center IAU, where available one that has previous experience in the audit or subject matter of the area under review, should act as reviewer. When clearing review notes, care should be taken to ensure that the working papers provide adequate evidence that questions raised during the review have been resolved. This may be in the form of a blanket clearance where the questions are straightforward and all satisfactorily addressed. Evidence of review activities, including clearance of questions, should be retained in the working papers. This is often in the form of electronic mails or marked up copies of documents with edit tracking and comments J‐1:4 Practice Requirement: For each Center, an annual program of internal quality assurance over the internal audit activity shall be developed. This program may be carried out by the Director or an Associate Director of the CGIAR IAU, or another Head of Internal Audit for a different Center. Standard 1310 – Requirements of the Quality Assurance and Improvement Program The quality assurance and improvement program must include both internal and external
Discussion: The annual internal quality assurance should comprehensively review the Internal Audit activity for the Center against all the relevant benchmarks set out in this Manual. The review should take account of any performance metrics for the Internal Audit Activity (see Section E of this Manual) The Head of Internal Audit is recommended to prepare for such internal quality assurance reviews by self‐assessing. Time for this level of quality assurance should be built into the Center annual internal audit work plan and Head of Internal Audit’s and the QA reviewer’s own individual annual work plans. Given the geographic dispersion of the Internal Audit activities across the CGIAR System, the internal quality assurance program should rely as much as possible on electronic records and communications. However where possible such reviews will be scheduled at a time when on site review and discussions can also be held. assessments. Practice Advisory 1300‐1 ‐ Quality Assurance and Improvement Program Practice Advisory 1310‐1 – Requirements of the Quality Assurance and Improvement Program Standard 1311 – Internal Assessments Internal assessments must include: Ongoing monitoring of the performance of the internal audit activity; and Periodic reviews performed through self‐ assessment or by other persons within the organization with sufficient knowledge of internal audit practices. Practice Advisory 1311‐1 – Internal Assessments J‐1:5 Practice Requirement: The results of the program shall be documented and shall include overall conclusions and, where appropriate, recommendations for improvement. Discussion: A periodic internal assessment performed within a short time prior to an external assessment can serve to facilitate and reduce the cost of an external assessment. If the 5 yearly external assessments takes the form of a self‐assessment with Practice Advisory 1310‐1 – Requirements of the Quality Assurance and Improvement Program Practice Advisory 1311‐1 – Internal Assessments
independent validation, the periodic internal assessment can serve as the self‐ assessment portion of this process. The IIA’s Quality Assessment Manual contains an outline of the self‐assessment process including guidance and tools, which can be applied to the annual internal quality assurance reviews. Draft and final reporting of results, similar to that for an external assessment, should be prepared J‐1:6 Practice Requirement: The Head of Internal Audit shall report the results of annual internal quality assurance reviews, including recommendations and follow up actions taken or proposed, in the periodic internal audit activity report to the Center’s Director General and the Audit Committee. Practice Advisory 1310‐1 – Requirements of the Quality Assurance and Improvement Program Practice Advisory 1311‐1 – Internal Assessments J‐1:7 Practice Requirement: The collective Internal Audit activity of the CGIAR Internal Auditing Unit and Center‐hired internal auditors shall be subject, at least every 5 years, to a comprehensive external quality assurance review, conducted by a qualified, independent reviewer or review team from outside the CGIAR System. Discussion: External assessments should appraise and express an opinion as to the Internal Audit activity’s compliance with the Standards and, as appropriate, should include recommendations for improvement. These external assessments should cover the entire spectrum of audit and consulting work performed by the internal audit activity and should not be limited to assessing its QA&IP Standard 1312 ‐ External Assessments External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board ‐ the need for more frequent external ;assessments; and ‐ the qualifications and independence of the external reviewer or review team, including any potential conflict of interest.
The external assessment should consist of a broad scope of coverage that includes the following elements of the internal audit activity: o Compliance with the Standards, The IIA’s Code of Ethics, and the internal audit activity’s charters, plans, and policies and practice requirements as set out in this Manual. o Expectations of the internal audit activity expressed by the Centers’ boards, executive management, and operational managers, o Integration of the internal audit activity into the Centers’ governance process, including the attendant relationships between and among the key groups involved in that process, o Tools and techniques employed by the internal audit activity, o Mix of knowledge, experience, and disciplines within the staff, including staff focus on process improvement, and o Determination as to whether or not the audit activity adds value and improves the Centers’ operations. The CGIAR IAU’s first external quality assurance review, conducted by a two person team nominated by the IIA and the World Bank, was in 2004. The next such review is due by 2009. The CGIAR IAU 2008‐2010 business plan makes budget provision for this review in 2009. For the next (2009) review it will be desirable to include all CGIAR internal audit activity, whether carried out by the CGIAR IAU or self‐managing Center Internal Audit Units, in this review. The external quality assurance review Practice Advisory 1312‐1 External Assessments
would also desirably be combined with an external review of the overall strategy and organization and sustainability of the internal audit activities across the CGIAR Centers J‐1:8 Practice requirement: In order to keep the costs of external quality assurance low, avoid too onerous a process on what is a relatively small Internal Audit activity, and to promote the value of the internal quality assurance and improvement program, the format of self‐assessment with external validation will be alternated between full external reviews. Discussion: self‐assessment with external validation has the following features: o A comprehensive and fully documented self‐assessment process, which should emulate the external assessment process, at least with respect to evaluation of compliance with the Standards. o An independent on‐site validation by a qualified reviewer(s). o Economical time and resource requirements ‐ a sample of interviews may be made with senior and operating management and Audit Committee chairs in Centers may be made rather than attempting to cover all Centers • The annual internal qualify assurance review just prior to an external quality assurance review can be carried out as a self‐ assessment subject to validation by the external quality assurance reviewers. Practice Advisory 1312‐1 External Assessments Practice Advisory 1312‐2 External Assessments: Self‐Assessment with Independent Validation
J‐1:9 Practice Requirement: To ensure the independence of the external quality assurance review, the review will be commissioned by the CGIAR IA Consortium Board of Sponsors, the review team selected by them, and the reporting of results will be to this Board. Discussion: The Board of Sponsors provides administrative oversight of the CGIAR IAU and comprises representatives of the Centers and CGIAR Secretariat who receive services from the Unit. The Sponsors are nominated by the Directors General and the CGIAR Director in the case of the Secretariat representative. The report of the review will be addressed to the Board of Sponsors. J‐1:10 Practice Requirement: The preliminary results of the review shall be discussed with the CGIAR IAU Director, Associate Directors and other Center Heads of Internal Audit during and at the conclusion of the assessment process. Practice Advisory 1312‐1 External Assessments J‐1:11 Practice Requirement: The external quality assurance reviewers will prepare a draft report which will be reviewed by the Board of Sponsors and the CGIAR IAU Director, Associate Directors and other Center Heads of Internal Audit. The Board of Sponsors will formulate responses on the basis of the draft report and convey these back to the reviewers for incorporation in the final report. Discussion: The CGIAR IAU Director will review with the Board of Sponsors the proposed
responses to be provided to the external reviewers for incorporation in their final report J‐1:12 Practice Requirement: The external quality assurance report shall include the following: An opinion on the internal audit activity’s compliance with the Standards based on a structured rating process. The term compliance means that the practices of the internal audit activity, taken as a whole, satisfy the requirements of the Standards. Similarly, noncompliance means that the impact and severity of the deficiencies in the practices of the internal audit activity are so significant that they impair the internal audit activity’s ability to discharge its responsibilities. The degree of partial compliance with individual Standards, if relevant to the overall opinion, should also be expressed in the report on the independent assessment. An assessment and evaluation of the use of best practices, both those observed during the assessment and others potentially applicable to the activity. Recommendations for improvement, where appropriate. Unreconciled disagreements between the external review and the internal self‐ assessment being validated. Responses from the Board of Sponsors, as the commissioning entity, that include an action plan and implementation dates Practice Advisory 1312‐1 External Assessments Standard 1320 Reporting on the Quality Assurance and Improvement Program The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board. J‐1:13 Practice Requirement: The results of the external quality assurance review will be reported by the Head of Internal Audit to the Center’s Director General and to Standard 1320 ‐ Reporting on the Quality Program
the Audit Committee of the Board. Discussion: The report may be submitted specially or together with the next scheduled, periodic Internal Audit activity report. J‐1:14 Practice Requirement: Any instances of noncompliance that have been disclosed by a quality assessment (internal or external), which impair the internal audit activity ‘s ability to discharge its responsibilities: Should be adequately remedied, The remedial actions should be documented and reported to the relevant assessor(s), to obtain concurrence that the noncompliance has been adequately remedied, and The remedial actions and agreement of the relevant assessor(s) therewith should be reported to the Board of Sponsors and to Centers’ senior management and Audit Committees. PA1330‐1 ʺConducted in Accordance with the Standardsʺ J‐1:15 Practice Requirement: The Head of Internal Audit may report that the internal audit activity for the Center conforms with the Definition of Internal Auditing, the Code of Ethics and the International Standards for the Professional Practice of Internal Auditing provided that the results of the quality assurance and improvement program supports this statement. Discussion: • Such reporting may be made in the periodic internal audit activity reports and on internal audit websites, and in response to queries from external auditors or donor Standard 1321– Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.
organizations. • The internal audit activity must have been subject to external quality assurance review at least every five years and the most recent review must have results that support the statement. J.1:16 Practice Requirement: The Head of Internal Audit shall report non‐ conformance with the Definition of Internal Auditing, the Code of Ethics or the International Standards for the Professional Practice of Internal Auditing where this impacts on the overall scope or operation of the internal audit activity. Discussion: • Non‐conformance may be reported in periodic internal audit activity reports, special reports where events have intervened to create a situation of non‐ conformance, and in reports on the results of internal and external quality assurance reviews. Standard 1322– Disclosure of Nonconformance When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.