TOPIC 4 Establishment, Administration and Management of the Internal Audit Ac (IAA) Contents LEARNING UNIT 4: Establishment, administration and Management of the IAA 85 INTRODUCTION TO AND PURPOSE OF THE TOPIC The success or failure of many organisations lies in the effectiveness of its administration and management. The same applies to internal audit activities. How they are managed can influence their effectiveness. The purpose of this topic is to enable students to understand the techniques of administering and managing the IAA and to apply them in practice. S After you have studied this topic, you should be able to do the following: # Discuss the process and considerations that should be taken into account for establishing an IAA in an organisation, # Discuss and advise on the best practice of managing the internal audit activity (0, # Apply quality assurance requirements as per the IPPF to an IAA 96Establishment, administration and management of the IAA Contents 4.1 COMMUNICATION PROCESS, TOOLS AND TECHNIQUES 85 4.2. TYPES OF COMMUNICATION 90 4.1 ESTABLISHING THE IAA. Introduction The success or failure of an IAA largely depends on the process that is followed when the IAA is established. Given the fact that internal auditing is considered an integral part of corporate governance processes, the success of the IAA and the extent of value added by this function will have a significant bearing on the organisation's governance processes. Since internal audit, by definition, helps organisations accomplish their objectives, the success or failure of the IAA will also impact on the success of the organisation. In light of this, it is very important that due consideration is given to the establishment of an IAA within any organisation, Key stakeholders should form part of this process and the guidance provided in the IPPF should be followed closely. 97 ‘Au14861/SGAs a postgraduate student you should research more articles related to the topic to enhance your knowledge and understanding of the subject. audit execut Appointing acl 1 (CAE) The board of directors, with the assistance of the audit committee, must appoint the CAE. The CAE should report administratively to the CEO and functionally to the audit committee. The position of the CAE and the responsibilities of the CAE are discussed in the next part of this module, under Topic 4 ‘Steps to be followed by the CAE in establishing an1AA When establishing an IAA, it is advisable to follow a structured approach. The list of steps that follows, organised in a logical sequence, may be used as a guide and/or a checklist. We provide you with a brief description of the steps with reference to the related IPPF guidance. We expect you to elaborate further on each of the steps through your own research of textbooks, magazine articles and authoritative guidance such as the IPPF, King IV and applicable legislation. In doing this you will be able to compile your own guide, which you can use to prepare for the examinations, This guide will also serve as a handy reference when faced with the challenge of setting up an IAA. Please note that a thorough knowledge of each of the steps, the factors and considerations involved is necessary for you to be able to advise on the structure of any existing IAA step: The first and most important step is to discuss the establishment of the IAA with the governing body. The CAE should ensure that the governing body (e.g. the board of directors in a company or the executive authority in a government organisation) has a proper understanding of the nature and role of the IAA and that there is a proper working relationship in which independence and objectivity is emphasised, so that the CAE will have a free hand when setting up the IAA. The CAE should at this stage indicate that the IAA will be guided by the IPPF, including the Standards and Code of Ethics of the Institute of internal Auditors, sie Attribute Standard 1010, 1100, 1111 and Implementation Guide -1G 1110. 98‘Step2: Submit a full charter, in writing, to the governing body and/or the audit committee and clarify all the provisions contained init. This internal audit charter is also referred to as the mandate of the IAA. The internal audit charter is essential to ensure the proper functioning of the IAA and should be drafted with extreme care. The IAA's objectives, general approach and duties should be accurately and clearly portrayed in the charter and the contents of the charter should comply in all respects with the IPPF sit A Attribute Standard 1000 and Implementation Guide - IG 1000. wavy View the following examples of an internal audit charter for the IAA: https://elobal,thella.org/standards-guidance/public%20documents/modelcharter.pdf Step 3: Draw up a full report/terms of reference/job description in which you describe in detail the status, responsibilities and duties of the CAE and those of internal auditors at the levels of manager, supervisor and senior. This report/terms of reference/job description must be submitted to the governing body and/or the audit committee for formal approval. se -& Attribute Standard 1000 and Implementation Guide - IG 1000. Step 4: Conduct a full survey of the nature and scope of all organisational activities and the physical infrastructure of the whole organisation in order to estimate the extent of the work the IAA will have to perform. This estimation will also have to be cleared with the governing body and the audit committee in order to obtain their approval. ‘Step: Carry out short-term, medium-term and long-term planning of the audit work that will be done. This planning will have to be done in consultation with the external auditor. Obtain the audit committee's approval of this planning. The governing body andjor the audit committee and/or senior executive management should first be given the opportunity to submit urgent or ad hoc requests for audits. si “Performance Standard 2010 and Implementation Guide ~ IG 2010, 99 ‘Au4g61/SG‘Step 6: Determine the details of the auditing personnel component that will be able to deal with the workload in the initial/first year. sate & Performance Standard 2030, 2230 and Implementation Guides - IG 2030 and step7: Determine the physical infrastructure required to function properly as internal auditors, such as offices and equipment, and auditing software. ‘Steps: All available information should be used to draw up a full budget for the IAA; this budget should be approved by the governing body and the audit committee. se Performance Standard 2010 and Implementation Guide ~ 1G 2010. Steps: Compile a comprehensive internal audit manual that is adequate for managing all aspects of the IAA, a SERE A performance Standard 2040 and implementation Guide —16 2040-1 Read the recommended guidance by the IIA in establishing a new internal audit function, available at _https://na.thelia.org/standards-guidance/topics/pages/the- internal-audit-function.aspx ‘As a senior consultant at FixlT Consulting (Pty) Ltd, you have been asked by the management of Want 2 Know (Pty) Ltd to evaluate the effectiveness of the IAA. The IAA has been in existence for nine months. As a point of departure you thought it would be appropriate to find out how the internal audit department was established. In your discussion with the managing director (MD) of Want 2 Know (Pty) Ltd, he informed you that the IAA was established to ensure compliance with the King IV Report. He further stated that the establishment of the IAA would be announced at the next meeting of the Board of Directors. It also came to your attention that the internal audit undertakes only 100projects as instructed by the MD or chief financial officer (CFO), because the IAA does not have formal plans or guidelines and its role and responsibilities are not clearly defined anywhere. The IAA consists of six employees who have two computers and one printer, which is shared by the internal ausit staff. Based on the above information, you are required to critically evaluate the establishment of the current IAA against the suggested practices you have studied in this learning unit. > ‘Steps ‘Step 4: Ensure that the governing body (e.g, the board of directors in a company) has a proper understanding of the nature and role of the IAA. ‘Step 2: Submit a full charter in writing to the governing body andor the audit, committee and clear all the provisions it contains, Current devi From the scenario above, itis clear that the governing body, which is the Board of Directors, is not aware of the existence of the IAA, Therefore, the internal audit may not be effective as it may lack the support of the board or audit committee The internal audit does not have a charter. This isa clear contravention of the Standards and it may also make it very difficult for the IAA to effectively fulfil its responsibilities Step 3: Draw up a fulreport/termsof reference /job description in which you describe in detail the status, responsibilities and duties of he CAE and of internal auditors at the levels of ‘manager, supervisor and senior. Step 4: Conduct a full survey of the nature and scope of all organisational activities and the physical infrastructure of the whole organisation in order to estimate the extent of the work the IAA will have to perform. Step 5: Carry out short-term, medium- term and long-term planning of the audit, work that will be done, ‘Step 6: Work out the details of the personnel component that would be able to deal with the workload in the initialfirst year. ‘Step 7: The physical infrastructure required to conduct an audit, such as offices and equipment, should now be determined ‘Step 8: All available information should be used to draw up a full budget for the IAA and the budget should be approved by the 101 The IAA does not seem to have any formal document in which roles, responsibilities and duties are clearly stated. ‘At the moment the IAA\s taking instructions from both the MD and the CFO. The IAA does not have a clear indication of the nature and scope of its activities. From the scenario above, it does not appear as though the internal audit department has any short-term, medium-term and long-term plans. ‘There are currently six internal audit staff members, However, itis not clear how ‘management came to the decision to have sixemployees The staff members share two computers. This is aclear indication that there was no proper determination of physical infrastructure. This step could not have been followed as the governing body is not aware of the existence of the IAA, AUl4a61/S6governing body and the audit committee. ‘Step 9: Compile a comprehensive internal _| From the case above it appears that theres, audit manual that is adequate for currently no formal documentation guiding, ‘managing all aspects of the IAA. the internal audit processes. Therefore, there is no internal audit manual, Comment This activity illustrated the different steps to be followed in establishing an IAA. At post graduate level, you will also be required to advise on the proper actions to take according to the IPPF and best practices. This would require a detailed discussion of each of the steps. 4.2 ADMINISTRATION AND MANAGEMENT OF THE INTERNAL AUDIT ACTIVITY (IAA) ‘At undergraduate level you made a thorough study of this topic and gained knowledge, understanding and application skills; you should now revise this material thoroughly. Introduction Effective management of the IAA is essential if internal audit is to fulfil its role of helping the organisation to achieve its objectives. This responsibility lies in the hands of the chief audit executive (CAE). The CAE's ability, maturity and professionalism are vital to this accomplishment. Equally important is the CAE's perceived status within the organisation, which should be equivalent to other functional heads. Management of the IAA involves the four basic management functions: planning, controlling, organising and directing, Planning involves, among other activities, the setting of the vision, mission, objectives and goals of the IAA Controlling involves, among others, establishing standards based upon objectives, measuring and reporting performance, and taking corrective/preventive action where necessary. Organising involves, among others, a division of labour, delegation of authority, span of control and coordination, 102Directing involves, among others, motivating, communicating, performance appraisal, discipline and conflict resolution. The IPPF provides guidance on how each of these functions should be performed within the IAA. see Internal Auditing: An introduction, Chapter 5: Section 5.4.1. Key responsibilities of the chief audit executive (CAE) regarding the management of the IAA AEs appointed in organisations are charged with the overall management responsibility for the IAA. The appointment of the CAE is the responsibility of the audit committee of the board of directors. The CAE should have a dual reporting responsibility, reporting administratively to the chief executive officer (CEO) and functionally to the audit committee. The purpose and authority of the IAA should be defined in the internal audit charter. As discussed in learning unit 3.1, the following are some of the responsibilities that the CAE will be expected to discharge when setting upan IAA: (2) Aligning 1AA objectives with an organisation's objectives The CAE is expected to ensure that the objectives of the IAA are fully consistent with those of the organisation. In this way, the CAE will be ensuring that the IAA is relevant to the organisation and working towards the achievement of the overall organisational objectives. The IAA cannot afford to find itself having conflicting objectives with the overall objectives of the organisation. If the IAA is to be taken seriously by management, it should be viewed to be contributing to the overall achievement of the organisation's objectives. (2) Developing the internal audit charter The CAE should prepare an internal audit charter which sets out the scope, reporting lines and status of the IAA. As discussed in learning unit 3.1, this charter should be approved by the audit committee and/or board of directors and it should be communicated to management in order to ‘manage the different expectations from management as to what the IAAis expected to do. sie 103 AUI4861/SGStudy Attribute Standard 1000, Performance Standard 2040, Implementation Guides 1G 1000 & 1G 2040 (3) Developing an internal audit manual The CAE should develop the internal audit manual, which sets out the required standards of performance and the audit processes. This manual can also be used as a means of monitoring guality of audit performance. According to Spencer Pickett (2010:564), documenting management's decisions on how the audit function will be managed and performed will be reflected in the manual and will form the basis for a strategic review. The auditing manual should also include policies and procedures that will help the internal auditors in carrying out their work. (4) Continuous responsibilities ofthe CAE involve the following: a. Planning The CAE has to plan the activities of the IAA and also the individual internal audit engagements. Se «Performance Standard 2010, Implementation Guide -1G 2010 b. Audit risk assessment The prime responsibility for assessing and managing risk lies with top management of the organisation and is delivered through the actions of executive managers. The risk assessment referred to here is in connection with the internal audit planning, but if internal audit has been involved with risk assessment on behalf of the board, there can be one risk assessment for all purposes. Although it is the responsibility of management to manage risks and the assessment thereof, it is equally important for the CAE to understand the risk management process. In some instances, the CAE assists management (through a consulting service) to identify and assess risks. Organisational risk assessment is critical to IAA as it feeds into the IAA's planning processes - especially in organisations that follow a risk-based audit approach. ¢. Staff and resource management 104The CAE should ensure that internal audit staff are being taken care of and are well managed Effective management of internal audit staff can result in an effective IAA, which is highly regarded within an organisation. The success of an IAA is based on the quality and motivation of its staff. Itis, for the CAE to establish an organisation that recognises and deals with these important aspects. soe Performance Standard 2030 and Implementation Guide 2030 d. Training and development The CAE should ensure that the IAA is equipped with skilled and sufficiently trained internal auditors. Training of internal auditors should be based on the needs of individual internal auditors, the requirements of the internal audit plan and the internal audit products or service to be delivered. When appointing and developing internal audit staff, the CAE should ensure that his, staff component has sufficient understanding of management principles, business risks and business processes, that they understand the essentials of accounting, law, taxation and finance, and that all auditors are computer literate. see & = Attribute Standard 1200 and Implementation Guide 1200 e. Performance management For the IAA to be effective there should be systems and processes in place to identify poor performance and to manage and improve performance. The CAE is responsible for the IAA's, performance management. soe Attribute Standard 1300, 1310, 1311, 1312 and Implementation Guides IG 1300, 1310, 1311, 1312, 1312 f. Coordination with external auditors and other assurance providers Itis common for external auditors to have full access to internal audit reports, which enables them to take note of relatively strong and weak areas of control when setting the scope of the external audit, External auditors should also share the results of their work with internal audit, Mutual reliance on each other's work enables more effective use of total audit resources. The CAE should ensure, jointly with the external auditor or other assurance providers such as quality auditors and safety inspectors, that the internal audit and other assurance provider's work is property coordinated to achieve the best coverage and avoid duplication. These arrangements are usually agreed upon with, and reviewed by the audit committee / board of directors. 105 AUI4861/SG‘An organisation's stakeholders are seeking assurance that the organisation is running well, and that effective controls are in place and operating properly. internal audit has an important role to play in providing assurance to these stakeholders, but the trick is how to report the results of his or her work to them effectively. King Il, and recently King IV, specifically recommends that internal auditors and other assurance providers should provide combined assurance to the organisation. Combined assurance was covered in learning unit 2.2.2.2, therefore here we will ust focus on the CAE's responsibility regarding combined assurance. Coordinated assurance involves integrating, coordinating and aligning the risk management and assurance processes within an organisation to optimise and maximise the level of risk, governance, and control oversight over the organisation's landscape. The right amount of assurance depends on the risk appetite of the company. Guidance on risk appetite should be sought from the board through the audit and risk committee. Management, internal assurance providers (such as internal audit) and external assurance providers (such as external audit) are role players in providing assurance to the board regarding risks in an enterprise. Acombined assurance model effectively coordinates the efforts of management and internal and external assurance providers, increases their collaboration, and develops a shared and more holistic view of the organisation's risk profile. A combined assurance model aims to be the antidote to “assurance fatigue”, which can result from an uncoordinated assurance approach Itis therefore eritical for the CAE to coordinate his effort with other assurance providers. The Performance Standards 2050 specifically directs how the CAE should coordinate with other assurance providers, which would enable an ideal approach to combined assurance. The Practice Guide: Coordinating Risk Management and Assurance provides more evidence on coordination. wm Read the lIA's recommended guidance - Practice Guide: Coordination and Reliance: Developing an Assurance Map. This Practice Guide provides guidance on how assurance maps can be used to represent the organisation's risk coverage and assist in identifying, assurance gaps and overlaps. g Corporate social responsibility (CSR) 106The IAA has a responsibility towards CSR. In learning unit 2.2.2.3, we delved into the CSR topic. Now, we will discuss how organisations and their respective internal audit activities are responding to the challenge of “sustainable development, which meets the needs of the present without compromising the ability of future generations, to meet their own needs Here, we focus on the content of CSR with particular emphasis on the involvement of the internal, audit activity. Since the CAE is the head of the IAA, he will have to ensure that the IAA fulfils its responsibilities. However, in order to comprehend the involvement of an effective IAA in this rather vague and contentious area, it is necessary to appreciate the evolution and nature of the CSR discourse. Only once this has been achieved, can we even begin to consider the assurance tools and techniques available to internal auditors, as well as the challenges faced, Internal audit's role in CSR Since King IV, principle 9.3 requires sustainability reporting and disclosures to be independently assured, and since Attribute Standard 1100 (Independence and Objectivity) requires the IAA to be independent by having the IAA perform this CSR assurance function, the requirement will be met. Despite the assurance provided by the IAA usually being directed at internal audiences, it may not be necessary to utilise external assurors. Moreover, the role of internal audit in CSR is also considered in IPPF - Practice Guide "Evaluating Corporate Social Responsibilty/Sustainable Development” issued in February 2010 by the Institute of Internal Auditors (IA). One of the fundamental reasons for internal audit to incorporate CSR audits into its audit plan relates to organisational risk management. One of the fundamental reasons for internal audit to incorporate CSR audits into its audit plan relates to organisational risk management. In this regard, the following King IV principles are particularly relevant: Principle 15.58 requires the board to monitor that internal audit follows an approved risk- based internal audit plan. > Principle 15.59 requires internal audit to provide an overall statement annual as to the effectiveness of the company's system of internal controls and risk management, Moreover, the following Standards specifically require the IAA to consider risk in its processes (which by implication should include matters pertaining to sustainability, as explained earlier and discussed in the BP example provided). ‘© Standard 1220.83 requires internal auditors to be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified, + Standard 2010 requires the chief audit executive to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation's goals. 107 AUI4861/SGStandard 2060 requires the chief audit executive to report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan and on its conformance with the Code of Ethics and the Standards. Reporting must also include significant risk and control issues, including fraud risks, governance issues, and other matters that require the attention of senior management and/or the board, Standard 2100 requires the internal audit activity to evaluate and contribute to the improvement of the organisation's governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact. Standard 2120 requires the internal audit activity to evaluate the effectiveness and contribute to the improvement of risk management processes. Standard 2120.Al requires the internal audit activity to evaluate risk exposures relating to the organisation's governance, operations, and information systems regarding the: © achievement of the organisation's strategic objectives © reliability and integrity of financial and operational information; © effectiveness and efficiency of operations and programmes; safeguarding of assets; and compliance with laws, regulations, policies, procedures, and contracts. Standard 2130.A1 requires the internal audit activity to evaluate the adequacy and effectiveness of controls in responding to risks within the organisation's governance, ‘operations, and information systems regarding the: © achievement of the organisation's strategic objectives; © reliability and integrity of financial and operational information; effectiveness and efficiency of operations and programmes; safeguarding of assets; and compliance with laws, regulations, policies, procedures, and contracts. ‘Standard 2201 requires internal auditors to consider the followingin planning the engagement: 108,The strategies and objectives ofthe activity being reviewed and the means by which the activity controls its performance; © The significant risks to the its activty's objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level; © Theadequacy and effectiveness of the activity's governance, risk management, and control processes compared to a relevant framework or model; © The opportunities for making significant improvements to the activity's governance, risk management, and control processes. + Standard 2210.A1 requires internal auditors to conduct a preliminary assessment of the risks relevanttto the activity under review. The above extracts from King IV and the International Standards for the Professional Practice of Internal Auditing identifies a clear role for internal audit to be involved in the provision of sustainability assurance. This view is supported by Sawyer et al, who suggest that by evaluating the internal control environment, internal audit reviews compliance with legislation and regulations, determining propriety of social and environmental issues, and ensuring proper disclosure. At the same time, internal audit should ensure that the CSR risks are effectively mitigated, that CSR operations are efficient and effective, and that CSR decisions are based on factual information. inthis regard, the audit customer includes: + the client - the organisation whose functions will be enhanced by the results of the audit; and + management - requiring intelligence on the operations for which itis accountable. In a recent review of the annual reports of JSE listed companies, it was interesting to note comments that the IAA has reviewed or audited the CSR disclosures. In one case a comprehensive assurance report (similar to that issued by external assurers) was included (despite internal audit reports usually targeting internal users) Benefits of a CSR internal audit While management may not be enthusiastic about CSR auditing, if properly performed, the audit should provide the following benefits: ‘+ Assisting with legislative and regulatory compliance. ‘+ Identification of potential problem areas that could result in substantial remediation costs and penalties, as well as the avoidance of litigation against the organisation, ‘+ Improving the image of the organisation by stakeholders due to compliance with legal and regulatory requirements and the adoption of ethical business practices ‘+ Improving the relationship with regulatory authorities due to effective self-regulation, 109 AUl4861/SGway ‘The A's recommended guidance: Practice Guide “Evaluating Corporate Social Responsibility/Sustainable Development. h. Quality assurance x Quality assurance as an integral part of the responsibility of the CAE of the IAA has comprehensively been dealt in your undergraduate studies and you should revise this work thoroughly, Quality assurance and quality services have become a part of the business and professional world, and the internal auditing profession has correspondingly not been able to avoid it. The quality assurance and improvement program of the INA is covered in the internal auditing standards. In view of the Standards regarding the quality assurance and improvement program, there can be ‘no doubt regarding their importance. Adequate and continuous attention to quality assurance and reporting to a higher authority are enforced. The management concept of total quality management (TQM) is Inherent in all aspects of the management of the IAA and individual audit tasks as previously discussed. The main task of the IAA is quality promotion in the broadest sense of the word and it is therefore logical that its own activities should comply with these requirements. The management of the IAA should therefore formally introduce this concept (TQM) to the IAA and promote the elements of TQM amongiits staff. Se “Attribute Standard 1300, 1310, 1313, 1312 and Implementation Guides - 161300, 1310, 1311 1312, 192 k ‘The audit committee has decided to change the structure of your IAA. Currently, the JAA consists of the chief audit executive (CAE) and two internal auditors, who are all situated at the head office. The CAE is involved in the daily performance of individual audit engagements. 10The audit committee has decided to appoint three other internal auditors to relieve the CAE of supervisory duties and enable him to spend most of his time on strategic issues. The CAE will now have more time to manage the IAA effectively. With reference to the IPF, you are required to indicate the CAE's responsibility with regard to the planning of the IAA, Discuss the requirements of the Standards and Implementation Guides with regard to resource management that should be kept in mind when appointing the three additional staff members. Resource management ‘The CAE should ensure that internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved plan, The internal audit staff should possess all the different skills, knowledge and competencies. Internal auditors should be selected on qualifications and competencies regarding the areas being audited and cannot be placed in a position without considering the evaluation of the nature and complexity of the engagement assignment, time constraints and available resources. ‘Training needs of internal auditors should be considered since each engagement serves asa basis for meeting developmental needs of the IAA. Consideration should be given to the use of external resources in instances where additional knowledge, skills, and other competencies are needed. You have recently been appointed as the CAE at Mpumalanga Shared Audit Services, which provides a centralised internal audit function to the various provincial government departments. During your familiarisation programme, you meet with the audit committee and senior management. At these meetings, you realise that no quality assurance reviews have been done. Upon enquiry, senior management advised you that due to resource constraints and the urgent need for the IAA to maximise its audit coverage, the previous CAE — in consultation with the audit committee - decided that it ‘was not a priority to establish a system for quality assurance. Required un AUl4861/SGWith reference to relevant legislation, regulations and standards, discuss the quality assurance requirements for internal audit. * Comment on the decision of the previous CAE and discuss the possible barriers and constraints that may have impacted on the CA€'s decision not to implement @ quality assurance programme. Discuss the benefits of implementing a quality assurance programme. * Outline the process to be followed in implementing quality assurance within your internal audit programme. ‘The quality assurance requirements for internal audit * Attribute Standard 1300 requires the CAE to develop and maintain a quality assurance and improvement programme that covers all aspects of the IAA and continuously monitors its effectiveness. The programme should be designed to help the IAA add value and improve the organisation's operations and to provide assurance that the IAA complies with the Standards and the Code of Ethics. Attribute Standard 1310 requires the quality assurance and improvement program to include both internal and external assessments. Attribute Standard 1311 requires internal assessments to include: © ongoing monitoring of the performance of the IAA; and © periodic reviews performed through self-assessment or by other persons within the organisation with sufficient knowledge of internal audit practices. Attribute Standard 1312 requires external assessments to be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organisation. The chief audit executive must discuss with the board: © The form and frequency of external assessments; and © The qualifications and independence of the external reviewer or review team, including any potential conflict of interest. Attribute Standard 1320 requires the CAE to communicate the results of the quality assurance and improvement program to senior management and the board, ‘© Attribute Standard 1321 allows the CAE to state that the IAA conforms with the International Standards for the Professional Practice of Internal Auditing, only ifthe results of the quality assurance and improvement program support this statement. Attribute Standard 1322 - when non-conformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or 2operation _of the IAA, the chief audit executive must disclose the non- conformance and the impact to senior management and the board, * Compliance with the IIA Standards is mandatory for any IAA, irrespective of whether they are members of the II. ‘The decision of the previous CAE and the possible barriers and constraints that may have impacted on the CAE's decision not to implement a quality assurance programme + Effective quality assurance (QA) does not come without a great deal of work and commitment. Barriers and constraints that act against the successful implementation of formal quality systems represent major obstacles. Quality is a concept whereas quality assurance is a collection of well-planned management systems that take time and effort to apply. QA consolidates and stimulates the formal auditing procedures that underpin quality initiatives, resulting in continuous improvements. Continuous improvements result from feedback loops that discover why things go wrong, with the intention of fixing controllable problems. Barriers to good quality include the following: ©The CAE and the audit committee are not aware of the requirement of the standards for the CAE to implement a quality assurance programme. © Theresa failure to recognise and understand the importance of QA systems. © QA must be driven from the top and will not be effective when audit management is not perceived to be an important part of the commitment to, good service, © Poor management information systems fail to provide feedback on performance targets. QA thrives on information because standards - once established - must be used to measure the efficiency of operations and services. Proper QA systems should be based on guiding the way resources are deployed to minimise the incidence of defects © There is a redundant audit manual that is unable to act as the vehicle for defining and using audit procedures. A quality manual provides the framework for QA as a way of defining formal procedures. Where this is not in place, one must first change the audit culture before the required documentation may be installed. © AAs that have failed to adopt good change management techniques imply that new procedures become difficult to implement. A comprehensive QA programme requires internal audit to assume a position of excellence whenever possible, © There is no formal strategy, which results in a lack of direction. To be of any use, quality systems must be aligned to the current strategy. © There is a lack of human resource management practices such as formal training programmes, leaving staff to sink or swim. Management cannot insist on quality ifthey have not established support systems to underpin this. us AUI4861/SGventure. In this way, both auditors and audit management express a commitment to quality service. © There is a failure to appreciate the need for client-based systems that enable service recipients to specify their needs and expectations in respect of internal audit services. The reconciliation of independence and client needs should be undertaken with due regard for the need to formulate a model of audit service that duly takes cognisance of both factors Benefits of implementing a quality assurance program * The Mpumalanga government is required by the PFMA and its regulations to ensure that its IAAs comply with the provisions of the Standards. Moreover, IAAs are increasingly under pressure to provide value. Itis necessary to provide assurance - to senior management and the board - that the IAA comprises. an informed, experienced and objective team of well-qualified individuals. © Aquality assurance review evaluates the degree to which the IAA conforms to the Standards and its own charter, plans, policies, procedures and systems, and the extent to which it meets the needs of its customers. ‘* Itprovides information on the following: deviations in performance from acknowledged best practices (1) for internal auditing, from the Standards (1) and from the internally prescribed internal audit procedures the effectiveness of the operation of the IAA as perceived by the IAA's members and customers, as measured against their expectations © the extent of integration of the concepts of business controls into internal audit practice ‘© the extent to which the IAA is integrated into the organisation's fabric © the extent to which the IAA adds value to the organisation by providing insights into efficiency and effectiveness (© the optimisation of internal staff performance © the effectiveness of communication with staff and company personnel (© the development of internal audit staff, both personally and professionally © the use of technology to increase efficiency and effectiveness © the effectiveness of ongoing quality assurance programmes © the tools and techniques deployed © the extent of compliance with the charter, plans, policies, procedures and legal requirements © the extent to which internal audit adds value to the organisation recommended improvements to audit processes and practices ‘opening up the channels of communication between the board, the audit ‘committee, management and the internal auditors Quality assurance process aaThe CAE should maintain a quality assurance and improvement programme covering all aspects of the IAA and continually monitor its effectiveness. The purpose is to assist internal audit to add value and improve the organisation's operations and provide assurance regarding the IAA’s conformance with the Standards and Code of Ethics. A. To comply with IIA Standard 1310, a quality assurance review must follow a standardised and professional approach, taking a five-stage process into account. 5, Planning and preparation As part of the planning and preparation process, the quality assurance review team reviews the latest quality standards and internal audit best Practices as established by the IIA. The team usually plans its initial stakeholder meetings and prepares its information requests for the internal audit department. Determining the customer's needs This involves assessing management's commitment to and support of the IAA. This is achieved by obtaining comments and observations from its customers, including management, the audit committee and auditees. Without understanding the needs and wants of the internal audit's stakeholders, it is impossible to evaluate the quality of the IAA's service delivery. Analysing the internal audit process In order to evaluate the process against the Standards, the quality assurance review team requires a comprehensive understanding of the internal audit process in the organisation. Critical internal audit processes are generally taken to include © developing the overall audit plan © planning individual audits © conducting the audit programme © communicating the results © following up ‘Communicating the results of the review The aim is to communicate the results of the review to management and the audit committee in a manner that meets their requirements. The report should provide clarity on the overall conclusions, significant points and items requiring action, highlighting in particular, which standards were achieved and noting any deficiencies detected. In addition, an action plan should be included, listing the dates for remedial action and the allocation of responsibilities, Ongoing improvement us AUI4861/SG‘Ongoing quality improvement should focus on the overall objective of the audit process, namely, achieving maximum customer satisfaction. In this regard, it should evaluate the extent to which stakeholder expectations are being met. B. —_ThellA (Quality Assessment Manual, 6th edition:16) identifies the QA objectives as being, to © assess the efficiency and effectiveness of the IAA ‘© identify opportunities forimproving the performance of the IAR © express an opinion on internal audit's conformance with the Standards It proposes the following 12-point process to ensure a value-added process: 1. Select and train the QA team, 2. Review the self-study. 3. Make a preliminary visit to the organisation to gather additional information, add detail to the work plan, select and schedule interviews and prepare for the on-site visit. Use customer surveys for guidance during interviews and examination of documentation Perform on-site work. 6. Interview selected members of the board, executive management, operating managers and internal audit staf. 7. Consider other monitoring activities that may not be included in the IAA. 8 Evaluate the internal audit's conformance with the Standards. 9. Review quality/process improvement actions under way and planned against established best practice. 10. Provide a summary of issues and recommendations and hold a closing conference with the CAE or other interested parties (e.g. the audit committee) 11. Draft a report, obtain comments and responses to the recommendations, andissue a final report 12. Hold a follow-up executive conference (optional) Do the MCQs on the Self-Assessments tab on myUnisa In this topic you have learned the steps that need to be followed in establishing an IAA, and the role of the CAE in managing the IAA. This role includes ensuring alignment of the 1sIAA objectives to the objectives of the organisation, development of an internal audit charter, development of the internal audit manual, planning, audit risk assessment, staff and resource management, training and development, performance management, coordination with external audit and other assurance providers, and quality assurance. Allof the above key areas are significant to ensuring that the IAA delivers on its mandate of assisting the organisation to achieve its objectives. After you have studied this topic, you should be able to do the following: + discuss the process and considerations that should be taken into account for establishing an IAA in an organisation. + discuss and advise on the best practice of managing the internal audit activity (IAA). + apply quality assurance requirements as per the IPPF to an IAA, Make your own notes here: TOPICS ur AUI4861/SG