Driving Changes from Quality Assurance Reviews: How to Transform Your Department

Driving Changes from Quality
Assurance Reviews:
How to Transform Your Department
from a Pinto to a Porsche
Texas Association of College and University
Auditors
March 6, 2014
Objectives
 Identify Standards and Practice Advisories related to a Quality
Assurance and Improvement Program.
 Recognize the benefits associated with a QAIP that help
create value and buy-in from management for your
organization.
 Enhance the internal audit department’s operations.
 Learn the best practices of the most mature audit groups.
 Position your audit group to an outstanding quality assurance
review.
A little about Toni…
A little about Polly…
Questions for the Audience
• Who has actually performed a QAR?
• Who has participated in a QAR of your own?
• How many of scared of QARs?
What is Quality?
“The standard of something as measured
against other things of a similar kind; the degree
of excellence of something”
YMMV!
1300: The CAE is REQUIRED to develop and
maintain a Quality Assurance and
Improvement Program (QAIP)
“designed to enable an evaluation of the internal
audit activity’s conformance with the Definition
of Internal Auditing and the Standards and an
evaluation of whether internal auditors apply
the Code of Ethics.
The program also assesses the efficiency and
effectiveness of the internal audit activity and
identifies opportunities for improvement.”
But…it’s not just the CAE is it?
Other Guidance
Practice Advisory 1310
• To provide accountability and
transparency, the CAE
communicates the results of
external and, as appropriate,
internal quality program
assessments to the various
stakeholders of the activity
(such as senior management,
the board, and external
auditors).
• At least annually, the CAE
reports to senior management
and the board on the quality
program efforts and results.
1311: Internal Assessments
Ongoing Monitoring
1311: Internal Assessments
Periodic Self-assessments
1312: External Assessments
• Once every 5 years by qualified, independent
assessor or team from outside the
organization.
– Full external assessment
• Peer review
• External Assessor
– Self-assessment with independent external
validation
• Practice Advisories 1312-2, -3, -4
Texas Internal Auditing Act
What Happens During an External
QAR?
• Planning
• Surveys
Planning • Interviews
Fieldwork
• Review of Working Papers
• Review of Documents
• Draft Report
• Exit Conference
Reporting • Report Issued
What Kinds of Things Will They Focus
On Besides the Standards?
Strategies
Technology
Processes
Structure
People
Benefits of a QAIP?
•
•
•
•
•
•
Enhancements to operations
Benchmarking
Humbling
Credibility
Resources
You get to say, “conforms with the International
Standards for the Professional Practice of Internal
Auditing,” in your internal audit charter or reports
• You get a refresher course on the Standards!
• You’re an auditor – that’s what we do!
Common External QA Findings
• Update IA charter on annual basis
• Reporting/independence issues
• Staff knowledge, skills,
competencies lacking to perform
job responsibilities.
• IT audits, including staff
experience
• No performance metrics
• Set up formal QAIP
• Risk assessment
• Audit universe not identified
• Policies and procedures
• Timeliness of report issuance
•
•
•
•
•
•
Audit Committee Charters
No governance audits
Lack of alignment with strategy
Consulting not in charter
Limited budget vs. expectations
Unclear expectations from the
Audit Committee
• Internal Audit not regarded as an
agent of change
Management of the Audit Department
6%
5%
Technology
5% 2%
23%
Communicating Results & Follow-Up
8%
Annual Audit Plan & Risk Assessment
9%
17%
Audit Committee
Engagement Audit Plan & Risk Assessment
12%
13%
Code of Ethics
Charter
Policies and Procedures
QAIP
Are We There Yet?
How do we get there?
Quality is never an
accident. It is always the
result of intelligent effort.
John Ruskin
1819-1900
poet, writer, social thinker
Foundation for Quality
• Reporting relationships
– INDEPENDENCE
• Commitment to quality
– Do you have a statement?
• Charters
• Audit committee & senior
management
– Have you engaged them?
• Monitoring for
effectiveness - QAIP
Key Components of Quality
• Policy on quality assurance
• Internal Audit
policies/manual
• Engagement supervision
• Working paper reviews
• Engagement performance
measures
• Independence and Code of
Ethics compliance
• Report writing procedures
• Client surveys/evaluations
• Self-assessments
• Training
• Peer Reviews  External
Assessment
• Risk assessment drives
plans – annual and
engagement level
• Engagement of audit
committee and senior
management
• Performance metrics
Performance Metrics: UT Dallas
Quality
Effectiveness
Efficiency
Sustainability
Management
% of
recommendations
implemented on
time
Client perception
surveys –
response rate and
“good” responses
% audit plan
completed
Direct audit labor
cost as % of total
budget
% of professional
staff certified as
CPA, CIA, CISA, or
CFE
Audit committee
surveys
Institutional riskbased audits as a
% of audit plan
Direct audit time
as % of total time
Total type of
certifications
(includes others –
CISSP, CRMA,
CFAP, CMA, CISM,
CGAP, etc.)
Development as a
% of total time
Administrative
time as a % of
total time
Performance Metrics
IIA’s Global Internal Audit Survey – Measuring
Internal Audit’s Value (2010):
• % of the audit plan completed
• acceptance and implementation of
recommendations
• surveys/feedback from
– the board/audit committee/senior management
– audited departments
• assurance of sound risk management
• reliance by external auditors on the internal audit
activity
Overall
Maturity
Level
Optimized
Managed
Defined
Repeatable
Initial
Policy
Methodology and
Process
Systems &
Information
Communication
& Reporting
People
Continuous
monitoring and
updating for
necessary changes
and emerging leading
practices
Continuous
monitoring and
updating for
necessary changes
and emerging leading
practices
SMEs identified and
used; training and
development
monitored; robust
succession planning
in place
Extensive use of
data mining and
analytics;
continuous audit
and monitoring
processes in place
driving value
Communications
and reporting highly
effective; high level
of quality
demonstrated in
timely reports
Policies are
communicated to
personnel and
training occurs as
necessary
Methodology and
processes are
communicated to
personnel and
training occurs as
necessary
All resources have
appropriate skills
and credentials;
targeted training
and development in
place
Data integrity is
high; automated
reports are reliable;
key data is
monitored
continuously
Communication and
reporting highly
effective; quality
and timeliness
metrics defined and
monitored
Policies are defined,
in place, and
documented
Uniform methodology
and processes are
defined, in place, and
documented
Appropriate skills
and credentials in
place; training
requirements
documented and
executed
Stable systems in
place; information
generated is reliable
and relied upon
Communication and
reporting processes
are defined, in
place, and
documented;
effective us of
reporting templates
Policies are defined
and in place but may
not be documented
Uniform methodology
and processes are
defined and in place
but may not be
documented
Some specialized
technical skills and
credentials; training
and development
defined but may not
be documented
Fairly effective
systems are in place;
low reliance on data
and information
generated from
systems
Communication and
reporting processes
are defined and in
place but may not
be documented
Policies are not
defined or in place
Methodology and
processes are not
defined or in place
Resource skills and
credentials do not
match process
requirements;
training programs
not defined
High reliance on
manual systems and
spreadsheets;
critical information
not readily available
Communication and
reporting done on
an ad hoc basis; no
validation of results
or focus on quality
IIA Internal Audit Process Maturity - QAIP
Success Stories
• New ideas for improved internal
operations—follow up processes,
review processes, and
opportunities to balance workload.
• An opportunity for the audit team
to feel like they are contributing to
the success of the audit function.
• An opportunity to validate that
your audit shop is doing the right
things.
• An opportunity for stakeholders to
share information which they may
not have shared otherwise so that
the audit team can enhance
stakeholder relationships.
• Effectiveness and efficiency of the
coordination between audit and
compliance groups.
• Define the role of audit in advising
management .
• Develop a formal succession plan
• Validation of the initiatives we
lead or participate in as valuable
contributions to the organization’s
goals.
• Job title from Director to CAE
• Hot topics from benchmarking, best
practices
• Good heads-up for governing boards to
remind them of their oversight
responsibility of the IA function
• Evaluation for CAE
• Independence from the
VPBA’s role in approving all
audit report responses
• Additional funding for
training
• Establishment of an IT
Audit Function
• Participation in the
President’s Cabinet
• Audit measuring our compliance
program against the Federal
Sentencing Guidelines to open a
discussion with the board of
regents about compliance issues
• Individual briefings for regents in
advance of audit committee
meetings, thus strengthening
relationships between audit and
the board
• Focusing our follow-up reporting
to the board on the most
significant issues vs. all issues
• Increasing our efficiency by
eliminating second review on
low risk audits
Other Success Stories to Share?
Are you ready to be a
Porsche?
Contact Information & Resources
The IIA
Find us at www.utdallas.edu/audit-compliance
Polly Atchsion, CPA, CIA
UT Dallas
Audit Manager
pea140130@utdallas.edu
972-883-2240
Toni Stephens, CPA, CIA, CRMA
Executive Director of Audit &
Compliance, UT Dallas
tstephens@utdallas.edu
972-883-4876