QAR – Two Alternate Paths to Accomplish the External Assessment

IIA Puget Sound Chapter Luncheon, April 2015

Tom Taylor – Mutual of Enumclaw, ttaylor@mutualofenumclaw.com

Annette Mumford – HomeStreet Bank, annette.mumford@homestreet.com

Page 2: Agenda

Overview of the QAR standards

Full external assessment – HomeStreet Bank
◦ Approach
◦ Scope
◦ Preparation
◦ Deliverables
◦ Pros/Cons/Rewards/Challenges

Self-Assessment with independent external validation – Mutual of Enumclaw
◦ Approach
◦ Considerations
◦ Stakeholders
◦ Challenges
◦ Pros

Reviewer qualifications

Work program

Recommended Steps

Page 3: Audience Survey

1. Does your audit function report to the Audit Committee (AC)?

2. How many CAEs here have educated their ACs on Standards and the QAR process?

3. How many have had a QAR of their audit department?

4. Who is preparing for or planning on doing this?

5. Who has received training or received the accreditation as an independent assessor or validator?

Page 4: Quality Assurance Requirements

QAR required under the IPPF

Standards are mandatory for auditors who are CIAs or members of the institute

An external review once every five years

Page 5: International Professional Practice Standards

# 1300 – Quality Assurance and Improvement Program

The CAE is responsible for developing and maintaining a quality assurance and improvement program

Covers all aspects of the internal audit activity and continuously monitors its effectiveness

Provides assurance of conformity with IIA Standards and Code of Ethics

Assesses efficiency and effectiveness

Page 6: International Professional Practice Standards

# 1310 – Quality Program Assessments

Process to monitor and assess the overall effectiveness of the quality program. Includes both:
◦ #1311 - Internal Assessments
◦ #1312 - External Assessments

# 1320 – Reporting on the Quality Program

The CAE reports the results of the assessments to the board and senior management.

Page 7: International Professional Practice Standards

# 1321 – Use of “Conforms with International Standards for the Professional Practice of Internal Auditing”

Not required language, but if used, must have an assessment that demonstrates compliance with the Standards.

# 1322 – Disclosure of Noncompliance

To senior management and board if noncompliance with the Standards impacts overall scope or operation of the internal audit activity.

Page 8: International Professional Practice Standards

# 1312 – External Assessments

External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

Page 9: Practice Advisories

Additional Guidance

1300-1 Quality Assurance and Improvement Program – January 2009

1310-1 Requirements of the Quality Assurance and Improvement Program – January 2009

1311-1 Internal Assessments – January 2009

1312-1 External Assessments – January 2009

1312-2 External Assessments: Self-Assessment with Independent Validation – January 2009

1312-3 Independence of External Assessment Team in the Private Sector – June 2011

1312-4 Independence of the External Assessment Team in the Public Sector – June 2011

1321-1 Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing” – January 2009

Page 10: External Assessments – What, Who, How Long

HomeStreet Approach

What: Engaged a third party for an independent assessment of compliance with IIA Standards and use of best practices

Who: We used the IIA. Services can be provided by accounting firms, IA Services firms, IIA, independent consultants, NALGA Peer Review (government).

How Long: Approximately 3 months start to finish. On-site work completed in 1 week.

Page 11: External Assessments – Scope of Work

HomeStreet – Approach

Compliance with IIA Standards and Code of Ethics.

Use of best/leading practices

Expectations of IA’s stakeholders – interviews and surveys.

IA’s Charter, plans, policies, procedures, practices, including QA program.

Any regulatory requirements.

IA’s reports to management and the AC.

Integration of IA into organization’s corporate governance and risk management processes.

Page 12: External Assessments – Scope of Work – (Continued)

HomeStreet Approach

Audit universe, risk assessment, annual audit planning

Staff credentials and experience. Staff development.

Information technology

Evaluation of IA’s use of best practices/value added

Workpaper review

Page 13: External Assessments – Preparation

HomeStreet - Approach

Long Lead Time Items:

At least one year before, establish internal QAR processes – ongoing and periodic.

Well in advance, perform a self-assessment against the standards to gauge preparedness. (Remediate if needed/Report Gaps.)

Discuss QAR standards and your plans with the Audit Committee and other key stakeholders

Page 14: External Assessments – Preparation

HomeStreet – Approach

Engagement Specific Prep:

Review bios/resumes of QAR team to ensure they have the right experience. These individuals will meet with your AC Chair, Senior managers, etc. Needs to be a good fit.

Respond to the QAR team’s requests for information (complete questionnaires, assemble documentation, etc.)

Communicate internally with the Audit Committee, members of management, and the internal audit team on the process, timing, etc.

Page 15: External Assessments – Project Deliverables

HomeStreet Approach

Report issued that includes:

Opinion on compliance to the Standards.
◦ Best Rating - “Generally Conforms”

Assessment and evaluation of the use of best practices.

Recommendations for improvement.

Responses from CAE that include action plans and implementation dates.

Report is issued to the Board & CAE.

Page 16: Pros and Cons External Assessments

Pros/Considerations

Robust value-added for CAE and IA customers – best practices, benchmarking.

Experienced team – composed of other CAEs with prior QAR experience, and in our case bank audit experience

Efficient process

Felt an outside party would be more willing to provide more constructive input – more value

Credible assurance to stakeholders

For large audit departments, may be best choice.

Page 17: Pros and Cons External Assessments

HomeStreet Approach

Cons/Considerations

Likely more expensive both for the engagement itself and travel costs.

Potential consultant bias to sell services (influenced our decision to use the IIA)

May have less flexibility on scheduling as QAR team is likely not local. Some senior managers were not available for interviews the week of the on site work.

Page 18: Challenges/Rewards

Be sure to allocate enough time for the preparation and on site work. It is a big time commitment!

Be open for both validation of those things your shop does well and opportunities for improvement/best practices – this is where the value lies.

Page 19: Self-Assessment with External Validation – What & Who

MOE Approach

CAE/auditor performs self-assessment and independent reviewer validates with testing.

Same criteria evaluated as in the full external assessment.

Accounting firms, IA services firms, independent consultants, Puget Sound IIA Chapter, auditors from other companies can validate.

Page 20: Self-Assessment With Validation

MOE Approach

Three local firms utilized.

Non-competitive industries.

From each company, one CAE and one Sr. or Manager.

All signed NDAs.

Each company first completed a self-assessment.

Utilized the test plan provided by the IIA.

Gathered supporting evidence and self-scored.

All materials digital and cross referenced.

Kick off meeting with all three companies present.

Page 21: Self-Assessment With Validation

MOE Approach

2-4 weeks of internal self-assessment time prior to validator.

Validation step did not include auditors from company being assessed.

Allowed for one week on-site for each company.

Another one/two weeks offsite to compile, vet and create report.

CAEs contributed to the governance sections.

Having CAE sit in on interviews with audit committee chair and c-suite executives was good. Helped build trust and credibility with executives.

Page 22: Self-Assessment With Validation

MOE Approach

Validator documents agreement or disagreement with conclusions in the self-assessment report.

Issued separate final from the self-assessment report.

Validation report went to the Board.
◦ I also shared report with Management.

CAE also received a separate report from the other CAEs on general tips/observations.

Page 23: Self-Assessment With Validation

MOE Stakeholders

Critical to manage expectations!!! Educate!

CAE & Internal Audit Department
◦ Is a reflection on leadership & staff skills

CEO Management
◦ Answers question of “Who audits the Auditor?” Can give the department credibility.

Board
◦ Provides confidence that the audit shop is in fact functioning according to best practice standards

Page 24: Self-Assessment With Validation

MOE Considerations

◦ Company’s appetite for a QAR? Audit Committee?
◦ Do you need a little time to prep (i.e., fix known issues).
◦ Consider a pre-QAR to get your house in order.
◦ Best for the CAE to be championing vs. Audit Committee.
◦ As a CAE, you should have a clear picture of “Why.”
◦ Be passionate about the why!
◦ You are putting all of your laundry out for others to see. Could impact your reputation and career. Must take seriously!

Page 25: Self-Assessment With Validation

MOE Considerations

Multi-year journey.

Timing is a consideration.

Is the CAE new to the role? (can be a good time to engage) - provides great feedback or a road map on where to focus energy.

If CAE has been in the role for a while, there are additional considerations.

Page 26: Self-Assessment With Validation

MOE Challenges

Assessment format to adopt?

Reporting format for final presentation?

Scheduling conflicts come up given multiple organizations.

Merging different auditing styles (black and white vs gray).

Often, this is the first time groups have engaged in such review activities.

Page 27: Self-Assessment With Validation

MOE Self-Assessment Pros

Less expensive.

I liked being a little closer to the review.

Sharing of best practice, peer to peer.

I felt I could relate better to local teams vs. an academic approach or consultant.

Local companies brought a lot of credibility vs. an unknown.

Value-add for CAE and IA stakeholders comes from the input of local practitioners, benchmarking, interviews.

May be best for smaller IA Departments.

Page 28: Qualified Reviewer Requirements

Independence
◦ Reciprocal arrangements between 3 or more can be ok.

Integrity and Objectivity.

Competence – certified (CIA, CPA, CISA), knowledgeable of IA Standards, current with IA best practices, 3 or more years IA experience recommended.

Relevant industry experience – recommended but not necessary.

IT Audit experience - recommended but not necessary.

Page 29: How to prepare? – It’s not all about the workpaper files

Perform periodic Internal Assessments (see 1311-1) to review IA practices and compliance with the Standards and Code of Ethics.

Determine whether performance is consistent with Charter and stakeholder expectations. Consider surveying stakeholders.

Assess use of best practices and value added to organization.

Page 30: Overview of Program Segments

There are six Program Segments:

1. Assessing the Organization
2. Risk Assessment & Engagement Planning
3. Staff Professional Proficiency
4. Information Technology
5. Assessing Production & Value Added
6. Individual Workpaper File Review

Page 31: Relationship of Program Segments to Audit Standards

In preparing for a QAR, it is helpful to understand the relationship between the Program Segments and the Internal Auditing Standards.

Page 32: Assessing the Organization

This program segment addresses compliance with six separate standards:

◦ 1000 Purpose Authority & Responsibility
◦ 1110 Organizational Independence
◦ 1210 Proficiency
◦ 1220 Due Professional Care
◦ 1230 Continuing Professional Development
◦ 2040 Policies & Procedures

Page 33: Risk Assessment & Engagement Planning

The Risk Assessment & Engagement Planning Segment addresses the following standards:

◦ 1230 Continuing Professional Education
◦ 2010 Planning
◦ 2010.A1 Engagement Planning based on Risk Assessment
◦ 2020 Communication and Approval
◦ 2030 Resource Management
◦ 2050 Coordination
◦ 2060 Reporting to the Board & Senior Management
◦ 2110 Risk Management
◦ 2340 Engagement Supervision

Page 34: Staff Professional Proficiency

The Staff Professional Proficiency Segment addresses the following standards:

◦ 1120 Individual Objectivity
◦ 1210 Proficiency
◦ 1220 Due Professional Care
◦ 1230 Continuing Professional Development

Page 35: Information Technology

The IT segment, although not specifically referenced to any of the standards, evaluates the IT audit function’s compliance with the following standards:

◦ 1000 Purpose Authority & Responsibility
◦ 1110 Organizational Independence
◦ 1200-1230 Proficiency & Due Professional Care
◦ 2200 – 2240 Engagement Planning

Page 36: Assessing Production & Value Added

The program segment for “Assessing Production & Value Added” relates to the following standards:

1110.A1 Independence in determining audit scope & communicating results

2030 Resource Management

2400 Communicating Results

Page 37: Individual Workpaper File Review

The program segment for “Assessing Production & Value Added” relates to the following standards:

1220 - Due Professional Care

2030 - Resource Management

2112 – 2130 – Scope of Work

2200 – 2240 - Planning the Engagement

2300 – Performing the Engagement

2310 – 2340 – Examining & Evaluating Information

2400 – 2500 – Communicating Results & Follow up

Page 38: Recommended Steps

Brief your audit committee on the requirement and how you plan to meet it.

Compare your practices against standards, address any gaps.

Consider taking the IIA’s QAR class and/or purchasing the IIA QAR Manual

Identify who will perform your QAR or validation