Overview of the Institute of Internal Auditors’ Mandatory Guidance and Quality Assurance Review

Melody Reed, CRCM, CFSA
Manager


Disclaimer

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Overview

• Interagency Policy Statement on the Internal Audit Function and Its Outsourcing (FIL-21-2003/ SR-03-5)
• Core Principles for the Professional Practice of Internal Auditing
• Definition of Internal Auditing
• Code of Ethics
• International Standards for the Professional Practice of Internal Auditing (Standards)
• External Quality Assurance Review (QAR)


FIL-21-2003/ SR-03-5

Interagency Policy Statement on the Internal Audit Function and Its Outsourcing

In a statement issued March 17, 2003, the federal banking agencies revised their 1997 internal audit policy statement to update guidance (in light of the Sarbanes-Oxley Act) on the independence of an accountant who provides both external audit and internal audit services to an institution, and to highlight other areas of concern regarding co-sourced or outsourced internal audit arrangements.


FIL-21-2003/ SR-03-5 (Continued)

“Many institutions have been engaging independent public accounting firms and other outside professionals (outsourcing vendors) in recent years to perform work that traditionally has been done by internal auditors. These arrangements are often called "internal audit outsourcing," "internal audit assistance," "audit co-sourcing," and "extended audit services" (hereafter collectively referred to as outsourcing).”


FIL-21-2003/ SR-03-5 (Continued)

“Outsourcing may be beneficial to an institution if it is properly structured, carefully conducted, and prudently managed. However, the agencies have concerns that the structure, scope, and management of some internal audit outsourcing arrangements do not contribute to the institution's safety and soundness.”


FIL-21-2003/ SR-03-5 (Continued)

Letter broken into 3 parts:
• Part I: Key characteristics of the internal audit function
• Part II: Sound practices concerning the use of outsourcing vendors
• Part III: The effect outsourcing arrangements have on the independence of an external auditor who also provides internal audit services to an institution


FIL-21-2003/ SR-03-5 (Continued)

PART II - INTERNAL AUDIT OUTSOURCING ARRANGEMENTS
• Examples of Arrangements
• Additional Considerations for Internal Audit Outsourcing Arrangements
  - Contract/ Engagement Letter
  - Vendor Competence
  - Management
  - Communication
  - Contingency Planning


Area of Focus for the Regulators

From Part I: “Directors should be confident that the internal audit function addresses the risks and meets the demands [of the Bank]. To accomplish this objective, directors should consider whether their institution's internal audit activities are conducted in accordance with professional standards, such as the Institute of Internal Auditors' (IIA) Standards for the Professional Practice of Internal Auditing. These standards address independence, professional proficiency, scope of work, performance of audit work, management of internal audit, and quality assurance reviews.”


The IIA and Outsourcing

Standard 2070 – External Service Provider and Organizational Responsibility for Internal Auditing

When an external service provider serves as the internal audit activity, the provider must make the organization aware that the organization has the responsibility for maintaining an effective internal audit activity.


The IIA and Outsourcing

Standard 2070 – External Service Provider and Organizational Responsibility for Internal Auditing

Interpretation

This responsibility is demonstrated through the quality assurance and improvement program which assesses conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.


The IIA and Outsourcing

Q&A on the IIA’s Website: https://na.theiia.org/services/quality/Pages/Frequently-Asked-Questions.aspx

Key question: Who is responsible for an external QA when a Service Provider has been contracted to provide total outsourcing of the internal audit activity?


The IIA and Outsourcing

In all cases, the organization maintains the responsibility for having an external QA in accordance with The IIA's Standards. If the organization has a CAE (partial outsourcing), it is clearly the CAE's responsibility to initiate the process and discussion with the audit committee. If a total outsourcing exists, the person who negotiates the outsourcing of the internal audit services (e.g., CFO, Corporate Controller) would be responsible for initiating the external QA. The service providers' specific work on the assignment would be reviewed as part of the external QA and not the entire firm's policies and procedures (except relevant section of the Policies & Procedures of the service provider as applied in the organization). Service providers must advise and brief their clients on the requirements of the Standards.


Core Principles

Core Principles for the Professional Practice of Internal Auditing
• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.


Definition of Internal Auditing

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


Code of Ethics - Principles

• Integrity
  The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

• Objectivity
  Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

• Confidentiality
  Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

• Competency
  Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.


Code of Ethics – Rules of Conduct

• Integrity
  - Internal auditors shall perform their work with honesty, diligence, and responsibility.
  - Internal auditors shall observe the law and make disclosures expected by the law and the profession.
  - Internal auditors shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
  - Internal auditors shall respect and contribute to the legitimate and ethical objectives of the organization.


Code of Ethics – Rules of Conduct (Continued)

• Objectivity
  - Internal auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
  - Internal auditors shall not accept anything that may impair or be presumed to impair their professional judgment.
  - Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.


Code of Ethics – Rules of Conduct (Continued)

• Confidentiality
  - Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.
  - Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.


Code of Ethics – Rules of Conduct (Continued)

• Competency
  - Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and experience.
  - Internal auditors shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).
  - Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services.


Standards

International Standards for the Professional Practice of Internal Auditing (Standards)
• The Standards are principles-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:
  - Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.
  - Interpretations, which clarify terms or concepts within the statements.
  - Glossary terms.
• It is necessary to consider both the statements and their interpretations to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings as noted in the Glossary, which is also part of the Standards.


External Quality Assurance Review (QAR)

Standard 1312 – External Assessments
• External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The chief audit executive must discuss with the board:
  - The form and frequency of external assessments; and
  - The qualifications and independence of the external assessment team, including any potential conflict of interest.


QAR – Interpretation of the Standard

• External assessments can be in the form of:
  - A full external assessment, or
  - A self-assessment with independent external validation.
• Qualified assessors demonstrate competence in two areas: the professional practice of internal auditing and the external assessment process.
• Independent assessors do not have a real or an apparent conflict of interest.


QAR Program

• The IIA’s QAR Program assesses four areas of the Internal Audit function:
  - Internal Audit Governance
  - Internal Audit Management
  - Internal Audit Staff
  - Internal Audit Process


QAR – Internal Audit Governance

• Internal Audit Charter (1000) and Definition of Internal Audit
• Independence/Objectivity (1100) and Code of Ethics
• Quality Assurance and Improvement Program (QAIP) (1300)


QAR – Internal Audit Management

• Managing the Internal Audit Activity (2000 and 2450)
• Communicating the Acceptance of Risks (2600)
• Nature of Work (2100)


QAR – Internal Audit Staff (1200)

• Job descriptions, core competencies, areas of knowledge, etc.
• Specialized areas of knowledge (e.g. IT, treasury, legal/compliance)
• Due professional care (1220)
• Training and continuing professional development (1230)


QAR – Internal Audit Process

• Engagement Planning (2200)
• Performing the Engagement (2300)
• Communicating Results (2400)
• Monitoring Process (2500)


Sources:
The Institute of Internal Auditors
International Professional Practices Framework (IPPF) 2013 Edition


Melody Reed, CRCM, CFSA
Email: [email protected]
Phone: 843.720.5821

Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.
