Even for those internal audit departments that are fully outsourced, the department, itself is still required to have a QA & IP regardless of of whether the outsource provider has completed one of their overall activities.
QA & IP include evaluation of:
- Conformance with the Definition, Code of Ethics and Standards including timely corrective actions to remedy any significant instances of non-conformance
- Adequacy of the internal audit activity's charter, goals, objectives, policies and procedures.
- Contribution to the organization's governance, risk management and control processes.
- Compliance with applicable laws, regulations and government or industry standards.
- Effectiveness of continuous improvement activities and adoption of best practices.
- The extent to which the internal audit activity adds value and improves the organization's operations.
Ongoing internal assessments are practices out into place by the CAE to do routine evaluations of the practices and policies of performing individual audits. Scope of internal assessments:
- Routine and continuous supervision and testing of the performance of audit and consulting work
- Ongoing measurements and analyses of performance metrics, plan accomplishment, cycle time, recommendations accepted
- Periodic validations of compliance with applicable laws, regulations and government or industry standards
- Periodic validations of compliance with the Standards and Code of Ethics
External reviewers should be independent of the organization and of the internal audit activity. The review team should be competent in the professional practice of internal auditing and the external assessment process. Scope of external assessments:
- Conformance with the Definition of Internal Auditing; the Code of Ethics and the Standards
- Expectation of the internal audit activity expressed by the board, senior management and operational managers
- Integration of the internal audit activity into the organization's governance process, including the relationships between and among the key groups involved in the process
- Tools and techniques employed by the internal audit activity
- Mix of knowledge, experience and disciplines within the staff
For internal assessments, the CAE should share the results, necessary action plans and their successful implementation with stakeholders such as senior management, the board and external auditors.
For external assessments, the preliminary results of the review should be discussed with the CAE during and at the conclusion of the assessment process. Final results should be communicated in a formal report to the CAE or other official who authorized the review for the organization, preferably with copies sent directly to appropriate members of senior management and the board.
The use of compliance phrase requires an external assessment at least once during each five-year period, along with ongoing and periodic internal assessments that have concluded that the internal audit activity is in compliance with the Standards and the Code of Ethics.
No comments:
Post a Comment