Topic 4-5

The document discusses an organization's quality assurance and improvement program for its internal audit activity. It outlines standards for both internal and external assessments to evaluate conformance with standards and identify opportunities for improvement. Periodic internal assessments involve ongoing monitoring and self-assessments, while external assessments must occur at least once every 5 years and be conducted by a qualified independent assessor. Results of both internal and external assessments are communicated to senior management and the board.

Uploaded by maerwyn.tanghal


QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

IA GOVERNANCE: Attribute Standard 1300 Quality Assurance and Improvement Program
- The Chief Audit Executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Interpretation
- A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics.
- The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The CAE should encourage board oversight in the quality assurance and improvement program.

The QAIP should encompass all aspects of operating and managing the internal audit activity, including consulting engagements, as found in the mandatory elements of the IPPF. A well-developed QAIP ensures that the concept of quality is embedded in the internal audit activity and all of its operations.

IA GOVERNANCE: Attribute Standard 1310 Requirements of the Quality Assurance and Improvement Program
- The quality assurance and improvement program must include both internal and external assessments.

IA GOVERNANCE: Attribute Standard 1320 Reporting on the Quality Assurance and Improvement Program
The CAE must communicate the results of the quality assurance and improvement program to senior management and the board. Disclosure should include:
- The scope and frequency of both internal and external assessments
- The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest
- Conclusions of assessors
- Corrective action plans

Interpretation
- The form, content and frequency of communicating the results of the quality assurance and improvement program are established through discussions with senior management and the board and consider the responsibilities of the internal audit activity and the CAE as contained in the internal audit charter. To demonstrate conformance with the Code of Ethics and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments, and the results of ongoing monitoring are communicated at least annually.

IA GOVERNANCE: Attribute Standard 1321 Use of “Conforms with the International Standards for Professional Practice of Internal Auditing”
- Indicating that the internal audit activity conforms with the ISPPIA is appropriate only if supported by the results of the quality assurance and improvement program.

Interpretation
- The internal audit activity conforms with the Code of Ethics and the Standards when it achieves the outcomes described therein. The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least 5 years will also have the results of external assessments.

IA GOVERNANCE: Attribute Standard 1322 Disclosure of Nonconformance
When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the Chief Audit Executive must disclose the nonconformance and its impact to senior management and the board.

IA GOVERNANCE: Attribute Standard 1311 Internal Assessments
Internal assessments include:
- Ongoing monitoring of the performance of the internal audit activity
- Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.

Interpretation
- Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools and information considered necessary to evaluate conformance with the Code of Ethics and the Standards.
- Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the Standards. Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the IPPF.
- The two interrelated parts of the internal assessments – ongoing monitoring and periodic self-assessments – provide an effective structure for the internal audit activity to continuously assess its conformance with the Standards and whether internal auditors apply the Code of Ethics. Additionally, they may allow for identification of improvement opportunities.
- Ongoing monitoring is achieved primarily through continuous activities such as engagement planning and supervision, standardized work practices, work paper procedures and sign-offs, and report reviews, as well as identification of any weaknesses or areas in need of improvement.

IA GOVERNANCE: Attribute Standard 1311 Internal Assessments
Interpretation
Additional mechanisms commonly used for ongoing monitoring include:
- Checklists or automation tools to provide assurance on internal auditors’ compliance with established practices and procedures and to ensure consistency in the application of performance standards
- Feedback from internal audit clients and other stakeholders regarding the efficiency and effectiveness of the internal audit team. Feedback may be solicited immediately following the engagement or on a periodic basis (semi-annually or annually) via survey tools or conversations between the CAE and management
- Staff and engagement key performance indicators (KPIs), such as the number of certified internal auditors on staff, their years of experience in internal auditing, the number of continuing professional development hours they earned during the year, timeliness of engagements and stakeholder satisfaction
- Other measurements that may be valuable in determining the efficiency and effectiveness of the internal audit activity. Measures of project budgets, timekeeping systems, and audit plan completion may help to determine whether the appropriate amount of time is spent on all aspects of the audit engagement.

IA GOVERNANCE: Attribute Standard 1311 Internal Assessments
Interpretation
- Periodic self-assessments have a different focus than ongoing monitoring in that they generally provide a more holistic, comprehensive review of the Standards and the internal audit activity. In contrast, ongoing monitoring is generally focused on reviews conducted at the engagement level. Additionally, periodic self-assessments address conformance with every standard, whereas ongoing monitoring frequently is more focused on the performance standards at the engagement level.
- Periodic self-assessments are generally conducted by senior members of the internal audit activity, a dedicated quality assurance team or individual within the internal audit activity who has extensive experience with the IPPF, CIAs, or other internal audit professionals who may be assigned elsewhere in the organization.

The internal audit activity conducts periodic self-assessments to validate its continued conformance with the Standards and Code of Ethics and to evaluate:
- The quality and supervision of work performed
- The adequacy and appropriateness of internal audit policies and procedures
- The ways in which the internal audit activity adds value
- The achievement of key performance indicators
- The degree to which stakeholder expectations are met

IA GOVERNANCE: Attribute Standard 1312 External Assessments
External assessments must be conducted at least once every 5 years by a qualified, independent assessor or assessment team from outside the organization. The CAE must discuss with the board:
- The form and frequency of external assessments
- The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest

Interpretation
- External assessments may be accomplished through a full external assessment, or a self-assessment with independent external validation. The external assessor must conclude as to conformance with the Code of Ethics and the Standards; the external assessment may also include operational or strategic comments.
- A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience.

The scope of a full external assessment typically includes three core components:
- The level of conformance with the Standards and Code of Ethics. This may be evaluated via a review of the internal audit activity's charter, plans, policies, procedures, and practices. In some cases, the review may also include applicable legislative and regulatory requirements.
- The efficiency and effectiveness of the internal audit activity. This may be measured through an assessment of the internal audit activity's processes and infrastructure, including the QAIP, and an evaluation of the internal audit staff's knowledge, experience, and expertise.
- The extent to which the internal audit activity meets expectations of the board, senior management, and operations management, and adds value to the organization.

The scope of a self-assessment with independent validation (SAIV) typically consists of:
- A comprehensive and fully documented self-assessment process that emulates the full external assessment process, at least with respect to evaluating the internal audit activity's conformance with the Standards and Code of Ethics.
- Onsite validation by a qualified, independent external assessor.
- Limited attention to other areas such as benchmarking; review, consultation, and employment of leading practices; and interviews with senior and operations management.

PROFICIENCY AND DUE PROFESSIONAL CARE

IA STAFF: Attribute Standard 1200 Proficiency and Due Professional Care
Engagements must be performed with proficiency and due professional care.

- Performing engagements with proficiency and due professional care is the responsibility of every internal auditor. Achieving these two attributes begins with an understanding of the Mandatory Guidance of the IPPF, especially the IIA’s Code of Ethics.
- Internal auditors usually develop proficiency via education, experience, professional development opportunities, and qualifications such as the internal audit profession’s most relevant certification, the Certified Internal Auditor.
- Due professional care requires understanding of the IPPF’s systematic and disciplined approach to internal auditing, which is supplemented by organization-specific policies and procedures established by the CAE. This involves the CAE’s recruitment and training of internal auditors, as well as proper planning, staffing, and supervising of engagements.

IA STAFF: Attribute Standard 1210 Proficiency
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Interpretation
- Proficiency is a collective term that refers to the knowledge, skills, and other competencies required of internal auditors to effectively carry out their professional responsibilities. It encompasses consideration of current activities, trends, and emerging issues, to enable relevant advice and recommendations.
- The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge, skills or other competencies needed to perform all or part of the engagement.
- Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
- Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
- The CAE must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills or other competencies needed to perform all or part of the engagement.

IA STAFF: Attribute Standard 1220 Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

Internal auditors must exercise due professional care by considering the:
- Extent of work needed to achieve the engagement’s objectives
- Relative complexity, materiality, or significance of matters to which assurance procedures are applied
- Adequacy and effectiveness of governance, risk management and control processes
- Probability of significant errors, fraud, or non-compliance
- Cost of assurance in relation to potential benefits
In exercising due professional care, internal auditors must consider the use of technology-based audit and other data analysis techniques.

Internal auditors must be alert to significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

Internal auditors must exercise due professional care during a consulting engagement by considering the:
- Needs and expectations of clients, including the nature, timing, and communication of engagement results
- Relative complexity and extent of work needed to achieve the engagement’s objectives
- Cost of the consulting engagement in relation to potential benefits

IA STAFF: Attribute Standard 1230 Continuing Professional Development
Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

- Opportunities for professional development include participating in conferences, seminars, training programs, online courses and webinars, self-study programs, or classroom courses; conducting research projects; volunteering with professional organizations; and pursuing professional certifications such as the CIA.
- To ensure their internal audit knowledge stays current on a day-to-day basis, internal auditors may seek guidance from the IIA regarding the standards, best practices, procedures and techniques that could affect the internal audit profession or their organization and specific industry.

Risk Management
DEFINITION:
- According to the IPPF 2017, risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
- According to the Committee of Sponsoring Organizations of the Treadway Commission, it is the possibility that an event may occur that will adversely affect the achievement of some enterprise objectives.
- According to the International Standards Organization, it is the effect of uncertainty on objectives.

Risk Criteria:
Risk can be measured in terms of impact and likelihood:
- Impact – how the company would be affected if the risk were realized
- Likelihood – the chance of the risk occurring over a predefined period of time
A risk statement should read as if something went wrong and state what the impact of this would be (cause + effect).

RISK MANAGEMENT PROCESS
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

Context Understanding
- Precondition to risk identification
- Understanding the process
- Understanding the mission, vision, strategies and objectives

Risk Identification
- Performed at any level of an entity
- Considers past events/trends and future responsibilities

Risk Assessment & Prioritization
- Probabilities (likelihood) and potential effects (impact) of the risk events identified are used to prioritize risks (highest risk first)

Risk Response
- Action plans for prioritized risks
- Risk avoidance – end the activity
- Risk retention – accept the risk
- Risk sharing – transfer some loss potential
- Risk exploitation – pursue a high return on investment
- Risk reduction – lower the level of risk

Risk Monitoring and Reporting
- Tracks identified risks, evaluates current risk responses, monitors residual risks, and identifies new risks
- Reports throughout the organization

RISK TERMINOLOGIES
- Risk capacity – ability to accept risk
- Risk appetite – amount of risk an organization is willing to accept in pursuit of value
- Risk tolerance – specific maximum risk that an organization is willing to take regarding each relevant risk
- Risk culture – attitudes, behaviors, and understanding about risk
- Risk profile – composite view of the types, severity, and interdependencies of risks

RISK MANAGEMENT IN RELATION WITH OTHER STANDARDS

COSO ERM – INTEGRATING WITH STRATEGY AND PERFORMANCE 2017
- Framework that complements, and incorporates some concepts of, the COSO internal control framework
- Provides a basis for coordinating and integrating all of an organization’s risk management activities
- Explicit recognition and understanding of enterprise risk as part of the strategic planning process will help guide and direct the board and management in developing the most appropriate strategies
- The COSO ERM framework is a set of principles organized under five main headings

ISO 31000:2018 RISK MANAGEMENT
- Principles-based approach to risk management. Its principles are the foundation for risk management
- Communicates the characteristics, value, and purpose of effective and efficient risk management

COMBINED AUSTRALIAN AND NEW ZEALAND STANDARDS (AS/NZS 4360)
- Principles-based approach to risk management. Its principles are the foundation for risk management
- Communicates the characteristics, value, and purpose of effective and efficient risk management

RISK MANAGEMENT IN RELATION WITH OTHER STANDARDS

CONTROL OBJECTIVES FOR INFORMATION TECHNOLOGY (COBIT) 2019
- Widely used framework for managing IT risks, designed to be applicable to:
  - Audit and assurance
  - Compliance
  - IT operations
  - Governance
  - Security and risk management
- One of the key distinctions made in the COBIT framework is between IT governance and IT management, each requiring its own processes and structures

Cobit 2019 Framework


CONTROL

DEFINITION:
According to the IPPF 2017, control is any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

Internal Control
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Benefits of Control

It can help:
- achieve performance & profitability targets
- prevent loss of resources
- ensure reliable financial reporting
- ensure compliance with laws
- prevent errors and irregularities and, if they occur, help ensure timely detection
- an entity get to where it wants to go

It encourages adherence to prescribed policies and procedures.

It can protect employees
- by clearly outlining tasks and responsibilities,
- by providing checks and balances,
- from being accused of misappropriations, errors or irregularities.

Limitations of Control
- Reasonable, not absolute, assurance
- Affects speed
- Different levels of assurance for different objectives
- Human element/weakness
- Collusion/management override
- Cost-benefit principle
- Uncertain future

Classification of Controls

Primary Controls
1. Preventive Controls
   - Deter the occurrence of unwanted events
   - Designed to reduce likelihood
   - Examples: storing in a locked safe, segregating duties, credit limits, restricting user access, firewall

2. Detective Controls
   - Alert the proper people after an unwanted event; effective when detection occurs before material harm occurs
   - Designed to reduce likelihood
   - Examples: burglar alarm, review of exception reports

3. Corrective Controls
   - Correct the negative effect of unwanted events
   - Designed to reduce impact
   - Examples: disciplinary actions, bank reconciliation

4. Directive Controls
   - Cause or encourage the occurrence of a desirable event
   - Designed to reduce likelihood and impact
   - Examples: policies and procedures, training sessions, job descriptions

Secondary Controls
1. Compensatory Controls
   - May reduce risk when the primary controls are ineffective; do not reduce risk to an acceptable level
   - Examples: supervision, monitoring
2. Complementary Controls
   - Work with other controls to reduce risk to an acceptable level
   - Example: segregation of the duties of accounting and custody of cash is complemented by obtaining deposit slips validated by the bank
3. Time-based Controls
   - Feedback control
     - Reports information about completed activities; corrective action occurs after the fact
     - Example: inspection of completed goods
   - Concurrent control
     - Adjusts ongoing processes; real-time controls monitor activities in the present to prevent them from deviating too far from the standards
     - Example: close supervision of production-line workers
   - Feedforward control
     - Anticipates and prevents problems; long-term perspective
     - Example: policies and procedures

IT Controls
1. Manual Controls
   - Performed outside of a system
   - Examples: review and sign-off of a cheque, bank reconciliation

2. Application Controls
   - Performed automatically by the system
   - Ensure the completeness and accuracy of transaction processing, authorization and validity (input, process, output controls)
   - Configuration settings in a system that can prevent or detect problems
   - Examples: limit check, edit check

3. IT Dependent Manual Controls
   - Performed by individuals outside of a system; they rely on a manual process but differ in that a portion of the control requires system involvement
   - Example: a system-generated report listing users that have not accessed a system within the past 90 days

4. IT General Controls
   - Refer to the overall information-processing environment
   - Track and document that changes are authorized, tested, approved, and implemented into production
   - Examples: access rights on system resources; tracking and documenting that changes are authorized, tested, approved, and implemented into production
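As an added example (not part of the original document), the difference between an application control and an IT-dependent manual control in Python: the limit and edit checks on a payment run entirely inside the system, while the 90-day dormant-user report is system-generated but the control is only complete once a reviewer records a disposition for every listed account. The export layout, payment fields, currency table, approval limit and review date are constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime

# --- Application control: runs inside the system, no human step ----------

APPROVAL_LIMIT = 10_000.00                # constructed limit for the example
VALID_CURRENCIES = {"USD", "EUR", "PHP"}  # constructed reference table


@dataclass
class Payment:
    amount: float
    currency: str
    account: str  # beneficiary account number as entered by the user


def check_payment(p: Payment) -> list[str]:
    """Input controls on one transaction. Limit check: the amount may not
    exceed the approval limit. Edit checks: fields must have a valid
    format and value. An empty list means the transaction is accepted."""
    errors = []
    if p.amount <= 0:
        errors.append("amount must be positive")
    if p.amount > APPROVAL_LIMIT:
        errors.append(f"amount exceeds limit {APPROVAL_LIMIT:.2f}")
    if p.currency not in VALID_CURRENCIES:
        errors.append("unknown currency code")
    if not (p.account.isdigit() and len(p.account) == 10):
        errors.append("account number must be 10 digits")
    return errors


# --- IT-dependent manual control: system report + manual review ----------

DORMANCY_DAYS = 90                 # threshold named in the text
REPORT_DATE = date(2024, 6, 1)     # constructed review date

# Constructed sample export of last successful login per user; the column
# layout is an assumption, not a real product's format.
LAST_LOGIN_EXPORT = """\
user,last_login
alice,2024-05-28
bob,2024-01-15
carol,2023-11-02
dave,never
"""


def dormant_users(export: str, as_of: date,
                  threshold_days: int = DORMANCY_DAYS) -> list[dict]:
    """System-generated part of the control: every account whose last login
    is more than threshold_days before as_of. Accounts that never logged in
    are listed too (days_inactive=None); they have been unused since
    creation and are easy to miss when a report only sorts by date."""
    rows = []
    for line in export.strip().splitlines()[1:]:  # skip the header row
        user, last = line.split(",")
        if last == "never":
            days = None
        else:
            days = (as_of - datetime.strptime(last, "%Y-%m-%d").date()).days
        if days is None or days > threshold_days:
            rows.append({"user": user, "days_inactive": days})
    return rows


def sign_off(dormant: list[dict], decisions: dict[str, str],
             reviewer: str) -> dict:
    """Manual part of the control: the reviewer records 'keep' or 'disable'
    for each listed account. The review is complete only when no account is
    left without a valid disposition; the report by itself is not the
    control."""
    allowed = {"keep", "disable"}
    missing = [r["user"] for r in dormant if r["user"] not in decisions]
    invalid = [u for u, d in decisions.items() if d not in allowed]
    return {"reviewer": reviewer, "complete": not missing and not invalid,
            "missing": missing, "invalid": invalid}


if __name__ == "__main__":
    print(check_payment(Payment(12_000.0, "USD", "1234567890")))
    report = dormant_users(LAST_LOGIN_EXPORT, REPORT_DATE)
    print(report)
    print(sign_off(report, {"bob": "disable", "carol": "disable"}, "j.doe"))
```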

Internal Control Framework

COSO Internal Control – Integrated Framework 2013
- Published by the Committee of Sponsoring Organizations of the Treadway Commission for determining what constitutes effective internal control
- Helps organizations design and implement internal control in light of many changes in business and operating environments, broadens the application of internal control in addressing operations and reporting objectives, and clarifies the requirements.

1. Control Environment
   - The control environment sets the tone for an organization's internal control system. It encompasses the overall culture, ethical values, governance structure, and commitment to competence within the organization.
2. Risk Assessment
   - Organizations must identify and assess the risks they face in achieving their objectives. This involves understanding internal and external factors that could impact the organization's ability to achieve its goals.
3. Control Activities
   - Control activities are the policies, procedures, and practices that help mitigate the identified risks. These controls can be preventive, detective, or corrective in nature and should be tailored to the organization's specific needs.
4. Information and Communication
   - Effective internal control systems rely on the timely and accurate flow of information, both within the organization and with external parties. This component ensures that relevant information is communicated to the right people, allowing them to make informed decisions.
5. Monitoring Activities
   - Continuous monitoring of internal controls is crucial to ensure they are functioning as intended. Monitoring involves ongoing assessment, testing, and reporting on the effectiveness of internal controls.

Internal Control Framework

Criteria of Control (COCO) Framework

Purpose:
- Setting Objectives: This component focuses on the importance of clearly defining and communicating the objectives of the organization. Objectives provide the basis for internal control design and implementation. It includes strategic, operational, financial, and compliance objectives.
- Risk Identification: Here, the framework emphasizes the need to identify and assess risks that could affect the achievement of objectives. This includes both internal and external risks, such as operational risks, financial risks, compliance risks, and strategic risks.
- Risk Response: This component highlights the organization's responsibility to develop and implement appropriate risk responses. This involves designing and executing control activities to mitigate identified risks, whether preventive, detective, or corrective in nature.

Commitment:
- Ethical Values and Integrity: This component underscores the importance of promoting and maintaining a culture of ethical values and integrity throughout the organization. It calls for a commitment to honesty, fairness, and ethical behavior at all levels.
- Board Oversight: Board oversight is critical to effective internal control. This principle focuses on the board of directors' role in providing oversight and ensuring that the organization's control environment is robust.
- Management Philosophy and Operating Style: It emphasizes the need for management to lead by example, fostering a control-conscious culture and demonstrating a commitment to achieving objectives with integrity.

Capability:
- Organizational Structure: This component addresses how the organization's structure and responsibilities are aligned with its objectives and internal control requirements. It includes considerations of the allocation of roles and responsibilities.
- Assignment of Responsibility: Here, the framework highlights the importance of clearly defining roles and responsibilities for internal control activities. It ensures that individuals know what is expected of them in the context of control implementation.
- Human Resource Policies and Practices: This component focuses on human resource policies and practices that support the organization's internal control efforts, such as recruitment, training, and performance evaluation.

Monitoring & Learning:
- Monitoring Activities: Ongoing monitoring of internal controls is vital. This part of the framework emphasizes the need to establish a monitoring process to assess the effectiveness of control activities.
- Corrective Action: When control deficiencies are identified, it's essential to take corrective action promptly. This component addresses the organization's responsibility to remediate issues and improve control effectiveness.
- Communication: Effective communication is critical for learning from internal control assessments and sharing insights with relevant parties, including management and the board of directors.

Internal Control Framework

Turnbull Report (Internal Control: Revised Guide for Directors on the Combined Code)
A corporate governance document published in the United Kingdom in 1999. It provided guidance on internal control systems and was part of the Combined Code, which is now known as the UK Corporate Governance Code.
1. Definition of Internal Control: The report defined internal control as "the whole system of controls, financial and otherwise, established by the management in order to carry on the business of the company in an orderly and efficient manner, ensure adherence to management policies, safeguard the assets, and secure as far as possible the completeness and accuracy of the records."
2. Board Responsibility: The report emphasized the responsibility of the board of directors in ensuring the effectiveness of the company's internal control system. It stated that the board should annually review the effectiveness of the internal control system and report its findings in the annual report to shareholders.
3. Risk Assessment: The Turnbull Report stressed the importance of identifying and assessing risks to the achievement of the company's objectives. It recommended that companies should have a formal, documented risk assessment process.
4. Control Environment: The report highlighted the significance of creating a strong control environment, including establishing a culture of control and compliance throughout the organization.
5. Control Activities: Companies were encouraged to establish control activities, policies, and procedures that mitigate identified risks. These controls could be preventive, detective, or corrective in nature.
6. Information and Communication: Effective internal control systems depend on the timely and accurate flow of information. The report recommended that companies should establish channels for communication and reporting of control-related information.
7. Monitoring: Regular monitoring of the internal control system was deemed crucial. Companies were advised to implement ongoing monitoring processes to ensure that controls were operating as intended and that any deficiencies were identified and addressed promptly.
8. Annual Assessment: The report recommended that companies annually assess and report on the effectiveness of their internal controls, including any significant weaknesses and plans for improvement. This assessment would be included in the company's annual report.
