
Chapter 3

CIA Part 2 Personal Notes

Uploaded by

abdiweli

Chapter 3 Due professional care and quality assurance and improvement development

Sub-unit 1 Due professional care and CPE


Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.
Due professional care does not imply infallibility.

Due professional care required is reasonable care, not absolute assurance.

Internal auditors perform reasonable work and provide reasonable assurance.

Due professional care requires conformance with The IIA’s Code of Ethics and may entail conformance with the
organization’s code of conduct and any additional codes of conduct relevant to other professional designations
attained.

The internal audit activity’s policies and procedures provide a systematic and disciplined approach to planning,
executing, and documenting internal audit work. By following this systematic and disciplined approach, internal
auditors essentially apply due professional care. However, what constitutes due professional care partially
depends upon the complexities of the engagement.

Internal auditors must exercise due professional care during assurance engagements by considering the:

• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
• Adequacy and effectiveness of governance, risk management, and control processes.
• Probability of significant errors, fraud, or noncompliance.
• Cost of assurance in relation to potential benefits.

In exercising due professional care internal auditors must consider the use of technology-based audit and other
data analysis techniques.

Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources.
However, assurance procedures alone, even when performed with due professional care, do not guarantee that all
significant risks will be identified.

Internal auditors must exercise due professional care during a consulting engagement by considering the:

• Needs and expectations of clients, including the nature, timing, and communication of engagement results.
• Relative complexity and extent of work needed to achieve the engagement’s objectives.
• Cost of the consulting engagement in relation to potential benefits.

Due professional care can be demonstrated if the auditor applied the care and skill of a reasonably competent and
prudent internal auditor in the same or similar circumstances. In light of being reasonably competent and prudent,
any unexpected results from analytical procedures should be investigated and adequately explained.

Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional
development.

Continuing Professional Development gives specific advice regarding further education to enhance proficiency:

• An individual internal auditor may use a self-assessment tool, such as the Competency Framework, as a basis for creating a professional development plan. The development plans may encompass on-the-job training, coaching, mentoring, and other internal and external training, volunteer, or certification opportunities.
• Opportunities for professional development include participating in conferences, seminars, training programs, online courses and webinars, self-study programs, or classroom courses; conducting research projects; volunteering with professional organizations; and pursuing professional certifications.

Certified internal auditors (CIAs) demonstrate their continuing professional development by completing continuing
professional education (CPE).

Practicing and nonpracticing CIAs must complete 40 hours and 20 hours, respectively, of CPE annually (including at
least 2 hours of ethics training).

Qualifying CPE activities are those that contribute to internal audit competence. They include the following:

• Educational programs (e.g., seminars, conferences, or technical sessions provided by auditing or accounting organizations and chapters; formal in-house training programs; college or university courses passed; or self-study programs relevant to internal auditing).
• Passing examinations
• Authoring or contributing to publications
• Translating publications
• Delivering oral presentations
• Participating as a subject matter expert volunteer
• Performing external quality assessments

Sub-unit 2 QAIP

The chief audit executive must develop and maintain a quality assurance and improvement program that covers all
aspects of the internal audit activity.

A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s
conformance with the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The
program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for
improvement. The chief audit executive should encourage board oversight in the quality assurance and
improvement program.

Characteristics of a QAIP

The QAIP should encompass all aspects of operating and managing the internal audit activity—including consulting
engagements—as found in the mandatory elements of the [IPPF].

A well-developed QAIP ensures that the concept of quality is embedded in the internal audit activity and all of its
operations.

It must include ongoing and periodic internal assessments as well as external assessments by a qualified
independent assessor or assessment team.

The QAIP consists of five components:

1. Internal assessments,

2. External assessments,

3. Communication of QAIP results,

4. Proper use of a conformance statement, and

5. Disclosure of nonconformance.

The QAIP also includes ongoing measurements and analyses of performance metrics such as accomplishment of
the internal audit plan, cycle time, recommendations accepted, and customer satisfaction.

CAE Responsibilities for the QAIP

• The CAE must have a thorough understanding of the mandatory elements of the IPPF, especially the Standards and Code of Ethics.
• The CAE periodically evaluates the QAIP and updates it as needed.

The quality assurance and improvement program must include both internal and external assessments.

The CAE is responsible for ensuring that the internal audit activity conducts internal assessments and external
assessments.

1) Internal assessments consist of ongoing monitoring and periodic self-assessments, which evaluate the internal audit activity’s conformance with the mandatory elements of the IPPF, the quality and supervision of audit work performed, the adequacy of internal audit policies and procedures, the value the internal audit activity adds to the organization, and the establishment and achievement of key performance indicators.
   • Ongoing monitoring is achieved primarily through continuous activities such as engagement planning and supervision, standardized work practices, workpaper procedures and signoffs, report reviews, as well as identification of any weaknesses or areas in need of improvement and action plans to address them.
   • Periodic self-assessments are conducted to validate that ongoing monitoring is operating effectively.
2) External assessments provide an opportunity for an independent assessor or assessment team to conclude as to the internal audit activity’s conformance with the Standards and whether internal auditors apply the Code of Ethics, and to identify areas for improvement.
   • The CAE is responsible for ensuring that the internal audit activity conducts an external assessment at least once every five years.
   • A self-assessment may be performed in lieu of a full external assessment, provided it is validated by a qualified, independent, competent, and professional external assessor.

The Deming Cycle can be used to establish the QAIP in a planned, methodical manner. The Deming Cycle (or
Plan-Do-Check-Act Cycle) is a continuous improvement model popularized by W. Edwards Deming.

The Deming Cycle consists of four steps:

• Plan
• Do
• Check
• Act

The application of the Deming Cycle to the QAIP:

• Formal documentation of standards and expected practices (PLAN)
• Development activities to define quality and build staff awareness of standards and expectations (DO)
• Various forms of assessment and review to measure product or process quality expectations (CHECK)
• Undertaking improvement initiatives and documenting lessons learned (ACT)

The Deming Cycle consists of four steps:

• Plan establishes standards and expectations for operating a process to meet goals.
• Do executes the process and collects data for further analysis in the later steps.
• Check compares actual results with expected results and analyzes the difference.
• Act provides feedback by identifying and implementing improvements to the process.

Sub-Unit 3 Internal and External assessment


Internal assessment

Internal assessments must include:

• Ongoing monitoring of the performance of the internal audit activity.
  Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Code of Ethics and the Standards.
• Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.
  Periodic assessments are conducted to evaluate conformance with the Code of Ethics and the Standards.

The two interrelated parts of internal assessments—ongoing monitoring and periodic self-assessments—provide
an effective structure for the internal audit activity to continuously assess its conformance with the Standards and
whether internal auditors apply the Code of Ethics.

The chief audit executive (CAE) establishes a structure for reporting results of internal assessments that maintains
appropriate credibility and objectivity. Generally, those assigned responsibility for conducting ongoing and periodic
reviews report to the CAE while performing the reviews and communicate results directly to the CAE.

The CAE should report the results of internal assessments, necessary action plans, and their successful
implementation to senior management and the board.

Ongoing Monitoring (of internal assessments)

Ongoing monitoring is generally focused on reviews conducted at the engagement level. Thus, ongoing monitoring
helps the CAE determine whether internal audit processes are delivering quality on an
engagement-by-engagement basis.

Compared with periodic self-assessments, ongoing monitoring emphasizes evaluating conformance with the
performance standards.

Generally, ongoing monitoring occurs routinely throughout the year.

Ongoing monitoring is achieved primarily through continuous activities such as:

• Engagement planning and supervision,
• Standardized work practices,
• Workpaper procedures and signoffs,
• Report reviews

Additional mechanisms commonly used for ongoing monitoring include:

• Checklists or automation tools,
• Feedback from internal audit clients and other stakeholders,
• Staff and engagement key performance indicators (e.g., the number of certified internal auditors on staff, their years of experience in internal auditing, the number of continuing professional development hours they earned during the year, timeliness of engagements, and stakeholder satisfaction).

The processes and tools used in ongoing internal assessments include, among other things, measures of project
budgets, timekeeping systems, and audit plan completion.

Periodic Self-Assessments

Compared with ongoing monitoring, periodic self-assessments generally provide a more holistic, comprehensive
review of the Standards and the internal audit activity.

Periodic self-assessments are generally conducted by those with extensive internal auditing experience (e.g.,
senior internal auditors or certified internal auditors).

The internal audit activity conducts periodic self-assessments to validate its continued conformance with the
Standards and Code of Ethics and to evaluate:

• The quality and supervision of work performed.
• The adequacy and appropriateness of internal audit policies and procedures.
• The ways in which the internal audit activity adds value.
• The achievement of key performance indicators.
• The degree to which stakeholder expectations are met.

Adequate Supervision

Adequate supervision is a fundamental element of any quality assurance and improvement program (QAIP).
Supervision begins with planning and continues throughout the performance and communication phases of the
engagement. Adequate supervision is ensured through expectation-setting, ongoing communications among
internal auditors throughout the engagement, and workpaper review procedures, including timely sign-off by the
individual responsible for supervising engagements.

External assessment

External assessments must be conducted at least once every five years by a qualified, independent assessor or
assessment team from outside the organization.

The chief audit executive must discuss with the board:

• The form and frequency of external assessments.
• The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.

External assessments provide an independent and objective evaluation of the internal audit activity’s conformance
with the Standards and Code of Ethics.

External assessments of an internal audit activity contain an expressed opinion or conclusion on overall
conformance with the Code of Ethics and the Standards and possibly an assessment for each standard or series of
standards.

External assessments may be accomplished using one of two approaches: a full external assessment, or a self-assessment with independent external validation (SAIV).

1. A full external assessment would be conducted by a qualified, independent external assessor or assessment team. The team should be comprised of competent professionals and led by an experienced and professional project team leader. The scope of a full external assessment typically includes three core components:
   • The level of conformance with the Standards and Code of Ethics. This may be evaluated via a review of the internal audit activity’s charter, plans, policies, procedures, and practices. In some cases, the review may also include applicable legislative and regulatory requirements.
   • The efficiency and effectiveness of the internal audit activity. This may be measured through an assessment of the internal audit activity’s processes and infrastructure, including the QAIP, and an evaluation of the internal audit staff’s knowledge, experience, and expertise.
   • The extent to which the internal audit activity meets expectations of the board, senior management, and operations management, and adds value to the organization.
2. Self-assessment with independent external validation (SAIV). This type of external assessment typically is conducted by the internal audit activity and then validated by a qualified, independent external assessor. The scope of this assessment typically consists of:
   • A comprehensive and fully documented self-assessment process that emulates the full external assessment process, at least with respect to evaluating the internal audit activity’s conformance with the Standards and Code of Ethics.
   • Onsite validation by a qualified, independent external assessor.
   • Limited attention to other areas such as benchmarking; review, consultation, and employment of leading practices; and interviews with senior and operations management.

External assessors or assessment teams must be competent in two main areas:

• The professional practice of internal auditing (including current in-depth knowledge of the IPPF) and
• The external quality assessment process.

External assessors must have no real or apparent conflict of interest due to current or past relationships with the
organization.

Matters relating to independence include conflicts of former employees or of firms providing:

• the financial statement audit,
• significant consulting services, or
• assistance to the internal audit activity.

An individual in another part of the organization or in a related organization (e.g., a parent or an affiliate) is not
independent.

Peer review among three unrelated organizations (but not between two) may satisfy the independence
requirement.

Given concerns about independence, one or more independent individuals may provide separate validation.

Sub-unit 4 Reporting on quality assurance

The results of the QAIP must be reported to senior management and the board.

Senior management and the board must be kept informed about the degree to which the internal audit activity
achieves the degree of professionalism required by the IIA.

The chief audit executive must communicate the results of the quality assurance and improvement program to
senior management and the board. Disclosure should include:

• The scope and frequency of both the internal and external assessments.
• The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of interest.
• Conclusions of assessors.
• Corrective action plans.

To demonstrate conformance with the Code of Ethics and the Standards, the results of external and periodic
internal assessments are communicated upon completion of such assessments and the results of ongoing
monitoring are communicated at least annually.

The expression of an opinion or conclusion on the results of the external assessment is included in the external
assessment report. The report typically includes an assessment for each standard and an overall assessment for
each standard series (attribute and performance). These assessments are in addition to the overall conformance
results. The following is an example of a rating scale that may be used to show the degree of conformance:

a) Generally conforms. The top rating means that:
   • An internal audit activity has a charter, policies, and processes, and
   • Their execution and results conform with the Standards.
b) Partially conforms. Deficiencies in practice are judged to deviate from the Standards. But they do not preclude the internal audit activity from performing its responsibilities.
c) Does not conform. Deficiencies in practice are judged to be so significant as to seriously impair, or preclude, the internal audit activity’s ability to perform adequately in all or in significant areas of its responsibilities.

During an external assessment, the assessor may provide recommendations to address:

• Areas that were not in conformance with the Standards and
• Opportunities for improvement.

The CAE may provide management action plans to address recommendations from the external assessment.

The CAE also may consider

• Adding the recommendations and management action plans to the internal audit activity’s existing monitoring of progress related to internal audit engagement findings and
• Reporting on resolutions.

Verification that recommendations identified during the external assessment have been implemented is
communicated to the board either

• As part of the internal audit activity’s monitoring of progress or
• By following up separately through the next QAIP internal assessment.

The internal audit activity cannot claim to comply with the Standards unless it has a successfully functioning QAIP.

Indicating that the internal audit activity conforms with the International Standards for the Professional Practice of
Internal Auditing is appropriate only if supported by the results of the quality assurance and improvement
program.

Senior management and the board must be informed when an assessment discovers a significant degree of
nonconformance.

Nonconformance of this type refers to the overall internal audit activity and not to specific engagements.

When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the
internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior
management and the board.
