QAIP Manual2012 Jamaica

8/9/2019 QAIP Manual2012 Jamaica

1/159

GOVERNMENT OF JAMAICAGOVERNMENT OF JAMAICAGOVERNMENT OF JAMAICAGOVERNMENT OF JAMAICA

INTERNAL AUDITINTERNAL AUDITINTERNAL AUDITINTERNAL AUDIT

QUALITY ASSURANCE AND IMPROVEMENT PROGQUALITY ASSURANCE AND IMPROVEMENT PROGQUALITY ASSURANCE AND IMPROVEMENT PROGQUALITY ASSURANCE AND IMPROVEMENT PROG

(QAIP)(QAIP)(QAIP)(QAIP)

Policy and Procedures ManualPolicy and Procedures ManualPolicy and Procedures ManualPolicy and Procedures Manual

Revised March 2012


2/159


3/159

Table of ContentsPage

Preface 1

Section 1 The Internal Audit Quality Assurance Program 1.1 Overview of the QAIP 41.2 Managing an Internal Audit Unit 7

1.2.1 Understanding its Entitys Governance Structure 71.2.2 Evaluate the Organizations Risk Management Process 81.2.3 Define and Promote the Internal Audit Unit 81.2.4 Align IAUs Operation to the Organizations Plans 10

1.3 Conducting Audit Assignments1.3.1 Planning Assignments 111.3.2 Execution of Audit Assignment 141.3.3 Communicating Results 16

1.3.4 Follow up of Results 191.4 Managing Internal Audit Human Resources 19

Section 2 Conducting Internal Quality Assurance Reviews2.1 Definition 222.2 IQAR Components 23

2.2.1 Ongoing Reviews 232.2.2 Periodic Reviews 23

2.3 IQAR Policies2.3.1 Administering Periodic Internal Reviews 242.3.2 IQAR Review Cycle 25

2.3.3 Composition and Selection of QAR Teams 252.3.4 Review Team's Qualification 262.3.5 Rotation of Team Members including leaders 272.3.6 Establishing the Formal Self Assessment Scope

and Objectives 272.3.7 Reporting Format 28

2.4 Methodology Formal Self Assessment2.4.1 Planning and Preparation 292.4.2 Interviews with IAU clients 302.4.3 Self-Assessment Fieldwork 302.4.4 Self-Assessment Report 31

Section 3 Conducting the Quality Assessment and Independent (External) Validation 3.1 Definition 343.1.1 Self Assessment with (Independent) external validation 343.1.2 Quality Assessment 34


4/159

Page

3.2 Administering the Quality Assessment and Independent Validation 353.2.1 Quality Assessment 35

3.2.2 Self-Assessment with Independent Validation 353.2.2.1 Team Composition & Selection 363.2.2.2 Qualification of Validators 363.2.2.3 Tenure of Teams including Leaders 373.2.2.4 Scope and Objectives of the Validation Process 373.2.2.5 Reporting 38

3.3 Validation Methodology3.3.1 Planning and Preparation 383.3.2 Fieldwork 383.3.3 Interviews/Survey 393.3.4 Reporting 39

3.3.5 Follow-up 39Section 4 IAU Self-Assessment Report Specimen

Appendices:1 Self-Assessment Guide 522 Self-Assessment Evaluation Summary 593 Self-Assessment Planning Memorandum 674 Audit Effectiveness Questionnaire 705 Interview Guide: Audit Committee 726 Interview Guide: Accounting Officer 78

7 Interview Guide: Senior Operating Management 858 Interview Guide: Chief Internal Auditor 909 Interview Guide: Internal Audit Staff 9810 Audit Assignment Reviews 10611 Audit Client Survey 11212 Standard Conformance Guidelines 12-1 115

and Standard Conformance Evaluation Summary 12-2 12213 Quality Assessment Exercise Interview Guide 12614 Quality assessment Review Guide 13015 IAU Assessment Checklist 13216 IAU Risk Assessment Checklist 136

17 Staff Professional Proficiency Checklist 13918 IT Audit Assignments Review Guide 142

Other Tools:Assessing Production and Value Added 150Observations & Issues Worksheet 153


5/159

PREFACEPREFACEPREFACEPREFACE


6/159

Quality Assurance and Improvement Programme Policy IAD, MoFP | 1

PREFACE

The Ministry of Finance and Planning has taken the initiative to further strengthen the Internal

Audit Units' (IAUs) activities by developing a policy on "Internal Audit Quality Assurance",consistent with the Institute of Internal Auditors (IIA) standards.

In employing a quality assurance and improvement program, stakeholders of the internal audit

unit are reasonably assured that its activities are performed in accordance with international

standards and operated in an effective and efficient manner.

An effective Quality Assurance and Improvement Program begins with instituting policies,

procedures and practices (consistent with the IIA Standards) in an effort to ensure quality of

service to one's clients. These are complemented with the deliberate execution of ongoing and

periodic reviews of the internal audit activities against appropriate standards, leading/ best

practices, established goals and performance targets.

Each Internal Audit Unit was required to implement the IIA Standards as at April 1, 2008.

During the implementation and subsequently thereafter, each unit will be required to carry out

ongoing reviews of its operations and performance. The review will be carried out periodically toevaluate its activities' level of conformance with the IIA Standards and this policy document.

Each Internal Audit Unit is required to conduct a self assessment (i.e. periodic review) every five

(5) years. . Section 2 "Conducting Quality Assurance Internal Reviews" outlines the policies

and procedures for performing a self assessment Review.

In order to verify each IAUs level of conformance to the IIA standards, a team of qualified

officers will perform a Quality Assessment as is deemed necessary. This exercise is to determine

the IAUs level of readiness for external validation which will be conducted thereafter. Section 3

Conducting Validations outlines the policy and procedures for independent validation. The

Independent validation will enable the IAU to declare that their IAU operations are "conducted

in accordance with the (IIA) Standards for the Professional Practice of Internal Auditing".


7/159


Heads of Internal Audit Units are expected to display a strong and deliberate commitment to

effect a quality assurance and improvement program in their units and are encouraged to use this

policy as a guide.

Quality is never an accident; it is always the result of high intention, sincereeffort, intelligent direction and skillful execution; it represents the wise choiceof many alternatives.

William A. Foster

Quality should be inbuilt in the activities, functions, methodology, policies andprocedures, and the human resource practices of the internal audit unit,

rather than being seen as an add -on activity

The Institute of Internal Auditors (IIA) QAIP improvement guide


8/159

Section 1Section 1Section 1Section 1The Internal AuditThe Internal AuditThe Internal AuditThe Internal Audit

Quality Assurance ProgramQuality Assurance ProgramQuality Assurance ProgramQuality Assurance Program


9/159

SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM


OVERVIEW OF THE QAIP PROCESS

The Quality Assurance and Improvement Program (QAIP) is not an attempt to reinvent the

wheel but rather to ensure that the Internal Audit Unit consistently provides quality and value-

added services to its stakeholders.

The Chief Internal Auditor (CIA) is ultimately responsible for implementing a structured QAIP

and should lead by example by embedding quality into the internal audit activity. This should

cover all aspects of the Unit's management and operations outlined in the Standards and best

practices of the profession. It should be noted however, that the entire internal audit activity is

responsible for delivering quality; internal auditors are professionals and should be committed to

delivering quality services. A fundamental concept of the QAIP is that the IAU's operationsshould be in alignment with the Institute of Internal Auditors Standards and guidelines issued by

the Ministry of Finance and the Planning.

A QAIP should conclude on the quality of the internal audit activity and lead to

recommendations for appropriate improvements. It enables an evaluation of:

Conformance with the Definition of Internal Auditing, the Code of Ethics, and the

Standards.

The adequacy of the internal audit activity's charter, goals, objectives, policies, and

procedures.

The contribution to the organization's governance, risk management, and control

processes.

Completeness of coverage of the entire audit universe.

Compliance with applicable laws, regulations, and government or industry standards to

which the internal audit activity may be subject. The risks affecting the operation of the internal audit activity itself. The effectiveness" of continuous improvement activities and adoption of best practices. Whether the internal audit activity adds value, improves the organization's operations, and

contributes to the attainment of objectives.


10/159



To achieve comprehensive coverage of all aspects of the internal audit activity, a QAIP must

effectively be applied at three fundamental levels (or perspectives):

Internal Audit Activity Level (self-assessment at the internal audit activity or

organizational level):

The CAE is responsible for providing assurance that:

Written policies and procedures, covering both technical and administrative matters,

are formally documented to guide audit staff in consistent conformance with the

Definition of Internal Auditing, the Code of Ethics, and the Standards.

Audit work conforms to written policies and procedures Audit work achieves the general purposes and responsibilities described in the

internal audit charter. Audit work conforms to the Definition of Internal Auditing, the

Code of Ethics, and the Standard

Internal audit work meets stakeholders expectation

The internal audit activity adds value and improves the organization's operations.

Resources for the internal audit activity are efficiently and effectively utilized.

Internal Audit Engagement Level (self-assessment at the audit, engagement, or

operational level):

The engagement supervisor (possibly a manager or the CAE/CIA) is responsible for providing

assurance that:

Appropriate processes have been used to translate audit plans into specific and

appropriately resourced audit engagements.

Planning, fieldwork conduct, and reporting/communicating results conform to the

Definition of Internal Auditing, the Code of Ethics, and the Standards.

Appropriate mechanisms are established and used to follow-up management actions in

response to audit recommendations


11/159



Post-engagement client surveys, lessons learned, self-assessments, and other

mechanisms to support continuous improvement are completed.

External Perspective (independent external assessment of the entire internal audit

activity including individual engagements):

The External Assessors will validate that:

Audit work conforms to written policies and procedures. Audit work achieves the general purposes and responsibilities described in the

internal audit charter.

Audit work conforms to the Definition of Internal Auditing, the Code of Ethics,

and the Standards. "1

Figure 1 - IIA QAIP Framework

1 IIA_IPPF_PG_-_Quality_Assurance_and_Improvement_Program_March_2012.pdf


12/159



A fundamental concept of the QAIP is that the IAU's operations should be in alignment with the

Institute of Internal Auditors Standards and guidelines issued by the Ministry of Finance and

Planning.

When implementing the IIA Standards, the CIA is expected to give particular attention to the

following main audit activities: Managing an Internal Audit Unit Conducting Audit Assignments Managing Internal Audit Human Resources

The applicable standards for these activities are discussed below:

1.1 MANAGING AN INTERNAL AUDIT UNITWhether establishing a new or managing an existing internal audit unit, the Head of any IAU

should execute these sub-activities in a manner that will assist his/her government entity in

meeting its overall objectives. Each internal audit unit must implement and maintain

documented standard operating procedures (SOP) which incorporates its standard level of

performance for each area/activity within its operations. The SOP should be reviewed on an

ongoing basis and the approval of the audit committee and the accounting officer obtained.

IAU Officers must, among other things, understand their entitys governance structure; evaluate

the organisations risk management process; define and promote the IAU and align the IAUs

operations to the organisations plans.

1.1.1 Understand its Entitys Governance Structure

(Standard 2130 and Practice Advisory 2120)

The IAU must contribute to the Ministry/Departments governance process by evaluating

the entitys accomplishment of: Promoting appropriate ethics and values within the organization. Ensuring effective organizational performance management and accountability.


13/159



Effectively communicating risk control information to appropriate areas of the

organization. Effectively coordinating the IA activities and communicating information among the

Accounting officer, the audit committee, external and internal auditors, management

and if applicable the board of directors.

The CIA must become familiar with and maintain copies of the Acts, Regulations,

policies and procedures, which guide the operations of the Ministry, Department or

Agency. The Financial Administration and Audit Act, The Public Bodies Management

and Accountability Act and The Financial Instructions to Executive Agencies Act are

three examples of legislations which guide the accounting and administrative functions of

Ministries, Departments, Agencies and public bodies respectively.

1.1.2 Evaluate the Organisations Risk Management Process(Standard 2100 and Practice Advisory 2100-3)

Most government entities do not have a structured risk management process.

Nonetheless, IAUs are encouraged to assist their organisation by identifying, evaluating

and making appropriate recommendations concerning the organizations exposure to

significant risks. The risk assessments should be conducted during the development ofthe audit plan and execution of individual audit assignments.

1.1.3 Define and Promote the Internal Audit Unit (Standard 1000)

It is important that officers within the IAU understand their roles and responsibilities so

that they are able to promote the activity to their stakeholders. The following are

minimum steps that may be instituted by the IAU to achieve this objective.

Develop an Internal Audit Charter (Practice Advisory 1000-1)

The internal audit charter provides the functional and organizational framework for the

IAUs activities. It defines, among other things, the IAUs:

Independence; Purpose;


14/159


15/159



1.1.4 Align IAUs Operation to the Organisations Plans (Standard 2000) The CIA should ensure that he/she:

Develops and Implements Corporate and Operation Plans (Standard 2010)

IAUs are mandated to assist their organisation in achieving its strategic objectives by

performing ongoing evaluations and providing constructive recommendations for

improvement.

The IAU must therefore ensure that their corporate and operational plans are aligned

with its organisations plans and reflect how it will assist in achieving the overall

objectives. (Refer to the GOJ Internal Audit Manual or your organisations corporate

planning procedures for further guidance).

Develops and Implements its Internal Audit Plan (Standards 2010 and 2020)

The audit plan must be determined from a risk assessment undertaken at least

annually. Input should be sought from management to identify possible areas to be

audited. The Audit Plan should be reviewed and approved by the Audit Committee.

The selection and number of audit assignments listed on an audit plan depends on the

risk identified, availability of IAU resources and staffing. The CIA should make an

allowance in the audit plan for special requests (consulting services) from

management but must ensure that the unit and its auditors independence are not

impaired by the provision of these services.

Where changes in the environment has led to significant modifications in the Units

annual/operational plans, the Chief Internal Auditors must document the reasons for

such changes, indicate the likely implications/changes in risk exposures etc and

obtain the necessary approvals from the audit committee.


16/159


17/159


18/159



Allocation of Resources (Standard 2230)

The availability of resources (IT, accommodation, travel, materials); staff availability and

competence are important in determining the scope, objective, audit time and

methodology of the assignment.

Audit staff should possess knowledge, skills and other competencies needed to perform

given audit assignments.

If the IAU lacks the knowledge, skills or other competencies needed to perform all or part

of the assignment, technical assistance should be sought or external consultants engaged.

Preparation of Risk Analysis and Audit Programs (Standard 2201, 2240)

The CIA/Team leaders must establish procedures for identifying, analyzing, evaluating

and recording information during the audit. The CIA/team leader should approve the risk

assessment (Control Overview/Risk Matrix) with the detailed audit programs before

commencement of the audit fieldwork. Any subsequent changes to the approved audit

programs must also receive prior approval from the CIA/team leader to be effected.

Written justification of these changes should be reflected in the audit working paper files.

Every audit assignment must have an audit program which must capture the following

elements:

The audit objectives The audit criteria which speaks to the standard of measurement against which the

auditable area will be reviewed. Details of the methodology to be employed in the execution of the audit steps Audit evidence or findings, supporting the audit program, must be adequately

recorded.


19/159



Audit Checklist (Standard 1311)

Throughout the audit engagement, the CIA/Team Leader should cross-check and

complete the Planning Memorandum/Checklist to ensure that all essential tasks are

completed.

1.2.2 Execution of Audit Assignment (S tandard 2300)

Obtaining and Identifying Information (Standard 2310)

Auditors must obtain and identify sufficient, useful and relevant information to achieve

the engagements objectives.

The auditor must know what type of data that s/he will require to determine how best to

present his findings; use of spreadsheets, tables and layouts.

Analysis and Evaluation (Standard 2320)

Audit evidence and conclusions must be based on appropriate analyses and evaluation of

information collected. Therefore Internal Auditors need to consider the following factors

when selecting analytical audit procedures to achieve the audit objective: The significance of the area being examined;

The adequacy of the system of internal control; The availability and reliability of information;

In order to meet the demands of stakeholders for real time assessment of the controls in

place and their vulnerability, Internal Auditors are encouraged to use Computer-Aided

Audit Tools and Techniques to analyze and collate their audit evidence.

Presentation of Working Papers (Standard 2330)

Working papers record, among other things, the significant findings resulting from the

performance of audit steps. Working papers must support and provide documentary

evidence to support audit findings and conclusions. The audit finding must record the

criteria used for the evaluation of a particular task or activity or operation. ( Refer to the

GOJ Internal Audit Manual for working paper templates.)


20/159


21/159



1.2.3 Communicating Results (Standard 2400 )

During the Audit : (Standard 2440.C1 ) Oral Communication

It is important to communicate with management, as the audit progresses, on any

pertinent issue. Auditors should communicate with the management team concerns of any

control risk identified so that mutual understanding and agreement to facts and solutions

is assured; this includes communicating with management on any difficulties being

experienced in obtaining records, documents.

Local Observation /Audit Query/Management Letter

A local Observation/Audit Query is a type of flash report/query that is issued to

management during the audit. This is a formal way of bringing to managements attention

any significant issues or material weaknesses that are found during the audit which may

require immediate attention. It also serves as a means of receiving formal responses to

issues identified during the audit.

Exit Interviews/Conference (Standard 2410 and Practice Advisory 2410.A1)

The main objective of exit interview is to discuss the findings, to resolve conflicts, toidentify managements actions and responses to the findings and to generate

commitment for implementation of recommendations.

Exit interview should be conducted on completion of the audit fieldwork, outlining

audit issues, auditors opinion and/or conclusions. Notes of exit interviews should be

maintained on the audit file. If appropriate, the notes should be signed by

management.

The IAU has a responsibility to communicate to the Audit Client the implications

of not adequately addressing the risk exposure of the organization and

managements response indicating its acceptance of the risks identified. (Standard

2600)


22/159



Preparation of Audit Report (Standard 2410 )

The audit report must communicate the objectives, scope, general criteria, results,

appropriate recommendations and conclusions of the audit review. ( See GOJ Internal

Audit Manual for presentation guidelines)

The Summary of Significant Issues & Findings may be written during the fieldwork on

the completion of each segment of the audit program. The Summary of Significant Issues

& Findings may act as the platform on which the audit report is developed. (Refer to the

GOJ Internal Audit Manual)

Quality of Communication (Standards 2420 and 2430)The audit report should be accurate, clear and concise. The report must include all the

critical elements criteria, findings/conditions, cause, implications/effects, and

recommendations. Refer to the GOJ Internal Audit Manual

Disseminating Results/Report to Appropriate Persons (Standard 2440)

Issuing Audit Reports

All working papers and reports should be treated with a high level of

confidentially and should only be disclosed or made available to relevant parties.

Draft Audit Reports should be issued within two (2) weeks after completion of

audit fieldwork to the relevant parties.

An Exit Interview should be scheduled within two (2) weeks after the Draft

Report has been issued. Initial responses should be documented and confirmed

within this meeting. A second issue (manual/soft copy) should then be donewithin a week after the interview . This second issue serves to solicit final

confirmation and/or clarification from management of statements made within the

Exit Interview.


23/159



Final Audit Reports with confirmed managements response should be issued

within three (3) weeks after the Exit Interview . For the purposes of this

document, A FINAL AUDIT REPORT is one that contains confirmed

managements comment(s).

The CIA may consider an audit assignment closed/completed after submission

of a final audit report.

In instances where management has failed to respond to the draft audit report the

CIA may consider the audit assignment closed, after submitting at least two

written requests for confirmation of managements comments; and these actions

are to be carried out no later than four (4) weeks after the second issuance of

the draft report with the initial managements response.

Field Work

2 weeksDraft Report2 weeks

Exit Interview1 week

Draft Report (second issue)2 weeks

Final Audit Report(with confirmed Management Reponses) 4 weeks

Completed Audit Report

(without confirmed Management Reponses)

NB. Auditors are encouraged to close the audit in theshortest possible time.

SUMMARY (Maximum Days)


24/159



1.2.4 Follow-Up of Results (Standard 2500)There must be a process of follow-up to monitor and ensure that management actions

have been effectively implemented. Follow up must be scheduled, subject to the action

plan declared by management to eliminate or reduce the deficiencies identified in the

audit report. The CIA should follow up implementation of audit recommendations at least

six (6) months after the issue of the final audit report.

1.3 Managing Internal Audit Human Resources

A key factor to the success of any IAU is competent officers who possess the requisite

knowledge and skills and are encouraged to pursue continued training for professional

development. Each IAU human resource management practices are subject to those of its

organisation. However, the following are some areas that the CIA must give particular attention:

Hiring As part of the hiring process, the CIA should attain assurance of qualification and

proficiency of applicants by getting copies of certificates, checking references and

identifying relevant job experience previously gained.

Performance Reviews Work plans/targets should be developed from IAUs Operational and Audit plans for

audit teams, which will be used as the basis for the Performance Management

Appraisal System. Ongoing and annual performance reviews should be conducted to assess staff

competences, identify areas of weaknesses and strengths. The reviews should give a

balanced assessment and be designed in a manner that allows both supervisor and

staff to identify ways of correcting the weaknesses as well as improving/maintaining

the strengths.


25/159


26/159

Section 2Section 2Section 2Section 2

ConductingConductingConductingConducting

Internal QuaInternal QuaInternal QuaInternal Quality Assurancelity Assurancelity Assurancelity Assurance ReviewsReviewsReviewsReviews

(IQARs)(IQARs)(IQARs)(IQARs)


27/159

SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS


The purpose of an Internal Quality Assurance Review (IQAR) is to ensure compliance with the

Financial Administration and Audit Act (FAA Act) and related internal audit guidelines, and

the

1

International Standards for the Professional Practice of Internal Auditing (the Standards ) byeach internal audit unit. Every financial year, IAUs are expected to conduct quality assurance

reviews of their operations.

2.1 DEFINITION

Internal Quality Assurance Review (IQAR) includes both ongoing and periodic assessments of

the IAU's processes and related practices. Ongoing reviews are limited evaluations or inspections

embedded within the various processes or activities of the IAU and periodic reviews are detailed

assessments conducted from time to time, to assure consistent practices within the unit.

Chief Internal Auditors are expected to conduct both periodic review which incorporate both

issue-specific reviews (focus on a particular audit activity/process) and formal self-assessments

(focus on several activities of the internal audit unit). The reviews should be designed to

evaluate: The IAU's conformance with its Charter, the IIA Professional Standards and Code of

Ethics; The efficiency and effectiveness of IAU's operations in meeting the needs of its

various stakeholders.

This complement of ongoing monitoring and periodic self-assessments provides an effective

structure for continuous assessment of internal audit conformance and improvementopportunities.


28/159



2.2 IQAR COMPONENTS

2.2.1 Ongoing Reviews

Ongoing reviews may include, among other activities, any or a combination of the following: Built-in supervisory reviews for each audit activity; Feedback from client surveys on individual audit assignments; Analyses of established performance metrics; Annual risk assessments to guide the development of the IAU's audit plan; Chief Internal Auditor's approval of all final reports and recommendations; Reviews of Audit Policies and Procedures used in each audit assignment to ensure

compliance with applicable planning, fieldwork and reporting standards; Regular, documented review of working papers during audit assignments by

appropriate internal audit staff. This includes but not limited to the review and

approval of risk assessment and audit programs by audit supervisor and/or CIA prior

to audit execution/fieldwork;

Using measures of project budgets, timekeeping systems, and audit plan completion

to determine if appropriate time is spent on different aspects of the audit process, as

well as high risk and complex areas

Any weaknesses or areas for improvement should be addressed on an ongoing basis, as they are

identified, and the results of ongoing monitoring must be reported.

2.2.2 Periodic Reviews

As indicated in 2.1 above, periodic reviews include both issue-specific reviews and formal self-

assessments.

2.2.2.1 Issue-specific reviews may include (among others) any of the following activities:

Review of project budgets; timekeeping systems, audit plan completion and cost

recoveries. Working paper reviews for performance in accordance with GOJ internal audit

policies and IIA standards. In this instance, a supervisor, independent of the audit

assignment, would conduct a secondary review of working papers and related audit


29/159



report. The review is done only for completed audit assignments. (Appendix 10 -

Audit Assignment Reviews).

Bi-annual Client Survey (Appendix 11 - Client Survey) Review of internal audit performance metrics and benchmarking of best/leading

practices, prepare and analyse with GOJ Audit Policies and Guidelines as well as the

IAU's procedures. Periodic activity and performance reporting by the Audit Committee, Accounting

Officer and IAD.

2.2.2.2a Periodic self-assessment includes the following activities: Performance of Client Surveys; Interviews, observations and walkthrough of the

units processes/activities; Review of Selected Audit Assignments; Completion of the Self-Assessment Guide (Appendix 1) ; and Report on the Self-Assessment Exercise with recommendations and plan of

action.

2.2.2.2b. Formal Self-Assessment includes the following activities:

Subject to the scope of the self-assessment, the reviews may include any of thefollowing activities:

Activities outlined under Ongoing and Issue-Specific Reviews (2.2.1 and 2.2.2a)

2.3 IQAR - POLICIES

2.3.1 Administering Quality Assurance Reviews The IIA Standards recommend that periodic reviews be carried out by the internal audit

unit or by other individuals within its organisation who have knowledge of internal audit

practices and the IIA Standards.


30/159



The Ministry of Finance & Planning requires all IAUs to use trained officers within the

IAU to perform both ongoing and periodic internal reviews. Where an IAU has only one

officer, the officer should use his/her discretion in effecting appropriate review activities.

2.3.2 IQAR Review Cycle

Periodic reviews that are issue-specific may be carried out by the IAUs at prescribed

times set out by the Chief Internal Auditor. The CIA should institute both ongoing and

periodic formal reviews in his annual schedule of activities.

The CIA must ensure that a formal self-assessment is conducted at least every five (5)

years. Upon completion of the self assessment report, this should be submitted to the

Internal Audit Directorate for the initiation of the independent validation process there

after.

2.3.3 Composition and Selection of IQAR Teams

2.3.3a. Ongoing Reviews and Issue Specific Reviews : The Chief Internal Auditor should use his/her discretion in selecting officers who will

perform these reviews. He/she must however, ensure that the reviewer is competent to

perform such reviews.

2.3.3b. Formal Self-Assessment

The Internal Review Team will consist of no less than two persons and will be selected

based on the scope and objectives of the internal review.

Where an Internal Audit Unit has difficulty implementing a formal assessment program

due to constraints such as staff limitation, the Chief Internal Auditor should consult with

the Internal Audit Directorate.


31/159



2.3.4 Review Teams' Qualification

2.3.4a. Ongoing Reviews and Issue Specific Reviews The Chief Internal Auditor should use his/her discretion in setting the qualification

criteria for officers who will perform these reviews.


Internal reviewers should possess the following qualifications. There are two

qualification levels: Team Leaders

Three years of managerial/supervisory experience in internal auditing Thorough knowledge of the IIA Standards Hold a Bachelor's Degree, CIA or CGAP designation Good communication and human relationship skills Technical knowledge in at least two of the following areas - compliance,

financial, operational, management and information systems/technology auditing Thorough understanding of the industry within which the IAU's organisation falls Good judgment, analytical and research skills Trained in internal audit quality assurance reviews - assessment of participants

Team Members Two years of supervisory experience in internal auditing; Thorough knowledge of the IIA Standards; Hold a Bachelor's Degree or completed Auditing Techniques level 1 Good communication and human relationship skills; Technical knowledge in at least two of the following areas - compliance,

operational, financial reporting, management and information systems/technology

audits; Working knowledge of the industry within which the IAU's organisation falls; and


32/159



Good judgment, analytical and research skills.

2.3.5 Rotation of Team Members including Leaders

2.3.5a. Ongoing Reviews

As ongoing reviews will be the responsibility of different categories of auditors, the CIA

should assign those reviews so that they are effectively carried out.


Each member of the team may serve for two consecutive reviews and will be eligible for

reappointment after sitting out a term.

This guideline will not apply in instances where the IAU has only one officer.

2.3.6 Establishing the Formal Self Assessment Scope and Objectives

The Internal review should be a collaborative effort between the Chief Internal Auditor

and the review team. Where possible, the CIA may invite the Audit

Committee/Accounting Officer to suggest areas for review.

The following are the minimum objectives that should be reviewed during an IQAR

- Formal Self-Assessment

Conformance with the Standards, The IIA's Code of Ethics, and the internal audit

unit's charter, plans, policies, procedures, practices, and applicable legislative and

regulatory requirements;

Expectations of the internal audit unit expressed by the audit committee, executivemanagement, and operational managers;

Integration of the IAU in the organization's governance process, including the

attendant relationships between and among the key groups involved in that

process; Tools and techniques employed by the IAU;


33/159



Mix of knowledge, experience, and disciplines within the staff, including staff

focus on process improvement; Determination as to whether or not the IAU adds value and improves the

organization's operations; and Prepare the IAU for an independent validation.

2.3.7 Reporting Format

In the planning phase of the review, the CIA should determine and agree with the review

team, as to:

1. How the findings and recommendations will be recorded

2. How findings and recommendations will be reported and the format of the final

report.

The review team is encouraged to produce a balanced report which also includes positive

findings and constructive issues/ recommendations for improvement.

2.4 METHODOLOGY - FORMAL SELF-ASSESSMENT

The review team should ensure that there is adequate documentation of the self-assessment exercise, as their work will be subject to verification by a validation team.

The review team may apply the methodology below in its performance of a self-

assessment.


34/159



2.4.1 Planning and Preparation

The CIA and the Team leader should review the Standards Conformance Guidelines

(Appendix 12-1/2, 12-2/2) to ensure that they are aware of all aspects of what

conformity to the Standards means. Refresh/or sensitize other members of the team of

the applicable Standards and the criteria used to judge the IAU.

2.4.1a. Prepare the Self-Assessment Planning Memorandum

The CIA may delegate the preparation of this document (Appendix 3) but should

review its accuracy and completeness. The CIA/Team Leader should ensure that the

scope and objectives of the engagement are clearly defined and understood.

2.4.1b. Review and modify, as appropriate, the Self-Assessment Guide.

The self-assessment team should have extensive knowledge of the IAUs function

(particularly its mission/charter, structure, processes, and staffing), consequently, it

may not be necessary to perform all of the program steps in order to evaluate and

reach valid conclusions on those areas. Also consider pertinent best practices from

professional literature and other benchmarking sources such as GAIN . (Appendix 1 -

Self-Assessment Guide)

2.4.1c. Distribute Audit Client Surveys to a representative sample of the IAU.

This activity may be reduced or omitted, based on the extent to which the IAU

routinely does similar surveys and recent pertinent results are available.

Summarize and analyze the survey responses, including comments for subsequent use

in enhancing interviews. Extract indicators of the IAUs effectiveness, significant

trends, etc

Select a representative sample of audit and consulting engagements for a review of

planning, working paper, supervision, results and communication issued. Select


35/159



several additional reports for review and consider the adequacy and timeliness of

implementation and follow-up.

2.4.2 Interviews with IAU Clients

If the IAU regularly receives feedback from its clients through post audit surveys or

periodic meetings, then further interviews may not be necessary or may be reduced. In

such instances, it could be arranged so that the validator interviews such clients instead.

The team should summarize and analyze the interview responses; compare these results

with those from the survey; identify areas for improvements; and any other relevant

issues. (Appendices 5 - 9 Interview Guides)

2.4.3 Self-Assessment Fieldwork

The review team will carry out the relevant steps reflected in the SelfAssessment Guide

signed off by the CIA and the team leader. (Appendix 1 - Self Assessment Guide)

The CIA and team leader should ensure that the files and other items to be reviewed are

complete and available. The team should consider all questions and requests for

information and evaluative comments in relation to the assessments scope and

objectives.

The team should ensure that responses and findings are adequately documented.

Whenever a brief response will suffice, in lieu of an attachment, write it in the space provided.

The attachments furnished should be described briefly within the checklist and clearly labeled. If

the requested document/information is not attached to the checklist (i.e., not considered relevant

or to be made available later), so state on the checklist where the attachment is called for and

ensure that it will be readily available for later reference.

The team should give consideration to the following areas when evaluating the IAUs

operation:


36/159



2.4.3a IAUs Structure and Organisation

Assess the IAUs charter, mission statement, goals, organizational structure,

procedure manual and processes for managing the unit.

2.4.3b Risk Assessment & Audit Planning

Evaluate to what extent the IAUs strategic, operational and audit plans are aligned to

its organisation. Also consider the effectiveness of the IAUs planning process in

making optimum use of its resources.

2.4.3c Human Resource Skills and Experience

Assess aspects of the Units human resource management such as the staff

complement, their skills and qualifications; succession planning, empowermentpractices.

2.4.3d Information Technology and Systems Review

Review the IAUs capability and coverage of Information Technology in its audit

plan to review selected IT assignments.

2.4.3e IAUs Operational Activities

Assess the appropriateness of the planning, control, supervision and use of resources

on individual assignments; adequacy of audit documentation; form, content and

effectiveness of the communications and implementation follow-up. ( Appendix 10

Audit Assignment Reviews)

2.4.4 Self-Assessment Report

The team should discuss potential report items with the CIA. To the extent possible, the

team should include agreed actions to be taken by the CIA, in response to report

recommendations, along with a schedule of implementation follow-up and closure of the

agreed actions. (Refer to Appendices 12 2/2 Standard Conformance Evaluation

Summary & Section 4 - Specimen Report)


37/159



In instances, where an independent validation will be carried out, the Self-Assessment

Report will also be subjected to the Validating Teams review.


38/159


ConductingConductingConductingConducting

TheTheTheThe Quality AssQuality AssQuality AssQuality Assessmentessmentessmentessment andandandand Self AssesSelf AssesSelf AssesSelf Assessmentsmentsmentsment

withwithwithwith Independent (external) ValidationIndependent (external) ValidationIndependent (external) ValidationIndependent (external) Validation


39/159


40/159

SECTION 3:CONDUCTING THE QUALITY ASSESSMENT AND INDEPENDENT (EXTERNAL)

VALIDATION

Quality Assurance and Improvement Programme Policy IAD, MoFP 35

The scope of the QA will include coverage of the entire internal audit activity, which are those

elements highlighted above and in the practice guide issued by the IIA on the QAIP (March

2012), as well as other elements deemed necessary to complete the assessment. Using the model

presented in the QAIP framework diagram on page 7, this would include the quality of thegovernance activities and structures, professional practices, and communication processes.

2.6 ADMINISTERING THE QUALITY ASSESSMENT ANDINDEPENDENT VALIDATION

2.6.1 Quality AssessmentA team of qualified officers headed by the IAD will conduct a quality assessment(preliminary review) of the IAU to provide assurance of the IAUs readiness for the

independent(external) validation which asserts compliance with applicable GOJ/IIA

Standards; adoption of best practices; and level of operational efficiency and

effectiveness. The methodology and composition of the QA team will be decided on by

the IAD who will during the design of the methodology and team composition, consider

matters such as IAUs size, scope of the assessment, previous external assessments, and

conflict of interest issues.

2.6.2 SelfAssessment with Independent Validation Within the context of the GOJ quality assurance and improvement program, all internal

audit units are required to obtain validation of their self-assessments.

The purpose of such a review is to provide an independent assessment of the IAUs

compliance with applicable IIA Standards; adoption of best practices; and level of

operational efficiency and effectiveness, thereby enabling the IAU to declare that theiroperations are conducted in accordance with the (IIA) Standards for Professional

Practice of Internal Auditing.


41/159


VALIDATION


2.6.2.1 Team Composition and SelectionThe size of the validation team will be dependent upon the size of the IAU and the scope

of the engagement but should not consist of less than two persons (team leader and

member).

The Independent Validation team will be drawn from members of the IIA local Chapter

and suitably qualified external persons/organisation.

Team Leaders must satisfactorily complete a requisite competency test and be

interviewed by a selection panel to be determined by the Ministry of Finance and

Planning before final selection is confirmed.

Team members selected to participate in assessments must be free from any obligation

to, or interest in the organization or related organizations in which the IAU

functions. They should be independent and have no real or apparent conflict of

interest. Independence of the organization means "not a part of, or under the

control of the organization to which the IAU belongs 3.

2.6.2.2 Qualification of Validators

3.2.2.2a. Team Leaders

Team leaders must satisfy the following minimum qualifications:

o Five years of managerial/supervisory experience in auditingo Possess a Bachelors Degreeo Possess CIA, CGAP, ACCA, CISA, etc. designationo Technical knowledge in at least two of the following areas of audit -compliance,

operational, financial, management and information technology

o Thorough knowledge of the organization, industry in which the IAU functionso Thorough knowledge of the IIA Standardso Good communication/interviewing skills

3 Practice Advisory 1312-1


42/159


VALIDATION


o Excellent analytical and research skillso Trained in audit quality assurance reviews

3.2.2.2b. Team Members

Team members must satisfy the following criteria:

o Two years managerial/supervisory experience in auditingo Hold a Bachelors Degreeo Possess or pursuing CIA, CGAP, ACCA, CISA, etc. designationo Technical knowledge in at least two of the following areas-compliance, operational,

management and information technology auditing

o Working knowledge of the organization, industry in which the IAU functionso Thorough knowledge of the IIA Standardso Good communication, analytical and research skillso Trained in audit quality assurance reviews

2.6.2.3 Tenure of Team Members including LeadersIn order to maintain objectivity and to avoid conflict of interests, team members must be

rotated and should not serve on the same validation team of an entity for more than two

consecutive reviews.

2.6.2.4 Scope and Objectives of the Validation ProcessAs indicated in Section 2 Conducting Internal Quality Assurance Reviews, the

Validation Team Leader, the IAD and the Chief Internal Auditor should all agree on the

nature, scope, scope limitations and specific responsibilities attached to the validation

process.

The Validation Team will carry out performance review tests to determine the soundness

of the conclusions and recommendations drawn by the Unit's self-assessment exercise.


43/159


VALIDATION


2.6.2.5 ReportingA meeting should be arranged by the Validation Team to discuss the findings and provide

the CIA an opportunity to respond to issues raised in the assessment exercise.

The final report, including the CIAs response and action plan, should be signed off by

the CIA and the Validator. The report should then be issued to the CIA along with copies

included for distribution to the Audit Committee, Accounting Officer of the relevant

Ministry/Department and the Ministry of Finance and Planning.

3.3 VALIDATION METHODOLOGY

3.3.1 Planning and Preparation

The Validating Team Leader should ensure that all the necessary preparation has been

finalized prior to commencing the validation work.

Logistics

Logistical arrangements such as how much work can be done off-site, the length of the

on-site visits, form and content of the report and other administrative details should also

be agreed on with the IAD and the CIA.

Off- site ReviewSelf-assessment and other materials completed by IAU should be analyzed off site prior

to the on-site review. ( Appendix 1 - Self Assessment Guide )

3.3.2 Fieldwork

On-site review of self-assessment documentation, performance of limited tests with

reference to source documents and interviews will be conducted over a two five days

period, depending on the scope, size and structure of the IAU.


44/159


VALIDATION


3.3.3 Interviews/Surveys

Where applicable, interviews should be conducted with the Accounting Officer, chairman

of the audit committee and other clients of the IAU. These interviews will provide the

independent validator with direct input from the highest levels of oversight and the

necessary checks and balances to validate interviews/surveys conducted in the self-

assessment. (Appendices 8 13: Interview Templates)

3.3.4 Reporting

A summary of issues and recommendations, discussed at the closing conference, should

be documented. A draft report should also be prepared outlining the validation

procedures and results, opportunities for improvement and other recommendations of the

independent validator. The CIA should be given the opportunity to respond to the

recommendations and provide appropriate action plan. The final validation report should

be signed off by the CIA and Validator and issued to the relevant parties.

The report should express an opinion on the adequacy of the self-assessment process and

indicate the level Internal Audit Units level of conformity to the IIA Standards and the

Ministry of Finance & Planning. (Appendix 6 Standards Conformance Summary)

3.3.5 Follow up (optional)A follow-up visit may be scheduled to monitor the CIAs action plan of the

recommendations. The validator may also be invited to meet with senior management

and discuss the recommendations/ plan of action to be implemented.


45/159



46/159



IAUIAUIAUIAU SELF ASSESSMENT REPORTSELF ASSESSMENT REPORTSELF ASSESSMENT REPORTSELF ASSESSMENT REPORT

SPECIMENSPECIMENSPECIMENSPECIMEN


47/159


48/159

SELF ASSESSMENT REPORT SPECIMEN


EXECUTIVE SUMMARY

The Ministry/Department/Agency conducted a self-assessment of its internal audit services (IA). Theprincipal objectives of the assessment were to assess Ministry/Department/Agencys conformity to TheIIAs Standards for the Professional Practice of Internal Auditing (Standards) and Government of

Jamaica (GoJ) guidelines , evaluate IAs effectiveness in carrying out its mission (as set forth in itscharter and expressed in the expectations of management), and identify opportunities to enhancemanagement and work processes, as well as the IAs value to Ministry/Department/Agency.

As part of the preparation for the self-assessment, we prepared a self-study, with detailed documentation,and sent out surveys to staff and to a representative sample of Ministry/Department/Agencys executives.A summary of the survey results and Ministry/Department/Agency comments (without identifying theindividual survey respondents) have been furnished to the CIA. Extensive interviews were conducted withthe Ministry/Department/Agencys executives (including heads of operating departments), IA staff andany external auditors.

Also reviewed were the IAs risk assessment and audit planning processes, audit tools and methodologies,engagement and staff management processes, and a representative sample of IAs working papers andreports.

The IA environment is well structured and progressive, where the IIA Standards are understood andmanagement is endeavoring to provide useful audit tools and implement appropriate practices. Amongthese tools and practices are automated audit software; frequent professional training for IA staff(including training directed toward obtaining the Certified Internal Auditor qualification) resulting in ahighly qualified staff; efficient scheduling and reporting; concise reports with a focus on risk; and a goodreputation and credibility with clients. Consequently, the comments and recommendations are intended tobuild on this foundation already in place at the Ministry/Department/Agency.

Our recommendations are divided into two groups:

Those that concern the Ministry/Department/Agency as a whole and suggest actions by seniormanagement. Some of these are matters outside the scope of the assessment. They were includedbecause we believe they will be useful to management and because they impact the effectiveness ofthe IAU and the value it can add.

Those that relate to IAs supervision, impact on corporate governance and similar matters that shouldbe implemented within IA, with support from senior management. Highlights of the more significantrecommendations are set forth below, with details in the main body of our report.

PART I: MATTERS FOR CONSIDERATION OF MANAGEMENT

1. Further enhance the independence of the IA or re-establish an audit committee atMinistry/Department/Agency.

2. Adopt Management Control Policy. The Ministry/Department/Agency should develop and adopt aformal Management Control Policy which clearly defines major management, audit committee andinternal audit accountabilities with regard to the Ministry/Department/Agencys risk management,control and governance processes. This policy should be communicated to all levels of management.


49/159



PART II: ISSUES SPECIFIC TO THE CORPORATE OVERSIGHT TEAM (IA)

1. Update IAs universe to expand coverage of Ministry/Department/Agencys operations and other

recommendations below. Expand and update IAs audit risk assessment model to include moredepartments. (Standard 2010)

2. Ensure adequate evidence of supervision of engagements by indicating when the initial auditprogram has been changed and approved. Enhance work papers by the use of initials for datecompleted and date reviewed. ( Standard 2340)

3. Adequate referencing of audit work papers, to ensure a clear map of audit observations findingsand conclusions. (Standard 2320, 2330, 2340)

4.

Review IA coordination with external auditors, taking into account IAs charter and updated riskassessment model a better definition of the external auditors coverage. (Standard 2050)

5. Monitor Progress re timely follow-up of implementation of recommendations, increasemanagement accountability and shift more routine follow-up to responsible senior officers. (Standard2500)

6. Enhance degree of impact on Corporate Governance , by promoting ethics, accountability andeffectively communicating risk and control information especially to newly appointed senior officers.(Standard 2130)

OPINION AS TO CONFORMITY TO THE STANDARDS

The Standards are divided into two major categories: Attribute Standards and Performance Standards .

It is the opinion of the review team that the IA generally conforms to the Attribute Standards and thePerformance Standards . IA also generally conforms to the Code of Ethics, which is a part of the IIAProfessional Practices Framework. The over-all assessment is that IA generally conforms to theStandards / guidelines .

It is our opinion that IA generally conforms to the following Standards :

Attribute Standards

1000 Purpose, Authority, and Responsibility (Charter), 1100 Independence and Objectivity, 1200 Proficiency and Due Professional Care, 1300 Quality Assurance/Improvement Program,


50/159



Performance Standards

2000 Managing the Internal Audit Activity, 2200 Engagement Planning, 2400 Communicating Results, 2600 Managements Acceptance of Risks, and The IIAs Code of Ethics ,

Additionally, recommendation will be made for opportunities for further improvements, in such areas asreferencing working papers, updating work programs, relations with and input from clients, supervision ofengagements and coordination with the external auditors.

It is our opinion that the IA partially conforms to the following Standards/guidelines :

2300 Performing the Engagement , where expanded documentation will strengthen the workingpapers and ensure professional practices.

2500 Monitoring Progress , with more significant opportunities to strengthen the follow-up ofmanagements implementation of planned remedial actions.

We believe this is a reasonable level of conformity in the circumstances, which can be raised to generalconformity to all of the guidelines by implementation of the recommendations.

According to the Quality Assessment Manual, generally conforms means that an internal audit activityhas a charter, policies, and processes that are judged to be in accordance with the Standards , with someopportunities for improvement, as discussed in the recommendations. Partially conforms meansdeficiencies in practice are noted that are judged to deviate from the Standards/guidelines , but thesedeficiencies did not preclude the internal audit activity from performing its responsibilities in anacceptable manner. Does not conform means deficiencies in practice are judged to be so significant asto seriously impair or preclude the internal audit activity from performing adequately in all or insignificant areas of its responsibilities.

______________________________________________________Name of Ministry/Department/Agency CIATEAM LEADERMinistry/Department/Agency Corporate Oversight Team

___________________Date

Ministry/Department/AgencyTeam Members:


51/159



OBSERVATIONS AND RECOMMENDATIONS

PART I: MATTERS FOR CONSIDERATION OF MANAGEMENT

These observations and recommendations originated principally from the comments received from themanagement survey, interviews with selected executives, and follow-up of these matters. All are of directimportance to enhancing effectiveness and added value of the IA.

1. Further enhance the independence of the IA,

Although the IA is independent as it reports functionally to the Permanent Secretary/ ofMinistry/Department/Agency on all subsidiary reports, to the Chairman of Ministry/Department/AgencyAudit Committee (on Ministry/Department/Agency reports), the IAs independence can be furtherenhanced by establishing or re-establishing an audit committee at Ministry/Department/Agency.

The establishment of these committees will improve the effectiveness of the IA by assisting in thepromotion of good corporate governance, control and the follow-up of the implementation of auditrecommendations at each subsidiary.

Recommendation

In order to further enhance the independence and effectiveness of the IA, it is recommended that themanagement of Ministry/Department/Agency re-establish an audit committee and that the Departments inthe financial sector in particular establish audit committees.

2. Adopt Management Control Policy

Currently there is no formal Management Control Policy at ABC Ministry/Department/Agency. A copyof the Model Policy was sent to the Chairman Ministry/Department/Agency, CEO ABCMinistry/Department/Agency, Audit Committee Chairman ABC Ministry/Department/Agency andABC Ministry/Department/Agency Board of Directors for review and adoption. This policy defines forthe Board of Directors the responsibilities of management at all levels, the Internal Audit Activity and theAudit Committee.

Recommendations

ABC Ministry/Department/Agency and other Departments in the financial sector should adopt a writtenManagement Control Policy in order to define roles and ensure accountabilities. This policy whichconveys the roles and responsibilities of management (specifically for action on identified control issues),

the audit committees and the authority of internal audit should be clearly conveyed from the top thoughthe senior levels at all companies.

PART II: ISSUES SPECIFIC TO THE INTERNAL AUDIT ACTIVITY

1. Update IA universe to expand coverage of Group,


52/159



Currently IA conducts audits mainly for a subsidiary, ABC Ministry/Department/Agency. IAs mandateaccording to its charter is to have oversight over the entire Ministry/Department/Agency. The charter alsodetails specific IA responsibilities over the entire Group.

IA plans to expand its risk assessment exercise to the Group in phases in order to expand its coverageusing the Ernst & Young (EY) risk methodology. The expanded coverage of Departments outside thefinancial sector is expected to unfold over the next 3-5 years and will include Information Technology(IT) issues.

Recommendation

IA should develop and publish a strategy which would clearly outline the timeframe for each phase inwhich it intends to expand its coverage of the Group. This would allow IA time to determine and obtainthe additional resources and training it may need to effectively oversee each phase and sector of theGroups operations.

2. Ensure adequate evidence of supervision of engagements

Evidence of supervision can be improved in the following areas: Initialing audit programs and changes thereto as having been reviewed and approved. Initialing working papers as having been reviewed and checked.

Recommendations

IA officials charged with supervisory authority should: Initial the audit program and any subsequent justified changes as approved. Review, initial and date working papers as having been checked.

IA should also consider the development of an engagement working paper review checklist forcompletion by the supervising auditor .

3. Adequate referencing of working papers

Currently, IAs working papers are not adequately referenced. The working papers in some cases do notcontain the elements of purpose, scope, source and conclusions. Also, a master check list which lists theminimum documentation requirements of the work papers as stated in IAs Audit Manual should beattached to the working papers and all documentation filed in a consistent manner whether in electronic orpaper format.

Referencing would ensure a clear trail of how conclusions and recommendations are derived fromengagement observations. The IA created a referencing system in DATE to address this shortcoming.

Recommendations

The referencing system developed should be tested and implemented with immediate effect. This systemshould include:


53/159



The principles of purpose, scope, source in order to provide a clear trail that supports the conclusionsand recommendations.

A well-developed master checklist (for inclusion in the working papers) which identifies the auditprocess as outlined in IAs manual re minimum documentation required to adhere to auditingstandards

A consistent organizational format for collating work papers (electronic or paper) which allows forefficient retrieval of data in support of audit recommendations or auditing standards.

Supervisory review of the working papers should ensure that the referencing system is enforced and thatthe working paper documents adequately supports the engagement observations, conclusions andrecommendations

4. Review IAs coordination with the external auditors

Beyond management review and evaluation, the two principal oversight/monitoring functions in theMinistry/Department/Agency are IA and the external auditors. Each has its specific focus, authorities,

responsibilities, and scope, but there are some similarities among them.

Although there has been some coordination and exchange of information, similarities give rise toopportunities to avoid duplicate effort, ensure adequate overall audit and evaluation coverage, leverageeach others work through joint efforts and reciprocal follow-up of recommendations. Tools for achievingthese aims include a shared universe, coordinated risk assessment/planning, and shared recommendationdatabase. In addition, we can review each others reports and meet as frequently as seems useful.

Recommendation

We recommend IA and the external auditors jointly review the comprehensive audit/evaluation universeto achieve a coordinated division of labor. Further, it is recommended that both IA and the externalauditors take careful account of common interests, which include the potential scope of work, and cleardefinition of external audit coverage, along with the potential for joint teams on some engagementsespecially IT.

5. Monitoring Progress; timely follow-up of the implementation of audit recommendations

There are a number of audit recommendations at ABC Ministry/Department/Agency that have not beenmonitored and followed-up by the IA in a timely manner. A database is currently being developed to trapand track recommendations and the remedial actions taken by management to address areas of riskexposure. There is currently no summary of recommendations implemented versus remedial actionoutstanding.

We believe senior executives and managers should take a more active role in the follow-up ofrecommendations and the implementation of the related action plans. Senior executives should beresponsible to follow up on the implementation status of audit recommendations for their area(s) ofresponsibility.

Recommendations

The IA should ensure that the system developed to track the progress of the implementation of auditrecommendations is comprehensive and addresses the monitoring function efficiently. This system


54/159



should include agreement/sign off by the audit client on remedial action to be taken, the timeframe forimplementation and progress reports.

6. Enhance degree of impact on Corporate Governance

The IA can add more value to Ministry/Department/Agency by improving the degree of its impact oncorporate governance. Although, control awareness presentations have been made by the IA at ABCMinistry/Department/Agency, presentations on ethics and values should also be promoted.

Additionally, it was noted that most of the managers at ABC Ministry/Department/Agency are new totheir positions and would have missed the last risk assessment conducted. As a result, some of themanagers are not aware of the concerns and risks identified during risk assessment exercise.

Recommendation

In order to improve its impact in governance, the IA can consider the following:

Make presentations and provide additional material/support to Ministry/Department/Agencyregarding ethics and values and also other issues such as the tone at the top.

Ensure that new managers are apprised of risk and control concerns previously identified for theirarea(s) of responsibility

Update and conduct risk assessments for the Departments and effectively communicate the results tothe appropriate levels of management at these organizations.


55/159


56/159


APPENDICESAPPENDICESAPPENDICESAPPENDICES ((((ForForForFor Section 2)Section 2)Section 2)Section 2)


57/159

APPENDIX 1SELF ASSESSMENT GUIDE


Internal Audit Unit: ___________________________________

Date Submitted: ______________________________________

On-site Dates: ________________________________________

Self-assessment Due Date: ______________________________

Notes to Preparer(s)

If this self-assessment is for an internal quality assessment or a self-assessment with validation , consider allquestions, information requests, and requests for evaluative comments in relation to the assessments scope andobjectives. Respond to the questions, etc. to the extent the responses are necessary to facilitate and document the workof the internal assessment team and/or validator. Attach the requested documentation or ensure it will be available as

needed during the internal assessment and validation phases.Whenever a brief response will suffice, in lieu of an attachment, write it in the space provided. The attachmentsfurnished should be described briefly within the self-assessment and clearly labeled. If the requesteddocument/information is not attached to the self-assessment (i.e., not considered relevant or to be made available later),so state on the self-assessment where the attachment is required.

The chief internal auditor (CIA) may delegate the preparation of this self-assessment, but should review it for accuracyand completeness, before submitting it to the validator.

I. ORGANIZATION AND ENVIRONMENT

A.

Background of the Organization1. Briefly describe the major activities of the organization and attach a copy of its most recent annual report. ( Include

relevant attachments ).

1. Provide the following summary information about the organization

Approximate number of employees __________

Number of operating locations __________

Geographical locations of major operations ________________________________

__________________________________________________________________

Revenues __________

Assets __________


58/159



B. Risk Management, Governance, Accountability, and Oversight

1 A. Describe the process to identify, measure, and manage enterprise risk in the organization. (Theorganizations ERM process).B. List the most significant risks that have been identified.

(Include relevant attachments )Describe the regulatory constraints/enhancements that had an impact on the work of the IAU with emphasis onrecently enacted legislations or regulations.

2. A. Describe how the organizations strategies are selected, how objectives are established, measured, andreported, and indicate how managers are held accountable for achievement of their assigned objectivesB. Give an overview of the organization mission and comment on the alignment of its strategy and objectives tothe mission

Attach a copy of the policy for controlling the organization (e.g., management control policies, delegations ofauthority, accountabilities, etc.) and comment on planned or potential changes.

3. Assess the adequacy of the charter and comment as to the extent to which this current audit committee chartergives the audit committee adequate authority, scope, resources, information, and access to management todischarge its responsibilities. Comment on any proposed or potential enhancements to the audit committeescurrent charter.

Attach a copy of the audit committees charter or similar document relating to oversight of the IAU.

II. THE INTERNAL AUDIT UNIT (IAU)

A Background of the IAU

1. Name and title of the CIA _________________________________________________________

2. Name (i.e., division, office, department, etc.) and address of the IAUs principal office

Name:Address:Telephone Number:

3. Give a brief history of the IA Department, including when it was started, any change(s) of CIAs during the past

10 years, an indication of its growth in the past 10 years, and significant changes in its lines of reporting,authority, scope of work, and internal organization. Comment on how these changes have enhanced the IAUseffectiveness.

4. Name and title of the person to whom the CIA reports ______________________


59/159



Administratively Name and TitleFunctionally Name and Title

5. Name and address of the chair of the audit committee with oversight of the IAU:

Name:Address:City:Parish:

6. Name of the organizations external auditor. _______________________________________

7. Person who heads the external audit ____________________________

8. Address and telephone number of the external auditors office:

Address:City:Parish:Telephone: Fax:

B. Internal Audit Practice Environment (including Support, Authority, and Scope)

1. Comment as to whether or not the placement of the IAU on the organizations structure is the optimum to ensureindependence, access to appropriate executives, ease of communication, support, and resources. Comment on anyproposed or potential enhancements in these areas.

Attach the government entitys organization chart, including the name and job title of business unit heads, showing

placement of the IAU.

2. Attach the IAUs organization chart and a list of the IAUs staff, classified by staff level and type, along with anindication of time in the IAU and prior experience. Have available for later review the job descriptions, recordsshowing skills requirements, staff qualifications, unfilled positions, use of outside services, recent turnover, andout-placement of staff.

3. Compare the IAUs charter to the model IAU charter in Reference III and comment on how the IAUs charterfosters the independence, access, resources, etc. necessary to the effective functioning of the IAU. Mention any

proposed or potential enhancements to the IAUs charter since the last quality assessment or independent validation.

Attach a copy of the IAUs charter.

Describe the procedures to ensure that the efficiency and effectiveness of the IAU in achieving its mandate.

4. Does the IAU have full access to all areas of the organization? Yes____ No ____ If not, describe restrictions onthe IAU regarding access to information considered necessary to conduct audits and consulting engagements or


60/159



access to relevant managers and employees. Comment on how it affects the effectiveness of the IAU in theachievement of its mandate.

5. Describe the procedures to ensure that the IAUs staff is objective (e.g., conflict of interest statements, auditor

rotation, etc.). Describe the procedure for reporting conflicts of interest or bias to the CIA and subsequently dealingwith them.

6. Describe the philosophy of the IAU, its core values, and mission/goals/objectives for serving its clients.

7. Describe the objectives against which the IAUs periodically measures its performance and describe how executivemanagement, audit committee, or oversight group such as legislative bodies evaluates the performance of the IAU.

Attach a copy of the IAUs policy and standard operating procedure (SOP)

8. Complete the best practices checklist ( see Appendix 3 ) and indicate how these practices enhance the IAUseffectiveness.Comment on any proposed or potential additional practices that would add further value and/or enhanceeffectiveness. If there are such practices that the IAU is not planning to implement (or if it is prevented from doingso), discuss the related reasons and the potential impact of the decisions not to implement them.

9. List other oversight/monitoring units outside the IAU describe their authority, scope, and functions (e.g., safety,environment, evaluation, security, investigations, process improvement, and other compliance/ consultingactivities).Describe: The nature of the unit operational duties How their separation from the IAU impacts on the achievement of the organizations goals, How the separation impacts risk management, management control, efficiency, or resource utilization, and Comment on their report relationship with senior management, the board, and other governance responsibilities

and accountabilities,

C. Relationship of the IAU with Senior Management and the Board (Audit Committee)

1. Describe interactions of the CIA and senior management: involvement in management meetings for strategic andtechnology planning, periodic management briefings, etc.

(See Appendix 5-9 Questionnaire Guides)

2. Describe how senior management and the board (audit committee) are kept informed about the work of the IAU.


61/159



Include how often the CIA is scheduled to meet with them, who attend such meetings, what is typically discussed,how often senior management and the board receive status reports, etc. Comment on any additional formal orinformal contacts.

D. Management of the IAU

1. Provide a brief description of risk assessment and engagement planning. Discuss how the IAUsassurance/consulting universe is determined, and how the planning considers:

Alignment of the IAUs risk assessment and engagement planning with the organizations strategic plans,objectives, and enterprise risk framework.

Technology plans, current systems, those under development, and technology management issues. The management control environment and accountability processes. Management input regarding their plans, concerns, priorities, etc. Potential partnering opportunities and other value-adding activities. Staffing numbers/skills needed, along with opportunities to leverage IA resources through empowerment, joint

efforts with clients, selective outsourcing, fostering self-assessment, etc. Long-range engagement planning to achieve appropriate coverage of the IAUs universe.

2. Describe the extent to which the IAUs priorities, scope of work, and use of resources are aligned with theorganizations enterprise risk management framework. Describe how the IAU contributes to achievement of theorganizations goals. Comment on potential or planned changes to the IAUs priorities, scope, or use of resources toenhance that alignment.

3. Attach a copy of the following:

The engagement planned vs. actual level of achievement for the current period , including engagementscurrently in progress and details of engagements completed and final report issued. At a minimum, provide:o List the audit assignments performed and state the type of audito Name of Audit Client/Unit.o Start date and report issuance date of the engagement.o Number of staff hours or days spent.o Audit manager and lead auditor for the engagement.o Detail of how the recommendations made have improve the efficiency and effectiveness of the

organizations operation.

The engagement planned vs. actual for the prior period , including details of engagements completed andreports issued. At a minimum provide:o List the audit assignments performed and state the type of audito Name of Audit Client/Unit.o Start date and report issuance date of the engagement.o Number of staff hours or days spent.o Audit manager and lead auditor for the engagement.o Detail of how the recommendations made have improve the efficiency and effectiveness of the

organizations operation.

The IAUs financial budget vs. actual for the current period.


62/159



The IAUs financial budget vs. actual for the prior period.

4. Show the percentage of the IAUs staff time and contract (outsourced) services applied to each of the followingtypes of assurance and consulting activities. (Note: If the IAUs timekeeping system does not facilitate classifyingtime in this

QAIP Manual2012 Jamaica

Documents

Transcript of QAIP Manual2012 Jamaica