QAIP Manual2012 Jamaica
-
Upload
marie-nichols -
Category
Documents
-
view
218 -
download
0
Transcript of QAIP Manual2012 Jamaica
-
8/9/2019 QAIP Manual2012 Jamaica
1/159
GOVERNMENT OF JAMAICAGOVERNMENT OF JAMAICAGOVERNMENT OF JAMAICAGOVERNMENT OF JAMAICA
INTERNAL AUDITINTERNAL AUDITINTERNAL AUDITINTERNAL AUDIT
QUALITY ASSURANCE AND IMPROVEMENT PROGQUALITY ASSURANCE AND IMPROVEMENT PROGQUALITY ASSURANCE AND IMPROVEMENT PROGQUALITY ASSURANCE AND IMPROVEMENT PROG
(QAIP)(QAIP)(QAIP)(QAIP)
Policy and Procedures ManualPolicy and Procedures ManualPolicy and Procedures ManualPolicy and Procedures Manual
Revised March 2012
-
8/9/2019 QAIP Manual2012 Jamaica
2/159
-
8/9/2019 QAIP Manual2012 Jamaica
3/159
Table of ContentsPage
Preface 1
Section 1 The Internal Audit Quality Assurance Program 1.1 Overview of the QAIP 41.2 Managing an Internal Audit Unit 7
1.2.1 Understanding its Entitys Governance Structure 71.2.2 Evaluate the Organizations Risk Management Process 81.2.3 Define and Promote the Internal Audit Unit 81.2.4 Align IAUs Operation to the Organizations Plans 10
1.3 Conducting Audit Assignments1.3.1 Planning Assignments 111.3.2 Execution of Audit Assignment 141.3.3 Communicating Results 16
1.3.4 Follow up of Results 191.4 Managing Internal Audit Human Resources 19
Section 2 Conducting Internal Quality Assurance Reviews2.1 Definition 222.2 IQAR Components 23
2.2.1 Ongoing Reviews 232.2.2 Periodic Reviews 23
2.3 IQAR Policies2.3.1 Administering Periodic Internal Reviews 242.3.2 IQAR Review Cycle 25
2.3.3 Composition and Selection of QAR Teams 252.3.4 Review Team's Qualification 262.3.5 Rotation of Team Members including leaders 272.3.6 Establishing the Formal Self Assessment Scope
and Objectives 272.3.7 Reporting Format 28
2.4 Methodology Formal Self Assessment2.4.1 Planning and Preparation 292.4.2 Interviews with IAU clients 302.4.3 Self-Assessment Fieldwork 302.4.4 Self-Assessment Report 31
Section 3 Conducting the Quality Assessment and Independent (External) Validation 3.1 Definition 343.1.1 Self Assessment with (Independent) external validation 343.1.2 Quality Assessment 34
-
8/9/2019 QAIP Manual2012 Jamaica
4/159
Page
3.2 Administering the Quality Assessment and Independent Validation 353.2.1 Quality Assessment 35
3.2.2 Self-Assessment with Independent Validation 353.2.2.1 Team Composition & Selection 363.2.2.2 Qualification of Validators 363.2.2.3 Tenure of Teams including Leaders 373.2.2.4 Scope and Objectives of the Validation Process 373.2.2.5 Reporting 38
3.3 Validation Methodology3.3.1 Planning and Preparation 383.3.2 Fieldwork 383.3.3 Interviews/Survey 393.3.4 Reporting 39
3.3.5 Follow-up 39Section 4 IAU Self-Assessment Report Specimen
Appendices:1 Self-Assessment Guide 522 Self-Assessment Evaluation Summary 593 Self-Assessment Planning Memorandum 674 Audit Effectiveness Questionnaire 705 Interview Guide: Audit Committee 726 Interview Guide: Accounting Officer 78
7 Interview Guide: Senior Operating Management 858 Interview Guide: Chief Internal Auditor 909 Interview Guide: Internal Audit Staff 9810 Audit Assignment Reviews 10611 Audit Client Survey 11212 Standard Conformance Guidelines 12-1 115
and Standard Conformance Evaluation Summary 12-2 12213 Quality Assessment Exercise Interview Guide 12614 Quality assessment Review Guide 13015 IAU Assessment Checklist 13216 IAU Risk Assessment Checklist 136
17 Staff Professional Proficiency Checklist 13918 IT Audit Assignments Review Guide 142
Other Tools:Assessing Production and Value Added 150Observations & Issues Worksheet 153
-
8/9/2019 QAIP Manual2012 Jamaica
5/159
PREFACEPREFACEPREFACEPREFACE
-
8/9/2019 QAIP Manual2012 Jamaica
6/159
Quality Assurance and Improvement Programme Policy IAD, MoFP | 1
PREFACE
The Ministry of Finance and Planning has taken the initiative to further strengthen the Internal
Audit Units' (IAUs) activities by developing a policy on "Internal Audit Quality Assurance",consistent with the Institute of Internal Auditors (IIA) standards.
In employing a quality assurance and improvement program, stakeholders of the internal audit
unit are reasonably assured that its activities are performed in accordance with international
standards and operated in an effective and efficient manner.
An effective Quality Assurance and Improvement Program begins with instituting policies,
procedures and practices (consistent with the IIA Standards) in an effort to ensure quality of
service to one's clients. These are complemented with the deliberate execution of ongoing and
periodic reviews of the internal audit activities against appropriate standards, leading/ best
practices, established goals and performance targets.
Each Internal Audit Unit was required to implement the IIA Standards as at April 1, 2008.
During the implementation and subsequently thereafter, each unit will be required to carry out
ongoing reviews of its operations and performance. The review will be carried out periodically toevaluate its activities' level of conformance with the IIA Standards and this policy document.
Each Internal Audit Unit is required to conduct a self assessment (i.e. periodic review) every five
(5) years. . Section 2 "Conducting Quality Assurance Internal Reviews" outlines the policies
and procedures for performing a self assessment Review.
In order to verify each IAUs level of conformance to the IIA standards, a team of qualified
officers will perform a Quality Assessment as is deemed necessary. This exercise is to determine
the IAUs level of readiness for external validation which will be conducted thereafter. Section 3
Conducting Validations outlines the policy and procedures for independent validation. The
Independent validation will enable the IAU to declare that their IAU operations are "conducted
in accordance with the (IIA) Standards for the Professional Practice of Internal Auditing".
-
8/9/2019 QAIP Manual2012 Jamaica
7/159
Quality Assurance and Improvement Programme Policy IAD, MoFP | 2
Heads of Internal Audit Units are expected to display a strong and deliberate commitment to
effect a quality assurance and improvement program in their units and are encouraged to use this
policy as a guide.
Quality is never an accident; it is always the result of high intention, sincereeffort, intelligent direction and skillful execution; it represents the wise choiceof many alternatives.
William A. Foster
Quality should be inbuilt in the activities, functions, methodology, policies andprocedures, and the human resource practices of the internal audit unit,
rather than being seen as an add -on activity
The Institute of Internal Auditors (IIA) QAIP improvement guide
-
8/9/2019 QAIP Manual2012 Jamaica
8/159
Section 1Section 1Section 1Section 1The Internal AuditThe Internal AuditThe Internal AuditThe Internal Audit
Quality Assurance ProgramQuality Assurance ProgramQuality Assurance ProgramQuality Assurance Program
-
8/9/2019 QAIP Manual2012 Jamaica
9/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 4
OVERVIEW OF THE QAIP PROCESS
The Quality Assurance and Improvement Program (QAIP) is not an attempt to reinvent the
wheel but rather to ensure that the Internal Audit Unit consistently provides quality and value-
added services to its stakeholders.
The Chief Internal Auditor (CIA) is ultimately responsible for implementing a structured QAIP
and should lead by example by embedding quality into the internal audit activity. This should
cover all aspects of the Unit's management and operations outlined in the Standards and best
practices of the profession. It should be noted however, that the entire internal audit activity is
responsible for delivering quality; internal auditors are professionals and should be committed to
delivering quality services. A fundamental concept of the QAIP is that the IAU's operationsshould be in alignment with the Institute of Internal Auditors Standards and guidelines issued by
the Ministry of Finance and the Planning.
A QAIP should conclude on the quality of the internal audit activity and lead to
recommendations for appropriate improvements. It enables an evaluation of:
Conformance with the Definition of Internal Auditing, the Code of Ethics, and the
Standards.
The adequacy of the internal audit activity's charter, goals, objectives, policies, and
procedures.
The contribution to the organization's governance, risk management, and control
processes.
Completeness of coverage of the entire audit universe.
Compliance with applicable laws, regulations, and government or industry standards to
which the internal audit activity may be subject. The risks affecting the operation of the internal audit activity itself. The effectiveness" of continuous improvement activities and adoption of best practices. Whether the internal audit activity adds value, improves the organization's operations, and
contributes to the attainment of objectives.
-
8/9/2019 QAIP Manual2012 Jamaica
10/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 5
To achieve comprehensive coverage of all aspects of the internal audit activity, a QAIP must
effectively be applied at three fundamental levels (or perspectives):
Internal Audit Activity Level (self-assessment at the internal audit activity or
organizational level):
The CAE is responsible for providing assurance that:
Written policies and procedures, covering both technical and administrative matters,
are formally documented to guide audit staff in consistent conformance with the
Definition of Internal Auditing, the Code of Ethics, and the Standards.
Audit work conforms to written policies and procedures Audit work achieves the general purposes and responsibilities described in the
internal audit charter. Audit work conforms to the Definition of Internal Auditing, the
Code of Ethics, and the Standard
Internal audit work meets stakeholders expectation
The internal audit activity adds value and improves the organization's operations.
Resources for the internal audit activity are efficiently and effectively utilized.
Internal Audit Engagement Level (self-assessment at the audit, engagement, or
operational level):
The engagement supervisor (possibly a manager or the CAE/CIA) is responsible for providing
assurance that:
Appropriate processes have been used to translate audit plans into specific and
appropriately resourced audit engagements.
Planning, fieldwork conduct, and reporting/communicating results conform to the
Definition of Internal Auditing, the Code of Ethics, and the Standards.
Appropriate mechanisms are established and used to follow-up management actions in
response to audit recommendations
-
8/9/2019 QAIP Manual2012 Jamaica
11/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 6
Post-engagement client surveys, lessons learned, self-assessments, and other
mechanisms to support continuous improvement are completed.
External Perspective (independent external assessment of the entire internal audit
activity including individual engagements):
The External Assessors will validate that:
Audit work conforms to written policies and procedures. Audit work achieves the general purposes and responsibilities described in the
internal audit charter.
Audit work conforms to the Definition of Internal Auditing, the Code of Ethics,
and the Standards. "1
Figure 1 - IIA QAIP Framework
1 IIA_IPPF_PG_-_Quality_Assurance_and_Improvement_Program_March_2012.pdf
-
8/9/2019 QAIP Manual2012 Jamaica
12/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 7
A fundamental concept of the QAIP is that the IAU's operations should be in alignment with the
Institute of Internal Auditors Standards and guidelines issued by the Ministry of Finance and
Planning.
When implementing the IIA Standards, the CIA is expected to give particular attention to the
following main audit activities: Managing an Internal Audit Unit Conducting Audit Assignments Managing Internal Audit Human Resources
The applicable standards for these activities are discussed below:
1.1 MANAGING AN INTERNAL AUDIT UNITWhether establishing a new or managing an existing internal audit unit, the Head of any IAU
should execute these sub-activities in a manner that will assist his/her government entity in
meeting its overall objectives. Each internal audit unit must implement and maintain
documented standard operating procedures (SOP) which incorporates its standard level of
performance for each area/activity within its operations. The SOP should be reviewed on an
ongoing basis and the approval of the audit committee and the accounting officer obtained.
IAU Officers must, among other things, understand their entitys governance structure; evaluate
the organisations risk management process; define and promote the IAU and align the IAUs
operations to the organisations plans.
1.1.1 Understand its Entitys Governance Structure
(Standard 2130 and Practice Advisory 2120)
The IAU must contribute to the Ministry/Departments governance process by evaluating
the entitys accomplishment of: Promoting appropriate ethics and values within the organization. Ensuring effective organizational performance management and accountability.
-
8/9/2019 QAIP Manual2012 Jamaica
13/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 8
Effectively communicating risk control information to appropriate areas of the
organization. Effectively coordinating the IA activities and communicating information among the
Accounting officer, the audit committee, external and internal auditors, management
and if applicable the board of directors.
The CIA must become familiar with and maintain copies of the Acts, Regulations,
policies and procedures, which guide the operations of the Ministry, Department or
Agency. The Financial Administration and Audit Act, The Public Bodies Management
and Accountability Act and The Financial Instructions to Executive Agencies Act are
three examples of legislations which guide the accounting and administrative functions of
Ministries, Departments, Agencies and public bodies respectively.
1.1.2 Evaluate the Organisations Risk Management Process(Standard 2100 and Practice Advisory 2100-3)
Most government entities do not have a structured risk management process.
Nonetheless, IAUs are encouraged to assist their organisation by identifying, evaluating
and making appropriate recommendations concerning the organizations exposure to
significant risks. The risk assessments should be conducted during the development ofthe audit plan and execution of individual audit assignments.
1.1.3 Define and Promote the Internal Audit Unit (Standard 1000)
It is important that officers within the IAU understand their roles and responsibilities so
that they are able to promote the activity to their stakeholders. The following are
minimum steps that may be instituted by the IAU to achieve this objective.
Develop an Internal Audit Charter (Practice Advisory 1000-1)
The internal audit charter provides the functional and organizational framework for the
IAUs activities. It defines, among other things, the IAUs:
Independence; Purpose;
-
8/9/2019 QAIP Manual2012 Jamaica
14/159
-
8/9/2019 QAIP Manual2012 Jamaica
15/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 10
1.1.4 Align IAUs Operation to the Organisations Plans (Standard 2000) The CIA should ensure that he/she:
Develops and Implements Corporate and Operation Plans (Standard 2010)
IAUs are mandated to assist their organisation in achieving its strategic objectives by
performing ongoing evaluations and providing constructive recommendations for
improvement.
The IAU must therefore ensure that their corporate and operational plans are aligned
with its organisations plans and reflect how it will assist in achieving the overall
objectives. (Refer to the GOJ Internal Audit Manual or your organisations corporate
planning procedures for further guidance).
Develops and Implements its Internal Audit Plan (Standards 2010 and 2020)
The audit plan must be determined from a risk assessment undertaken at least
annually. Input should be sought from management to identify possible areas to be
audited. The Audit Plan should be reviewed and approved by the Audit Committee.
The selection and number of audit assignments listed on an audit plan depends on the
risk identified, availability of IAU resources and staffing. The CIA should make an
allowance in the audit plan for special requests (consulting services) from
management but must ensure that the unit and its auditors independence are not
impaired by the provision of these services.
Where changes in the environment has led to significant modifications in the Units
annual/operational plans, the Chief Internal Auditors must document the reasons for
such changes, indicate the likely implications/changes in risk exposures etc and
obtain the necessary approvals from the audit committee.
-
8/9/2019 QAIP Manual2012 Jamaica
16/159
-
8/9/2019 QAIP Manual2012 Jamaica
17/159
-
8/9/2019 QAIP Manual2012 Jamaica
18/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 13
Allocation of Resources (Standard 2230)
The availability of resources (IT, accommodation, travel, materials); staff availability and
competence are important in determining the scope, objective, audit time and
methodology of the assignment.
Audit staff should possess knowledge, skills and other competencies needed to perform
given audit assignments.
If the IAU lacks the knowledge, skills or other competencies needed to perform all or part
of the assignment, technical assistance should be sought or external consultants engaged.
Preparation of Risk Analysis and Audit Programs (Standard 2201, 2240)
The CIA/Team leaders must establish procedures for identifying, analyzing, evaluating
and recording information during the audit. The CIA/team leader should approve the risk
assessment (Control Overview/Risk Matrix) with the detailed audit programs before
commencement of the audit fieldwork. Any subsequent changes to the approved audit
programs must also receive prior approval from the CIA/team leader to be effected.
Written justification of these changes should be reflected in the audit working paper files.
Every audit assignment must have an audit program which must capture the following
elements:
The audit objectives The audit criteria which speaks to the standard of measurement against which the
auditable area will be reviewed. Details of the methodology to be employed in the execution of the audit steps Audit evidence or findings, supporting the audit program, must be adequately
recorded.
-
8/9/2019 QAIP Manual2012 Jamaica
19/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 14
Audit Checklist (Standard 1311)
Throughout the audit engagement, the CIA/Team Leader should cross-check and
complete the Planning Memorandum/Checklist to ensure that all essential tasks are
completed.
1.2.2 Execution of Audit Assignment (S tandard 2300)
Obtaining and Identifying Information (Standard 2310)
Auditors must obtain and identify sufficient, useful and relevant information to achieve
the engagements objectives.
The auditor must know what type of data that s/he will require to determine how best to
present his findings; use of spreadsheets, tables and layouts.
Analysis and Evaluation (Standard 2320)
Audit evidence and conclusions must be based on appropriate analyses and evaluation of
information collected. Therefore Internal Auditors need to consider the following factors
when selecting analytical audit procedures to achieve the audit objective: The significance of the area being examined;
The adequacy of the system of internal control; The availability and reliability of information;
In order to meet the demands of stakeholders for real time assessment of the controls in
place and their vulnerability, Internal Auditors are encouraged to use Computer-Aided
Audit Tools and Techniques to analyze and collate their audit evidence.
Presentation of Working Papers (Standard 2330)
Working papers record, among other things, the significant findings resulting from the
performance of audit steps. Working papers must support and provide documentary
evidence to support audit findings and conclusions. The audit finding must record the
criteria used for the evaluation of a particular task or activity or operation. ( Refer to the
GOJ Internal Audit Manual for working paper templates.)
-
8/9/2019 QAIP Manual2012 Jamaica
20/159
-
8/9/2019 QAIP Manual2012 Jamaica
21/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 16
1.2.3 Communicating Results (Standard 2400 )
During the Audit : (Standard 2440.C1 ) Oral Communication
It is important to communicate with management, as the audit progresses, on any
pertinent issue. Auditors should communicate with the management team concerns of any
control risk identified so that mutual understanding and agreement to facts and solutions
is assured; this includes communicating with management on any difficulties being
experienced in obtaining records, documents.
Local Observation /Audit Query/Management Letter
A local Observation/Audit Query is a type of flash report/query that is issued to
management during the audit. This is a formal way of bringing to managements attention
any significant issues or material weaknesses that are found during the audit which may
require immediate attention. It also serves as a means of receiving formal responses to
issues identified during the audit.
Exit Interviews/Conference (Standard 2410 and Practice Advisory 2410.A1)
The main objective of exit interview is to discuss the findings, to resolve conflicts, toidentify managements actions and responses to the findings and to generate
commitment for implementation of recommendations.
Exit interview should be conducted on completion of the audit fieldwork, outlining
audit issues, auditors opinion and/or conclusions. Notes of exit interviews should be
maintained on the audit file. If appropriate, the notes should be signed by
management.
The IAU has a responsibility to communicate to the Audit Client the implications
of not adequately addressing the risk exposure of the organization and
managements response indicating its acceptance of the risks identified. (Standard
2600)
-
8/9/2019 QAIP Manual2012 Jamaica
22/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 17
Preparation of Audit Report (Standard 2410 )
The audit report must communicate the objectives, scope, general criteria, results,
appropriate recommendations and conclusions of the audit review. ( See GOJ Internal
Audit Manual for presentation guidelines)
The Summary of Significant Issues & Findings may be written during the fieldwork on
the completion of each segment of the audit program. The Summary of Significant Issues
& Findings may act as the platform on which the audit report is developed. (Refer to the
GOJ Internal Audit Manual)
Quality of Communication (Standards 2420 and 2430)The audit report should be accurate, clear and concise. The report must include all the
critical elements criteria, findings/conditions, cause, implications/effects, and
recommendations. Refer to the GOJ Internal Audit Manual
Disseminating Results/Report to Appropriate Persons (Standard 2440)
Issuing Audit Reports
All working papers and reports should be treated with a high level of
confidentially and should only be disclosed or made available to relevant parties.
Draft Audit Reports should be issued within two (2) weeks after completion of
audit fieldwork to the relevant parties.
An Exit Interview should be scheduled within two (2) weeks after the Draft
Report has been issued. Initial responses should be documented and confirmed
within this meeting. A second issue (manual/soft copy) should then be donewithin a week after the interview . This second issue serves to solicit final
confirmation and/or clarification from management of statements made within the
Exit Interview.
-
8/9/2019 QAIP Manual2012 Jamaica
23/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 18
Final Audit Reports with confirmed managements response should be issued
within three (3) weeks after the Exit Interview . For the purposes of this
document, A FINAL AUDIT REPORT is one that contains confirmed
managements comment(s).
The CIA may consider an audit assignment closed/completed after submission
of a final audit report.
In instances where management has failed to respond to the draft audit report the
CIA may consider the audit assignment closed, after submitting at least two
written requests for confirmation of managements comments; and these actions
are to be carried out no later than four (4) weeks after the second issuance of
the draft report with the initial managements response.
Field Work
2 weeksDraft Report2 weeks
Exit Interview1 week
Draft Report (second issue)2 weeks
Final Audit Report(with confirmed Management Reponses) 4 weeks
Completed Audit Report
(without confirmed Management Reponses)
NB. Auditors are encouraged to close the audit in theshortest possible time.
SUMMARY (Maximum Days)
-
8/9/2019 QAIP Manual2012 Jamaica
24/159
SECTION 1: THE INTERNAL AUDIT QUALITY ASSURANCE PROGRAM
Quality Assurance and Improvement Programme Policy IAD, MoFP | 19
1.2.4 Follow-Up of Results (Standard 2500)There must be a process of follow-up to monitor and ensure that management actions
have been effectively implemented. Follow up must be scheduled, subject to the action
plan declared by management to eliminate or reduce the deficiencies identified in the
audit report. The CIA should follow up implementation of audit recommendations at least
six (6) months after the issue of the final audit report.
1.3 Managing Internal Audit Human Resources
A key factor to the success of any IAU is competent officers who possess the requisite
knowledge and skills and are encouraged to pursue continued training for professional
development. Each IAU human resource management practices are subject to those of its
organisation. However, the following are some areas that the CIA must give particular attention:
Hiring As part of the hiring process, the CIA should attain assurance of qualification and
proficiency of applicants by getting copies of certificates, checking references and
identifying relevant job experience previously gained.
Performance Reviews Work plans/targets should be developed from IAUs Operational and Audit plans for
audit teams, which will be used as the basis for the Performance Management
Appraisal System. Ongoing and annual performance reviews should be conducted to assess staff
competences, identify areas of weaknesses and strengths. The reviews should give a
balanced assessment and be designed in a manner that allows both supervisor and
staff to identify ways of correcting the weaknesses as well as improving/maintaining
the strengths.
-
8/9/2019 QAIP Manual2012 Jamaica
25/159
-
8/9/2019 QAIP Manual2012 Jamaica
26/159
Section 2Section 2Section 2Section 2
ConductingConductingConductingConducting
Internal QuaInternal QuaInternal QuaInternal Quality Assurancelity Assurancelity Assurancelity Assurance ReviewsReviewsReviewsReviews
(IQARs)(IQARs)(IQARs)(IQARs)
-
8/9/2019 QAIP Manual2012 Jamaica
27/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 22
The purpose of an Internal Quality Assurance Review (IQAR) is to ensure compliance with the
Financial Administration and Audit Act (FAA Act) and related internal audit guidelines, and
the
1
International Standards for the Professional Practice of Internal Auditing (the Standards ) byeach internal audit unit. Every financial year, IAUs are expected to conduct quality assurance
reviews of their operations.
2.1 DEFINITION
Internal Quality Assurance Review (IQAR) includes both ongoing and periodic assessments of
the IAU's processes and related practices. Ongoing reviews are limited evaluations or inspections
embedded within the various processes or activities of the IAU and periodic reviews are detailed
assessments conducted from time to time, to assure consistent practices within the unit.
Chief Internal Auditors are expected to conduct both periodic review which incorporate both
issue-specific reviews (focus on a particular audit activity/process) and formal self-assessments
(focus on several activities of the internal audit unit). The reviews should be designed to
evaluate: The IAU's conformance with its Charter, the IIA Professional Standards and Code of
Ethics; The efficiency and effectiveness of IAU's operations in meeting the needs of its
various stakeholders.
This complement of ongoing monitoring and periodic self-assessments provides an effective
structure for continuous assessment of internal audit conformance and improvementopportunities.
-
8/9/2019 QAIP Manual2012 Jamaica
28/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 23
2.2 IQAR COMPONENTS
2.2.1 Ongoing Reviews
Ongoing reviews may include, among other activities, any or a combination of the following: Built-in supervisory reviews for each audit activity; Feedback from client surveys on individual audit assignments; Analyses of established performance metrics; Annual risk assessments to guide the development of the IAU's audit plan; Chief Internal Auditor's approval of all final reports and recommendations; Reviews of Audit Policies and Procedures used in each audit assignment to ensure
compliance with applicable planning, fieldwork and reporting standards; Regular, documented review of working papers during audit assignments by
appropriate internal audit staff. This includes but not limited to the review and
approval of risk assessment and audit programs by audit supervisor and/or CIA prior
to audit execution/fieldwork;
Using measures of project budgets, timekeeping systems, and audit plan completion
to determine if appropriate time is spent on different aspects of the audit process, as
well as high risk and complex areas
Any weaknesses or areas for improvement should be addressed on an ongoing basis, as they are
identified, and the results of ongoing monitoring must be reported.
2.2.2 Periodic Reviews
As indicated in 2.1 above, periodic reviews include both issue-specific reviews and formal self-
assessments.
2.2.2.1 Issue-specific reviews may include (among others) any of the following activities:
Review of project budgets; timekeeping systems, audit plan completion and cost
recoveries. Working paper reviews for performance in accordance with GOJ internal audit
policies and IIA standards. In this instance, a supervisor, independent of the audit
assignment, would conduct a secondary review of working papers and related audit
-
8/9/2019 QAIP Manual2012 Jamaica
29/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 24
report. The review is done only for completed audit assignments. (Appendix 10 -
Audit Assignment Reviews).
Bi-annual Client Survey (Appendix 11 - Client Survey) Review of internal audit performance metrics and benchmarking of best/leading
practices, prepare and analyse with GOJ Audit Policies and Guidelines as well as the
IAU's procedures. Periodic activity and performance reporting by the Audit Committee, Accounting
Officer and IAD.
2.2.2.2a Periodic self-assessment includes the following activities: Performance of Client Surveys; Interviews, observations and walkthrough of the
units processes/activities; Review of Selected Audit Assignments; Completion of the Self-Assessment Guide (Appendix 1) ; and Report on the Self-Assessment Exercise with recommendations and plan of
action.
2.2.2.2b. Formal Self-Assessment includes the following activities:
Subject to the scope of the self-assessment, the reviews may include any of thefollowing activities:
Activities outlined under Ongoing and Issue-Specific Reviews (2.2.1 and 2.2.2a)
2.3 IQAR - POLICIES
2.3.1 Administering Quality Assurance Reviews The IIA Standards recommend that periodic reviews be carried out by the internal audit
unit or by other individuals within its organisation who have knowledge of internal audit
practices and the IIA Standards.
-
8/9/2019 QAIP Manual2012 Jamaica
30/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 25
The Ministry of Finance & Planning requires all IAUs to use trained officers within the
IAU to perform both ongoing and periodic internal reviews. Where an IAU has only one
officer, the officer should use his/her discretion in effecting appropriate review activities.
2.3.2 IQAR Review Cycle
Periodic reviews that are issue-specific may be carried out by the IAUs at prescribed
times set out by the Chief Internal Auditor. The CIA should institute both ongoing and
periodic formal reviews in his annual schedule of activities.
The CIA must ensure that a formal self-assessment is conducted at least every five (5)
years. Upon completion of the self assessment report, this should be submitted to the
Internal Audit Directorate for the initiation of the independent validation process there
after.
2.3.3 Composition and Selection of IQAR Teams
2.3.3a. Ongoing Reviews and Issue Specific Reviews : The Chief Internal Auditor should use his/her discretion in selecting officers who will
perform these reviews. He/she must however, ensure that the reviewer is competent to
perform such reviews.
2.3.3b. Formal Self-Assessment
The Internal Review Team will consist of no less than two persons and will be selected
based on the scope and objectives of the internal review.
Where an Internal Audit Unit has difficulty implementing a formal assessment program
due to constraints such as staff limitation, the Chief Internal Auditor should consult with
the Internal Audit Directorate.
-
8/9/2019 QAIP Manual2012 Jamaica
31/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 26
2.3.4 Review Teams' Qualification
2.3.4a. Ongoing Reviews and Issue Specific Reviews The Chief Internal Auditor should use his/her discretion in setting the qualification
criteria for officers who will perform these reviews.
2.3.4b. Formal Self-Assessment
Internal reviewers should possess the following qualifications. There are two
qualification levels: Team Leaders
Three years of managerial/supervisory experience in internal auditing Thorough knowledge of the IIA Standards Hold a Bachelor's Degree, CIA or CGAP designation Good communication and human relationship skills Technical knowledge in at least two of the following areas - compliance,
financial, operational, management and information systems/technology auditing Thorough understanding of the industry within which the IAU's organisation falls Good judgment, analytical and research skills Trained in internal audit quality assurance reviews - assessment of participants
Team Members Two years of supervisory experience in internal auditing; Thorough knowledge of the IIA Standards; Hold a Bachelor's Degree or completed Auditing Techniques level 1 Good communication and human relationship skills; Technical knowledge in at least two of the following areas - compliance,
operational, financial reporting, management and information systems/technology
audits; Working knowledge of the industry within which the IAU's organisation falls; and
-
8/9/2019 QAIP Manual2012 Jamaica
32/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 27
Good judgment, analytical and research skills.
2.3.5 Rotation of Team Members including Leaders
2.3.5a. Ongoing Reviews
As ongoing reviews will be the responsibility of different categories of auditors, the CIA
should assign those reviews so that they are effectively carried out.
2.3.5b. Formal Self-Assessment
Each member of the team may serve for two consecutive reviews and will be eligible for
reappointment after sitting out a term.
This guideline will not apply in instances where the IAU has only one officer.
2.3.6 Establishing the Formal Self Assessment Scope and Objectives
The Internal review should be a collaborative effort between the Chief Internal Auditor
and the review team. Where possible, the CIA may invite the Audit
Committee/Accounting Officer to suggest areas for review.
The following are the minimum objectives that should be reviewed during an IQAR
- Formal Self-Assessment
Conformance with the Standards, The IIA's Code of Ethics, and the internal audit
unit's charter, plans, policies, procedures, practices, and applicable legislative and
regulatory requirements;
Expectations of the internal audit unit expressed by the audit committee, executivemanagement, and operational managers;
Integration of the IAU in the organization's governance process, including the
attendant relationships between and among the key groups involved in that
process; Tools and techniques employed by the IAU;
-
8/9/2019 QAIP Manual2012 Jamaica
33/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 28
Mix of knowledge, experience, and disciplines within the staff, including staff
focus on process improvement; Determination as to whether or not the IAU adds value and improves the
organization's operations; and Prepare the IAU for an independent validation.
2.3.7 Reporting Format
In the planning phase of the review, the CIA should determine and agree with the review
team, as to:
1. How the findings and recommendations will be recorded
2. How findings and recommendations will be reported and the format of the final
report.
The review team is encouraged to produce a balanced report which also includes positive
findings and constructive issues/ recommendations for improvement.
2.4 METHODOLOGY - FORMAL SELF-ASSESSMENT
The review team should ensure that there is adequate documentation of the self-assessment exercise, as their work will be subject to verification by a validation team.
The review team may apply the methodology below in its performance of a self-
assessment.
-
8/9/2019 QAIP Manual2012 Jamaica
34/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 29
2.4.1 Planning and Preparation
The CIA and the Team leader should review the Standards Conformance Guidelines
(Appendix 12-1/2, 12-2/2) to ensure that they are aware of all aspects of what
conformity to the Standards means. Refresh/or sensitize other members of the team of
the applicable Standards and the criteria used to judge the IAU.
2.4.1a. Prepare the Self-Assessment Planning Memorandum
The CIA may delegate the preparation of this document (Appendix 3) but should
review its accuracy and completeness. The CIA/Team Leader should ensure that the
scope and objectives of the engagement are clearly defined and understood.
2.4.1b. Review and modify, as appropriate, the Self-Assessment Guide.
The self-assessment team should have extensive knowledge of the IAUs function
(particularly its mission/charter, structure, processes, and staffing), consequently, it
may not be necessary to perform all of the program steps in order to evaluate and
reach valid conclusions on those areas. Also consider pertinent best practices from
professional literature and other benchmarking sources such as GAIN . (Appendix 1 -
Self-Assessment Guide)
2.4.1c. Distribute Audit Client Surveys to a representative sample of the IAU.
This activity may be reduced or omitted, based on the extent to which the IAU
routinely does similar surveys and recent pertinent results are available.
Summarize and analyze the survey responses, including comments for subsequent use
in enhancing interviews. Extract indicators of the IAUs effectiveness, significant
trends, etc
Select a representative sample of audit and consulting engagements for a review of
planning, working paper, supervision, results and communication issued. Select
-
8/9/2019 QAIP Manual2012 Jamaica
35/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 30
several additional reports for review and consider the adequacy and timeliness of
implementation and follow-up.
2.4.2 Interviews with IAU Clients
If the IAU regularly receives feedback from its clients through post audit surveys or
periodic meetings, then further interviews may not be necessary or may be reduced. In
such instances, it could be arranged so that the validator interviews such clients instead.
The team should summarize and analyze the interview responses; compare these results
with those from the survey; identify areas for improvements; and any other relevant
issues. (Appendices 5 - 9 Interview Guides)
2.4.3 Self-Assessment Fieldwork
The review team will carry out the relevant steps reflected in the SelfAssessment Guide
signed off by the CIA and the team leader. (Appendix 1 - Self Assessment Guide)
The CIA and team leader should ensure that the files and other items to be reviewed are
complete and available. The team should consider all questions and requests for
information and evaluative comments in relation to the assessments scope and
objectives.
The team should ensure that responses and findings are adequately documented.
Whenever a brief response will suffice, in lieu of an attachment, write it in the space provided.
The attachments furnished should be described briefly within the checklist and clearly labeled. If
the requested document/information is not attached to the checklist (i.e., not considered relevant
or to be made available later), so state on the checklist where the attachment is called for and
ensure that it will be readily available for later reference.
The team should give consideration to the following areas when evaluating the IAUs
operation:
-
8/9/2019 QAIP Manual2012 Jamaica
36/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 31
2.4.3a IAUs Structure and Organisation
Assess the IAUs charter, mission statement, goals, organizational structure,
procedure manual and processes for managing the unit.
2.4.3b Risk Assessment & Audit Planning
Evaluate to what extent the IAUs strategic, operational and audit plans are aligned to
its organisation. Also consider the effectiveness of the IAUs planning process in
making optimum use of its resources.
2.4.3c Human Resource Skills and Experience
Assess aspects of the Units human resource management such as the staff
complement, their skills and qualifications; succession planning, empowermentpractices.
2.4.3d Information Technology and Systems Review
Review the IAUs capability and coverage of Information Technology in its audit
plan to review selected IT assignments.
2.4.3e IAUs Operational Activities
Assess the appropriateness of the planning, control, supervision and use of resources
on individual assignments; adequacy of audit documentation; form, content and
effectiveness of the communications and implementation follow-up. ( Appendix 10
Audit Assignment Reviews)
2.4.4 Self-Assessment Report
The team should discuss potential report items with the CIA. To the extent possible, the
team should include agreed actions to be taken by the CIA, in response to report
recommendations, along with a schedule of implementation follow-up and closure of the
agreed actions. (Refer to Appendices 12 2/2 Standard Conformance Evaluation
Summary & Section 4 - Specimen Report)
-
8/9/2019 QAIP Manual2012 Jamaica
37/159
SECTION 2: CONDUCTING INTERNALQUALITY ASSURANCE REVIEWS
Quality Assurance and Improvement Programme Policy IAD, MoFP | 32
In instances, where an independent validation will be carried out, the Self-Assessment
Report will also be subjected to the Validating Teams review.
-
8/9/2019 QAIP Manual2012 Jamaica
38/159
Section 3Section 3Section 3Section 3
ConductingConductingConductingConducting
TheTheTheThe Quality AssQuality AssQuality AssQuality Assessmentessmentessmentessment andandandand Self AssesSelf AssesSelf AssesSelf Assessmentsmentsmentsment
withwithwithwith Independent (external) ValidationIndependent (external) ValidationIndependent (external) ValidationIndependent (external) Validation
-
8/9/2019 QAIP Manual2012 Jamaica
39/159
-
8/9/2019 QAIP Manual2012 Jamaica
40/159
SECTION 3:CONDUCTING THE QUALITY ASSESSMENT AND INDEPENDENT (EXTERNAL)
VALIDATION
Quality Assurance and Improvement Programme Policy IAD, MoFP 35
The scope of the QA will include coverage of the entire internal audit activity, which are those
elements highlighted above and in the practice guide issued by the IIA on the QAIP (March
2012), as well as other elements deemed necessary to complete the assessment. Using the model
presented in the QAIP framework diagram on page 7, this would include the quality of thegovernance activities and structures, professional practices, and communication processes.
2.6 ADMINISTERING THE QUALITY ASSESSMENT ANDINDEPENDENT VALIDATION
2.6.1 Quality AssessmentA team of qualified officers headed by the IAD will conduct a quality assessment(preliminary review) of the IAU to provide assurance of the IAUs readiness for the
independent(external) validation which asserts compliance with applicable GOJ/IIA
Standards; adoption of best practices; and level of operational efficiency and
effectiveness. The methodology and composition of the QA team will be decided on by
the IAD who will during the design of the methodology and team composition, consider
matters such as IAUs size, scope of the assessment, previous external assessments, and
conflict of interest issues.
2.6.2 SelfAssessment with Independent Validation Within the context of the GOJ quality assurance and improvement program, all internal
audit units are required to obtain validation of their self-assessments.
The purpose of such a review is to provide an independent assessment of the IAUs
compliance with applicable IIA Standards; adoption of best practices; and level of
operational efficiency and effectiveness, thereby enabling the IAU to declare that theiroperations are conducted in accordance with the (IIA) Standards for Professional
Practice of Internal Auditing.
-
8/9/2019 QAIP Manual2012 Jamaica
41/159
SECTION 3:CONDUCTING THE QUALITY ASSESSMENT AND INDEPENDENT (EXTERNAL)
VALIDATION
Quality Assurance and Improvement Programme Policy IAD, MoFP 36
2.6.2.1 Team Composition and SelectionThe size of the validation team will be dependent upon the size of the IAU and the scope
of the engagement but should not consist of less than two persons (team leader and
member).
The Independent Validation team will be drawn from members of the IIA local Chapter
and suitably qualified external persons/organisation.
Team Leaders must satisfactorily complete a requisite competency test and be
interviewed by a selection panel to be determined by the Ministry of Finance and
Planning before final selection is confirmed.
Team members selected to participate in assessments must be free from any obligation
to, or interest in the organization or related organizations in which the IAU
functions. They should be independent and have no real or apparent conflict of
interest. Independence of the organization means "not a part of, or under the
control of the organization to which the IAU belongs 3.
2.6.2.2 Qualification of Validators
3.2.2.2a. Team Leaders
Team leaders must satisfy the following minimum qualifications:
o Five years of managerial/supervisory experience in auditingo Possess a Bachelors Degreeo Possess CIA, CGAP, ACCA, CISA, etc. designationo Technical knowledge in at least two of the following areas of audit -compliance,
operational, financial, management and information technology
o Thorough knowledge of the organization, industry in which the IAU functionso Thorough knowledge of the IIA Standardso Good communication/interviewing skills
3 Practice Advisory 1312-1
-
8/9/2019 QAIP Manual2012 Jamaica
42/159
SECTION 3:CONDUCTING THE QUALITY ASSESSMENT AND INDEPENDENT (EXTERNAL)
VALIDATION
Quality Assurance and Improvement Programme Policy IAD, MoFP 37
o Excellent analytical and research skillso Trained in audit quality assurance reviews
3.2.2.2b. Team Members
Team members must satisfy the following criteria:
o Two years managerial/supervisory experience in auditingo Hold a Bachelors Degreeo Possess or pursuing CIA, CGAP, ACCA, CISA, etc. designationo Technical knowledge in at least two of the following areas-compliance, operational,
management and information technology auditing
o Working knowledge of the organization, industry in which the IAU functionso Thorough knowledge of the IIA Standardso Good communication, analytical and research skillso Trained in audit quality assurance reviews
2.6.2.3 Tenure of Team Members including LeadersIn order to maintain objectivity and to avoid conflict of interests, team members must be
rotated and should not serve on the same validation team of an entity for more than two
consecutive reviews.
2.6.2.4 Scope and Objectives of the Validation ProcessAs indicated in Section 2 Conducting Internal Quality Assurance Reviews, the
Validation Team Leader, the IAD and the Chief Internal Auditor should all agree on the
nature, scope, scope limitations and specific responsibilities attached to the validation
process.
The Validation Team will carry out performance review tests to determine the soundness
of the conclusions and recommendations drawn by the Unit's self-assessment exercise.
-
8/9/2019 QAIP Manual2012 Jamaica
43/159
SECTION 3:CONDUCTING THE QUALITY ASSESSMENT AND INDEPENDENT (EXTERNAL)
VALIDATION
Quality Assurance and Improvement Programme Policy IAD, MoFP 38
2.6.2.5 ReportingA meeting should be arranged by the Validation Team to discuss the findings and provide
the CIA an opportunity to respond to issues raised in the assessment exercise.
The final report, including the CIAs response and action plan, should be signed off by
the CIA and the Validator. The report should then be issued to the CIA along with copies
included for distribution to the Audit Committee, Accounting Officer of the relevant
Ministry/Department and the Ministry of Finance and Planning.
3.3 VALIDATION METHODOLOGY
3.3.1 Planning and Preparation
The Validating Team Leader should ensure that all the necessary preparation has been
finalized prior to commencing the validation work.
Logistics
Logistical arrangements such as how much work can be done off-site, the length of the
on-site visits, form and content of the report and other administrative details should also
be agreed on with the IAD and the CIA.
Off- site ReviewSelf-assessment and other materials completed by IAU should be analyzed off site prior
to the on-site review. ( Appendix 1 - Self Assessment Guide )
3.3.2 Fieldwork
On-site review of self-assessment documentation, performance of limited tests with
reference to source documents and interviews will be conducted over a two five days
period, depending on the scope, size and structure of the IAU.
-
8/9/2019 QAIP Manual2012 Jamaica
44/159
SECTION 3:CONDUCTING THE QUALITY ASSESSMENT AND INDEPENDENT (EXTERNAL)
VALIDATION
Quality Assurance and Improvement Programme Policy IAD, MoFP 39
3.3.3 Interviews/Surveys
Where applicable, interviews should be conducted with the Accounting Officer, chairman
of the audit committee and other clients of the IAU. These interviews will provide the
independent validator with direct input from the highest levels of oversight and the
necessary checks and balances to validate interviews/surveys conducted in the self-
assessment. (Appendices 8 13: Interview Templates)
3.3.4 Reporting
A summary of issues and recommendations, discussed at the closing conference, should
be documented. A draft report should also be prepared outlining the validation
procedures and results, opportunities for improvement and other recommendations of the
independent validator. The CIA should be given the opportunity to respond to the
recommendations and provide appropriate action plan. The final validation report should
be signed off by the CIA and Validator and issued to the relevant parties.
The report should express an opinion on the adequacy of the self-assessment process and
indicate the level Internal Audit Units level of conformity to the IIA Standards and the
Ministry of Finance & Planning. (Appendix 6 Standards Conformance Summary)
3.3.5 Follow up (optional)A follow-up visit may be scheduled to monitor the CIAs action plan of the
recommendations. The validator may also be invited to meet with senior management
and discuss the recommendations/ plan of action to be implemented.
-
8/9/2019 QAIP Manual2012 Jamaica
45/159
Quality Assurance and Improvement Programme Policy IAD, MoFP 40
-
8/9/2019 QAIP Manual2012 Jamaica
46/159
Quality Assurance and Improvement Programme Policy IAD, MoFP | 41
Section 4Section 4Section 4Section 4
IAUIAUIAUIAU SELF ASSESSMENT REPORTSELF ASSESSMENT REPORTSELF ASSESSMENT REPORTSELF ASSESSMENT REPORT
SPECIMENSPECIMENSPECIMENSPECIMEN
-
8/9/2019 QAIP Manual2012 Jamaica
47/159
-
8/9/2019 QAIP Manual2012 Jamaica
48/159
SELF ASSESSMENT REPORT SPECIMEN
Quality Assurance and Improvement Programme Policy IAD, MoFP | 43
EXECUTIVE SUMMARY
The Ministry/Department/Agency conducted a self-assessment of its internal audit services (IA). Theprincipal objectives of the assessment were to assess Ministry/Department/Agencys conformity to TheIIAs Standards for the Professional Practice of Internal Auditing (Standards) and Government of
Jamaica (GoJ) guidelines , evaluate IAs effectiveness in carrying out its mission (as set forth in itscharter and expressed in the expectations of management), and identify opportunities to enhancemanagement and work processes, as well as the IAs value to Ministry/Department/Agency.
As part of the preparation for the self-assessment, we prepared a self-study, with detailed documentation,and sent out surveys to staff and to a representative sample of Ministry/Department/Agencys executives.A summary of the survey results and Ministry/Department/Agency comments (without identifying theindividual survey respondents) have been furnished to the CIA. Extensive interviews were conducted withthe Ministry/Department/Agencys executives (including heads of operating departments), IA staff andany external auditors.
Also reviewed were the IAs risk assessment and audit planning processes, audit tools and methodologies,engagement and staff management processes, and a representative sample of IAs working papers andreports.
The IA environment is well structured and progressive, where the IIA Standards are understood andmanagement is endeavoring to provide useful audit tools and implement appropriate practices. Amongthese tools and practices are automated audit software; frequent professional training for IA staff(including training directed toward obtaining the Certified Internal Auditor qualification) resulting in ahighly qualified staff; efficient scheduling and reporting; concise reports with a focus on risk; and a goodreputation and credibility with clients. Consequently, the comments and recommendations are intended tobuild on this foundation already in place at the Ministry/Department/Agency.
Our recommendations are divided into two groups:
Those that concern the Ministry/Department/Agency as a whole and suggest actions by seniormanagement. Some of these are matters outside the scope of the assessment. They were includedbecause we believe they will be useful to management and because they impact the effectiveness ofthe IAU and the value it can add.
Those that relate to IAs supervision, impact on corporate governance and similar matters that shouldbe implemented within IA, with support from senior management. Highlights of the more significantrecommendations are set forth below, with details in the main body of our report.
PART I: MATTERS FOR CONSIDERATION OF MANAGEMENT
1. Further enhance the independence of the IA or re-establish an audit committee atMinistry/Department/Agency.
2. Adopt Management Control Policy. The Ministry/Department/Agency should develop and adopt aformal Management Control Policy which clearly defines major management, audit committee andinternal audit accountabilities with regard to the Ministry/Department/Agencys risk management,control and governance processes. This policy should be communicated to all levels of management.
-
8/9/2019 QAIP Manual2012 Jamaica
49/159
SELF ASSESSMENT REPORT SPECIMEN
Quality Assurance and Improvement Programme Policy IAD, MoFP | 44
PART II: ISSUES SPECIFIC TO THE CORPORATE OVERSIGHT TEAM (IA)
1. Update IAs universe to expand coverage of Ministry/Department/Agencys operations and other
recommendations below. Expand and update IAs audit risk assessment model to include moredepartments. (Standard 2010)
2. Ensure adequate evidence of supervision of engagements by indicating when the initial auditprogram has been changed and approved. Enhance work papers by the use of initials for datecompleted and date reviewed. ( Standard 2340)
3. Adequate referencing of audit work papers, to ensure a clear map of audit observations findingsand conclusions. (Standard 2320, 2330, 2340)
4.
Review IA coordination with external auditors, taking into account IAs charter and updated riskassessment model a better definition of the external auditors coverage. (Standard 2050)
5. Monitor Progress re timely follow-up of implementation of recommendations, increasemanagement accountability and shift more routine follow-up to responsible senior officers. (Standard2500)
6. Enhance degree of impact on Corporate Governance , by promoting ethics, accountability andeffectively communicating risk and control information especially to newly appointed senior officers.(Standard 2130)
OPINION AS TO CONFORMITY TO THE STANDARDS
The Standards are divided into two major categories: Attribute Standards and Performance Standards .
It is the opinion of the review team that the IA generally conforms to the Attribute Standards and thePerformance Standards . IA also generally conforms to the Code of Ethics, which is a part of the IIAProfessional Practices Framework. The over-all assessment is that IA generally conforms to theStandards / guidelines .
It is our opinion that IA generally conforms to the following Standards :
Attribute Standards
1000 Purpose, Authority, and Responsibility (Charter), 1100 Independence and Objectivity, 1200 Proficiency and Due Professional Care, 1300 Quality Assurance/Improvement Program,
-
8/9/2019 QAIP Manual2012 Jamaica
50/159
SELF ASSESSMENT REPORT SPECIMEN
Quality Assurance and Improvement Programme Policy IAD, MoFP | 45
Performance Standards
2000 Managing the Internal Audit Activity, 2200 Engagement Planning, 2400 Communicating Results, 2600 Managements Acceptance of Risks, and The IIAs Code of Ethics ,
Additionally, recommendation will be made for opportunities for further improvements, in such areas asreferencing working papers, updating work programs, relations with and input from clients, supervision ofengagements and coordination with the external auditors.
It is our opinion that the IA partially conforms to the following Standards/guidelines :
2300 Performing the Engagement , where expanded documentation will strengthen the workingpapers and ensure professional practices.
2500 Monitoring Progress , with more significant opportunities to strengthen the follow-up ofmanagements implementation of planned remedial actions.
We believe this is a reasonable level of conformity in the circumstances, which can be raised to generalconformity to all of the guidelines by implementation of the recommendations.
According to the Quality Assessment Manual, generally conforms means that an internal audit activityhas a charter, policies, and processes that are judged to be in accordance with the Standards , with someopportunities for improvement, as discussed in the recommendations. Partially conforms meansdeficiencies in practice are noted that are judged to deviate from the Standards/guidelines , but thesedeficiencies did not preclude the internal audit activity from performing its responsibilities in anacceptable manner. Does not conform means deficiencies in practice are judged to be so significant asto seriously impair or preclude the internal audit activity from performing adequately in all or insignificant areas of its responsibilities.
______________________________________________________Name of Ministry/Department/Agency CIATEAM LEADERMinistry/Department/Agency Corporate Oversight Team
___________________Date
Ministry/Department/AgencyTeam Members:
-
8/9/2019 QAIP Manual2012 Jamaica
51/159
SELF ASSESSMENT REPORT SPECIMEN
Quality Assurance and Improvement Programme Policy IAD, MoFP | 46
OBSERVATIONS AND RECOMMENDATIONS
PART I: MATTERS FOR CONSIDERATION OF MANAGEMENT
These observations and recommendations originated principally from the comments received from themanagement survey, interviews with selected executives, and follow-up of these matters. All are of directimportance to enhancing effectiveness and added value of the IA.
1. Further enhance the independence of the IA,
Although the IA is independent as it reports functionally to the Permanent Secretary/ ofMinistry/Department/Agency on all subsidiary reports, to the Chairman of Ministry/Department/AgencyAudit Committee (on Ministry/Department/Agency reports), the IAs independence can be furtherenhanced by establishing or re-establishing an audit committee at Ministry/Department/Agency.
The establishment of these committees will improve the effectiveness of the IA by assisting in thepromotion of good corporate governance, control and the follow-up of the implementation of auditrecommendations at each subsidiary.
Recommendation
In order to further enhance the independence and effectiveness of the IA, it is recommended that themanagement of Ministry/Department/Agency re-establish an audit committee and that the Departments inthe financial sector in particular establish audit committees.
2. Adopt Management Control Policy
Currently there is no formal Management Control Policy at ABC Ministry/Department/Agency. A copyof the Model Policy was sent to the Chairman Ministry/Department/Agency, CEO ABCMinistry/Department/Agency, Audit Committee Chairman ABC Ministry/Department/Agency andABC Ministry/Department/Agency Board of Directors for review and adoption. This policy defines forthe Board of Directors the responsibilities of management at all levels, the Internal Audit Activity and theAudit Committee.
Recommendations
ABC Ministry/Department/Agency and other Departments in the financial sector should adopt a writtenManagement Control Policy in order to define roles and ensure accountabilities. This policy whichconveys the roles and responsibilities of management (specifically for action on identified control issues),
the audit committees and the authority of internal audit should be clearly conveyed from the top thoughthe senior levels at all companies.
PART II: ISSUES SPECIFIC TO THE INTERNAL AUDIT ACTIVITY
1. Update IA universe to expand coverage of Group,
-
8/9/2019 QAIP Manual2012 Jamaica
52/159
SELF ASSESSMENT REPORT SPECIMEN
Quality Assurance and Improvement Programme Policy IAD, MoFP | 47
Currently IA conducts audits mainly for a subsidiary, ABC Ministry/Department/Agency. IAs mandateaccording to its charter is to have oversight over the entire Ministry/Department/Agency. The charter alsodetails specific IA responsibilities over the entire Group.
IA plans to expand its risk assessment exercise to the Group in phases in order to expand its coverageusing the Ernst & Young (EY) risk methodology. The expanded coverage of Departments outside thefinancial sector is expected to unfold over the next 3-5 years and will include Information Technology(IT) issues.
Recommendation
IA should develop and publish a strategy which would clearly outline the timeframe for each phase inwhich it intends to expand its coverage of the Group. This would allow IA time to determine and obtainthe additional resources and training it may need to effectively oversee each phase and sector of theGroups operations.
2. Ensure adequate evidence of supervision of engagements
Evidence of supervision can be improved in the following areas: Initialing audit programs and changes thereto as having been reviewed and approved. Initialing working papers as having been reviewed and checked.
Recommendations
IA officials charged with supervisory authority should: Initial the audit program and any subsequent justified changes as approved. Review, initial and date working papers as having been checked.
IA should also consider the development of an engagement working paper review checklist forcompletion by the supervising auditor .
3. Adequate referencing of working papers
Currently, IAs working papers are not adequately referenced. The working papers in some cases do notcontain the elements of purpose, scope, source and conclusions. Also, a master check list which lists theminimum documentation requirements of the work papers as stated in IAs Audit Manual should beattached to the working papers and all documentation filed in a consistent manner whether in electronic orpaper format.
Referencing would ensure a clear trail of how conclusions and recommendations are derived fromengagement observations. The IA created a referencing system in DATE to address this shortcoming.
Recommendations
The referencing system developed should be tested and implemented with immediate effect. This systemshould include:
-
8/9/2019 QAIP Manual2012 Jamaica
53/159
SELF ASSESSMENT REPORT SPECIMEN
Quality Assurance and Improvement Programme Policy IAD, MoFP | 48
The principles of purpose, scope, source in order to provide a clear trail that supports the conclusionsand recommendations.
A well-developed master checklist (for inclusion in the working papers) which identifies the auditprocess as outlined in IAs manual re minimum documentation required to adhere to auditingstandards
A consistent organizational format for collating work papers (electronic or paper) which allows forefficient retrieval of data in support of audit recommendations or auditing standards.
Supervisory review of the working papers should ensure that the referencing system is enforced and thatthe working paper documents adequately supports the engagement observations, conclusions andrecommendations
4. Review IAs coordination with the external auditors
Beyond management review and evaluation, the two principal oversight/monitoring functions in theMinistry/Department/Agency are IA and the external auditors. Each has its specific focus, authorities,
responsibilities, and scope, but there are some similarities among them.
Although there has been some coordination and exchange of information, similarities give rise toopportunities to avoid duplicate effort, ensure adequate overall audit and evaluation coverage, leverageeach others work through joint efforts and reciprocal follow-up of recommendations. Tools for achievingthese aims include a shared universe, coordinated risk assessment/planning, and shared recommendationdatabase. In addition, we can review each others reports and meet as frequently as seems useful.
Recommendation
We recommend IA and the external auditors jointly review the comprehensive audit/evaluation universeto achieve a coordinated division of labor. Further, it is recommended that both IA and the externalauditors take careful account of common interests, which include the potential scope of work, and cleardefinition of external audit coverage, along with the potential for joint teams on some engagementsespecially IT.
5. Monitoring Progress; timely follow-up of the implementation of audit recommendations
There are a number of audit recommendations at ABC Ministry/Department/Agency that have not beenmonitored and followed-up by the IA in a timely manner. A database is currently being developed to trapand track recommendations and the remedial actions taken by management to address areas of riskexposure. There is currently no summary of recommendations implemented versus remedial actionoutstanding.
We believe senior executives and managers should take a more active role in the follow-up ofrecommendations and the implementation of the related action plans. Senior executives should beresponsible to follow up on the implementation status of audit recommendations for their area(s) ofresponsibility.
Recommendations
The IA should ensure that the system developed to track the progress of the implementation of auditrecommendations is comprehensive and addresses the monitoring function efficiently. This system
-
8/9/2019 QAIP Manual2012 Jamaica
54/159
SELF ASSESSMENT REPORT SPECIMEN
Quality Assurance and Improvement Programme Policy IAD, MoFP | 49
should include agreement/sign off by the audit client on remedial action to be taken, the timeframe forimplementation and progress reports.
6. Enhance degree of impact on Corporate Governance
The IA can add more value to Ministry/Department/Agency by improving the degree of its impact oncorporate governance. Although, control awareness presentations have been made by the IA at ABCMinistry/Department/Agency, presentations on ethics and values should also be promoted.
Additionally, it was noted that most of the managers at ABC Ministry/Department/Agency are new totheir positions and would have missed the last risk assessment conducted. As a result, some of themanagers are not aware of the concerns and risks identified during risk assessment exercise.
Recommendation
In order to improve its impact in governance, the IA can consider the following:
Make presentations and provide additional material/support to Ministry/Department/Agencyregarding ethics and values and also other issues such as the tone at the top.
Ensure that new managers are apprised of risk and control concerns previously identified for theirarea(s) of responsibility
Update and conduct risk assessments for the Departments and effectively communicate the results tothe appropriate levels of management at these organizations.
-
8/9/2019 QAIP Manual2012 Jamaica
55/159
-
8/9/2019 QAIP Manual2012 Jamaica
56/159
Quality Assurance and Improvement Programme Policy IAD, MoFP | 51
APPENDICESAPPENDICESAPPENDICESAPPENDICES ((((ForForForFor Section 2)Section 2)Section 2)Section 2)
-
8/9/2019 QAIP Manual2012 Jamaica
57/159
APPENDIX 1SELF ASSESSMENT GUIDE
Quality Assurance and Improvement Programme Policy IAD, MoFP | 52
Internal Audit Unit: ___________________________________
Date Submitted: ______________________________________
On-site Dates: ________________________________________
Self-assessment Due Date: ______________________________
Notes to Preparer(s)
If this self-assessment is for an internal quality assessment or a self-assessment with validation , consider allquestions, information requests, and requests for evaluative comments in relation to the assessments scope andobjectives. Respond to the questions, etc. to the extent the responses are necessary to facilitate and document the workof the internal assessment team and/or validator. Attach the requested documentation or ensure it will be available as
needed during the internal assessment and validation phases.Whenever a brief response will suffice, in lieu of an attachment, write it in the space provided. The attachmentsfurnished should be described briefly within the self-assessment and clearly labeled. If the requesteddocument/information is not attached to the self-assessment (i.e., not considered relevant or to be made available later),so state on the self-assessment where the attachment is required.
The chief internal auditor (CIA) may delegate the preparation of this self-assessment, but should review it for accuracyand completeness, before submitting it to the validator.
I. ORGANIZATION AND ENVIRONMENT
A.
Background of the Organization1. Briefly describe the major activities of the organization and attach a copy of its most recent annual report. ( Include
relevant attachments ).
1. Provide the following summary information about the organization
Approximate number of employees __________
Number of operating locations __________
Geographical locations of major operations ________________________________
__________________________________________________________________
Revenues __________
Assets __________
-
8/9/2019 QAIP Manual2012 Jamaica
58/159
APPENDIX 1SELF ASSESSMENT GUIDE
Quality Assurance and Improvement Programme Policy IAD, MoFP | 53
B. Risk Management, Governance, Accountability, and Oversight
1 A. Describe the process to identify, measure, and manage enterprise risk in the organization. (Theorganizations ERM process).B. List the most significant risks that have been identified.
(Include relevant attachments )Describe the regulatory constraints/enhancements that had an impact on the work of the IAU with emphasis onrecently enacted legislations or regulations.
2. A. Describe how the organizations strategies are selected, how objectives are established, measured, andreported, and indicate how managers are held accountable for achievement of their assigned objectivesB. Give an overview of the organization mission and comment on the alignment of its strategy and objectives tothe mission
Attach a copy of the policy for controlling the organization (e.g., management control policies, delegations ofauthority, accountabilities, etc.) and comment on planned or potential changes.
3. Assess the adequacy of the charter and comment as to the extent to which this current audit committee chartergives the audit committee adequate authority, scope, resources, information, and access to management todischarge its responsibilities. Comment on any proposed or potential enhancements to the audit committeescurrent charter.
Attach a copy of the audit committees charter or similar document relating to oversight of the IAU.
II. THE INTERNAL AUDIT UNIT (IAU)
A Background of the IAU
1. Name and title of the CIA _________________________________________________________
2. Name (i.e., division, office, department, etc.) and address of the IAUs principal office
Name:Address:Telephone Number:
3. Give a brief history of the IA Department, including when it was started, any change(s) of CIAs during the past
10 years, an indication of its growth in the past 10 years, and significant changes in its lines of reporting,authority, scope of work, and internal organization. Comment on how these changes have enhanced the IAUseffectiveness.
4. Name and title of the person to whom the CIA reports ______________________
-
8/9/2019 QAIP Manual2012 Jamaica
59/159
APPENDIX 1SELF ASSESSMENT GUIDE
Quality Assurance and Improvement Programme Policy IAD, MoFP | 54
Administratively Name and TitleFunctionally Name and Title
5. Name and address of the chair of the audit committee with oversight of the IAU:
Name:Address:City:Parish:
6. Name of the organizations external auditor. _______________________________________
7. Person who heads the external audit ____________________________
8. Address and telephone number of the external auditors office:
Address:City:Parish:Telephone: Fax:
B. Internal Audit Practice Environment (including Support, Authority, and Scope)
1. Comment as to whether or not the placement of the IAU on the organizations structure is the optimum to ensureindependence, access to appropriate executives, ease of communication, support, and resources. Comment on anyproposed or potential enhancements in these areas.
Attach the government entitys organization chart, including the name and job title of business unit heads, showing
placement of the IAU.
2. Attach the IAUs organization chart and a list of the IAUs staff, classified by staff level and type, along with anindication of time in the IAU and prior experience. Have available for later review the job descriptions, recordsshowing skills requirements, staff qualifications, unfilled positions, use of outside services, recent turnover, andout-placement of staff.
3. Compare the IAUs charter to the model IAU charter in Reference III and comment on how the IAUs charterfosters the independence, access, resources, etc. necessary to the effective functioning of the IAU. Mention any
proposed or potential enhancements to the IAUs charter since the last quality assessment or independent validation.
Attach a copy of the IAUs charter.
Describe the procedures to ensure that the efficiency and effectiveness of the IAU in achieving its mandate.
4. Does the IAU have full access to all areas of the organization? Yes____ No ____ If not, describe restrictions onthe IAU regarding access to information considered necessary to conduct audits and consulting engagements or
-
8/9/2019 QAIP Manual2012 Jamaica
60/159
APPENDIX 1SELF ASSESSMENT GUIDE
Quality Assurance and Improvement Programme Policy IAD, MoFP | 55
access to relevant managers and employees. Comment on how it affects the effectiveness of the IAU in theachievement of its mandate.
5. Describe the procedures to ensure that the IAUs staff is objective (e.g., conflict of interest statements, auditor
rotation, etc.). Describe the procedure for reporting conflicts of interest or bias to the CIA and subsequently dealingwith them.
6. Describe the philosophy of the IAU, its core values, and mission/goals/objectives for serving its clients.
7. Describe the objectives against which the IAUs periodically measures its performance and describe how executivemanagement, audit committee, or oversight group such as legislative bodies evaluates the performance of the IAU.
Attach a copy of the IAUs policy and standard operating procedure (SOP)
8. Complete the best practices checklist ( see Appendix 3 ) and indicate how these practices enhance the IAUseffectiveness.Comment on any proposed or potential additional practices that would add further value and/or enhanceeffectiveness. If there are such practices that the IAU is not planning to implement (or if it is prevented from doingso), discuss the related reasons and the potential impact of the decisions not to implement them.
9. List other oversight/monitoring units outside the IAU describe their authority, scope, and functions (e.g., safety,environment, evaluation, security, investigations, process improvement, and other compliance/ consultingactivities).Describe: The nature of the unit operational duties How their separation from the IAU impacts on the achievement of the organizations goals, How the separation impacts risk management, management control, efficiency, or resource utilization, and Comment on their report relationship with senior management, the board, and other governance responsibilities
and accountabilities,
C. Relationship of the IAU with Senior Management and the Board (Audit Committee)
1. Describe interactions of the CIA and senior management: involvement in management meetings for strategic andtechnology planning, periodic management briefings, etc.
(See Appendix 5-9 Questionnaire Guides)
2. Describe how senior management and the board (audit committee) are kept informed about the work of the IAU.
-
8/9/2019 QAIP Manual2012 Jamaica
61/159
APPENDIX 1SELF ASSESSMENT GUIDE
Quality Assurance and Improvement Programme Policy IAD, MoFP | 56
Include how often the CIA is scheduled to meet with them, who attend such meetings, what is typically discussed,how often senior management and the board receive status reports, etc. Comment on any additional formal orinformal contacts.
D. Management of the IAU
1. Provide a brief description of risk assessment and engagement planning. Discuss how the IAUsassurance/consulting universe is determined, and how the planning considers:
Alignment of the IAUs risk assessment and engagement planning with the organizations strategic plans,objectives, and enterprise risk framework.
Technology plans, current systems, those under development, and technology management issues. The management control environment and accountability processes. Management input regarding their plans, concerns, priorities, etc. Potential partnering opportunities and other value-adding activities. Staffing numbers/skills needed, along with opportunities to leverage IA resources through empowerment, joint
efforts with clients, selective outsourcing, fostering self-assessment, etc. Long-range engagement planning to achieve appropriate coverage of the IAUs universe.
2. Describe the extent to which the IAUs priorities, scope of work, and use of resources are aligned with theorganizations enterprise risk management framework. Describe how the IAU contributes to achievement of theorganizations goals. Comment on potential or planned changes to the IAUs priorities, scope, or use of resources toenhance that alignment.
3. Attach a copy of the following:
The engagement planned vs. actual level of achievement for the current period , including engagementscurrently in progress and details of engagements completed and final report issued. At a minimum, provide:o List the audit assignments performed and state the type of audito Name of Audit Client/Unit.o Start date and report issuance date of the engagement.o Number of staff hours or days spent.o Audit manager and lead auditor for the engagement.o Detail of how the recommendations made have improve the efficiency and effectiveness of the
organizations operation.
The engagement planned vs. actual for the prior period , including details of engagements completed andreports issued. At a minimum provide:o List the audit assignments performed and state the type of audito Name of Audit Client/Unit.o Start date and report issuance date of the engagement.o Number of staff hours or days spent.o Audit manager and lead auditor for the engagement.o Detail of how the recommendations made have improve the efficiency and effectiveness of the
organizations operation.
The IAUs financial budget vs. actual for the current period.
-
8/9/2019 QAIP Manual2012 Jamaica
62/159
APPENDIX 1SELF ASSESSMENT GUIDE
Quality Assurance and Improvement Programme Policy IAD, MoFP | 57
The IAUs financial budget vs. actual for the prior period.
4. Show the percentage of the IAUs staff time and contract (outsourced) services applied to each of the followingtypes of assurance and consulting activities. (Note: If the IAUs timekeeping system does not facilitate classifyingtime in this